Authentication not working with ostree container unencapsulate #3015

Closed
javipolo opened this issue Aug 28, 2023 · 6 comments · Fixed by ostreedev/ostree-rs-ext#519

Comments

@javipolo

When trying to run container unencapsulate in a private repo, I get unauthorized: access to the requested resource is not authorized

[root@sno ~]# oci_url=quay.io/whatever/ost:backup
[root@sno ~]# ostree container unencapsulate --repo /ostree/repo ostree-unverified-registry:$oci_url
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: reading manifest backup in quay.io/whatever/ost: unauthorized: access to the requested resource is not authorized

When trying with podman, I have no problems pulling the image using /etc/ostree/auth.json:

[root@sno ~]# podman pull --authfile /etc/ostree/auth.json $oci_url
Trying to pull quay.io/whatever/ost:backup...
Getting image source signatures
Copying blob 346d2d8b7e27 done  
Copying config 09a563fade done  
Writing manifest to image destination
Storing signatures
09a563fade9b04e3ab59e1b8246daa9d55a7011357921c48d913e82c8082759e

# Check /etc/ostree/auth.json file permissions
[root@sno ~]# ls -ld /etc/ostree/auth.json 
-rw-------. 1 root root 97 Aug 28 12:12 /etc/ostree/auth.json

I have tried both /etc/ostree/auth.json and $HOME/.docker/config.json and neither works. Also, running strace I've seen that ostree does open /etc/ostree/auth.json

In the end, the only authentication file that is being used is the one set as global_auth_file in crio configuration (that in my case happens to be /var/lib/kubelet/config.json)

It would be cool if container unencapsulate could have an --authfile flag, as container image deploy has
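An added diagnostic example, not part of the original issue and not ostree or skopeo code: given an image reference and a candidate auth file, it reports whether the file is readable, whether its mode keeps group/other out, and which `auths` key (if any) would match, without ever printing the secret. The sample files and the `robot+backup` user are constructed; the `auths` layout and most-specific-key matching are taken from containers-auth.json(5), and the check says nothing about which file a given tool actually reads.

```python
import base64, json, os, stat, tempfile

def lookup_keys(image_ref):
    """Keys to try in "auths", most specific first (containers-auth.json matching)."""
    repo = image_ref.split("@")[0]
    if "/" in repo and ":" in repo.rsplit("/", 1)[1]:
        repo = repo[:repo.rindex(":")]          # drop the tag, keep any registry port
    parts = repo.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def inspect_authfile(path, image_ref):
    """Report whether `path` holds a usable entry for `image_ref`; never returns the secret."""
    res = {"path": path, "readable": False, "mode_ok": None, "matched_key": None, "user": None}
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as f:
            auths = json.load(f).get("auths", {})
        res.update(readable=True, mode_ok=(mode & 0o077) == 0)  # group/other access is a finding
        for key in lookup_keys(image_ref):
            blob = auths.get(key, {}).get("auth")
            if blob:
                user = base64.b64decode(blob).decode().split(":", 1)[0]
                res.update(matched_key=key, user=user)
                break
    except (OSError, ValueError, AttributeError) as exc:
        res["error"] = str(exc)
    return res

def demo():
    """Run the check over three constructed auth files for the image from the report."""
    tmp = tempfile.mkdtemp()
    token = base64.b64encode(b"robot+backup:constructed-secret").decode()
    samples = {  # constructed sample files, not real credentials
        "empty.json": ({"auths": {}}, 0o600),
        "other-namespace.json": ({"auths": {"quay.io/other": {"auth": token}}}, 0o644),
        "matching.json": ({"auths": {"quay.io/whatever": {"auth": token}}}, 0o600),
    }
    results = {}
    for name, (body, mode) in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "w") as f:
            json.dump(body, f)
        os.chmod(path, mode)
        results[name] = inspect_authfile(path, "quay.io/whatever/ost:backup")
    return results

if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```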

cgwalters added a commit to cgwalters/ostree-rs-ext that referenced this issue Aug 28, 2023
We need to support all the proxy options so that custom
authentication files can be supported, etc.

Closes: ostreedev/ostree#3015
@cgwalters
Member

PR in ostreedev/ostree-rs-ext#519

@cgwalters
Member

A workaround today is likely env REGISTRY_AUTH_FILE=/path/to/auth.json ostree container unencapsulate ....

@javipolo
Author

Thanks for the quick response 🚀 !!

The workaround seems to work for encapsulate but not for unencapsulate:

unencapsulate

[root@sno ~]# REGISTRY_AUTH_FILE=/var/tmp/backup-secret.json ostree container unencapsulate --repo /ostree/repo ostree-unverified-registry:quay.io/whatever/ost:backup --write-ref backup
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: reading manifest backup in quay.io/whatever/ost: unauthorized: access to the requested resource is not authorized

encapsulate

[root@sno ~]# REGISTRY_AUTH_FILE=/var/tmp/backup-secret.json ostree container encapsulate --repo /ostree/repo test registry:quay.io/whatever/ost:test
sha256:a6136f83c32872489feec8daa9d10654888861f1e1dd6237d40f503780a22e05

@cgwalters
Member

For encapsulate, you can work around this by pushing to an oci directory, and then using skopeo copy oci:... docker://.

@javipolo
Author

> For encapsulate, you can work around this by pushing to an oci directory, and then using skopeo copy oci:... docker://.

The workaround does work with encapsulate; it is with unencapsulate that it is not working 😅

cgwalters added a commit to cgwalters/ostree-rs-ext that referenced this issue Aug 28, 2023
Ideally we'd pass through all of the proxy options here, but
doing that sanely really requires being able to do *pushes*
through containers-image-proxy-rs, which is a quite nontrivial
amount of work.

For now, let's pass through `--authfile` which is the main thing
people want.  Anything else can be worked around by encapsulating
to `oci` and then doing a `skopeo copy` from there.

cc ostreedev/ostree#3015
@cgwalters
Member

And ostreedev/ostree-rs-ext#523 is the other half.
