rancher-desktop
Insecure mirror registry configuration
Actual Behavior
Corporate proxy denies access to most common docker registries. So it is necessary to use a mirror. After having configured Rancher Desktop to use it, attempting to pull an image with nerdctl fails.
Steps to Reproduce
- edit override.yaml

```
vi $HOME/.local/share/rancher-desktop/lima/_config/override.yaml
```

```yaml
provision:
- mode: system
  script: |
    #!/bin/sh
    set -eux
    mkdir -p /etc/rancher/k3s
    cat <<'EOF' >/etc/rancher/k3s/registries.yaml
    mirrors:
      docker.io:
        endpoint:
          - "http://192.168.8.123:8082"
      k8s.gcr.io:
        endpoint:
          - "http://192.168.8.123:8082"
      "192.168.8.123:8082":
        endpoint:
          - "http://192.168.8.123:8082"
    configs:
      "192.168.8.123:8082":
        tls:
          insecure_skip_verify: true
    EOF
```

- start Rancher Desktop

```
rdctl start
```

- verify that configuration is correctly loaded in Lima virtual machine

```
rdctl shell -- cat /etc/rancher/k3s/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "http://192.168.8.123:8082"
  k8s.gcr.io:
    endpoint:
      - "http://192.168.8.123:8082"
  "192.168.8.123:8082":
    endpoint:
      - "http://192.168.8.123:8082"
configs:
  "192.168.8.123:8082":
    tls:
      insecure_skip_verify: true
```
Result
image pulling fails, since it attempts to pull the image directly and not through mirror.
```
user@laptop-dev:~$ nerdctl pull nginx
docker.io/library/nginx:latest: resolving |--------------------------------------|
elapsed: 29.9s total: 0.0 B (0.0 B/s)
INFO[0030] trying next host error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/latest\": dial tcp 3.216.34.172:443: i/o timeout" host=registry-1.docker.io
ERRO[0030] active check failed error="context canceled"
FATA[0030] failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 3.216.34.172:443: i/o timeout
```
Expected Behavior
image pulling succeeds.
Additional Information
Registry mirror works with Docker and Podman, both previously installed.
Rancher Desktop Version
1.5.1
Rancher Desktop K8s Version
1.24.6
Which container engine are you using?
containerd (nerdctl)
What operating system are you using?
Ubuntu
Operating System / Build Version
Ubuntu 22.04.1 LTS
What CPU architecture are you using?
x64
Linux only: what package format did you use to install Rancher Desktop?
deb
Windows User Only
No response
Does it work if you remove this from the `mirrors` section?

```yaml
  "192.168.8.123:8082":
    endpoint:
      - "http://192.168.8.123:8082"
```
@hof no, same outcome
Is there any update on this topic?
I'm also trying to set up a docker.io mirror in Rancher Desktop. In my case the "insecure" option is not necessary, I think. Nevertheless, the approach of creating the registries.yaml via the override.yaml does not seem to work for me.
Try this workaround: https://github.com/rancher-sandbox/rancher-desktop/discussions/1924#discussioncomment-4762471
Hey, thanks for the quick response. The workaround seems to be working, I just adapted the entry a little bit for non-insecure mirrors:

```
DOCKER_OPTS="--registry-mirror=https://mirror.company.com"
```
`/etc/containerd/config.toml` is overwritten by Rancher Desktop. `/etc/rancher/k3s/registries.yaml` seems to be completely ignored (k3s agent?) or if it is doing anything it is getting overwritten by the template as Rancher Desktop boots. The template is not version 2 so you'll need to include the old key name.

```toml
### append to /etc/containerd/config.toml
# v1 config style
[plugins.cri.registry.mirrors."docker.io"]
  endpoint = ["https://registry.example.com"]

# containerd ignores this in a v1 config file
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://registry.example.com"]
```
- Run `sudo containerd config dump` inside of `rdctl shell` to verify that the mirror makes it into the config file.
- To restart containerd after a config change run `sudo service containerd restart` in the VM
I tried appending to the config with the lima `overrides.yaml` file but Rancher Desktop would overwrite the containerd config file after it brings the VM up.
#719 #721 #2405 #3123
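The v1 versus v2 key-name point from the last comment, as an added example that is not part of the thread or of Rancher Desktop: a shell function that classifies each registry mirror table in a containerd `config.toml` as effective, ignored, or effective but reached over plain `http://`. The function name `audit_mirrors`, the status labels, and the rule that a file without a top-level `version = 2` is read as a v1 config are assumptions of this example; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify the registry mirror tables in
# a containerd config.toml.
# Assumption: a file with no top-level "version = 2" is read as a v1 config.
# Output per mirror endpoint line: STATUS REGISTRY ENDPOINTS
#   OK        key style matches the config version
#   IGNORED   key style belongs to the other config version
#   CLEARTEXT effective, but the mirror is reached over plain http://
audit_mirrors() {
  awk '
    !tables && /^[ \t]*version[ \t]*=[ \t]*2/ { ver = 2 }
    /^[ \t]*\[/ {
      tables = 1; style = 0
      if ($0 ~ /plugins\."io\.containerd\.grpc\.v1\.cri"\.registry\.mirrors\./) style = 2
      else if ($0 ~ /plugins\.cri\.registry\.mirrors\./) style = 1
      reg = $0; sub(/.*mirrors\."/, "", reg); sub(/".*/, "", reg)
      next
    }
    style && /^[ \t]*endpoint[ \t]*=/ {
      n++; s[n] = style; r[n] = reg; e[n] = $0
      sub(/^[^=]*=[ \t]*/, "", e[n])
    }
    END {
      if (!ver) ver = 1
      for (i = 1; i <= n; i++) {
        st = "OK"
        if (s[i] != ver) st = "IGNORED"
        else if (e[i] ~ /"http:\/\//) st = "CLEARTEXT"
        print st, r[i], e[i]
      }
    }
  ' "$1"
}

# Constructed sample: the two key styles from the thread plus an http:// mirror.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[plugins.cri.registry.mirrors."docker.io"]
  endpoint = ["https://registry.example.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://registry.example.com"]
[plugins.cri.registry.mirrors."k8s.gcr.io"]
  endpoint = ["http://192.168.8.123:8082"]
EOF
audit_mirrors "$sample"
rm -f "$sample"
```

Inside `rdctl shell`, point it at `/etc/containerd/config.toml` after Rancher Desktop has started, since that is the file the thread reports being overwritten at boot.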