rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Snyk Extension cannot auth with private registries #5081

Open jaden-zerbe-kr opened 1 year ago

jaden-zerbe-kr commented 1 year ago

Actual Behavior

When using the Snyk extension in Docker Desktop users get an "Authentication is required" message when pulling from a private registry.

Steps to Reproduce

  1. Configure Rancher Desktop with dockerd (moby) backend
  2. Install the Snyk extension with rdctl extension install snyk/snyk-docker-desktop-extension
  3. Configure Snyk token via the Snyk Extension "Settings" button
  4. Perform docker login and pull an image from private registry
  5. Attempt to scan the pulled image

Result

An error is displayed stating "Authentication is required".

Expected Behavior

Snyk scans the specified image and displays security vulnerabilities.

Additional Information

This same process works with Docker Desktop. It seems as if stored credentials are not accessible by the Snyk plugin when using Rancher Desktop. This process has been tested on both Windows and Mac with the same results.

Rancher Desktop Version

1.9.0

Rancher Desktop K8s Version

v1.26.5

Which container engine are you using?

moby (docker cli)

What operating system are you using?

Windows

Operating System / Build Version

Windows 10 Enterprise 21H2

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

VPN is in use with the "Enable networking tunnel" feature enabled.

jandubois commented 1 year ago

@ericsmalling do you have any ideas?

ericsmalling commented 1 year ago

That's odd. AFAIK, it should be using the local image via the bind-mounted docker.sock

ericsmalling commented 1 year ago

@jaden-zerbe-kr if you re-tag the image with something like "notarealregistry/image:tag", does it give the same error?

jaden-zerbe-kr commented 1 year ago

@ericsmalling - I pulled the node:latest image from our private registry and re-tagged it nodelocal:latest. On VPN, I get a "socket hang up" error. Off VPN, I get "Failed to scan image "localnode:latest". Please make sure the image and/or repository exist, and that you are using the correct credentials."

Using the original private registry tag, I get the same "Authentication is required" error whether I am on or off VPN.

ericsmalling commented 1 year ago

In my own testing I see similar errors but the same test on Docker Desktop works fine.

Side note: my Docker Desktop laptop is Mac OS on ARM vs. the Rancher Desktop laptop is Mac OS on Intel. Not sure if platform is contributing. (I doubt it as the image I tested with was amd64-only anyway)

ericsmalling commented 1 year ago

I think I figured it out. Per Docker's Extensions docs, we are bind mounting /var/run/docker.sock.raw which does not exist in the Rancher Desktop VM. Let me see if I can add some detection logic to pick the right one.

jandubois commented 1 year ago

> Per Docker's Extensions docs, we are bind mounting /var/run/docker.sock.raw which does not exist in the Rancher Desktop VM.

Thank you for figuring this out! I've created a separate issue for it in #5084.

> Let me see if I can add some detection logic to pick the right one.

While this helps the snyk extension, having the socket available improves compatibility and might fix other extensions too.

If you are playing around with it, would just having a symlink from docker.sock.raw to docker.sock work for you?