Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
b
bored-planet-1228
01/09/2023, 3:01 AMI’ve just tried rancher-desktop for the first time, and as I’ve asked in #general, I can’t seem to get access to the normal public registries. What am I doing wrong?
(I tried to move that question here, but it seems this slack doesn’t let me do that).
f
fast-garage-66093
01/09/2023, 6:49 AMYou'll have to include additional information. How does it fail for you, what is the error message. Are you using a registry with basic auth, or using client certificates for authentication? Or are you using cloud registries that have their own credentials helpers, like ECR?
b
bored-planet-1228
01/09/2023, 6:49 AMI installed rancher desktop, fixed up the path manually in the fish shell, and get this error message whenever I try to fetch images:
> nerdctl pull alpine
INFO[0000] trying next host error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
ERRO[0000] server "<http://docker.io|docker.io>" does not seem to support HTTPS error="failed to resolve reference \"<http://docker.io/library/alpine:latest\|docker.io/library/alpine:latest\>": failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused"
INFO[0000] Hint: you may want to try --insecure-registry to allow plain HTTP (if you are in a trusted network)
FATA[0000] failed to resolve reference "<http://docker.io/library/alpine:latest|docker.io/library/alpine:latest>": failed to do request: Head "<https://registry-1.docker.io/v2/library/alpine/manifests/latest>": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused
Error: exit status 1f
fast-garage-66093
01/09/2023, 6:50 AMAre you using a proxy?
b
bored-planet-1228
01/09/2023, 6:51 AMNo, it’s just my personal laptop, macos M1. I do have “Little Snitch” installed, but it’s currently disabled.
f
fast-garage-66093
01/09/2023, 6:52 AMCan you confirm that you can reach the registry from a shell on your laptop?
$ curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}b
bored-planet-1228
01/09/2023, 6:53 AMThe message I get is:
{
"errors": [
{
"code": "UNAUTHORIZED",
"message": "authentication required",
"detail": [
{
"Type": "repository",
"Class": "",
"Name": "library/alpine",
"Action": "pull"
}
]
}
]
}f
fast-garage-66093
01/09/2023, 6:53 AMOk, that's good. And does it work from inside the VM as well?
$ rdctl shell curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}b
bored-planet-1228
01/09/2023, 6:53 AMHow do I test that.
f
fast-garage-66093
01/09/2023, 6:54 AMSee the command I just posted:
rdctl shell ...b
bored-planet-1228
01/09/2023, 6:54 AMAh, ideed.
> rdctl shell curl <https://registry-1.docker.io/v2/library/alpine/manifests/latest>
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}So I think that also works.
f
fast-garage-66093
01/09/2023, 6:56 AMThis is with RD 1.7.0 (latest release)?
b
bored-planet-1228
01/09/2023, 6:56 AMI installed it at lunchtime today, it should be the latest. Let me check.
Yes. 1.7.0
f
fast-garage-66093
01/09/2023, 6:57 AMThis is weird; it works normally for me, and the commands you just ran show that the registry is accessible from inside the VM
b
bored-planet-1228
01/09/2023, 6:58 AMThe only thing I can think of that might be different, is how I fixed up the path.
So I installed it, told it not to fiddle with the path, and then I added the path setting manually myself.
f
fast-garage-66093
01/09/2023, 6:58 AMThat should have no effect on how the registry is accessed from inside the VM.
And the fact that you can run
rdctlPATHb
bored-planet-1228
01/09/2023, 6:59 AMStrange. 😞
f
fast-garage-66093
01/09/2023, 7:00 AMDid you enabled the experimental "Allowed Images" feature in the Preferences?
b
bored-planet-1228
01/09/2023, 7:00 AMI haven’et changed anything else, I don’t think so anyway, let me check…
Nope.
Actually there is one more thing:
I have no idea why those two diagnostics are failing, though.
f
fast-garage-66093
01/09/2023, 7:03 AMI assume the first one fails because you only configured the
PATHzshbashThe second diagnostic is a bug; it looks like the probe failed to run.
b
bored-planet-1228
01/09/2023, 7:03 AMI don’t use bash, I’ve actually set it up in zsh though anyway because that’s the default shell these days in macos, but I’ve added it to fish for good measure (the shell I use)]
My zsh is configured to exec fish.
f
fast-garage-66093
01/09/2023, 7:04 AMThis shouldn't happen, and I'm curious why it failed, but it will be unrelated to your registry problem
Can you share that config with me, so we can fix the diagnostic?
I believe we are running the equivalent of
zsh -i -c "echo $PATH"b
bored-planet-1228
01/09/2023, 7:06 AMI think the prudent part of my zsh
.zshrcexport WASMTIME_HOME="$HOME/.wasmtime"
export RANCHER_HOME="$HOME/.rd"
export PATH="$RANCHER_BIN/bin:$WASMTIME_HOME/bin:$PATH"
exec fish -lfish_add_path ~/.rd/bin> zsh -i -c "echo $PATH"
Welcome to fish, the friendly interactive shell
Type `help` for instructions on how to use fishThat’s because of the
exec fishf
fast-garage-66093
01/09/2023, 7:07 AMThanks! I will look into this tomorrow (it is still 11PM Sunday night here)
b
bored-planet-1228
01/09/2023, 7:07 AMAh, no worries!
I’m only looking into this as a personal curiosity thing, I’ve a million other things to work on so there is no time pressure at all on my end.
f
fast-garage-66093
01/09/2023, 7:07 AMYour real problem is:
error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/alpine/manifests/latest>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>b
bored-planet-1228
01/09/2023, 7:08 AMYeah…. Is rancher setting something up there?
Or supposed to be?
f
fast-garage-66093
01/09/2023, 7:09 AMIt does set up an internal proxy when the "Allowed images" functionality is enabled:
if [ -f /usr/local/openresty/nginx/conf/image-allow-list.conf ]; then
export HTTPS_PROXY=<http://127.0.0.1:3128>
fib
bored-planet-1228
01/09/2023, 7:10 AMAh, interesting, but I don’t have that ticked.
f
fast-garage-66093
01/09/2023, 7:10 AMCan you double-check that the file doesn't exist:
$ rdctl shell ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
ls: /usr/local/openresty/nginx/conf/image-allow-list.conf: No such file or directory
Error: exit status 1b
bored-planet-1228
01/09/2023, 7:11 AMIt exists.
> rdctl shell cat /usr/local/openresty/nginx/conf/image-allow-list.conf
"~*^registry\.k8s\.io(:443)?/v2/pause/manifests/[^/]+$" 0;
"~*^[^./]+\.pkg\.dev(:443)?/v2/.+/manifests/[^/]+$" 0;
"~*^registry-1\.docker\.io(:443)?/v2/rancher/mirrored-pause/manifests/[^/]+$" 0;f
fast-garage-66093
01/09/2023, 7:12 AMI wonder why it exists, but I think if you delete it, then
nerdctl pull alpineb
bored-planet-1228
01/09/2023, 7:12 AMHmm, I get a permission denied if I try using rdctl shell.
f
fast-garage-66093
01/09/2023, 7:13 AMrdctl shell sudo rm -f /usr/local/openresty/nginx/conf/image-allow-list.conf✅ 1
💯 1
b
bored-planet-1228
01/09/2023, 7:13 AMInteresting, yeah that removed the file.
And that now works.
f
fast-garage-66093
01/09/2023, 7:13 AMPlease confirm that the openresty service is not running:
$ rdctl shell ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
ls: /usr/local/openresty/nginx/conf/image-allow-list.conf: No such file or directory
Error: exit status 1b
bored-planet-1228
01/09/2023, 7:14 AMI’ve now managed to pull alpine, too.
That file doesn’t appear to have been recreated.
f
fast-garage-66093
01/09/2023, 7:14 AMYeah, the question is why the file exists even though the feature has not been enabled
I will look into this tomorrow, and may have more questions for you then.
b
bored-planet-1228
01/09/2023, 7:15 AMNo worries! Sleep well!
And thanks for checking in!
f
fast-garage-66093
01/09/2023, 7:16 AMIn the meantime, you may want to try to stop RD and start it again, and see if that re-creates the file. Please post any updates about things you find here. You should be able to get
nerdctlb
bored-planet-1228
01/09/2023, 7:23 AMJust tried - it’s not recreated. odd.
f
fast-garage-66093
01/10/2023, 5:41 AMI think I found the issue: the file is created (incorrectly) when Allowed Images is disabled, and you make a Preferences change that doesn't require a restart of the VM (which would clean things up again), e.g. changing the
PATH👍 1
f
faint-lizard-84272
02/09/2023, 11:12 AMHi @fast-garage-66093, just in case it's interesting to you, it happened to me too today, and the fix worked too.
• macOS Ventura 13.2
• Just installed latest RD without enabling kubernetes
• Used containerd engine
• Added manually the path to my .zshrc , and Rancher Desktop keeps complaining abouth not being in the path.
❯ nerdctl pull debian:11
INFO[0000] trying next host error="failed to do request: Head \"<https://registry-1.docker.io/v2/library/debian/manifests/11>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused" host=<http://registry-1.docker.io|registry-1.docker.io>
ERRO[0000] server "<http://docker.io|docker.io>" does not seem to support HTTPS error="failed to resolve reference \"<http://docker.io/library/debian:11\|docker.io/library/debian:11\>": failed to do request: Head \"<https://registry-1.docker.io/v2/library/debian/manifests/11>\": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused"
INFO[0000] Hint: you may want to try --insecure-registry to allow plain HTTP (if you are in a trusted network)
FATA[0000] failed to resolve reference "<http://docker.io/library/debian:11|docker.io/library/debian:11>": failed to do request: Head "<https://registry-1.docker.io/v2/library/debian/manifests/11>": proxyconnect tcp: dial tcp 127.0.0.1:3128: connect: connection refused
Error: exit status 1
❯ rdctl shell sudo ls -l /usr/local/openresty/nginx/conf/image-allow-list.conf
-rw-r--r-- 1 alvaro alvaro 195 Feb 9 10:59 /usr/local/openresty/nginx/conf/image-allow-list.conf
❯ rdctl shell sudo rm -f /usr/local/openresty/nginx/conf/image-allow-list.conf
❯ nerdctl pull debian:11
<http://docker.io/library/debian:11|docker.io/library/debian:11>: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:43ef0c6c3585d5b406caa7a0f232ff5a19c1402aeb415f68bcd1cf9d10180af8: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:749383b0a6d17fb745d397b108d2ea38b5832226586b25c9f5cf7fcde24458ab: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:54e726b437fbb2dd7b43e4dd5cd79b0181e96a22849b7fc2ffe934fac2d65440: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1e4aec178e0864db93a6f97a20bde3445871a4562c1801185eca1238d3a0e80d: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 7.1 s