
Cannot click allow network button on macOS because it disappears too fast

Open kigawas opened this issue 2 years ago • 7 comments

Configure firewall and try colima start

kigawas avatar Feb 02 '22 09:02 kigawas

Can you explain more? Or is your experience similar to this https://github.com/abiosoft/colima/issues/156?

abiosoft avatar Feb 02 '22 21:02 abiosoft

+1 on this issue. I'm able to see the same behavior with the network permissions prompt appearing and disappearing quickly when you run colima start. In my case the SSH connection still ends up working fine.

Environment:

  • macOS Catalina v10.15.7
  • x86 intel mac

Colima:

colima version 0.3.2
git commit: 272db4732b90390232ed9bdba955877f46a50552

runtime: docker
arch: x86_64
client: v20.10.12
server: v20.10.11

We think this ends up manifesting as an issue where this step in colima start retries and fails:

Waiting for the essential requirement 1 of 5: ‘ssh’

I took a look at the affected user's /Users/{username}/.lima/colima/ha.stderr.log error log file, and for the SSH calls I would see errors like these:

"kex_exchange_identification: read: Connection reset by peer\\r\\nConnection reset by 127.0.0.1 port 52074\\r\\n\": exit status 255

joseph-galindo avatar Feb 08 '22 18:02 joseph-galindo

If you are able to accept the dialog quickly enough, the issue is permanently fixed. So it's just on initial start the first time you try to start up colima.

josephschmitt avatar Feb 08 '22 19:02 josephschmitt

You can also manually add colima in the "Firewall Options" section of Firewall in Security & Privacy in System Preferences.

I am curious why it needs this in the first place. I would have thought Colima would only need to open an external port when specifically exposing a port to an external interface.

deviantintegral avatar Feb 15 '22 21:02 deviantintegral

I have a use case currently with Colima, wondering if it might be related.

I'm executing a docker-compose with --env file that calls a remote docker host. It appears like it loads the file just fine, but ignores the docker host portion and executes on my local box.

requiem240sx avatar Mar 04 '22 15:03 requiem240sx

So I delved into this for a problem that I thought existed, but it didn't: because lima uses SSH tunnelling to open ports, only ssh should need permission to listen and it already does have that permission, AFAIK.

So, something like

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add "$(brew --prefix colima)/bin/colima"

should not be necessary because colima itself doesn't listen. limactl does listen along with qemu, obvs, e.g.

limactl   40075 colin   15u  IPv4 0xf9381268b43c6a45      0t0  TCP 127.0.0.1:61570 (LISTEN)
qemu-syst 40082 colin   19u  IPv4 0xf9381268b40dc005      0t0  TCP 127.0.0.1:61569 (LISTEN)

colindean avatar Mar 07 '22 22:03 colindean
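
Added example, not part of the thread or of Colima's own code: a shell helper that classifies `lsof` listener rows like the two quoted above as loopback-only or exposed, which is the distinction that comment relies on. The `lsof -nP -iTCP -sTCP:LISTEN` invocation and the `ssh` row with a wildcard bind are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Classify TCP listeners from lsof output by bind scope.
# Reads lsof-format lines on stdin; prints "command pid address scope".
classify_listeners() {
    awk '
        # Only rows whose last field is (LISTEN); skips the lsof header row.
        $NF == "(LISTEN)" {
            name = $(NF - 1)        # e.g. 127.0.0.1:61570, *:8080, [::1]:8080
            port = name
            sub(/^.*:/, "", port)   # greedy match keeps only the port
            host = substr(name, 1, length(name) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]" || host == "localhost")
                scope = "loopback"  # reachable only from this machine
            else
                scope = "exposed"   # wildcard (*) or a routable address
            print $1, $2, name, scope
        }'
}

# Exit status 0 only if every listener on stdin is bound to loopback.
only_loopback() {
    ! classify_listeners | grep -q ' exposed$'
}

# Sample input: the limactl and qemu rows are the ones quoted in the thread;
# the header and the ssh wildcard row are constructed for contrast.
sample_listeners() {
cat <<'EOF'
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
limactl   40075 colin   15u  IPv4 0xf9381268b43c6a45      0t0  TCP 127.0.0.1:61570 (LISTEN)
qemu-syst 40082 colin   19u  IPv4 0xf9381268b40dc005      0t0  TCP 127.0.0.1:61569 (LISTEN)
ssh       40101 colin    5u  IPv4 0xf9381268b40dd111      0t0  TCP *:8080 (LISTEN)
EOF
}

# Live use on macOS (assumed invocation):
#   lsof -nP -iTCP -sTCP:LISTEN | classify_listeners
sample_listeners | classify_listeners
```

Rows reported as `loopback` cannot be reached from another host, so only `exposed` rows are candidates for a firewall rule.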

Yes, very interested in why this is happening. Doesn't seem like incoming network connections should be necessary for colima. See screenshot of popup below (had to record screen it disappeared so fast).

[Screenshot: Screen Shot 2022-03-19 at 12 36 16 AM]

stoutput avatar Mar 19 '22 05:03 stoutput