X509: certificate is valid for aicore.goldwind.com.cn, not registry.service.consul

When I executed hops__docker_registry.sh, I encountered an error:

Get https://registry.service.consul:4443/v2/: x509: certificate is valid for aicore.goldwind.com.cn, not registry.service.consul

aicore.goldwind.com.cn is the host name of the master node, and it is also an internal domain name for master node.

Some of the error messages are as follows:

Recipe: hops::docker_registry

  • remote_file[/tmp/chef-solo/registry_image.tar] action create_if_missing (skipped due to not_if)

  • bash[import_image] action run (skipped due to not_if)

  • file[/tmp/chef-solo/registry_image.tar] action delete (up to date)

  • bash[start_docker_registry] action run (skipped due to not_if)

  • template[/srv/hops/hadoop/bin/consul/registry-health.sh] action create (up to date)

  • consul_service[Registering Registry with Consul] action register

    • template[/srv/hops/consul/consul.d/registry-consul.hcl] action create (up to date)
    • systemd_unit[consul.service] action reload
      • reloading unit: consul.service
    • systemd_unit[consul.service] action restart (skipped due to only_if)
  • bash[download_images] action run (skipped due to not_if)

  • bash[import_images] action run

    • execute "bash" "/tmp/chef-script20210526-94255-v8iuf6"
  • bash[tag_images] action run

    • execute "bash" "/tmp/chef-script20210526-94255-2074oz"
  • bash[push_images] action run

    ================================================================================
    Error executing action run on resource 'bash[push_images]'

    Mixlib::ShellOut::ShellCommandFailed

    Expected process to exit with [0], but received '1'
    ---- Begin output of "bash" "/tmp/chef-script20210526-94255-ximmn3" ----
    STDOUT: The push refers to repository [registry.service.consul:4443/base]
    The push refers to repository [registry.service.consul:4443/python37]
    STDERR: Get https://registry.service.consul:4443/v2/: x509: certificate is valid for aicore.goldwind.com.cn, not registry.service.consul
    Get https://registry.service.consul:4443/v2/: x509: certificate is valid for aicore.goldwind.com.cn, not registry.service.consul
    ---- End output of "bash" "/tmp/chef-script20210526-94255-ximmn3" ----
    Ran "bash" "/tmp/chef-script20210526-94255-ximmn3" returned 1

    Resource Declaration:

    In /tmp/chef-solo/cookbooks/hops/recipes/docker_registry.rb

    144: bash "push_images" do
    145: user "root"
    146: code <<-EOF
    147: docker push #{registry_address}/#{base_image}
    148: docker push #{registry_address}/#{base_image_python}
    149: EOF
    150: end
    151:
    152: #delete tar
    153: file "#{Chef::Config['file_cache_path']}/#{base_filename}" do
    154: action :delete
    155: only_if { File.exist? "#{Chef::Config['file_cache_path']}/#{base_filename}" }
    156: end
    157:
    158: # We add docker in kagent in this recipe as the hops::docker recipe runs during the install phase and it might run
    159: # before kagent::install
    160: service_name='docker'
    161: if node['kagent']['enabled'] == "true"
    162: kagent_config service_name do
    163: service "docker"
    164: end
    165: end
    166:
    167: if conda_helpers.is_upgrade
    168: kagent_config service_name do
    169: action :systemd_reload
    170: end
    171: end

    Compiled Resource:

    Declared in /tmp/chef-solo/cookbooks/hops/recipes/docker_registry.rb:144:in `from_file'

    bash("push_images") do
    action [:run]
    default_guard_interpreter :default
    command nil
    backup 5
    interpreter "bash"
    declared_type :bash
    cookbook_name "hops"
    recipe_name "docker_registry"
    user "root"
    code " docker push registry.service.consul:4443/base:2.0.0\n docker push registry.service.consul:4443/python37:2.0.0\n"
    domain nil
    end

    System Info:

    chef_version=14.10.9
    platform=centos
    platform_version=7.9.2009
    ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]
    program_name=/bin/chef-solo
    executable=/opt/chefdk/bin/chef-solo

Has anyone ever had this problem? Any comments will be much appreciated.

@Freeman - What does your /etc/docker/daemon.json look like? We give it a certificate, but we also add it to the list of insecure-registries as the certificate is signed by the Hopsworks internal CA. See:

[root@hopsworks0 vagrant]# cat /etc/docker/daemon.json 
{
    "graph": "/srv/hops/docker",
    "exec-opts": ["native.cgroupdriver=cgroupfs"],
    "log-driver": "json-file",
    "log-opts": {
      "max-size": "100m"
    },
    "storage-driver":  "overlay2",
    "insecure-registries" : ["registry.service.consul:4443"]
}

It might be that you already had docker installed on the machine, and the configuration is different.
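
The check behind the error and the effect of the `insecure-registries` entry, as an added example that is not part of the original posts or the Hopsworks cookbook. The certificate is a constructed self-signed stand-in, `sample_cert`, `diagnose_push` and the two daemon.json strings are hypothetical, and only name matching is modelled (no chain validation).

```ruby
require 'json'
require 'openssl'

# Constructed stand-in for the registry's certificate: self-signed, one DNS SAN.
def sample_cert(dns_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# True when daemon.json lists the registry (host:port) under insecure-registries.
def insecure_registry?(daemon_json, registry)
  JSON.parse(daemon_json).fetch('insecure-registries', []).include?(registry)
end

# Hypothetical helper: predicts how a push to `registry` is treated.
# The name in the certificate is compared with the host the client dialled;
# for a registry listed as insecure, Docker ignores the certificate error.
def diagnose_push(cert, registry, daemon_json)
  host = registry.split(':').first
  return :name_matches if OpenSSL::SSL.verify_certificate_identity(cert, host)
  insecure_registry?(daemon_json, registry) ? :mismatch_ignored : :x509_name_mismatch
end

REGISTRY = 'registry.service.consul:4443'
# Constructed daemon.json without the entry, and one carrying the entry shown above.
WITHOUT_ENTRY = '{"storage-driver": "overlay2"}'
WITH_ENTRY    = '{"storage-driver": "overlay2", ' \
                '"insecure-registries": ["registry.service.consul:4443"]}'

if __FILE__ == $PROGRAM_NAME
  cert = sample_cert('aicore.goldwind.com.cn')
  puts diagnose_push(cert, REGISTRY, WITHOUT_ENTRY)
  puts diagnose_push(cert, REGISTRY, WITH_ENTRY)
end
```

A certificate whose SAN covers `registry.service.consul` returns `:name_matches` without the daemon.json entry.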

Hi @Fabio,
Thank you very much for your help.

Now I remember that I had modified the file /etc/docker/daemon.json. According to your suggestion, I added "insecure-registries" : ["registry.service.consul:4443"] to daemon.json and restarted Docker, and this issue was solved.

BTW, could you please help me with this issue? Error executing action `create_as_superuser` on resource 'hops_hdfs_directory[/tmp]' . Your help would be greatly appreciated.