Description
Sandbox controller doesn't pass `credentials` down to `PullImage` (it passes `nil`):

containerd/internal/cri/server/podsandbox/sandbox_run.go, lines 310 to 316 in 1e6fdb5:

```go
// Pull image to ensure the image exists
// TODO: Cleaner interface
imageID, err := c.imageService.PullImage(ctx, ref, nil, config, runtimeHandler)
if err != nil {
	return nil, fmt.Errorf("failed to pull image %q: %w", ref, err)
}
newImage, err := c.imageService.GetImage(imageID)
```

If hosts `config_path` is set, the path taken is:

containerd/internal/cri/server/images/image_pull.go, lines 415 to 417 in 1e6fdb5:

```go
	UpdateClient: updateClientFn,
}
hostOptions.Credentials = credentials
```

As `credentials` is nil, proper auth is never attached.

When a container (not a sandbox) is created, another path to `PullImage` sets the credentials properly:

containerd/internal/cri/server/images/image_pull.go, lines 102 to 112 in 1e6fdb5:

```go
credentials := func(host string) (string, string, error) {
	hostauth := r.GetAuth()
	if hostauth == nil {
		config := c.config.Registry.Configs[host]
		if config.Auth != nil {
			hostauth = toRuntimeAuthConfig(*config.Auth)
		}
	}
	return ParseAuth(hostauth, host)
}
```

(if hosts are not configured, another path is taken which re-reads auth from ImageService config, so the issue doesn't appear)
Steps to reproduce the issue
Configure the sandbox image to be hosted in a repository behind auth:
```toml
[plugins]
[plugins."io.containerd.cri.v1.images".pinned_images]
sandbox = "my-secret-registry/pause:3.10"
[plugins.'io.containerd.cri.v1.images'.registry.configs.'my-secret-registry'.auth]
username = 'root'
password = 'secret'
```
Make sure hosts_directory is set (otherwise the code path taken is different, and the issue is not reproducible):
```toml
[plugins.'io.containerd.cri.v1.images'.registry]
config_path = '/etc/cri/conf.d/hosts'
```
Describe the results you received and expected
Expected success; instead, the pod sandbox is not created, with a `401 Unauthorized` error, as credentials are not passed.
What version of containerd are you using?
v2.0.0-rc.6 + main
Any other relevant information
No response
Show configuration if it is related to CRI plugin.
No response
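
An added example, not part of the original report and not containerd code: a minimal Go model of the failure described above, where a pull helper attaches auth only when it is handed a credentials callback. The types, the mock `registry` handler and `configCredentials` are hypothetical stand-ins, and the Basic-auth check is an assumption made to keep the example offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Simplified stand-ins for illustration; these are not containerd's types.
type authConfig struct{ Username, Password string }
type credentialsFn func(host string) (string, string, error)

// Constructed sample mirroring the registry.configs auth entry in the report.
var registryConfigs = map[string]authConfig{
	"my-secret-registry": {Username: "root", Password: "secret"},
}

// registry is a mock endpoint that rejects requests without the right Basic auth.
var registry = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if u, p, ok := r.BasicAuth(); !ok || u != "root" || p != "secret" {
		w.WriteHeader(http.StatusUnauthorized)
	}
})

// pull attaches auth only when a callback is supplied: nil means an anonymous request.
func pull(host string, creds credentialsFn) (int, error) {
	req := httptest.NewRequest(http.MethodGet, "https://"+host+"/v2/", nil)
	if creds != nil {
		user, pass, err := creds(host)
		if err != nil {
			return 0, err
		}
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	registry.ServeHTTP(rec, req)
	return rec.Code, nil
}

// configCredentials resolves auth from the per-host config table instead of passing nil.
func configCredentials(host string) (string, string, error) {
	a := registryConfigs[host]
	return a.Username, a.Password, nil
}

func main() {
	anon, _ := pull("my-secret-registry", nil)
	authed, _ := pull("my-secret-registry", configCredentials)
	fmt.Println(anon, authed)
}
```

The nil call is rejected with 401 even though valid credentials exist in the config table, which is why a regression test for a pull path should assert on the authenticated case rather than only on "no error from the callback".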