Docker Community Forums


Integrating DTR with UCP Beta -- Troubleshooting


(Vivek Saraswat) #1

Hi folks,

The latest beta release for UCP (v0.8) added support for integrating with DTR 1.4.3. While we will provide more extensive information in the documentation for the full release, here are some troubleshooting tips for this process in the beta:

1): This requires DTR 1.4.3. Since the production version has not been released yet, you can download the tar file for the DTR 1.4.3 release candidate here (note this is not a supported version, just for testing with UCP beta purposes):

https://packages.docker.com/dtr/1.4/dtr-1.4.3-rc2.tar

2): You have to tell DTR to trust UCP - Run the following command on the primary UCP controller:

docker run --rm -it \
  --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/ucp:0.8.0 \
  dump-certs --swarm > /tmp/chain.pem

Now paste only the first PEM block from that file into the DTR configuration UI - https://$MYDTR/admin/settings/general - in the "Auth Bypass TLS Root CA" field.

3): If your DTR server cert is signed by a 3rd-party CA, theoretically you're done. If it's signed by a less popular CA, or self-signed, somehow you have to get your hands on the CA certificate and manually add that on every engine in your cluster using something like this:

mkdir -p /etc/docker/certs.d/mydtr.acme.com
cat - > /etc/docker/certs.d/mydtr.acme.com/ca.crt

(and paste in the CA certificate material - not the server certificate)

If you had problems with step #2, then you might see errors like this:

% docker push mydtr.acme.com/jdoe/myrepo:latest
The push refers to a repository [mydtr.acme.com/jdoe/myrepo]
5f70bf18a086: Preparing
2c84284818d1: Preparing
unauthorized: authentication required

If you had problems with step #3, you’ll see something like this when you try to push:

% docker push mydtr.acme.com/jdoe/myrepo:latest
The push refers to a repository [mydtr.acme.com/jdoe/myrepo]
unable to ping registry endpoint https://mydtr.acme.com/v0/
v2 ping attempt failed with error: Get https://mydtr.acme.com/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://mydtr.acme.com/v1/_ping: x509: certificate signed by unknown authority

Let us know if you have any issues with this.
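Added example, not part of the post above or of the UCP/DTR tooling: a few POSIX shell helpers for steps 2 and 3 that keep only the first PEM block of the dump-certs output, refuse to install anything that is not a CA certificate (the "not the server certificate" caveat), and check that what the registry actually serves chains to the installed ca.crt. The chain file, registry host and certs.d root are parameters; openssl and awk are assumed on PATH; the sample chain it writes is constructed, not a real certificate.

```shell
# Added example, not from the original post. Helpers for steps 2 and 3: keep only
# the first PEM block of the dump-certs chain, refuse to install anything that is
# not a CA under /etc/docker/certs.d/<host>/ca.crt, and verify the registry's
# served certificate against it. Assumes openssl and awk are on PATH.

# Print only the first BEGIN/END CERTIFICATE block of a file (the root CA is
# first in the dump-certs chain); every later block is dropped.
first_pem_block() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { if (!seen) inblock = 1 }
         inblock { print }
         /^-----END CERTIFICATE-----$/ && inblock { inblock = 0; seen = 1 }' "$1"
}

# Number of certificate blocks: 1 means a single cert, 2+ means the whole chain.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Succeed only if the certificate has basicConstraints CA:TRUE; a server (leaf)
# certificate installed as ca.crt will not cure "signed by unknown authority".
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Install CA file $1 for registry host $2 under certs.d root $3 (default
# /etc/docker/certs.d); this has to be repeated on every engine in the cluster.
install_registry_ca() {
    is_ca_cert "$1" || { echo "refusing: $1 is not a CA certificate" >&2; return 1; }
    mkdir -p "${3:-/etc/docker/certs.d}/$2" && cp "$1" "${3:-/etc/docker/certs.d}/$2/ca.crt"
}

# Fetch what registry host $1 serves on 443, print its SANs ("doesn't contain any
# IP SANs" means the name/IP you dial is not in the cert) and verify the chain.
verify_registry_against_ca() {
    served=$(mktemp) || return 1
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$served" || return 1
    openssl x509 -in "$served" -noout -ext subjectAltName
    openssl verify -CAfile "${2:-/etc/docker/certs.d}/$1/ca.crt" "$served"
}

# Constructed two-block sample chain (placeholder bodies, not real certificates)
# to exercise the text helpers offline.
write_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-CA-BLOCK
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SECOND-BLOCK
-----END CERTIFICATE-----
EOF
}
```

Typical use on an engine: `first_pem_block /tmp/chain.pem > /tmp/root.pem && install_registry_ca /tmp/root.pem mydtr.acme.com && verify_registry_against_ca mydtr.acme.com`.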


(Cajund) #2

Hi there,

I’m using the trial version of UCP and DTR, and I am getting the error noted in step #3. However, the error appears when trying to log in, not when pushing (I haven’t gotten that far). The certs that were generated for this trial were generated by the install itself. Can you provide the steps for installing the missing pieces? I can generate the two PEMs; is it the second one that should be placed on all of the nodes?

Thanks.


(Vivek Saraswat) #3

Hey cajund,

Quick question. Are you using the latest instructions on integration from the docs?

https://docs.docker.com/ucp/dtr-integration/

The instructions I gave above are similar but not exactly the same, as they were relevant for the old beta as opposed to the UCP 1.0 and DTR 1.4.3 (not release candidate).


(Cajund) #4

Yes, I was working from the page you mentioned. The only difference that I saw was the option to pull the cert (you had --swarm).

$ docker run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp dump-certs --cluster -ca

If you drop the ‘-ca’ you get both certs. But adding the second one to the file as indicated is not working. I wonder if there are host name issues in play. I am on an AWS instance, but I have a DNS entry for the DTR machine.

Or, I could be way off base. Thanks for your help.


(Alm. Brand Docker admins) #5

I noticed a typo in the docs in that it says to run

$ docker run --rm -it --name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp dump-certs  --cluster -ca > /tmp/cluster-root-chain.pem

The flag should be --ca instead of -ca. If by any chance like me you were installing without properly running the uninstall command first, you’ll also have to make sure to specify docker/ucp:1.0.0 as the image, as otherwise the implicit latest tag might refer to an older version.


(Cajund) #6

Thanks for the reply.

The single or double dashes don’t seem to make much difference. The cert looks the same. I was also installing from scratch, and only in the last week (since the announcement).

I’m following these instructions:

https://docs.docker.com/ucp/dtr-integration/

And I get stuck on Step 2.5, logging in to the DTR from the UCP machine. I’m wondering if there needs to be more configured. For example, only the DTR machine has a DNS entry. When installing, I was putting in the public IPs as SANs. This may not be correct, particularly considering that in the AWS environment it is the private IPs that are used for instances to talk to each other. Could this be a point of concern?

Thanks again.


(Cajund) #7

Here’s an example of my error:

Error response from daemon: invalid registry endpoint https://52.37.58.76/v0/: unable to ping registry endpoint https://52.37.58.76/v0/ v2 ping attempt failed with error: Get https://52.37.58.76/v2/: x509: cannot validate certificate for 52.37.58.76 because it doesn't contain any IP SANs v1 ping attempt failed with error: Get https://52.37.58.76/v1/_ping: x509: cannot validate certificate for 52.37.58.76 because it doesn't contain any IP SANs. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add "--insecure-registry 52.37.58.76" to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/52.37.58.76/ca.crt

That’s the public IP, the one that I used as a SAN when installing. But all versions (domain, public and private IPs) give the same error.


(Vivek Saraswat) #8

Hey cajund, we are making some updates to the DTR integration docs page which should make this process clearer. In the meantime here are a couple of things to try.

For the SANs, even when you use the DNS name itself do you run into the same error?

For step 3, in terms of getting the correct cert, try this command instead:

openssl s_client -host -port 443 </dev/null 2>/dev/null | openssl x509 -CAform PEM | tee /tmp/dtr.pem


(Cajund) #9

Hey cajund, we are making some updates to the DTR integration docs page which should make this process clearer. In the meantime here are a couple of things to try.

Thanks, happy to evaluate them for you.

For the SANs, even when you use the DNS name itself do you run into the same error?

I’m not 100% sure I can answer this question. The SAN is placed on the UCP, not the DTR. Since I am using the UCP to connect to the DTR, I’m unclear on how to tell the DTR to allow the connection from the UCP (assuming it is the DTR that is refusing the connection). It sounds possible that I need to regenerate the certs.

openssl s_client -host -port 443 /dev/null | openssl x509 -CAform PEM | tee /tmp/dtr.pem

That command is not working on my ubuntu box, but this one did:

openssl s_client -host 52.37.58.76 -port 443 | openssl x509 -CAform PEM

Taking the cert from that and placing it here:

/etc/docker/certs.d/52.37.58.76/ca.crt

Worked…


(Cajund) #10

I am not able to push the image to the DTR machine. I get a “Repository does not exist” error. Even when I manually create the repo in the web interface, the error persists.

I’m happy to continue to test this for you guys. I have plans to present this all to my company next week, so the more I have working the better. However, we should probably continue this conversation off-board. Please contact me directly using my email from the Hub account.

Thanks again.


(Adyanthaya17) #11

Hi,

I am facing a similar error when I try to test the DTR and UCP for integration. I get the error: "Repository does not exist"

Is there a way to fix it?


(Vivek Saraswat) #12

Did you follow the steps listed here: https://docs.docker.com/ucp/dtr-integration/

If so, at what step are you seeing the issue?

(The instructions in the forum post above are meant for the older beta).


(Adyanthaya17) #13

Yes, I have followed the same steps. I’m having an issue with Step 5, "Confirm the integration".

root@dtr:/home/oss# docker login dtr.example.net
Username (admin): admin
Password:
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

root@dtr:/home/oss# docker pull dtr.example.net/admin/hello_world
Using default tag: latest
Pulling repository dtr.example.net/admin/hello_world
Error: image admin/hello_world not found

My Image is in the UCP instance and I’m trying to pull it from there:
root@ucp:/home/oss# docker images
REPOSITORY                          TAG      IMAGE ID       CREATED      SIZE
dtr.example.net/admin/hello_world   test     94df4f0ce8a4   5 days ago   967 B
hello-world                         latest   94df4f0ce8a4   5 days ago   967 B

I’m able to push the image from the DTR to the DTR GUI to view into my repository.


(Vivek Saraswat) #14

I’m a bit confused. Are you attempting to push or pull images from UCP, or from DTR? The idea is to pull the image from DTR onto the UCP instances. If you already have the image on UCP then it wouldn’t try to pull from DTR.

Just to confirm: Did you:

  1. Pull the image to your local node
  2. Retag with docker tag hello-world dtr.example.net/admin/hello_world:test (replace test with your own tag of choice)
  3. Login to DTR
  4. Push the updated image to DTR? docker push dtr.example.net/admin/hello_world:test
  5. Then in UCP, ensure that you have deleted the image before attempting to pull again?