Podman Registry Pull Fails within OCP 4 Node

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/03 at 02:48 PM

 

Category:
RH OpenShift
Troubleshooting

Issue:


Pulling images fails on OCP 4 nodes. Typically, this shows up as one of the OCP4 images not updating for the node operators.

Error:
sh-4.x# podman pull registry.redhat.io/openshift4/<image_name>
Failed to pull image "registry.redhat.io/openshift4/<image-operator>@sha256:abc12345": rpc error: code = Unknown desc = unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials.


Cause:


After confirming the @sha256:abc12345 service account is valid...

The podman login command doesn't store its credentials, as they would be in clear text. They are therefore not available to the subsequent podman pull command. With OCP4, podman pull therefore requires credentials passed via the --authfile parameter, pointing to a local config.json file containing the credential.


Workaround/Solution:


Provide the secret via the kubelet/config.json file:
sh-4.x# podman pull registry.redhat.io/openshift4/<image_name> --authfile /var/lib/kubelet/config.json

Note:
- After successful authentication, the credentials are re-used by OCP (and actually by podman) for the next registry pull. The authorization is stored in:
${XDG_RUNTIME_DIR}/containers/auth.json

Sample format of auth.json:

{
    "auths": {
        "https://registry.redhat.io": {
            "auth": "abc12qrs3t4UvwXyz"
        }
    }
}
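
Added example (not part of the original article and not Red Hat code): a pre-flight check for the file passed to --authfile, confirming it has a usable entry for the registry and is not readable by group/other. In this file format the "auth" value is only the base64 encoding of username:password, so file permissions are what protect it. The function names and the sample credential are hypothetical/constructed.

```python
import base64
import json
import os
import tempfile


def registry_host(key):
    """Reduce an "auths" key such as https://registry.redhat.io/v1 to its host."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def check_authfile(path, registry="registry.redhat.io"):
    """Return a list of problems found for `registry` in a containers auth file."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"file mode {mode:04o} lets group/other access the credential")
    try:
        with open(path, encoding="utf-8") as fh:
            auths = json.load(fh)["auths"]
        entries = [v for k, v in auths.items() if registry_host(k) == registry]
    except (ValueError, KeyError, TypeError, AttributeError):
        return problems + ["file is not a JSON object with an 'auths' map"]
    if not entries:
        return problems + [f"no entry for {registry}"]
    token = entries[0].get("auth", "") if isinstance(entries[0], dict) else ""
    try:  # decode locally; the secret itself is never printed or returned
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, TypeError):
        return problems + ["'auth' is not valid base64"]
    if not (user and sep and password):
        problems.append("'auth' does not decode to user:password")
    return problems


def demo():
    """Run the check on two constructed files; the credential is made up."""
    good = base64.b64encode(b"example-user:example-token").decode()
    results = {}
    for name, token, mode in [("ok", good, 0o600), ("bad", "abc12qrs3t4UvwXyz", 0o644)]:
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
            json.dump({"auths": {"https://registry.redhat.io": {"auth": token}}}, fh)
        os.chmod(fh.name, mode)
        results[name] = check_authfile(fh.name)
        os.unlink(fh.name)
    return results


if __name__ == "__main__":
    print(demo())
```

On a node, check_authfile("/var/lib/kubelet/config.json") returning an empty list means the file has a well-formed entry for registry.redhat.io; it does not prove the registry will accept the credential.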



---


Standard authentication during pull tests:
sh-4.x# podman pull registry.redhat.io/rhel8/<image_name>
Username: myrhloginid
Password: abcd1234


sh-4.x# podman pull registry.redhat.io/openshift4/<image_name>
Username: myrhloginid
Password: abcd1234




