Run subcommand doesn't care about Insecure: true #11933

Closed
Gwerlas opened this issue Oct 12, 2021 · 11 comments · Fixed by #12064
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.


@Gwerlas

Gwerlas commented Oct 12, 2021

/kind bug

Description

Since the upgrade to v3.4.0, podman run triggers "http: server gave HTTP response to HTTPS client" while podman pull works.

Steps to reproduce the issue:

  1. podman run my-insecure-registry:5000/my-image:latest triggers this error:

    Trying to pull my-insecure-registry:5000/my-image:latest...
    Error: initializing source docker://my-insecure-registry:5000/my-image:latest: pinging container registry my-insecure-registry:5000: Get "https://my-insecure-registry:5000/v2/": http: server gave HTTP response to HTTPS client
    
  2. podman system info does show Insecure: true

  3. podman pull my-insecure-registry:5000/my-image:latest downloads the image successfully

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 12, 2021
@Gwerlas Gwerlas changed the title Run subcommand don't care about Insecure: true Run subcommand doesn't care about Insecure: true Oct 12, 2021
@mheon
Member

mheon commented Oct 12, 2021

@vrothberg PTAL

@vrothberg
Member

vrothberg commented Oct 13, 2021

Thanks, I can reproduce. Push works, pull fails. I am worried how this passed tests.

Cc: @mtrmac @lsm5 @edsantiago

@vrothberg
Member

> Thanks, I can reproduce. Push works, pull fails. I am worried how this passed tests.
>
> Cc: @mtrmac @lsm5 @edsantiago

Apologies. Was a testing error on my end. It works on my machine and I cannot reproduce.

@Gwerlas, can you share the contents of /etc/containers/registries.conf?

@Gwerlas
Author

Gwerlas commented Oct 22, 2021

Hi,

Thanks for testing, here is my /etc/containers/registries.conf:

    unqualified-search-registries = ['my-insecure-registry:5000', 'docker.io', 'quay.io', 'registry.fedoraproject.org']

    [[registry]]
    location = "my-insecure-registry:5000"
    insecure = true

    [[registry]]
    prefix = "docker.io"
    location = "mirror.gcr.io"

    [[registry]]
    prefix = "docker.io/library"
    location = "quay.io/libpod"

@vrothberg
Member

@Gwerlas, thanks!

The config file looks good to me. Are there any files in /etc/containers/registries.conf.d (note the .d)? Those would allow for overriding previous settings.

Are there any files in ~/.config/containers? A rootless user may also override the system settings.

@Gwerlas
Author

Gwerlas commented Oct 22, 2021

Yes, there are:

  • /etc/containers/registries.d/default.yaml :

    default-docker:
      sigstore-staging: file:///var/lib/containers/sigstore
  • /etc/containers/registries.d/registry.access.redhat.com.yaml :

    docker:
      registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
  • /etc/containers/registries.d/registry.redhat.io.yaml :

    docker:
      registry.redhat.io:
        sigstore: https://registry.redhat.io/containers/sigstore
  • To conclude, I've an empty ~/.config/containers/short-name-aliases.conf.lock, and nothing else in my dotdir

@vrothberg
Member

Note the difference between /etc/containers/registries.conf.d and /etc/containers/registries.d (.conf.d vs .d). Can you look into the conf.d one?

@Gwerlas
Author

Gwerlas commented Oct 22, 2021

Sorry, I have these files in /etc/containers/registries.conf.d:

  • 000-shortnames.conf :

    [aliases]
    "centos" = "quay.io/centos/centos"
    "skopeo" = "quay.io/skopeo/stable"
    "buildah" = "quay.io/buildah/stable"
    "podman" = "quay.io/podman/stable"
    "alpine" = "docker.io/library/alpine"
    "docker" = "docker.io/library/docker"
    "registry" = "docker.io/library/registry"
    "hello-world" = "docker.io/library/hello-world"
    "swarm" = "docker.io/library/swarm"
    "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
    "fedora" = "registry.fedoraproject.org/fedora"
    "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
    "opensuse/tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
    "opensuse/tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
    "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
    "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
    "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
    "tumbleweed-dnf" = "registry.opensuse.org/opensuse/tumbleweed-dnf"
    "tumbleweed-microdnf" = "registry.opensuse.org/opensuse/tumbleweed-microdnf"
    "leap" = "registry.opensuse.org/opensuse/leap"
    "leap-dnf" = "registry.opensuse.org/opensuse/leap-dnf"
    "leap-microdnf" = "registry.opensuse.org/opensuse/leap-microdnf"
    "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
    "suse/sle15" = "registry.suse.com/suse/sle15"
    "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
    "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
    "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
    "sle15" = "registry.suse.com/suse/sle15"
    "sles12sp5" = "registry.suse.com/suse/sles12sp5"
    "sles12sp4" = "registry.suse.com/suse/sles12sp4"
    "sles12sp3" = "registry.suse.com/suse/sles12sp3"
    "rhel" = "registry.access.redhat.com/rhel"
    "rhel6" = "registry.access.redhat.com/rhel6"
    "rhel7" = "registry.access.redhat.com/rhel7"
    "ubi7" = "registry.access.redhat.com/ubi7"
    "ubi7-init" = "registry.access.redhat.com/ubi7-init"
    "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
    "ubi8" = "registry.access.redhat.com/ubi8"
    "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
    "ubi8-init" = "registry.access.redhat.com/ubi8-init"
    "ubi8-micro" = "registry.access.redhat.com/ubi8-micro"
    "ubi8/ubi" = "registry.access.redhat.com/ubi8/ubi"
    "ubi8/ubi-minimal" = "registry.access.redhat.com/ubi8-minimal"
    "ubi8/ubi-init" = "registry.access.redhat.com/ubi8-init"
    "ubi8/ubi-micro" = "registry.access.redhat.com/ubi8-micro"
    "debian" = "docker.io/library/debian"
    "ubuntu" = "docker.io/library/ubuntu"
    "oraclelinux" = "container-registry.oracle.com/os/oraclelinux"
    "busybox" = "docker.io/library/busybox"
    "php" = "docker.io/library/php"
    "python" = "docker.io/library/python"
    "node" = "docker.io/library/node"
  • 070-my-company.conf :

    [aliases]
    "ansible" = "my-insecure-registry:5000/my-company/ansible"
    "ansible-lint" = "my-insecure-registry:5000/my-company/ansible-lint"
    "livraison" = "my-insecure-registry:5000/my-company/livraison"
    "openstack-client" = "my-insecure-registry:5000/my-company/openstack-client"

@vrothberg
Member

Thank you. Are there any registries.conf files in $HOME/.config/containers/*? If possible, could you rerun with podman --log-level=debug and share the output? Are any proxies involved?

@vrothberg
Member

Apologies, I can reproduce. I'll take a look asap.

@vrothberg
Member

Opened #12064 to fix the issue. Thanks a lot for your help!

vrothberg added a commit to vrothberg/libpod that referenced this issue Oct 27, 2021
Make sure that the value is only set if specified on the CLI.  c/image
already defaults to true but if set in the system context, we'd skip
settings in the registries.conf.

Fixes: containers#11933
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/libpod that referenced this issue Nov 30, 2021
Make sure that the value is only set if specified on the CLI.  c/image
already defaults to true but if set in the system context, we'd skip
settings in the registries.conf.

Backport of commit ff31f22.

Fixes: containers#11933
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
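
The precedence problem described in the commit messages above, as an added Go example that is not Podman or c/image code: a simplified model in which a CLI default written unconditionally into the context hides the registry's `insecure = true`. All type and function names are hypothetical, and it assumes the value in question is a TLS-verification flag that defaults to true.

```go
package main

import "fmt"

// OptionalBool is a tri-state: "not specified" must stay distinct from false.
type OptionalBool int

const (
	Undefined OptionalBool = iota
	True
	False
)

// Registry models one [[registry]] table from registries.conf (hypothetical type).
type Registry struct {
	Location string
	Insecure bool
}

// skipVerifyFromCLI maps a TLS-verify flag to the context's skip-verify field.
// onlyIfSet=false models the bug: the flag default is always written.
func skipVerifyFromCLI(tlsVerify, flagSet, onlyIfSet bool) OptionalBool {
	if onlyIfSet && !flagSet {
		return Undefined // leave the decision to registries.conf
	}
	if tlsVerify {
		return False
	}
	return True
}

// allowInsecure resolves the effective setting: an explicit context value
// wins; otherwise the registry's own "insecure" key applies.
func allowInsecure(ctx OptionalBool, reg Registry) bool {
	if ctx != Undefined {
		return ctx == True
	}
	return reg.Insecure
}

func main() {
	reg := Registry{Location: "my-insecure-registry:5000", Insecure: true}
	// Flag not given on the command line; its default is true.
	fmt.Println("buggy honours insecure=true:", allowInsecure(skipVerifyFromCLI(true, false, false), reg))
	fmt.Println("fixed honours insecure=true:", allowInsecure(skipVerifyFromCLI(true, false, true), reg))
	// An explicit flag on the command line must still override the config file.
	fmt.Println("explicit verify wins:", !allowInsecure(skipVerifyFromCLI(true, true, true), reg))
}
```

The same tri-state handling matters in the other direction: a flag default of "do not verify" written unconditionally would silently disable TLS verification for registries the config file marks as secure.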
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023