sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

podman allowed to pull although the "allow anonymous docker pull" is disabled #328

Closed venerari closed 5 months ago

venerari commented 5 months ago

Hi,

Podman is allowed to pull even if "allow anonymous docker pull" is disabled:

[ric@crc-centos8 ~]$ podman pull nexus-vm:5455/hello-world --tls-verify=false
Trying to pull nexus-vm:5455/hello-world:latest...
Getting image source signatures
Copying blob c1ec31eb5944 done
Copying config d2c94e258d done
Writing manifest to image destination
d2c94e258dcb3c5ac2798d32e1249e42ef01cba4841c2234249495f87264ac5a

unlike docker:

#docker pull nexus-vm:5455/hello-world
Using default tag: latest
Error response from daemon: Head "https://nexus-vm:5555/v2/hello-world/manifests/latest": no basic auth credentials
[root@ansible /home/ric]

Neither podman nor docker had logged in to the docker address before doing this.


Please fix this, it's a security risk.

Thanks, Venerari

mrprescott commented 5 months ago

@venerari Thanks for opening this. As it happens, the docker CLI doesn't actually support the concept of anonymous access; it always tries to authenticate. The global anonymous mode as originally implemented didn't work for Docker, which would try to log in regardless (and fail, and stop processing). For this reason, we added a special flag on Docker repositories to help the Docker CLI work in this anonymous way.

podman, on the other hand, does support anonymous mode more naturally. It doesn't try to log in proactively; as a result, enabling anonymous access mode globally is enough to let it access whatever repositories the anonymous role can access. The repository-level setting is irrelevant.

If you want to prevent anonymous access in this way, make sure you've turned off the global anonymous access setting.

We're aware that there are some UX improvements we could make here to make clearer how these work together, perhaps combining these settings entirely so it's all done in one place.
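The behaviour described in the comment above can be verified from the outside without relying on either CLI's login logic: a HEAD request to the registry's `/v2/<repo>/manifests/<tag>` endpoint with no credentials comes back 200 when anonymous pull is effectively on (what podman saw) and 401 when it is off (what docker reported as "no basic auth credentials"). The script below is an added example, not code from the Nexus project or from anyone in this thread. The hostnames `nexus-open` and `nexus-locked`, the `FakeRegistry` transport and the realm string are constructed so the script runs offline; against a real Nexus instance you would pass the real base URL and leave `opener` as `None`, and the verdict tells you whether the global anonymous setting is still letting unauthenticated clients pull.

```python
"""Probe a Docker registry endpoint for unauthenticated manifest access.

Added example (not Nexus project code). It sends one credential-less HEAD
request per registry and classifies the answer, so an operator can confirm
that turning off global anonymous access really closed the pull path.
"""
import email.message
import urllib.error
import urllib.request

# Accept header a Docker client sends when it wants a v2 manifest.
MANIFEST_ACCEPT = "application/vnd.docker.distribution.manifest.v2+json"


def probe_manifest(base_url, repo, ref="latest", opener=None, timeout=10):
    """HEAD /v2/<repo>/manifests/<ref> with NO Authorization header.

    Returns (http_status, www_authenticate_header). A 401 here is exactly what
    the docker CLI surfaces as "no basic auth credentials".
    """
    url = f"{base_url.rstrip('/')}/v2/{repo}/manifests/{ref}"
    req = urllib.request.Request(url, method="HEAD", headers={"Accept": MANIFEST_ACCEPT})
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "") or ""
    except urllib.error.HTTPError as err:
        # 401/403/404 are delivered as exceptions by urllib; keep the challenge header.
        return err.code, (err.headers.get("WWW-Authenticate", "") if err.headers else "") or ""


def classify(status, www_authenticate):
    """Turn a raw status into an operator-facing verdict."""
    if status == 200:
        return "anonymous-pull-allowed"      # what podman got in the report
    if status == 401:
        return "auth-required"               # what docker got in the report
    if status == 404:
        return "inconclusive"                # repo/tag missing: says nothing about auth
    return "unexpected"


def check_registry(base_url, repo="hello-world", ref="latest", opener=None):
    """Probe one registry and return a small report dict."""
    status, challenge = probe_manifest(base_url, repo, ref, opener=opener)
    return {
        "url": f"{base_url.rstrip('/')}/v2/{repo}/manifests/{ref}",
        "status": status,
        "challenge": challenge,
        "verdict": classify(status, challenge),
    }


# ---- constructed offline stand-in for a registry (not a real Nexus) ----------
class _FakeResponse:
    def __init__(self, status, headers):
        self.status = status
        self.headers = headers

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeRegistry:
    """Maps full URL -> (status, WWW-Authenticate) and mimics urllib's opener."""

    def __init__(self, responses):
        self.responses = responses

    def open(self, req, timeout=None):
        status, challenge = self.responses[req.full_url]
        hdrs = email.message.Message()
        if challenge:
            hdrs["WWW-Authenticate"] = challenge
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", hdrs, None)
        return _FakeResponse(status, hdrs)


# Constructed sample: one registry with global anonymous access on, one with it off.
SAMPLE_REGISTRY = FakeRegistry({
    "https://nexus-open:5455/v2/hello-world/manifests/latest": (200, ""),
    "https://nexus-locked:5455/v2/hello-world/manifests/latest":
        (401, 'Basic realm="constructed-example"'),
})


if __name__ == "__main__":
    for host in ("https://nexus-open:5455", "https://nexus-locked:5455"):
        report = check_registry(host, opener=SAMPLE_REGISTRY)
        print(f"{report['url']}: HTTP {report['status']} -> {report['verdict']}")
```

A 401 verdict means an unauthenticated pull is refused regardless of what podman or docker would do with the challenge; a 200 means the anonymous role can read the repository, so the repository-level Docker flag alone is not protecting it and the global anonymous setting is the one to revisit. A 404 is deliberately reported as inconclusive, because a missing tag would be refused for anonymous and authenticated clients alike.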

venerari commented 5 months ago

@mrprescott Thanks for your reply. I thought there was a workaround for that: I need to make the nexus hosted login like docker-hosted or maven-hosted. More power.