|
2 | 2 | # Secrets (e.g. container pull secrets)
|
3 | 3 |
|
4 | 4 | To have `bootc` fetch updates from registry which requires authentication,
|
5 |
| -you must include a pull secret in `/etc/ostree/auth.json` (or |
6 |
| -as of recent versions in `/usr/lib/ostree/auth.json`). |
| 5 | +you must include a pull secret in one of `/etc/ostree/auth.json`, |
| 6 | +`/run/ostree/auth.json` or `/usr/lib/ostree/auth.json`. |
7 | 7 |
|
8 |
| -Another common case is to also fetch container images via |
9 |
| -`podman` or equivalent. There is a [pull request to add `/etc/containers/auth.json`](https://github.com/containers/image/pull/1746) |
10 |
| -which would be shared by the two stacks by default. |
| 8 | +The path to the authentication file differs from that used |
| 9 | +by e.g. `podman` by default as some of the file paths used |
| 10 | +there are not appropriate for system services (e.g. reading |
| 11 | +the `/root` home directory). |
11 | 12 |
|
12 | 13 | Regardless, injecting this data is a good example of a generic
|
13 | 14 | "secret". The bootc project does not currently include one
|
14 | 15 | single opinionated mechanism for secrets.
|
15 | 16 |
|
| 17 | +## Synchronizing the bootc and podman credentials |
| 18 | + |
| 19 | +See the [containers-auth.json](https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md) man page. In many cases, you will |
| 20 | +want to keep both the bootc and podman/skopeo credentials |
| 21 | +in sync. One pattern is to symlink the two via e.g. a systemd `tmpfiles.d` fragment. |
| 22 | + |
| 23 | +If you have a process invoking `podman login` (which by default writes to |
| 24 | +an ephemeral `$XDG_RUNTIME_DIR/containers/auth.json`) you can then |
| 25 | +`ln -s /run/user/0/containers/auth.json /run/ostree/auth.json`. |
| 26 | + |
| 27 | +## Performing an explicit login |
| 28 | + |
| 29 | +If you have automation (or manual processes) performing a login, |
| 30 | +you can pass `--authfile` to set the bootc authfile explicitly; |
| 31 | +for example |
| 32 | + |
| 33 | +```bash |
| 34 | +echo <somepassword> | podman login --authfile /run/ostree/auth.json -u someuser --password-stdin |
| 35 | +``` |
| 36 | + |
| 37 | +This pattern of using the ephemeral location in `/run` can work |
| 38 | +well when the credentials are derived on system start from |
| 39 | +an external system. For example, `aws ecr get-login-password --region region` |
| 40 | +as suggested by [this document](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Podman.html). |
| 41 | + |
| 42 | +You can also use the machine-local persistent location `/etc/ostree/auth.json` |
| 43 | +via this method. |
| 44 | + |
16 | 45 | ## Using a credential helper
|
17 | 46 |
|
18 | 47 | In order to use a credential helper as configured in `registries.conf`
|