Cannot install windows in airgap using private registry #1648

Closed
rancher-max opened this issue Aug 13, 2021 · 2 comments
Labels
area/windows kind/bug Something isn't working

Comments

@rancher-max (Contributor)

Environmental Info:
RKE2 Version:

v1.21.3-rc5+rke2r2

Node(s) CPU architecture, OS, and Version:

```
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerDatacenter
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 7/24/2021 6:08:30 AM
WindowsProductId                                        : 00430-00000-00000-AA230
WindowsProductName                                      : Windows Server 2019 Datacenter
WindowsRegisteredOrganization                           : Amazon.com
WindowsRegisteredOwner                                  : EC2
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
```

Cluster Configuration:

1 airgapped server node (using calico and strictaffinity); trying to add 1 Windows agent, which fails

Describe the bug:

Windows fails to install in an airgap environment when using the private registry. Error shown is:

```
PS C:\Users\Administrator> rke2 agent
I0813 20:49:24.471957    2804 ipsec_windows.go:20] ipsec is not supported on this platform
time="2021-08-13T20:49:24Z" level=warning msg="not running in CIS mode"
time="2021-08-13T20:49:24Z" level=info msg="Starting rke2 agent v1.21.3-rc5+rke2r2 (fca5af9e52c5b0969c520a1a6320b3a5c93f8909)"
time="2021-08-13T20:49:24Z" level=info msg="Running load balancer 127.0.0.1:6444 -> [172.31.7.42:9345]"
time="2021-08-13T20:49:44Z" level=info msg="Running load balancer 127.0.0.1:6443 -> [172.31.7.42:6443]"
time="2021-08-13T20:49:45Z" level=error msg="Failed to write C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\rke2-resolv.conf: open C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\rke2-resolv.conf: Access is denied."
time="2021-08-13T20:49:45Z" level=info msg="Checking local image archives in C:\\var\\lib\\rancher\\rke2\\agent\\images for index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2"
time="2021-08-13T20:49:45Z" level=error msg="Failed to load runtime image index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2: no local image available for index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2: not found in any file in C:\\var\\lib\\rancher\\rke2\\agent\\images: image not found"
time="2021-08-13T20:49:45Z" level=info msg="Checking local image archives in C:\\var\\lib\\rancher\\rke2\\agent\\images for index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2"
time="2021-08-13T20:49:45Z" level=error msg="Failed to load runtime image index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2: no local image available for index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2: not found in any file in C:\\var\\lib\\rancher\\rke2\\agent\\images: image not found"
time="2021-08-13T20:49:45Z" level=info msg="Using private registry config file at /etc/rancher/rke2/registries.yaml"
time="2021-08-13T20:49:45Z" level=info msg="Pulling runtime image index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2"
time="2021-08-13T20:49:45Z" level=fatal msg="failed to get runtime image index.docker.io/rancher/rke2-runtime:v1.21.3-rc5-rke2r2: Get \"https://<redacted_registry>/v2/\": failed to get TLS config for endpoint <redacted_registry>: failed to get system cert pool: crypto/x509: system root pool is not available on Windows"
```

Steps To Reproduce:

  • Install an airgapped server node with calico as the CNI
  • Set up the registries.yaml tarball in C:\etc\rancher\rke2\ on the Windows airgapped node:

```yaml
---
mirrors:
  docker.io:
    endpoint:
      - https://<redacted_registry>
  k8s.gcr.io:
    endpoint:
      - https://<redacted_registry>
configs:
  <redacted_registry>:
    auth:
      username: <redacted_username>
      password: <redacted_password>
    tls:
      cert_file: C:\Users\Administrator\certs\cert.pem
      key_file:  C:\Users\Administrator\certs\key.pem
      ca_file: C:\Users\Administrator\certs\ca.pem
```

  • Set up the config.yaml file with the correct server and token
  • Run rke2 agent

Expected behavior:

rke2 should install correctly

Actual behavior:

See the error at the end of the logs posted: failed to get system cert pool: crypto/x509: system root pool is not available on Windows. I believe this might be an issue with containerd?

Additional context / logs:

N/A

@rancher-max rancher-max self-assigned this Mar 24, 2022
@rancher-max (Contributor, Author)

Validated in v1.21.11-rc6+rke2r1, v1.22.8-rc6+rke2r1, and v1.23.5-rc5+rke2r1

  • Windows can now be installed in an airgap environment using the private registry method
  • Confirmed that the install is successful on both Windows 2022 and Windows 2019 servers.
  • My steps were:
    1. Start an airgapped server node running calico pointing to a private registry
    2. Join an airgapped linux agent node
    3. Set up the windows node to use the private registry:
       a. Trust the cert on the node: `Import-Certificate -FilePath "C:\Users\Administrator\ca.pem" -CertStoreLocation cert:\CurrentUser\Root`
       b. Set up `c:\etc\rancher\rke2\config.yaml` to have the server and token information to join
       c. Set up `c:\etc\rancher\rke2\registries.yaml` to have the proper mirror(s) and config(s).
    4. Run `rke2.exe agent`
