Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docker login with docker.io creds "successfully" logs-into registry.fedoraproject.org then fails to push to registry-1.docker.io #22400

Open
rhatdan opened this issue Apr 16, 2024 Discussed in #22394 · 20 comments · May be fixed by #24888
Open

docker login with docker.io creds "successfully" logs-into registry.fedoraproject.org then fails to push to registry-1.docker.io #22400

rhatdan opened this issue Apr 16, 2024 Discussed in #22394 · 20 comments · May be fixed by #24888
Assignees
@lslavkov @tthvo
Labels
Good First Issue This issue would be a good issue for a first time contributor to undertake. kind/bug Categorizes issue or PR as related to a bug.

Comments

@rhatdan
Copy link
Member

rhatdan commented Apr 16, 2024

Discussed in #22394

Originally posted by azdle April 16, 2024

Issue Description

First off, I'm not sure if this is a podman issue or a fedora package issue, but I figured this might be helpful here since there are a lot of closed, but unresolved, issues here that seem like they could be caused by this. Also, this is on 4.9.4, I haven't tried v5.

Doing a fresh setup with podman-docker installed on fedora and following docker.io's instructions for logging in and pushing my first image, I'm told my "Login Succeeded!", but when I try to push I get a "resource denied" error.

It seems running docker login -u $USER stores the access token as a token for registry.fedoraproject.org (not what I expected), but when I try to push it tries to push to registry-1.docker.io (is what I expected).

Steps to reproduce the issue

  1. Install podman-docker
  2. Follow docker.io's instructions to login
    a. Create access token
    b. run docker login -u $USER
    c. enter token

Describe the results you received

$ podman login -u $USER
Password:
Login Succeeded!
$ cat /run/user/1000/containers/auth.json
{
    "auths": {
	    "registry.fedoraproject.org": {
		    "auth": "cGF0cmljazpkY2tyX3BhdF84X2xvbHRoaXNhaW50cmVhbAo="
	    }
    }
}⏎
$ docker push $USER/$IMAGE
[...]
Error: writing blob: initiating layer upload to /v2/$USER/$IMAGE/blobs/uploads/ in registry-1.docker.io: requested access to the resource is denied

Describe the results you expected

$ docker login -u $USER
Password: 
Login Succeeded!
$ cat /run/user/1000/containers/auth.json
{
    "auths": {
	    "registry-1.docker.io": {
		    "auth": "cGF0cmljazpkY2tyX3BhdF84X2xvbHRoaXNhaW50cmVhbAo="
	    }
    }
}⏎
$ docker push $USER/$IMAGE
Writing manifest to image destination

^ exit success

or

Failure for the login command

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.7
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 94.97
    systemPercent: 1.49
    userPercent: 3.54
  cpus: 20
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "39"
  eventLogger: journald
  freeLocks: 2039
  hostname: brick
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.7.11-200.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 40281542656
  memTotal: 67076845568
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-1.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.4-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240220.g1e6f92b-1.fc39.x86_64
    version: |
      pasta 0^20240220.g1e6f92b-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 25h 7m 53.00s (Approximately 1.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/$USER/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 2
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/$USER/.local/share/containers/storage
  graphRootAllocated: 4095101370368
  graphRootUsed: 37661007872
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 26
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/$USER/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.4
  Built: 1711445992
  BuiltTime: Tue Mar 26 04:39:52 2024
  GitCommit: ""
  GoVersion: go1.21.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.4

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

Workaround

For anyone else having this issue, either edit your auth.json file to say "registry-1.docker.io" or just run docker login -u $USER registry-1.docker.io instead.
@rhatdan rhatdan added the kind/bug Categorizes issue or PR as related to a bug. label Apr 16, 2024
@rhatdan
Copy link
Member Author

rhatdan commented Apr 16, 2024

I guess the login successfull command should say

Login Succeeded registry.fedoraproject.org!

Or potentially better, if Podman and Buildah could figure it out, would be to return an error and tell the user to specify the registry. This is probably the more secure thing to do, since your credentials were sent to registry.fedoraproject.org.

If podman/buildah know that there are more then one registry, and the user does not specify one, it should error and tell the user to specify a registry.

@rhatdan rhatdan added the Good First Issue This issue would be a good issue for a first time contributor to undertake. label Apr 16, 2024
@rhatdan
Copy link
Member Author

rhatdan commented Apr 16, 2024

Just need someone to step up to open a PR.

@github-actions GitHub Actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@tthvo
Copy link

tthvo commented May 18, 2024

Mind if I have a look? I am new here so just need to get familiar with the codebase :))

@rhatdan
Copy link
Member Author

rhatdan commented May 18, 2024

You got it.

@tthvo
Copy link

tthvo commented May 22, 2024
edited
Loading

Or potentially better, if Podman and Buildah could figure it out, would be to return an error and tell the user to specify the registry. This is probably the more secure thing to do, since your credentials were sent to registry.fedoraproject.org.
If podman/buildah know that there are more then one registry, and the user does not specify one, it should error and tell the user to specify a registry.

@rhatdan hi, I have a question as I am walking through this. This does mean that podman login/logout would not be compatible with docker, right? Essentially, reverting #5233?

Login Succeeded registry.fedoraproject.org!

Otherwise, this makes sense to me! Seems like its out of scope of podman and must be done in https://github.com/containers/common.

What are your thoughts?

@danishprakash
Copy link
Contributor

danishprakash commented May 24, 2024
edited
Loading

Login Succeeded registry.fedoraproject.org!

Otherwise, this makes sense to me!

I'd suggest reverting #5233 since logging in unintentionally to a different registry doesn't look good from a security point of view.

If reverting is not ideal, then we can let the user confirm their choice while displaying the registry podman would end up logging in to, allowing the user to choose not to login to a different registry and modifying the registries.conf as desired or even pass the registry as a flag.

@tthvo
Copy link

tthvo commented May 24, 2024
edited
Loading

Sounds reasonable to me on the security standpoint! I suppose anyone would not want their credentials sent elsewhere unintended, for example, a tampered registries.conf.

If reverting is not ideal, then we can let the user confirm their choice while displaying the registry podman would end up logging in to, allowing the user to choose not to login to a different registry and modifying the registries.conf as desired or even pass the registry as a flag.

This is a good idea here. Though, it can be a bit tough for non-interactive login that would just want to skip confirmation. Something like podman login -y <registry> might be ok, but it does sound odd and maybe there are better ways.

@tthvo
Copy link

tthvo commented Jun 6, 2024

To keep it simple for now unless we decide otherwise later, I will have a look to output the registry that is being logged in.

@arsenalzp
Copy link

arsenalzp commented Nov 24, 2024
edited
Loading

Hello,
Does anybody work on this issue?
If no, please assign it to me. I would also know are there any deadlines for solving this issue?

@tthvo
Copy link

tthvo commented Nov 26, 2024

Hello,
Does anybody work on this issue?
If no, please assign it to me. I would also know are there any deadlines for solving this issue?

Hey @arsenalzp , I have yet to hear back on which direction to go in this issue, so there has yet to be any progress. Though, not sure if I have the time in the next couple months, so feel free to work on it :D

@arsenalzp
Copy link

Please assign it to me.

@lslavkov
Copy link

Greetings! I want to take the mantle to fix this but seems that @arsenalzp is next in line for fixing the issue.

@lslavkov
Copy link

@rhatdan

If podman/buildah know that there are more then one registry, and the user does not specify one, it should error and tell the user to specify a registry.

So If I understand correctly it needs to ask specific registry if there is already one in the auth.json to avoid collisions, right?

@lslavkov
Copy link

/assign

@rhatdan
Copy link
Member Author

rhatdan commented Dec 13, 2024

Awesome thanks @lslavkov

@lslavkov
Copy link

@danishprakash

I'd suggest reverting #5233 since logging in unintentionally to a different registry doesn't look good from a security point of view.

I don't think that is really ideal situation to revert the code. Based on commits I have checked that is no longer possible to return on that point. Would need to code the stuff for that.

If reverting is not ideal, then we can let the user confirm their choice while displaying the registry podman would end up logging in to, allowing the user to choose not to login to a different registry and modifying the registries.conf as desired or even pass the registry as a flag.

Would be better to fail command with context of like you have not declared a registry to login?

@rhatdan
Copy link
Member Author

rhatdan commented Dec 16, 2024

How about if you have more then one registry then we force users to enter the specific registry. Then if they only have one listed, it just works.

@lslavkov
Copy link

lslavkov commented Dec 16, 2024
edited
Loading

How about if you have more then one registry then we force users to enter the specific registry. Then if they only have one listed, it just works.

Registry in auth.json file I assume?

@rhatdan

Actually it is better to target directly the registry from registry.conf. Your thoughts?

@rhatdan
Copy link
Member Author

rhatdan commented Dec 18, 2024

That is what I was talking about.

If you have one unqualified registry listed in registry.conf say quay.io, then
podman login

Should work as well as
podman login REGISTRY

If we have more then one unqualified registry in registries.conf, then
podman login

SHould throw an error saying please pick a registry.

@lslavkov lslavkov linked a pull request Dec 21, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lslavkov lslavkov

@tthvo tthvo

Labels
Good First Issue This issue would be a good issue for a first time contributor to undertake. kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Checking for multiple registries when login/logout lslavkov/podman
5 participants
@rhatdan @danishprakash @lslavkov @arsenalzp @tthvo