Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"run" fails to pull image with authorization failure #3524

Closed
stefanb2 opened this issue Jul 9, 2019 · 10 comments · Fixed by #3528
Closed

"run" fails to pull image with authorization failure #3524

stefanb2 opened this issue Jul 9, 2019 · 10 comments · Fixed by #3528
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@stefanb2
Copy link
Contributor

stefanb2 commented Jul 9, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Pull operation from company internal docker repository with podman run IMAGE fails whereas podman pull IMAGE works fine.

Steps to reproduce the issue:

  1. podman image rm docker.COMPANY.COM:5004/PATH/mongo:3.4.7
  2. podman run docker.COMPANY.COM:5004/PATH/mongo:3.4.7
  3. podman pull docker.COMPANY.COM:5004/PATH/mongo:3.4.7

Describe the results you received:

$ podman image rm docker.COMPANY.COM:5004/PATH/mongo:3.4.7
ac18aa9255fd8023d1eb6e08d2fbc7b95c0c92166db040cb12b2ac19842e6c6c

$ podman run docker.COMPANY.COM:5004/PATH/mongo:3.4.7
Trying to pull docker.COMPANY.COM:5004/PATH/mongo:3.4.7...ERRO[0000] Error pulling image ref //docker.COMPANY.COM:5004/PATH/mongo:3.4.7: Error initializing source docker://docker.COMPANY.COM:5004/PATH/mongo:3.4.7: Error reading manifest 3.4.7 in docker.COMPANY.COM:5004/PATH/mongo: unauthorized: access to the requested resource is not authorized 
Failed
Error: unable to pull docker.COMPANY.COM:5004/PATH/mongo:3.4.7: unable to pull image: Error initializing source docker://docker.COMPANY.COM:5004/PATH/mongo:3.4.7: Error reading manifest 3.4.7 in docker.COMPANY.COM:5004/PATH/mongo: unauthorized: access to the requested resource is not authorized

$ podman pull docker.COMPANY.COM:5004/PATH/mongo:3.4.7
Trying to pull docker.COMPANY.COM:5004/PATH/mongo:3.4.7...Getting image source signatures
Copying blob 9cb9d47c5d80 done
...
Copying config ac18aa9255 done
Writing manifest to image destination
Storing signatures
ac18aa9255fd8023d1eb6e08d2fbc7b95c0c92166db040cb12b2ac19842e6c6c

Describe the results you expected:

According to man podman-run

If the IMAGE is not already loaded then podman run will pull the IMAGE, and all image dependencies, from the repository in the same way running podman pull IMAGE, before it starts the container from that image.

Output of podman version:

Version:            1.4.5-dev
RemoteAPI Version:  1
Go Version:         go1.12.6
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.6
  podman version: 1.4.5-dev
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.4-1.fc30.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 0.2.0, commit: 41010e63c287618b1dc34ee11d10d268e2feeefe'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 18037665792
  MemTotal: 33400737792
  OCIRuntime:
    package: runc-1.0.0-93.dev.gitb9b6cc6.fc30.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc8+dev
      commit: e3b4c1108f7d1bf0d09ab612ea09927d9b59b4e3
      spec: 1.0.1-dev
  SwapFree: 32002535424
  SwapTotal: 32002535424
  arch: amd64
  cpus: 12
  hostname: beckst-lnx
  kernel: 5.1.16-300.fc30.x86_64
  os: linux
  rootless: true
  uptime: 38h 36m 26.96s (Approximately 1.58 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/stefanb/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/stefanb/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 3
  RunRoot: /tmp/1000
  VolumePath: /home/stefanb/.local/share/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 9, 2019
@stefanb2
Copy link
Contributor Author

stefanb2 commented Jul 9, 2019

@muayyad-alsadi while not really fatal this does cause an annoying regression for users of podman-compose, i.e. users have to manually pull images beforehand.

@giuseppe
Copy link
Member

giuseppe commented Jul 9, 2019

could it have been a temporary failure? I am not able to reproduce it locally using a local registry using a httpasswd file

@stefanb2
Copy link
Contributor Author

stefanb2 commented Jul 9, 2019

No, this happens for any docker image from our local docker repo.

I'm not sure if this is relevant: our local docker repo is

Nexus Repository Manager
OSS 3.10.0-04

That server is connected to our local AD, i.e. I have to use my AD account name and password to authenticate.

My authorization tokens are stored in ~/.podman-auth.json, apparently for BASIC authentication, i.e. Base64 encoded <user>:<password> strings

giuseppe added a commit to giuseppe/libpod that referenced this issue Jul 9, 2019
@giuseppe
podman: create and run honors auth file location
ecbfc4f 
if the auth file was overriden, be sure create and run honors it.

Closes: containers#3524

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe mentioned this issue Jul 9, 2019
Merged
@giuseppe
Copy link
Member

giuseppe commented Jul 9, 2019

could you try if #3528 solve the issue you are seeing?

giuseppe added a commit to giuseppe/libpod that referenced this issue Jul 9, 2019
@giuseppe
podman: create and run honors auth file location
714d36b 
if the auth file was overriden, be sure create and run honors it.

Closes: containers#3524

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@cybernet
Copy link

does anyone have a fix for this ??

@mheon
Copy link
Member

mheon commented Sep 24, 2020

Can you open a new issue if you're still seeing this? This issue is over a year old.

@cybernet
Copy link

Can you open a new issue if you're still seeing this? This issue is over a year old.

exactly, OVER 1 YEAR old and no one confirmed that is fixed, however the issue was closed ...

@vrothberg
Copy link
Member

Actually it was fixed in #3528 (July '19).

@vrothberg
Copy link
Member

Just tested on 2.1.0 and it's still working

@cybernet
Copy link

#7780 - just opened

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

podman: create and run honors auth file location giuseppe/libpod
6 participants
@giuseppe @cybernet @mheon @stefanb2 @vrothberg @openshift-ci-robot