Admiral can't pull images from insecure registry (harbor) when creating a container using VIC-E #4706

Open
hmahmood opened this issue Apr 11, 2017 · 7 comments

Comments

@hmahmood
Contributor

hmahmood commented Apr 11, 2017

While creating a container through the Admiral UI with VIC-E as the only docker host, I get the following error:

Service https://10.192.82.84:2376/v1.21/images/create?fromImage=10.192.92.136:443/library/alpine:latest returned error 500 for POST. id 129958; Reason: Head https://10.192.92.136:443/v2/: x509: certificate signed by unknown authority

I created my VCH with --insecure-registry <harbor-ip>, i.e. without specifying the port. Looking at the code path (https://github.com/vmware/vic/blob/master/lib/apiservers/engine/backends/image.go#L372), I see that we are matching the hostname we get from the create image request with the ip/host specified in the --insecure-registry option above; they don't match because the latter has the port missing.

Workaround: specify the port when using --insecure-registry vic-machine option.

@stuclem stuclem added the impact/doc/note Requires creation of or changes to an official release note label Apr 12, 2017
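
Added example, not part of the original issue and not VIC's own code: a Go sketch of the comparison described in the opening comment, where an `--insecure-registry` entry without a port fails to match the `host:port` taken from the image reference, next to a port-normalizing comparison. The function names, the default port of 443 and the simplified reference parsing are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// defaultPort is an assumption: a host written without a port means HTTPS on 443.
const defaultPort = "443"

// registryHost returns the text before the first "/" (simplified: assumes a registry prefix).
func registryHost(ref string) string { return strings.SplitN(ref, "/", 2)[0] }

// canonical rewrites "host" or "host:port" as lower-case "host:port".
func canonical(hostport string) string {
	host, port, err := net.SplitHostPort(hostport)
	if err != nil { // no port given, e.g. "10.192.92.136" or "[::1]"
		host, port = hostport, defaultPort
	}
	return net.JoinHostPort(strings.ToLower(strings.Trim(host, "[]")), port)
}

// naiveMatch compares raw strings, so "host" never equals "host:443".
func naiveMatch(entries []string, host string) bool {
	for _, e := range entries {
		if e == host {
			return true
		}
	}
	return false
}

// normalizedMatch compares canonical forms. An entry without a port matches only
// defaultPort, so the TLS-verification exemption is not widened to other ports.
func normalizedMatch(entries []string, host string) bool {
	for _, e := range entries {
		if canonical(e) == canonical(host) {
			return true
		}
	}
	return false
}

func main() {
	entries := []string{"10.192.92.136"} // constructed: option value given without a port
	host := registryHost("10.192.92.136:443/library/alpine:latest")
	fmt.Println(naiveMatch(entries, host), normalizedMatch(entries, host))
}
```
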
@stuclem
Contributor

stuclem commented Apr 12, 2017

Sounds like a release note to me, @hmahmood. Adding the kind/note flag.

@hmahmood
Contributor Author

@stuclem yes; forgot to put that label on it yesterday.

@stuclem
Contributor

stuclem commented Apr 17, 2017

Proposed release note:


  • vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4557
    Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.

    Workaround: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create --insecure-registry option.


@hmahmood is this OK? One question: Since Registry always uses HTTPS and always uses a cert (custom or autogenerated) when deployed with the OVA, is this still an issue for vic-product?

@hmahmood
Contributor Author

hmahmood commented Apr 17, 2017

@stuclem this is an issue as long as the cert cannot be validated. The vic-machine create --registry-ca can be used to add a CA cert that was used to sign the registry's cert. If the cert cannot be validated, and the --insecure-registry option is used, the port has to be specified as Admiral always uses the port, even when it is the standard https port. So two workarounds:

  1. Specify the CA cert with --registry-ca, or
  2. Specify the port when using --insecure-registry

@stuclem
Contributor

stuclem commented Apr 20, 2017

Thanks @hmahmood. Updated as below:


  • vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4706
    Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.

    Workarounds: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create --insecure-registry option, or provide a CA certificate in the --registry-ca option.


Is this OK now? Thanks!

@hmahmood
Contributor Author

@stuclem looks good.

@stuclem
Contributor

stuclem commented Apr 25, 2017

Thanks @hmahmood

@stuclem stuclem removed the impact/doc/note Requires creation of or changes to an official release note label Apr 25, 2017