rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Insecure mirror registry configuration #3123

Open massigrillo opened 2 years ago

massigrillo commented 2 years ago

Actual Behavior

Corporate proxy denies access to most common docker registries. So it is necessary to use a mirror. After having configured Rancher Desktop to use it, attempting to pull an image with nerdctl fails.

Steps to Reproduce

vi $HOME/.local/share/rancher-desktop/lima/_config/override.yaml
provision:
  - mode: system
    script: |
      #!/bin/sh
      set -eux
      mkdir -p /etc/rancher/k3s
      cat <<'EOF' >/etc/rancher/k3s/registries.yaml
      mirrors:
        docker.io:
          endpoint:
            - "http://192.168.8.123:8082"
        k8s.gcr.io:
          endpoint:
            - "http://192.168.8.123:8082"
        "192.168.8.123:8082":
          endpoint:
            - "http://192.168.8.123:8082"
      configs:
        "192.168.8.123:8082":
          tls:
            insecure_skip_verify: true
      EOF
rdctl start
rdctl shell -- cat /etc/rancher/k3s/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "http://192.168.8.123:8082"
  k8s.gcr.io:
    endpoint:
      - "http://192.168.8.123:8082"
  "192.168.8.123:8082":
    endpoint:
      - "http://192.168.8.123:8082"
configs:
  "192.168.8.123:8082":
    tls:
      insecure_skip_verify: true

Result

Image pulling fails, since it attempts to pull the image directly and not through the mirror.

user@laptop-dev:~$ nerdctl pull nginx
docker.io/library/nginx:latest: resolving      |--------------------------------------| 
elapsed: 29.9s                  total:   0.0 B (0.0 B/s)                                         
INFO[0030] trying next host                              error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/latest\": dial tcp 3.216.34.172:443: i/o timeout" host=registry-1.docker.io
ERRO[0030] active check failed                           error="context canceled"
FATA[0030] failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 3.216.34.172:443: i/o timeout 

Expected Behavior

Image pulling succeeds.

Additional Information

Registry mirror works with Docker and Podman, both previously installed.

Rancher Desktop Version

1.5.1

Rancher Desktop K8s Version

1.24.6

Which container engine are you using?

containerd (nerdctl)

What operating system are you using?

Ubuntu

Operating System / Build Version

Ubuntu 22.04.1 LTS

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

deb

Windows User Only

No response

hof commented 2 years ago

Does it work if you remove this from the mirrors section?

  "192.168.8.123:8082":
    endpoint:
      - "http://192.168.8.123:8082"

massigrillo commented 2 years ago

@hof no, same outcome

Niklas2501 commented 1 year ago

Is there any update on this topic?

I'm also trying to set up a docker.io mirror in Rancher Desktop. In my case the "insecure" option is not necessary, I think. Nevertheless, the approach of creating the registries.yaml via the override.yaml does not seem to work for me.

jandubois commented 1 year ago

Try this workaround: https://github.com/rancher-sandbox/rancher-desktop/discussions/1924#discussioncomment-4762471

Niklas2501 commented 1 year ago

> Try this workaround: #1924 (reply in thread)

Hey, thanks for the quick response. The workaround seems to be working; I just adapted the entry a little bit for non-insecure mirrors:

DOCKER_OPTS="--registry-mirror=https://mirror.company.com"

SeanKnight commented 1 year ago

/etc/containerd/config.toml is overwritten by Rancher Desktop. /etc/rancher/k3s/registries.yaml seems to be completely ignored (k3s agent?) or if it is doing anything it is getting overwritten by the template as Rancher Desktop boots. The template is not version 2 so you'll need to include the old key name.

### append to /etc/containerd/config.toml
# v1 config style
[plugins.cri.registry.mirrors."docker.io"]
  endpoint = ["https://registry.example.com"]
# containerd ignores this in a v1 config file
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://registry.example.com"]

I tried appending to the config with the lima overrides.yaml file but Rancher Desktop would overwrite the containerd config file after it brings the VM up.
