When building an OCI image with Jib and Podman, if the base image is stored in a registry that requires authentication, Jib looks up the docker authentication token and fails to connect, unless Docker itself is logged in, independently of Podman.
The documentation explains clearly how to specify another folder where to look up the authentication token, but Podman not only uses a different folder location but also uses a different filename: it writes to ${XDG_RUNTIME_DIR}/containers/auth.json as opposed to ${HOME}/.docker/config.json, which as far as I could tell is not currently configurable in Jib.
Expected behavior:
When using Podman, it should be possible to let Jib use Podman's authentication token.
I suggest extending Jib's behaviour so that we can either specify a specific file where to look up authentication tokens, or, given the growing popularity of Podman, let Jib also look for the authentication token in ${XDG_RUNTIME_DIR}/containers/auth.json by default, which would let Podman work out of the box and make Jib less Docker-specific.
Steps to reproduce:
# this stores an authentication token in ${XDG_RUNTIME_DIR}/containers/auth.json
aws ecr get-login-password | podman login --username AWS --password-stdin <my-aws-account-id>.dkr.ecr.eu-west-1.amazonaws.com
# this expects the token to be found in ~/.docker/config.json and therefore fails to connect to ECR:
mvn jib:dockerBuild -Djib.dockerClient.executable=$(which podman)
As a work-around, one can log in with Docker and use Podman with Jib:
# this works, but makes Podman rely on Docker's token :(
aws ecr get-login-password | docker login --username AWS --password-stdin <my-aws-account-id>.dkr.ecr.eu-west-1.amazonaws.com
mvn jib:dockerBuild -Djib.dockerClient.executable=$(which podman)
Another work-around is to let Podman write into Docker's config:
# this works, but makes Podman write into Docker's config!
aws ecr get-login-password | podman login --username AWS --password-stdin <my-aws-account-id>.dkr.ecr.eu-west-1.amazonaws.com --authfile=${HOME}/.docker/config.json
mvn jib:dockerBuild -Djib.dockerClient.executable=$(which podman)
Neither of those two workarounds seems satisfactory to me, since they make two independent tools share one single location for storing security details and other configuration.
I'm happy to work on this if that's relevant.
Looking forward to your thoughts.
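A third option that avoids the shared file the issue objects to, as an added example that is not part of the original issue and not Jib's own code: copy only the one registry's entry from Podman's auth file into a private, throwaway directory and point the build at that directory. It assumes Jib honours the `DOCKER_CONFIG` environment variable as the "another folder" mechanism the issue mentions, and that Podman's file uses the same top-level `auths` layout as Docker's `config.json`; the function names are hypothetical.

```python
import json
import os
import stat
import sys
import tempfile


def podman_auth_path(env=os.environ):
    """Path the issue says `podman login` writes its token to."""
    return os.path.join(env["XDG_RUNTIME_DIR"], "containers", "auth.json")


def export_registry_auth(registry, src, dest_dir=None):
    """Write only `registry`'s entry from `src` to <dest_dir>/config.json.

    Returns the directory to pass to the build as DOCKER_CONFIG (assumption:
    the build tool reads $DOCKER_CONFIG/config.json). Matching is exact, so
    `registry` must be spelled the way it was given to `podman login`.
    """
    with open(src, encoding="utf-8") as fh:
        auths = json.load(fh).get("auths", {})
    if registry not in auths:
        raise KeyError(f"no login for {registry} in {src}")

    # mkdtemp creates the directory with mode 0700; chmod also covers a
    # caller-supplied directory.
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="jib-auth-")
    os.chmod(dest_dir, stat.S_IRWXU)
    dest = os.path.join(dest_dir, "config.json")
    # O_EXCL refuses to overwrite or follow anything already at dest;
    # mode 0600 keeps the token readable by the owner only.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        # Other registries' credentials in src are deliberately left out.
        json.dump({"auths": {registry: auths[registry]}}, fh)
    return dest_dir


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: export_auth.py <registry-host>")
    print(export_registry_auth(sys.argv[1], podman_auth_path()))
```

Run it after `podman login`, set `DOCKER_CONFIG` to the printed directory for the `mvn jib:dockerBuild` invocation only, and delete the directory once the build finishes.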