Is this a BUG REPORT or FEATURE REQUEST?:
kind bug
Description
podman seems to not allow anonymous pull.
Steps to reproduce the issue:
$ skopeo inspect docker://myrepo.example.com/myproject/myimage
{
    "Name": "myrepo.example.com/myproject/myimage",
    "Digest": "sha256:d275b00bb22cac63962979784098dfb62ff240a4d2c057d3d7bba881650e4d71",
    "RepoTags": [
        "latest",
        "20181205"
    ],
    ...
$ sudo podman run docker://myrepo.example.com/myproject/myimage -- /bin/bash -l
Describe the results you received:
Trying to pull docker://myrepo.example.com/myproject/myimage...Failed
unable to pull docker://myrepo.example.com/myproject/myimage: unable to pull image: Error determining manifest MIME type for docker://myrepo.example.com/myproject/myimage:latest: unable to retrieve auth token: invalid username/password
Describe the results you expected:
I enter a proper bash shell
Additional information you deem important (e.g. issue happens only occasionally):
docker package not installed, Fedora 29
Output of podman version:
$ podman version
Version: 0.10.1.3
Go Version: go1.11
OS/Arch: linux/amd64
Output of podman info:
host:
  BuildahVersion: 1.5-dev
  Conmon:
    package: podman-0.10.1.3-4.gitdb08685.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 1f741a8b8381375b068b147605704a02a91167a2-dirty'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 513298432
  MemTotal: 2087391232
  OCIRuntime:
    package: runc-1.0.0-59.dev.gitccb5efd.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6
      commit: 6e5a791a02fefb403034e0de8693d225d52b33a7
      spec: 1.0.1-dev
  SwapFree: 858505216
  SwapTotal: 858779648
  arch: amd64
  cpus: 2
  hostname: fedoraw
  kernel: 4.19.6-300.fc29.x86_64
  os: linux
  uptime: 2h 53m 55.25s (Approximately 0.08 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mountopt=nodev
  - overlay.override_kernel_check=true
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 0
  RunRoot: /var/run/containers/storage
Additional environment details (AWS, VirtualBox, physical, etc.):
KVM, Fedora 29 fully updated as of today
Part of me suspects this is the docker:// part - can you remove that and see if it works?
If so, it's probably related to how we parse image names
Oh, can you also verify if the same problem happens if you run Podman as root?
Tried locally, can't reproduce on 0.12.1.1. Can you grab the package (it's in updates-testing) and see if you can still reproduce?
This is now fixed upstream in the master branch.
$ sudo podman run -it --rm docker://docker.io/library/alpine:latest ls
Trying to pull docker://docker.io/library/alpine:latest...Getting image source signatures
Copying blob 6c40cc604d8e: 2.63 MiB / 2.63 MiB [============================] 0s
Copying config caf27325b298: 1.48 KiB / 1.48 KiB [==========================] 0s
Writing manifest to image destination
Storing signatures
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
$
closing for now... re-open if you disagree
I'm still seeing this issue on
Version: 1.2.0
RemoteAPI Version: 1
Go Version: go1.12.1
Built: Tue Apr 2 20:01:51 2019
OS/Arch: linux/amd64
Trying to run the following without being logged in to docker.io fails
# podman run -it --rm docker://docker.io/library/alpine:latest ls
Trying to pull docker://docker.io/library/alpine:latest...ERRO[0000] Error pulling image ref //alpine:latest: Error determining manifest MIME type for docker://alpine:latest: unable to retrieve auth token: invalid username/password
Failed
Error: unable to pull docker://docker.io/library/alpine:latest: unable to pull image: Error determining manifest MIME type for docker://alpine:latest: unable to retrieve auth token: invalid username/password
However it works with sudo
# sudo podman run -it --rm docker://docker.io/library/alpine:latest ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
And it also works after podman login docker.io
# podman login docker.io
…
# podman run -it --rm docker://docker.io/library/alpine:latest ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
I think this could be the same issue as #2710 and might be fixed by #2911 (haven't verified this yet), but since this issue is what one finds when searching for it, and since the different behavior with sudo is so strange, I wanted to comment here too.
Just to be safe, I'm going to reopen this now so it doesn't get lost in the shuffle. Thanks for the update @niklas88!
I'm trying podman for the first time, but I'm unable to do an unauthenticated pull from docker.io with or without sudo:
$ podman version
Version: 1.3.0-dev
RemoteAPI Version: 1
Go Version: go1.10.4
OS/Arch: linux/amd64
$ podman run -it --rm docker://docker.io/library/alpine:latest ls
Trying to pull docker://docker.io/library/alpine:latest...ERRO[0000] Error pulling image ref //alpine:latest: Error determining manifest MIME type for docker://alpine:latest: unable to retrieve auth token: invalid username/password
Failed
Error: unable to pull docker://docker.io/library/alpine:latest: unable to pull image: Error determining manifest MIME type for docker://alpine:latest: unable to retrieve auth token: invalid username/password
$ sudo podman run -it --rm docker://docker.io/library/alpine:latest ls
Trying to pull docker://docker.io/library/alpine:latest...ERRO[0000] Error pulling image ref //alpine:latest: Error determining manifest MIME type for docker://alpine:latest: unable to retrieve auth token: invalid username/password
Failed
Error: unable to pull docker://docker.io/library/alpine:latest: unable to pull image: Error determining manifest MIME type for docker://alpine:latest: unable to retrieve auth token: invalid username/password
Do you have an auth file around with bad data in it?
Yes! Thank you. Cleared out ~/.docker/config.json and now it works as expected.
I'm going to reopen this one until I get a chance to add it to the known issues page.
I think invalid auth data shouldn't prevent anonymous pull.
@TomSweeneyRedHat can you find a few minutes and wrap this one up?
I've just updated the troubleshooting guide in #3739 documenting how this issue can be arrived at and how to cure it. Unfortunately, the error message we get back from authentication code that Podman vendors throws this error in the situation when the credentials were once good but are no longer, i.e. did a successful podman login and then changed the password on the container registry. It also throws the same error for other situations and it's not easily discernible. So to avoid a potential CVE by allowing the auth to continue, I've added the troubleshooting note to help on the rare occasion this will occur.
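A diagnostic for the cause found in this thread, as an added example that is not part of the thread or of Podman's code: it lists which auth files hold a stored entry for a registry, so a stale login can be spotted before an "anonymous" pull fails with `invalid username/password`. `~/.docker/config.json` is the file named above; `${XDG_RUNTIME_DIR}/containers/auth.json` is assumed to be where `podman login` writes, and the function names are hypothetical.

```python
import base64
import json
import os
from pathlib import Path

# docker.io logins are often stored under the legacy index.docker.io key.
DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}

def normalize(key):
    """Reduce an 'auths' key such as 'https://index.docker.io/v1/' to a host."""
    host = key.split("://", 1)[-1].split("/", 1)[0].lower()
    return "docker.io" if host in DOCKER_HUB_ALIASES else host

def candidate_auth_files(env=None):
    """Auth file locations for the current user (assumed search order)."""
    env = os.environ if env is None else env
    files = []
    if env.get("XDG_RUNTIME_DIR"):
        files.append(Path(env["XDG_RUNTIME_DIR"]) / "containers" / "auth.json")
    if env.get("HOME"):
        files.append(Path(env["HOME"]) / ".docker" / "config.json")
    return files

def stored_credentials(registry, files):
    """Return (path, key, username) for each stored entry matching registry."""
    hits = []
    for path in files:
        try:
            auths = json.loads(Path(path).read_text()).get("auths", {})
        except (OSError, ValueError, AttributeError):
            continue  # missing or unparsable file: skipped by this check
        for key, entry in auths.items():
            if normalize(key) != normalize(registry) or not isinstance(entry, dict):
                continue
            user = "<unknown>"
            try:
                # 'auth' is base64("user:password"); only the user is reported.
                decoded = base64.b64decode(entry.get("auth", "")).decode()
                user = decoded.split(":", 1)[0] or user
            except (ValueError, UnicodeDecodeError):
                pass
            hits.append((str(path), key, user))
    return hits

if __name__ == "__main__":
    for path, key, user in stored_credentials("docker.io", candidate_auth_files()):
        print(f"{path}: entry {key!r} for user {user!r} will be sent on pull")
```

Running it both as the regular user and under `sudo` shows each account's own set of files, which is useful when the two behave differently as reported above.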