bootc icon indicating copy to clipboard operation
bootc copied to clipboard
verified publisher icon containers

bootc install does not use my podman credentials

Open stefwalter opened this issue 1 year ago • 9 comments

I've tried to install a bootable container with an install to-filesystem as documented here: https://containers.github.io/bootc/bootc-install.html#executing-bootc-install

My image is pushed in a private registry tag (in quay.io). However bootc cannot access my repository. I used podman login quay.io to login on the host, which allows podman to pull the container image, but for some reason that I cannot understand bootc wants to access it again:

# sudo podman run --rm --privileged --pid=host --security-opt label=type:unconfined_t -v /:/target -v /var/lib/containers:/var/lib/containers quay.io/swalter/tuesday:1.0 bootc install to-filesystem --karg=console=ttyS0,115200n8 --replace=alongside /target
Trying to pull quay.io/swalter/tuesday:1.0...
Getting image source signatures
Copying blob 123a23fee02f done  
Copying blob 123a23fee02f done  
... snip ...
Copying blob f76da783556e done  
Copying config 4787122538 done  
Writing manifest to image destination
ERROR Installing to filesystem: Verifying fetch: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: reading manifest 1.0 in quay.io/swalter/tuesday: unauthorized: access to the requested resource is not authorized

stefwalter avatar Mar 26 '24 11:03 stefwalter

I would expect that bootc install doesn't need to know the registry. What if the image was local, and not pushed to a registry?

stefwalter avatar Mar 26 '24 11:03 stefwalter

https://github.com/containers/bootc/issues/428 tracks importing credentials in this case; what do you think of that one?

I would expect that bootc install doesn't need to know the registry. What if the image was local, and not pushed to a registry?

There is --skip-fetch-check for this use case. But the fetch check is exactly to avoid this foot-gun. Would improving the error message help? Something like linking to the documentation? (I expanded https://github.com/containers/bootc/pull/430 recently related to this too).

cgwalters avatar Mar 26 '24 11:03 cgwalters

Why is this a foot-gun? Why would fetch check be an error? Should it only be a warning by default?

stefwalter avatar Mar 26 '24 12:03 stefwalter

Why is this a foot-gun? Why would fetch check be an error?

Because it's really easy to fall into the trap of failing to configure the fetch credentials inside one's image, right?

cgwalters avatar Mar 26 '24 18:03 cgwalters

I usually save QUAY_SECRET into /etc/ostree/auth.json and copy auth.json into container image when build image.

QUAY_SECRET=$(echo -n "${QUAY_USERNAME}:${QUAY_PASSWORD}" | base64 -w 0)

{
  "auths": {
    "quay.io": {
      "auth": "$QUAY_SECRET"
    }
  }
}

henrywang avatar Mar 27 '24 14:03 henrywang

I stumbled upon this issue, it's not obvious why bootc doesn't use the same files as podman to organize authentication. As further argument, I'd like to add that the flightctl-agent follows podman there when it comes to updating the OS, so that you need to hold and maintain twice the same information for basically the same purpose.

ericzolf avatar Feb 20 '25 13:02 ericzolf

To add to this it seems logical that if you were to pull the OS image into container storage IE podman pull $image then use containers-storage as the transport any auth needed would come from container auth.

$ podman pull 192.168.1.42:5000/flightctl-device:v3
Trying to pull 192.168.1.42:5000/flightctl-device:v3...
Getting image source signatures
Copying blob f314e09c5f79 skipped: already exists  
Copying blob f314e09c5f79 skipped: already exists 
....

$ bootc switch --transport containers-storage 192.168.1.42:5000/flightctl-device:v3
layers already present: 75; layers needed: 2 (624 bytes)
Fetched layers: 624 B in 15 seconds (41 B/s)

If the image is pulled why do we still need to fetch 2 layers?

hexfusion avatar Feb 21 '25 17:02 hexfusion

I stumbled upon this issue, it's not obvious why bootc doesn't use the same files as podman to organize authentication.

See https://github.com/containers/image/pull/1746

you need to hold and maintain twice the same information for basically the same purpose.

Yes, I agree it is painful, but there is a rationale.

https://docs.fedoraproject.org/en-US/bootc/container-pull-secrets/#_unifying_bootc_and_podman_credentials has one suggestion.

cgwalters avatar Feb 21 '25 17:02 cgwalters

If the image is pulled why do we still need to fetch 2 layers?

containers-storage aka /var/lib/containers is disjoint from the bootc-owned storage. See https://containers.github.io/bootc/filesystem-storage.html and https://github.com/containers/bootc/issues/20 for related topics. So those two layers were copied from /var/lib/containers/storage to /sysroot/ostree (and unfortunately without even using reflinks, for that see also https://github.com/containers/storage/issues/1849 ).

cgwalters avatar Feb 21 '25 17:02 cgwalters