TABLE OF CONTENTS
Kublr-in-a-Box Installer (Kublr Box) is a slimmed down version of Kublr Control Plane packaged into a single Docker container image and running as a single container.
As it runs on a client machine, often a laptop, it can sometime run into the client environment issues.
This document describes some of the known issues and general troubleshooting procedures.
Docker for Mac 3.3.0 and 3.3.1
Docker for Mac 3.3.0 and 3.3.1 has a known issue that prevents container applications connecting to HTTPS endpoints with self-signed certificates with "NSS error -5938".
The issue is tracked at https://github.com/docker/for-mac/issues/5524
As a result Kublr Box cannot connect to a newly created cluster API endpoint and never finishes creating a cluster. Cluster will stay in an error state indicating that Kubernetes API is not available.
How to identify:
Connection to the cluster API endpoint works from the host but fails from the Docker container.
# works curl https://www.google.com # works curl -k https://<kubernetes-API-address> # works docker exec kublr curl https://www.google.com # FAILS docker exec kublr curl -k -v https://<kubernetes-API-address> * About to connect() to x.x.x.x port 443 (#0) * Trying x.x.x.x... * Connected to x.x.x.x (x.x.x.x) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * NSS error -5938 (PR_END_OF_FILE_ERROR) * Encountered end of file * Closing connection 0 curl: (35) Encountered end of file
How to fix:
Upgrade or roll back Docker for Mac version to the one that does not have this issue.