Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to login to docker registry using podman on macOS using certificate in keychain #11507

Closed
softinio opened this issue Sep 9, 2021 · 16 comments · Fixed by #12709
Closed
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. machine macos MacOS (OSX) related

Comments

@softinio
Copy link

softinio commented Sep 9, 2021

Is this a FEATURE REQUEST? (leave only one on its own line)

/kind feature

Unable to login to docker registry using podman on macOS using keychain. When I try it I get this after entering username/passowrd:

x509: certificate signed by unknown authority

Note that this works perfectly with docker so not sure if its a feature podman supports or not or I am doing something wrong.

I have created a stackoverflow for it too in case: https://stackoverflow.com/questions/69111227/unable-to-login-to-docker-registry-using-podman-on-macos-x509-certificate-sig

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

version: 3.2.3

Output of podman info --debug:

TBA

Package info (e.g. output of rpm -q podman or apt list podman):

brew install podman

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Used podman machine init and the default VM it uses

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 9, 2021
@guillaumerose
Copy link
Contributor

Just bringing some Docker Desktop knowledge about certs here:

First, when starting the VM, Docker Desktop takes all installed certs (in the keychain for macOS) on the host and push them in the VM (/etc/ssl/...).

Second, user can have custom certs installer in location like this:

~/.docker/certs.d/my.secure.registry/client.cert
~/.docker/certs.d/my.secure.registry/client.key

Docker Desktop will also put these files in the right place in the VM.

@vrothberg vrothberg added the macos MacOS (OSX) related label Sep 10, 2021
@Luap99 Luap99 added the machine label Sep 11, 2021
@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@cgruver
Copy link

cgruver commented Nov 14, 2021

I am struggling with this issue as well. Although, it does work if you add --tls-verify=false to all of your Rodman commands. So, "struggling" is perhaps a bit strong... ;-)

However, since I have trusted the certs for my local registry, it would be nice if there were a way to inject them into the VM that podman machine creates.

@rdean-csx
Copy link

I ran into this issue yesterday and haven't gotten much traction on a solution.

There's a --certs-dir option on the podman pull command within the vm that doesn't exist on the Mac side. Assuming this is because the cert would have to be part of the ignition file at vm startup.

I found this link that suggests that certificates could be added to the CoreOS vm through an entry in the storage.files key:
https://ask.fedoraproject.org/t/how-to-add-certificates-to-coreos-truststore/15031

Would this work for passing in the CA cert, and is there any guidance for producing the kind of ignition file that podman machine needs? I took a stab at it, and it disabled creation of the SSH connection information.

@rhatdan
Copy link
Member

rhatdan commented Nov 16, 2021

@mtrmac @vrothberg Is this a case were we need to include the Certs in the Payload, or do we require the certs to be on the server side? I guess if you copied the Certs into the VM this would work. Not sure what Docker is doing in this case.

@Conan-Kudo
Copy link

In Docker Desktop, the certs are copied from the host into the VM that the true Docker daemon runs in. For Podman on Mac, we'd want the same thing (contents of ~/.config/containers/certs.d and ~/.config/docker/certs.d should be copied to the VM's /etc/containers/certs.d/ directory).

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Dec 26, 2021

@jwhonce @flouthoc Could either of you look into this?

@flouthoc
Copy link
Collaborator

@rhatdan I believe something like cert should not be done over API. Instead it should be done while we are doing the machine init step and we could pass certs via ignition file.

Here is the PR:#12709

@flouthoc
Copy link
Collaborator

@Conan-Kudo @rdean-csx Could one of you please try above PR on macOS I can verify this on a linux machine.

@rhatdan
Copy link
Member

rhatdan commented Dec 27, 2021

I agree this should be done at init or start.

@sherif84
Copy link

sherif84 commented Jan 26, 2022

Hi, can anyone share documentation or validation steps on MacOS after this fix has been merged ?

we are facing the same issue on MacOs and I tried to build 4.0.0-rc2 version , but I'm still running into the same issue where the certs are not copied inside the VM

source code : https//github.com/containers/podman/archive/refs/tags/v4.0.0-rc2.tar.gz
built using directions in : https://github.com/containers/podman/blob/v4.0.0-rc2/build_osx.md ( seems outdated though)

podman-4.0.0-rc2 % bin/darwin/podman version
Client:       Podman Engine
Version:      4.0.0-rc2
API Version:  4.0.0-rc2
Go Version:   go1.17.6

Built:      Wed Jan 26 04:37:51 2022
OS/Arch:    darwin/amd64

Server:       Podman Engine
Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.16.8

Built:      Wed Dec  8 16:45:07 2021
OS/Arch:    linux/amd64

MacOs Host dir :

ls ~/.docker/certs.d
blr.docker.privateregistry.com				build-images-development.qa.docker.privateregistry.com	images.privateregistry.com

VM certs dir

Last login: Wed Jan 26 04:40:26 2022 from 192.168.127.1
[core@localhost ~]$ ls /etc/containers/certs.d/
[core@localhost ~]$

any suggestions ? am i missing something ?

@mheon
Copy link
Member

mheon commented Jan 26, 2022

The fact that the server in the VM is still on v3.4.4 definitely seems like a potential cause

@sherif84
Copy link

yes, i was suspecting that . are there any docs on how to build the server from source ? the instructions here seem to only build the client

@mheon
Copy link
Member

mheon commented Jan 27, 2022

We're talking about how to get a VM image out with Podman v4.0 pre-installed, so folks can test by just swapping in a custom image. Building the image is easy, we just need to figure out how to distribute it; @baude is looking into it.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. machine macos MacOS (OSX) related
Projects
None yet
Development

Successfully merging a pull request may close this issue.