Skip to content

Reset SystemContext.DockerAuthConfig when using mirrors at different registries #625

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mtrmac merged 1 commit into from
May 13, 2019
Merged

Reset SystemContext.DockerAuthConfig when using mirrors at different registries #625

mtrmac merged 1 commit into from
May 13, 2019

Conversation

@mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented May 11, 2019

This was brought up sometime during the reviews, but was apparently lost.

Consider registries.conf:

[[registry]]
location = "example.com"
mirror = [
	{ location = "docker.io" },
	{ location = "registry.access.redhat.com" },
	{ location = "registry.redhat.io" },
	{ location = "registry.fedoraproject.org" },
]

Then

skopeo --registries-conf registries.conf copy --src-creds foo:bar docker://example.com/foo/bar dir:t

currently sends the foo:bar to every mirror that requires authentication, not just to example.com; that seems clearly undesirable.

So, clear SystemContext.DockerAuthConfig when using a mirror at a different registry than the one specified by the user; if the mirrors require credentials, they have to be set up in the auth file, e.g. by podman login.

@vrothberg @saschagrunert PTAL.

(#588 may be relevant for more discussion about DockerAuthConfig)

@saschagrunert saschagrunert mentioned this pull request May 11, 2019
Open
9 tasks
@saschagrunert
Copy link
Member

saschagrunert commented May 13, 2019
edited
Loading

LGTM, but the CI seems to need a rebump. Maybe a test case in skopeo or a unit test here would be good to add.

@vrothberg
Copy link
Member

vrothberg commented May 13, 2019

LGTM. I opened #627 to make CI pass again. ubuntu:artful (i.e., 17:10) hit EOL.

@mtrmac
Reset SystemContext.DockerAuthConfig when using mirrors at different …
88dba62 
…registries

.. so that we don't send credentials intended for the primary endpoint to mirrors.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac mtrmac force-pushed the mirror-no-credentials branch from 99fc419 to 88dba62 Compare May 13, 2019 19:29
@mtrmac mtrmac mentioned this pull request May 13, 2019
Merged
@mtrmac mtrmac merged commit defcee8 into containers:master May 13, 2019
@mtrmac mtrmac deleted the mirror-no-credentials branch May 13, 2019 20:22
This was referenced Sep 10, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtrmac @saschagrunert @vrothberg