Comments (6)
@Maxsh Do you have any kind of a proxy in place when it is used from within Kubernetes? You mentioned trying it in the node. Do you mind bringing up a pod and then trying it there? I would set the task to something like `sleep 1800` and then `kc exec` into the pod to try this `docker pull` manually and see what happens and debug further.
from kubernetes-elastic-agents.
I was looking at issues such as docker-archive/toolbox#603 (comment) to see if this could be related. They were talking about proxies. You could also see if running `update-ca-certificates` helps, as mentioned in this other comment.
The other aspect I was thinking about was whether the time inside the pod and container are correct. I was basing this on the last part of the message, where it says: "... or is not yet valid".
Maybe https://docs.docker.com/machine/reference/regenerate-certs/ will help? On the k8s node on which the pod was scheduled. Best to check by doing an ssh into a k8s node and trying `docker pull php:7.2-fpm-alpine3.8`.
Thanks all for your suggestions.
It seems the issue is resolved. It depended on a DNS resolution issue from the pod.
Here are some details:
- It worked properly from a docker container running through `docker run`:

```
$ docker run --privileged --rm -it gocd/gocd-agent-docker-dind:v19.7.0 sh
curl -v https://registry-1.docker.io/v2/_catalog
```

- It doesn't work in the pod container:

```
$ curl -v https://registry-1.docker.io/v2/_catalog
TLSv1.2 (OUT)
TLS alert, unknown CA (560):
SSL certificate problem: unable to get local issuer certificate
```

and

```
$ openssl s_client -CApath /etc/ssl/certs/ -connect registry-1.docker.io:443
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
```

- But other domains work properly, e.g. https://google.com:443, from the pod container.

Then it was revealed that DNS for registry-1.docker.io is not resolved from the agent container, nor from the server container:

```
$ nslookup registry-1.docker.io
```

There are other pods in other k8s namespaces where this domain is resolved properly.
Moreover, in a new busybox pod in the gocd namespace, resolving works.
So, the issue was resolved by changes in the Agent Profile / PodConfiguration:

```yaml
dnsPolicy: ClusterFirst
dnsConfig:
  nameservers:   # PodDNSConfig field name is `nameservers` (plural)
    - 10.96.0.10
    - <COMPANY_DNS_IP>
  searches:
    - cluster.local
    - svc.cluster.local
    - gocd.svc.cluster.local
  options:
    - name: ndots
      value: '2'
```

Looks like the issue depends on the known ndots issue in k8s for the Alpine distribution:
jenkinsci/docker#710 (comment)
kubernetes/kubernetes#64924
But I'm not sure precisely, because my other pods are also based on Alpine and there the Docker registry host is resolved successfully. The issue is only for GoCD pods (server and agent).
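The ndots behaviour the comment above points at, as an added example that is not part of the thread: a small Python simulation of how a resolver expands a name against a pod's /etc/resolv.conf. The resolv.conf content is constructed (what a ClusterFirst pod in the gocd namespace typically gets, with the kubelet default ndots:5); the search-before-absolute ordering it shows is one mechanism consistent with the symptoms posted above, where a name under the cluster search domains can be answered before the public record is ever queried, and the resulting certificate mismatch is the TLS verification working as intended, so the fix belongs in DNS configuration rather than in relaxing certificate checks.

```python
import re

# Constructed sample resolv.conf as a Kubernetes pod with dnsPolicy ClusterFirst
# would typically get in the gocd namespace (ndots:5 is the kubelet default).
DEFAULT_RESOLV_CONF = """\
nameserver 10.96.0.10
search gocd.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""

def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots) parsed from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # resolvers default ndots to 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            nameservers.append(rest[0])
        elif key in ("search", "domain"):
            search = rest
        elif key == "options":
            for opt in rest:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = int(m.group(1))
    return nameservers, search, ndots

def query_order(name, search, ndots):
    """Fully qualified names the resolver tries, in order, for a lookup of `name`.
    A trailing dot makes the name absolute, so the search list is skipped."""
    if name.endswith("."):
        return [name]
    candidates = [f"{name}.{domain}." for domain in search]
    absolute = name + "."
    if name.count(".") < ndots:
        # Fewer dots than ndots: search-list names are tried BEFORE the real name,
        # so any zone in the search path that answers wins the lookup.
        return candidates + [absolute]
    return [absolute] + candidates

if __name__ == "__main__":
    for conf in (DEFAULT_RESOLV_CONF, DEFAULT_RESOLV_CONF.replace("ndots:5", "ndots:2")):
        _, search, ndots = parse_resolv_conf(conf)
        print(f"ndots={ndots}:", query_order("registry-1.docker.io", search, ndots))
```

Running it prints the ndots:5 order with the three cluster-domain candidates ahead of registry-1.docker.io, and the ndots:2 order with the absolute name first, which is what the posted dnsConfig change achieves.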
Hi @Maxsh
We tried to reproduce this issue on GKE and couldn't. We provisioned a static agent from the image "gocd/gocd-agent-docker-dind:v19.7.0".
We could verify that `nslookup registry-1.docker.io` is resolved.
We then ran `curl -v https://registry-1.docker.io/v2/_catalog` on the agent container. The docker registry certificate is verified.
Here's the output:

```
$ curl -v https://registry-1.docker.io/v2/_catalog
* Trying 3.210.179.11:443...
...
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.io
*  start date: Jun 7 00:00:00 2019 GMT
*  expire date: Jul 7 12:00:00 2020 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
```
Can you confirm to us where your K8s cluster is running so we can debug this further?
Sheroy and Arvind