nerdctl icon indicating copy to clipboard operation
nerdctl copied to clipboard

Published 20 hours ago verified publisher icon containerd

Make PR 1270 less draconian

Open ericpromislow opened this issue 2 years ago • 3 comments

Description

A Rancher Desktop user can get into a state where when they run nerdctl run SOME_IMAGE, they see the error message

FATA[0000] expected ac.ServerAddress ("") to be "https://index.docker.io/v1/"

Steps to reproduce the issue

  1. Run Rancher Desktop 1.4.1 with nerdctl 0.20.0
  2. nerdctl login
  3. Shut down Rancher Desktop, and install version 1.5.0
  4. nerdctl run busybox uname -a

This sometimes triggers the above error message on Windows and macOS. It seems that this is easier to trigger on a new system, like a fresh VM.

Describe the results you received and expected

I expected to see the results of uname -a on the container, but instead got the error message

FATA[0000] expected ac.ServerAddress ("") to be "https://index.docker.io/v1/"

What version of nerdctl are you using?

0.22.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Rancher Desktop for macOS

Host information

Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: v1.6.6
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file
  Storage: native overlayfs
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.15.57-0-virt
 Operating System: Alpine Linux v3.16
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.846GiB
 Name: lima-rancher-desktop
 ID: d28cfc71-d41b-4077-891c-c78648e76494

ericpromislow avatar Aug 10 '22 00:08 ericpromislow

Why you expect uname -a , what is the relation ?

fahedouch avatar Aug 11 '22 11:08 fahedouch

Actually, uname -a had nothing to do with it. It's just a matter of running the code at dockerconfigresolver.NewAuthCreds

ericpromislow avatar Aug 12 '22 22:08 ericpromislow

We have more of a repro:

# Run Rancher Desktop in docker/moby mode
$ docker login ...
# Switch to containerd
$ nerdctl pull busybox

Even then it depends on the state of /root/.docker/config.json on the Rancher Desktop VM

I think the error happens when I see this from a linux host:

$ cat /root/.docker/config.json { "auths": {}, "credsStore": "pass" }

and ~/.password/docker-credential-helpers has a dir that's base64 for https://index.docker.io/v1/

The problem is that ac.Username and ac.Password are correctly retrieved via pass, but the config-file loader reports that ac.ServerAddress is the empty string, possibly because of the empty auths hash in the above config.json.

Now.... all of the code called by ac, err := dockerConfigFile.GetAuthConfig(authConfigHostname) is in the github.com/docker/cli@.../cli/config/ subtree, which means the Docker CLI probably runs this same code and doesn't get confused.

So I would guess that the interpretation is incorrect -- if we have a username & password for the well-known docker serverAddress, we don't need a serverAddress from the config resolution.

ericpromislow avatar Aug 12 '22 22:08 ericpromislow