Pass insecure option to docker

[Chetna Khullar]

Hi all,

We are getting certificate error in docker logs while trying to talk to a registry over SSL, would like to pass --insecure-registry option to docker. 

Error message in docker.service logs:

level=info msg="Graph migration to content-addressability took 0.00 se

level=info msg="Firewalld running: false"

level=info msg="Loading containers: start."

level=info msg="Loading containers: done."

level=info msg="Daemon has completed initialization"

level=error msg="Handler for GET /images/gcr.io/google_containers/pause-amd64:3.0/json returned error: No such image: gcr.io/google_containers/pause-amd64:3.0"

level=error msg="Download failed, retrying: x509: certificate signed by unknown authority"

Is there any way to pass extra options to the docker daemon? The default unit file is not editable. The docker unit file pulls some env variables from /run/flannel_docker_opts.env but that file is not editable either.

Thanks!

[Rob Szumski]

Yes, check out this doc: https://coreos.com/os/docs/latest/registry-authentication.html#using-a-registry-without-ssl-configured

Be sure to do a `systemctl daemon-reload` and then `systemctl restart docker`

 - Rob

--
You received this message because you are subscribed to the Google Groups "CoreOS User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Chetna Khullar]

Thanks Rob. Will give it a try.

[Rob Szumski]

Also, I’m skeptical that Google’s registry is actually returning an error, however. You might need some more investigation.

[Chetna Khullar]

Thanks Rob. 

I am trying to create a Kubernetes bay based on coreOS. In order to inculcate the changes, the change has to be made in the cloud-config.yml file under /usr/share/oem/ on the master node.  I am not able to find the file that would write this cloud-config.yml so that I can make changes in it. Could you please advise on the same.

Thanks.

[Rob Szumski]

What platform are you deploying CoreOS on? I assume Google Compute Engine since you’re using GCR?

On cloud providers you specify your cloud-config in “user data”, which is stored by the cloud-provider and sent to the instance when it boots. This means you can easily autoscale a group of machines and have them all get configured the same way.

For bare metal, there are other ways of providing it. The “OEM” that you referenced, is a configuration for each provider, like Amazon, VMware, etc. This isn’t typically edited by end users, but it can be.

For GCE, check out this API call that has the “metadata-from-file” parameter set.

For all of the cloudconfig locations check this doc.

 - Rob

[Chetna Khullar]

Thanks Rob. In this case, I am deploying coreOS on VM and I am aiming to edit the cloud config file before the VM boots. The whole scenario is that I have a docker container in which I create a Kubernetes bay and the VM is created having coreOS in which I would be running Kubernetes pods. 

Thanks.

[Rob Szumski]

How are you running your VM — qemu, VMware, Vagrant, etc? Each of these have a slightly different way of passing in user-data.

[Chetna Khullar]

In our case, the hypervisor is KVM + qemu. 

Thanks!

[Alex Crawford]

On 08/26, Chetna Khullar wrote:
> In our case, the hypervisor is KVM + qemu.

You can use a config-drive with QEMU to pass the cloud-config through to
the VM. Check out the qemu.sh script [1] for an example. Also, as of
CoreOS 1151.0.0, Ignition supports the QEMU configuration device [2].

-Alex

[1]: https://github.com/coreos/scripts/blob/a761a05db008b1af75f964d456564dbe26fb2eaf/build_library/qemu_template.sh#L152
[2]: https://github.com/qemu/qemu/blob/d75aa4372f0414c9960534026a562b0302fcff29/docs/specs/fw_cfg.txt