[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Certificate Problem?



can you create a pod, exec into it, and then try pinging the master
(to verify the pods can reach back to the master)?

On Thu, Aug 20, 2015 at 6:17 PM, Justin Wood <justin wood sixtree co nz> wrote:
> Yes.  I also get a successful answer from on the URL that’s timing out
>
> [root node1 ~]# curl -k https://master.example.com:8443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:anonymous\" cannot get replicationcontrollers in project \"default\"",
>   "reason": "Forbidden",
>   "details": {
>     "name": "docker-registry-1",
>     "kind": "replicationcontrollers"
>   },
>   "code": 403
>
> I’m looking for a way to bump the login level up.
>
> Justin
>
>> On 21/08/2015, at 10:04 am, Clayton Coleman <ccoleman redhat com> wrote:
>>
>> Does master.example.com resolve from your node?  Is the IP address the
>> same as your master instance?
>>
>> On Thu, Aug 20, 2015 at 5:48 PM, Justin Wood <justin wood example co nz> wrote:
>>> Ok here’s what I get.
>>>
>>> [root master ~]# oc logs docker-registry-1-deploy
>>> F0820 17:35:02.953324       1 deployer.go:64] couldn't get deployment default/docker-registry-1: Get https://master.example.com:8443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1: dial tcp: i/o timeout
>>>
>>> [root master ~]# oc get pods
>>> NAME                       READY     STATUS         RESTARTS   AGE
>>> docker-registry-1-deploy   0/1       ExitCode:255   0          3m
>>>
>>>
>>> Aug 21 09:14:18 master.example.com openshift-master[1466]: 2015/08/21 09:14:18 etcdserver: saved snapshot at index 20002
>>> Aug 21 09:34:31 master.example.com openshift-master[1466]: I0821 09:34:31.317638 1466 controller.go:72] Ignoring change for DeploymentConfig default/docker-registry:1; no existing Deployment found
>>> Aug 21 09:34:31 master.example.com openshift-master[1466]: I0821 09:34:31.702437 1466 factory.go:214] About to try and schedule pod docker-registry-1-deploy
>>> Aug 21 09:34:31 master.example.com openshift-master[1466]: I0821 09:34:31.703204 1466 factory.go:312] Attempting to bind docker-registry-1-deploy to node1.example.com
>>> Aug 21 09:34:33 master.example.com openshift-master[1466]: I0821 09:34:33.492440    1466 controller.go:85] Ignoring DeploymentConfig change for default/docker-registry:1 (latestVersion=1); same as Deployment default/docker-registry-1
>>>
>>> I took the firewall on node1 down, just for good measure and tried again, but got the same result
>>>
>>> Justin
>>>
>>>> On 21/08/2015, at 9:31 am, Clayton Coleman <ccoleman redhat com> wrote:
>>>>
>>>> Hrm, the TLS error may be a red herring.  Pull the logs for the deploy
>>>> pod - oc logs docker-registry-1-deploy
>>>>
>>>> On Thu, Aug 20, 2015 at 5:29 PM, Justin Wood <justin wood example co nz> wrote:
>>>>> Thanks Clayton.  This is what I have
>>>>>
>>>>> ...
>>>>> serviceAccountConfig:
>>>>> managedNames:
>>>>> - default
>>>>> - builder
>>>>> - deployer
>>>>> masterCA: ca.crt
>>>>> privateKeyFile: serviceaccounts.private.key
>>>>> publicKeyFiles:
>>>>> - serviceaccounts.public.key
>>>>> servingInfo:
>>>>> bindAddress: 0.0.0.0:8443
>>>>> certFile: master.server.crt
>>>>> clientCA: ca.crt
>>>>> keyFile: master.server.key
>>>>> maxRequestsInFlight: 500
>>>>> requestTimeoutSeconds: 3600
>>>>> …
>>>>>
>>>>> and I was running the command as system:admin
>>>>>
>>>>> [root master ~]# oc whoami
>>>>> system:admin
>>>>>
>>>>>
>>>>> Cheers
>>>>> Justin
>>>>>
>>>>>> On 21/08/2015, at 8:40 am, Clayton Coleman <ccoleman redhat com> wrote:
>>>>>>
>>>>>> Hrm, check that you have "masterCA" set under the serviceAccountConfig field in your master-config.yaml
>>>>>>
>>>>>> On Thu, Aug 20, 2015 at 4:05 PM, Justin Wood <justin wood example co nz> wrote:
>>>>>> Hi All
>>>>>>
>>>>>> I just did a fresh install of OpenShift using this guide
>>>>>>
>>>>>> https://docs.openshift.com/enterprise/3.0/admin_guide/install/advanced_install.html
>>>>>>
>>>>>> and everything comes up as it should but when I try to deploy a registry it fails
>>>>>>
>>>>>> The logs indicate that I need to address some certificate issue.   Where do I had trusted certs configure it to just use plain http?
>>>>>>
>>>>>> Here are the logs
>>>>>>
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [676ns] [676ns] About to list directory
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [819.978876ms] [819.9782ms] List extracted
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [819.989248ms] [10.372µs] List filtered
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [819.989814ms] [566ns] END
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: I0820 19:26:18.298101    1466 trace.go:57] Trace "List *api.PodList" (started 2015-08-20 19:26:17.394538848 +1200 NZST):
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [490ns] [490ns] About to list directory
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [903.534372ms] [903.533882ms] List extracted
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [903.537414ms] [3.042µs] List filtered
>>>>>> Aug 20 19:26:18 master.example.com openshift-master[1466]: [903.537779ms] [365ns] END
>>>>>> Aug 20 19:26:19 master.example.com openshift-master[1466]: I0820 19:26:19.363015    1466 common.go:66] Self IP: 172.16.63.129.
>>>>>> Aug 20 19:29:50 master.example.com openshift-master[1466]: I0820 19:29:50.900598 1466 controller.go:72] Ignoring change for DeploymentConfig default/docker-registry:1; no existing Deployment found
>>>>>> Aug 20 19:29:51 master.example.com openshift-master[1466]: I0820 19:29:51.014624    1466 factory.go:214] About to try and schedule pod docker-registry-1-deploy
>>>>>> Aug 20 19:29:51 master.example.com openshift-master[1466]: I0820 19:29:51.014842    1466 factory.go:312] Attempting to bind docker-registry-1-deploy to node1.example.com
>>>>>> Aug 20 19:30:21 master.example.com openshift-master[1466]: I0820 19:30:21.843904 1466 controller.go:85] Ignoring DeploymentConfig change for default/docker-registry:1 (latestVersion=1); same as Deployment default/docker-registry-1
>>>>>> Aug 20 19:32:22 master.example.com openshift-master[1466]: I0820 19:32:22.844859 1466 controller.go:85] Ignoring DeploymentConfig change for default/docker-registry:1 (latestVersion=1); same as Deployment default/docker-registry-1
>>>>>>
>>>>>> Aug 20 19:33:35 master.example.com openshift-master[1466]: 2015/08/20 19:33:35 http: TLS handshake error from 172.16.63.129:56385: remote error: unknown certificate authority
>>>>>>
>>>>>> Aug 20 19:34:23 master.example.com openshift-master[1466]: I0820 19:34:23.951961 1466 controller.go:85] Ignoring DeploymentConfig change for default/docker-registry:1 (latestVersion=1); same as Deployment default/docker-registry-1
>>>>>> Aug 20 19:36:24 master.example.com openshift-master[1466]: I0820 19:36:24.873571 1466 controller.go:85] Ignoring DeploymentConfig change for default/docker-registry:1 (latestVersion=1); same as Deployment default/docker-registry-1
>>>>>> Aug 20 19:37:03 master.example.com openshift-master[1466]: I0820 19:37:03.750158    1466 replication_controller.go:370] Replication Controller has been deleted default/docker-registry-1
>>>>>> Aug 20 19:37:21 master.example.com openshift-master[1466]: I0820 19:37:21.932608    1466 controller.go:72] Ignoring change for DeploymentConfig default/docker-registry:1; no existing Deployment found
>>>>>>
>>>>>> Cheers
>>>>>> Justin
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> users lists openshift redhat com
>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Clayton Coleman | Lead Engineer, OpenShift
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Clayton Coleman | Lead Engineer, OpenShift
>>>
>>
>>
>>
>> --
>> Clayton Coleman | Lead Engineer, OpenShift
>



-- 
Clayton Coleman | Lead Engineer, OpenShift


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]