containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

Skopeo login error when running as skopeo user #1233

Closed namloc2001 closed 3 years ago

namloc2001 commented 3 years ago

Hi, I'm running docker run -it --entrypoint=/bin/sh --user skopeo:skopeo quay.io/containers/skopeo:v1.2.0 and then I attempt to skopeo login, but I get an error:

sh-5.0$ id
uid=1000(skopeo) gid=1000(skopeo) groups=1000(skopeo)

sh-5.0$ skopeo login -u iamapikey -p <redacted> uk.icr.io/<redacted>
FATA[0003] error writing to file "/auth.json": open /auth.json: permission denied

sh-5.0$ ls -la /
total 60
drwxr-xr-x   1 root root 4096 Mar 19 14:05 .
drwxr-xr-x   1 root root 4096 Mar 19 14:05 ..
-rwxr-xr-x   1 root root    0 Mar 19 14:05 .dockerenv
lrwxrwxrwx   1 root root    7 Jul 27  2020 bin -> usr/bin
dr-xr-xr-x   2 root root 4096 Jul 27  2020 boot
drwxr-xr-x   5 root root  360 Mar 19 14:05 dev
drwxr-xr-x   1 root root 4096 Mar 19 14:05 etc
drwxr-xr-x   1 root root 4096 Mar 16 10:29 home
lrwxrwxrwx   1 root root    7 Jul 27  2020 lib -> usr/lib
lrwxrwxrwx   1 root root    9 Jul 27  2020 lib64 -> usr/lib64
drwx------   2 root root 4096 Jan  6 07:48 lost+found
drwxr-xr-x   2 root root 4096 Jul 27  2020 media
drwxr-xr-x   2 root root 4096 Jul 27  2020 mnt
drwxr-xr-x   2 root root 4096 Jul 27  2020 opt
dr-xr-xr-x 163 root root    0 Mar 19 14:05 proc
dr-xr-x---   2 root root 4096 Jan  6 07:48 root
drwxr-xr-x   1 root root 4096 Mar 16 10:30 run
lrwxrwxrwx   1 root root    8 Jul 27  2020 sbin -> usr/sbin
drwxr-xr-x   2 root root 4096 Jul 27  2020 srv
dr-xr-xr-x  11 root root    0 Mar 19 14:05 sys
drwxrwxrwt   1 root root 4096 Mar 16 10:30 tmp
drwxr-xr-x   1 root root 4096 Jan  6 07:48 usr
drwxr-xr-x   1 root root 4096 Jan  6 07:48 var

sh-5.0$ exit
exit

However, if I run as root, via: docker run -it --entrypoint=/bin/sh quay.io/containers/skopeo:v1.2.0 (root is default as no USER is specified in the image), I am able to login:

sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)

sh-5.0# skopeo login -u iamapikey -p <redacted> uk.icr.io/<redacted>
Login Succeeded!

sh-5.0# ls -la /
total 64
drwxr-xr-x   1 root root 4096 Mar 19 14:06 .
drwxr-xr-x   1 root root 4096 Mar 19 14:06 ..
-rwxr-xr-x   1 root root    0 Mar 19 14:06 .dockerenv
-rw-------   1 root root  125 Mar 19 14:06 auth.json
lrwxrwxrwx   1 root root    7 Jul 27  2020 bin -> usr/bin
dr-xr-xr-x   2 root root 4096 Jul 27  2020 boot
drwxr-xr-x   5 root root  360 Mar 19 14:06 dev
drwxr-xr-x   1 root root 4096 Mar 19 14:06 etc
drwxr-xr-x   1 root root 4096 Mar 16 10:29 home
lrwxrwxrwx   1 root root    7 Jul 27  2020 lib -> usr/lib
lrwxrwxrwx   1 root root    9 Jul 27  2020 lib64 -> usr/lib64
drwx------   2 root root 4096 Jan  6 07:48 lost+found
drwxr-xr-x   2 root root 4096 Jul 27  2020 media
drwxr-xr-x   2 root root 4096 Jul 27  2020 mnt
drwxr-xr-x   2 root root 4096 Jul 27  2020 opt
dr-xr-xr-x 176 root root    0 Mar 19 14:06 proc
dr-xr-x---   2 root root 4096 Jan  6 07:48 root
drwxr-xr-x   1 root root 4096 Mar 16 10:30 run
lrwxrwxrwx   1 root root    8 Jul 27  2020 sbin -> usr/sbin
drwxr-xr-x   2 root root 4096 Jul 27  2020 srv
dr-xr-xr-x  11 root root    0 Mar 19 14:06 sys
drwxrwxrwt   1 root root 4096 Mar 16 10:30 tmp
drwxr-xr-x   1 root root 4096 Jan  6 07:48 usr
drwxr-xr-x   1 root root 4096 Jan  6 07:48 var

sh-5.0# exit
exit

Notice how when I run as root user, the /auth.json file gets created and is only given rw permissions to root user.

Is the expectation that I must include --authfile in the skopeo login command, such as:

skopeo login -u iamapikey -p <redacted> uk.icr.io/<redacted> --authfile /home/skopeo/auth.json

vrothberg commented 3 years ago

Thanks for reaching out and the thorough analysis!

The problem is that the image is built with REGISTRY_AUTH_FILE=/auth.json in the environment and with / only being writable by root, non-root users fail. I opened https://github.com/containers/skopeo/pull/1234 to change the path.

TomSweeneyRedHat commented 3 years ago

@vrothberg, is this issue a skopeo login only, or are buildah login and podman login also affected?

vrothberg commented 3 years ago

> @vrothberg, is this issue a skopeo login only, or are buildah login and podman login also affected?

In theory, if the buildah/podman images set the env variable in the same way, they'd be affected as well.

rhatdan commented 3 years ago

Podman and Buildah do not set that environment variable.

TomSweeneyRedHat commented 3 years ago

OK, good to know. Then we can tell folks to please try podman login or buildah login until this appears in a release.

vrothberg commented 3 years ago

How would that work in the skopeo container image?

namloc2001 commented 3 years ago

@TomSweeneyRedHat @vrothberg isn't the workaround, as I stated above, using --authfile <path/to/file>?

skopeo login -u iamapikey -p <redacted> uk.icr.io/<redacted> --authfile /home/skopeo/auth.json

vrothberg commented 3 years ago

@namloc2001, yes, that's a good workaround :+1:
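
The failure discussed in this thread (REGISTRY_AUTH_FILE pointing at a path the non-root user cannot write) can be caught with a pre-flight check before skopeo login runs. This is an added example, not code from the skopeo project or from the commenters; the function names and the fallback order are assumptions.

```shell
#!/bin/sh
# Added example, not skopeo project code. Function names are hypothetical.

# authfile_usable PATH: succeed if this user can create or rewrite PATH.
authfile_usable() {
    path=$1
    if [ -e "$path" ]; then
        # Existing entry: must be a regular file we may write.
        [ -f "$path" ] && [ -w "$path" ]
    else
        # New file: parent must be a writable, searchable directory.
        # "/" fails here for uid 1000, which is the error in the issue.
        dir=$(dirname "$path")
        [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
    fi
}

# pick_authfile: print the first usable candidate. Order is an assumption:
#   1. $REGISTRY_AUTH_FILE (set to /auth.json in the affected image)
#   2. $XDG_RUNTIME_DIR/containers/auth.json
#   3. $HOME/auth.json (same shape as the --authfile workaround above)
pick_authfile() {
    for cand in "${REGISTRY_AUTH_FILE:-}" \
                "${XDG_RUNTIME_DIR:+$XDG_RUNTIME_DIR/containers/auth.json}" \
                "${HOME:+$HOME/auth.json}"; do
        [ -n "$cand" ] || continue
        if authfile_usable "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no writable auth file location found" >&2
    return 1
}

# authfile_private PATH: succeed only if group and other have no access,
# i.e. the mode looks like the -rw------- seen in the root listing.
authfile_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage (registry and credentials omitted):
#   skopeo login --authfile "$(pick_authfile)" ...
```

Running authfile_private on the chosen file after login confirms the stored credentials are not readable by other users in the container.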