containerd (v2.0.0) fails to provide credentials when pulling sandbox image #10916

@smira

Description

Sandbox controller doesn't pass credentials down to PullImage (it passes nil):

    // Pull image to ensure the image exists
    // TODO: Cleaner interface
    imageID, err := c.imageService.PullImage(ctx, ref, nil, config, runtimeHandler)
    if err != nil {
        return nil, fmt.Errorf("failed to pull image %q: %w", ref, err)
    }
    newImage, err := c.imageService.GetImage(imageID)

If hosts config_path is set, the path taken is:

        UpdateClient: updateClientFn,
    }
    hostOptions.Credentials = credentials

As credentials is nil, proper auth is never attached.

When a container (not a sandbox) is created, another path to PullImage sets the credentials properly:

    credentials := func(host string) (string, string, error) {
        hostauth := r.GetAuth()
        if hostauth == nil {
            config := c.config.Registry.Configs[host]
            if config.Auth != nil {
                hostauth = toRuntimeAuthConfig(*config.Auth)
            }
        }
        return ParseAuth(hostauth, host)
    }

(if hosts are not configured, another path is taken which re-reads auth from ImageService config, so the issue doesn't appear)

Steps to reproduce the issue

Configure the sandbox image to be hosted in a repository behind auth:

    [plugins]
      [plugins."io.containerd.cri.v1.images".pinned_images]
        sandbox = "my-secret-registry/pause:3.10"

      [plugins.'io.containerd.cri.v1.images'.registry.configs.'my-secret-registry'.auth]
        username = 'root'
        password = 'secret'

Make sure hosts_directory is set (otherwise the code path taken is different, and the issue is not reproducible):

    [plugins.'io.containerd.cri.v1.images'.registry]
      config_path = '/etc/cri/conf.d/hosts'

Describe the results you received and expected

Expected success, instead pod sandbox is not created with 401 Unauthorized error, as credentials are not passed.

What version of containerd are you using?

v2.0.0-rc.6 + main

Any other relevant information

No response

Show configuration if it is related to CRI plugin.

No response
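
The failure mode reported above, as an added Go sketch that is not containerd code and not part of the original issue. `credFunc`, `authConfig`, `configCreds`, `pullStatus` and the in-memory `registry` stub are hypothetical names, and HTTP Basic auth stands in for the registry's real auth flow; the point is that a nil credentials callback yields an anonymous request, while the callback built from the registry configs authenticates.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Simplified stand-ins for this example; these are not containerd's own types.
type credFunc func(host string) (user, secret string, err error)
type authConfig struct{ Username, Password string }

// configCreds mirrors the container path: resolve auth from the registry configs by host.
func configCreds(configs map[string]authConfig) credFunc {
	return func(host string) (string, string, error) {
		a := configs[host] // zero value means no auth configured for this host
		return a.Username, a.Password, nil
	}
}

// registry is a constructed stub that accepts only root/secret, as in the issue's config.
var registry = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if u, p, ok := r.BasicAuth(); !ok || u != "root" || p != "secret" {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
})

// pullStatus models the config_path branch: creds is used exactly as passed,
// so a nil callback sends the request without an Authorization header.
func pullStatus(host string, creds credFunc) int {
	req := httptest.NewRequest(http.MethodGet, "/v2/pause/manifests/3.10", nil)
	if creds != nil {
		if user, secret, err := creds(host); err == nil && user != "" {
			req.SetBasicAuth(user, secret)
		}
	}
	rec := httptest.NewRecorder()
	registry.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	configs := map[string]authConfig{"my-secret-registry": {"root", "secret"}}
	fmt.Println("sandbox path (nil creds):", pullStatus("my-secret-registry", nil))
	fmt.Println("container path:", pullStatus("my-secret-registry", configCreds(configs)))
}
```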

Labels: area/cri [Container Runtime Interface (CRI)], kind/bug
