Trouble with insecure_registries #2193
Comments
sebastian-philipp
changed the title
|
@sebastian-philipp Thanks for opening this issue. I think we need to fix up the docs cc: @mtrmac @vrothberg |
|
Can you clarify precisely
(and if you tried multiple things, which all failed differently, which configurations correspond to which failures), please? Is it using HTTP or HTTPS (TLS), and on which port is it serving the content? The report seems to say that there is an untrusted TLS-protected registry on …122.1:443, the configuration sets …122.1:443 as insecure, and the request is for an image hosted at …122.1:443; at a first glance that should all match and be treated as TLS not enforced; OTOH I’ve never seen the quoted “cannot validate certificate for 192.168.122.1 because it doesn't contain any IP SANs”, that could be some unexpected code path that behaves differently or outright incorrectly. At the moment it is, at least, unclear whether this is a bug/user error/documentation error. (How this should work: for non-CIDR OTOH the CIDR match code completely ignores ports, so using it may bypass some port mismatches between request/configuration. But, again, AFAICT your configuration has all three matching, so this should not be making a difference.) |
|
Ok, after the weekend, I was able to create an insecure registry quite easily. I guess three things went wrong last week: My first error was a definitely my fault: I used something like this to add the registry: echo 'insecure_registries = ["192.168.122.1"]' >> /etc/crio/crio.confWhich obviously doesn't work, as the config file is grouped in sections. The second problem was being mislead by "List of registries to skip TLS verification for pulling images." in the documentation, which lead me to believe that cri-o only supports HTTPS registries (certificate verified and unverified). So, I cannot say, if And finally: As of today, I don't know if |
|
@sebastian-philipp it seems by your comment that this issue is fixed. as such, I'm closing this. please reopen if you disagree |
Trouble with insecure_registries in the conf
(this is an extract of an irc log. sorry for being a bit unstructured)
I guess this is mainly a documentation bug or a user error.
adding
insecure_registries = ["192.168.122.1"]to /etc/crio/crio.conf . Did not work for me.Also
insecure_registries = ["192.168.122.1:443"]did not work, as I was gettingThe documentation did not mention that crio is supposed to try HTTP, that's why I originally removed my HTTP registry on port 5000 with a self-signed registry on 443. According to the sources, it in fact does try http.
My crio.conf that didn't worked: https://paste.opensuse.org/view//27932805
Finally I've tried
192.0.0.0/8which actually works.Steps to reproduce the issue:
1.
2.
3.
Describe the results you received:
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
Output of
crio --version:1.13.1
Additional environment details (AWS, VirtualBox, physical, etc.):
The text was updated successfully, but these errors were encountered: