Harbor service fails to start with "sudo: unable to change expired password: Authentication token manipulation error"
search cancel

Harbor service fails to start with "sudo: unable to change expired password: Authentication token manipulation error"

book

Article ID: 316804

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid Operations Manager

Issue/Introduction

Symptoms:

  • Harbor service is failing to start.
  • When you check the harbor-app logs, you see the entries similar to:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: unable to change expired password: Authentication token manipulation error
sudo: Account or password is expired, reset your password and try again Changing password for root.

 

Environment

VMware PKS 1.x

Cause

This issue occurs as the harbor-log container set a 90 days to expire its password, see this github page for more information.

Resolution

This is a known issue with Harbor 1.10.x, it will be fixed in 1.10.3.


Workaround:

Note: These steps will not work for an upgraded Harbor installation. Please contact VMware Technical Support for guidance.

1.       Connect Harbor vm from bosh by running the below command:
bosh ssh -d <Harbor-service_instance-name>

2.       Switch to sudo mode by running: sudo -i

3.       Export the docker alias:
alias docker='/var/vcap/packages/docker/bin/docker -H unix:///var/vcap/sys/run/docker/dockerd.sock'

4.       Stop all running containers and delete them by running:
docker stop $(docker ps -aq) && docker rm $(docker ps -a)

5.       Pull the new harbor-log image:
docker pull goharbor/harbor-log:v1.10.3-dev
Note: If you do not have internet access from Harbor, then download it on any client vm and then copy to Harbor and load the image.

6.       Update this latest image in docker-compose file and then start all the services.

a.                   Navigate to /var/vcap/packages/harbor-app

b.                   Edit the docker-compose.yaml file, search for the harbor-log image and update it with latest image, goharbor/harbor-log:v1.10.3-dev.

c.                   Export the docker compose alias:
alias docker-compose='/var/vcap/packages/docker-compose/bin/docker-compose -H unix:///var/vcap/sys/run/docker/dockerd.sock -f /var/vcap/packages/harbor-app/docker-compose.yml '
export PATH=$PATH:/var/vcap/jobs/andes/bin/

d.                   Start all the services by running docker compose:
docker-compose up -d

e.                   Confirm that all the services are running and Harbor UI is accessible.

Note:  Please note that these changes are ephemeral and gets reverted upon vm recreation.  

 

Powered by Wolken Software