Has anyone here been able to get their rootless podman-in-podman runners working with a proxy (squid)? More specifically, to pull container images from an external container registry?
When I run a pipeline, it gets the error:
dial tcp x.x.x.x:y: connect: no route to host when attempting to pull a container image from the internet.
Initially, I thought this was a networking/routing problem, but I see the same error when I
remove the proxy environment variables from my rootless user and try a manual podman pull on the host.
To clarify, manually running podman pull works fine when those proxy variables are set. But for some reason, the runner seems to ignore these variables?
What’s really confusing is that the runner pipeline output is returning the value of $http_proxy. For example, here is my .gitlab-ci.yml file.
and it’s showing this output
Pulling docker image squid.proxy.com:3128 ...
I am lost.
http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY have been configured for…
* the rootless user’s .bashrc and .bash_profile
* runner containers’ env variables
same error message for me using an internal registry.
I can use this registry using command line.
Pulling images works for me using proper HTTP and HTTPS proxy vars
It’s good to know someone else is getting this problem. I’ll see if I can submit a gitlab issue later today about this.
My colleagues found the solution. You need to do the following.
Login as your rootless podman user.
systemctl --user edit podman
Add these settings and save.
This file has been truncated.
# Podman socket activation
Socket activation conceptually works by having systemd create a socket (e.g. TCP, UDP or Unix
socket). As soon as a client connects to the socket, systemd will start the systemd service that is
configured for the socket. The newly started program inherits the file descriptor of the socket
and can then accept the incoming connection (in other words run the system call `accept()`).
This description corresponds to the default systemd socket configuration
that lets the service accept the socket.
Podman supports two forms of socket activation:
* Socket activation of the API service
* Socket activation of containers
## Socket activation of the API service
The architecture looks like this
The approach you’ve mentioned involves configuring the HTTP_PROXY and HTTPS_PROXY environment variables for the systemd user service associated with your rootless Podman user. This should ensure that the proxy settings are applied when the Podman runner is trying to pull container images from external registries.
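The drop-in that the `systemctl --user edit podman` step produces, written out as an added example (not code from the thread or from the Podman project). It applies the proxy variables to the socket-activated podman.service rather than to a shell profile: systemd user services never read `.bashrc` or `.bash_profile`, which is why exporting the variables there had no effect on pulls made through the Podman API socket. The proxy URL, the NO_PROXY hosts and the `proxy.conf` file name are assumptions chosen for illustration; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the thread or the Podman project): manage a systemd
# user drop-in that gives the socket-activated podman.service the proxy
# environment it needs. systemd user services do not read ~/.bashrc or
# ~/.bash_profile, so variables exported there never reach the API service
# that a runner talks to over the Podman socket.
set -eu

# Constructed values: replace with your own proxy and internal hosts.
PROXY_URL="http://squid.proxy.example:3128"
NO_PROXY_LIST="localhost,127.0.0.1,registry.internal.example"

# Print the drop-in body. Both spellings of each variable are set because
# different clients honour different ones. NO_PROXY keeps internal registry
# traffic off the proxy instead of sending it out through squid.
render_proxy_dropin() {
    proxy="$1"
    noproxy="$2"
    printf '[Service]\n'
    for var in HTTP_PROXY HTTPS_PROXY http_proxy https_proxy; do
        printf 'Environment=%s=%s\n' "$var" "$proxy"
    done
    printf 'Environment=NO_PROXY=%s\n' "$noproxy"
    printf 'Environment=no_proxy=%s\n' "$noproxy"
}

# Same directory that `systemctl --user edit podman` writes to. The drop-in
# must go on podman.service (the process that pulls images), not podman.socket.
dropin_path() {
    printf '%s/systemd/user/podman.service.d/proxy.conf\n' \
        "${XDG_CONFIG_HOME:-${HOME:-.}/.config}"
}

# Write the drop-in, reload systemd, and restart the service only if it is
# currently running: it is socket-activated, so when idle the next connection
# starts it with the new environment anyway.
install_proxy_dropin() {
    path="$(dropin_path)"
    mkdir -p "$(dirname "$path")"
    render_proxy_dropin "$1" "$2" > "$path"
    systemctl --user daemon-reload
    systemctl --user try-restart podman.service
}

# Show the environment the service will actually run with; compare this with
# the value the pipeline printed before and after installing the drop-in.
show_service_env() {
    systemctl --user show -p Environment podman.service
}

# Usage: render only by default; pass "install" to apply it.
if [ "${1:-render}" = "install" ]; then
    install_proxy_dropin "$PROXY_URL" "$NO_PROXY_LIST"
    show_service_env
else
    render_proxy_dropin "$PROXY_URL" "$NO_PROXY_LIST"
fi
```

`Environment=` values are visible to anyone who can run `systemctl --user show` as that user, so if the proxy requires credentials, keep them out of the URL here and put the variables in a mode 0600 file referenced with `EnvironmentFile=` instead.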