5.1.0 - Worker - failed to ping registry

#1

I’m working on a setup of Concourse based on version 5.1.0 and I can’t seem to get the worker to download the containers from the Docker registry.

hello-world

resource script ‘/opt/resource/check []’ failed: exit status 1 stderr: failed to ping registry: 2 error(s) occurred: * ping https: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) * ping http: Get http://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I’ve tried
--garden-dns-proxy-enable
CONCOURSE_GARDEN_DNS_SERVER=8.8.8.8
&
CONCOURSE_GARDEN_ALLOW_HOST_ACCESS=1

I can see in the worker logs that it’s taking these. I’m running on CentOS 7 using the 4.4.179-1.el7.elrepo.x86_64 kernel.

I haven’t been able to hijack the container yet, I guess because it hasn’t downloaded it, as I get the following error:

./fly -t ci hijack /handle f0a4befd-eed4-46e4-4a26-dc35e8fbb4a2
error: websocket: bad handshake

I don’t have firewalld running, but could it be firewall related? I am able to run Docker on the host; is there any way I could download the images it needs to help jumpstart it, so I might be able to troubleshoot it further?

Let me know what you think.

Gary

#2

I managed to get it working and I’ve tried to strip back my worker arguments to only what I need to get it to work. It wasn’t a DNS resolution issue per se, more a firewall issue with iptables.

Before running Concourse on the worker node I ran
/sbin/iptables -P FORWARD ACCEPT

Then here are my worker arguments; the {{ }} are my config:
concourse worker \
  --tsa-host {{web.sys.ip}}:2222 \
  --tsa-public-key {{pkg.svc_config_path}}/keys/worker/tsa_host_key.pub \
  --tsa-worker-private-key {{pkg.svc_config_path}}/keys/worker/worker_key \
  --garden-dns-proxy-enable

I can drop and rebuild my config as needed, so I can get it back to a non-working state again if that would help troubleshoot what the underlying issue is with iptables.
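
An added example, not part of the original posts: a small shell check that reads `iptables -S FORWARD` output and reports whether the FORWARD policy would let container traffic through, plus a helper that prints subnet-scoped rules as a narrower alternative to a global `-P FORWARD ACCEPT`. The function names, the sample rule dumps and the subnet 10.254.0.0/22 (assumed here to be the worker's Garden network pool; substitute the real one) are assumptions.

```shell
#!/bin/sh
# Added example. Reads an `iptables -S FORWARD` dump on stdin and prints:
#   accept-policy   - default policy is ACCEPT (what `-P FORWARD ACCEPT` sets)
#   drop-with-allow - policy is DROP but an ACCEPT rule names the subnet as source
#   drop-no-allow   - policy is DROP and no such rule exists
#   unknown         - no policy line found, or a policy other than ACCEPT/DROP
# Limitation: rule order is not evaluated, so an earlier DROP can still shadow.
forward_verdict() {
    subnet="$1"   # container subnet (assumption: the Garden network pool)
    policy=""
    allow=no
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD "*) policy="${line#-P FORWARD }" ;;
            "-A FORWARD "*"-s $subnet "*"-j ACCEPT"*) allow=yes ;;
        esac
    done
    case "$policy" in
        ACCEPT) echo accept-policy ;;
        DROP) if [ "$allow" = yes ]; then echo drop-with-allow; else echo drop-no-allow; fi ;;
        *) echo unknown ;;
    esac
}

# Print (do not run) rules that forward only the container subnet's outbound
# traffic and the replies to it, leaving the default policy at DROP.
scoped_rules() {
    echo "iptables -I FORWARD -s $1 -j ACCEPT"
    echo "iptables -I FORWARD -d $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Constructed sample dumps (not taken from the poster's host).
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_SCOPED='-P FORWARD DROP
-A FORWARD -d 10.254.0.0/22 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.254.0.0/22 -j ACCEPT'
SAMPLE_ACCEPT='-P FORWARD ACCEPT'

# On a live worker (as root): iptables -S FORWARD | forward_verdict 10.254.0.0/22
printf '%s\n' "$SAMPLE_DROP" | forward_verdict 10.254.0.0/22
printf '%s\n' "$SAMPLE_SCOPED" | forward_verdict 10.254.0.0/22
printf '%s\n' "$SAMPLE_ACCEPT" | forward_verdict 10.254.0.0/22
scoped_rules 10.254.0.0/22
```

A `drop-no-allow` result on the worker before the policy change would be consistent with the registry timeouts in the first post.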