Bug 1353223

Summary: Internal Docker Registry certificate expires when the Vagrant box halts
Product: Container Development Kit (CDK)
Component: vms
Reporter: Ramón Román Nissen <rromanni>
Assignee: Lalatendu Mohanty <lmohanty>
QA Contact: Ondřej Pták <optak>
Status: NEW
Severity: high
Priority: unspecified
Version: unspecified
CC: jgreguske, kanderso, rromanni, timoran
Target Milestone: beta4
Target Release: 2.0
Hardware: x86_64
OS: All
Type: Bug

Description Ramón Román Nissen 2016-07-06 14:52:46 UTC
Description of problem:

Certificate for the internal Docker Registry expires when the Vagrant box is halted. This behavior didn't happen on release 2.0.0.


Version-Release number of selected component (if applicable):

2.1.0 (Not available on the Version list)


How reproducible:

Get certificates from the internal Docker Registry and use them to configure a Docker Host. Perform a successful login. Halt the Vagrant box. Bring it up again and repeat the login to the registry.

Steps to Reproduce:

1. Start a fresh box with vagrant up after getting the image (can be reproduced with both the VirtualBox and libvirt images)

2. Get the certificate from the Internal Docker Registry (ssh into the box, docker cp the registry.crt from /etc/secrets on the registry container, and then copy the certificate to whatever Docker host you want to use for registry login under /etc/docker/certs.d/<registry_hostname>)

3. Login using the OSE cli:

[rroman@localhost rhel-ose]$ oc login
Authentication required for https://10.1.2.2:8443 (openshift)
Username: admin
Password:
Login successful.

4. Get the token and use it to login to the Internal Docker Registry

[rroman@localhost rhel-ose]$ oc whoami -t
guQEZZJ0C_W9Lm2jAjUdqI7qfoSWsAF3RKcflfj1AZg
[rroman@localhost rhel-ose]$ docker login -u admin -p guQEZZJ0C_W9Lm2jAjUdqI7qfoSWsAF3RKcflfj1AZg hub.openshift.rhel-cdk.10.1.2.2.xip.io
Login Succeeded

5. Halt the Vagrant box:

[rroman@localhost rhel-ose]$ vagrant halt
==> default: Unregistering box with vagrant-registration...
==> default: Halting domain...
[rroman@localhost rhel-ose]$ vagrant status
Current machine states:

default                   shutoff (libvirt)


6. Start the Vagrant box again:

[rroman@localhost rhel-ose]$ vagrant up
Bringing machine 'default' up with 'libvirt' provider...
==> default: Starting domain.
==> default: Waiting for domain to get an IP address...
==> default: Waiting for SSH to become available...
==> default: Creating shared folders metadata...
==> default: Registering box with vagrant-registration...
    default: Would you like to register the system now (default: yes)? [y|n]yes
    default: username: rromanni
    default: password:
==> default: Copying TLS certificates to /home/rroman/cdk210/components/rhel/rhel-ose/.vagrant/machines/default/libvirt/docker
==> default: Rsyncing folder: /home/rroman/cdk210/components/rhel/rhel-ose/ => /vagrant
==> default: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> default: flag to force provisioning. Provisioners marked to run always will still run.
==> default: Running provisioner: shell...
    default: Running: inline script
==> default: Running provisioner: shell...
    default: Running: inline script
==> default:
==> default: Successfully started and provisioned VM with 2 cores and 3072 MB of memory.
==> default: To modify the number of cores and/or available memory set the environment variables
==> default: VM_CPU respectively VM_MEMORY.
==> default:
==> default: You can now access the OpenShift console on: https://10.1.2.2:8443/console
==> default:
==> default: To use OpenShift CLI, run:
==> default: $ vagrant ssh
==> default: $ oc login 10.1.2.2:8443
==> default:
==> default: Configured users are (<username>/<password>):
==> default: openshift-dev/devel
==> default: admin/admin
==> default:
==> default: If you have the oc client library on your host, you can also login from your host.

7. Repeat the oc login/registry login steps:

[rroman@localhost rhel-ose]$ oc login
Authentication required for https://10.1.2.2:8443 (openshift)
Username: admin
Password:
Login successful.
[...]
[rroman@localhost rhel-ose]$ oc whoami -t
le7zhEWvmWyaLfRo5uP4QQ9EVeR-4wMRAwKYzRYNf1E
[rroman@localhost rhel-ose]$ docker login -u admin -p le7zhEWvmWyaLfRo5uP4QQ9EVeR-4wMRAwKYzRYNf1E hub.openshift.rhel-cdk.10.1.2.2.xip.io
Error response from daemon: Get https://hub.openshift.rhel-cdk.10.1.2.2.xip.io/v1/users/: x509: certificate has expired or is not yet valid



Actual results:

Error from Internal Docker Registry

Error response from daemon: Get https://hub.openshift.rhel-cdk.10.1.2.2.xip.io/v1/users/: x509: certificate has expired or is not yet valid


Expected results:

Successful login

Additional info:

The capability to log in to the registry and push images to it is key for customer demos on Continuous Delivery pipelines external to OSE.
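
Added example (not part of the original report or of the CDK's code): the error text in step 7 is the single message Go's crypto/x509 verifier returns for any validity-window failure, so by itself it does not say whether the certificate is past NotAfter or the verifying clock is before NotBefore. The sketch below verifies a pinned self-signed certificate at different clock times and labels which case applies; the hostname registry.example.test, the dates and the SAN-only certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed, SAN-only self-signed certificate for host.
func selfSigned(host string, from, to time.Time) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: from, NotAfter: to}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// diagnose verifies served against the pinned copy as of now and names the failure class.
func diagnose(served, pinned *x509.Certificate, host string, now time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	_, err := served.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	switch {
	case err == nil:
		return "ok"
	case now.Before(served.NotBefore):
		return "not yet valid: " + err.Error()
	case now.After(served.NotAfter):
		return "expired: " + err.Error()
	}
	return "other: " + err.Error()
}

func main() {
	host, t0 := "registry.example.test", time.Date(2016, 7, 6, 12, 0, 0, 0, time.UTC)
	pinned, err := selfSigned(host, t0, t0.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(diagnose(pinned, pinned, host, t0.Add(-time.Hour)))   // clock behind NotBefore
	fmt.Println(diagnose(pinned, pinned, host, t0.Add(48*time.Hour))) // clock past NotAfter
}
```

Passing a second, freshly generated certificate as `served` while keeping the old one as `pinned` is reported as `other` with an unknown-authority error, a different message from the one in this report.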