https://rancher.com/ logo
Join Slack
Powered by
This message was deleted.
# rancher-desktop
a
This message was deleted.
f
You'll have to include additional information. How does it fail for you, what is the error message. Are you using a registry with basic auth, or using client certificates for authentication? Or are you using cloud registries that have their own credentials helpers, like ECR?
b
I installed rancher desktop, fixed up the path manually in the fish shell, and get this error message whenever I try to fetch images:
Copy code
> nerdctl pull alpine
INFO[0000] trying next host                              error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
ERRO[0000] server "<http://docker.io|docker.io>" does not seem to support HTTPS  error="failed to resolve reference \"<http://docker.io/library/alpine:latest\|docker.io/library/alpine:latest\>": failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused"
INFO[0000] Hint: you may want to try --insecure-registry to allow plain HTTP (if you are in a trusted network)
FATA[0000] failed to resolve reference "<http://docker.io/library/alpine:latest|docker.io/library/alpine:latest>": failed to do request: Head "<https://registry-1.docker.io/v2/library/alpine/manifests/latest>": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused
Error: exit status 1
`
f
Are you using a proxy?
b
No, it’s just my personal laptop, macos M1. I do have “Little Snitch” installed, but it’s currently disabled.
f
Can you confirm that you can reach the registry from a shell on your laptop?
Copy code
$ curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}
b
The message I get is:
Copy code
{
  "errors": [
    {
      "code": "UNAUTHORIZED",
      "message": "authentication required",
      "detail": [
        {
          "Type": "repository",
          "Class": "",
          "Name": "library/alpine",
          "Action": "pull"
        }
      ]
    }
  ]
}
f
Ok, that's good. And does it work from inside the VM as well?
Copy code
$ rdctl shell curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}
b
How do I test that.
f
See the command I just posted: 
rdctl shell ...
b
Ah, ideed.
Copy code
> rdctl shell curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}
So I think that also works.
f
This is with RD 1.7.0 (latest release)?
b
I installed it at lunchtime today, it should be the latest. Let me check.
Yes. 1.7.0
f
This is weird; it works normally for me, and the commands you just ran show that the registry is accessible from inside the VM
b
The only thing I can think of that might be different, is how I fixed up the path.
So I installed it, told it not to fiddle with the path, and then I added the path setting manually myself.
f
That should have no effect on how the registry is accessed from inside the VM.
And the fact that you can run 
rdctl
shows that the directory is on the 
PATH
b
Strange. 😞
f
Did you enabled the experimental "Allowed Images" feature in the Preferences?
b
I haven’et changed anything else, I don’t think so anyway, let me check… Nope. Actually there is one more thing:
I have no idea why those two diagnostics are failing, though.
f
I assume the first one fails because you only configured the 
PATH
for 
zsh
, but not for 
bash
. You can just mute that diagnostic, if it is not relevant to you.
The second diagnostic is a bug; it looks like the probe failed to run.
b
I don’t use bash, I’ve actually set it up in zsh though anyway because that’s the default shell these days in macos, but I’ve added it to fish for good measure (the shell I use)]
My zsh is configured to exec fish.
f
This shouldn't happen, and I'm curious why it failed, but it will be unrelated to your registry problem
Can you share that config with me, so we can fix the diagnostic?
I believe we are running the equivalent of 
zsh -i -c "echo $PATH"
to check the PATH
b
I think the prudent part of my zsh 
.zshrc
is perhaps this bit:
Copy code
export WASMTIME_HOME="$HOME/.wasmtime"
export RANCHER_HOME="$HOME/.rd"

export PATH="$RANCHER_BIN/bin:$WASMTIME_HOME/bin:$PATH"

exec fish -l
And as for fish, because I usually launch that directly if using iTerm2, is done with: 
fish_add_path ~/.rd/bin
, which just adds that to the paths globally on the user account for me.
Copy code
> zsh -i -c "echo $PATH"
Welcome to fish, the friendly interactive shell
Type `help` for instructions on how to use fish
That’s because of the 
exec fish
line.
f
Thanks! I will look into this tomorrow (it is still 11PM Sunday night here)
b
Ah, no worries!
I’m only looking into this as a personal curiosity thing, I’ve a million other things to work on so there is no time pressure at all on my end.
f
Your real problem is:
Copy code
error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
b
Yeah…. Is rancher setting something up there?
Or supposed to be?
f
It does set up an internal proxy when the "Allowed images" functionality is enabled:
Copy code
if [ -f /usr/local/openresty/nginx/conf/image-allow-list.conf ]; then
  export HTTPS_PROXY=<http://127.0.0.1:3128>
fi
b
Ah, interesting, but I don’t have that ticked.
f
Can you double-check that the file doesn't exist:
Copy code
$ rdctl shell ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
ls: /usr/local/openresty/nginx/conf/image-allow-list.conf: No such file or directory
Error: exit status 1
b
It exists.
Copy code
> rdctl shell cat /usr/local/openresty/nginx/conf/image-allow-list.conf
"~*^registry\.k8s\.io(:443)?/v2/pause/manifests/[^/]+$" 0;
"~*^[^./]+\.pkg\.dev(:443)?/v2/.+/manifests/[^/]+$" 0;
"~*^registry-1\.docker\.io(:443)?/v2/rancher/mirrored-pause/manifests/[^/]+$" 0;
f
I wonder why it exists, but I think if you delete it, then 
nerdctl pull alpine
will start working
b
Hmm, I get a permission denied if I try using rdctl shell.
f
Copy code
rdctl shell sudo rm -f /usr/local/openresty/nginx/conf/image-allow-list.conf
1
💯 1
b
Interesting, yeah that removed the file.
And that now works.
f
Please confirm that the openresty service is not running:
Copy code
$ rdctl shell ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
ls: /usr/local/openresty/nginx/conf/image-allow-list.conf: No such file or directory
Error: exit status 1
b
I’ve now managed to pull alpine, too.
That file doesn’t appear to have been recreated.
f
Yeah, the question is why the file exists even though the feature has not been enabled
I will look into this tomorrow, and may have more questions for you then.
b
No worries! Sleep well!
And thanks for checking in!
f
In the meantime, you may want to try to stop RD and start it again, and see if that re-creates the file. Please post any updates about things you find here. You should be able to get 
nerdctl
working again by deleting the file
b
Just tried - it’s not recreated. odd.
f
I think I found the issue: the file is created (incorrectly) when Allowed Images is disabled, and you make a Preferences change that doesn't require a restart of the VM (which would clean things up again), e.g. changing the 
PATH
management setting, but there are others as well.
👍 1
f
Hi @fast-garage-66093, just in case it's interesting to you, it happened to me too today, and the fix worked too. • macOS Ventura 13.2 • Just installed latest RD without enabling kubernetes • Used containerd engine • Added manually the path to my .zshrc , and Rancher Desktop keeps complaining abouth not being in the path.
Copy code
❯ nerdctl pull debian:11
INFO[0000] trying next host                              error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/debian/manifests/11>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
ERRO[0000] server "<http://docker.io|docker.io>" does not seem to support HTTPS  error="failed to resolve reference \"<http://docker.io/library/debian:11\|docker.io/library/debian:11\>": failed to do request: Head \"<https://registry-1.docker.io/v2/library/debian/manifests/11>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused"
INFO[0000] Hint: you may want to try --insecure-registry to allow plain HTTP (if you are in a trusted network) 
FATA[0000] failed to resolve reference "<http://docker.io/library/debian:11|docker.io/library/debian:11>": failed to do request: Head "<https://registry-1.docker.io/v2/library/debian/manifests/11>": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused 
Error: exit status 1
❯ rdctl shell sudo ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
-rw-r--r--    1 alvaro   alvaro         195 Feb  9 10:59 /usr/local/openresty/nginx/conf/image-allow-list.conf
❯ rdctl shell sudo rm -f /usr/local/openresty/nginx/conf/image-allow-list.conf
❯ nerdctl pull debian:11
<http://docker.io/library/debian:11|docker.io/library/debian:11>:                                                      resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:43ef0c6c3585d5b406caa7a0f232ff5a19c1402aeb415f68bcd1cf9d10180af8:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:749383b0a6d17fb745d397b108d2ea38b5832226586b25c9f5cf7fcde24458ab: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:54e726b437fbb2dd7b43e4dd5cd79b0181e96a22849b7fc2ffe934fac2d65440:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:1e4aec178e0864db93a6f97a20bde3445871a4562c1801185eca1238d3a0e80d:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 7.1 s
736 Views
Open in Slack
PreviousNext
Powered by