Shortnames are broken in 3.0.0 due to missing list of unqualified-search registries

[edigaryev]

3.0.0 changelog states that:

Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.

As described in the RedHat blog about this feature, the user can expect some form of fallback in case no shortname alias is defined:

If no matching alias is found, Podman will now prompt the user to choose one of the unqualified-search registries.

However, because the 3.0.0 installation is missing these registries, pulling python:latest (or any other image not currently included in the shortnames list) results in an unexpected result:

$ podman version
Version:      3.0.0
API Version:  3.0.0
Go Version:   go1.14
Built:        Thu Jan  1 03:00:00 1970
OS/Arch:      linux/amd64
$ podman pull python:latest
Error: error getting default registries to try: short-name "python:latest" did not resolve to an alias and no unqualified-search registries are defined in ""

The package that presumably should ship the registries configuration:

$ dpkg -l | grep containers-common
ii  containers-common                100:1-7                           all          Configuration files for working with image signatures.
$ dpkg -L containers-common
/.
/etc
/etc/containers
/etc/containers/containers.conf
/etc/containers/policy.json
/etc/containers/registries.conf.d
/etc/containers/registries.conf.d/shortnames.conf
/etc/containers/registries.d
/etc/containers/registries.d/default.yaml
/etc/containers/storage.conf
/usr
/usr/share
/usr/share/containers
/usr/share/containers/containers.conf
/usr/share/doc
/usr/share/doc/containers-common
/usr/share/doc/containers-common/changelog.Debian.gz
/usr/share/doc/containers-common/copyright
/usr/share/man
/usr/share/man/man5
/usr/share/man/man5/containers-auth.json.5.gz
/usr/share/man/man5/containers-certs.d.5.gz
/usr/share/man/man5/containers-mounts.conf.5.gz
/usr/share/man/man5/containers-policy.json.5.gz
/usr/share/man/man5/containers-registries.conf.5.gz
/usr/share/man/man5/containers-registries.conf.d.5.gz
/usr/share/man/man5/containers-registries.d.5.gz
/usr/share/man/man5/containers-signature.5.gz
/usr/share/man/man5/containers-storage.conf.5.gz
/usr/share/man/man5/containers-transports.5.gz
/usr/share/man/man5/containers.conf.5.gz
/var
/var/lib
/var/lib/containers
/var/lib/containers/sigstore

It would be nice if this list would be included and contain at least something like:

unqualified-search-registries=["docker.io"]

...to adhere to the principle of least astonishment.

[rhatdan]

Is this on Debian? Ubuntu?

The registries.conf file is invalid it should have at least that registry in the list/

[mheon]

I think this is a dupe, but I can't find the other bug.

Regardless, this is not the first I've heard of this - it seems like we're having packaging issues in OBS. @lsm5 PTAL

[edigaryev]

Is this on Debian? Ubuntu?

The registries.conf file is invalid it should have at least that registry in the list/

I'm observing this on both distros, the repos are:

• Debian: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/
• Ubuntu: https://ftp.gwdg.de/pub/opensuse/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/

The https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/all/containers-common_1-7_all.deb file doesn't seem to contain registries.conf at all.

[lsm5]

Should be fixed with podman 100:3.0.0-3. Building on OBS atm: https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/podman . Will be available hopefully in an hour or less.

I'll keep the bug open for now. Please close it if this resolves your issue.

[edigaryev]

I'll keep the bug open for now. Please close it if this resolves your issue.

Thanks! Closing because it works now.

[Giszmo]

$ podman --version
podman version 3.0.1
$ podman pull python:latest
Error: error getting default registries to try: short-name "python:latest" did not resolve to an alias and no unqualified-search registries are defined in "/etc/containers/registries.conf"

Is this issue back? Maybe the message should suggest what most people probably want anyway: "Try docker.io/python:latest instead".

[rhatdan]

This is up to the distribution to decide. We don't want to force user to docker.io. A reasonable site might decide to have no default registry, so this error message is valid.

[Giszmo]

@rhatdan yours is the principled approach but it's also ignorant to people who just want to get things done. I lost 20 minutes on this because I didn't know if docker uses hub.docker.com or docker.io or ... as default and neither did I know how to provide the url. Is it url:image:version or url/with/repo/path:image:version, ... I never cared and never had to and when searching for a python image, the run instructions usually do not include that part neither.

The current error message is just a terrible time-waster and frustrates the user, especially if he's trying to migrate from docker where it "just works". Add a link to an explainer with examples please!

[vrothberg]

Note that there is a security issue behind these changes: https://www.redhat.com/sysadmin/container-image-short-names

Which distribution are you running on, @Giszmo?

I sympathize with the frustration but our hands are tied. Do you think pointing to the containers-registries.conf(5) man page in the error message would have helped you resolve the issue faster?

For the record, the fix in this case would be adding the following line to /etc/containers/registries.conf:
unqualified-search-registries=["docker.io"]

[rhatdan]

@Giszmo How did you get the Podman that you are using? I would figure most naive users get their Podman from a distribution? If a distribution gave you a version without a configured registry, then I could see this as a problem.

If you just grabbed the static version, then you have a point, but there are lots of config files that we need that are not shipped with a static version.

[Giszmo]

I run podman on my Ubuntu 20.04. So if others have the same issue, Ubuntu should be poked. I'm fine with @vrothberg's config I guess. Thanks.

[rhatdan]

Where did you get the Podman from? It looks like it did not pull in containers-common which should have the registries.conf settings.

[Giszmo]

@rhatdan:

$ sudo apt search containers-common
Sorting... Done
Full Text Search... Done
golang-github-containers-common/hirsute,hirsute,now 0.33.4+ds1-1 all [installed,automatic]
  Common files for github.com/containers repositories

golang-github-containers-common-dev/hirsute,hirsute 0.33.4+ds1-1 all
  Common files for github.com/containers repositories (library)
$ sudo apt list podman
Listing... Done
podman/hirsute,now 3.0.1+dfsg1-1ubuntu1 amd64 [installed]

what exactly should I check?

[rhatdan]

I don't know apt, but this looks like containers-common is installed, did it come with a registries.conf file?

@lsm5 PTAL

[Giszmo]

The podman package did come with a registries.conf ... in /usr/share/doc/podman/examples/registries.conf.

podman depends on golang-github-containers-common which comes with:

$ dpkg -L golang-github-containers-common | grep 'conf$'
/etc/containers/registries.conf.d/shortnames.conf
/usr/share/containers/containers.conf
/etc/containers/containers.conf

but those define no such defaults:

$ cat /etc/containers/registries.conf.d/shortnames.conf | grep -v '^#\|^$'
[aliases]
  # centos
  "centos" = "registry.centos.org/centos"
  # containers
  "skopeo" = "quay.io/skopeo/stable"
  "buildah" = "quay.io/buildah/stable"
  "podman" = "quay.io/podman/stable"
  # docker
  "alpine" = "docker.io/library/alpine"
  "docker" = "docker.io/library/docker"
  "registry" = "docker.io/library/registry"
  "hello-world" = "docker.io/library/hello-world"
  "swarm" = "docker.io/library/swarm"
  # Fedora
  "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
  "fedora" = "registry.fedoraproject.org/fedora"
  # openSUSE
  "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
  "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
  "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "leap" = "registry.opensuse.org/opensuse/leap"
  "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
  # SUSE
  "suse/sle15" = "registry.suse.com/suse/sle15"
  "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
  "sle15" = "registry.suse.com/suse/sle15"
  "sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "sles12sp3" = "registry.suse.com/suse/sles12sp3"
  # Red Hat Enterprise Linux
  "rhel" = "registry.access.redhat.com/rhel"
  "rhel6" = "registry.access.redhat.com/rhel6"
  "rhel7" = "registry.access.redhat.com/rhel7"
  "ubi7" = "registry.access.redhat.com/ubi7"
  "ubi7-init" = "registry.access.redhat.com/ubi7-init"
  "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
  "ubi8" = "registry.access.redhat.com/ubi8"
  "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
  "ubi8-init" = "registry.access.redhat.com/ubi8-init"
  # Debian
  "debian" = "docker.io/library/debian"
  # Ubuntu
  "ubuntu" = "docker.io/library/ubuntu"
$ cat /usr/share/containers/containers.conf | grep -v '^#\|^$'
[containers]
default_capabilities = [
    "CHOWN",
    "DAC_OVERRIDE",
    "FOWNER",
    "FSETID",
    "KILL",
    "NET_BIND_SERVICE",
    "SETFCAP",
    "SETGID",
    "SETPCAP",
    "SETUID",
    "SYS_CHROOT"
]
default_sysctls = [
 "net.ipv4.ping_group_range=0 0",
]
[network]
[engine]
[engine.runtimes]
[engine.volume_plugins]
$ cat /etc/containers/containers.conf | grep -v '^#\|^$'
[containers]
[network]
[engine]
[engine.runtimes]

so if I read that correctly, it makes things work as with docker before, for select few images (alpine, hello-world, ...) but does not default to docker.io for non-listed images.

[rhatdan]

Right this is a packaging issue with Ubuntu. It should ship /etc/containers/registries.comf

[alexander-manley]

Quick fix for the majority of users is to alter one line:
sudo vim /etc/containers/registries.conf
unqualified-search-registries=["docker.io"]

[pgampe]

Even better, add a file /etc/containers/registries.conf.d/docker.conf with just the line unqualified-search-registries=["docker.io"]

[BiggerPicture2]

Quick fix for the majority of users is to alter one line: sudo vim /etc/containers/registries.conf unqualified-search-registries=["docker.io"]

So for this issue do we edit the .conf or the .conf.d?

[rhatdan]

Either is fine.

[BiggerPicture2]

unqualified-search-registries=["docker.io"]
This is the error i get after updating the conf file

[rhatdan]

I guess you need to edit the registries.conf, or there is something wrong with the file.

[BiggerPicture2]

I guess you need to edit the registries.conf, or there is something wrong with the file.

This is what my file consist of

[vrothberg]

It looks more like the /etc/containers/registries.conf.d/shortnames.conf file has an issue.

[BiggerPicture2]

It looks more like the /etc/containers/registries.conf.d/shortnames.conf file has an issue.

[vrothberg]

@BiggerPicture2, the last line 79 shouldn't be there. shortnames.conf should only be for shortnames.

[BiggerPicture2]

Thanks for the help, idk where the error is coming from. maybe its my ubuntu and nvidia/cuda runtime

[vrothberg]

Without a reproducer and/or the exact file, there's not much I can do.

The error message includes the path to the config file that fails to be loaded.

[BiggerPicture2]

you would need to see the container file or the shortnames.conf?

[BiggerPicture2]

Without a reproducer and/or the exact file, there's not much I can do.

The error message includes the path to the config file that fails to be loaded.

Yeah its most likely the container file now. It says it built the image but this error is unusual.

[ryanotella]

For Podman Desktop on MacOS you can get the docker behaviour...
https://www.linkedin.com/pulse/podman-installation-macos-vikas-sharma