nydus
After configuring docker insecure-registries, when pulling an image, the following error occurs: 'failed to authorize: failed to fetch oauth token ...... failed to verify certificate: x509: certificate signed by unknown authority'.
root@nydus:~# nydusd --version
Version: v2.2.4
Git Commit: 1c9c819942ce6fb0b1ebf178df0b3966021ae6bb
Build Time: 2023-11-02T11:32:06.442899984Z
Profile: release
Rustc: rustc 1.66.1 (90743e729 2023-01-10)
root@nydus:~# containerd-nydus-grpc --version
Version: v0.13.3
Revision: 0dfc6a45217592e3ac7071634cd8e82ecb458eba
Go version: go1.19.6
Build time: 2023-10-19T06:12:58
root@nydus:~# docker info
Client: Docker Engine - Community
Version: 24.0.7
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.11.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.21.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 3
Server Version: 24.0.7
Storage Driver: nydus
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
runc version: v1.1.9-0-gccaecfc
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.0-40-generic
Operating System: Ubuntu 22.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.778GiB
Name: nydus
ID: 90d15f77-f5ce-4d59-b56b-f4b08a027682
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
192.168.220.127:5002
127.0.0.0/8
Live Restore Enabled: false
root@nydus:~# cat /etc/docker/daemon.json
{
  "features": {
    "containerd-snapshotter": true
  },
  "insecure-registries": ["https://192.168.220.127:5002"],
  "storage-driver": "nydus"
}
root@nydus:~# cat /etc/nydus/nydusd-config.json
{
  "device": {
    "backend": {
      "type": "registry",
      "config": {
        "scheme": "https",
        "host": "192.168.220.127:5002",
        "skip_verify": true,
        "auth": "YWRtaW46SGFyYm9yMTIzNDU=",
        "timeout": 5,
        "connect_timeout": 5,
        "retry_limit": 2
      }
    },
    "cache": {
      "type": "blobcache"
    }
  },
  "mode": "direct",
  "digest_validate": false,
  "iostats_files": false,
  "enable_xattr": true,
  "fs_prefetch": {
    "enable": true,
    "threads_count": 8,
    "merging_size": 1048576,
    "prefetch_all": true
  }
}
containerd config:
version = 2
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".tls]
    insecure_skip_verify = true
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".auth]
    identitytoken = "YWRtaW46SGFyYm9yMTIzNDU="
    #username = "admin"
    #password = "Harbor12345"
# Plug nydus snapshotter into containerd
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
root@nydus:~# docker login 192.168.220.127:5002
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@nydus:~# docker pull 192.168.220.127:5002/check/debian:stable
Error response from daemon: failed to resolve reference "192.168.220.127:5002/check/debian:stable": failed to authorize: failed to fetch oauth token: Post "https://192.168.220.127:5002/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
It seems the error is not related to nydus; it indicates that Docker's request to the registry token server did not skip TLS certificate validation.
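The certificate failure on the token request, reproduced offline as an added example (not code from Docker, containerd or nydus): a Go HTTPS client verifies against the trust roots in its own `tls.Config`, so the same endpoint fails with "certificate signed by unknown authority" under system roots and passes, with verification still on, once the issuing certificate is in that client's pool. The function names and token body are hypothetical, and the server uses the constructed test certificate shipped with `net/http/httptest`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTokenServer starts a local HTTPS stand-in for the registry token endpoint.
// Its certificate is httptest's constructed test cert, absent from system trust stores.
func newTokenServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"token":"constructed-sample"}`)
	}))
}

// fetchToken POSTs to /service/token, trusting system roots (ca == nil) or only ca.
func fetchToken(url string, ca *x509.Certificate) error {
	cfg := &tls.Config{} // RootCAs nil: fall back to the host's system roots
	if ca != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(ca)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Post(url+"/service/token", "application/x-www-form-urlencoded", nil)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the x509 failure quoted in the issue.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := newTokenServer()
	defer srv.Close()
	// System roots only: verification fails with the error class from the report.
	err := fetchToken(srv.URL, nil)
	fmt.Println("system roots:", err, "| unknown authority:", isUnknownAuthority(err))
	// Issuing certificate added to this client's pool: verification stays on and passes.
	fmt.Println("private CA trusted:", fetchToken(srv.URL, srv.Certificate()))
}
```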
Me too, the private certificate cannot be used.
When I don't use nydus and use native Docker configuration, there won't be authentication issues, but when I switch to nydus, the above problems will occur. This issue also occurs in the integration scenario with Dragonfly: if nydus is not deployed, it is normal to pull the private repository image of Dragonfly agent through Docker, but once nydus is deployed, authentication issues may also occur.
This issue is stale because it has been open 60 days with no activity.
This issue was closed because it has been stalled for 7 days with no activity.