bootc install does not use my podman credentials

[stefwalter]

I've tried to install a bootable container with an install to-filesystem as documented here: https://containers.github.io/bootc/bootc-install.html#executing-bootc-install

My image is pushed in a private registry tag (in quay.io). However bootc cannot access my repository. I used podman login quay.io to login on the host, which allows podman to pull the container image, but for some reason that I cannot understand bootc wants to access it again:

# sudo podman run --rm --privileged --pid=host --security-opt label=type:unconfined_t -v /:/target -v /var/lib/containers:/var/lib/containers quay.io/swalter/tuesday:1.0 bootc install to-filesystem --karg=console=ttyS0,115200n8 --replace=alongside /target
Trying to pull quay.io/swalter/tuesday:1.0...
Getting image source signatures
Copying blob 123a23fee02f done  
Copying blob 123a23fee02f done  
... snip ...
Copying blob f76da783556e done  
Copying config 4787122538 done  
Writing manifest to image destination
ERROR Installing to filesystem: Verifying fetch: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: reading manifest 1.0 in quay.io/swalter/tuesday: unauthorized: access to the requested resource is not authorized

[stefwalter]

I would expect that bootc install doesn't need to know the registry. What if the image was local, and not pushed to a registry?

[cgwalters]

#428 tracks importing credentials in this case; what do you think of that one?

I would expect that bootc install doesn't need to know the registry. What if the image was local, and not pushed to a registry?

There is --skip-fetch-check for this use case. But the fetch check is exactly to avoid this foot-gun. Would improving the error message help? Something like linking to the documentation? (I expanded #430 recently related to this too).

[stefwalter]

Why is this a foot-gun? Why would fetch check be an error? Should it only be a warning by default?

[cgwalters]

Why is this a foot-gun? Why would fetch check be an error?

Because it's really easy to fall into the trap of failing to configure the fetch credentials inside one's image, right?

[henrywang]

I usually save QUAY_SECRET into /etc/ostree/auth.json and copy auth.json into container image when build image.

QUAY_SECRET=$(echo -n "${QUAY_USERNAME}:${QUAY_PASSWORD}" | base64 -w 0)

{
  "auths": {
    "quay.io": {
      "auth": "$QUAY_SECRET"
    }
  }
}

[ericzolf]

I stumbled upon this issue, it's not obvious why bootc doesn't use the same files as podman to organize authentication.
As further argument, I'd like to add that the flightctl-agent follows podman there when it comes to updating the OS, so that you need to hold and maintain twice the same information for basically the same purpose.

[hexfusion]

To add to this it seems logical that if you were to pull the OS image into container storage IE podman pull $image then use containers-storage as the transport any auth needed would come from container auth.

$ podman pull 192.168.1.42:5000/flightctl-device:v3
Trying to pull 192.168.1.42:5000/flightctl-device:v3...
Getting image source signatures
Copying blob f314e09c5f79 skipped: already exists  
Copying blob f314e09c5f79 skipped: already exists 
....

$ bootc switch --transport containers-storage 192.168.1.42:5000/flightctl-device:v3
layers already present: 75; layers needed: 2 (624 bytes)
Fetched layers: 624 B in 15 seconds (41 B/s)

If the image is pulled why do we still need to fetch 2 layers?

[cgwalters]

I stumbled upon this issue, it's not obvious why bootc doesn't use the same files as podman to organize authentication.

See containers/image#1746

you need to hold and maintain twice the same information for basically the same purpose.

Yes, I agree it is painful, but there is a rationale.

https://docs.fedoraproject.org/en-US/bootc/container-pull-secrets/#_unifying_bootc_and_podman_credentials has one suggestion.

[cgwalters]

If the image is pulled why do we still need to fetch 2 layers?

containers-storage aka /var/lib/containers is disjoint from the bootc-owned storage. See https://containers.github.io/bootc/filesystem-storage.html and #20 for related topics. So those two layers were copied from /var/lib/containers/storage to /sysroot/ostree (and unfortunately without even using reflinks, for that see also containers/storage#1849 ).