On Fri, Feb 5, 2021 at 1:53 PM Valentin Rothberg <rothberg(a)redhat.com>
wrote:
On Wed, Feb 3, 2021 at 9:54 PM Ioan Rogers via Podman <
podman(a)lists.podman.io> wrote:
> Hi,
>
> > I'm on Ubuntu, and I've recently encountered an issue when trying to
> > use rootless podman with the docker-credential-gcloud helper installed via
> > snap.
> > This works fine when using the official google-cloud-sdk apt packages,
> > and it used to work with snap packages until last October.
>
> Do you recall if it broke with an update to Podman?
>
>
> I forgot to mention that this also happens with buildah, but I guess they
> share the same code for pulling and pushing?
>
> Well, yikes, my shell history shows that this first happened in July, but
> I decided to just do my builds somewhere else and deal with it later.
> "Later" didn't
> come until November, when I next tried to push something, and ended up
> uninstalling the gcloud snap.
>
> So this was when I first encountered it, according to my history:
> 2020-07-07 strace -ff -o tr buildah push --authfile auth.json gcr.io/private/image:xxx
> (I do still have those trace files, but I'm not sure if they would have
> anything private in them, so I won't post them here)
>
> The last update before that was on 2020-06-24, buildah from 1.14.9~1 to
> 1.15.0~1 and podman from 1.9.3~1 to 2.0.0~1.
>
> Unfortunately, my shell history doesn't go back before June, but there are a
> couple of images which would've only been pushed by me to the registry, which
> are dated 2020-05-20.
> At that point, apt history shows buildah 1.14.9~1, so 1.15.0 does seem
> the likely suspect.
>
>
> > So it looks like the credential helper is being executed as root now.
> > I'm not sure in which component the problem lies, or where I should file an
> > issue.
> > Any pointers would be appreciated.
>
> I suspect that's due to the user namespace rootless Podman runs in.
>
>
> Is it possible that podman/buildah used to call the credhelper before
> setting up the user namespace?
>
While I'd love this to be possible, it would require major changes in our
architecture. All our tools create the user namespace and rexec into it
during start up.
However, I opened a pull request [1] against the GCR credential helper. If
the helper gives precedence to $HOME, it should work well with Podman.
Let's see if the maintainers like the change.
The only other alternative I can see at the moment is to run as root.
Kind regards,
Valentin
[1] https://github.com/GoogleCloudPlatform/docker-credential-gcr/pull/85
The PR for the docker-credential-gcr helper just merged.
Kind regards,
Valentin
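An added illustration of the $HOME-precedence point discussed above (this is example code, not from the thread or from the docker-credential-gcr project): inside rootless Podman's user namespace the helper process sees uid 0, so a helper that resolves its config directory through the passwd database lands in /root, while one that checks $HOME first still finds the invoking user's files. The function names and the ".config/gcloud" subpath are assumptions for illustration.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"path/filepath"
)

// homeFromPasswd resolves the home directory via the passwd database for the
// current uid. Under rootless Podman (e.g. `podman unshare`) the process runs
// as uid 0 inside the user namespace, so this yields /root, not the user's home.
func homeFromPasswd() (string, error) {
	u, err := user.Current()
	if err != nil {
		return "", err
	}
	return u.HomeDir, nil
}

// homeDir gives precedence to $HOME, which rootless Podman leaves pointing at
// the real user's home, and only falls back to the passwd lookup if it is unset.
func homeDir() (string, error) {
	if h := os.Getenv("HOME"); h != "" {
		return h, nil
	}
	return homeFromPasswd()
}

// credentialStorePath is where a helper following this rule would keep its
// per-user state. The ".config/gcloud" subpath is an assumed layout, not the
// real helper's.
func credentialStorePath() (string, error) {
	h, err := homeDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(h, ".config", "gcloud"), nil
}

func main() {
	// Run this once normally and once under `podman unshare` to see the two
	// strategies diverge while $HOME stays stable.
	pw, _ := homeFromPasswd()
	env, _ := homeDir()
	fmt.Printf("passwd says %q, $HOME-first says %q\n", pw, env)
}
```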