
Magnum with Kubernetes behind a firewall [closed]

asked 2017-08-21 22:09:39 -0500

Bernd Bausch

I am trying Magnum on a Newton cluster behind a firewall. I have a proxy server.

magnum cluster-template-create --http-proxy http://myproxy:myport --https-proxy https://myproxy:myport --coe kubernetes ...
magnum cluster-create .....
ssh fedora@kubemaster-IP
sudo journalctl -u kubelet

I find this error in the log:

manager.go:1894] Failed to create pod infra container: ErrImagePull; Skipping pod "kube-proxy-10.0.0.9_kube-system(04083247da2cb47383b8c7432da69cd0

and

pod_workers.go:125] Error syncing pod 04083247da2cb47383b8c7432da69cd0, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for gcr.io/google_containers/pause:2.0, this may be because there are no credentials on this request.  details: (unable to ping registry endpoint https://gcr.io/v0/\nv2 ping attempt failed with error: Get https://gcr.io/v2/: x509: certificate has expired or is not yet valid\n v1 ping attempt failed with error: Get https://gcr.io/v1/_ping: x509: certificate has expired or is not yet valid)"

After which the cluster is unusable, since it can't even set up the fundamental containers.

What puzzles me: I don't see the http-proxy environment variables anywhere on the kube-master. Not in /etc/environment, not in /etc/kubernetes. And I don't know where else to look. When I set http-proxy, I can curl http://gcr.io/google_containers/pause:2.0 without problems.

If it's really a certificate problem, I don't know where to start either.

Where should I check?


Closed for the following reason: the question is answered, right answer was accepted by Bernd Bausch
close date 2017-08-22 02:40:01.297375

1 answer


answered 2017-08-22 02:39:43 -0500

Bernd Bausch

updated 2017-08-22 02:40:51 -0500

It was a certificate problem.

The NTP server for my cluster sets a date a few months in the past. Thus, certificates from remote sites appear to have a future timestamp and are considered invalid. After correcting the date manually, I can use my Magnum cluster.

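Added example, not part of the original post: the root cause in the answer (a node clock months in the past makes current certificates look not yet valid) can be told apart from a genuinely bad certificate by checking the validity window against both the local clock and an independent time reference. The certificate dates, clock value and HTTP Date header below are constructed sample values, and `diagnose` is a hypothetical helper name.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Date format printed by `openssl x509 -noout -dates`
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_openssl_date(text):
    """Turn a notBefore/notAfter value into an aware UTC datetime."""
    return datetime.strptime(text.strip(), OPENSSL_FMT).replace(tzinfo=timezone.utc)

def diagnose(not_before, not_after, local_now, http_date,
             tolerance=timedelta(minutes=5)):
    """Classify a validity failure as a certificate problem or a clock problem.

    http_date is the Date header of any HTTP response, used as a time
    reference that does not depend on the local clock or its NTP source.
    """
    start, end = parse_openssl_date(not_before), parse_openssl_date(not_after)
    reference_now = parsedate_to_datetime(http_date)
    skew = local_now - reference_now

    def state(now):
        if now < start:
            return "not-yet-valid"
        return "expired" if now > end else "valid"

    local_state, reference_state = state(local_now), state(reference_now)
    if abs(skew) > tolerance and local_state != reference_state:
        cause = "local-clock"      # verdict changes once the clock is corrected
    elif local_state != "valid":
        cause = "certificate"      # fails even with a trustworthy time
    else:
        cause = "none"
    return {"local": local_state, "reference": reference_state,
            "skew_days": skew.days, "cause": cause}

# Constructed sample values, not taken from the post.
CERT_NOT_BEFORE = "Jun 14 08:25:07 2017 GMT"
CERT_NOT_AFTER = "Sep  6 08:25:00 2017 GMT"
SKEWED_CLOCK = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)
HTTP_DATE = "Tue, 22 Aug 2017 07:40:00 GMT"

if __name__ == "__main__":
    print(diagnose(CERT_NOT_BEFORE, CERT_NOT_AFTER, SKEWED_CLOCK, HTTP_DATE))
```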
