Bug 1728062 - toolbox requires registry authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.2.0
Assignee: Steve Milner
QA Contact: Micah Abbott
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-08 23:19 UTC by Alex Crawford
Modified: 2019-10-16 06:33 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: When using toolbox on OCP the configured authentication is used by default.
Reason: Since pulling the default toolbox container requires authentication it's a better UX for the configured authentication to be used. If the image is pulled from another location with authentication OR the authentication previously laid down does not work the user is prompted if they'd like to manually authenticate.
Result: Default usage of toolbox doesn't require manual authentication.
Clone Of:
Environment:
Last Closed: 2019-10-16 06:33:23 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:33:36 UTC

Description Alex Crawford 2019-07-08 23:19:14 UTC
Description of problem:
The toolbox command cannot be used without authenticating with the image registry first. This seems like a needless hurdle and is especially frustrating when trying to debug a failing cluster.

Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. Run `toolbox`

Actual results:
Podman is unable to pull the toolbox image.

Expected results:
Podman pulls and runs the toolbox without user intervention.

Additional info:
The pull secret is already present on the host. It should just be a matter of pointing toolbox at it.

Comment 1 Derrick Ornelas 2019-07-08 23:47:15 UTC
'podman pull ...' will let you specify an alternate auth file


```
# podman pull registry.redhat.io/rhel8/support-tools
Trying to pull registry.redhat.io/rhel8/support-tools...Failed
error pulling image "registry.redhat.io/rhel8/support-tools": unable to pull registry.redhat.io/rhel8/support-tools: unable to pull image: Error determining manifest MIME type for docker://registry.redhat.io/rhel8/support-tools:latest: unable to retrieve auth token: invalid username/password
```

```
# podman pull --authfile /var/lib/kubelet/config.json registry.redhat.io/rhel8/support-tools
Trying to pull registry.redhat.io/rhel8/support-tools...Getting image source signatures
Copying blob 89f1c7157a2d: 494.68 KiB / 67.84 MiB [>---------------------------]
Copying blob 89f1c7157a2d: 10.86 MiB / 67.84 MiB [====>------------------------]
Copying blob 89f1c7157a2d: 67.40 MiB / 67.84 MiB [=============================]
Copying blob 89f1c7157a2d: 67.84 MiB / 67.84 MiB [==========================] 4s
Copying blob 7e0f5f7bc63f: 1.47 KiB / 1.47 KiB [============================] 4s
Copying blob 9a445dbcc310: 8.66 MiB / 8.66 MiB [============================] 4s
Copying config cfad8fd065a6: 4.36 KiB / 4.36 KiB [==========================] 0s
Writing manifest to image destination
Storing signatures
cfad8fd065a6fea83b6f2640ab9599841ba034494e4ff26aadf08521ae228499
```

```
# REGISTRY_AUTH_FILE=/var/lib/kubelet/config.json podman pull registry.redhat.io/rhel8/support-tools
Trying to pull registry.redhat.io/rhel8/support-tools...Getting image source signatures
Skipping blob 9a445dbcc310 (already present): 8.66 MiB / 8.66 MiB [=========] 0s
Skipping blob 89f1c7157a2d (already present): 67.84 MiB / 67.84 MiB [=======] 0s
Skipping blob 7e0f5f7bc63f (already present): 1.47 KiB / 1.47 KiB [=========] 0s
Skipping blob 89f1c7157a2d (already present): 67.84 MiB / 67.84 MiB [=======] 0s
Skipping blob 7e0f5f7bc63f (already present): 1.47 KiB / 1.47 KiB [=========] 0s
Skipping blob 9a445dbcc310 (already present): 8.66 MiB / 8.66 MiB [=========] 0s
Copying config cfad8fd065a6: 4.36 KiB / 4.36 KiB [==========================] 0s
Writing manifest to image destination
Storing signatures
cfad8fd065a6fea83b6f2640ab9599841ba034494e4ff26aadf08521ae228499
```



It doesn't look like podman create/run can use these options

```
# podman create --authfile /var/lib/kubelet/config.json  --hostname toolbox --name test --network host --privileged --security-opt label=disable --tty --vlume /:/media/root:rslave registry.redhat.io/rhel8/support-tools
flag provided but not defined: -authfile
See 'podman create --help'.
```

```
# REGISTRY_AUTH_FILE=/var/lib/kubelet/config.json podman create --hostname toolbox --name test --network host --privileged --security-opt label=disable --tty --volume /:/media/root:rslave registry.redhat.io/rhel8/support-tools
Trying to pull registry.redhat.io/rhel8/support-tools...Failed
unable to pull registry.redhat.io/rhel8/support-tools: unable to pull image: Error determining manifest MIME type for docker://registry.redhat.io/rhel8/support-tools:latest: unable to retrieve auth token: invalid username/password
```


but this shouldn't be a problem since toolbox is already doing a separate pull and create.
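
The approach Comment 1 points at (pull with the node's pull secret as a separate step), combined with the fallback the Doc Text describes, as an added shell sketch. It is not part of the original thread and not the coreos/toolbox code; `pull_with_host_auth`, `PULL_METHOD` and the prompt wording are hypothetical, and it assumes a fully qualified image name.

```shell
#!/bin/bash
# Added example: hypothetical helper, not the coreos/toolbox implementation.
# Default path is the node pull secret used in Comment 1.
AUTHFILE="${AUTHFILE:-/var/lib/kubelet/config.json}"

# pull_with_host_auth IMAGE
# Sets PULL_METHOD to authfile | manual | failed.
# Returns 0 on success, 1 if the pull failed, 2 on an unqualified image name.
pull_with_host_auth() {
    local image registry answer
    image="$1"
    PULL_METHOD=failed

    # The registry host is needed for the manual-login fallback, so insist on
    # a fully qualified reference such as registry.redhat.io/rhel8/support-tools.
    registry="${image%%/*}"
    [ "$registry" = "$image" ] && registry=""
    case "$registry" in
        *.*|*:*|localhost) ;;
        *) echo "image must include a registry host: $image" >&2; return 2 ;;
    esac

    # First choice: credentials already on the node. The secret is passed by
    # path only, so it never appears in argv or the environment.
    if [ -r "$AUTHFILE" ] && podman pull --authfile "$AUTHFILE" "$image"; then
        PULL_METHOD=authfile
        return 0
    fi

    # Host credentials are missing, unreadable, or rejected (for example the
    # image lives on a registry the pull secret does not cover). Ask first.
    printf 'Pull of %s failed. Authenticate to %s manually? [y/N] ' \
        "$image" "$registry" >&2
    read -r answer
    case "$answer" in
        [yY]*) ;;
        *) return 1 ;;
    esac

    # podman login prompts for the username and password interactively.
    if podman login "$registry" && podman pull "$image"; then
        PULL_METHOD=manual
        return 0
    fi
    return 1
}
```

Because the image is already in local storage after this step, the later `podman create` or `podman run` does not need registry credentials at all.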

Comment 3 Steve Milner 2019-07-16 20:33:32 UTC
PR: https://github.com/coreos/toolbox/pull/58

Comment 5 Steve Milner 2019-07-17 14:31:28 UTC
RHCOS toolbox has been updated and a new release has been made to include the change: https://github.com/coreos/toolbox/releases/tag/0.0.5

Comment 9 Micah Abbott 2019-07-30 15:34:47 UTC
Verified with 4.2.0-0.nightly-2019-07-29-154123 
 

```
$ oc get clusterversion                                                                                                                                                                  
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-07-29-154123   True        False         17h     Cluster version is 4.2.0-0.nightly-2019-07-29-154123

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-133-198.us-west-2.compute.internal   Ready    master   17h   v1.14.0+2e9d4a117
ip-10-0-134-97.us-west-2.compute.internal    Ready    worker   17h   v1.14.0+2e9d4a117
ip-10-0-147-117.us-west-2.compute.internal   Ready    worker   17h   v1.14.0+2e9d4a117
ip-10-0-153-236.us-west-2.compute.internal   Ready    master   17h   v1.14.0+2e9d4a117
ip-10-0-160-158.us-west-2.compute.internal   Ready    master   17h   v1.14.0+2e9d4a117
ip-10-0-172-150.us-west-2.compute.internal   Ready    worker   17h   v1.14.0+2e9d4a117

$ oc debug node/ip-10-0-134-97.us-west-2.compute.internal                                                                                                                                
Starting pod/ip-10-0-134-97us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.134.97
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ea1bccf8de033ff9ec6782dc9de3b7d0dd1efe0312fde4e71942dad1408a91d
              CustomOrigin: Managed by machine-config-operator
                   Version: 42.80.20190729.0 (2019-07-29T09:00:02Z)

  pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7e57683aef2630a24a7fef421f148135ff0bc22cbb1465801fa2ecce703687a5
              CustomOrigin: Image generated via coreos-assembler
                   Version: 42.80.20190725.1 (2019-07-25T13:53:07Z)
sh-4.4# rpm -q toolbox
toolbox-0.0.5-1.rhaos4.2.el8.noarch
sh-4.4# toolbox
Trying to pull registry.redhat.io/rhel8/support-tools...Getting image source signatures
Copying blob 9a445dbcc310 done
Copying blob 89f1c7157a2d done
Copying blob 7e0f5f7bc63f done
Copying config cfad8fd065 done
Writing manifest to image destination
Storing signatures
cfad8fd065a6fea83b6f2640ab9599841ba034494e4ff26aadf08521ae228499
Spawning a container 'toolbox-' with image 'registry.redhat.io/rhel8/support-tools'
Detected RUN label in the container image. Using that as the default...
command: podman run -it --name toolbox- --privileged --ipc=host --net=host --pid=host -e HOST=/host -e NAME=toolbox- -e IMAGE=registry.redhat.io/rhel8/support-tools:latest -v /run:/run -v /var/log:/var/log -v /etc/machine-id:/etc/machine-id -v /etc/localtime:/etc/localtime -v /:/host registry.redhat.io/rhel8/support-tools:latest
bash-4.4#
```

Comment 10 errata-xmlrpc 2019-10-16 06:33:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

