APAR status
Closed as program error.
Error description
Docker commands that connect to the configured secure Docker registry (such as docker pull, docker build, etc.) get an "x509: certificate signed by unknown authority" error response from the Docker daemon, even though the secure Docker registry is correctly configured using the ZCX_SECURE_DOCKER_REGISTRY_ENABLE, ZCX_SECURE_DOCKER_REGISTRY_IP, ZCX_SECURE_DOCKER_REGISTRY_PORT, and ZCX_DOCKER_REGISTRY_TLS_CA_CERT z/OSMF workflow variables.
Local fix
BYPASS/CIRCUMVENTION: Configure the Docker registry as an insecure Docker registry to allow the zCX appliance instance to connect to the registry.
Problem summary
USERS AFFECTED: All users of IBM z/OS Container Extensions (IBM zCX) for HZDC7C0 that use a secure Docker registry with a private TLS CA certificate.
The secure Docker Registry private TLS CA certificate provided in ZCX_DOCKER_REGISTRY_TLS_CA_CERT is not installed in the base Linux, so it is unavailable to the Docker daemon.
Problem conclusion
zCX is changed to install the secure Docker Registry private TLS CA certificate provided in ZCX_DOCKER_REGISTRY_TLS_CA_CERT in the base Linux, so it is available to the Docker daemon.
Updates to information in the comprehensive collection of content for IBM z/OS Container Extensions in Knowledge Center:
https://www.ibm.com/support/z-content-solutions/container-extensions/
IBM z/OS Container Extensions
Reference information for zCX
AZD messages
The following new messages are added:

AZDD0010E Failure errcode installing Docker TLS CA certificate
  Explanation: An internal error occurred installing the Docker TLS CA certificate. In the message text: errcode is the internal error code.
  System action: The zCX instance continues processing without the certificate.
  Operator response: Refer to message GLZM009I in z/OS MVS System Messages, Vol 5 (EDG-GLZ).
  Programmer response: Refer to message GLZM009I in z/OS MVS System Messages, Vol 5 (EDG-GLZ).

AZDD0011E Failure errcode checksumming Docker TLS CA certificate
  Explanation: An internal error occurred validating the Docker TLS CA certificate. In the message text: errcode is the internal error code.
  System action: The zCX instance continues processing without the certificate.
  Operator response: Refer to message GLZM009I in z/OS MVS System Messages, Vol 5 (EDG-GLZ).
  Programmer response: Refer to message GLZM009I in z/OS MVS System Messages, Vol 5 (EDG-GLZ).

AZDD0012E Failure errcode removing Docker TLS CA certificate
  Explanation: An internal error occurred removing the Docker TLS CA certificate. In the message text: errcode is the internal error code.
  System action: The zCX instance continues processing without removing the certificate.
  Operator response: Refer to message GLZM009I in z/OS MVS System Messages, Vol 5 (EDG-GLZ).
  Programmer response: Refer to message GLZM009I in z/OS MVS System Messages, Vol 5 (EDG-GLZ).

KEYWORDS: ZCX/K
Temporary fix
Comments
APAR Information
APAR number
OA62492
Reported component name
ZCX WORKFLOW
Reported component ID
5752SCCWF
Reported release
7C0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-18
Closed date
2022-04-21
Last modified date
2022-06-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
AZDGBRTB
Fix information
Fixed component name
ZCX SERVER
Fixed component ID
5752SCCDE
Applicable component levels
Document Information
Modified date:
06 July 2022