https://rancher.com/ logo
#rancher-desktop
Title
# rancher-desktop
a

adamant-kite-43734

01/09/2023, 3:01 AM
This message was deleted.
f

fast-garage-66093

01/09/2023, 6:49 AM
You'll have to include additional information. How does it fail for you, what is the error message. Are you using a registry with basic auth, or using client certificates for authentication? Or are you using cloud registries that have their own credentials helpers, like ECR?
b

bored-planet-1228

01/09/2023, 6:49 AM
I installed rancher desktop, fixed up the path manually in the fish shell, and get this error message whenever I try to fetch images:
Copy code
> nerdctl pull alpine
INFO[0000] trying next host                              error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
ERRO[0000] server "<http://docker.io|docker.io>" does not seem to support HTTPS  error="failed to resolve reference \"<http://docker.io/library/alpine:latest\|docker.io/library/alpine:latest\>": failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused"
INFO[0000] Hint: you may want to try --insecure-registry to allow plain HTTP (if you are in a trusted network)
FATA[0000] failed to resolve reference "<http://docker.io/library/alpine:latest|docker.io/library/alpine:latest>": failed to do request: Head "<https://registry-1.docker.io/v2/library/alpine/manifests/latest>": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused
Error: exit status 1
`
f

fast-garage-66093

01/09/2023, 6:50 AM
Are you using a proxy?
b

bored-planet-1228

01/09/2023, 6:51 AM
No, it’s just my personal laptop, macos M1. I do have “Little Snitch” installed, but it’s currently disabled.
f

fast-garage-66093

01/09/2023, 6:52 AM
Can you confirm that you can reach the registry from a shell on your laptop?
Copy code
$ curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}
b

bored-planet-1228

01/09/2023, 6:53 AM
The message I get is:
Copy code
{
  "errors": [
    {
      "code": "UNAUTHORIZED",
      "message": "authentication required",
      "detail": [
        {
          "Type": "repository",
          "Class": "",
          "Name": "library/alpine",
          "Action": "pull"
        }
      ]
    }
  ]
}
f

fast-garage-66093

01/09/2023, 6:53 AM
Ok, that's good. And does it work from inside the VM as well?
Copy code
$ rdctl shell curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}
b

bored-planet-1228

01/09/2023, 6:53 AM
How do I test that.
f

fast-garage-66093

01/09/2023, 6:54 AM
See the command I just posted:
rdctl shell ...
b

bored-planet-1228

01/09/2023, 6:54 AM
Ah, ideed.
Copy code
> rdctl shell curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}
So I think that also works.
f

fast-garage-66093

01/09/2023, 6:56 AM
This is with RD 1.7.0 (latest release)?
b

bored-planet-1228

01/09/2023, 6:56 AM
I installed it at lunchtime today, it should be the latest. Let me check.
Yes. 1.7.0
f

fast-garage-66093

01/09/2023, 6:57 AM
This is weird; it works normally for me, and the commands you just ran show that the registry is accessible from inside the VM
b

bored-planet-1228

01/09/2023, 6:58 AM
The only thing I can think of that might be different, is how I fixed up the path.
So I installed it, told it not to fiddle with the path, and then I added the path setting manually myself.
f

fast-garage-66093

01/09/2023, 6:58 AM
That should have no effect on how the registry is accessed from inside the VM.
And the fact that you can run
rdctl
shows that the directory is on the
PATH
b

bored-planet-1228

01/09/2023, 6:59 AM
Strange. 😞
f

fast-garage-66093

01/09/2023, 7:00 AM
Did you enabled the experimental "Allowed Images" feature in the Preferences?
b

bored-planet-1228

01/09/2023, 7:00 AM
I haven’et changed anything else, I don’t think so anyway, let me check… Nope. Actually there is one more thing:
I have no idea why those two diagnostics are failing, though.
f

fast-garage-66093

01/09/2023, 7:03 AM
I assume the first one fails because you only configured the
PATH
for
zsh
, but not for
bash
. You can just mute that diagnostic, if it is not relevant to you.
The second diagnostic is a bug; it looks like the probe failed to run.
b

bored-planet-1228

01/09/2023, 7:03 AM
I don’t use bash, I’ve actually set it up in zsh though anyway because that’s the default shell these days in macos, but I’ve added it to fish for good measure (the shell I use)]
My zsh is configured to exec fish.
f

fast-garage-66093

01/09/2023, 7:04 AM
This shouldn't happen, and I'm curious why it failed, but it will be unrelated to your registry problem
Can you share that config with me, so we can fix the diagnostic?
I believe we are running the equivalent of
zsh -i -c "echo $PATH"
to check the PATH
b

bored-planet-1228

01/09/2023, 7:06 AM
I think the prudent part of my zsh
.zshrc
is perhaps this bit:
Copy code
export WASMTIME_HOME="$HOME/.wasmtime"
export RANCHER_HOME="$HOME/.rd"

export PATH="$RANCHER_BIN/bin:$WASMTIME_HOME/bin:$PATH"

exec fish -l
And as for fish, because I usually launch that directly if using iTerm2, is done with:
fish_add_path ~/.rd/bin
, which just adds that to the paths globally on the user account for me.
Copy code
> zsh -i -c "echo $PATH"
Welcome to fish, the friendly interactive shell
Type `help` for instructions on how to use fish
That’s because of the
exec fish
line.
f

fast-garage-66093

01/09/2023, 7:07 AM
Thanks! I will look into this tomorrow (it is still 11PM Sunday night here)
b

bored-planet-1228

01/09/2023, 7:07 AM
Ah, no worries!
I’m only looking into this as a personal curiosity thing, I’ve a million other things to work on so there is no time pressure at all on my end.
f

fast-garage-66093

01/09/2023, 7:07 AM
Your real problem is:
Copy code
error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
b

bored-planet-1228

01/09/2023, 7:08 AM
Yeah…. Is rancher setting something up there?
Or supposed to be?
f

fast-garage-66093

01/09/2023, 7:09 AM
It does set up an internal proxy when the "Allowed images" functionality is enabled:
Copy code
if [ -f /usr/local/openresty/nginx/conf/image-allow-list.conf ]; then
  export HTTPS_PROXY=<http://127.0.0.1:3128>
fi
b

bored-planet-1228

01/09/2023, 7:10 AM
Ah, interesting, but I don’t have that ticked.
f

fast-garage-66093

01/09/2023, 7:10 AM
Can you double-check that the file doesn't exist:
Copy code
$ rdctl shell ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
ls: /usr/local/openresty/nginx/conf/image-allow-list.conf: No such file or directory
Error: exit status 1
b

bored-planet-1228

01/09/2023, 7:11 AM
It exists.
Copy code
> rdctl shell cat /usr/local/openresty/nginx/conf/image-allow-list.conf
"~*^registry\.k8s\.io(:443)?/v2/pause/manifests/[^/]+$" 0;
"~*^[^./]+\.pkg\.dev(:443)?/v2/.+/manifests/[^/]+$" 0;
"~*^registry-1\.docker\.io(:443)?/v2/rancher/mirrored-pause/manifests/[^/]+$" 0;
f

fast-garage-66093

01/09/2023, 7:12 AM
I wonder why it exists, but I think if you delete it, then
nerdctl pull alpine
will start working
b

bored-planet-1228

01/09/2023, 7:12 AM
Hmm, I get a permission denied if I try using rdctl shell.
f

fast-garage-66093

01/09/2023, 7:13 AM
Copy code
rdctl shell sudo rm -f /usr/local/openresty/nginx/conf/image-allow-list.conf
1
💯 1
b

bored-planet-1228

01/09/2023, 7:13 AM
Interesting, yeah that removed the file.
And that now works.
f

fast-garage-66093

01/09/2023, 7:13 AM
Please confirm that the openresty service is not running:
Copy code
$ rdctl shell ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
ls: /usr/local/openresty/nginx/conf/image-allow-list.conf: No such file or directory
Error: exit status 1
b

bored-planet-1228

01/09/2023, 7:14 AM
I’ve now managed to pull alpine, too.
That file doesn’t appear to have been recreated.
f

fast-garage-66093

01/09/2023, 7:14 AM
Yeah, the question is why the file exists even though the feature has not been enabled
I will look into this tomorrow, and may have more questions for you then.
b

bored-planet-1228

01/09/2023, 7:15 AM
No worries! Sleep well!
And thanks for checking in!
f

fast-garage-66093

01/09/2023, 7:16 AM
In the meantime, you may want to try to stop RD and start it again, and see if that re-creates the file. Please post any updates about things you find here. You should be able to get
nerdctl
working again by deleting the file
b

bored-planet-1228

01/09/2023, 7:23 AM
Just tried - it’s not recreated. odd.
f

fast-garage-66093

01/10/2023, 5:41 AM
I think I found the issue: the file is created (incorrectly) when Allowed Images is disabled, and you make a Preferences change that doesn't require a restart of the VM (which would clean things up again), e.g. changing the
PATH
management setting, but there are others as well.
👍 1
f

faint-lizard-84272

02/09/2023, 11:12 AM
Hi @fast-garage-66093, just in case it's interesting to you, it happened to me too today, and the fix worked too. • macOS Ventura 13.2 • Just installed latest RD without enabling kubernetes • Used containerd engine • Added manually the path to my .zshrc , and Rancher Desktop keeps complaining abouth not being in the path.
Copy code
❯ nerdctl pull debian:11
INFO[0000] trying next host                              error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/debian/manifests/11>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
ERRO[0000] server "<http://docker.io|docker.io>" does not seem to support HTTPS  error="failed to resolve reference \"<http://docker.io/library/debian:11\|docker.io/library/debian:11\>": failed to do request: Head \"<https://registry-1.docker.io/v2/library/debian/manifests/11>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused"
INFO[0000] Hint: you may want to try --insecure-registry to allow plain HTTP (if you are in a trusted network) 
FATA[0000] failed to resolve reference "<http://docker.io/library/debian:11|docker.io/library/debian:11>": failed to do request: Head "<https://registry-1.docker.io/v2/library/debian/manifests/11>": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused 
Error: exit status 1
❯ rdctl shell sudo ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
-rw-r--r--    1 alvaro   alvaro         195 Feb  9 10:59 /usr/local/openresty/nginx/conf/image-allow-list.conf
❯ rdctl shell sudo rm -f /usr/local/openresty/nginx/conf/image-allow-list.conf
❯ nerdctl pull debian:11
<http://docker.io/library/debian:11|docker.io/library/debian:11>:                                                      resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:43ef0c6c3585d5b406caa7a0f232ff5a19c1402aeb415f68bcd1cf9d10180af8:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:749383b0a6d17fb745d397b108d2ea38b5832226586b25c9f5cf7fcde24458ab: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:54e726b437fbb2dd7b43e4dd5cd79b0181e96a22849b7fc2ffe934fac2d65440:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:1e4aec178e0864db93a6f97a20bde3445871a4562c1801185eca1238d3a0e80d:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 7.1 s
644 Views