Bug #48715
closed
docker-mirror: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0]
Description
stderr Error: Error initializing source docker://ceph/daemon-base:latest-octopus: (Mirrors also failed: [docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus: error pinging docker registry docker-mirror.front.sepia.ceph.com:5000: Get "https://docker-mirror.front.sepia.ceph.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0]):
Updated by Sebastian Wagner over 3 years ago
- Category set to teuthology
- Priority changed from Normal to Urgent
Updated by David Galloway over 3 years ago
Sebastian Wagner wrote:
This is not the same thing
Updated by David Galloway over 3 years ago
- Status changed from New to Fix Under Review
- Assignee set to David Galloway
I believe this is resolved. I'm not sure why but just restarting the mirror seemed to take care of it. I know the previous container was using the correct certificate though.
Updated by Sebastian Wagner over 3 years ago
Hm. I can still see the error:
2021-01-08T12:40:46.647 INFO:tasks.workunit.client.0.smithi165.stderr:Non-zero exit code 125 from /usr/bin/podman run --rm --ipc=host --net=host --entrypoint ceph -e CONTAINER_IMAGE=docker.io/ceph/daemon-base:latest-octopus -e NODE_NAME=smithi165 docker.io/ceph/daemon-base:latest-octopus --version
2021-01-08T12:40:46.648 INFO:tasks.workunit.client.0.smithi165.stderr:ceph: stderr Trying to pull docker.io/ceph/daemon-base:latest-octopus...
2021-01-08T12:40:46.648 INFO:tasks.workunit.client.0.smithi165.stderr:ceph: stderr toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
2021-01-08T12:40:46.648 INFO:tasks.workunit.client.0.smithi165.stderr:ceph: stderr Error: Error initializing source docker://ceph/daemon-base:latest-octopus: (Mirrors also failed: [docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus: error pinging docker registry docker-mirror.front.sepia.ceph.com:5000: Get "https://docker-mirror.front.sepia.ceph.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0]): docker.io/ceph/daemon-base:latest-octopus: Error reading manifest latest-octopus in docker.io/ceph/daemon-base: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
Updated by David Galloway over 3 years ago
Ah. Okay. So this is because you're running podman on Bionic. ceph-cm-ansible isn't expecting this.
See
https://github.com/ceph/ceph-cm-ansible/blob/master/roles/container-host/vars/apt_systems.yml#L3
then
https://github.com/ceph/ceph-cm-ansible/blob/master/roles/container-host/tasks/main.yml#L31-L36
So the cert is getting installed at /etc/docker/certs.d but you're not using docker. Maybe I should just have the cert put in both places on all testnodes.
Updated by David Galloway over 3 years ago
Updated by Sebastian Wagner over 3 years ago
unfortunately, it's still there: https://pulpito.ceph.com/swagner-2021-01-15_09:42:49-rados:cephadm-wip-swagner-testing-2021-01-14-1551-distro-basic-smithi/
Updated by David Galloway over 3 years ago
https://github.com/ceph/ceph-sepia-secrets/pull/595
dgalloway@gibba008:~$ /usr/bin/podman run --rm --ipc=host --net=host --entrypoint ceph -e CONTAINER_IMAGE=docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus -e NODE_NAME=smithi184 docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus --version
Trying to pull docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus...
Getting image source signatures
Copying blob 7a0437f04f83 done
Copying blob bd6b109c913e done
Copying config b4a42a2be8 done
Writing manifest to image destination
Storing signatures
ceph version 15.2.8 (bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55) octopus (stable)
Updated by Sage Weil about 3 years ago
- Status changed from Fix Under Review to Resolved
appears to be fixed!