Bug 1728062
| Summary: | toolbox requires registry authentication | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Alex Crawford <crawford> |
| Component: | RHCOS | Assignee: | Steve Milner <smilner> |
| Status: | CLOSED ERRATA | QA Contact: | Micah Abbott <miabbott> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.1.0 | CC: | bbreard, dornelas, dustymabe, imcleod, jerzhang, jligon, nstielau, smilner |
| Target Milestone: | --- | ||
| Target Release: | 4.2.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: |
Feature:
When using toolbox on OCP the configured authentication is used by default.
Reason:
Since pulling the default toolbox container requires authentication it's a better UX for the configured authentication to be used. If the image is pulled from another location with authentication OR the authentication previously laid down does not work the user is prompted if they'd like to manually authenticate.
Result:
Default usage of toolbox doesn't require manual authentication.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-16 06:33:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Alex Crawford
2019-07-08 23:19:14 UTC
'podman pull ...' will let you specify an alternate auth file # podman pull registry.redhat.io/rhel8/support-tools Trying to pull registry.redhat.io/rhel8/support-tools...Failed error pulling image "registry.redhat.io/rhel8/support-tools": unable to pull registry.redhat.io/rhel8/support-tools: unable to pull image: Error determining manifest MIME type for docker://registry.redhat.io/rhel8/support-tools:latest: unable to retrieve auth token: invalid username/password # podman pull --authfile /var/lib/kubelet/config.json registry.redhat.io/rhel8/support-tools Trying to pull registry.redhat.io/rhel8/support-tools...Getting image source signatures Copying blob 89f1c7157a2d: 494.68 KiB / 67.84 MiB [>---------------------------] Copying blob 89f1c7157a2d: 10.86 MiB / 67.84 MiB [====>------------------------] Copying blob 89f1c7157a2d: 67.40 MiB / 67.84 MiB [=============================] Copying blob 89f1c7157a2d: 67.84 MiB / 67.84 MiB [==========================] 4s Copying blob 7e0f5f7bc63f: 1.47 KiB / 1.47 KiB [============================] 4s Copying blob 9a445dbcc310: 8.66 MiB / 8.66 MiB [============================] 4s Copying config cfad8fd065a6: 4.36 KiB / 4.36 KiB [==========================] 0s Writing manifest to image destination Storing signatures cfad8fd065a6fea83b6f2640ab9599841ba034494e4ff26aadf08521ae228499 # REGISTRY_AUTH_FILE=/var/lib/kubelet/config.json podman pull registry.redhat.io/rhel8/support-tools Trying to pull registry.redhat.io/rhel8/support-tools...Getting image source signatures Skipping blob 9a445dbcc310 (already present): 8.66 MiB / 8.66 MiB [=========] 0s Skipping blob 89f1c7157a2d (already present): 67.84 MiB / 67.84 MiB [=======] 0s Skipping blob 7e0f5f7bc63f (already present): 1.47 KiB / 1.47 KiB [=========] 0s Skipping blob 89f1c7157a2d (already present): 67.84 MiB / 67.84 MiB [=======] 0s Skipping blob 7e0f5f7bc63f (already present): 1.47 KiB / 1.47 KiB [=========] 0s Skipping blob 9a445dbcc310 (already present): 8.66 MiB / 8.66 MiB [=========] 0s Copying config cfad8fd065a6: 4.36 KiB / 4.36 KiB [==========================] 0s Writing manifest to image destination Storing signatures cfad8fd065a6fea83b6f2640ab9599841ba034494e4ff26aadf08521ae228499 It doesn't look like podman create/run can use these options # podman create --authfile /var/lib/kubelet/config.json --hostname toolbox --name test --network host --privileged --security-opt label=disable --tty --vlume /:/media/root:rslave registry.redhat.io/rhel8/support-tools flag provided but not defined: -authfile See 'podman create --help'. # REGISTRY_AUTH_FILE=/var/lib/kubelet/config.json podman create --hostname toolbox --name test --network host --privileged --security-opt label=disable --tty --volume /:/media/root:rslave registry.redhat.io/rhel8/support-tools Trying to pull registry.redhat.io/rhel8/support-tools...Failed unable to pull registry.redhat.io/rhel8/support-tools: unable to pull image: Error determining manifest MIME type for docker://registry.redhat.io/rhel8/support-tools:latest: unable to retrieve auth token: invalid username/password but this shouldn't be a problem since toolbox is already doing a separate pull and create. RHCOS toolbox has been updated and a new release has been made to include the change: https://github.com/coreos/toolbox/releases/tag/0.0.5 Verified with 4.2.0-0.nightly-2019-07-29-154123
```
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.2.0-0.nightly-2019-07-29-154123 True False 17h Cluster version is 4.2.0-0.nightly-2019-07-29-154123
$ oc get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-133-198.us-west-2.compute.internal Ready master 17h v1.14.0+2e9d4a117
ip-10-0-134-97.us-west-2.compute.internal Ready worker 17h v1.14.0+2e9d4a117
ip-10-0-147-117.us-west-2.compute.internal Ready worker 17h v1.14.0+2e9d4a117
ip-10-0-153-236.us-west-2.compute.internal Ready master 17h v1.14.0+2e9d4a117
ip-10-0-160-158.us-west-2.compute.internal Ready master 17h v1.14.0+2e9d4a117
ip-10-0-172-150.us-west-2.compute.internal Ready worker 17h v1.14.0+2e9d4a117
$ oc debug node/ip-10-0-134-97.us-west-2.compute.internal
Starting pod/ip-10-0-134-97us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.134.97
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ea1bccf8de033ff9ec6782dc9de3b7d0dd1efe0312fde4e71942dad1408a91d
CustomOrigin: Managed by machine-config-operator
Version: 42.80.20190729.0 (2019-07-29T09:00:02Z)
pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7e57683aef2630a24a7fef421f148135ff0bc22cbb1465801fa2ecce703687a5
CustomOrigin: Image generated via coreos-assembler
Version: 42.80.20190725.1 (2019-07-25T13:53:07Z)
sh-4.4# rpm -q toolbox
toolbox-0.0.5-1.rhaos4.2.el8.noarch
sh-4.4# toolbox
Trying to pull registry.redhat.io/rhel8/support-tools...Getting image source signatures
Copying blob 9a445dbcc310 done
Copying blob 89f1c7157a2d done
Copying blob 7e0f5f7bc63f done
Copying config cfad8fd065 done
Writing manifest to image destination
Storing signatures
cfad8fd065a6fea83b6f2640ab9599841ba034494e4ff26aadf08521ae228499
Spawning a container 'toolbox-' with image 'registry.redhat.io/rhel8/support-tools'
Detected RUN label in the container image. Using that as the default...
command: podman run -it --name toolbox- --privileged --ipc=host --net=host --pid=host -e HOST=/host -e NAME=toolbox- -e IMAGE=registry.redhat.io/rhel8/support-tools:latest -v /run:/run -v /var/log:/var/log -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -v /:/host registry.redhat.io/rhel8/support-tools:latest
bash-4.4#
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922 |