prefer podman authentication file locations #37726
Conversation
|
@atiratree: the
A total of 2459 jobs have been affected by this change. The above listing is non-exhaustive and limited to 35 jobs. A full list of affected jobs can be found here Interacting with pj-rehearseComment: Once you are satisfied with the results of the rehearsals, comment: |
atiratree
force-pushed
the
prefer-podman-auth
branch
from
b3ef2a4
to
d4c6263
Compare
| echo "ERROR Registry config file not found: $REGISTRY_TOKEN_FILE" | ||
| echo " Is the docker/config.json in a different location?" | ||
| echo "ERROR Registry authentication file not found: $REGISTRY_TOKEN_FILE" | ||
| echo " Is the auth.json in a different location?" | ||
| exit 1 | ||
| fi | ||
| oc registry login |
There was a problem hiding this comment.
this PR changes only places that depend on ~/.docker/config.json, eg. plain oc registry login. Other invocations of oc registry login that write to a different file were not changed in this PR as they are not required to be updated to comply with openshift/oc#1376.
There are still many mention of docker/config.json and we can update these in a followup as these will be mostly cosmetic changes.
| @@ -18,6 +18,10 @@ fi | |||
| MIRROR_REGISTRY_HOST=`head -n 1 "${SHARED_DIR}/mirror_registry_url"` | |||
| echo "MIRROR_REGISTRY_HOST: $MIRROR_REGISTRY_HOST" | |||
|
|
|||
| export HOME="${HOME:-/tmp/home}" | |||
There was a problem hiding this comment.
I am not sure if HOME variable is always exposed in all of these so I am adding it to make sure we always have it.
| @@ -167,6 +167,11 @@ objects: | |||
| value: /tmp/artifacts | |||
| - name: HOME | |||
| value: /tmp/home | |||
| - name: XDG_RUNTIME_DIR | |||
There was a problem hiding this comment.
these changes should be identical to changes here openshift/ci-tools#3345
| @@ -64,16 +66,16 @@ echo "INFO Image tag is $IMAGE_TAG" | |||
| # Setup registry credentials | |||
| REGISTRY_TOKEN_FILE="$SECRETS_PATH/$REGISTRY_SECRET/$REGISTRY_SECRET_FILE" | |||
|
|
|||
| config_file="$HOME/.docker/config.json" | |||
| config_file="${XDG_RUNTIME_DIR}/containers/auth.json" | |||
There was a problem hiding this comment.
assisted-baremetal-images-publish, assisted-baremetal-operator-publish, opendatahub-io-ci-image-mirror and red-hat-data-services-ci-image-mirror seem to be used only up to 4.10 so these should be okay to change
|
|
||
| if [[ -n "${INSTALL_INITIAL_RELEASE}" && -n "${RELEASE_IMAGE_INITIAL}" ]]; then | ||
| echo "Installing from initial release ${RELEASE_IMAGE_INITIAL}" | ||
| OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE="${RELEASE_IMAGE_INITIAL}" | ||
| elif [[ "${CLUSTER_VARIANT}" =~ "mirror" ]]; then | ||
| # mirror the release image and override the release image to point to the mirrored one | ||
| mkdir /tmp/.docker && cp /etc/openshift-installer/pull-secret /tmp/.docker/config.json | ||
| mkdir "${XDG_RUNTIME_DIR}/containers" && cp /etc/openshift-installer/pull-secret "${XDG_RUNTIME_DIR}/containers/auth.json" |
There was a problem hiding this comment.
hm, this seems it might brake eg. release-openshift-ocp-installer-e2e-aws-csi-4.9. Need to test and we probably have to support the ~docker/config.json for the old releases
There was a problem hiding this comment.
I have reverted these and using .docker/config.js to ensure it works for older versions
|
/pj-rehearse release-openshift-ocp-installer-e2e-aws-csi-4.9 pull-ci-openshift-assisted-service-master-push-pr-image periodic-ci-red-hat-data-services-notebooks-release-2023a-notebook-jupyter-pytorch-ubi9-python-3-9-image-mirror-weekly |
|
/pj-rehearse release-openshift-ocp-installer-e2e-aws-csi-4.9 |
|
@atiratree: job(s): release-openshift-ocp-installer-e2e-aws-csi-4.9 either don't exist or were not found to be affected, and cannot be rehearsed |
|
/pj-rehearse pull-ci-openshift-assisted-service-master-push-pr-image |
|
/pj-rehearse periodic-ci-red-hat-data-services-notebooks-release-2023a-notebook-jupyter-pytorch-ubi9-python-3-9-image-mirror-weekly |
|
@atiratree: job(s): either don't exist or were not found to be affected, and cannot be rehearsed |
|
/pj-rehearse release-openshift-origin-installer-e2e-aws-shared-vpc-4.9 |
|
@atiratree: job(s): release-openshift-origin-installer-e2e-aws-shared-vpc-4.9 either don't exist or were not found to be affected, and cannot be rehearsed |
|
/pj-rehearse release-openshift-origin-installer-e2e-azure-shared-vpc-4.9 |
|
/pj-rehearse release-openshift-origin-installer-e2e-aws-disruptive-4.9 |
|
@atiratree: job(s): release-openshift-origin-installer-e2e-azure-shared-vpc-4.9 either don't exist or were not found to be affected, and cannot be rehearsed |
|
/pj-rehearse release-openshift-ocp-installer-e2e-aws-mirrors-4.9 |
|
@atiratree: job(s): release-openshift-origin-installer-e2e-aws-disruptive-4.9 either don't exist or were not found to be affected, and cannot be rehearsed |
|
/pj-rehearse periodic-ci-openshift-cluster-autoscaler-operator-e2e-aws-master |
|
@atiratree: job(s): periodic-ci-openshift-cluster-autoscaler-operator-e2e-aws-master either don't exist or were not found to be affected, and cannot be rehearsed |
atiratree
force-pushed
the
prefer-podman-auth
branch
2 times, most recently
from
6690f43
to
bcc8c5d
Compare
- podman ~/.docker/config.json is deprecated in favor of podman
authentication file locations (default is
${XDG_RUNTIME_DIR}/containers/auth.json)
- oc registry login will try to write to this location so
XDG_RUNTIME_DIR environment variable must be present and the XDG_RUNTIME_DIR
directory created/accessible. Places that need to manipulate with
~/.docker/config.json for backwards compatibility reasons should specify
--to or --registry-config
- other oc commands that lookup credentials from registry authentication files
will first try the podman locations and if the credentials are not found,
oc will fallback and check ~/.docker/config.json
atiratree
force-pushed
the
prefer-podman-auth
branch
from
bcc8c5d
to
5cb6c26
Compare
|
/pj-rehearse refresh |
|
@atiratree: the
A total of 2462 jobs have been affected by this change. The above listing is non-exhaustive and limited to 35 jobs. A full list of affected jobs can be found here Interacting with pj-rehearseComment: Once you are satisfied with the results of the rehearsals, comment: |
|
/pj-rehearse |
|
the rehearse failures do not seem to be connected to these changes |
|
/pj-rehearse |
|
the additional rehearse failures do not seem to be relevant as well |
|
Issues in openshift/release go stale after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
Stale issue in openshift/release rot after 15d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
openshift-ci
bot
removed
the
lifecycle/rotten
|
/pj-rehearse max |
|
@atiratree: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/approve |
openshift-ci
bot
added
the
approved
|
/pj-rehearse ack |
openshift-ci-robot
added
the
rehearsals-ack
openshift-merge-robot
merged commit 1122e12
into
openshift:master
|
@atiratree: Updated the following 24 configmaps:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
- podman ~/.docker/config.json is deprecated in favor of podman
authentication file locations (default is
${XDG_RUNTIME_DIR}/containers/auth.json)
- oc registry login will try to write to this location so
XDG_RUNTIME_DIR environment variable must be present and the XDG_RUNTIME_DIR
directory created/accessible. Places that need to manipulate with
~/.docker/config.json for backwards compatibility reasons should specify
--to or --registry-config
- other oc commands that lookup credentials from registry authentication files
will first try the podman locations and if the credentials are not found,
oc will fallback and check ~/.docker/config.json
we want to remove preference for docker auth files in favor of podman ones in openshift/oc#1376. Since openshift/release depends on the cli (oc) to obtain and manipulate images and releases, we need to first merge the changes in openshift/ci-tools#3345 and then here before the changes in oc can be merged. This change was announced in 4.10 and a proper warning was shown when using oc commands that work with registries since then.