Bug 2151943

Summary: The authfile parameter is not used with buildah when building and pushing container images with tcib to the remote registry
Product: Red Hat OpenStack
Reporter: Alexey <akashavkin>
Component: openstack-tripleo-common
Assignee: Brendan Shephard <bshephar>
Status: ASSIGNED
QA Contact: David Rosenfeld <drosenfe>
Severity: low
Priority: low
Version: unspecified
CC: bshephar, mariel, mburns, slinaber, tkajinam
Keywords: Triaged
Flags: ifrangs: needinfo? (bshephar)
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Type: Bug

Description Alexey 2022-12-08 16:41:33 UTC
Description of problem:

The authfile parameter is not passed during the build and the subsequent pushing of the container images to the remote registry. This is because the specified file in the authfile parameter is set as the REGISTRY_AUTH_FILE env variable at build time, but buildah is run via sudo without preserving environment variables.


How reproducible:
Every time.

Steps to Reproduce:
1. Install tripleoclient.
2. Run "openstack tripleo container image build --registry remote_registry --push --authfile /path/to/auth.json ...other_parameters..."


Actual results:
The container image cannot be pushed to the remote registry.
Error: unauthorized: authentication required
https://paste.opendev.org/raw/bUbvZAD3Qoro59l0Z7HO/


Additional info:
I ran into this using Wallaby tripleoclient, but I was comparing code from different releases in the tripleo-common repository and I think you can run into this in other releases as well.

To fix this, I added preserving env vars to the line with sudo buildah in tripleo_common/image/builder/buildah.py:
[stack@undercloud tripleo_common]$ diff image/builder/buildah.py{,_old}
98c98
< self.buildah_cmd = ['sudo', '-E', 'buildah']
---
> self.buildah_cmd = ['sudo', 'buildah']
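
Review bot: `sudo -E` on the new line 98 (the `<` side) hands the caller's entire environment to a root-run buildah, while the only variable this report needs to survive is REGISTRY_AUTH_FILE. Consider narrowing it to `['sudo', '--preserve-env=REGISTRY_AUTH_FILE', 'buildah']`, or passing the file to buildah as an explicit `--authfile` option so the command does not depend on the sudoers policy permitting environment preservation. A short comment beside the list saying why the variable has to cross the sudo boundary would also help the next reader.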

After that the building and pushing of the container images was successful.
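
An added example, not part of the bug report and not tripleo-common's code: one way to get the credential file to a sudo-run buildah without preserving the environment is to pass it as an explicit `--authfile` option after checking that the file is private. The helper names, the permission check and the sample registry `registry.example.com` are assumptions made for illustration.

```python
import json
import os
import stat

AUTH_ENV = "REGISTRY_AUTH_FILE"  # variable named in the report


def check_authfile(path):
    """Return the absolute path if it is a private JSON auth file."""
    path = os.path.abspath(path)
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError(f"{path}: credentials accessible to group/other")
    with open(path) as fh:
        if not isinstance(json.load(fh), dict):
            raise ValueError(f"{path}: not a JSON object")
    return path


def buildah_argv(subcommand, args, env=None):
    """Hypothetical helper: carry the auth file as an explicit --authfile
    option, so the sudo-run buildah does not depend on which variables
    sudo keeps in the child's environment."""
    env = os.environ if env is None else env
    argv = ["sudo", "buildah", subcommand]
    authfile = env.get(AUTH_ENV)
    if authfile:
        argv += ["--authfile", check_authfile(authfile)]
    return argv + list(args)


def write_sample_authfile(directory):
    """Constructed sample input: a 0600 auth.json with a dummy entry."""
    path = os.path.join(directory, "auth.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"auths": {"registry.example.com": {"auth": "Y29uc3RydWN0ZWQ="}}}, fh)
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        env = {AUTH_ENV: write_sample_authfile(tmp)}
        print(buildah_argv("push", ["localhost/img:tag",
                                    "docker://registry.example.com/img:tag"], env))
```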

Comment 1 Brendan Shephard 2022-12-09 06:34:54 UTC
Hey Alexey,

Thanks for the report. Sounds reasonable, I proposed that change here:
https://review.opendev.org/c/openstack/tripleo-common/+/867080

Comment 2 Takashi Kajinami 2023-01-16 01:07:38 UTC
(In reply to Brendan Shephard from comment #1)
> Hey Alexey,
> 
> Thanks for the report. Sounds reasonable, I proposed that change here:
> https://review.opendev.org/c/openstack/tripleo-common/+/867080

We later found out this change breaks the existing auth record as was reported in [1].

I've submitted an alternative fix. One problem I'm facing now is that we likely need a new release
of tripleo-common once we merge the t-c patch, then we can merge python-tripleoclient.

[1] https://bugs.launchpad.net/tripleo/+bug/1999749
[2] https://review.opendev.org/q/topic:rhbz2151943