vscode-docker icon indicating copy to clipboard operation
vscode-docker copied to clipboard
verified publisher icon microsoft

Connecting to generic v2 registry is failing

Open pWoLiAn opened this issue 1 year ago • 20 comments

using latest extension version. When connecting to registry, get the message "fetch failed" image im able to pull using CLI image EDIT: the extension works properly with the previous version(1.28). issue is seen only with the latest version(1.29)

vscode details: Version: 1.86.2 (user setup) Commit: 903b1e9d8990623e3d7da1df3d33db3e42d80eda Date: 2024-02-13T19:40:56.878Z Electron: 27.2.3 ElectronBuildId: 26908389 Chromium: 118.0.5993.159 Node.js: 18.17.1 V8: 11.8.172.18-electron.0 OS: Windows_NT x64 10.0.22631

running on ubuntu 20.4 with remote SSH

pWoLiAn avatar Feb 21 '24 21:02 pWoLiAn

Try removing the /v2 from your registry URL, the extension adds that automatically as needed.

bwateratmsft avatar Feb 21 '24 21:02 bwateratmsft

still failing with the same error

pWoLiAn avatar Feb 21 '24 21:02 pWoLiAn

Can you tell me more about your registry provider? It may not be supported by the generic V2 registry connection.

bwateratmsft avatar Feb 22 '24 14:02 bwateratmsft

What type of information do you need? Although i dont think this is an issue with the registry because I'm able to connect to it normally with version 1.28.

pWoLiAn avatar Feb 22 '24 15:02 pWoLiAn

That's helpful to know. I think the most likely change that could have caused this is https://github.com/microsoft/vscode-docker-extensibility/commit/24e2d357bf481dd5e7f0636734187a41234cce0d, we changed from using node-fetch to the built-in fetch in Node.js 18. Are you using a proxy?

bwateratmsft avatar Feb 22 '24 15:02 bwateratmsft

yes i am

pWoLiAn avatar Feb 22 '24 16:02 pWoLiAn

Are you able to test without the proxy in place? It would be helpful to know for sure if the issue is something to do with the proxy.

bwateratmsft avatar Feb 22 '24 17:02 bwateratmsft

i cannot access the registry without the proxy but i can try using a different proxy

pWoLiAn avatar Feb 22 '24 20:02 pWoLiAn

I'm getting the same issue. It was working with a previous version of the extension, and now it's not. I suspect it might be something to do with the cert on the private registry (hosted on a local linux server) being self-signed?

The certificate is installed as a trusted CA on the machine, and I can browse to it fine in a web browser.

Is there any logging for the extension that I can look at perhaps?

Cheers

westy avatar Feb 23 '24 18:02 westy

That's very helpful to know. @pWoLiAn does your registry also use a self-signed certificate?

bwateratmsft avatar Feb 26 '24 17:02 bwateratmsft

yes

pWoLiAn avatar Feb 27 '24 04:02 pWoLiAn

I had the same problem with my mac, vs code version: 1.88.1 docker plugin version: 1.29.0 I can't connect to docker hub registried Uploading WechatIMG149.jpg…

fengjianxincoke avatar Apr 27 '24 11:04 fengjianxincoke

Our current workaround is to use version v1.28.0. Otherwise getting the fetch failed message. Tried v1.29.1 this morning. Same issue as found with v1.29.0.

What we have seen is that with the newer versions it doesn't seem to reach out to the remote server. We don't see any new logs in the registry container. With v1.28.0 we see the GET transaction.

After more diagnosis, the fetch actually isn't being done on a consistent basis. No packets across the network and the plugin just declares the fetch failed. We are not using self-signed certificates.

TorchDSP avatar May 05 '24 13:05 TorchDSP

I confirm that 1.28.0 working fine and 1.29.1 doesn't

tonimore avatar May 17 '24 13:05 tonimore

another confirmation. Glad to have found this work-around, downgrading to 1.28 works.

RuthAlk avatar Jul 17 '24 19:07 RuthAlk

1.29.2 that was just pushed to the marketplace yesterday contains fixes to the Accept header used by the extension when connecting to V2 registries. I can't guarantee it will solve all the connection issues being reported, but it's worth testing to see if you're unblocked with the latest release.

danegsta avatar Aug 14 '24 18:08 danegsta

1.29.2 that was just pushed to the marketplace yesterday contains fixes to the Accept header used by the extension when connecting to V2 registries. I can't guarantee it will solve all the connection issues being reported, but it's worth testing to see if you're unblocked with the latest release.

Hi,

Good to hear updates are being made. Unfortunately this does not solve the self-certificate issue for it, so have had to revert to 1.28.0 Hopefully a future update can sort it.

Cheers

westy avatar Aug 15 '24 09:08 westy

1.29.2 that was just pushed to the marketplace yesterday contains fixes to the Accept header used by the extension when connecting to V2 registries. I can't guarantee it will solve all the connection issues being reported, but it's worth testing to see if you're unblocked with the latest release.

Thanks for the update, but as mentioned above as well, it does not fix the issue with connecting to a docker with self-signed certificate. Reverted to 1.28

RuthAlk avatar Aug 16 '24 15:08 RuthAlk

So, it's not a good security practice, but you might be able to work around it by setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 for VSCode before launching it. Node.js has a static list of trusted root certificates; the system certificate store is ignored unfortunately.

A better solution would be to get "real" certificates for the registries, but of course that likely will cost money.

EDIT: see @danegsta's comment just below for a better possible workaround.

bwateratmsft avatar Aug 21 '24 18:08 bwateratmsft

It looks like node also supports trusting a specific certificate by setting the NODE_EXTRA_CA_CERTS environment variable (i.e. NODE_EXTRA_CA_CERTS=/path/to/your/cert.pem). This should hopefully allow you to trust the specific certificate without disabling the certificate trust feature entirely.

danegsta avatar Aug 21 '24 18:08 danegsta