commit 2

Signed-off-by: jason yang <jasonyangshadow@gmail.com>

cmd/internal/cli/keyserver.go

@@ -206,7 +206,7 @@ var KeyserverLogoutCmd = &cobra.Command{
 			name = args[0]
 		}
 
-		if err := apptainer.KeyserverLogout(remoteConfig, name); err != nil {
+		if err := apptainer.KeyserverLogout(remoteConfig, name, reqAuthFile); err != nil {
 			sylog.Fatalf("%s", err)
 		}
 		sylog.Infof("Logout succeeded")

cmd/internal/cli/pull.go

@@ -295,7 +295,7 @@ func pullRun(cmd *cobra.Command, args []string) {
 			NoHTTPS:     noHTTPS,
 			NoCleanUp:   buildArgs.noCleanUp,
 			Pullarch:    arch,
-			OciAuthFile: reqAuthFile,
+			ReqAuthFile: reqAuthFile,
 		}
 
 		_, err = oci.PullToFile(ctx, imgCache, pullTo, pullFrom, pullOpts)

cmd/internal/cli/registry.go

@@ -115,7 +115,7 @@ var RegistryLogoutCmd = &cobra.Command{
 			name = args[0]
 		}
 
-		if err := apptainer.RegistryLogout(remoteConfig, name); err != nil {
+		if err := apptainer.RegistryLogout(remoteConfig, name, reqAuthFile); err != nil {
 			sylog.Fatalf("%s", err)
 		}
 		sylog.Infof("Logout succeeded")

e2e/internal/e2e/home.go

@@ -20,6 +20,7 @@ import (
 	"text/template"
 
 	"github.com/apptainer/apptainer/internal/pkg/buildcfg"
+	"github.com/apptainer/apptainer/internal/pkg/util/fs"
 	"github.com/apptainer/apptainer/internal/pkg/util/user"
 	"github.com/pkg/errors"
 )
@@ -102,14 +103,41 @@ func SetupHomeDirectories(t *testing.T, testRegistry string) {
 			err = errors.Wrapf(err, "creating temporary home directory at %s", unprivSessionHome)
 			t.Fatalf("failed to create temporary home: %+v", err)
 		}
-		if err := os.Chown(unprivSessionHome, int(unprivUser.UID), int(unprivUser.GID)); err != nil {
+		if err := os.Mkdir(filepath.Join(unprivSessionHome, ".apptainer"), 0o700); err != nil {
+			err = errors.Wrapf(err, "creating temporary .apptainer suvdirectory at %s", unprivSessionHome)
+			t.Fatalf("failed to create apptainer subdirectory: %+v", err)
+		}
+		// No need to check for errors on this - if the file is accessible in the original location, this will work; and if it isn't, it won't.
+		fs.CopyFile(
+			filepath.Join(unprivUser.Dir, ".apptainer", "docker-config.json"),
+			filepath.Join(unprivSessionHome, ".apptainer", "docker-config.json"),
+			0o600,
+		)
+		// Recursive chown
+		if err := filepath.Walk(unprivSessionHome, func(name string, info os.FileInfo, err error) error {
+			if err == nil {
+				err = os.Chown(name, int(unprivUser.UID), int(unprivUser.GID))
+			}
+			return err
+		}); err != nil {
 			err = errors.Wrapf(err, "changing temporary home directory ownership at %s", unprivSessionHome)
 			t.Fatalf("failed to set temporary home owner: %+v", err)
 		}
+		// Privileged home setup
 		if err := os.Mkdir(privSessionHome, 0o700); err != nil {
 			err = errors.Wrapf(err, "changing temporary home directory %s", privSessionHome)
 			t.Fatalf("failed to create temporary home: %+v", err)
 		}
+		if err := os.Mkdir(filepath.Join(privSessionHome, ".apptainer"), 0o700); err != nil {
+			err = errors.Wrapf(err, "creating temporary .apptainer suvdirectory at %s", privSessionHome)
+			t.Fatalf("failed to create apptainer subdirectory: %+v", err)
+		}
+		// No need to check for errors on this - if the file is accessible in the original location, this will work; and if it isn't, it won't.
+		fs.CopyFile(
+			filepath.Join(privUser.Dir, ".apptainer", "docker-config.json"),
+			filepath.Join(privSessionHome, ".apptainer", "docker-config.json"),
+			0o600,
+		)
 
 		sourceDir := buildcfg.SOURCEDIR
 

e2e/registry/registry.go

@@ -349,23 +349,23 @@ func (c ctx) registryIssue2226(t *testing.T) {
 		t.Fatalf("failed to create new policy context: %v", err)
 	}
 
+	u := e2e.CurrentUser(t)
+	configPath := filepath.Join(u.Dir, ".apptainer", syfs.DockerConfFile)
+
 	sourceCtx := &types.SystemContext{
 		OCIInsecureSkipTLSVerify:    false,
 		DockerInsecureSkipTLSVerify: types.NewOptionalBool(false),
 		DockerRegistryUserAgent:     useragent.Value(),
+		AuthFilePath:                configPath,
 	}
 	destCtx := &types.SystemContext{
 		OCIInsecureSkipTLSVerify:    true,
 		DockerInsecureSkipTLSVerify: types.NewOptionalBool(true),
 		DockerRegistryUserAgent:     useragent.Value(),
+		AuthFilePath:                configPath,
 	}
 
-	u := e2e.CurrentUser(t)
-	configPath := filepath.Join(u.Dir, ".apptainer", syfs.DockerConfFile)
-	sourceCtx.AuthFilePath = configPath
-	destCtx.AuthFilePath = configPath
-
-	source := "docker://alpine:latest"
+	source := "docker://docker.io/alpine:latest"
 	dest := fmt.Sprintf("%s/my-alpine:latest", privRepoURI)
 	sourceRef, err := docker.ParseReference(strings.TrimPrefix(source, "docker:"))
 	if err != nil {

internal/app/apptainer/keyserver_logout.go

@@ -19,7 +19,7 @@ import (
 )
 
 // KeyserverLogout logs out from a keyserver.
-func KeyserverLogout(usrConfigFile, name string) (err error) {
+func KeyserverLogout(usrConfigFile, name string, reqAuthFile string) (err error) {
 	// opening config file
 	file, err := os.OpenFile(usrConfigFile, os.O_RDWR|os.O_CREATE, 0o600)
 	if err != nil {
@@ -38,7 +38,7 @@ func KeyserverLogout(usrConfigFile, name string) (err error) {
 	}
 
 	// services
-	if err := c.Logout(name); err != nil {
+	if err := c.Logout(name, reqAuthFile); err != nil {
 		return fmt.Errorf("while verifying token: %v", err)
 	}
 

internal/app/apptainer/registry_login.go

@@ -20,7 +20,7 @@ import (
 )
 
 // RegistryLogin logs in to an OCI/Docker registry.
-func RegistryLogin(usrConfigFile string, args *LoginArgs, ociAuthFile string) (err error) {
+func RegistryLogin(usrConfigFile string, args *LoginArgs, reqAuthFile string) (err error) {
 	// opening config file
 	file, err := os.OpenFile(usrConfigFile, os.O_RDWR|os.O_CREATE, 0o600)
 	if err != nil {
@@ -38,7 +38,7 @@ func RegistryLogin(usrConfigFile string, args *LoginArgs, ociAuthFile string) (e
 		return err
 	}
 
-	if err := c.Login(args.Name, args.Username, args.Password, args.Insecure, ociAuthFile); err != nil {
+	if err := c.Login(args.Name, args.Username, args.Password, args.Insecure, reqAuthFile); err != nil {
 		return fmt.Errorf("while login to %s: %s", args.Name, err)
 	}
 

internal/app/apptainer/registry_logout.go

@@ -19,7 +19,7 @@ import (
 )
 
 // RegistryLogout logs out from an OCI/Docker registry.
-func RegistryLogout(usrConfigFile, name string) (err error) {
+func RegistryLogout(usrConfigFile, name string, reqAuthFile string) (err error) {
 	// opening config file
 	file, err := os.OpenFile(usrConfigFile, os.O_RDWR|os.O_CREATE, 0o600)
 	if err != nil {
@@ -38,7 +38,7 @@ func RegistryLogout(usrConfigFile, name string) (err error) {
 	}
 
 	// services
-	if err := c.Logout(name); err != nil {
+	if err := c.Logout(name, reqAuthFile); err != nil {
 		return fmt.Errorf("while verifying token: %v", err)
 	}
 

internal/app/apptainer/remote_logout.go

@@ -52,7 +52,7 @@ func RemoteLogout(usrConfigFile, name string) (err error) {
 	} else {
 		// services
 		sylog.Warningf("'remote logout' is deprecated for registries or keyservers and will be removed in a future release; running 'registry logout'")
-		return RegistryLogout(usrConfigFile, name)
+		return RegistryLogout(usrConfigFile, name, "")
 	}
 
 	// truncating file before writing new contents and syncing to commit file

internal/pkg/build/sources/conveyorPacker_oci.go

@@ -27,6 +27,7 @@ import (
 	"text/template"
 
 	"github.com/apptainer/apptainer/internal/pkg/build/oci"
+	"github.com/apptainer/apptainer/internal/pkg/util/ociauth"
 	"github.com/apptainer/apptainer/internal/pkg/util/shell"
 	sytypes "github.com/apptainer/apptainer/pkg/build/types"
 	"github.com/apptainer/apptainer/pkg/image"
@@ -159,7 +160,7 @@ func (cp *OCIConveyorPacker) Get(ctx context.Context, b *sytypes.Bundle) (err er
 		DockerAuthConfig:         cp.b.Opts.DockerAuthConfig,
 		DockerDaemonHost:         cp.b.Opts.DockerDaemonHost,
 		OSChoice:                 "linux",
-		AuthFilePath:             cp.b.Opts.OciAuthFile,
+		AuthFilePath:             ociauth.ChooseAuthFile(cp.b.Opts.ReqAuthFile),
 		DockerRegistryUserAgent:  useragent.Value(),
 		BigFilesTemporaryDir:     b.TmpDir,
 	}

internal/pkg/client/oci/pull.go

@@ -21,6 +21,7 @@ import (
 	"github.com/apptainer/apptainer/internal/pkg/build/oci"
 	"github.com/apptainer/apptainer/internal/pkg/cache"
 	"github.com/apptainer/apptainer/internal/pkg/util/fs"
+	"github.com/apptainer/apptainer/internal/pkg/util/ociauth"
 	buildtypes "github.com/apptainer/apptainer/pkg/build/types"
 	"github.com/apptainer/apptainer/pkg/sylog"
 	useragent "github.com/apptainer/apptainer/pkg/util/user-agent"
@@ -34,7 +35,7 @@ type PullOptions struct {
 	NoHTTPS     bool
 	NoCleanUp   bool
 	Pullarch    string
-	OciAuthFile string
+	ReqAuthFile string
 }
 
 // pull will build a SIF image into the cache if directTo="", or a specific file if directTo is set.
@@ -47,7 +48,7 @@ func pull(ctx context.Context, imgCache *cache.Handle, directTo, pullFrom string
 	sysCtx := &ocitypes.SystemContext{
 		OCIInsecureSkipTLSVerify: opts.NoHTTPS,
 		DockerAuthConfig:         opts.OciAuth,
-		AuthFilePath:             opts.OciAuthFile,
+		AuthFilePath:             ociauth.ChooseAuthFile(opts.ReqAuthFile),
 		DockerRegistryUserAgent:  useragent.Value(),
 		BigFilesTemporaryDir:     opts.TmpDir,
 	}
@@ -125,6 +126,7 @@ func convertOciToSIF(ctx context.Context, imgCache *cache.Handle, image, cachedI
 				DockerDaemonHost: opts.DockerHost,
 				ImgCache:         imgCache,
 				Arch:             opts.Pullarch,
+				ReqAuthFile:      opts.ReqAuthFile,
 			},
 		},
 	)