Registry authentication is not supported #754

Closed
HarryMichal opened this issue Apr 9, 2021 · 7 comments
Labels
1. Bug Something isn't working 2. Host Realm The issue is related to what happens on the host machine where Toolbox is executed

@HarryMichal
Member

Describe the bug

Some registries (e.g., registry.redhat.io) require the user to be authenticated before they can pull an image from it. Toolbox should notice when a registry requires authentication and ask the user for their credentials instead of failing.

Steps how to reproduce the behaviour

  1. toolbox create -i registry.redhat.io/ubi8/ubi

Expected behaviour
Toolbox allows the user to authenticate.

Actual behaviour
Toolbox fails to pull an image and exits

Output of toolbox --version (v0.0.90+)
toolbox version 0.0.99.1

Toolbox package info (rpm -q toolbox)
toolbox-0.0.99.1-1.fc35.x86_64

Output of podman version

Version:      3.1.0-dev
API Version:  3.0.0
Go Version:   go1.16
Built:        Mon Feb 22 23:40:29 2021
OS/Arch:      linux/amd64

Podman package info (rpm -q podman)
podman-3.1.0-0.42.dev.gitd999328.fc35.x86_64

Info about your OS
Fedora Silverblue Rawhide

Additional context
This is required for getting Toolbox into RHEL.

@HarryMichal HarryMichal added 1. Bug Something isn't working 2. Host Realm The issue is related to what happens on the host machine where Toolbox is executed labels Apr 9, 2021
@pierreprinetti

Might or might not be useful to you, but I managed that by explicitly passing podman's registry auth file as an environment variable:

REGISTRY_AUTH_FILE=secret.json toolbox create -i registry.redhat.io/ubi8/ubi ubi

@HarryMichal
Member Author

> Might or might not be useful to you, but I managed that by explicitly passing podman's registry auth file as an environment variable:
>
> REGISTRY_AUTH_FILE=secret.json toolbox create -i registry.redhat.io/ubi8/ubi ubi

Indeed, this is possible. Still, we'd like Toolbox to tell the user that they should log into a registry to be able to pull an image.

@debarshiray
Member

debarshiray commented Jul 4, 2021

This depends on podman pull having a dedicated exit code for authorization failures. See: containers/podman#10858

Or we need to re-implement podman pull directly inside Toolbox so that we have better access to the errors.

The patch-set in #787 based on screen scraping the standard error stream of podman pull is too fragile and has negative consequences. Downstream distributors can use it at their own risk, but it can't be merged upstream.

@travier
Member

travier commented Jul 12, 2021

I don't think we should try to interpret podman failures (even if it would be good indeed if podman could tell us if login to a registry is needed to pull an image).

The default behavior in the coreos/toolbox is to try authenticating to the registry first with the credentials from the file /var/lib/kubelet/config.json before pulling the image (see https://github.com/coreos/toolbox/blob/main/rhcos-toolbox#L74..L86). But we probably don't want to try using those credentials in the general case by default.

So I think this is a case where we want to be able to specify a different non-interactive default for some setups specifically (RHCOS for example), for example with a configuration file. If a certain configuration option is set (i.e. credentials=/var/lib/kubelet/config.json) then toolbox would always try to authenticate first using those credentials before pulling any image. In the other cases, nothing would happen (until we get the information from podman to log in to get the image).

@travier
Member

travier commented Jul 12, 2021

Reading the podman issue (containers/podman#10858), I understand that figuring out if credentials are needed is not easy. So what I would suggest instead would be to offer that as advice to users and to let them decide:

$ toolbox create --image docker.io/idonot/exist:latest test
Image required to create toolbox container.
Download docker.io/idonot/exist:latest (500MB)? [y/N]: y
Error: failed to pull image docker.io/idonot/exist:latest
Hint: If you're pulling from a private registry, please login with 'podman login docker.io' and retry
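
The hint proposed above, narrowed so that it is only shown when the auth file passed through REGISTRY_AUTH_FILE holds no usable entry for the image's registry. This is an added Go example, not Toolbox's code and not part of the thread; the function names, the exact-host lookup in the `auths` map and the sample credentials are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample auth file: one entry for quay.io, base64("user:pass").
const sampleAuth = `{"auths":{"quay.io":{"auth":"dXNlcjpwYXNz"}}}`

// authFile mirrors the "auths" map of the file named by REGISTRY_AUTH_FILE.
type authFile struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// registryOf returns the registry host of an image reference, or "" if unqualified.
func registryOf(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) < 2 || !(strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return ""
	}
	return parts[0]
}

// hasCredentials reports whether authJSON has a well-formed "user:secret" entry
// for registry (exact host match, an assumption). The secret is never returned.
func hasCredentials(authJSON []byte, registry string) bool {
	var f authFile
	if json.Unmarshal(authJSON, &f) != nil {
		return false // unreadable file: treat as "not logged in"
	}
	raw, err := base64.StdEncoding.DecodeString(f.Auths[registry].Auth)
	parts := strings.SplitN(string(raw), ":", 2)
	return err == nil && len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// pullHint returns the hint to show after a failed pull, or "" when the
// registry is unknown or credentials for it are already stored.
func pullHint(image string, authJSON []byte) string {
	registry := registryOf(image)
	if registry == "" || hasCredentials(authJSON, registry) {
		return ""
	}
	return fmt.Sprintf("Hint: If you're pulling from a private registry, please login with 'podman login %s' and retry", registry)
}

func main() { fmt.Println(pullHint("registry.redhat.io/ubi8/ubi", []byte(sampleAuth))) }
```

The check reads only the local auth file and never interprets the output of podman pull, so it does not depend on the screen scraping rejected earlier in the thread.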

@debarshiray
Member

> So what I would suggest instead would be to offer that as advice to users and to let them decide:

Yes, that's what I was thinking myself. :)

debarshiray added a commit to debarshiray/toolbox that referenced this issue Jul 23, 2021
It's not possible to programmatically detect when an image requires
logging into the registry [1]. Therefore, instead of trying to handle
'podman pull' failures due to lack of authorization, just mention that
private images require 'podman login' and that further details of the
failure can be found by using the --verbose option.

[1] containers/podman#10858

containers#754
debarshiray added a commit to debarshiray/toolbox that referenced this issue Jul 23, 2021
It's not possible to programmatically detect when an image requires
logging into the registry [1]. Therefore, instead of trying to handle
'podman pull' failures due to lack of authorization, just mention that
private images require 'podman login' and that further details of the
failure can be found by using the --verbose option.

[1] containers/podman#10858

containers#754
containers#852
@debarshiray
Member

Fixed with #852
