Support logging into a registry if necessary #787
Closed
+549
−15
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HarryMichal
added
3. Enhancement
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 7, 2021
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
1155a56 to
fc636da
Compare
HarryMichal
changed the title
|
Build succeeded.
|
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 8, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in. The parsing process is quite fragile since Podman does not provide clear means to distinguish such cases and provided messages differ between registries. This should distinguish authorization errors with registry.redhat.io and docker.io. Testing of this feature is tricky as it relies on network which is inherently flaky. So, not everything added/changed by this will be tested. In the future we'll have to start mocking servers to be able to do so. containers#787
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
fc636da to
6808d35
Compare
|
Build failed.
|
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 8, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in. The parsing process is quite fragile since Podman does not provide clear means to distinguish such cases and provided messages differ between registries. This should distinguish authorization errors with registry.redhat.io and docker.io. Testing of this feature is tricky as it relies on network which is inherently flaky. So, not everything added/changed by this will be tested. In the future we'll have to start mocking servers to be able to do so. containers#787
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
6808d35 to
bbcd5e1
Compare
|
Build failed.
|
|
recheck |
|
Build failed.
|
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 9, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in. The parsing process is quite fragile since Podman does not provide clear means to distinguish such cases and provided messages differ between registries. This should distinguish authorization errors with registry.redhat.io and docker.io. Testing of this feature is tricky as it relies on network which is inherently flaky. So, not everything added/changed by this will be tested. In the future we'll have to start mocking servers to be able to do so. containers#787
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
bbcd5e1 to
4ab6577
Compare
|
Build succeeded.
|
|
I may have gotten an idea on how to test this reliably. Until I have it figured out or I give up, let's postpone merging this. EDIT: I also found more info regarding the parsed error messages. I started to make more sense of them :). All thanks to reading the documentation \o/. |
tpopela
reviewed
Jun 10, 2021
src/pkg/podman/podman.go
Outdated
| return nil | ||
| } | ||
|
|
||
| // Pull pulls an image. Wraps around command 'podman pull'. |
There was a problem hiding this comment.
I think that is intentional since Go tooling requires function comments to start with the name of the function. But I'd reword the function anyway :).
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 12, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in or tell the user that the requested image/manifest does not exist. The parsing process relies on error messages that match the OCI specification[0]. Testing of this feature is tricky as it relies on network which is inherently flaky. So, as part of the setup two local image registries are created and these features can be tested against them. To prevent the removal of the registries during testing a flag --namespace is used in Podman during their creation. [0] https://github.com/opencontainers/distribution-spec/blob/main/spec.md#error-codes containers#787
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
4ab6577 to
b160671
Compare
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 12, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in or tell the user that the requested image/manifest does not exist. The parsing process relies on error messages that match the OCI specification[0]. Testing of this feature is tricky as it relies on network which is inherently flaky. So, as part of the setup two local image registries are created and these features can be tested against them. To prevent the removal of the registries during testing a flag --namespace is used in Podman during their creation. [0] https://github.com/opencontainers/distribution-spec/blob/main/spec.md#error-codes containers#787
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
b160671 to
b88cc96
Compare
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 12, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in or tell the user that the requested image/manifest does not exist. The parsing process relies on error messages that match the OCI specification[0]. Testing of this feature is tricky as it relies on network which is inherently flaky. So, as part of the setup two local image registries are created and these features can be tested against them. To prevent the removal of the registries during testing a flag --namespace is used in Podman during their creation. [0] https://github.com/opencontainers/distribution-spec/blob/main/spec.md#error-codes containers#787
HarryMichal
force-pushed
the
cmd/create/support-registry-authentication
branch
from
b88cc96 to
12b766c
Compare
HarryMichal
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jun 12, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offer the user the means to log in or tell the user that the requested image/manifest does not exist. The parsing process relies on error messages that match the OCI specification[0]. Testing of this feature is tricky as it relies on network which is inherently flaky. So, as part of the setup two local image registries are created and these features can be tested against them. To prevent the removal of the registries during testing a flag --namespace is used in Podman during their creation. [0] https://github.com/opencontainers/distribution-spec/blob/main/spec.md#error-codes containers#787
|
Build failed.
|
debarshiray
pushed a commit
to HarryMichal/toolbox
that referenced
this pull request
Jul 4, 2021
debarshiray
pushed a commit
to HarryMichal/toolbox
that referenced
this pull request
Jul 4, 2021
debarshiray
added a commit
to HarryMichal/toolbox
that referenced
this pull request
Jul 4, 2021
A subsequent commit will use this when retrying the 'podman pull' after logging the user into the registry for images that require authorization. containers#787
debarshiray
pushed a commit
to HarryMichal/toolbox
that referenced
this pull request
Jul 4, 2021
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offers the user the means to log in. Some changes by Debarshi Ray. containers#787
debarshiray
pushed a commit
to HarryMichal/toolbox
that referenced
this pull request
Jul 4, 2021
Testing of this feature is tricky as it relies on network which is inherently flaky. So, as part of the setup two local image registries are created and these features can be tested against them. To prevent the removal of the registries during testing a different root for Podman is used. The only tested registry implementation is Docker[0]. [0] https://hub.docker.com/_/registry/ containers#787
debarshiray
pushed a commit
to HarryMichal/toolbox
that referenced
this pull request
Jul 4, 2021
The new additions to the system tests makes them take longer to run, and was causing them to timeout. containers#787
debarshiray
force-pushed
the
cmd/create/support-registry-authentication
branch
from
ce01f2a to
f160b2e
Compare
debarshiray
requested changes
Jul 4, 2021
| load 'libs/helpers' | ||
|
|
||
| @test "test suite: Setup" { | ||
| # Cache the default image for the system | ||
| _pull_and_cache_distro_image $(get_system_id) $(get_system_version) || die | ||
| # Cache all images that will be needed during the tests | ||
| _pull_and_cache_distro_image fedora 32 || die | ||
| _pull_and_cache_distro_image rhel 8.4 || die |
There was a problem hiding this comment.
Can't we use a Fedora (or anything that's not UBI) image for testing?
| $PODMAN --root "$PODMAN_REG_ROOT" logs docker-registry-auth | ||
|
|
||
| # Add UBI8 to created registries | ||
| run $SKOPEO copy "dir:${IMAGE_CACHE_DIR}/fedora-toolbox-32" "docker://localhost:50000/fedora-toolbox:32" |
There was a problem hiding this comment.
Typo in the comment? Is the comment really necessary? We didn't use one for the similar statement below. :)
|
Build failed.
|
debarshiray
changed the title
This is meant to get a better understanding of a failed 'podman pull' invocation to understand whether pulling an image requires logging into the registry or not. Currently, 'podman pull' doesn't have a dedicated exit code to denote authorization errors, so this is meant to be a temporary workaround for that. Parsing the error stream is inherently fragile and tricky because there's no guarantee that the structure of the messages won't change, and there's no clear definition of how the messages are laid out. Therefore, this approach can't be treated as a generic solution for getting detailed information about failed Podman invocations. The error stream is used not only for dumping error messages, but also for showing progress bars. Therefore, all lines are skipped until one that starts with "Error: " is found. This is a heuristic based on how Go programs written using the Cobra [1] library tend to report errors. All subsequent lines are taken together and split around the ": " sub-string, on the assumption that the ": " sub-string is used when a new error message is prefixed to an inner error. Each sub-string created from the split is treated as a potential member of the chain of errors reported within Podman. Some real world examples of the 'podman pull' error stream in the case of authorization errors are: * With Docker Hub (https://hub.docker.com/): Trying to pull docker.io/library/foobar:latest... Error: Error initializing source docker://foobar:latest: Error reading manifest latest in docker.io/library/foobar: errors: denied: requested access to the resource is denied unauthorized: authentication required * With registry.redhat.io: Trying to pull registry.redhat.io/foobar:latest... Error: Error initializing source docker://registry.redhat.io/foobar:latest: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication [1] https://github.com/spf13/cobra/ https://pkg.go.dev/github.com/spf13/cobra containers#689 containers#786 containers#787
This way the standard error stream of the spawned binaries can be inspected to get a better understanding of the failure, while still being shown to the user when run with the '--verbose' flag. Unfortunately, this breaks the progress bar in 'podman pull' because the standard error stream is no longer connected to a file descriptor that's a terminal device. containers#689 containers#787 containers#823
A subsequent commit will use this when retrying the 'podman pull' after logging the user into the registry for images that require authorization. containers#689 containers#787
Some registries contain private repositories of images and require the user to log in first to gain access. With this Toolbox tries to recognize errors when pulling images and offers the user the means to log in. Some changes by Debarshi Ray. containers#689 containers#787
Testing of this feature is tricky as it relies on network which is inherently flaky. So, as part of the setup two local image registries are created and these features can be tested against them. To prevent the removal of the registries during testing a different root for Podman is used. The only tested registry implementation is Docker[0]. [0] https://hub.docker.com/_/registry/ containers#689 containers#787
The new additions to the system tests makes them take longer to run, and was causing them to timeout. containers#689 containers#787
debarshiray
force-pushed
the
cmd/create/support-registry-authentication
branch
from
f160b2e to
ba2fc50
Compare
|
Build failed.
|
This was referenced Jul 4, 2021
|
Unless In the absence of a dedicated exit code from First, the messages that get dumped in the error stream don't have any fixed structure or format, and can change from one Podman version to another. Moreover, the error stream is also used to show things like progress bars, so those need to be skipped when parsing it. This makes it very fragile to test whether the parsing works as expected across several Podman versions in several operating systems. Second, since the error stream is also used to show progress bars for So, long story short, we either need |
|
I'll close this since this approach is not acceptable long-term-wise. If the work is attempted again, it can be done in a separate PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This introduces handling of registries with private repositories/images. Practically speaking, if a used image lives in a registry behind a login wall, Toolbox will be aware of the fact and asks the user if they want to log in. This can be automated by combining the existing global
--assumeyesoption with newly introduced options--authfileand--credsin commandcreate.The authentication is done by Podman and Toolbox only serves as a mediator between the user and Podman. It does not record/store user's credentials in any way.
Examples of the new behaviour:
Depends on #786, #823
Closes #754