Description of problem: The authfile parameter is not passed during the build and the subsequent pushing of the container images to the remote registry. This is because the specified file in the authfile parameter is set as the REGISTRY_AUTH_FILE env variable at build time, but buildah is run via sudo without preserving environment variables. How reproducible: Everytime. Steps to Reproduce: 1. Install tripleoclient. 2. Run "openstack tripleo container image build --registry remote_registry --push --authfile /path/to/auth.json ...other_parameters..." Actual results: The container image cannot be pushed to the remote registry. Error: unauthorized: authentication required https://paste.opendev.org/raw/bUbvZAD3Qoro59l0Z7HO/ Additional info: I ran into this using Wallaby tripleoclient, but I was comparing code from different releases in the tripleo-common repository and I think you can run into this in other releases as well. To fix this, I added preserving env vars to the line with sudo buildah in tripleo_common/image/builder/buildah.py: [stack@undercloud tripleo_common]$ diff image/builder/buildah.py{,_old} 98c98 < self.buildah_cmd = ['sudo', '-E', 'buildah'] --- > self.buildah_cmd = ['sudo', 'buildah'] After that the building and pushing of the container images was successful.
Hey Alexey, Thanks for the report. Sounds reasonable, I proposed that change here: https://review.opendev.org/c/openstack/tripleo-common/+/867080
(In reply to Brendan Shephard from comment #1) > Hey Alexey, > > Thanks for the report. Sounds reasonable, I proposed that change here: > https://review.opendev.org/c/openstack/tripleo-common/+/867080 We later found out this change breaks the existing auth record as was reported in [1]. I've submitted an alternative fix. One problem I'm facing now is that we likely need a new release of tripleo-common once we merge the t-c patch, then we can merge python-tripleoclient. [1] https://bugs.launchpad.net/tripleo/+bug/1999749 [2] https://review.opendev.org/q/topic:rhbz2151943