
After configuring docker insecure-registries, when pulling an image, the following error occurs: 'failed to authorize: failed to fetch oauth token ...... failed to verify certificate: x509: certificate signed by unknown authority'. #1614

Open
magicmopper opened this issue Aug 27, 2024 · 3 comments

@magicmopper

root@nydus:~# nydusd --version
Version:        v2.2.4
Git Commit:     1c9c819942ce6fb0b1ebf178df0b3966021ae6bb
Build Time:     2023-11-02T11:32:06.442899984Z
Profile:        release
Rustc:          rustc 1.66.1 (90743e729 2023-01-10)
root@nydus:~# containerd-nydus-grpc --version
Version:     v0.13.3
Revision:    0dfc6a45217592e3ac7071634cd8e82ecb458eba
Go version:  go1.19.6
Build time:  2023-10-19T06:12:58
root@nydus:~# docker info
Client: Docker Engine - Community
 Version:    24.0.7
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 24.0.7
 Storage Driver: nydus
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
 runc version: v1.1.9-0-gccaecfc
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-40-generic
 Operating System: Ubuntu 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.778GiB
 Name: nydus
 ID: 90d15f77-f5ce-4d59-b56b-f4b08a027682
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  192.168.220.127:5002
  127.0.0.0/8
 Live Restore Enabled: false
root@nydus:~# cat /etc/docker/daemon.json
{
  "features": {
    "containerd-snapshotter": true
  },
  "insecure-registries": ["https://192.168.220.127:5002"],
  "storage-driver": "nydus"
}
root@nydus:~# cat /etc/nydus/nydusd-config.json
{
  "device": {
    "backend": {
      "type": "registry",
      "config": {
        "scheme": "https",
        "host": "192.168.220.127:5002",
        "skip_verify": true,
        "auth": "YWRtaW46SGFyYm9yMTIzNDU=",
        "timeout": 5,
        "connect_timeout": 5,
        "retry_limit": 2
      }
    },
    "cache": {
      "type": "blobcache"
    }
  },
  "mode": "direct",
  "digest_validate": false,
  "iostats_files": false,
  "enable_xattr": true,
  "fs_prefetch": {
    "enable": true,
    "threads_count": 8,
    "merging_size": 1048576,
    "prefetch_all": true
  }
}

containerd config:

version = 2
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".tls]
    insecure_skip_verify = true
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".auth]
    identitytoken = "YWRtaW46SGFyYm9yMTIzNDU="
    #username = "admin"
    #password = "Harbor12345"
# Plug nydus snapshotter into containerd
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"

root@nydus:~# docker login 192.168.220.127:5002
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

root@nydus:~# docker pull 192.168.220.127:5002/check/debian:stable
Error response from daemon: failed to resolve reference "192.168.220.127:5002/check/debian:stable": failed to authorize: failed to fetch oauth token: Post "https://192.168.220.127:5002/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
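As an added example that is not from the issue or from the nydus project: a small Python linter over configs shaped like the three posted above, which flags every place where TLS certificate verification has been switched off and where a base64 `user:password` pair sits in a token field (in containerd's CRI registry config, `identitytoken` is the OAuth refresh-token field and a Basic pair belongs in `auth` or `username`/`password`). The sample inputs are constructed copies of the issue's own values; the finding codes and the remediation hints in the comments are this example's, not the projects'.

```python
import base64
import json
import re

# Constructed sample inputs, shaped like the three configs in the issue (same host and auth string).
DAEMON_JSON = '{"insecure-registries": ["https://192.168.220.127:5002"]}'
NYDUSD_JSON = ('{"device":{"backend":{"type":"registry","config":{"scheme":"https",'
               '"host":"192.168.220.127:5002","skip_verify":true,"auth":"YWRtaW46SGFyYm9yMTIzNDU="}}}}')
CONTAINERD_TOML = '''[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".tls]
    insecure_skip_verify = true
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".auth]
    identitytoken = "YWRtaW46SGFyYm9yMTIzNDU="
'''


def is_basic_auth_pair(value):
    """True if a base64 string decodes to 'user:password' (a Basic credential, not a token)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.count(":") == 1 and all(decoded.split(":"))


def lint_registry_tls(daemon_json, nydusd_json, containerd_toml):
    """Return (finding_code, host) tuples for weakened TLS verification and misplaced credentials."""
    findings = []
    for entry in json.loads(daemon_json).get("insecure-registries", []):
        host = re.sub(r"^https?://", "", entry)
        if host != entry:  # dockerd expects host[:port] or CIDR here and strips a scheme with a warning
            findings.append(("docker-insecure-entry-has-scheme", host))
        # insecure-registries turns off cert verification (and allows HTTP fallback) for that host;
        # trusting the registry CA via /etc/docker/certs.d/<host>/ca.crt keeps verification on.
        findings.append(("docker-insecure-registry", host))
    backend = json.loads(nydusd_json)["device"]["backend"]
    if backend.get("type") == "registry":
        cfg = backend["config"]
        if cfg.get("skip_verify"):
            findings.append(("nydusd-skip-verify", cfg["host"]))
        if is_basic_auth_pair(cfg.get("auth", "")):
            findings.append(("nydusd-basic-creds-in-config", cfg["host"]))
    # Lightweight TOML scan: one registry.configs."HOST".tls / .auth table at a time.
    for host, table, body in re.findall(
            r'registry\.configs\."([^"]+)"\.(tls|auth)\]\s*\n((?:\s+\w+\s*=.*\n?)*)', containerd_toml):
        if table == "tls" and re.search(r"insecure_skip_verify\s*=\s*true", body):
            findings.append(("containerd-insecure-skip-verify", host))  # prefer tls.ca_file
        m = re.search(r'identitytoken\s*=\s*"([^"]+)"', body)
        if table == "auth" and m and is_basic_auth_pair(m.group(1)):
            findings.append(("containerd-basic-creds-in-identitytoken", host))  # belongs in `auth`
    return findings
```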
@imeoer
Collaborator

imeoer commented Aug 28, 2024

It seems the error is not related to nydus; it tells that docker's request to the registry token server did not skip TLS cert validation.

@guquanheng

Me too, the private certificate cannot be used

@magicmopper
Author

When I don't use nydus and use native Docker configuration, there won't be authentication issues, but when I switch to nydus, the above problems will occur. This issue also occurs in the integration scenario with Dragonfly: if nydus is not deployed, it is normal to pull the private repository image of Dragonfly agent through Docker, but once nydus is deployed, authentication issues may also occur.
