colima
Cannot click allow network button on macOS because it disappears too fast
Configure firewall and try colima start
Can you explain more? Or is your experience similar to this https://github.com/abiosoft/colima/issues/156?
+1 on this issue. I'm able to see the same behavior with the network permissions prompt appearing and disappearing quickly when you run colima start. In my case the SSH connection still ends up working fine.
Environment:
- macOS Catalina v10.15.7
- x86 intel mac
Colima:
colima version 0.3.2
git commit: 272db4732b90390232ed9bdba955877f46a50552
runtime: docker
arch: x86_64
client: v20.10.12
server: v20.10.11
We think this ends up manifesting as an issue where this step in colima start retries and fails:
Waiting for the essential requirement 1 of 5: ‘ssh’
I took a look at the affected user's /Users/{username}/.lima/colima/ha.stderr.log error log file, and for the SSH calls I would see errors like these:
"kex_exchange_identification: read: Connection reset by peer\\r\\nConnection reset by 127.0.0.1 port 52074\\r\\n\": exit status 255
If you are able to accept the dialog quickly enough, the issue is permanently fixed. So it's just on initial start the first time you try to start up colima.
You can also manually add colima in the "Firewall Options" section of Firewall in Security & Privacy in System Preferences.
I am curious why it needs this in the first place. I would have thought Colima would only need to open an external port when specifically exposing a port to an external interface.
I have a use case currently with Colima, wondering if it might be related.
I'm executing a docker-compose with --env file that calls a remote docker host. It appears like it loads the file just fine, but ignores the docker host portion and executes on my local box.
So I delved into this for a problem that I thought existed, but it didn't: because lima uses SSH tunnelling to open ports, only ssh should need permission to listen and it already does have that permission, AFAIK.
So, something like
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add "$(brew --prefix colima)/bin/colima"
should not be necessary because colima itself doesn't listen. limactl does listen along with qemu, obvs, e.g.
limactl 40075 colin 15u IPv4 0xf9381268b43c6a45 0t0 TCP 127.0.0.1:61570 (LISTEN)
qemu-syst 40082 colin 19u IPv4 0xf9381268b40dc005 0t0 TCP 127.0.0.1:61569 (LISTEN)
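The loopback-versus-other-interface distinction drawn in the comment above, as an added example that is not part of the original thread: a shell function that classifies each listener in `lsof -nP -iTCP -sTCP:LISTEN` output by its bind address. The function names and the third sample line (`exampled` on `*:8080`) are constructed for illustration; the first two sample lines are the ones quoted above.

```shell
#!/bin/sh
# Added example: label each TCP listener as "loopback" (bound to 127.0.0.0/8
# or ::1) or "exposed" (wildcard or any other interface address).
# Live usage on the host: lsof -nP -iTCP -sTCP:LISTEN | classify_listeners

classify_listeners() {
  awk '
    $NF == "(LISTEN)" {
      addr = $(NF - 1)                 # e.g. 127.0.0.1:61570, *:8080, [::1]:631
      host = addr
      sub(/:[0-9]+$/, "", host)        # strip the trailing :port
      if (substr(host, 1, 1) == "[")   # unwrap bracketed IPv6 such as [::1]
        host = substr(host, 2, length(host) - 2)
      scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
      printf "%s %s %s %s\n", scope, $1, $2, addr
    }'
}

# Sample input: the two lines quoted in the thread plus one constructed
# wildcard listener (hypothetical process name "exampled").
sample_lsof() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
limactl 40075 colin 15u IPv4 0xf9381268b43c6a45 0t0 TCP 127.0.0.1:61570 (LISTEN)
qemu-syst 40082 colin 19u IPv4 0xf9381268b40dc005 0t0 TCP 127.0.0.1:61569 (LISTEN)
exampled 40100 colin 7u IPv4 0x0000000000000001 0t0 TCP *:8080 (LISTEN)
EOF
}

# Output columns: scope, command, PID, bind address.
sample_lsof | classify_listeners
```

Only lines reported as exposed are bound to an address that other hosts can connect to; the limactl and qemu listeners quoted above are loopback-only.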
Yes, very interested in why this is happening. Doesn't seem like incoming network connections should be necessary for colima. See screenshot of popup below (had to record screen it disappeared so fast)