rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Frontend failing to download via proxy requiring authentication #1598

Open dandavids opened 2 years ago

dandavids commented 2 years ago

Steps to Reproduce

  1. Download Rancher.Desktop.Setup.1.0.1.exe
  2. Start Rancher Desktop.
  3. Choose Kubernetes version 1.20.15
  4. Opted for containerd (nerdctl)
  5. Get the error

Result

Error Starting Kubernetes
Error: Error downloading sha256sum-amd64.txt 1.20.15: authenticationrequired

Last command run: wsl --import rancher-desktop C:\Users\dan\AppData\Local\rancher-desktop\distro C:\Users\dan\AppData\Local\Programs\Rancher Desktop\resources\resources\win32\distro-0.12.1.tar --version 2

Context: Starting Kubernetes

Some recent logfile lines:

2022-02-16T15:07:07.673Z: Running command wsl --list --quiet...
2022-02-16T15:07:08.593Z: Registered distributions:
2022-02-16T15:07:08.620Z: Running command wsl --list --quiet...
2022-02-16T15:07:09.025Z: Registered distributions:
2022-02-16T15:07:09.025Z: Running command wsl --list --quiet...
2022-02-16T15:07:09.470Z: Registered distributions:
2022-02-16T15:07:09.472Z: Running command wsl --import rancher-desktop C:\Users\dan\AppData\Local\rancher-desktop\distro C:\Users\dan\AppData\Local\Programs\Rancher Desktop\resources\resources\win32\distro-0.12.1.tar --version 2...

Rancher Desktop Version 1.0.1

Rancher Desktop K8s Version 1.20.15

Which container runtime are you using? containerd (nerdctl)

What operating system are you using? Windows

Operating System / Build Version Windows 10 Enterprise 64-bit Build 20h2 (19042)

What CPU architecture are you using? x64

Screenshot of error Rancher-Desktop-error

dandavids commented 2 years ago

Forgot to mention one more thing - I am behind a company proxy. And I have set up my HTTPS and HTTP Proxy environment variables. Not sure if there is something else I need to do? Or is there an endpoint Rancher Desktop uses that I need to look into?

dandavids commented 2 years ago

Steps to reproduce

Uninstalled and re-installed without the Run-As administrator (i.e. installed as a normal user). Got a similar error, but the failure occurred even prior to choosing the k8s version and containerd option.

Error Starting Kubernetes
Error: Error downloading k3s-airgap-images-amd64.tar 1.20.15: authenticationrequired

Last command run: wsl --distribution rancher-desktop --exec /bin/sh -c [ -e /etc/os-release ] && . /etc/os-release ; echo ${VERSION_ID:-0.1}

Context: Starting Kubernetes

Some recent logfile lines:

2022-02-16T17:28:10.211Z: Running command wsl --list --quiet...
2022-02-16T17:28:11.141Z: Registered distributions: rancher-desktop,rancher-desktop-data
2022-02-16T17:28:11.238Z: Running command wsl --list --quiet...
2022-02-16T17:28:11.866Z: Registered distributions: rancher-desktop,rancher-desktop-data
2022-02-16T17:28:11.866Z: Running command wsl --distribution rancher-desktop --exec /bin/sh -c [ -e /etc/os-release ] && . /etc/os-release ; echo ${VERSION_ID:-0.1}...

mook-as commented 2 years ago

The errors in both appear to be similar (the files are downloaded at about the same time):

Error: Error downloading sha256sum-amd64.txt 1.20.15: authenticationrequired

Error downloading k3s-airgap-images-amd64.tar 1.20.15: authenticationrequired

We seem to be doing something wrong here regarding proxies that require authentication. This is during the initial download (from the GUI app, outside of the VM), where we should be using the system (IE) proxy settings…

pgonin commented 2 years ago

What type of authentication do you rely on? user/password or NTLM?

dandavids commented 2 years ago

> What type of authentication do you rely on? user/password or NTLM?

Thanks for reaching out @pgonin. Using user/password for proxy authentication. I have set up the http_proxy and https_proxy variables as Windows system environment variables.

http_proxy=http://USERNAME:PASSWORD@SERVER:PORT
https_proxy=http://USERNAME:PASSWORD@SERVER:PORT

mook-as commented 2 years ago

> I have set up the http_proxy and https_proxy variables as Windows system environment variables.

The UI uses the system proxy settings, which you'd have to set in Windows (Windows-level Settings → Proxy). But I assume that's already done, since Chrome uses the same set.

(We possibly also have bugs around this; we'll need to look at it more too.)

dandavids commented 2 years ago

@mook-as - Proxy is set up in two different places in Windows

  1. Windows->System Properties -> Environment Variables -> System Variables: I am setting both HTTPS_PROXY and HTTP_PROXY in the following format "http://USERNAME:PASSWORD@server:PORT/". I have had to set this for multiple tools like maven, Docker Desktop etc to work.

  2. Windows Settings -> Proxy, where "Use Setup script" is turned on, which essentially points to a .pac script that is provided by our security engineering team.

From my observation - #2 is what the browser uses. #1 is a definite must for all dev tools to work. This includes build tools like maven and also Docker Desktop. Essentially, anything that takes a non-browser route to communicate externally.

Will it be possible to give me the endpoints the frontend uses? e.g. docker.io, k8s.gcr.io, ghcr.io etc.

With an endpoint, I can try and get our engineering team to add it to our bypass rules to see if that fixes the issue. If it does, then at least there is a temp workaround. And a more permanent resolution/bug-fix can be included in the next release as almost everyone working in a medium-large company is behind a proxy :unamused:
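Added example, not part of the thread and not Rancher Desktop code: what a Node.js client has to do with the `http://USERNAME:PASSWORD@SERVER:PORT` form described above when the proxy demands Basic credentials (HTTP 407 Proxy Authentication Required), plus a redacted form that is safe to paste into logs or a bug report. The host, user and password are constructed sample values, and the function names are hypothetical.

```javascript
// Constructed sample in the format quoted in the thread; not a real proxy.
// The password "p@ss" is percent-encoded because "@" would end the userinfo part.
const SAMPLE_ENV = { HTTPS_PROXY: 'http://alice:p%40ss@proxy.example.internal:8080/' };

// Pick the proxy URL for a target scheme; tools differ on upper/lower case names.
function proxyFromEnv(env, scheme) {
  const names = scheme === 'https'
    ? ['HTTPS_PROXY', 'https_proxy']
    : ['HTTP_PROXY', 'http_proxy'];
  for (const name of names) {
    if (env[name]) return new URL(env[name]);
  }
  return null; // no proxy configured for this scheme
}

// Split the URL into the endpoint to connect to and the Proxy-Authorization
// header value that answers a Basic-auth challenge from the proxy.
function proxyAuth(proxyUrl) {
  const user = decodeURIComponent(proxyUrl.username);
  const pass = decodeURIComponent(proxyUrl.password);
  const header = user
    ? 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64')
    : null; // no credentials embedded: the client cannot answer a 407 itself
  const defaultPort = proxyUrl.protocol === 'https:' ? 443 : 80;
  return {
    host: proxyUrl.hostname,
    port: Number(proxyUrl.port) || defaultPort,
    proxyAuthorization: header,
  };
}

// Same URL with the userinfo masked, for log files and issue reports.
function redactProxy(proxyUrl) {
  const copy = new URL(proxyUrl.href);
  if (copy.username) copy.username = 'REDACTED';
  if (copy.password) copy.password = 'REDACTED';
  return copy.href;
}

// Log only the redacted form; the header value is reversible base64, not a hash.
console.log(redactProxy(proxyFromEnv(SAMPLE_ENV, 'https')));
```

Basic proxy credentials are only base64-encoded, so both the environment variable and the derived header should be treated as secrets and kept out of logs and process listings.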

mook-as commented 2 years ago

Right, we attempt to use the PAC script, but there may be issues there.

At the moment, I believe the frontend will access:

The backend will do the docker image downloads (index.docker.io, etc.); that's inside the VM (WSL or lima), so https_proxy etc. should apply.

We do want to support proxies, but (especially now with everybody working from home) it's a bit harder to set up things to get good testing. I'm hopeful we'll eventually be able to iron things out.

dandavids commented 2 years ago

Got the above endpoints all added for proxy auth bypass and now I have run into a different issue. Opened a new bug - #1772