containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

LDAP users can't use `containers-storage` transport #2020

Closed mtalexan closed 12 months ago

mtalexan commented 1 year ago

When an LDAP user that has been successfully using podman tries to copy an image with the containers-storage transport, skopeo complains with an error. All output formats and images produce the same error:

```
$ cd ~
$ podman pull fedora:37
...snip...
$ echo $?
0
$ skopeo copy containers-storage:fedora:37 oci:fedora_37
ERRO[0000] error determining current user: user: unknown userid 1684455083
```

In this case skopeo is being run by the user trying to access their own default podman container cache storage from the bare metal system, and the user is an LDAP/ActiveDirectory user.

No such issue exists when using podman commands from the same user.

Skopeo version: 1.11.1


This type of issue often comes up when an application incorrectly tries to parse a username from a UID or vice versa by manually examining /etc/passwd. The only valid way to get this information on a Linux system using PAM is to use getent passwd; parsing /etc/passwd or /etc/shadow directly is explicitly incorrect. While I'm not sure if this is the actual cause, it's a common error pattern I thought I'd mention.

mtrmac commented 1 year ago

Thanks for your report.

Where did that Skopeo binary come from, and how was it compiled? This is because user.Current is failing; compare the top paragraphs at https://pkg.go.dev/os/user .

mtalexan commented 1 year ago

If I'm understanding, the module used for user parsing is dependent on what's available during the build, with the fallback implementation being one that parses the files directly. Correct?

I installed both podman and skopeo using Nix from the nix-store onto an Ubuntu system, so maybe the build definition for skopeo is missing something podman has.

mtrmac commented 1 year ago

That’s how I understand things as well.

From a quick look comparing https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/tools/skopeo/default.nix and https://github.com/NixOS/nixpkgs/blob/cce724adc339049505b4fc5f9fbf6d7ca274cb3b/pkgs/applications/virtualization/podman/default.nix I can’t see an obvious cause, but I’m unfamiliar with Nix.

If a manually-built binary works as expected, I’d recommend reporting this to the Nix package maintainers.
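
A small diagnostic for the situation discussed in this thread, added here as an example (not code from skopeo or from any commenter): it compares what Go's `os/user` returns for a UID with what `getent passwd` returns through NSS. The `jdoe` record and the helper names `parsePasswdLine` and `classify` are hypothetical; the UID is the one from the report.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strings"
)

// Constructed sample: the UID from the report with a made-up passwd record.
var sampleErr error = user.UnknownUserIdError(1684455083)
const sampleLine = "jdoe:*:1684455083:1684455083:J Doe:/home/jdoe:/bin/bash\n"

// parsePasswdLine returns the login name from one passwd(5) record
// (name:passwd:uid:gid:gecos:home:shell), the format getent prints.
func parsePasswdLine(line string) (string, bool) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) != 7 || f[0] == "" {
		return "", false
	}
	return f[0], true
}

// classify compares the os/user result with the getent result for one UID.
func classify(lookupErr error, getentLine string) string {
	name, nssKnows := parsePasswdLine(getentLine)
	var unknown user.UnknownUserIdError
	switch {
	case lookupErr == nil:
		return "ok: os/user resolved the UID"
	case errors.As(lookupErr, &unknown) && nssKnows:
		return "mismatch: NSS resolves " + name + " but this binary's os/user lookup does not"
	case errors.As(lookupErr, &unknown):
		return "unknown: neither os/user nor getent knows this UID"
	default:
		return "error: " + lookupErr.Error()
	}
}

func main() {
	fmt.Println("constructed:", classify(sampleErr, sampleLine))
	uid := fmt.Sprint(os.Getuid())
	_, err := user.LookupId(uid)
	// getent resolves through the system NSS configuration (files, sss, ldap, ...).
	out, _ := exec.Command("getent", "passwd", uid).Output()
	fmt.Println("live:", classify(err, string(out)))
}
```

Build it the same way as the binary under suspicion (for example with and without `CGO_ENABLED=0`) and run it as the affected user; a `mismatch` result points at the build or its libc environment rather than at the directory service.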

github-actions[bot] commented 12 months ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 12 months ago

I am closing this, since I don't believe this is our issue.