Bug 1800815

Summary: "podman login" writes auth.json in a location "skopeo copy" does not expect
Product: Red Hat Enterprise Linux 8
Reporter: Ken Dreyer (Red Hat) <kdreyer>
Component: skopeo
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: bbaude, branto, dornelas, dwalsh, jligon, jnovy, lsm5, mheon, nnosenzo, oarribas, tserlin, tsweeney, ypu, yujiang
Target Milestone: rc
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: skopeo-1.0.0 and newer
Last Closed: 2020-11-04 03:05:10 UTC
Type: Bug
Bug Blocks: 1186913, 1804543

Description Ken Dreyer (Red Hat) 2020-02-07 22:54:21 UTC
Description of problem:
"podman login" writes its credentials in such a way that "skopeo copy" cannot use them.

Version-Release number of selected component (if applicable):
podman-1.6.4-3.module+el8.2.0+5399+beb15b66.x86_64
skopeo-0.1.40-8.module+el8.2.0+5352+afaeb1b9.x86_64

How reproducible:
always

Steps to Reproduce:
1. Obtain an account token that has write access to a registry.
2. Log in like so:
   sudo podman login -p **** -u unused docker-registry.example.com
3. Verify the output says "Login succeeded!"
4. Run "skopeo copy" like so:
   sudo skopeo copy docker://origin.com/mycontainer:latest docker://docker-registry.example.com/mycontainer:latest

Actual results:
Error uploading manifest latest to docker-registry.example.com/mycontainer: unauthorized: authentication required 

Expected results:
The copy operation proceeds without error.

Additional info:
This exact same set of commands works fine in Fedora 30 with podman-1.7.0-3.fc30 and skopeo-0.1.40-2.fc30. I have tested this in completely new RHEL 8.1 and Fedora 30 VMs.

In RHEL 8:
"podman login" stores its credentials in this file: /run/user/0/containers/auth.json
But "skopeo copy" is trying to read this file:
/run/containers/0/auth.json

On Fedora 30, podman and skopeo both use this file:
/run/containers/0/auth.json

When I move the file on my RHEL 8 system to the correct location, then skopeo is able to successfully copy images:

mkdir -p /run/containers/0/
mv /run/user/0/containers/auth.json /run/containers/0/

skopeo copy ...

Comment 1 Ken Dreyer (Red Hat) 2020-02-07 22:59:42 UTC
When I downgrade to podman-1.4.2-6.module+el8.1.0+4830+f49150d7.x86_64, "podman login" correctly writes to /run/containers/0/auth.json.

Comment 2 Ken Dreyer (Red Hat) 2020-02-07 23:18:05 UTC
Reading the source of libpod-5cc9284.tar.gz, I see now that podman will use XDG_RUNTIME_DIR if that is set. That env variable is indeed defined on my RHEL 8 VM. I think this means podman respects XDG_RUNTIME_DIR and skopeo does not.

Comment 3 Ken Dreyer (Red Hat) 2020-02-07 23:33:41 UTC
Even when I unset the XDG_RUNTIME_DIR environment variable, I am still unable to get podman to write its auth file to anywhere other than /run/user/0/containers/auth.json
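
The path mismatch described in the report and in Comments 2 and 3 can be checked with a short script. This is an added example, not part of the bug report or of podman/skopeo: it lists the two auth.json locations named above for a UID, reports which one holds credentials, and flags files readable by group or other. The function names and the ROOT prefix are hypothetical.

```shell
# Added example, not from the bug report. ROOT is a hypothetical prefix so the
# check can run against a scratch tree; leave it empty for the live system.

auth_candidates() {   # $1=uid  $2=XDG_RUNTIME_DIR (may be empty)  $3=root prefix
    # Where podman 1.6.4 wrote in the report: under XDG_RUNTIME_DIR, and still
    # under /run/user/<uid> with the variable unset (Comment 3).
    if [ -n "$2" ]; then
        printf '%s\n' "$3$2/containers/auth.json"
    else
        printf '%s\n' "$3/run/user/$1/containers/auth.json"
    fi
    # Where skopeo 0.1.40 looked in the report.
    printf '%s\n' "$3/run/containers/$1/auth.json"
}

auth_status() {       # prints "<state> <path>" for each candidate
    auth_candidates "$1" "$2" "$3" | while IFS= read -r f; do
        if [ -f "$f" ]; then
            # Characters 5-10 of the mode string are the group/other bits;
            # a credentials file should grant them nothing.
            perms=$(ls -ld "$f" | cut -c5-10)
            if [ "$perms" = "------" ]; then
                echo "present $f"
            else
                echo "present-loose($perms) $f"
            fi
        else
            echo "missing $f"
        fi
    done
}

auth_mismatch() {     # succeeds when exactly one location holds credentials
    n=$(auth_status "$@" | grep -c '^present' || true)
    [ "$n" -eq 1 ]
}

# Report for the current user on the live system.
auth_status "$(id -u)" "${XDG_RUNTIME_DIR:-}" "${ROOT:-}"
if auth_mismatch "$(id -u)" "${XDG_RUNTIME_DIR:-}" "${ROOT:-}"; then
    echo "only one location has auth.json: login and copy may disagree"
fi
```

A `present-loose` line after the `mv` workaround means the relocated file or its new directory was created with wider permissions than the original.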

Comment 4 Daniel Walsh 2020-02-08 13:13:06 UTC
I think this is more of a skopeo bug than a Podman bug, although we should consolidate all of the code to find the auth files into one library and share it between all of the tools.

Comment 5 Tom Sweeney 2020-02-10 23:45:14 UTC
Adding Qi to the cc list as she's been dealing with buildah and podman login and may have thoughts.

Comment 6 Tom Sweeney 2020-06-03 23:54:16 UTC
This is fixed in Skopeo v1.0, which will be included in RHEL 8.3. There is now a `skopeo login` and `skopeo logout` command that handles the authorization needs of Skopeo.

Setting to Post and assigning to Jindrich so he can handle any BZ or packaging needs.

Comment 14 errata-xmlrpc 2020-11-04 03:05:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4694