docker login with docker.io creds "successfully" logs-into registry.fedoraproject.org then fails to push to registry-1.docker.io #22400
Comments
I guess the login successful command should say Login Succeeded registry.fedoraproject.org! Or potentially better, if Podman and Buildah could figure it out, would be to return an error and tell the user to specify the registry. This is probably the more secure thing to do, since your credentials were sent to registry.fedoraproject.org. If podman/buildah know that there are more than one registry, and the user does not specify one, it should error and tell the user to specify a registry. |
Just need someone to step up to open a PR. |
A friendly reminder that this issue had no activity for 30 days. |
Mind if I have a look? I am new here so just need to get familiar with the codebase :)) |
You got it. |
@rhatdan hi, I have a question as I am walking through this. This does mean that podman login/logout would not be compatible with
Otherwise, this makes sense to me! Seems like it's out of scope of podman and must be done in https://github.com/containers/common. What are your thoughts? |
I'd suggest reverting #5233 since logging in unintentionally to a different registry doesn't look good from a security point of view. If reverting is not ideal, then we can let the user confirm their choice while displaying the registry podman would end up logging in to, allowing the user to choose not to login to a different registry and modifying the registries.conf as desired or even pass the registry as a flag. |
Sounds reasonable to me on the security standpoint! I suppose anyone would not want their credentials sent elsewhere unintended, for example, a tampered registries.conf.
This is a good idea here. Though, it can be a bit tough for non-interactive login that would just want to skip confirmation. Something like |
To keep it simple for now unless we decide otherwise later, I will have a look to output the registry that is being logged in. |
Hello, |
Hey @arsenalzp , I have yet to hear back on which direction to go in this issue, so there has yet to be any progress. Though, not sure if I have the time in the next couple months, so feel free to work on it :D |
Please assign it to me. |
Greetings! I want to take the mantle to fix this but seems that @arsenalzp is next in line for fixing the issue. |
So if I understand correctly it needs to ask specific registry if there is already one in the |
/assign |
Awesome thanks @lslavkov |
I don't think that is really ideal situation to revert the code. Based on commits I have checked that is no longer possible to return on that point. Would need to code the stuff for that.
Would be better to fail command with context of like |
How about if you have more than one registry then we force users to enter the specific registry. Then if they only have one listed, it just works. |
Actually it is better to target directly the registry from |
That is what I was talking about. If you have one unqualified registry listed in registry.conf say quay.io, then Should work as well as If we have more than one unqualified registry in registries.conf, then should throw an error saying please pick a registry. |
Discussed in #22394
Originally posted by azdle April 16, 2024
Issue Description
First off, I'm not sure if this is a podman issue or a fedora package issue, but I figured this might be helpful here since there are a lot of closed, but unresolved, issues here that seem like they could be caused by this. Also, this is on 4.9.4, I haven't tried v5.
Doing a fresh setup with podman-docker installed on fedora and following docker.io's instructions for logging in and pushing my first image, I'm told my "Login Succeeded!", but when I try to push I get a "resource denied" error.
It seems running docker login -u $USER stores the access token as a token for registry.fedoraproject.org (not what I expected), but when I try to push it tries to push to registry-1.docker.io (is what I expected).
Steps to reproduce the issue
a. Create access token
b. run docker login -u $USER
c. enter token
Describe the results you received
Describe the results you expected
^ exit success
or
Failure for the login command
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
No response
Additional information
Workaround
For anyone else having this issue, either edit your auth.json file to say "registry-1.docker.io" or just run docker login -u $USER registry-1.docker.io instead.