#failed to resolve image "docker.io/library/alpine:latest"

I am new to dagger so forgive me it this is a bad question. I pointed dagger at the RKE2 K8s cluster with export _EXPERIMENTAL_DAGGER_RUNNER_HOST="kube-pod://... and I am seeing the error below. Both the cluster and the dagger cli are running my my workstation. My best guess is this is NOT a dagger issure but a DNS seupd issue on RKE2 but I am new to RKE2 as well and so I am not sure. I am just looking for some ideas of what to try next. Otherwise I will start researching DNS setup on RKE2. Thanks

$ dagger query <<EOF
> {
>   container {
>     from(address:"alpine") {
>     withExec(args: ["uname", "-a"]) { stdout }
>     }
>   }
> }
> EOF
...
Setup tracing at https://dagger.cloud/traces/setup. To hide set DAGGER_NO_NAG=1
Error: make request: input: container.from failed to resolve image "docker.io/library/alpine:latest" (platform: "linux/amd64"): failed to resolve source metadata for docker.io/library/alpine:latest: failed to do request: Head "https://registry-1.docker.io/v2/library/alpine/manifests/latest": dial tcp: lookup registry-1.docker.io on 10.87.0.1:53: read udp 10.87.0.1:47496->10.87.0.1:53: i/o timeout

Hey 😄

Yeah it seems it's a DNS issue, I'm able to execute your query on a simple engine:

{
    "container": {
        "from": {
            "withExec": {
                "stdout": "Linux buildkitsandbox 6.12.15-orbstack-00304-gd0ddcf70447d #60 SMP Tue Feb 18 19:55:47 UTC 2025 aarch64 Linux\n"
            }
        }
    }
}

Are you able to run an hello-world pod on your K8S cluster? Without dagger, just to see if your cluster can successfully pull an image
So you can verify if that's a global network issue inside your cluster or just your dagger engine that has a problem resolving dns

I can verify that it is not a global network issue. I ran this to create a pod in the cluster:

kubectl run test --image=docker.io/library/alpine:latest --command sleep infinity

Then when I describe the pod I can see this:

Successfully pulled image "docker.io/library/alpine:latest" in 1.206s (1.206s including waiting). Image size: 3653068 bytes. 

So then I tried this:

$ kubectl run dns-test --image=busybox --restart=Never --command -- sleep 3600
pod/dns-test created

$ kubectl exec -it dns-test -- nslookup google.com
Server:         10.43.0.10
Address:        10.43.0.10:53

** server can't find google.com: SERVFAIL
** server can't find google.com: SERVFAIL

command terminated with exit code 1

This makes me think the issue is with the cluster's DNS configuration. I will keep looking and report back.

Sure let us know! Looks like an interesting problem that we could document if it's dagger relative

I got it to work by modifying the dnsPolicy and hostNetwork for the dagger engine (see below). I edited the DaemaonSet directly but need to do this with the Dagger Helm chart. I have not looked at the chart yet, maybe there are some comments there about how to set these values. If not I can open and issue or something, sound good?

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: dagger-dagger-helm-engine
  namespace: dagger
spec:
  selector:
    matchLabels:
      name: dagger-dagger-helm-engine
  template:
    ...
    spec:
      containers:
      - image: registry.dagger.io/engine:v0.17.0
        name: dagger-engine
        ...
      dnsPolicy: Default  # Changed this from 'ClusterFirst' to 'Default'
      hostNetwork: true   # Added this

I prepared a fix for the helm chart and want to open a PR to contribute but can seem to figure out how to sign my commits! This is embarrassing because the process looks simple. Would you happen to have a reference to a good guide on doing this? I could post what I did if needed but I don't want to over use this channel if this type of request is inappropriate?

git commit -sm "Some message"

the -s signs it

when I do that I see Signed-off-by: Tony Gilkerson <tonygilkerson@yahoo.com> but it is unverified in Github, is that message all you need?

here is more detial on what git sees:

$ git log --show-signature -1    
error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
commit 2ecd1c2d94c0997b90822948ae002fff1a046a33 (HEAD -> main)
No signature
Author: Tony Gilkerson <tonygilkerson@yahoo.com>
Date:   Wed Mar 26 14:26:18 2025 -0400

    sign my commit
    
    Signed-off-by: Tony Gilkerson <tonygilkerson@yahoo.com>

I see the issue about allowedSignersFile but cant seem to get it right

oh right.. the gpg thing

you can tell git to use your current ssh key for signing. Here's more info about this here: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key

do you need git -s or git -S?

The -s flag adds a Signed-off-by line to the commit message, and that is working for me...

The -S flag is used to cryptographically sign the commit using your configured signing key (e.g., GPG or SSH key).

-S to sign it

I have a config in my gitconfig to automatically sign all commits

[commit]
        gpgsign = true

understood, here is what I did to configure git:

git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519
git config --global commit.gpgsign true

echo "git $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
chmod 644 ~/.ssh/allowed_signers

# make sure key is listed
ssh-add -l
# If your key is not listed, add it:
ssh-add ~/.ssh/id_ed25519

# add a change thin
git commit -sm "sign commit"


# verify
git log --show-signature -1 

where is that file you are referring to?

in the signinkey you need to set your public key, not the private one

it should be the .gitconfig in your home directory

ok let me try that.... thanks

fixing the signinkey seems to have worked

$ git log --show-signature -1 
commit 52262479359d931d27cd99163a23da917cc2995c (HEAD -> main, origin/main, origin/HEAD)
Good "git" signature for git with ED25519 key SHA256:EO5dHA8kdxBmSQZHuF28QsaJ1+91/oG3IRzh6Z/U+4A
Author: Tony Gilkerson <tonygilkerson@yahoo.com>
Date:   Wed Mar 26 15:15:04 2025 -0400

    sign commit take 6

it is still unverified in Github. I will look at that next... but progress!

🚀

I see that key referenced in my commit SHA256:EO5dHA8kdxBmSQZHuF28QsaJ1+91/oG3IRzh6Z/U+4A is listed in GitHub as an SSH key. Do I need to do any thing else?

I found it! When you add your SSH key to GitHub there is a dropdown to indicate if you are using the key for authorization or signing. I never saw this dropown because it was an existing key and I would never let me add the same duplicate key. Way back when I initially added the SSH key I just took the default which was to use it for authorizaiton

thanks for all your help

FYI I opened this PR for this issue. https://github.com/dagger/dagger/pull/10008