podman-desktop: Cannot add insecure registry
Issue Description
After installing podman-desktop on Windows 10, it asked me to install podman. That’s what I did, so far so good.
Then I tried to add a local registry that comes without a certificate. I tried that in the GUI in Settings -> Registries -> Add registry, which resulted in the error message Unable to find auth info for https://server.net.local/v2/. Error: RequestError: certificate has expired.
Then I tried to add the registry within the WSL container podman-machine-default in ~/config/containers/registries.conf, /etc/containers/registries.conf and /etc/containers/registries.conf.d/001-myreg.conf like this:
[[registry]]
location = "server.net.local"
insecure = true
But with no luck.
I also added the server in the /etc/hosts file. Also, no change there. The error is still shown. Even after restarting podman-desktop.
The server works fine in docker-desktop (which is currently not running) with the URL being stated in the insecure-registries entry in the settings, so I guess the server would be alright.
Any idea what I am doing wrong?
Steps to reproduce the issue
see above
Describe the results you received
see above
Describe the results you expected
see above
podman info output
$ podman version
Client: Podman Engine
Version: 4.4.1
API Version: 4.4.1
Go Version: go1.19.5
Git Commit: 34e8f3933242f2e566bbbbf343cf69b7d506c1cf
Built: Wed Feb 8 22:08:06 2023
OS/Arch: windows/amd64
Server: Podman Engine
Version: 4.4.1
API Version: 4.4.1
Go Version: go1.18.10
Built: Fri Feb 17 11:31:22 2023
OS/Arch: linux/amd64
$ podman info
host:
arch: amd64
buildahVersion: 1.29.0
cgroupControllers: []
cgroupManager: cgroupfs
cgroupVersion: v1
conmon:
package: conmon-2.1.5-1.fc36.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.5, commit: '
cpuUtilization:
idlePercent: 99.88
systemPercent: 0.1
userPercent: 0.02
cpus: 12
distribution:
distribution: fedora
variant: container
version: "36"
eventLogger: journald
hostname: avah-frsc-lt
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 5.10.16.3-microsoft-standard-WSL2
linkmode: dynamic
logDriver: journald
memFree: 26235785216
memTotal: 26602029056
networkBackend: netavark
ociRuntime:
name: crun
package: crun-1.8.1-1.fc36.x86_64
path: /usr/bin/crun
version: |-
crun version 1.8.1
commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
os: linux
remoteSocket:
exists: true
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
version: |-
slirp4netns version 1.2.0-beta.0
commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
libslirp: 4.6.1
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.3
swapFree: 7516192768
swapTotal: 7516192768
uptime: 1h 12m 36.00s (Approximately 0.04 days)
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
volume:
- local
registries:
server.net.local:
Blocked: false
Insecure: true
Location: server.net.local
MirrorByDigestOnly: false
Mirrors: null
Prefix: server.net.local
PullFromMirror: ""
search:
- docker.io
store:
configFile: /home/user/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/user/.local/share/containers/storage
graphRootAllocated: 269490393088
graphRootUsed: 827060224
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 0
runRoot: /run/user/1000/containers
transientStore: false
volumePath: /home/user/.local/share/containers/storage/volumes
version:
APIVersion: 4.4.1
Built: 1676629882
BuiltTime: Fri Feb 17 11:31:22 2023
GitCommit: ""
GoVersion: go1.18.10
Os: linux
OsArch: linux/amd64
Version: 4.4.1
Podman in a container
Yes
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Additional information
About this issue
- Original URL
- State: closed
- Created a year ago
- Comments: 38 (12 by maintainers)
Commits related to this issue
- refactor: remove adding new registry modal ### What does this PR do? When implementing a registry feature, I noticed we have a leftover modal that hasn't been updated in a while. It also does not in... — committed to cdrage/podman-desktop by cdrage a year ago
- refactor: remove adding new registry modal (#2882) ### What does this PR do? When implementing a registry feature, I noticed we have a leftover modal that hasn't been updated in a while. It als... — committed to containers/podman-desktop by cdrage a year ago
- docs: how to add an insecure registry ### What does this PR do? Adds documentation on how to add an insecure registry to Podman Desktop which consists of adding it via the Registries section as well... — committed to cdrage/podman-desktop by cdrage a year ago
- docs: how to add an insecure registry (#2953) * docs: how to add an insecure registry ### What does this PR do? Adds documentation on how to add an insecure registry to Podman Desktop which co... — committed to containers/podman-desktop by cdrage a year ago
- docs: how to add an insecure registry (#2953) * docs: how to add an insecure registry ### What does this PR do? Adds documentation on how to add an insecure registry to Podman Desktop which co... — committed to mairin/podman-desktop by cdrage a year ago
Not so obvious at all: it’s still perfectly reasonable for a group to have an http registry without authentication in a dev environment that is on an isolated network (not accessible from the Internet).
Both have been closed / merged #2896 and #2928 so this issue has been completed (as the add insecure registry is reliant on upstream / podman)
To me the basic requirement is that if you connect to a registry with an invalid certificate or over http you get an appropriate warning, and if you accept we’ll remember for that specific registry and all future interaction with it, even after restart. If you delete the registry and create a new one you’d be prompted again.
Users can add the certificate to their trust store if they want to do it permanently. It’d be nice if we could do that from within Podman Desktop too, or provide options for ‘prompt again after restart/next week’, but IMHO those are refinements for another time.
I agree with Thadir except maybe for the once-a-week part: once I’ve made the decision to accept an invalid (self-signed) cert or create an unauthenticated connection and you popped up a confirmation warning once during the creation, you’ve done everything you can and should do; your user has decided what they want. No need to annoy anyone every time they use the program or even weekly. In fact that’s building the muscle memory to just ignore such warnings, and I’d say that’s a far bigger problem.
To clarify as I start the implementation, in this issue, there are two things that are to be implemented:
For both, we will make sure to issue multiple warnings when adding the insecure registry.
@vl-twinsec Did some more testing and I believe that’s exactly what’s happening. I don’t think the podman VM is accurately grabbing the CAs from the host machine. I was able to reproduce it, but after restarting it suddenly worked?
I encountered a DNS issue as well which may be unrelated, where an IP update for one of my private servers propagated to my local machine, but not to my podman VM.
After performing a restart, the CA cert was grabbed and the DNS issue resolved, which was odd because I followed the same steps as @benoitf above and it only propagated after restart.
Talked to @benoitf and had an internal discussion on what we should do going forward with insecure registries.
We are able to add registries using ~/.config/containers/auth.json but we cannot specify them as insecure unless we edit the registries.conf on the podman machine (in this case, the VM). The code to implement this would be complex as it’s going to use the podman CLI to SSH into the machine, edit the configuration file, make sure it’s valid, and then restart the VM. The same needs to be done when removing the registry as well.
After discussion we’ve decided to do the following tasks:
Thanks @sprior and @Thadir for the insight. I’ll split this up into two separate PRs. One for the “invalid certificate” when users haven’t set up TLS / Let’s Encrypt / etc.
And another for plain-old http without authentication.
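Editor's note, added example (not Podman Desktop's or Podman's own code): the maintainer comment above describes the only way, at the time of this issue, to make a registry "insecure" for the Podman engine: write a `[[registry]]` entry with `insecure = true` into `registries.conf` on the podman machine (the VM), not on the Windows host, and restart the machine. The `podman info` output in the report shows exactly that entry in effect (`Insecure: true` for `server.net.local`), which is why the engine-side config was fine while the Desktop GUI, which checks the registry over HTTPS from the host and records credentials in `auth.json`, still failed. The script below automates the machine-side step with the real `podman machine ssh`, `podman machine stop/start` and `podman info --format` commands. The machine name `podman-machine-default`, the registry host `server.net.local` and the drop-in file name `001-myreg.conf` are taken from the issue; the function names and the `PODMAN_MACHINE` variable are this example's own. It rejects a location written with a scheme or path (`https://host`, `host/v2/`), because such an entry is syntactically valid TOML but never matches an image reference, so `insecure = true` silently has no effect.

```shell
#!/bin/sh
# Added example: mark one registry as insecure on the podman machine.
# Assumptions (not from the project): machine name, drop-in path, function names.
set -eu

MACHINE="${PODMAN_MACHINE:-podman-machine-default}"
DROPIN=/etc/containers/registries.conf.d/001-myreg.conf

# Only a bare host[:port] is a usable registry location. A scheme, a path or
# whitespace would produce an entry that matches nothing, so refuse it early.
valid_registry_location() {
  case "$1" in
    ''|*://*|*/*|*' '*) return 1 ;;
  esac
  return 0
}

# Print the registries.conf drop-in for one registry reachable over plain HTTP
# or with a certificate the machine does not trust. Nothing else is touched.
render_insecure_registry_conf() {
  valid_registry_location "$1" || { echo "bad registry location: $1" >&2; return 1; }
  printf '[[registry]]\nlocation = "%s"\ninsecure = true\n' "$1"
}

# Write the drop-in inside the machine, restart it so the engine re-reads the
# configuration, then confirm the engine really reports the registry as insecure.
apply_insecure_registry() {
  echo "warning: TLS verification for $1 will be disabled on $MACHINE;" \
       "only do this for a registry on an isolated network" >&2
  render_insecure_registry_conf "$1" \
    | podman machine ssh "$MACHINE" "sudo tee $DROPIN >/dev/null"
  podman machine stop "$MACHINE"
  podman machine start "$MACHINE"
  # Registries is a map keyed by location; the JSON form carries "Insecure":true.
  podman info --format '{{json .Registries}}' | grep -q '"Insecure":true' \
    || { echo "registry $1 is still not insecure on $MACHINE" >&2; return 1; }
}

# Usage: ./insecure-registry.sh --apply server.net.local
if [ "${1:-}" = "--apply" ]; then
  apply_insecure_registry "$2"
fi
```

Run with `--apply server.net.local` from the Windows host where the `podman` client is installed; `podman machine ssh` carries the drop-in into the VM, and the final `podman info` check is the same evidence the issue reporter's own output already shows. A registry on a non-standard port goes in as `server.net.local:5000`, with no scheme.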