Bug 1992468 - oc command doesn't inquire ${XDG_RUNTIME_DIR}/containers/auth.json, ${XDG_CONFIG_HOME}/containers/auth.json, ~/.docker/config.json in turn
Summary: oc command doesn't inquire ${XDG_RUNTIME_DIR}/containers/auth.json, ${XDG_CON...
Keywords:
Status: CLOSED DUPLICATE of bug 1982498
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.9
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: Premerge
Assignee: Maciej Szulik
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-11 07:38 UTC by XiuJuan Wang
Modified: 2021-08-16 14:53 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-16 14:53:06 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description XiuJuan Wang 2021-08-11 07:38:21 UTC 
Description of problem:
Per https://github.com/openshift/oc/pull/893

When ${XDG_RUNTIME_DIR}/containers/auth.json exists but doesn't contain target auth, oc command won't query ${XDG_CONFIG_HOME}/containers/auth.json, ~/.docker/config.json in turn, just return 401 unauth error.

Version-Release number of selected component (if applicable):
Build oc from https://github.com/openshift/oc/pull/893

How reproducible:
always

Steps to Reproduce:
1.Set ${XDG_RUNTIME_DIR},and create a empty file ${XDG_RUNTIME_DIR}/containers/auth.json
 
$ ll ${XDG_RUNTIME_DIR}/containers/auth.json 
-rw-r--r--. 1 wxj docker 3 8月  11 15:21 /run/user/1000/containers/auth.json

2. Ensure the quay.io auth are in ~/.docker/config.json

3. Check a quay.io image using oc image info cmd.
$oc image info  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b2387eba6081b9feb57fd84751789cb1f5ea915ca061895e29949f6d3b60515e --loglevel=5

4. Delete ${XDG_RUNTIME_DIR}/containers/auth.json 
5. repeat step 3
Could get image info

Actual results:

step 3:
I0811 15:23:30.697626   13959 client_mirrored.go:169] Attempting to connect to quay.io/openshift-release-dev/ocp-v4.0-art-dev
I0811 15:23:31.831879   13959 credentials.go:105] Unable to find a secret to match https://quay.io/v2/auth (quay.io/auth)
I0811 15:23:32.410903   13959 client_mirrored.go:378] get manifest for sha256:b2387eba6081b9feb57fd84751789cb1f5ea915ca061895e29949f6d3b60515e served from registryclient.retryManifest{ManifestService:registryclient.manifestServiceVerifier{ManifestService:(*client.manifests)(0xc000cf2e70)}, repo:(*registryclient.retryRepository)(0xc000d00880)}: unauthorized: access to the requested resource is not authorized
I0811 15:23:32.410991   13959 workqueue.go:143] about to send work queue error: unable to read image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b2387eba6081b9feb57fd84751789cb1f5ea915ca061895e29949f6d3b60515e: unauthorized: access to the requested resource is not authorized
I0811 15:23:32.411030   13959 workqueue.go:54] worker 0 stopping
error: unable to read image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b2387eba6081b9feb57fd84751789cb1f5ea915ca061895e29949f6d3b60515e: unauthorized: access to the requested resource is not authorized

Expected results:
Should query auth of ${XDG_RUNTIME_DIR}/containers/auth.json, ${XDG_CONFIG_HOME}/containers/auth.json, ~/.docker/config.json in turn

Additional info:
Comment 1 Filip Krepinsky 2021-08-11 17:57:17 UTC 
Thanks for the feedback. I have reassessed the logic we have in oc and decided to use the same logic as podman uses. The logic itself is quite complex and is fortunately shared via github.com/containers/image library.

Although bear in mind that even podman doesn't fallback to other locations when REGISTRY_AUTH_FILE or --authfile is specified. So the oc is using the same convention.
Comment 3 Maciej Szulik 2021-08-16 14:53:06 UTC 

*** This bug has been marked as a duplicate of bug 1982498 ***
Note You need to log in before you can comment on or make changes to this bug.