Bug #48715: docker-mirror: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0] - Orchestrator - Ceph

Bug #48715

docker-mirror: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0]

Added by Sebastian Wagner 2 months ago. Updated 23 days ago.

Status:

Resolved

Priority:

Urgent

Assignee:

David Galloway

Category:

teuthology

Target version:

% Done:

Source:

Tags:

Backport:

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

Crash signature:

Description

https://pulpito.ceph.com/swagner-2020-12-23_18:12:01-rados:cephadm-wip-swagner-testing-2020-12-22-0110-distro-basic-smithi/5734449/

stderr Error: Error initializing source docker://ceph/daemon-base:latest-octopus: (Mirrors also failed: [docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus: error pinging docker registry docker-mirror.front.sepia.ceph.com:5000: Get "https://docker-mirror.front.sepia.ceph.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0]):

History

#1 Updated by Sebastian Wagner 2 months ago

Category set to teuthology
Priority changed from Normal to Urgent

#2 Updated by Sebastian Wagner about 2 months ago

https://pulpito.ceph.com/swagner-2021-01-06_08:53:53-rados:cephadm-wip-swagner-testing-2021-01-05-1550-distro-basic-smithi/5759671/

#3 Updated by David Galloway about 2 months ago

Sebastian Wagner wrote:

https://pulpito.ceph.com/swagner-2021-01-06_08:53:53-rados:cephadm-wip-swagner-testing-2021-01-05-1550-distro-basic-smithi/5759671/

This is not the same thing

#4 Updated by David Galloway about 2 months ago

Status changed from New to Fix Under Review
Assignee set to David Galloway

I believe this is resolved. I'm not sure why but just restarting the mirror seemed to take care of it. I know the previous container was using the correct certificate though.

#5 Updated by Sebastian Wagner about 2 months ago

Hm. I can still the the error:

https://pulpito.ceph.com/swagner-2021-01-07_14:03:38-rados:cephadm-wip-swagner-testing-2021-01-07-1213-distro-basic-smithi/5762634

2021-01-08T12:40:46.647 INFO:tasks.workunit.client.0.smithi165.stderr:Non-zero exit code 125 from /usr/bin/podman run --rm --ipc=host --net=host --entrypoint ceph -e CONTAINER_IMAGE=docker.io/ceph/daemon-base:latest-octopus -e NODE_NAME=smithi165 docker.io/ceph/daemon-base:latest-octopus --version
2021-01-08T12:40:46.648 INFO:tasks.workunit.client.0.smithi165.stderr:ceph: stderr Trying to pull docker.io/ceph/daemon-base:latest-octopus...
2021-01-08T12:40:46.648 INFO:tasks.workunit.client.0.smithi165.stderr:ceph: stderr   toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit
2021-01-08T12:40:46.648 INFO:tasks.workunit.client.0.smithi165.stderr:ceph: stderr Error: Error initializing source docker://ceph/daemon-base:latest-octopus: (Mirrors also failed: [docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus: error pinging docker registry docker-mirror.front.sepia.ceph.com:5000: Get
 "https://docker-mirror.front.sepia.ceph.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0]): docker.io/ceph/daemon-base:latest-octopus: Error reading manifest latest-octopus in docker.io/ceph/daemon-base: toomanyrequests: You ha
ve reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

#6 Updated by David Galloway about 2 months ago

Ah. Okay. So this is because you're running podman on Bionic. ceph-cm-ansible isn't expecting this.

See
https://github.com/ceph/ceph-cm-ansible/blob/master/roles/container-host/vars/apt_systems.yml#L3
then
https://github.com/ceph/ceph-cm-ansible/blob/master/roles/container-host/tasks/main.yml#L31-L36

So the cert is getting installed at /etc/docker/certs.d but you're not using docker. Maybe I should just have the cert put in both places on all testnodes.

dgalloway@gibba008:~$ /usr/bin/podman run --rm --ipc=host --net=host --entrypoint ceph -e CONTAINER_IMAGE=docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus -e NODE_NAME=smithi184 docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus --version
Trying to pull docker-mirror.front.sepia.ceph.com:5000/ceph/daemon-base:latest-octopus...
Getting image source signatures
Copying blob 7a0437f04f83 done  
Copying blob bd6b109c913e done  
Copying config b4a42a2be8 done  
Writing manifest to image destination
Storing signatures
ceph version 15.2.8 (bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55) octopus (stable)

#11 Updated by Sage Weil 23 days ago

Status changed from Fix Under Review to Resolved

appears to be fixed!

Also available in: Atom PDF

Project

General

Profile

Ceph » Orchestrator

Issues

Tags

Custom queries