docker-registry-proxy
Issues running with podman
First of all, thanks for this great project. It's a great solution, and has saved gigabytes already.
I wish to run this container with podman so that I can use it as a proxy for my local docker installation.
I ran into an issue if I run it as follows (converting the docker run to podman run):
sudo podman run --rm --name docker_registry_proxy -it -p 0.0.0.0:3128:3128 -v /media/data/kube-dev-docker-registry-proxy/docker_mirror_cache:/docker_mirror_cache -v /media/data/kube-dev-docker-registry-proxy/docker_mirror_certs:/ca -e REGISTRIES="k8s.gcr.io gcr.io quay.io" -e AUTH_REGISTRIES="" rpardini/docker-registry-proxy:0.2.4
Adding certificate for registry: docker.caching.proxy.internal
Adding certificate for registry: registry-1.docker.io
Adding certificate for registry: auth.docker.io
Adding certificate for registry: k8s.gcr.io
Adding certificate for registry: gcr.io
Adding certificate for registry: quay.io
INFO: Will create certificate with names DNS:docker.caching.proxy.internal,DNS:registry-1.docker.io,DNS:auth.docker.io,DNS:k8s.gcr.io,DNS:gcr.io,DNS:quay.io
INFO: CA already exists. Good. We'll reuse it.
INFO: Generate IA key
INFO: Create a signing request for the IA: d66094a91f46 2020.03.09 22:42
INFO: Sign the IA request with the CA cert and key, producing the IA cert
INFO: Initialize the serial number for signed certificates
INFO: Create the key (w/o passphrase..)
INFO: Create the signing request, using extensions
INFO: Sign the request, using the intermediate cert and key
INFO: Concatenating fullchain.pem...
INFO: Concatenating fullchain_with_key.pem
Upstream SSL certificate verification enabled.
Testing nginx config...
2020/03/09 22:42:43 [emerg] 56#56: invalid port in resolver "2001:4860:4860::8888" in /etc/nginx/resolvers.conf:1
nginx: [emerg] invalid port in resolver "2001:4860:4860::8888" in /etc/nginx/resolvers.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
The contents of /etc/resolv.conf when running podman are:
bash-4.4# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
This differs from my host /etc/resolv.conf:
cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.1
So I guess podman is adding those IPv6 addresses.
I managed to make podman work by adding the --dns argument:
sudo podman run --rm --dns 127.0.0.11 --name docker_registry_proxy -it -p 0.0.0.0:3128:3128 -v /media/data/kube-dev-docker-registry-proxy/docker_mirror_cache:/docker_mirror_cache -v /media/data/kube-dev-docker-registry-proxy/docker_mirror_certs:/ca -e REGISTRIES="k8s.gcr.io gcr.io quay.io" -e AUTH_REGISTRIES="" rpardini/docker-registry-proxy:0.2.4
Adding certificate for registry: docker.caching.proxy.internal
Adding certificate for registry: registry-1.docker.io
Adding certificate for registry: auth.docker.io
Adding certificate for registry: k8s.gcr.io
Adding certificate for registry: gcr.io
Adding certificate for registry: quay.io
INFO: Will create certificate with names DNS:docker.caching.proxy.internal,DNS:registry-1.docker.io,DNS:auth.docker.io,DNS:k8s.gcr.io,DNS:gcr.io,DNS:quay.io
INFO: CA already exists. Good. We'll reuse it.
INFO: Generate IA key
INFO: Create a signing request for the IA: 645af140aa11 2020.03.09 22:44
INFO: Sign the IA request with the CA cert and key, producing the IA cert
INFO: Initialize the serial number for signed certificates
INFO: Create the key (w/o passphrase..)
INFO: Create the signing request, using extensions
INFO: Sign the request, using the intermediate cert and key
INFO: Concatenating fullchain.pem...
INFO: Concatenating fullchain_with_key.pem
Upstream SSL certificate verification enabled.
Testing nginx config...
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Starting nginx! Have a nice day.
Would it be possible to make a change in the entrypoint to filter out the 'invalid' nameservers when generating the nginx resolvers?
Hmm. I don't know podman, at all, but this seems a more generic case of IPv6 handling.
Podman is becoming more relevant, I will try and look into this soon.
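The handling asked for in the issue, as an added example that is not the project's entrypoint code: nginx's `resolver` directive accepts an IPv6 address only in square brackets, so the bare `2001:4860:4860::8888` is parsed as a host with an invalid port. The function name is hypothetical, the sample input is constructed from the resolv.conf shown in the issue, and skipping zone-scoped addresses is an assumption.

```shell
#!/bin/sh
# Added example: turn resolv.conf nameserver lines into one nginx
# "resolver" directive. Not the project's own code; names are hypothetical.

# Constructed sample, matching the container resolv.conf quoted in the issue.
SAMPLE_RESOLV_CONF='# constructed sample
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844'

# Reads resolv.conf text on stdin, prints "resolver a b [v6] ...;" on stdout.
# Exits non-zero when no usable nameserver is found, so the caller can
# stop before nginx is started with an empty directive.
resolvers_from_resolv_conf() {
    awk '
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                out = out " " addr              # IPv4 is usable as-is
            } else if (addr ~ /:/ && addr ~ /^[0-9A-Fa-f:.]+$/) {
                out = out " [" addr "]"         # IPv6 must be bracketed for nginx
            }
            # Anything else (for example fe80::1%eth0) is skipped: assumption.
        }
        END {
            if (out == "") exit 1
            print "resolver" out ";"
        }
    '
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_RESOLV_CONF" | resolvers_from_resolv_conf
```

Running `nginx -t` against the generated file, as the container's startup log already does, confirms the directive parses before nginx is started.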