Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bootc install does not use my podman credentials #436

Open
stefwalter opened this issue Mar 26, 2024 · 5 comments
Open

bootc install does not use my podman credentials #436

stefwalter opened this issue Mar 26, 2024 · 5 comments
Labels
area/install Issues related to `bootc install`

Comments

@stefwalter
Copy link
Contributor

I've tried to install a bootable container with an install to-filesystem as documented here: https://containers.github.io/bootc/bootc-install.html#executing-bootc-install

My image is pushed in a private registry tag (in quay.io). However bootc cannot access my repository. I used podman login quay.io to login on the host, which allows podman to pull the container image, but for some reason that I cannot understand bootc wants to access it again:

# sudo podman run --rm --privileged --pid=host --security-opt label=type:unconfined_t -v /:/target -v /var/lib/containers:/var/lib/containers quay.io/swalter/tuesday:1.0 bootc install to-filesystem --karg=console=ttyS0,115200n8 --replace=alongside /target
Trying to pull quay.io/swalter/tuesday:1.0...
Getting image source signatures
Copying blob 123a23fee02f done  
Copying blob 123a23fee02f done  
... snip ...
Copying blob f76da783556e done  
Copying config 4787122538 done  
Writing manifest to image destination
ERROR Installing to filesystem: Verifying fetch: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: reading manifest 1.0 in quay.io/swalter/tuesday: unauthorized: access to the requested resource is not authorized
@stefwalter
Copy link
Contributor Author

stefwalter commented Mar 26, 2024
edited

I would expect that bootc install doesn't need to know the registry. What if the image was local, and not pushed to a registry?

@cgwalters cgwalters added the area/install Issues related to `bootc install` label Mar 26, 2024
@cgwalters
Copy link
Collaborator

#428 tracks importing credentials in this case; what do you think of that one?

I would expect that bootc install doesn't need to know the registry. What if the image was local, and not pushed to a registry?

There is --skip-fetch-check for this use case. But the fetch check is exactly to avoid this foot-gun. Would improving the error message help? Something like linking to the documentation? (I expanded #430 recently related to this too).

@cgwalters cgwalters mentioned this issue Mar 26, 2024
Open
@stefwalter
Copy link
Contributor Author

Why is this a foot-gun? Why would fetch check be an error? Should it only be a warning by default?

@cgwalters
Copy link
Collaborator

Why is this a foot-gun? Why would fetch check be an error?

Because it's really easy to fall into the trap of failing to configure the fetch credentials inside one's image, right?

@henrywang
Copy link
Contributor

henrywang commented Mar 27, 2024
edited

I usually save QUAY_SECRET into /etc/ostree/auth.json and copy auth.json into container image when build image.

QUAY_SECRET=$(echo -n "${QUAY_USERNAME}:${QUAY_PASSWORD}" | base64 -w 0)

{
  "auths": {
    "quay.io": {
      "auth": "$QUAY_SECRET"
    }
  }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/install Issues related to `bootc install`
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cgwalters @henrywang @stefwalter