Bug 1836429

Summary: 401 error when using podman to download image from registry
Product: Red Hat OpenStack
Reporter: Siggy Sigwald <ssigwald>
Component: openstack-tripleo-common
Assignee: Adriano Petrich <apetrich>
Status: CLOSED NOTABUG
QA Contact: David Rosenfeld <drosenfe>
Severity: high
Priority: high
Version: 15.0 (Stein)
CC: aschultz, bbaude, dwalsh, jligon, jnovy, lsm5, mburns, mheon, slinaber
Keywords: Triaged, ZStream
Hardware: x86_64
OS: Linux
Last Closed: 2020-05-18 14:08:47 UTC
Type: Bug

Description Siggy Sigwald 2020-05-15 21:15:07 UTC
Description of problem:
Even though the customer seems to be able to successfully log in to the registry:

[root@q23ru26 ~]# podman login -u $TOKEN -p $SECRET https://registry.redhat.io --log-level=debug
DEBU[0000] Credentials not found
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.redhat.io
DEBU[0000] GET https://registry.redhat.io/v2/
DEBU[0000] Ping https://registry.redhat.io/v2/ status 401
DEBU[0000] GET https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=2924717%7Csiv&service=docker-registry
DEBU[0001] GET https://registry.redhat.io/v2/
Login Succeeded!

[root@q23ru26 ~]# podman login -u $UNAME -p $PASS registry.redhat.io --log-level=debug
DEBU[0000] Returning credentials from /run/user/0/containers/auth.json
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.redhat.io
DEBU[0000] GET https://registry.redhat.io/v2/
DEBU[0000] Ping https://registry.redhat.io/v2/ status 401
DEBU[0000] GET https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=rolando.c.sacramento%40intel.com&service=docker-registry
DEBU[0001] GET https://registry.redhat.io/v2/
Login Succeeded!


He's getting the following while running an OpenStack deployment:

Exception: Unable to authenticate. This may indicate missing registry credentials or the provided container or namespace does not exist. 401 Client Error: Unauthorized for url: https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?service=docker-registry&scope=repository%3Arhosp-rhel8%2Fopenstack-cinder-api%3Apull
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/image_uploader.py", line 2320, in discover_tag_from_inspect
    image_url, username=username, password=password)

How reproducible:
Every time for this specific customer.

Comment 2 Alex Schultz 2020-05-18 14:08:47 UTC
You need to provide ContainerImageRegistryCredentials in order to interact with registry.redhat.io. This is failing in the discovery process which does not use podman and needs to have this parameter specified in order to function correctly.

Comment 3 Alex Schultz 2020-05-18 14:11:55 UTC
FTR, https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html/director_installation_and_usage/preparing-for-director-installation#container-image-preparation-parameters has all the various items documented. There are additional parameters needed if you don't use push_destination: true.
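Added example (not part of the bug report or of tripleo-common): a pre-flight check for the situation resolved above, where `podman login` succeeds but image discovery still gets a 401 because `ContainerImageRegistryCredentials` is missing. It assumes the environment file's `parameter_defaults` has already been parsed into a dict; the sample data and credential values are constructed placeholders, and treating `ContainerImageRegistryLogin` as the additional parameter needed without `push_destination` is this example's assumption.

```python
# Registries that reject anonymous pulls; registry.redhat.io is the one on this page.
AUTH_REQUIRED = {"registry.redhat.io"}


def check_prepare_params(parameter_defaults, auth_required=AUTH_REQUIRED):
    """Return a list of problems found in a parsed parameter_defaults mapping."""
    problems = []
    creds = parameter_defaults.get("ContainerImageRegistryCredentials") or {}
    login = parameter_defaults.get("ContainerImageRegistryLogin") is True
    for i, entry in enumerate(parameter_defaults.get("ContainerImagePrepare") or []):
        namespace = (entry.get("set") or {}).get("namespace", "")
        host = namespace.split("/", 1)[0]
        if host not in auth_required:
            continue
        # Discovery does not read podman's auth.json, so a prior
        # "podman login" does not satisfy this check.
        if not creds.get(host):
            problems.append(
                f"entry {i}: no ContainerImageRegistryCredentials for {host}")
        # Without push_destination the nodes pull from the remote registry
        # themselves (assumption: ContainerImageRegistryLogin covers that).
        if not entry.get("push_destination") and not login:
            problems.append(
                f"entry {i}: nodes pull from {host} directly but "
                "ContainerImageRegistryLogin is not true")
    return problems


# Constructed sample: the state in this bug (parameter missing).
BROKEN = {
    "ContainerImagePrepare": [
        {"push_destination": True,
         "set": {"namespace": "registry.redhat.io/rhosp-rhel8"}},
    ],
}

# Constructed sample with placeholder credentials.
FIXED = {
    "ContainerImagePrepare": BROKEN["ContainerImagePrepare"],
    "ContainerImageRegistryCredentials": {
        "registry.redhat.io": {"EXAMPLE_USER": "EXAMPLE_PASSWORD"},
    },
}

if __name__ == "__main__":
    for name, params in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_prepare_params(params) or "ok")
```
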