Fetching Image From Public Registry Results in HTTP 401 on Windows 11 Under WSL2 Through Rancher Desktop

[donmai2024]

What happened in your environment?

Hello,

oras fails authorization when ran via WSL2 through Rancher Desktop to pull from a public GitHub container registry.

Example CLI log:

/mnt/wsl/rancher-desktop/run/data/ # oras manifest fetch --debug --verbose ghcr.io/jonashackt/hello-world:latest
DEBU[0000] Request #0
> Request URL: "https://ghcr.io/v2/jonashackt/hello-world/manifests/latest"
> Request method: "GET"
> Request headers:
   "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
   "User-Agent": "oras/1.2.1"
DEBU[0000] Response #0
< Response Status: "401 Unauthorized"
< Response headers:
   "Content-Length": "73"
   "X-Github-Request-Id": "C778:3ED69D:CE2642:E9A965:67603DE8"
   "Content-Type": "application/json"
   "Www-Authenticate": "Bearer realm=\"https://ghcr.io/token\",service=\"ghcr.io\",scope=\"repository:jonashackt/hello-world:pull\""
   "Date": "Mon, 16 Dec 2024 14:49:12 GMT"
Error: failed to fetch the content of "ghcr.io/jonashackt/hello-world:latest": GET "https://ghcr.io/v2/jonashackt/hello-world/manifests/latest": exit status 28

docker config.json

{
  "credsStore": "rancher-desktop"
}

What did you expect to happen?

The manifest and images to be pulled to my local workstation.

How can we reproduce it?

1. Install Rancher Desktop on a Windows 11 host machine
2. Install WSL2
3. Use rancher-desktop as your distribution for WSL2
4. Use docker login in the Windows host, so that your credentials are in the Windows Credential Manager
5. Run oras manifest fetch in the WSL2 shell against a public image of your choice

What is the version of your ORAS CLI?

/mnt/wsl/rancher-desktop/run/data # oras version
Version:        1.2.1
Go version:     go1.23.4
Git commit:     a0228556766b6276010d8feb937af512e8a50808
Git tree state: clean

What is your OS environment?

Windows 11, WSL2, Rancher-Desktop

Are you willing to submit PRs to fix it?

• Yes, I am willing to fix it.

[Wwwsylvia]

Hi @donmai2024 , it looks like your scenario is saving the credentials in wincred in Windows host and reading it from rancher-desktop in WSL? Is the expectation that rancher-desktop should automatically sync the credentials in wincred?

If so, you may get the credentials from wincred in Windows:

echo "ghcr.io" | docker-credential-wincred get

Do the same from rancher-desktop in WSL:

echo "ghcr.io" | docker-credential-rancher-desktop get

And see if the credentials match.

I tried to reproduce this in my environment, but docker-credential-rancher-desktop hangs. There might be something tricky with this credentials helper. 🤔

[donmai2024]

Hello @Wwwsylvia,

it looks like your scenario is saving the credentials in wincred in Windows host and reading it from rancher-desktop in WSL? Is the expectation that rancher-desktop should automatically sync the credentials in wincred?

Yes. That's how I hope it would work.

If so, you may get the credentials from wincred in Windows:

echo "ghcr.io" | docker-credential-wincred get

This returns my Github credentials.

Do the same from rancher-desktop in WSL:

echo "ghcr.io" | docker-credential-rancher-desktop get

This returns nothing.

I tried to reproduce this in my environment, but docker-credential-rancher-desktop hangs. There might be something tricky with this credentials helper. 🤔

This hung for me too. I let it run for about 5-10 minutes, and then it completed with no output (but it did return control to the system). The credential helper seems to be a shell script calling curl against a rancher endpoint.

[Wwwsylvia]

@donmai2024 It doesn't look like rancher-desktop can automatically sync credentials from docker desktop. You may need to find a workable credentials helper to use in rancher-desktop.

This hung for me too. I let it run for about 5-10 minutes, and then it completed with no output (but it did return control to the system). The credential helper seems to be a shell script calling curl against a rancher endpoint.

This is more of a set-up issue with rancher-desktop then. ORAS relies on docker credentials helpers (or config files for plaintext credentials) to read/save credentials but does not provide a credentials store itself.

[donmai2024]

@Wwwsylvia, thank you for the insights and support! As you say, it seems to be a problem with rancher-desktop, so I will close this issue.

For a closing note: I have found a potential workaround that I'll need to look into more on my end. By updating the docker config.json from this:

{
  "credsStore": "rancher-desktop"
}

to this:

{
  "credsStore": "wincred"
}

I was able to use oras manifest fetch on public and private images. In my mind, this further points to it being a problem on rancher-desktop's end.