# rancher-desktop
w
g
I'm not sure I understand, I am on a zscaler vpn but there is no proxy. I don't have anything to put in any of those inputs if I check to enable the proxy.
w
ahh then probably ZIA is handling your internet access.
if you jump into the distro using
rdctl shell
does WSL seem like it has access to the internet? ZIA does use a PAC for browsers (and Docker Desktop supports PACs) but you may not have a direct route to the internet in your ZIA config
g
yes we have a ZIA policy
w
you could try setting the proxy to http://127.0.0.1:9000 if memory serves and see if traffic gets out.
g
wsl does seem like it has access
w
hmmmm and if you curl the same endpoints from rd shell stuff looks good?
g
yeah just not from the app that is run via dockerfile
w
well that should just be a container running in RD's alpine distro so if you don't need a proxy directive it should work just the same as curl.
g
that was what I thought... curl https://api.nuget.org/v3/index.json from the shell available via
rdctl shell
works but a dockerfile with a line RUN dotnet build "./projectname.csproj" -c Release -o /app/build errors with a failure to retrieve that url with an error: => => # /projectname.csproj : error NU1301: Unable to load the service index for source https://api.nuget.org/v3/index.json
w
so did you hash your internal CA into your from image? wondering if ZIA is doing TLS interception so dotnet build is failing TLS
g
hmm with a different testcase I created this dockerfile:
FROM alpine:latest
RUN apk add --no-cache bash
ENTRYPOINT [ "bash" ]
docker build --pull --rm -f "DockerFile" -t mytest:latest
0.6s
------
 > [2/2] RUN apk add --no-cache bash:
0.242 fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz
0.449 280BB2F12C7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:
0.450 WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.20/main: Permission denied
0.450 fetch https://dl-cdn.alpinelinux.org/alpine/v3.20/community/x86_64/APKINDEX.tar.gz
0.614 280BB2F12C7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:
0.616 WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.20/community: Permission denied
0.616 ERROR: unable to select packages:
0.616 bash (no such package):
w
yup that is a tls breakdown. you will need to hash your internal CA into your image's CA certs so it can access things on the internet
you can use openssl to check trust
openssl s_client -connect dl-cdn.alpinelinux.org:443
and look for that verify return: 1
g
hmm that will take a while because these images don't have openssl installed it seems; thanks for the help though I do wonder why the shells from
docker exec -it ... sh
and
rdctl shell
can successfully request stuff but the thing running via dockerfile run commands or entrypoint cannot.
w
well the build will be a container inside that vm. so envs won't propagate by default
and WSL has its own autoproxy config that is default on and could be at play. so in the distro it has a proxy from the PAC
rancher desktop also reads ca certs and copies them into the VM context, but those won't be reflected in a container inside the host