Steven Buss sbuss

## gist:4aefceae478122c565e1

      
              1 file
            
          
              0 forks
            
          
              1 comment
            
          
              0 stars
            
          
                sbuss
                / gist:4aefceae478122c565e1
            
            
              Last active
              August 29, 2015 14:21
            
              
                Deis self-signed cert cloud-config
              
          
    Problem

You have a private docker registry that is secured with self-signed cert and
you want to do deis pull https://docker-registry.example.com/myapp. Deis
won't be able to pull this image because it doesn't trust your self-signed
cert.
Solution

To get the CoreOS nodes in a Deis cluster to trust a self-signed cert, you

  
## gist:869f3f2f9d734832c0d3
$ cat drift.sh
nodes=(10.128.1.107 10.128.1.109 10.128.1.110 10.128.1.111 10.128.1.245)
for i in ${nodes[*]}
do
    echo "## $i ##"
    ssh core@$i "date; systemctl status ntpd"
    echo ""
done
$ sh drift.sh
## 10.128.1.107 ##

## gist:fcab24dababb1296d64c
core@ip-10-128-1-111 ~ $ sudo systemctl status etcd -l
● etcd.service - etcd
   Loaded: loaded (/etc/systemd/system/etcd.service; static; vendor preset: disabled)
  Drop-In: /run/systemd/system/etcd.service.d
           └─10-oem.conf, 20-cloudinit.conf
   Active: active (running) since Mon 2015-04-20 00:49:36 UTC; 2 weeks 2 days ago
 Main PID: 649 (etcd)
   CGroup: /system.slice/etcd.service
           └─649 /usr/bin/etcd

## gist:50595b3b4a6806168be1
core@ip-10-128-1-111 ~ $ journalctl -u deis-publisher
...
May 06 03:00:30 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:30 updateDir /deis/services/authmanager
May 06 03:00:31 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:31 501: All the given peers are not reachable (Tried to connect to each peer twice and
May 06 03:00:31 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:31 set /deis/services/woc/woc_v5.cmd.1 -> 10.128.1.111:49161
May 06 03:00:32 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:32 501: All the given peers are not reachable (Tried to connect to each peer twice and
May 06 03:00:32 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:32 updateDir /deis/services/woc
May 06 03:00:34 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:34 501: All the given peers are not reachable (Tried to connect to each peer twice and
May 06 03:00:34 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:34 set /deis/services/woc/woc_v5.cmd.2 -> 10.128.1.111:49160
May 06 03:0

## gist:5df129baab2b3ab1dbc8
core@ip-10-128-1-110 ~ $ fleetctl list-units
####################################################################
WARNING: fleetctl (0.9.1) is older than the latest registered
version of fleet found in the cluster (0.9.2). You are strongly
recommended to upgrade fleetctl to prevent incompatibility issues.
####################################################################
UNIT					MACHINE				ACTIVE	SUB
authmanager_v5.cmd.1.service		b3f7d5f4.../10.128.1.245	active	running
authmanager_v5.cmd.10.service		bc8f8ce5.../10.128.1.109	active	running
authmanager_v5.cmd.2.service		bc8f8ce5.../10.128.1.109	active	running

## gist:0a0c9a8b43f38091746c
core@ip-10-128-1-110 ~ $ fleetctl list-units
UNIT					MACHINE				ACTIVE	SUB
...
woc_v5.cmd.1.service			94ce2cdc.../10.128.1.111	active	running
woc_v5.cmd.2.service			94ce2cdc.../10.128.1.111	active	running
woc_v5.cmd.3.service			b3f7d5f4.../10.128.1.245	active	running
woc_v5.cmd.4.service			b3f7d5f4.../10.128.1.245	active	running
woc_v5.cmd.5.service			c2fb7b32.../10.128.1.107	active	running
core@ip-10-128-1-110 ~ $ etcdctl ls --recursive /deis/services
/deis/services/authmanager

## gist:0e9de8d9a4455c177ef3
core@ip-10-128-1-110 ~ $ etcdctl ls --recursive /deis/services
/deis/services/authmanager
/deis/services/authmanager/authmanager_v5.cmd.1
/deis/services/lastdeploy
/deis/services/lastdeploy/lastdeploy_v3.cmd.1
/deis/services/docker-registry
/deis/services/docker-registry/docker-registry_v3.cmd.1

## gist:530688ca41c64cbecdec
core@ip-10-128-1-110 ~ $ fleetctl list-units
####################################################################
WARNING: fleetctl (0.9.1) is older than the latest registered
version of fleet found in the cluster (0.9.2). You are strongly
recommended to upgrade fleetctl to prevent incompatibility issues.
####################################################################
UNIT					MACHINE				ACTIVE	SUB
authmanager_v5.cmd.1.service		b3f7d5f4.../10.128.1.245	active	running
deis-builder.service			fb4fac84.../10.128.1.110	active	running
deis-controller.service			94ce2cdc.../10.128.1.111	active	running

## gist:5d966abac0638051b0e7
root@cdeb3f8c0eec:/app# cat /opt/nginx/conf/nginx.conf
# required to run in a container
daemon off;

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;

## gist:7b1dc2ac8fb10cdff991
counsyl@go-agent-setup:~$ sudo puppet agent --test
Error: Cannot create /etc/puppetlabs/puppet; parent directory /etc/puppetlabs does not exist
Error: /File[/etc/puppetlabs/puppet]/ensure: change from absent to directory failed: Cannot create /etc/puppetlabs/puppet; parent directory /etc/puppetlabs does not exist
Error: Cannot create /etc/puppetlabs/code; parent directory /etc/puppetlabs does not exist
Error: /File[/etc/puppetlabs/code]/ensure: change from absent to directory failed: Cannot create /etc/puppetlabs/code; parent directory /etc/puppetlabs does not exist
Error: Cannot create /opt/puppetlabs/puppet/cache; parent directory /opt/puppetlabs/puppet does not exist
Error: /File[/opt/puppetlabs/puppet/cache]/ensure: change from absent to directory failed: Cannot create /opt/puppetlabs/puppet/cache; parent directory /opt/puppetlabs/puppet does not exist
Error: Cannot create /var/log/puppetlabs/puppet; parent directory /var/log/puppetlabs does not exist
Error: /File[/var/log/puppetlabs/puppet]/ensure: chang
	$ cat drift.sh
	nodes=(10.128.1.107 10.128.1.109 10.128.1.110 10.128.1.111 10.128.1.245)
	for i in ${nodes[*]}
	do
	echo "## $i ##"
	ssh core@$i "date; systemctl status ntpd"
	echo ""
	done
	$ sh drift.sh
	## 10.128.1.107 ##
	core@ip-10-128-1-111 ~ $ sudo systemctl status etcd -l
	● etcd.service - etcd
	Loaded: loaded (/etc/systemd/system/etcd.service; static; vendor preset: disabled)
	Drop-In: /run/systemd/system/etcd.service.d
	└─10-oem.conf, 20-cloudinit.conf
	Active: active (running) since Mon 2015-04-20 00:49:36 UTC; 2 weeks 2 days ago
	Main PID: 649 (etcd)
	CGroup: /system.slice/etcd.service
	└─649 /usr/bin/etcd
	core@ip-10-128-1-111 ~ $ journalctl -u deis-publisher
	...
	May 06 03:00:30 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:30 updateDir /deis/services/authmanager
	May 06 03:00:31 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:31 501: All the given peers are not reachable (Tried to connect to each peer twice and
	May 06 03:00:31 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:31 set /deis/services/woc/woc_v5.cmd.1 -> 10.128.1.111:49161
	May 06 03:00:32 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:32 501: All the given peers are not reachable (Tried to connect to each peer twice and
	May 06 03:00:32 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:32 updateDir /deis/services/woc
	May 06 03:00:34 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:34 501: All the given peers are not reachable (Tried to connect to each peer twice and
	May 06 03:00:34 ip-10-128-1-111.counsyl.com sh[4707]: 2015/05/06 03:00:34 set /deis/services/woc/woc_v5.cmd.2 -> 10.128.1.111:49160
	May 06 03:0
	core@ip-10-128-1-110 ~ $ fleetctl list-units
	####################################################################
	WARNING: fleetctl (0.9.1) is older than the latest registered
	version of fleet found in the cluster (0.9.2). You are strongly
	recommended to upgrade fleetctl to prevent incompatibility issues.
	####################################################################
	UNIT MACHINE ACTIVE SUB
	authmanager_v5.cmd.1.service b3f7d5f4.../10.128.1.245 active running
	authmanager_v5.cmd.10.service bc8f8ce5.../10.128.1.109 active running
	authmanager_v5.cmd.2.service bc8f8ce5.../10.128.1.109 active running
	core@ip-10-128-1-110 ~ $ fleetctl list-units
	UNIT MACHINE ACTIVE SUB
	...
	woc_v5.cmd.1.service 94ce2cdc.../10.128.1.111 active running
	woc_v5.cmd.2.service 94ce2cdc.../10.128.1.111 active running
	woc_v5.cmd.3.service b3f7d5f4.../10.128.1.245 active running
	woc_v5.cmd.4.service b3f7d5f4.../10.128.1.245 active running
	woc_v5.cmd.5.service c2fb7b32.../10.128.1.107 active running
	core@ip-10-128-1-110 ~ $ etcdctl ls --recursive /deis/services
	/deis/services/authmanager
	core@ip-10-128-1-110 ~ $ etcdctl ls --recursive /deis/services
	/deis/services/authmanager
	/deis/services/authmanager/authmanager_v5.cmd.1
	/deis/services/lastdeploy
	/deis/services/lastdeploy/lastdeploy_v3.cmd.1
	/deis/services/docker-registry
	/deis/services/docker-registry/docker-registry_v3.cmd.1
	root@cdeb3f8c0eec:/app# cat /opt/nginx/conf/nginx.conf
	# required to run in a container
	daemon off;

	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	counsyl@go-agent-setup:~$ sudo puppet agent --test
	Error: Cannot create /etc/puppetlabs/puppet; parent directory /etc/puppetlabs does not exist
	Error: /File[/etc/puppetlabs/puppet]/ensure: change from absent to directory failed: Cannot create /etc/puppetlabs/puppet; parent directory /etc/puppetlabs does not exist
	Error: Cannot create /etc/puppetlabs/code; parent directory /etc/puppetlabs does not exist
	Error: /File[/etc/puppetlabs/code]/ensure: change from absent to directory failed: Cannot create /etc/puppetlabs/code; parent directory /etc/puppetlabs does not exist
	Error: Cannot create /opt/puppetlabs/puppet/cache; parent directory /opt/puppetlabs/puppet does not exist
	Error: /File[/opt/puppetlabs/puppet/cache]/ensure: change from absent to directory failed: Cannot create /opt/puppetlabs/puppet/cache; parent directory /opt/puppetlabs/puppet does not exist
	Error: Cannot create /var/log/puppetlabs/puppet; parent directory /var/log/puppetlabs does not exist
	Error: /File[/var/log/puppetlabs/puppet]/ensure: chang