cirruslabs / orchard

Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices

No OCI registry login step before pulling image #155

Closed eecsmap closed 3 months ago

eecsmap commented 4 months ago

I have a private OCI repo hosted on JFrog Artifactory. Before pulling images from it, the user needs to log in to the OCI registry first, with something like tart login or docker login. Yet, when sending the image creation request via the REST API /v1/vms to the orchard controller, we only provide the image argument, so the node accepting this request cannot pull the image successfully without logging in first.

Can we have a login credential argument in the request which could be picked up by the node eventually?

fkorotkov commented 4 months ago

Hey @eecsmap, you only need to login into a registry once. Can you do it upon node configuration? Tart can save password to Keychain or use Docker Credential Helpers.

eecsmap commented 4 months ago

Since I might end up managing many nodes over multiple OCI repositories, manually doing it on those nodes will be a pain. Btw, if I remember correctly, the login session does not last forever, right? It seems my nodes fail to pull images from time to time, where I need to log in again to solve it.

One more thing to mention here. If I run echo $TOKEN | tart login $REPO --username $USER --password-stdin

I got Error: Failed(message: "Keychain failed to update item: User interaction is not allowed.")

Yet it has no problem when I use docker command instead:

WARNING! Your password will be stored unencrypted in /Users/cm/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Not sure whether we could address this and ease the automation script instead of doing it manually in the GUI.

fkorotkov commented 4 months ago

To fix Keychain issue please take a look at this FAQ item.

Passing credentials to VMs means storing them, which we'd prefer to avoid. If you have a single registry with multiple repositories, then you don't need to log in to each repository. Login is per-host, aka per-registry.

eecsmap commented 3 months ago

We can close this ticket. I think you have a good solution as mentioned above. Thanks.