Podman auth discards registry path #17816

Closed
cristianrgreco opened this issue Mar 16, 2023 · 6 comments
Labels: kind/bug, locked - please file new issue/PR, stale-issue

Comments

cristianrgreco commented Mar 16, 2023

Issue Description

Podman login is discarding the registry path. E.g. logging into https://index.docker.io/v1/ creates the following auth file:

{
  "auths": {
    "index.docker.io": {
      "auth": "..."
    }
  }
}

Logging into https://index.docker.io/v1/ does not update the auth file.

This may be an issue for other container registries, e.g. https://example.registries.com/registry1 and https://example.registries.com/registry2 will merge to one entry.

Steps to reproduce the issue

  1. podman login https://index.docker.io/v1/
  2. podman login https://index.docker.io/v2/

Describe the results you received

Podman rejects the 2nd login which could have different credentials.

Describe the results you expected

Podman stores 2 different entries for each registry, like Docker:

{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "..."
    },
    "https://index.docker.io/v2/": {
      "auth": "..."
    }
  }
}

podman info output

host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2:2.1.7-0debian9999+obs15.6_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 87.46
    systemPercent: 5.69
    userPercent: 6.84
  cpus: 2
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  hostname: fv-az646-90
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 123
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 5.15.0-1034-azure
  linkmode: dynamic
  logDriver: journald
  memFree: 4857856000
  memTotal: 7281278976
  networkBackend: netavark
  ociRuntime:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/runner/.local/share/containers/storage
  graphRootAllocated: 89297309696
  graphRootUsed: 58336636928
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/1001/containers
  transientStore: false
  volumePath: /home/runner/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.2
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.19.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

DOCKER_HOST=unix:///run/user/$(id -u)/podman/podman.sock

Additional information

No response

cristianrgreco added the kind/bug label Mar 16, 2023
Luap99 (Member) commented Mar 17, 2023

@vrothberg @mtrmac PTAL

mtrmac (Collaborator) commented Mar 17, 2023

Thanks for your report.

Podman rejects the 2nd login which could have different credentials.

Why would these two in particular have different credentials? (Notably index.docker.io/v1/ just returns a HTTP 404; and, apart from search, nothing in Podman supports the /v1/ protocol anyway — and neither does Docker nowadays.)

This may be an issue for other container registries,

If you are actually concerned about those “other container registries”, please use examples that use those “other registries”, perhaps redacting the name. The docker.io domain has a bunch of special-casing that is not representative of the behavior of other domains, especially on the credential lookup side.


Podman does support different credentials for different namespaces of a single registry, but we have to carefully thread the needle between expressing that, and compatibility with other uses, exactly scripts like docker login https://…docker.io/v2, which does not mean “only images named docker.io/v2/…”.

So, if the parameter starts with a scheme, that’s always interpreted as a “whole-registry” credential. Use podman login quay.io/namespace (without https://) to create a namespaced credential.

cristianrgreco (Author) commented Mar 17, 2023

Thanks for your response!

Let me better explain my use case:

I have a library which creates containers. When someone wants to pull from a private repository, I look up which creds to send from their auth file, based on the registry they're pulling the image from.

For Docker for example, the IndexServerAddress is https://index.docker.io/v1/, so someone who has logged into a private repository in Docker Hub will have that exact key in their auth file. When looking up the creds, I expect a full match on the registry name, to avoid a potential security issue if for example there are different registries on different schemes, paths, etc.

I am currently looking at adding Podman support to the library.

Now, because Podman handles index.docker.io as a special case, and returns an empty string for the IndexServerAddress (#17776), I have to assume a default registry for short named images. I use the same default as Docker (https://index.docker.io/v1/). Because Podman has created an auth file without the full path, index.docker.io != https://index.docker.io/v1/ and so I fail to find the auth config.

I am sure there are plenty of details I am missing, but I am basically unable to swap out Docker for Podman when auth is required for Docker Hub.


I have tried to login as you suggested without the scheme to create a namespaced credential, but the special case for docker.io causes issues:

podman login "index.docker.io/v1"
Error: internal error: key "index.docker.io/v1" registry mismatch, "docker.io/library/v1" vs. "docker.io"
podman login "quay.io/v1"
Username: 

Additionally, Docker does support trailing / in the registry name, but Podman returns an error:

podman login "quay.io/v1/"
Error: parse reference from "quay.io/v1/": invalid reference format

mtrmac (Collaborator) commented Mar 17, 2023

Thanks.

For that use case, there are other things to consider. Notably, https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md allows the user to transparently re-map a reference to one registry to another, or possibly to multiple ones. IMHO the only practical way[1] to support that in callers of Podman is to hand Podman the full set of credentials (e.g. podman pull --authfile=…), and let Podman itself choose the right ones. That is, also probably much simpler to implement, at least if the input is in the auth.json format already.

[1] It’s not really practical for a caller of Podman to somehow parse all the relevant configuration files, merge them correctly, and the like: the configuration semantics can add new features at any time, so any external implementation would only work against a frozen version of Podman. (Alternatively, it could be suggested that Podman should add a podman required-credentials-for-pulling $image command, but if Podman is trusted to correctly list exactly the necessary credentials, and no more, then Podman is equally trusted to just read exactly the necessary credentials, and no more, from the auth.json file itself, without adding that command.)


but the special case for docker.io causes issues:

Yes. We have decided to enforce a canonical form for the new (Podman-only) namespaced credentials feature. Use podman login docker.io/namespace, just like users write podman pull docker.io/namespace/image and not … pull index.docker.io/…, and forget about the hidden implementation details of index.docker.io and the like; leave that to Podman.
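The two replies from mtrmac above state three rules: a key that carries a scheme is always a whole-registry credential, namespaced credentials exist only in the canonical scheme-less form (docker.io/namespace, never index.docker.io/…), and the docker.io aliases are folded onto one canonical name. The Go program below is an added example written for this page to make those rules concrete; it is not code from the issue, from Podman or from containers/image. The sample auth.json, the alias table (index.docker.io and registry-1.docker.io folded to docker.io) and the names normalizeKey, loadAuths and credentialFor are all assumptions of the example. It shows why https://index.docker.io/v1/ and https://index.docker.io/v2/ cannot coexist as separate entries, and how a caller that resolves credentials itself (the library use case in the author's comment) would look them up most-specific-key-first rather than by exact string match on the key.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample auth file for this example (not from the issue): a legacy
// Docker-style key with scheme and path, a Podman-style namespaced key, and two
// plain whole-registry keys. Values are base64 "user:password".
const sampleAuthJSON = `{
  "auths": {
    "https://index.docker.io/v1/": {"auth": "aHVidXNlcjpodWJzZWNyZXQ="},
    "quay.io/myorg":               {"auth": "b3JndXNlcjpvcmdzZWNyZXQ="},
    "quay.io":                     {"auth": "cXVheXVzZXI6cXVheXNlY3JldA=="},
    "registry.example.com":        {"auth": "ZXhhbXBsZTpleGFtcGxl"}
  }
}`

// canonicalRegistry folds Docker Hub aliases onto the canonical name the thread
// settles on. The alias list is an assumption of this example, not Podman's table.
func canonicalRegistry(host string) string {
	switch host {
	case "index.docker.io", "registry-1.docker.io":
		return "docker.io"
	}
	return host
}

// normalizeKey applies the rule from the thread: a key starting with a scheme is
// always a whole-registry credential (path and trailing "/" dropped); a key
// without a scheme may carry a namespace and only its host is canonicalised.
// "https://index.docker.io/v1/" and ".../v2/" therefore both become "docker.io".
func normalizeKey(key string) string {
	hadScheme := strings.HasPrefix(key, "https://") || strings.HasPrefix(key, "http://")
	key = strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
	host, rest, hasPath := strings.Cut(strings.TrimSuffix(key, "/"), "/")
	host = canonicalRegistry(host)
	if hadScheme || !hasPath {
		return host
	}
	return host + "/" + rest
}

// loadAuths parses an auth file into normalized key -> raw "auth" value. Two raw
// keys collapsing to one normalized key are an error: the "second login
// rejected" behaviour the issue reports.
func loadAuths(raw []byte) (map[string]string, error) {
	var f struct {
		Auths map[string]struct {
			Auth string `json:"auth"`
		} `json:"auths"`
	}
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for rawKey, entry := range f.Auths {
		k := normalizeKey(rawKey)
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("key %q collides with an existing %q entry", rawKey, k)
		}
		out[k] = entry.Auth
	}
	return out, nil
}

// credentialFor resolves a fully qualified reference, most specific key first:
// registry/ns/repo, each shorter namespace, then the bare registry; tag and
// digest are ignored. Short names ("alpine") are rejected, since which registry
// they mean is Podman's decision (registries.conf). Podman's further rewriting
// (the "library/" expansion in the error message above) is not modelled.
func credentialFor(auths map[string]string, ref string) (string, error) {
	repo, _, _ := strings.Cut(ref, "@") // drop digest
	i := strings.LastIndex(repo, "/")
	if i < 0 {
		return "", fmt.Errorf("reference %q is not fully qualified", ref)
	}
	if j := strings.LastIndex(repo[i:], ":"); j >= 0 { // drop tag
		repo = repo[:i+j]
	}
	host, path, _ := strings.Cut(repo, "/")
	host = canonicalRegistry(host)
	parts := strings.Split(path, "/")
	for n := len(parts); n >= 0; n-- {
		key := host
		if n > 0 {
			key += "/" + strings.Join(parts[:n], "/")
		}
		if auth, ok := auths[key]; ok {
			return auth, nil
		}
	}
	return "", errors.New("no credentials for " + repo)
}

func main() {
	auths, err := loadAuths([]byte(sampleAuthJSON))
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{"index.docker.io/myorg/private:1.0", "quay.io/myorg/tool@sha256:0000",
		"quay.io/other/tool", "ghcr.io/nobody/app"} {
		auth, err := credentialFor(auths, ref)
		fmt.Printf("%-36s -> %q %v\n", ref, auth, err)
	}
	// A second login on the same host with a different path collides, as in the report.
	_, err = loadAuths([]byte(`{"auths":{"https://index.docker.io/v1/":{"auth":"eDp5"},"https://index.docker.io/v2/":{"auth":"eDp5"}}}`))
	fmt.Println("v1 + v2 keys:", err)
}
```

This only reproduces the parts of the lookup the thread states. Podman's own matching additionally honours registries.conf mirrors and short-name rules, which is exactly why the earlier reply recommends handing Podman the whole file via --authfile and letting it choose the credential, instead of re-implementing the lookup in the caller.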

github-actions bot commented

A friendly reminder that this issue had no activity for 30 days.

mtrmac (Collaborator) commented Apr 17, 2023

I’m assuming this works as designed, and it does currently allow using Podman for this purpose; please reopen if that’s incorrect.

@mtrmac mtrmac closed this as completed Apr 17, 2023
github-actions bot added the locked - please file new issue/PR label Aug 27, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 27, 2023