This is a known issue affecting vSphere Integrated Containers 1.2.
Currently, there is no resolution.
Workaround:
To work around this issue:
- Validate if Harbor is impacted.
- SSH to the VIC Appliance.
- Shut down the vSphere Integrated Containers appliance by selecting Shut Down Guest OS.
Note: Do not select Power Off.
- Right-click the new vSphere Integrated Containers appliance, and select Edit Settings.
- Click vApp Options to modify the settings that you provided when you used the OVA installer to deploy the appliance.
- In Appliance Security, update the password for the appliance root account, and enable or disable SSH login.
- Click OK to close the Edit Settings window.
- Power on the vSphere Integrated Containers appliance.
- Use your preferred SSH client to connect as the root user.
- Check whether the harbor container exists by running this command:
docker ps -a
You see output similar to:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
340f83d7d25b vmware/admiral:ova "/entrypoint.sh" 19 hours ago Up 19 hours 0.0.0.0:8282->8282/tcp vic-admiral
- Validate that harbor_startup.service fails to copy the ca.crt file by running this command:
journalctl -u harbor_startup.service
You see output similar to:
vicappliance.viclab.local systemd[1]: Starting Harbor Startup Configuration…
vicappliance.viclab.local bash[1040]: cp: cannot stat '/data/admiral/cert/ca.crt': No such file or directory
vicappliance.viclab.local systemd[1]: harbor_startup.service: Control process exited, code=exited status=1
### lines omitted for brevity ###
- Obtain the root signing certificate authority certificate in X.509 PEM format. The security team responsible for the datacenter can provide this.
- Typically the certificate is provided as a chain during the OVA deployment. If this was done, the root CA is the last certificate in /data/admiral/cert/server.crt. Cat the file to check whether the chain was already provided:
cat /data/admiral/cert/server.crt
You see output similar to:
-----BEGIN CERTIFICATE-----
MIIDYTCCAkmgAwIBAgIJAPPUd8W7LBp8MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
### lines omitted for brevity ### --> Signed cert is always at the top
BAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LjE2OC4xLjEwMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
### lines omitted for brevity ### --> Intermediate CA if one is in use.
AQoCggEBAMV93QescNy4Lke5EW8hw/qZwN0fzlXR/C/9radJLgFudVpqD3qmdf4m
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y1WA45DLC1yUcFRRwslGdYvpNAV7BUhJPRa3bKLEnKtI02Ul0rEDj/1TKtSNJgUE
### lines omitted for brevity ### --> Root CA that needs to be copied.
IztqLMuI9GWxOIef6RqAEX7Xr+PGTVTFGLc8y6LqT455vWXwQ/bNu2jD39EmRmbU
iYpj4VE=
-----END CERTIFICATE-----
- Copy the Root CA certificate, including the header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----, to a text file named ca.crt in /tmp/.
- Copy the root ca.crt file, whether obtained from the security team or taken from the chain provided in the OVA deployment wizard, to /data/admiral/cert/ca.crt.
- Shut down the VIC Appliance from the vSphere Web Client and then power it on again.
- Wait a few minutes for the harbor_startup tasks to complete before testing the UI.
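
Added example (not part of the VMware procedure or VMware code): a shell script for the chain-extraction step above. It pulls the last certificate out of a PEM chain such as /data/admiral/cert/server.crt and refuses to stage it unless its subject equals its issuer, so a leaf or intermediate certificate is not copied as ca.crt by mistake. The function names, the /tmp/ca.crt default and the availability of openssl where it runs are assumptions.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.

# Print how many PEM certificate blocks the file contains.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Print the last complete PEM block, header and footer included.
last_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                         { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/   { if (inside) { last = buf; inside = 0 } }
        END                            { printf "%s", last }
    ' "$1"
}

# Succeed only if the certificate's subject equals its issuer (self-signed root).
# Assumes openssl is installed where this runs.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Extract the last certificate of chain $1 into $2; keep it only if it is a root.
stage_root_ca() {
    chain=$1
    out=${2:-/tmp/ca.crt}
    if [ "$(count_certs "$chain")" -lt 1 ]; then
        echo "no certificate found in $chain" >&2
        return 1
    fi
    last_cert "$chain" > "$out"
    if ! is_self_signed "$out"; then
        echo "last certificate in $chain is not self-signed; not a root CA" >&2
        rm -f "$out"
        return 1
    fi
    echo "root CA written to $out"
}

# Usage: sh stage_root_ca.sh /data/admiral/cert/server.crt [/tmp/ca.crt]
if [ "$#" -ge 1 ]; then
    stage_root_ca "$@"
fi
```

If the script reports that the last certificate is not self-signed, the chain was not supplied at deployment and the root CA must come from the security team instead.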