Thanks for reporting your issue! In order for the CoreOS team to be able to quickly and successfully triage your issue, please fill out the following template as completely as possible. Be ready for follow-up questions and please respond in a timely manner. If we can't reproduce a bug, we might close your issue.

---

OCP Version at Install Time: 4.10.0-0.nightly-2021-12-21-130047

RHCOS Version at Install Time:

~~~
[root@ip-10-0-14-69 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux CoreOS release 4.10
~~~

Platform: AWS

Architecture: x86_64

What are you trying to do? What is your use case?

The containers-auth spec mentions a way to setup multiple credentials for a single registry which can be distinguished by their path: https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md

That made it in relatively recently with commit https://github.com/containers/image/commit/2cafc0105c89b1c569f68733f7a5eaf6e326831b . That's in starting with container/image v5.14.0.

While podman works perfectly with such a setup on my laptop, and while the oc 4.10.0-0.nightly-2021-12-21-130047 binary works as well, the installation fails because the bootstrap's podman version is too old.

Here is an example of my credentials file which refers to quay.io, and 2 private repositories of my own, hosted on quay.io as well:

~~~
$ cat ~/.docker/config.json | sed 's/"auth": ".*"/"auth":"xyz"/g'
{
  "auths": {
    "quay.io/akaris/origin-release": {
      "auth": "(...)==",
      "email": ""
    },
    "quay.io/akaris/machine-config-operator": {
      "auth": "(...)==",
      "email": ""
    },
    "registry.ci.openshift.org": {
      "auth":"xyz"
    },
    "cloud.openshift.com": {
      "auth":"xyz",
      "email": "akaris"
    },
    "quay.io": {
      "auth":"xyz",
      "email": "akaris"
    },
    "registry.connect.redhat.com": {
      "auth":"xyz",
      "email": "akaris"
    },
    "registry.redhat.io": {
      "auth":"xyz",
      "email": "akaris"
    }
  }
}
~~~

On my fedora box, podman works perfectly fine with that, and so does the latest 4.10 oc client.
Crio should work, too, as the dependencies are met starting with v1.22.0:

* in podman, it's in starting with: 3.3.0 https://github.com/containers/podman/blob/v3.3.0/go.mod#L17
* in crio, it's in starting with: 1.22 https://github.com/cri-o/cri-o/blob/v1.22.0/go.mod#L19
* in oc, this is in with 4.10 latest and 4.9 latest: https://github.com/openshift/oc/blob/release-4.10/go.mod

Unfortunately, the podman version that we are using in RHCOS is too old and it doesn't match crio's behavior. Ironically, that makes the installation fail just because of podman, because whereas 4.10 ships the correct crio version:

~~~
[root@ip-10-0-14-69 ~]# rpm -qa | grep cri
cri-tools-1.22.0-1.el8.x86_64
initscripts-10.00.15-1.el8.x86_64
criu-3.15-1.module+el8.4.0+11822+6cc1e7d7.x86_64
cri-o-1.23.0-89.rhaos4.10.git367232b.el8.x86_64
crypto-policies-scripts-20210209-1.gitbfb6bed.el8_3.noarch
subscription-manager-rhsm-certificates-1.28.13-4.el8_4.x86_64
~~~

It still comes with an outdated podman 3.2.3:

~~~
[root@ip-10-0-14-69 ~]# rpm -qa | grep podman
podman-3.2.3-0.11.module+el8.4.0+12050+ef972f71.x86_64
podman-catatonit-3.2.3-0.11.module+el8.4.0+12050+ef972f71.x86_64
~~~

The bootstrap node pulls images with podman and fails:

~~~
[root@ip-10-0-14-69 ~]# journalctl -b -u release-image.service -u bootkube.service | tail -n 2
Dec 30 11:22:13 ip-10-0-14-69 release-image-download.sh[1581]: Error: Error initializing source docker://quay.io/akaris/origin-release:v4.10-metric-50: Error reading manifest v4.10-metric-50 in quay.io/akaris/origin-release: unauthorized: access to the requested resource is not authorized
Dec 30 11:22:13 ip-10-0-14-69 release-image-download.sh[1581]: Pull failed. Retrying quay.io/akaris/origin-release:v4.10-metric-50...
[root@ip-10-0-14-69 ~]# grep 'Pull failed' -B10 /sysroot/ostree/deploy/rhcos/var/usrlocal/bin/release-image-download.sh
echo "Pulling $RELEASE_IMAGE..."
while true
do
    record_service_stage_start "pull-release-image"
    if podman pull --quiet "$RELEASE_IMAGE"
    then
        record_service_stage_success
        break
    else
        record_service_stage_failure
        echo "Pull failed. Retrying $RELEASE_IMAGE..."
~~~

What happened? What went wrong or what did you expect?

Podman should have feature parity with 4.10 crio and 4.10 oc. It should either be bumped to 3.3.0 or above, or we should ship a custom version that uses container/image v5.14.0 or above.
Also see https://bugzilla.redhat.com/show_bug.cgi?id=2036191
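The lookup order this report depends on, as an added example that is not code from podman, containers/image or the reporter: containers-auth.json(5) matches the repository against the `auths` keys from most specific to least specific. `candidateKeys`, `matchKey` and the sample file are constructed for illustration, and `namespaced=false` is a simplified hostname-only model of the older lookup, which picks the registry-wide `quay.io` entry for the private release image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample shaped like the report's config.json; auth values are placeholders.
const sampleAuthJSON = `{"auths": {"quay.io/akaris/origin-release": {"auth": "REPO-TOKEN"},
  "quay.io": {"auth": "REGISTRY-TOKEN"}}}`

// candidateKeys lists the auths keys for an image, most specific first.
func candidateKeys(image string) []string {
	image = strings.SplitN(image, "@", 2)[0] // drop a digest
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		image = image[:i] // drop a tag, keep a registry port
	}
	keys := []string{image}
	for i := strings.LastIndex(image, "/"); i >= 0; i = strings.LastIndex(image, "/") {
		image = image[:i]
		keys = append(keys, image)
	}
	return keys
}

// matchKey returns the auths key that is used ("" if none); namespaced=false is hostname-only.
func matchKey(raw, image string, namespaced bool) (string, error) {
	var f struct{ Auths map[string]json.RawMessage `json:"auths"` }
	if err := json.Unmarshal([]byte(raw), &f); err != nil {
		return "", err
	}
	keys := candidateKeys(image)
	if !namespaced {
		keys = keys[len(keys)-1:] // only the registry hostname is tried
	}
	for _, k := range keys {
		if _, ok := f.Auths[k]; ok {
			return k, nil
		}
	}
	return "", nil
}

func main() {
	for _, ns := range []bool{true, false} {
		k, err := matchKey(sampleAuthJSON, "quay.io/akaris/origin-release:v4.10-metric-50", ns)
		fmt.Println("namespaced:", ns, "key:", k, "err:", err)
	}
}
```

Comparing the key chosen in each mode against the account that actually has access to the repository shows quickly whether an `unauthorized` pull is a credential problem or a lookup problem.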
We have plans to include podman 3.3+ in RHCOS 4.10; we are currently working through the configuration steps necessary to build + include newer podman builds in RHCOS 4.10
Unfortunately, our plans to include a newer `podman` as part of OCP/RHCOS 4.10 were not able to be successful and we will continue to ship `podman-3.2.3` at RHCOS 4.10 GA. We will revisit the plan to include newer `podman` in OCP/RHCOS in the future. For more context, see https://bugzilla.redhat.com/show_bug.cgi?id=2013822#c3
RHCOS/OCP 4.11 will include podman v4
Verify passed on 4.11.0-0.nightly-2022-07-06-145812, podman-4.0.2-6.rhaos4.11.el8.x86_64 is included in OCP 4.11

~~~
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-07-06-145812   True        False         5m10s   Cluster version is 4.11.0-0.nightly-2022-07-06-145812

$ oc get nodes
NAME                           STATUS   ROLES    AGE   VERSION
ip-10-0-145-69.ec2.internal    Ready    master   19m   v1.24.0+2dd8bb1
ip-10-0-153-242.ec2.internal   Ready    worker   13m   v1.24.0+2dd8bb1
ip-10-0-153-58.ec2.internal    Ready    worker   13m   v1.24.0+2dd8bb1
ip-10-0-164-116.ec2.internal   Ready    master   19m   v1.24.0+2dd8bb1
ip-10-0-226-227.ec2.internal   Ready    master   19m   v1.24.0+2dd8bb1
ip-10-0-252-22.ec2.internal    Ready    worker   10m   v1.24.0+2dd8bb1

$ oc debug node/ip-10-0-153-242.ec2.internal -- chroot /host rpm -qa | grep podman
podman-catatonit-4.0.2-6.rhaos4.11.el8.x86_64
podman-4.0.2-6.rhaos4.11.el8.x86_64
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069