Bug 1728054 - podman authentication not functioning properly
Summary: podman authentication not functioning properly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jiri Hnidek
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-08 22:54 UTC by Mike Rochefort
Modified: 2023-03-07 12:34 UTC (History)

Fixed In Version: subscription-manager-1.26.5-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:54:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | candlepin subscription-manager pull 2151 | 0 | 'None' | Merged | 1728054: Do not install container plugin on RHEL8; ENT-1488 | 2021-11-30 10:02:08 UTC
Red Hat Issue Tracker | RHELPLAN-29810 | 0 | None | None | None | 2023-03-07 12:34:32 UTC
Red Hat Product Errata | RHBA-2020:1849 | 0 | None | None | None | 2020-04-28 16:55:08 UTC

Description Mike Rochefort 2019-07-08 22:54:11 UTC
Description of problem:

Running RHEL 8.0 VMs (VirtualBox 6.0.8) on macOS 10.14.5, podman will fail to log in and authenticate
against registries. It will use non-existent credentials that were never entered, and claim that it is
logged in when in fact it is not. Any attempt to access registry.redhat.io or registry.access.redhat.com
will fail with a permission issue on the /etc/docker/certs.d/*/*.key files. This is all in user space,
not as root or with sudo. Everything else seems to be working fine, with the exception of the known issue
with subscription manager: https://github.com/containers/libpod/issues/3499

Version-Release number of selected component (if applicable):

Version:       1.0.2-dev
Go Version:    go1.11.5
OS/Arch:       linux/amd64

How reproducible:
100% on VMs.

Steps to Reproduce:

Type A
1. Attempt logging in to registry of choice :: podman login docker.io
2. Receive message stating already logged in when actually not logged in.

Type B
1. Attempt to log in or access Red Hat registries
2. Attempt will fail with a permission error.

Actual results:

Type A
Podman reports that it is already logged in when it in fact is not.

Type B
Podman fails with an inability to access the registry's key file.

Expected results:

Type A
Podman will log in and add details to the auth.json file.

Type B
Podman will not fail when accessing Red Hat repositories.

Additional info:

Current workaround for Type A is to use the --user flag when logging in (works for docker.io). Possible solution
for Type B is altering permissions on the key files. Currently they are as follows:

/etc/docker/certs.d/access.redhat.com:
total 40
-rw-r--r--. 1 root root 36309 Jul  2 15:01 my_value.cert
-rw-------. 1 root root  3243 Jul  2 15:01 my_value.key

/etc/docker/certs.d/cdn.redhat.com:
total 44
-rw-r--r--. 1 root root 36309 Jul  2 15:01 my_value.cert
-rw-------. 1 root root  3243 Jul  2 15:01 my_value.key
-rw-r--r--. 1 root root  2305 Mar  6 06:22 redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
total 40
-rw-r--r--. 1 root root 36309 Jul  2 15:01 my_value.cert
-rw-------. 1 root root  3243 Jul  2 15:01 my_value.key

/etc/docker/certs.d/registry.redhat.io:
total 40
-rw-r--r--. 1 root root 36309 Jul  2 15:01 my_value.cert
-rw-------. 1 root root  3243 Jul  2 15:01 my_value.key

Prompt Examples:

mrochefort.rhel8 [~] () $ podman logout docker.io
error logging out of "docker.io": error updating "/home/mrochefort/.config/containers/auth.json": not logged in

mrochefort.rhel8 [~] () $ podman login docker.io
Authenticating with existing credentials...
Existing credentials are valid. Already logged in to docker.io

mrochefort.rhel8 [~] () $ podman search ubi7
ERRO[0000] error searching registry "registry.redhat.io": error creating new docker client: open /etc/docker/certs.d/registry.redhat.io/my_value.key: permission denied
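
The Type B failure can be checked for without touching any permissions. The script below is an added example, not part of the original report and not code from podman or subscription-manager: it classifies each client key under a certs.d tree for a given user from mode bits and ownership. The function names, the verdict labels and the sample tree are assumptions made for illustration, and GNU coreutils `stat` is assumed.

```sh
#!/bin/sh
# Added example: report whether client keys under a certs.d tree are usable by
# a given user, from mode bits and ownership only. Assumes GNU coreutils stat.

# classify_key MODE OWNER USER -> ok | blocked | group-only | world-readable
classify_key() (
    mode=$1 owner=$2 user=$3
    if [ $(( 0$mode & 4 )) -ne 0 ]; then
        echo world-readable      # every local account can read the private key
    elif [ "$user" = root ]; then
        echo ok
    elif [ "$owner" = "$user" ]; then
        if [ $(( 0$mode & 0400 )) -ne 0 ]; then echo ok; else echo blocked; fi
    elif [ $(( 0$mode & 040 )) -ne 0 ]; then
        echo group-only          # depends on group membership, not evaluated here
    else
        echo blocked             # the "permission denied" case from the report
    fi
)

# audit_certs_d DIR USER -> "<registry> <key file> <mode> <owner> <verdict>" per key
audit_certs_d() (
    dir=$1 user=$2
    for key in "$dir"/*/*.key; do
        [ -f "$key" ] || continue
        set -- $(stat -c '%a %U' "$key")
        echo "$(basename "$(dirname "$key")") $(basename "$key") $1 $2 $(classify_key "$1" "$2" "$user")"
    done
)

# Constructed sample tree using the file names and modes from the listing above;
# one key is loosened to 0644 to show how that variant is reported.
make_sample_tree() (
    root=$(mktemp -d)
    for reg in registry.redhat.io registry.access.redhat.com; do
        mkdir -p "$root/$reg"
        : > "$root/$reg/my_value.cert"; chmod 644 "$root/$reg/my_value.cert"
        : > "$root/$reg/my_value.key";  chmod 600 "$root/$reg/my_value.key"
    done
    chmod 644 "$root/registry.access.redhat.com/my_value.key"
    echo "$root"
)

tree=$(make_sample_tree)
audit_certs_d "$tree" mrochefort   # user name taken from the prompts in the report
rm -rf "$tree"
```

On a real host the call would be `audit_certs_d /etc/docker/certs.d "$(id -un)"`; permissions on the directories along the path are not evaluated.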

Comment 1 Daniel Walsh 2019-07-09 14:21:25 UTC
This is a known issue on subscription-manager.

https://bugzilla.redhat.com/show_bug.cgi?id=1718362

Looks like we need the change for RHEL8 as well.

Comment 9 Rehana 2020-03-16 12:22:51 UTC
Demonstrating the availability of subscription-manager-plugin-container on RHEL8.1
==================================================================================
[root@kvm-03-guest02 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.1 (Ootpa)
[root@kvm-03-guest02 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.9.21-1
subscription management rules: 5.37
subscription-manager: 1.25.17-1.el8
[root@kvm-03-guest02 ~]# yum install subscription-manager-plugin-container
Updating Subscription Management repositories.
Last metadata expiration check: 0:04:23 ago on Mon 16 Mar 2020 08:08:26 AM EDT.
Dependencies resolved.
=======================================================================================================================
 Package                   Architecture           Version         Repository                           Size
========================================================================================================================
Installing:
 subscription-manager-plugin-container   x86_64      1.25.17-1.el8  rhel-8-for-x86_64-baseos-rpms                    248 k

Transaction Summary
==================================================================================================================
Install  1 Package

Total download size: 248 k
Installed size: 18 k
<snip>

Verifying that subscription-manager-plugin-container is no longer shipped on RHEL 8.2
=====================================================================================
# rpm -qa *subsc*
subscription-manager-rhsm-certificates-1.26.14-1.el8.x86_64
python3-subscription-manager-rhsm-1.26.14-1.el8.x86_64
dnf-plugin-subscription-manager-1.26.14-1.el8.x86_64
subscription-manager-1.26.14-1.el8.x86_64

[root@kvm-01-guest04 product-default]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.2 Beta (Ootpa)

[root@kvm-01-guest04 product-default]# dnf install subscription-manager-plugin-container
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                                               11 MB/s |  14 MB     00:01    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                                                                  12 MB/s |  14 MB     00:01    
Package subscription-manager-1.26.14-1.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

^^ "subscription-manager-plugin-container" is no longer available on RHEL8

WITHOUT THE CONTAINER PLUGIN, PODMAN CAN STILL RUN CONTAINERS WITH ACCESS TO REDHAT CONTENT

[root@kvm-01-guest04 product-default]# podman run -t -i --rm registry-proxy.engineering.redhat.com/rh-osbs/rhel7:guest-rhel-7.8-containers-candidate-51839-20200225162914-x86_64
[root@3ea9468da61f /]# yum install zsh
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
rhel-7-server-rpms                                                                                                                                                                                             | 3.5 kB  00:00:00     
(1/3): rhel-7-server-rpms/7Server/x86_64/group                                                                                                                                                                 | 767 kB  00:00:00     
(2/3): rhel-7-server-rpms/7Server/x86_64/updateinfo                                                                                                                                                            | 3.5 MB  00:00:00     
(3/3): rhel-7-server-rpms/7Server/x86_64/primary_db                                                                                                                                                            |  66 MB  00:00:01     
Resolving Dependencies
--> Running transaction check
---> Package zsh.x86_64 0:5.0.2-33.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================================================================================================
 Package                                          Arch                                                Version                                                   Repository                                                       Size
======================================================================================================================================================================================================================================
Installing:
 zsh                                              x86_64                                              5.0.2-33.el7                                              rhel-7-server-rpms                                              2.4 M

Transaction Summary
==================================================================================================================
Install  1 Package

Total download size: 2.4 M
Installed size: 5.6 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/rhel-7-server-rpms/packages/zsh-5.0.2-33.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY                                              ]  0.0 B/s |    0 B  --:--:-- ETA 
Public key for zsh-5.0.2-33.el7.x86_64.rpm is not installed
zsh-5.0.2-33.el7.x86_64.rpm                                                                                                                                                                                    | 2.4 MB  00:00:00     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security>"
 Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
 Package    : redhat-release-server-7.8-2.el7.x86_64 (@anaconda/7.8)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
 Userid     : "Red Hat, Inc. (auxiliary key) <security>"
 Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
 Package    : redhat-release-server-7.8-2.el7.x86_64 (@anaconda/7.8)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : zsh-5.0.2-33.el7.x86_64                                                                                                                                                                                            1/1 
  Verifying  : zsh-5.0.2-33.el7.x86_64                                                                                                                                                                                            1/1 
rhel-7-server-rpms/7Server/x86_64/productid                                                                                                                                                                    | 2.1 kB  00:00:00     

Installed:
  zsh.x86_64 0:5.0.2-33.el7                                                                                                                                                                                                           

Complete!


Based on the above observations, moving the bug to verified

Comment 12 errata-xmlrpc 2020-04-28 16:54:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1849

