Podman remote-client credentials (--creds) don't work for pull/push #5511

Closed bszeti closed 4 years ago

bszeti commented 4 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description:

Podman remote-client parameter --creds 'USERNAME:PASSWORD' doesn't work for pull or push. I tried with Podman remote-client v1.6.1 and 1.8.0 with matching server version.

Steps to reproduce the issue:

  1. Use remote-client v1.8.0

  2. Try to pull an image from secured registry. E.g.: podman pull --creds 'bszeti:mysecret' quay.io/bszeti/myimage

  3. Fails with message:

    Trying to pull quay.io/bszeti/myimage...
    unauthorized: access to the requested resource is not authorized
    Error: error pulling image "quay.io/bszeti/myimage": io.podman.ErrorOccurred

The same command works using podman directly on the Linux host.

Describe the results you received:

    Trying to pull quay.io/bszeti/myimage...
    unauthorized: access to the requested resource is not authorized
    Error: error pulling image "quay.io/bszeti/myimage": io.podman.ErrorOccurred

Describe the results you expected: Successful pull or push.

Additional information you deem important (e.g. issue happens only occasionally): Same problem with podman push

Output of podman version:

Client:
Version:            1.8.0
RemoteAPI Version:  1
Go Version:         go1.13.6
Git Commit:         2ced9094d4728dd09f60a177faa32339a8d0f721
Built:              Mon Feb 10 14:19:38 2020
OS/Arch:            darwin/amd64

Server:
Version:            1.8.1
RemoteAPI Version:  1
Go Version:         go1.13.6
OS/Arch:            linux/amd64

Output of podman info --debug:

client:
  Connection: unix:/run/podman/io.podman
  Connection Type: DirectConnection
  OS Arch: darwin/amd64
  Podman Version: 1.8.0
  RemoteAPI Version: 1
host:
  arch: amd64
  buildah_version: 1.14.2
  cpus: 1
  distribution:
    distribution: fedora
    version: "31"
  eventlogger: journald
  hostname: localhost
  kernel: 5.4.8-200.fc31.x86_64
  mem_free: 1491628032
  mem_total: 4121419776
  os: linux
  swap_free: 0
  swap_total: 0
  uptime: 45m 56.54s
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  containers: 0
  graph_driver_name: overlay
  graph_driver_options: map[overlay.mountopt:nodev,metacopy=on]
  graph_root: /var/lib/containers/storage
  graph_status:
    backing_filesystem: xfs
    native_overlay_diff: "false"
    supports_d_type: "true"
  images: 8
  run_root: /var/run/containers/storage

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.8.1-2.fc31.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.): Tried remote-client on macOS with Fedora 31 Linux host running in VirtualBox with Podman v1.6.0 and v1.8.0.

TomSweeneyRedHat commented 4 years ago

@QiWang19 PTAL

mheon commented 4 years ago

Is this related to login/logout not yet being implemented for remote?

bszeti commented 4 years ago

Using the --creds parameter we should be able to add username:password with every pull/push command. Login/logout is different as it should save the credentials temporarily or permanently in a file so we don't have to pass it with every command where it's needed. The remote-client clearly provides no login feature at the moment, but help says that --creds should work.

QiWang19 commented 4 years ago

The creds are not passed to the func PullImage(name: string) API. Should we add a new argument to the API for creds, or hide the --creds when remote?

rhatdan commented 4 years ago

I don't think creds can be used on a remote system, so it should be hidden.

bszeti commented 4 years ago

Does this mean that we don't have any solution to pull images from authenticated registries using the remote-client?

rhatdan commented 4 years ago

Sorry, I was mistaken, I was thinking certs not creds. We should be able to pass creds across. It is a requirement.
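
The failure mode discussed in this thread, as an added example that is not Podman's code: a remote call whose signature carries only the image name drops the parsed --creds value, so the server reaches the registry anonymously. ParseCreds, PullNameOnly, PullWithCreds, registryPull and the sample account are hypothetical names and constructed data.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Creds is a hypothetical holder for a parsed --creds value.
type Creds struct{ Username, Password string }

// ParseCreds splits "USERNAME:PASSWORD" on the first colon only, so a
// password that itself contains ':' survives intact.
func ParseCreds(s string) (*Creds, error) {
	user, pass, ok := strings.Cut(s, ":")
	if !ok || user == "" {
		return nil, errors.New("creds must be USERNAME:PASSWORD")
	}
	return &Creds{user, pass}, nil
}

// registryPull stands in for the server side talking to a secured registry.
// The account checked below is constructed sample data.
func registryPull(image string, c *Creds) error {
	if c == nil || c.Username != "alice" || c.Password != "s3:cret" {
		return errors.New("unauthorized: access to the requested resource is not authorized")
	}
	return nil
}

// PullNameOnly models a remote call whose signature carries only the image
// name: whatever the client parsed from --creds has nowhere to go.
func PullNameOnly(image string) error { return registryPull(image, nil) }

// PullWithCreds models the same call with credentials added as an argument.
func PullWithCreds(image string, c *Creds) error { return registryPull(image, c) }

func main() {
	c, err := ParseCreds("alice:s3:cret")
	if err != nil {
		panic(err)
	}
	fmt.Println("name-only call: ", PullNameOnly("registry.example/alice/img"))
	fmt.Println("call with creds:", PullWithCreds("registry.example/alice/img", c))
}
```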