Bug 2218315 - podman auto-update ignores --authfile and REGISTRY_AUTH_FILE
Summary: podman auto-update ignores --authfile and REGISTRY_AUTH_FILE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Jindrich Novy
QA Contact: Yuhui Jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-28 18:06 UTC by Jered Floyd
Modified: 2023-11-14 16:32 UTC (History)

Fixed In Version: podman-4.6.0-0.3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-14 15:29:19 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | containers podman pull 19092 | 0 | None | Merged | auto update: fix usage of --authfile | 2023-07-10 03:39:12 UTC
Red Hat Issue Tracker | RHELPLAN-161126 | 0 | None | None | None | 2023-06-28 18:08:07 UTC

Description Jered Floyd 2023-06-28 18:06:04 UTC
Description of problem:

podman auto-update does not use credentials provided with --authfile or specified in the REGISTRY_AUTH_FILE.

(podman auto-update also does not present an error when no credentials are available, but this may be intended behavior?) 


Version-Release number of selected component (if applicable):

4.4.1


How reproducible:

Always


Steps to Reproduce:
1. Create a new podman container with systemd integration, label io.containers.autoupdate=registry, and from a registry that requires authentication.
2. Update registry image.
3a. Run podman auto-update --authfile /srv/auth.json where /srv/auth.json has registry login credentials.  

3b. Run podman auto-update with REGISTRY_AUTH_FILE set to /srv/auth.json.

Actual results:

Container is not updated.  podman auto-update indicates "false" for Update Status.


Expected results:

Container is updated if credentials are valid and update status is "true", and update status is "failed" if credentials are unavailable or invalid.


Additional info:

Sample output (edited) with "podman auto-update --log-level debug --authfile /srv/auth.json":

time="2023-06-28T17:58:40Z" level=info msg="podman filtering at log level debug"
time="2023-06-28T17:58:40Z" level=debug msg="Called auto-update.PersistentPreRunE(podman auto-update --log-level debug --authfile /srv/auth.json)"
time="2023-06-28T17:58:40Z" level=debug msg="Using conmon: \"/usr/bin/conmon\""
time="2023-06-28T17:58:40Z" level=debug msg="Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db"
time="2023-06-28T17:58:40Z" level=debug msg="Using graph driver overlay"
time="2023-06-28T17:58:40Z" level=debug msg="Using graph root /var/lib/containers/storage"
time="2023-06-28T17:58:40Z" level=debug msg="Using run root /run/containers/storage"
time="2023-06-28T17:58:40Z" level=debug msg="Using static dir /var/lib/containers/storage/libpod"
time="2023-06-28T17:58:40Z" level=debug msg="Using tmp dir /run/libpod"
time="2023-06-28T17:58:40Z" level=debug msg="Using volume path /var/lib/containers/storage/volumes"
time="2023-06-28T17:58:40Z" level=debug msg="Using transient store: false"
time="2023-06-28T17:58:40Z" level=debug msg="Set libpod namespace to \"\""
time="2023-06-28T17:58:40Z" level=debug msg="[graphdriver] trying provided driver \"overlay\""
time="2023-06-28T17:58:40Z" level=debug msg="Cached value indicated that overlay is supported"
time="2023-06-28T17:58:40Z" level=debug msg="Cached value indicated that overlay is supported"
time="2023-06-28T17:58:40Z" level=debug msg="Cached value indicated that metacopy is being used"
time="2023-06-28T17:58:40Z" level=debug msg="Cached value indicated that native-diff is not being used"
time="2023-06-28T17:58:40Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"
time="2023-06-28T17:58:40Z" level=debug msg="backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true"
time="2023-06-28T17:58:40Z" level=debug msg="Initializing event backend file"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument"
time="2023-06-28T17:58:40Z" level=debug msg="Using OCI runtime \"/usr/bin/runc\""
time="2023-06-28T17:58:40Z" level=info msg="Setting parallel job count to 7"
time="2023-06-28T17:58:40Z" level=debug msg="parsed reference into \"[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@13487ca8dd86f89158fcdcb2127bb9b4fbab5c93b05dd4e5ec7a8a4165474cd0\""
time="2023-06-28T17:58:40Z" level=debug msg="exporting opaque data as blob \"sha256:13487ca8dd86f89158fcdcb2127bb9b4fbab5c93b05dd4e5ec7a8a4165474cd0\""
time="2023-06-28T17:58:40Z" level=debug msg="Using registries.d directory /etc/containers/registries.d"
time="2023-06-28T17:58:40Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf\""
time="2023-06-28T17:58:40Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf.d/000-shortnames.conf\""
time="2023-06-28T17:58:40Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf.d/001-rhel-shortnames.conf\""
time="2023-06-28T17:58:41Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf.d/002-rhel-shortnames-overrides.conf\""
[..]
time="2023-06-28T17:58:43Z" level=debug msg="Trying to access \"registry.redhat.io/rhel8/mariadb-103:latest\""
time="2023-06-28T17:58:43Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /run/user/0/containers/auth.json"
time="2023-06-28T17:58:43Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /root/.config/containers/auth.json"
time="2023-06-28T17:58:43Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /root/.docker/config.json"
time="2023-06-28T17:58:43Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /root/.dockercfg"
time="2023-06-28T17:58:43Z" level=debug msg="No credentials for registry.redhat.io/rhel8/mariadb-103 found"
time="2023-06-28T17:58:43Z" level=debug msg=" Lookaside configuration: using \"docker\" namespace registry.redhat.io"
time="2023-06-28T17:58:43Z" level=debug msg="  Using \"sigstore\" https://registry.redhat.io/containers/sigstore"
time="2023-06-28T17:58:43Z" level=debug msg="Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.redhat.io"
time="2023-06-28T17:58:43Z" level=debug msg=" Sigstore attachments: using \"docker\" namespace registry.redhat.io"
time="2023-06-28T17:58:43Z" level=debug msg="GET https://registry.redhat.io/v2/"
time="2023-06-28T17:58:43Z" level=debug msg="Ping https://registry.redhat.io/v2/ status 401"
time="2023-06-28T17:58:43Z" level=debug msg="GET https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?scope=repository%3Arhel8%2Fmariadb-103%3Apull&service=docker-registry"
time="2023-06-28T17:58:43Z" level=debug msg="Accessing \"registry.redhat.io/rhel8/mariadb-103:latest\" failed: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication"
time="2023-06-28T17:58:43Z" level=debug msg="Error checking updates for image registry.redhat.io/rhel8/mariadb-103: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication (ignoring error)"
[..]


Sample output (edited) with "podman auto-update --log-level debug" with the contents of /srv/auth.json in ~/.config/containers/auth.json:

time="2023-06-28T18:03:23Z" level=info msg="podman filtering at log level debug"
time="2023-06-28T18:03:23Z" level=debug msg="Called auto-update.PersistentPreRunE(podman auto-update --log-level debug)"
time="2023-06-28T18:03:23Z" level=debug msg="Using conmon: \"/usr/bin/conmon\""
time="2023-06-28T18:03:23Z" level=debug msg="Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db"
time="2023-06-28T18:03:23Z" level=debug msg="Using graph driver overlay"
time="2023-06-28T18:03:23Z" level=debug msg="Using graph root /var/lib/containers/storage"
time="2023-06-28T18:03:23Z" level=debug msg="Using run root /run/containers/storage"
time="2023-06-28T18:03:23Z" level=debug msg="Using static dir /var/lib/containers/storage/libpod"
time="2023-06-28T18:03:23Z" level=debug msg="Using tmp dir /run/libpod"
time="2023-06-28T18:03:23Z" level=debug msg="Using volume path /var/lib/containers/storage/volumes"
time="2023-06-28T18:03:23Z" level=debug msg="Using transient store: false"
time="2023-06-28T18:03:23Z" level=debug msg="Set libpod namespace to \"\""
time="2023-06-28T18:03:23Z" level=debug msg="[graphdriver] trying provided driver \"overlay\""
time="2023-06-28T18:03:23Z" level=debug msg="Cached value indicated that overlay is supported"
time="2023-06-28T18:03:23Z" level=debug msg="Cached value indicated that overlay is supported"
time="2023-06-28T18:03:23Z" level=debug msg="Cached value indicated that metacopy is being used"
time="2023-06-28T18:03:23Z" level=debug msg="Cached value indicated that native-diff is not being used"
time="2023-06-28T18:03:23Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"
time="2023-06-28T18:03:23Z" level=debug msg="backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true"
time="2023-06-28T18:03:23Z" level=debug msg="Initializing event backend file"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument"
time="2023-06-28T18:03:23Z" level=debug msg="Using OCI runtime \"/usr/bin/runc\""
time="2023-06-28T18:03:23Z" level=info msg="Setting parallel job count to 7"
time="2023-06-28T18:03:23Z" level=debug msg="Looking up image \"localhost/mediawiki\" in local containers storage"
time="2023-06-28T18:03:23Z" level=debug msg="Normalized platform linux/amd64 to {amd64 linux  [] }"
time="2023-06-28T18:03:23Z" level=debug msg="Trying \"localhost/mediawiki:latest\" ..."
time="2023-06-28T18:03:23Z" level=debug msg="parsed reference into \"[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@9fc98a366b2a73a1550bb6f1f0b4f1c6ba48305c06769b714afa475f70269ca2\""
time="2023-06-28T18:03:23Z" level=debug msg="Found image \"localhost/mediawiki\" as \"localhost/mediawiki:latest\" in local containers storage"
time="2023-06-28T18:03:23Z" level=debug msg="Found image \"localhost/mediawiki\" as \"localhost/mediawiki:latest\" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@9fc98a366b2a73a1550bb6f1f0b4f1c6ba48305c06769b714afa475f70269ca2)"
time="2023-06-28T18:03:23Z" level=debug msg="exporting opaque data as blob \"sha256:9fc98a366b2a73a1550bb6f1f0b4f1c6ba48305c06769b714afa475f70269ca2\""
time="2023-06-28T18:03:23Z" level=debug msg="parsed reference into \"[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@13487ca8dd86f89158fcdcb2127bb9b4fbab5c93b05dd4e5ec7a8a4165474cd0\""
time="2023-06-28T18:03:23Z" level=debug msg="exporting opaque data as blob \"sha256:13487ca8dd86f89158fcdcb2127bb9b4fbab5c93b05dd4e5ec7a8a4165474cd0\""
time="2023-06-28T18:03:23Z" level=debug msg="Using registries.d directory /etc/containers/registries.d"
time="2023-06-28T18:03:23Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf\""
time="2023-06-28T18:03:23Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf.d/000-shortnames.conf\""
time="2023-06-28T18:03:23Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf.d/001-rhel-shortnames.conf\""
time="2023-06-28T18:03:24Z" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf.d/002-rhel-shortnames-overrides.conf\""
[..]
time="2023-06-28T18:03:26Z" level=debug msg="Trying to access \"registry.redhat.io/rhel8/mariadb-103:latest\""
time="2023-06-28T18:03:26Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /run/user/0/containers/auth.json"
time="2023-06-28T18:03:26Z" level=debug msg="Found credentials for registry.redhat.io/rhel8/mariadb-103 in credential helper containers-auth.json in file /root/.config/containers/auth.json"
time="2023-06-28T18:03:26Z" level=debug msg=" Lookaside configuration: using \"docker\" namespace registry.redhat.io"
time="2023-06-28T18:03:26Z" level=debug msg="  Using \"sigstore\" https://registry.redhat.io/containers/sigstore"
time="2023-06-28T18:03:26Z" level=debug msg="Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.redhat.io"
time="2023-06-28T18:03:26Z" level=debug msg=" Sigstore attachments: using \"docker\" namespace registry.redhat.io"
time="2023-06-28T18:03:26Z" level=debug msg="GET https://registry.redhat.io/v2/"
time="2023-06-28T18:03:26Z" level=debug msg="Ping https://registry.redhat.io/v2/ status 401"
time="2023-06-28T18:03:26Z" level=debug msg="GET https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?account=[REDACTED]&scope=repository%3Arhel8%2Fmariadb-103%3Apull&service=docker-registry"
time="2023-06-28T18:03:26Z" level=debug msg="GET https://registry.redhat.io/v2/rhel8/mariadb-103/manifests/latest"
time="2023-06-28T18:03:26Z" level=debug msg="Content-Type from manifest GET is \"application/vnd.docker.distribution.manifest.list.v2+json\""
time="2023-06-28T18:03:26Z" level=debug msg="GET https://registry.redhat.io/v2/rhel8/mariadb-103/manifests/sha256:d7ef9a47131eeea7ece6b531eb0793fe93a37fde75040defa4d777444b552b88"
time="2023-06-28T18:03:26Z" level=debug msg="Content-Type from manifest GET is \"application/vnd.docker.distribution.manifest.v2+json\""
time="2023-06-28T18:03:26Z" level=debug msg="parsed reference into \"[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@6701ff105db000bd2d397ff6a06ff2ced4fec2b6ae2abec736479179136ddfe5\""
time="2023-06-28T18:03:26Z" level=debug msg="exporting opaque data as blob \"sha256:6701ff105db000bd2d397ff6a06ff2ced4fec2b6ae2abec736479179136ddfe5\""
[..]
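
The two debug runs above differ in which credential files podman reports consulting. The following is an added example, not part of the original report and not podman's own code: a triage script that reads `podman auto-update --log-level debug` output and flags a requested auth file that never appears among the consulted files, along with update checks whose errors were ignored. The function names are hypothetical, and the message formats are assumed to match the lines quoted in this report.

```python
import re
import shlex

# Sample input abridged from the report's first debug run (with --authfile).
SAMPLE_LOG = r'''
time="2023-06-28T17:58:40Z" level=debug msg="Called auto-update.PersistentPreRunE(podman auto-update --log-level debug --authfile /srv/auth.json)"
time="2023-06-28T17:58:43Z" level=debug msg="Trying to access \"registry.redhat.io/rhel8/mariadb-103:latest\""
time="2023-06-28T17:58:43Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /run/user/0/containers/auth.json"
time="2023-06-28T17:58:43Z" level=debug msg="No credentials matching registry.redhat.io/rhel8/mariadb-103 found in /root/.config/containers/auth.json"
time="2023-06-28T17:58:43Z" level=debug msg="No credentials for registry.redhat.io/rhel8/mariadb-103 found"
time="2023-06-28T17:58:43Z" level=debug msg="Error checking updates for image registry.redhat.io/rhel8/mariadb-103: unable to retrieve auth token: invalid username/password: unauthorized (ignoring error)"
'''

LINE = re.compile(r'^time="[^"]*" level=\w+ msg="(.*)"\s*$')
CALLED = re.compile(r'^Called auto-update\.PersistentPreRunE\((.*)\)$')
MISS = re.compile(r'^No credentials matching (\S+) found in (\S+)$')
HIT = re.compile(r'^Found credentials for (\S+) in credential helper \S+ in file (\S+)$')
IGNORED = re.compile(r'^Error checking updates for image (\S+?): .*\(ignoring error\)$')


def requested_authfile(cmdline):
    """Return the --authfile value from the logged command line, or None."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "--authfile" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--authfile="):
            return arg.split("=", 1)[1]
    return None


def audit(log_text, env_authfile=None):
    """Summarise credential lookups; env_authfile is the caller's REGISTRY_AUTH_FILE."""
    requested, consulted, hits, ignored = env_authfile, [], {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1).replace('\\"', '"')
        if (c := CALLED.match(msg)):
            # An explicit flag replaces the environment value.
            requested = requested_authfile(c.group(1)) or requested
        elif (c := MISS.match(msg)):
            consulted.append(c.group(2))
        elif (c := HIT.match(msg)):
            consulted.append(c.group(2))
            hits[c.group(1)] = c.group(2)
        elif (c := IGNORED.match(msg)):
            ignored.append(c.group(1))
    return {
        "requested_authfile": requested,
        # True when lookups happened but never touched the requested file.
        "authfile_bypassed": bool(requested and consulted and requested not in consulted),
        "consulted": sorted(set(consulted)),
        "credentials_from": hits,
        "silently_failed": ignored,
    }
```

Because the environment is not recorded in the debug log, pass the value of REGISTRY_AUTH_FILE as `env_authfile` when auditing a run that relied on it rather than on the flag.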

Comment 1 Valentin Rothberg 2023-06-29 06:41:41 UTC
Thanks for filing the issue, Jered!  I will take a look at it in the coming days.

Comment 2 Valentin Rothberg 2023-07-03 09:27:32 UTC
Opened the following PR upstream: https://github.com/containers/podman/pull/19092

Comment 10 errata-xmlrpc 2023-11-14 15:29:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6939

