RUN-3247

[containers/podman] Podman auto update doesn't use credentials from quadlet .image

    • rhel-container-tools

      [3165303930] Upstream Reporter: Uumas
      Upstream issue status: Open
      Upstream description:

      Issue Description

      I have a service.container with:

      [Container]
      Image=service.image
      AutoUpdate=registry
      ...

      and service.image:

      [Image]
      Image=ghcr.io/user/private-repo:latest
      Creds=user:password

      Podman auto updates don't work as it doesn't use the credentials.

      Steps to reproduce the issue

      1. Create an image in a registry requiring credentials to pull.
      2. Create a quadlet .container file referencing a .image file, with auto update from registry enabled.
      3. In the .image file, point to the image in the private registry, with credentials.
      4. Start the container. This will pull the image and start it.
      5. Run podman-auto-update.service. It will fail to pull the image as it doesn't use the credentials.

      Describe the results you received

      When podman-auto-update.service runs, it fails with: Error: checking image updates for container <container hash>: unable to retrieve auth token: invalid username/password: unauthorized

      Describe the results you expected

      I expected it to use the same credentials originally used to pull the image

      podman info output

      host:
        arch: arm64
        buildahVersion: 1.39.3
        cgroupControllers:
        - cpuset
        - cpu
        - io
        - memory
        - hugetlb
        - pids
        - rdma
        - misc
        cgroupManager: systemd
        cgroupVersion: v2
        conmon:
          package: conmon_2.1.12-4_arm64
          path: /usr/bin/conmon
          version: 'conmon version 2.1.12, commit: unknown'
        cpuUtilization:
          idlePercent: 98.3
          systemPercent: 0.54
          userPercent: 1.15
        cpus: 4
        databaseBackend: sqlite
        distribution:
          codename: trixie
          distribution: debian
          version: unknown
        eventLogger: journald
        freeLocks: 2032
        hostname: jalka
        idMappings:
          gidmap: null
          uidmap: null
        kernel: 6.11.5-arm64
        linkmode: dynamic
        logDriver: journald
        memFree: 843788288
        memTotal: 8119738368
        networkBackend: netavark
        networkBackendInfo:
          backend: netavark
          dns:
            package: aardvark-dns_1.14.0-3_arm64
            path: /usr/lib/podman/aardvark-dns
            version: aardvark-dns 1.14.0
          package: netavark_1.14.0-2_arm64
          path: /usr/lib/podman/netavark
          version: netavark 1.14.0
        ociRuntime:
          name: crun
          package: crun_1.20-1_arm64
          path: /usr/bin/crun
          version: |-
            crun version 1.20
            commit: 9c9a76ac11994701dd666c4f0b869ceffb599a66
            rundir: /run/crun
            spec: 1.0.0
            +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
        os: linux
        pasta:
          executable: ""
          package: ""
          version: ""
        remoteSocket:
          exists: true
          path: /run/podman/podman.sock
        rootlessNetworkCmd: pasta
        security:
          apparmorEnabled: false
          capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
          rootless: false
          seccompEnabled: true
          seccompProfilePath: /usr/share/containers/seccomp.json
          selinuxEnabled: false
        serviceIsRemote: false
        slirp4netns:
          executable: ""
          package: ""
          version: ""
        swapFree: 0
        swapTotal: 0
        uptime: 5162h 30m 20.00s (Approximately 215.08 days)
        variant: v8
      plugins:
        authorization: null
        log:
        - k8s-file
        - none
        - passthrough
        - journald
        network:
        - bridge
        - macvlan
        - ipvlan
        volume:
        - local
      registries: {}
      store:
        configFile: /usr/share/containers/storage.conf
        containerStore:
          number: 10
          paused: 0
          running: 10
          stopped: 0
        graphDriverName: overlay
        graphOptions: {}
        graphRoot: /var/lib/containers/storage
        graphRootAllocated: 80321626112
        graphRootUsed: 35366531072
        graphStatus:
          Backing Filesystem: extfs
          Native Overlay Diff: "true"
          Supports d_type: "true"
          Supports shifting: "true"
          Supports volatile: "true"
          Using metacopy: "false"
        imageCopyTmpDir: /var/tmp
        imageStore:
          number: 22
        runRoot: /run/containers/storage
        transientStore: false
        volumePath: /var/lib/containers/storage/volumes
      version:
        APIVersion: 5.4.1
        BuildOrigin: Debian
        Built: 1742477809
        BuiltTime: Thu Mar 20 13:36:49 2025
        GitCommit: ""
        GoVersion: go1.24.1
        Os: linux
        OsArch: linux/arm64
        Version: 5.4.1
      

      Podman in a container

      No

      Privileged Or Rootless

      None

      Upstream Latest Release

      No

      Additional environment details

      Checked the release notes up to 5.5.1 and no mention of anything related

      Additional information

      No response


      Upstream URL: https://github.com/containers/podman/issues/26484
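
A check for the configuration described in the report, as an added example (not part of the upstream issue or of Podman): the shell function below lists quadlet .container units that set AutoUpdate=registry and reference a .image unit carrying inline Creds=. The function names and the sample unit files are constructed for illustration.

```shell
#!/bin/sh
# find_affected_units DIR
# Prints "<container unit> -> <image unit>" for every .container file in DIR
# that enables registry auto-update and pulls through a .image file with Creds=.
# DIR is a quadlet unit directory, e.g. /etc/containers/systemd for rootful Podman.
find_affected_units() {
    dir=$1
    for unit in "$dir"/*.container; do
        [ -f "$unit" ] || continue
        # The unit must enable auto-update from the registry.
        grep -Eq '^[[:space:]]*AutoUpdate[[:space:]]*=[[:space:]]*registry[[:space:]]*$' "$unit" || continue
        # Image= must name a .image unit rather than an image reference.
        ref=$(sed -n 's/^[[:space:]]*Image[[:space:]]*=[[:space:]]*\(.*\.image\)[[:space:]]*$/\1/p' "$unit" | tail -n 1)
        [ -n "$ref" ] || continue
        image_unit="$dir/$ref"
        [ -f "$image_unit" ] || continue
        # Inline Creds= is the setting the report says auto-update does not use.
        if grep -Eq '^[[:space:]]*Creds[[:space:]]*=' "$image_unit"; then
            printf '%s -> %s\n' "$unit" "$image_unit"
        fi
    done
}

# Constructed sample: the pair from the report plus a pair without credentials.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[Container]\nImage=service.image\nAutoUpdate=registry\n' > "$d/service.container"
    printf '[Image]\nImage=ghcr.io/user/private-repo:latest\nCreds=user:password\n' > "$d/service.image"
    printf '[Container]\nImage=public.image\nAutoUpdate=registry\n' > "$d/public.container"
    printf '[Image]\nImage=registry.example/public:latest\n' > "$d/public.image"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
find_affected_units "$sample"
rm -rf "$sample"
```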
