NAPP-AA: Uploading images to Private Harbor VM fails while using the script

Article ID: 389047


Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

During the manual deployment of NAPP, users may encounter an error when attempting to "Upload Docker images and Helm charts" to a private Harbor registry via the NAPP Automation Appliance VM. This issue typically occurs after executing the ./upload_oci_artifacts_to_artifactory.sh script.

The error message is generally as follows:

FATA[0120] initializing source docker://172.16.5.62:5000/clients:24389994: pinging container registry 172.16.5.62:5000: Get "http://172.16.5.62:5000/v2/": dial tcp 172.16.5.62:5000: i/o timeout 

This problem typically arises when container-to-container communication is not properly enabled due to missing firewall or iptables configurations on the client machine (Photon OS).

Environment

NAPP Automation Appliance Version: 4.2.0

Cause

The issue is caused by the updated methodology in the NAPP-AA tool, introduced in version 4.2.0, which requires container-to-container communication for image uploads.

Since the containers are assigned IP addresses from a private subnet, the appropriate iptables rule is needed to enable this communication.

Without this configuration, the image upload fails due to network connectivity issues between the containers.

Resolution

To resolve this issue, we need to add the appropriate iptables rule on the NAPP-AA VM (or Docker VM) to enable communication between containers.

Steps:

(1) Log into the NAPP-AA machine (or Docker VM) and add the following iptables rule:

iptables -A INPUT -m iprange --src-range 172.17.0.1-172.17.0.255 -j ACCEPT

The IP range 172.17.0.1-172.17.0.255 can be determined by checking the docker0 interface. Use the following command on the NAPP-AA CLI to retrieve the information:

ip a

Sample output:

root@photon [ ~ ]# ip a
docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
  link/ether 02:42:23:1c:de:57 brd ff:ff:ff:ff:ff:ff
  inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0
     valid_lft forever preferred_lft forever
  inet6 fe80::42:23ff:fe1c:de57/64 scope link
     valid_lft forever preferred_lft forever

The output should show the docker0 address inside the 172.17.0.0/24 range (172.17.0.1/24 in the sample above). In your environment the range may be different, but it will follow the same format.

(2) Explanation: This rule allows communication between containers within the IP range 172.17.0.0/24, which is the default for Docker’s docker0 interface.

(3) After adding the iptables rule, re-run the script ./upload_oci_artifacts_to_artifactory.sh. The image upload should now proceed without any issues.
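The range in step (1) can be derived from the docker0 CIDR instead of being typed by hand. The script below is an added example, not part of the original article or the NAPP-AA tooling; it goes beyond the /24 case shown above by handling any prefix length from 1 to 30, and all function names in it are hypothetical. It only prints the rule, guarded by iptables -C so that a repeat run does not append a duplicate.

```shell
#!/bin/bash
# Added example, not part of the KB article. Function names are hypothetical.
# "inet" line copied from the article's sample `ip a` output for docker0.
SAMPLE='  inet 172.17.0.1/24 brd 172.17.0.255 scope global docker0'

# Read `ip -4 addr show docker0` output on stdin, print the first IPv4 CIDR.
cidr_from_ip_output() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { print $(i + 1); exit } }'
}

# Dotted quad -> 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# CIDR -> "first-last" in the article's form (network+1 through broadcast).
# Fails on a missing or out-of-range prefix rather than guessing.
cidr_to_src_range() {
    local addr="${1%/*}" prefix="${1#*/}" ip mask net bcast first
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || return 1
    ip=$(ip_to_int "$addr")
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    first=$(( net + 1 ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$bcast")"
}

# Print (do not run) the article's rule, guarded by `iptables -C` so that
# re-running it does not append a duplicate.
build_rule() {
    local range rule
    range=$(cidr_to_src_range "$1") || return 1
    rule="INPUT -m iprange --src-range $range -j ACCEPT"
    echo "iptables -C $rule 2>/dev/null || iptables -A $rule"
}

# On the appliance: ip -4 addr show docker0 | cidr_from_ip_output
build_rule "$(printf '%s\n' "$SAMPLE" | cidr_from_ip_output)"
```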

 

Additional Information

This is fixed in the latest NAPP-AA version. Kindly download the latest NAPP-AA from the support portal under VMware NSX products.