podman auto-update should support multiple authfiles #6159

Closed
neVERberleRfellerER opened this issue May 10, 2020 · 7 comments · Fixed by #6186
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@neVERberleRfellerER (Contributor)

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

podman auto-update does not respect --authfile originally used to pull image nor original REGISTRY_AUTH_FILE. It also does not take REGISTRY_AUTH_FILE environment variable manually added to generated systemd services. This makes it impossible to use reliably with gitlab container repositories belonging to particular gitlab instance since all gitlab repositories are on the same domain as their owning gitlab instance.

Steps to reproduce the issue:

  1. Pull at least two images from same registry where different credentials are required for each image.

  2. Start containers from these, generate systemd services, stop original containers and start generated services.

  3. Start podman auto-update

Describe the results you received:

failed: Requesting bear token: invalid status code from registry 403 (Forbidden)

Describe the results you expected:

(nothing) if no new versions of previously pulled images were pushed, update otherwise.

Additional information you deem important (e.g. issue happens only occasionally):

issue happens all the time.

Output of podman version:

Version:            1.9.1
RemoteAPI Version:  1
Go Version:         go1.12.17
Built:              Wed Apr 29 02:00:00 2020
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  gitCommit: ""
  goVersion: go1.12.17
  podmanVersion: 1.9.1
host:
  arch: amd64
  buildahVersion: 1.14.8
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.15-1.1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.15, commit: unknown'
  cpus: 2
  distribution:
    distribution: '"opensuse-microos"'
    version: "20200507"
  eventLogger: file
  hostname: kubic1
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 100
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 477
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 5.6.11-1-default
  memFree: 105771008
  memTotal: 1862139904
  ociRuntime:
    name: runc
    package: runc-1.0.0~rc10-3.1.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc10
      spec: 1.0.1-dev
  os: linux
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.0.0-1.1.x86_64
    version: |-
      slirp4netns version 1.0.0
      commit: unknown
      libslirp: 4.3.0
  swapFree: 0
  swapTotal: 0
  uptime: 14h 9m 29.87s (Approximately 0.58 days)
registries:
  search:
  - docker.io
store:
  configFile: /var/lib/container-runner/.config/containers/storage.conf
  containerStore:
    number: 6
    paused: 0
    running: 3
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.0.0-1.1.x86_64
      Version: |-
        fuse-overlayfs: version 1.0.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /var/lib/container-runner/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 4
  runRoot: /run/user/477/containers
  volumePath: /var/lib/container-runner/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.9.1-1.1.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):

physical

@rhatdan (Member) commented May 11, 2020

Thanks @neVERberleRfellerER
Interested in opening a Pull Request for fixing this issue?

@neVERberleRfellerER (Contributor, Author)

@rhatdan I have basics here https://github.com/neVERberleRfellerER/libpod/tree/sysgenauth, but I can't really test it beyond systemd unit generation because auto-update in master does not do anything (at least when I build it on Fedora 32 or Arch; it never makes it past https://github.com/neVERberleRfellerER/libpod/blob/sysgenauth/pkg/autoupdate/autoupdate.go#L103 , not sure why) and v1.9 is too different. Maybe when auto update starts working again I can return to it.

@vrothberg (Member)

This would mean that no container has the "io.containers.autoupdate=image" label set. I can have a look at it.

Thanks for opening the issue! Support for --authfile is definitely a logical next step. I am quite happy to see that autoupdates are already being used.

@neVERberleRfellerER (Contributor, Author)

> This would mean that no container has the "io.containers.autoupdate=image" label set. I can have a look at it.

It looks more like label detection issue because even when I use podman from master for everything, auto-update from podman 1.9 (using different binary) works and complains about registry permissions. At the same time autoupdate from master doesn't do anything.

@vrothberg (Member)

I opened #6186 which adds support for --authfile.

vrothberg added a commit to vrothberg/libpod that referenced this issue May 12, 2020
Support using custom authfiles for auto updates by adding a new
`--authfile` flag and passing it down into the backend.

Also do some minor fixes in the help text and the man page.

Fixes: containers#6159
Signed-off-by: Valentin Rothberg <[email protected]>
@neVERberleRfellerER (Contributor, Author)

@vrothberg Would you also accept my approach on top of functionality provided by your PR (when I can finally test it properly)?
My approach persists the authfile path into an environment variable in generated systemd services and autoupdate reads it the same way it's done with PODMAN_SYSTEMD_UNIT. Or I can drop persistence and just add environment into generated systemd files manually - even this simpler approach would help me tremendously, otherwise I'd have to create multiple timers (one per gitlab group).

@vrothberg (Member)

Sure, feel free to open a PR at any time! Note that auto-updates now support the REGISTRY_AUTH_FILE env variable.

If you want to extend generate systemd and add a REGISTRY_AUTH_FILE there, I suggest generalizing the problem and adding an --env flag: `generate systemd --env KEY=VAL --env KEY=VAL`

This way, we can support a whole range of env variables at once. Feel free to reach out here or on IRC if you want to chat.
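An added example, not podman's code nor the issue author's branch, of the per-unit approach discussed above: it writes REGISTRY_AUTH_FILE into a constructed sample unit the way a generate systemd --env flag would, resolves which authfile an auto-update run should use (an explicit --authfile wins over the unit's environment), and refuses a credentials file readable by other users. The unit text, paths and function names are assumptions; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not podman's code): per-unit REGISTRY_AUTH_FILE injection
# plus the authfile resolution an auto-update run would apply to that unit.
# Unit text, paths and function names are constructed for this example.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
UNIT="$WORK/container-web.service"
# Constructed sample unit shaped like 'podman generate systemd' output.
cat > "$UNIT" <<'EOF'
[Unit]
Description=Podman container-web.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/usr/bin/podman run --label io.containers.autoupdate=image --name web registry.example.com/group-a/web:latest
[Install]
WantedBy=default.target
EOF

# add_unit_env UNIT KEY VALUE: set Environment=KEY=VALUE under [Service],
# dropping any stale value for KEY so repeated calls stay idempotent.
add_unit_env() {
  awk -v key="$2" -v kv="Environment=$2=$3" '
    index($0, "Environment=" key "=") == 1 { next }
    { print }
    /^\[Service\]$/ { print kv }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# unit_authfile UNIT: print the REGISTRY_AUTH_FILE the unit carries, if any.
unit_authfile() { sed -n 's/^Environment=REGISTRY_AUTH_FILE=//p' "$1"; }

# resolve_authfile FLAG UNIT: --authfile wins, then the unit's env var,
# else empty (fall back to podman's default credential lookup).
resolve_authfile() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else unit_authfile "$2"; fi
}

# check_authfile PATH: 0 only for an existing file with no group/other
# permission bits (0600, 0400), since it holds registry credentials.
check_authfile() {
  [ -f "$1" ] || return 1
  case "$(stat -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

add_unit_env "$UNIT" REGISTRY_AUTH_FILE /etc/containers/auth-group-a.json
resolve_authfile "" "$UNIT"   # prints /etc/containers/auth-group-a.json
```

A timer running `podman auto-update --authfile "$(resolve_authfile "" "$UNIT")"` per unit would then use each GitLab group's own credentials instead of one shared file.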

snj33v pushed a commit to snj33v/libpod that referenced this issue May 31, 2020
Support using custom authfiles for auto updates by adding a new
`--authfile` flag and passing it down into the backend.

Also do some minor fixes in the help text and the man page.

Fixes: containers#6159
Signed-off-by: Valentin Rothberg <[email protected]>
mheon added a commit to mheon/libpod that referenced this issue Sep 2, 2022
Mitigates a potential permissions issue. Mirrors Buildah PR containers#4200
and CRI-O PR containers#6159.

Signed-off-by: Matthew Heon <[email protected]>
mheon added a commit to mheon/libpod that referenced this issue Sep 7, 2022
Mitigates a potential permissions issue. Mirrors Buildah PR containers#4200
and CRI-O PR containers#6159.

Cherry-pick conflicts for v3.0.1-rhel branch have been addressed.

Signed-off-by: Matthew Heon <[email protected]>
dcermak pushed a commit to dcermak/podman that referenced this issue Sep 22, 2022
Mitigates a potential permissions issue. Mirrors Buildah PR containers#4200
and CRI-O PR containers#6159.

Signed-off-by: Matthew Heon <[email protected]>
(cherry picked from commit d82a416)
mheon added a commit to mheon/libpod that referenced this issue Feb 3, 2023
Mitigates a potential permissions issue. Mirrors Buildah PR containers#4200
and CRI-O PR containers#6159.

Signed-off-by: Matthew Heon <[email protected]>

MH: Backported to v4.0-rhel per RHBZ #2121541

Signed-off-by: Matthew Heon <[email protected]>