Cannot access github.com from a Docker container run through dockerd (dind) on Kubernetes.

 https://jsty.tistory.com/330


There was a problem where a Docker container started through dockerd (docker-in-docker, dind) running on Kubernetes could not reach github.com.

All other sites worked, for the most part.



Connection that works:

# echo "" | openssl s_client -connect dl-cdn.alpinelinux.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dl-cdn.alpinelinux.org
verify return:1
---
Certificate chain
 0 s:CN = dl-cdn.alpinelinux.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = dl-cdn.alpinelinux.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4687 bytes and written 417 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B6268FDEB63D337DE6E7081D85ECE5DE46B34553BF4619E73619FB7005A4B834
    Session-ID-ctx: 
    Master-Key: 311E9078267FB84B90A44F1561EE4121EE5BCF4D51C275ED128CFAC01C1810D32B5B3B29C28E058B17D54F5ED27167DB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    ...

    Start Time: 1669078691
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

 

Connection that is problematic (the handshake hangs right after the client hello is sent and never receives the server hello):

# echo "" | openssl s_client -connect github.com:443 -state
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello

 


[Dockerd Container] # ifconfig
eth0      Link encap:Ethernet  HWaddr 62:B5:76:9D:CF:96  
          inet addr:172.30.1.228  Bcast:172.30.1.228  Mask:255.255.255.255
          inet6 addr: fe80::60b5:76ff:fe9d:cf96/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:1255072 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703606 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6684734820 (6.2 GiB)  TX bytes:4655809637 (4.3 GiB)

[In-Docker] # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3719123 (3.5 MiB)  TX bytes:27167 (26.5 KiB)


The dockerd pod's interface (eth0) has an MTU of 1450, because the Kubernetes overlay network adds encapsulation headers.
But the container that dockerd starts has an MTU of 1500, which is larger: docker0 defaults to 1500 rather than inheriting the MTU of the pod's interface.

That mismatch explains the symptom. The inner container advertises a TCP MSS derived from its 1500-byte MTU, so the remote server sends full-size segments (for example the certificate chain in the TLS handshake) that do not fit through the 1450-byte overlay path. Small packets such as the client hello get through; the large replies are dropped, and unless path MTU discovery works end to end the connection just hangs. Sites that still worked most likely had working path MTU discovery or ended up with a smaller segment size on their path.

It was solved by adding --mtu=1450 to the arguments of dockerd, so that containers it creates use an MTU that fits inside the pod's overlay MTU.
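The check below is an added example, not code from the original post. It parses ifconfig-style (or `ip link`-style) interface output, compares the pod and container MTUs, derives the TCP MSS each one implies, and renders the dockerd daemon.json fragment that is equivalent to passing `--mtu=1450` on the command line. The interface text is constructed to mirror the numbers shown above; on a real system you would feed it `ifconfig eth0` or `ip link show eth0` output from the pod and from a container instead.

```shell
#!/bin/sh
# Added example: diagnose a dind MTU mismatch from interface output and
# render the dockerd fix. Sample interface text below is constructed to
# match the post (pod eth0 MTU 1450, container eth0 MTU 1500).

# Extract the MTU from ifconfig-style ("MTU:1450") or ip-link-style
# ("mtu 1450") output read on stdin. Prints the first match.
mtu_from_ifconfig() {
    sed -n 's/.*[Mm][Tt][Uu][: ]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Largest IPv4 TCP payload (MSS) an MTU allows: MTU - 20 (IP) - 20 (TCP).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# "ok" if the inner (container) MTU fits the outer (pod) MTU, else "mismatch".
check_mtu() {
    outer=$1
    inner=$2
    if [ "$inner" -le "$outer" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# daemon.json fragment equivalent to `dockerd --mtu=N`.
daemon_json_for_mtu() {
    printf '{\n  "mtu": %s\n}\n' "$1"
}

# Constructed sample output mirroring the post.
POD_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 62:B5:76:9D:CF:96
          inet addr:172.30.1.228  Bcast:172.30.1.228  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1'
CTR_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

pod_mtu=$(printf '%s\n' "$POD_IFCONFIG" | mtu_from_ifconfig)
ctr_mtu=$(printf '%s\n' "$CTR_IFCONFIG" | mtu_from_ifconfig)

echo "pod MTU=$pod_mtu (MSS $(mss_for_mtu "$pod_mtu")), container MTU=$ctr_mtu (MSS $(mss_for_mtu "$ctr_mtu")): $(check_mtu "$pod_mtu" "$ctr_mtu")"

# Containers must not exceed the pod's MTU, so hand dockerd the pod value.
echo "dockerd config to apply (or pass --mtu=$pod_mtu):"
daemon_json_for_mtu "$pod_mtu"
```

To confirm the diagnosis on a live system, from inside the problem container send a do-not-fragment ping sized to the overlay MTU and one sized to 1500: `ping -M do -s 1422 <host>` (1450 minus 28 bytes of IP and ICMP headers) should get replies, while `ping -M do -s 1472 <host>` should fail. After restarting dockerd with the new MTU, a newly created container's eth0 should report MTU 1450 and the openssl handshake should complete.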

