Bug 1982498: default to podman credential configs #893
Conversation
|
@atiratree: An error was encountered searching for bug 1982498 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details. Full error message.
could not unmarshal response body: invalid character '<' looking for beginning of value
Please contact an administrator to resolve this issue, then request a bug refresh with In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
bugzilla/severity-medium
|
@atiratree: This pull request references Bugzilla bug 1982498, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@atiratree: An error was encountered querying GitHub for users with public email (wzheng@redhat.com) for bug 1982498 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details. Full error message.
Post "http://ghproxy/graphql": dial tcp 172.30.229.2:80: connect: connection refused
Please contact an administrator to resolve this issue, then request a bug refresh with In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/bugzilla refresh |
openshift-ci
bot
added
the
bugzilla/valid-bug
|
@atiratree: This pull request references Bugzilla bug 1982498, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
removed
the
bugzilla/invalid-bug
|
/assign @soltysh |
|
/bugzilla refresh |
|
@xiuwang: This pull request references Bugzilla bug 1982498, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
1 similar comment
|
/retest |
|
Build oc from this pr, and report two premerged bugs, This pr didn't account the situation when ${XDG_RUNTIME_DIR} and ${XDG_CONFIG_HOME} not set in host. Then the podman login auth will located to a replacement directory with similar capabilities . Like this: |
atiratree
force-pushed
the
podman-credentials
branch
from
626f543
to
a224a8c
Compare
|
@xiuwang Thanks for the feedback. I have reassessed the logic we have in oc and decided to use the same logic as podman uses. The logic itself is quite complex and is fortunately shared via github.com/containers/image library. Although bear in mind that even podman doesn't fallback to other locations when Regarding the oc login I think it is not feasible without breaking backwards compatibility (please see the BZ for more details). |
atiratree
force-pushed
the
podman-credentials
branch
2 times, most recently
from
56abe09
to
ebadfd8
Compare
|
/retest |
1 similar comment
|
/retest |
|
Hi @atiratree Thanks for update. -a, --registry-config='': Path to your registry credentials. Alternatively env variable ${REGISTRY_AUTH_FILE} can be |
|
This issue https://bugzilla.redhat.com/show_bug.cgi?id=1992474 doesn't be fixed yet. |
@xiuwang Can you please share how are you reproducing this and what errors you are getting? |
pkg/cli/image/manifest/manifest.go
Outdated
| @@ -51,7 +51,7 @@ type SecurityOptions struct { | |||
| } | |||
|
|
|||
| func (o *SecurityOptions) Bind(flags *pflag.FlagSet) { | |||
| flags.StringVarP(&o.RegistryConfig, "registry-config", "a", o.RegistryConfig, "Path to your registry credentials (defaults to ~/.docker/config.json)") | |||
| flags.StringVarP(&o.RegistryConfig, "registry-config", "a", o.RegistryConfig, "Path to your registry credentials. Alternatively env variable ${REGISTRY_AUTH_FILE} can be also specified. Defaults to ${XDG_RUNTIME_DIR}/containers/auth.json, ${XDG_CONFIG_HOME}/containers/auth.json, /run/containers/${UID}/auth.json, ${DOCKER_CONFIG}, ~/.docker/config.json, ~/.dockercfg") | |||
There was a problem hiding this comment.
We can't change the order, since that might break current users. We'll have to do it gradually:
- Add podman locations after
.docker/config.json, we talked with @atiratree about it, it'll be done by re-using the current logic to read.docker/config.jsonand add everything else usinggithub.com/containers/imagelibrary. We just need to ensure that the former has higher precedence than the latter. - Add a warning when using the old loading order.
- Add support for the new order, but behind an env var,
CONTAINERS_AUTH_ORDERor something like that. This would basically drop the legacy support we currently have for.docker/config.jsonand just usegithub.com/containers/image/. This would apply both to reading and writing as well.
Don't forget:
- Add release notes about the loading order changes including the env var to enable it -
CONTAINERS_AUTH_ORDER. Mention supportingREGISTRY_AUTH_FILEas well.
Call out that in 2 release, we'll flipCONTAINERS_AUTH_ORDERto on by default.
There was a problem hiding this comment.
@soltysh I think I have resolved all of the issues. Can you please rereview?
regarding the release notes, I will write them just after we confirm the name of the env variable
|
@atiratree After I used the previous format for .dockercfg, the cmd could get the auth. /label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
/bugzilla refresh |
openshift-ci
bot
removed
the
bugzilla/valid-bug
|
@atiratree: This pull request references Bugzilla bug 1982498, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
bugzilla/invalid-bug
|
/retest |
|
/bugzilla refresh |
|
@atiratree: This pull request references Bugzilla bug 1982498, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
bugzilla/valid-bug
|
/retest |
atiratree
force-pushed
the
podman-credentials
branch
from
a046188
to
1c3d992
Compare
|
rebased |
|
/retest |
- introduce REGISTRY_AUTH_FILE env variable as an alternative to --registry-config - introduce REGISTRY_AUTH_PREFERENCE env variable for switching preference for default auth config location (podman, docker)
atiratree
force-pushed
the
podman-credentials
branch
from
1c3d992
to
e1e3858
Compare
…tials - introduce REGISTRY_AUTH_FILE env variable as an alternative to --registry-config - introduce REGISTRY_AUTH_PREFERENCE env variable for switching preference for default auth config location (podman, docker)
atiratree
force-pushed
the
podman-credentials
branch
from
e1e3858
to
c065372
Compare
| @@ -50,7 +50,8 @@ type SecurityOptions struct { | |||
| } | |||
|
|
|||
| func (o *SecurityOptions) Bind(flags *pflag.FlagSet) { | |||
| flags.StringVarP(&o.RegistryConfig, "registry-config", "a", o.RegistryConfig, "Path to your registry credentials (defaults to ~/.docker/config.json)") | |||
| // TODO: fix priority and deprecation notice in 4.12 | |||
| flags.StringVarP(&o.RegistryConfig, "registry-config", "a", o.RegistryConfig, "Path to your registry credentials. Alternatively REGISTRY_AUTH_FILE env variable can be also specified. Defaults to ~/.docker/config.json (order deprecated), ${XDG_RUNTIME_DIR}/containers/auth.json, ${XDG_CONFIG_HOME}/containers/auth.json, /run/containers/${UID}/auth.json, ${DOCKER_CONFIG}, ~/.dockercfg. Defaults can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker or podman.") | |||
There was a problem hiding this comment.
Suggestion:
Path to your registry credentials. Alternatively REGISTRY_AUTH_FILE env variable can be specified.
Defaults to ~/.docker/config.json, ${XDG_RUNTIME_DIR}/containers/auth.json, ${XDG_CONFIG_HOME}/containers/auth.json, /run/containers/${UID}/auth.json, ${DOCKER_CONFIG}, ~/.dockercfg. The order can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker (current default - deprecated) or podman (prioritizes podman credentials over docker) .
| result = RegistryAuthConfigPreference(authPreference) | ||
| } else { | ||
| // TODO: remove once deprecated in 4.12 | ||
| klog.Warningln("Defaulting of registry auth file to \"${HOME}/.docker/config.json\" is deprecated. The default will be switched to podman config locations in 4.12") |
There was a problem hiding this comment.
Nit: in the future version
we don't specify exact version in these messages, in case we forget 😉
| "net/http" | ||
| "net/url" | ||
| "os" | ||
| "path/filepath" | ||
| "strings" | ||
|
|
||
| "github.com/containers/image/v5/pkg/docker/config" | ||
| imageTypes "github.com/containers/image/v5/types" |
There was a problem hiding this comment.
Nit: most import aliases are lowercase to differentiate that from variables.
There was a problem hiding this comment.
Can we maybe make these imports be:
dockerconfig and containerstypes so it's explicit where these are coming while reading the code
| flag.StringVarP(&o.ConfigFile, "registry-config", "a", o.ConfigFile, "The location of the file your credentials will be stored in. Default is Docker config.json") | ||
| flag.StringVar(&o.ConfigFile, "to", o.ConfigFile, "The location of the file your credentials will be stored in. Default is Docker config.json") | ||
| flag.StringVarP(&o.ConfigFile, "registry-config", "a", o.ConfigFile, "The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can be also specified. Default is Docker config.json (deprecated). Default can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker or podman.") | ||
| flag.StringVar(&o.ConfigFile, "to", o.ConfigFile, "The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can be also specified. Default is Docker config.json (deprecated). Default can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker or podman.") |
There was a problem hiding this comment.
Suggestion:
The location of the file your credentials will be stored in. Alternatively REGISTRY_AUTH_FILE env variable can be specified. Defaults to ~/.docker/config.json. Default can be changed via REGISTRY_AUTH_PREFERENCE env variable to docker (current default - deprecated) or podman (prioritizes podman credentials over docker) .
This will be inline with that other place where I left similar comment.
| contents, err := json.MarshalIndent(cfg, "", " ") | ||
| if err != nil { | ||
| ctx := &imageTypes.SystemContext{AuthFilePath: o.ConfigFile} | ||
| if err := config.SetAuthentication(ctx, o.HostPort, o.Credentials.Username, o.Credentials.Password); err != nil { |
There was a problem hiding this comment.
This makes the code so much easier 😅 we should've done that long time ago.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: atiratree, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@atiratree: All pull requests linked via external trackers have merged: Bugzilla bug 1982498 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
we should first try podman location for detecting credentials and then check the docker ones
relevant docs:
https://man.archlinux.org/man/community/containers-common/containers-auth.json.5.en
http://docs.podman.io/en/latest/markdown/podman-login.1.html