prefer podman authentication file locations #3345
Conversation
atiratree
force-pushed
the
prefer-podman-auth
branch
from
61febc7
to
9d8cd97
Compare
- podman ~/.docker/config.json is deprecated in favor of podman
authentication file locations (default is
${XDG_RUNTIME_DIR}/containers/auth.json)
- oc registry login will try to write to this location so
XDG_RUNTIME_DIR environment variable must be present and the XDG_RUNTIME_DIR
directory created/accessible. Places that need to manipulate with
~/.docker/config.json for backwards compatibility reasons need to
specify --to or --registry-config
- other oc commands that lookup credentials from registry authentication files
will first try the podman locations and if the credentials are not found,
oc will fallback and check ~/.docker/config.json
atiratree
force-pushed
the
prefer-podman-auth
branch
from
9d8cd97
to
993a786
Compare
| @@ -433,7 +438,7 @@ objects: | |||
|
|
|||
| # mirror the release image and override the release image to point to the mirrored one | |||
| mkdir /tmp/.docker && cp /etc/openshift-installer/pull-secret /tmp/.docker/config.json | |||
| oc registry login | |||
| oc registry login --to /tmp/.docker/config.json | |||
There was a problem hiding this comment.
we need to mention the file explicitly to support the pre 4.10 jobs
|
/cc @bbguimaraes |
| - name: XDG_RUNTIME_DIR | ||
| value: /tmp/home/run |
There was a problem hiding this comment.
I don't see any oc registry login calls in either the test or teardown containers, are they done by openshift-tests / the installer? Will those calls also need a --to argument?
There was a problem hiding this comment.
@bbguimaraes These variables are not needed at this time. I am adding this so we that do not have to add them later in case someone needs to call the oc registry login, or have other functionality that depends on this common directory. We may also decide that we want to change/remove the .docker/config.json preferences in the code. Although I am not sure how likely that is. I can remove the support for XDG_RUNTIME_DIR to slim down the PR if you prefer.
There was a problem hiding this comment.
SGTM, this code is only used for legacy tests anyway.
Feel free to /hold cancel whenever you want this deployed.
There was a problem hiding this comment.
ok, thanks. Next one to go is this one: openshift/release#37726
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: atiratree, bbguimaraes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@atiratree: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
we want to remove preference for docker auth files in favor of podman ones in openshift/oc#1376. Since ci-operator depends on the cli (oc) we need to first merge the changes here before the changes in oc can be merged. This change was announced in 4.10 and a proper warning was shown when using oc commands that work with registries since then.