JasonYangShadow · JasonYangShadow · Sep 6, 2024 · Sep 6, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,12 @@ For older changes see the [archived Singularity change log](https://github.com/a
   for example: `Apptainer runtime parent: example.sif`.
 - Fix the `mconfig -s` option to build the apptainer and starter
   binaries statically as documented.
+- The `registry login` and `registry logout` commands now support a `--authfile
+  <path>` flag, which causes the OCI credentials to be written to / removed from
+  a custom file located at `<path>` instead of the default location
+  (`$HOME/.apptainer/docker-config.json`). The commands `pull`, `push`, `run`,
+  `exec`, `shell` and `instance start` can now also be passed a `--authfile
+  <path>` option, to read OCI registry credentials from this custom file.
 
 ## Changes for v1.3.x
 

diff --git a/cmd/internal/cli/action_flags.go b/cmd/internal/cli/action_flags.go
@@ -939,6 +939,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&actionIgnoreUsernsFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionUnderlayFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionShareNSFlag, actionsCmd...)
+		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, actionsInstanceCmd...)
 		cmdManager.RegisterFlagForCmd(&actionRunscriptTimeoutFlag, actionsRunscriptCmd...)
 	})
 }
diff --git a/cmd/internal/cli/actions.go b/cmd/internal/cli/actions.go
@@ -27,6 +27,7 @@ import (
 	"github.com/apptainer/apptainer/internal/pkg/client/oras"
 	"github.com/apptainer/apptainer/internal/pkg/client/shub"
 	"github.com/apptainer/apptainer/internal/pkg/instance"
+	"github.com/apptainer/apptainer/internal/pkg/ocitransport"
 	"github.com/apptainer/apptainer/internal/pkg/runtime/launch"
 	"github.com/apptainer/apptainer/internal/pkg/util/env"
 	"github.com/apptainer/apptainer/internal/pkg/util/uri"
@@ -79,27 +80,28 @@ func actionPreRun(cmd *cobra.Command, args []string) {
 }
 
 func handleOCI(ctx context.Context, imgCache *cache.Handle, cmd *cobra.Command, pullFrom string) (string, error) {
-	ociAuth, err := makeDockerCredentials(cmd)
+	ociAuth, err := makeOCICredentials(cmd)
 	if err != nil {
 		sylog.Fatalf("While creating Docker credentials: %v", err)
 	}
 
 	pullOpts := oci.PullOptions{
-		TmpDir:     tmpDir,
-		OciAuth:    ociAuth,
-		DockerHost: dockerHost,
-		NoHTTPS:    noHTTPS,
+		TmpDir:      tmpDir,
+		OciAuth:     ociAuth,
+		DockerHost:  dockerHost,
+		NoHTTPS:     noHTTPS,
+		ReqAuthFile: reqAuthFile,
 	}
 
 	return oci.Pull(ctx, imgCache, pullFrom, pullOpts)
 }
 
 func handleOras(ctx context.Context, imgCache *cache.Handle, cmd *cobra.Command, pullFrom string) (string, error) {
-	ociAuth, err := makeDockerCredentials(cmd)
+	ociAuth, err := makeOCICredentials(cmd)
 	if err != nil {
 		return "", fmt.Errorf("while creating docker credentials: %v", err)
 	}
-	return oras.Pull(ctx, imgCache, pullFrom, tmpDir, ociAuth, noHTTPS)
+	return oras.Pull(ctx, imgCache, pullFrom, tmpDir, ociAuth, noHTTPS, reqAuthFile)
 }
 
 func handleLibrary(ctx context.Context, imgCache *cache.Handle, pullFrom string) (string, error) {
@@ -156,7 +158,7 @@ func replaceURIWithImage(ctx context.Context, cmd *cobra.Command, args []string)
 		image, err = handleOras(ctx, imgCache, cmd, args[0])
 	case uri.Shub:
 		image, err = handleShub(ctx, imgCache, args[0])
-	case oci.IsSupported(t):
+	case ocitransport.SupportedTransport(t):
 		image, err = handleOCI(ctx, imgCache, cmd, args[0])
 	case uri.HTTP:
 		image, err = handleNet(ctx, imgCache, args[0])

diff --git a/cmd/internal/cli/apptainer.go b/cmd/internal/cli/apptainer.go
@@ -40,7 +40,7 @@ import (
 	"github.com/apptainer/apptainer/pkg/util/apptainerconf"
 	keyClient "github.com/apptainer/container-key-client/client"
 	libClient "github.com/apptainer/container-library-client/client"
-	ocitypes "github.com/containers/image/v5/types"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
@@ -56,16 +56,18 @@ var CurrentUser = getCurrentUser()
 var currentRemoteEndpoint *endpoint.Config
 
 var (
-	dockerAuthConfig ocitypes.DockerAuthConfig
-	dockerLogin      bool
-	dockerHost       string
+	authConfig  authn.AuthConfig
+	dockerLogin bool
+	dockerHost  string
 
 	encryptionPEMPath   string
 	promptForPassphrase bool
 	forceOverwrite      bool
 	noHTTPS             bool
 	useBuildConfig      bool
 	tmpDir              string
+	// Optional user requested authentication file for writing/reading OCI registry credentials
+	reqAuthFile string
 )
 
 // apptainer command flags
@@ -136,7 +138,7 @@ var singVerboseFlag = cmdline.Flag{
 // --docker-username
 var dockerUsernameFlag = cmdline.Flag{
 	ID:            "dockerUsernameFlag",
-	Value:         &dockerAuthConfig.Username,
+	Value:         &authConfig.Username,
 	DefaultValue:  "",
 	Name:          "docker-username",
 	Usage:         "specify a username for docker authentication",
@@ -148,7 +150,7 @@ var dockerUsernameFlag = cmdline.Flag{
 // --docker-password
 var dockerPasswordFlag = cmdline.Flag{
 	ID:            "dockerPasswordFlag",
-	Value:         &dockerAuthConfig.Password,
+	Value:         &authConfig.Password,
 	DefaultValue:  "",
 	Name:          "docker-password",
 	Usage:         "specify a password for docker authentication",
@@ -258,6 +260,16 @@ var singBuildConfigFlag = cmdline.Flag{
 	Usage:        "use configuration needed for building containers",
 }
 
+// --authfile
+var commonAuthFileFlag = cmdline.Flag{
+	ID:           "commonAuthFileFlag",
+	Value:        &reqAuthFile,
+	DefaultValue: "",
+	Name:         "authfile",
+	Usage:        "Docker-style authentication file to use for writing/reading OCI registry credentials",
+	EnvKeys:      []string{"AUTH_FILE"},
+}
+
 func getCurrentUser() *user.User {
 	usr, err := user.Current()
 	if err != nil {

diff --git a/cmd/internal/cli/build.go b/cmd/internal/cli/build.go
@@ -22,7 +22,7 @@ import (
 	"github.com/apptainer/apptainer/pkg/cmdline"
 	"github.com/apptainer/apptainer/pkg/image"
 	"github.com/apptainer/apptainer/pkg/sylog"
-	ocitypes "github.com/containers/image/v5/types"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
@@ -359,6 +359,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&buildVarArgsFlag, buildCmd)
 		cmdManager.RegisterFlagForCmd(&buildVarArgFileFlag, buildCmd)
 		cmdManager.RegisterFlagForCmd(&buildArgUnusedWarn, buildCmd)
+		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, buildCmd)
 	})
 }
 
@@ -468,34 +469,37 @@ func checkBuildTarget(path string) error {
 	return nil
 }
 
-// makeDockerCredentials creates an *ocitypes.DockerAuthConfig to use for
-// OCI/Docker registry operation configuration. Note that if we don't have a
-// username or password set it will return a nil pointer, as containers/image
-// requires this to fall back to .docker/config based authentication.
-func makeDockerCredentials(cmd *cobra.Command) (authConf *ocitypes.DockerAuthConfig, err error) {
+// makeOCICredentials creates an *authn.AuthConfig that should be used for
+// explicit OCI/Docker registry authentication when appropriate. If
+// `--docker-login` has been specified then interactive authentication will be
+// performed. If `--docker-login` has not been specified, and explicit
+// credentials have not been supplied via env-vars/flags, then a nil AuthConfig
+// will be returned.
+func makeOCICredentials(cmd *cobra.Command) (*authn.AuthConfig, error) {
 	usernameFlag := cmd.Flags().Lookup("docker-username")
 	passwordFlag := cmd.Flags().Lookup("docker-password")
 
+	var err error
 	if dockerLogin {
 		if !usernameFlag.Changed {
-			dockerAuthConfig.Username, err = interactive.AskQuestion("Enter Docker Username: ")
+			authConfig.Username, err = interactive.AskQuestion("Enter Docker Username: ")
 			if err != nil {
-				return authConf, err
+				return &authConfig, nil
 			}
-			usernameFlag.Value.Set(dockerAuthConfig.Username)
+			usernameFlag.Value.Set(authConfig.Username)
 			usernameFlag.Changed = true
 		}
 
-		dockerAuthConfig.Password, err = interactive.AskQuestionNoEcho("Enter Docker Password: ")
+		authConfig.Password, err = interactive.AskQuestionNoEcho("Enter Docker Password: ")
 		if err != nil {
-			return authConf, err
+			return &authConfig, nil
 		}
-		passwordFlag.Value.Set(dockerAuthConfig.Password)
+		passwordFlag.Value.Set(authConfig.Password)
 		passwordFlag.Changed = true
 	}
 
 	if usernameFlag.Changed || passwordFlag.Changed {
-		return &dockerAuthConfig, nil
+		return &authConfig, nil
 	}
 
 	// If a username / password have not been explicitly set, return a nil

diff --git a/cmd/internal/cli/build_linux.go b/cmd/internal/cli/build_linux.go
@@ -219,6 +219,10 @@ func runBuild(cmd *cobra.Command, args []string) {
 		os.Setenv("APPTAINER_WRITABLE_TMPFS", "1")
 	}
 
+	if cmd.Flags().Lookup("authfile").Changed && buildArgs.remote {
+		sylog.Fatalf("Custom authfile is not supported for remote build")
+	}
+
 	// check if target collides with existing file
 	if err := checkBuildTarget(dest); err != nil {
 		sylog.Fatalf("While checking build target: %s", err)
@@ -265,7 +269,7 @@ func runBuildLocal(ctx context.Context, cmd *cobra.Command, dst, spec string, fa
 		sylog.Fatalf("Could not check build sections: %v", err)
 	}
 
-	authConf, err := makeDockerCredentials(cmd)
+	authConf, err := makeOCICredentials(cmd)
 	if err != nil {
 		sylog.Fatalf("While creating Docker credentials: %v", err)
 	}
@@ -365,13 +369,14 @@ func runBuildLocal(ctx context.Context, cmd *cobra.Command, dst, spec string, fa
 				LibraryAuthToken:  authToken,
 				FakerootPath:      fakerootPath,
 				KeyServerOpts:     ko,
-				DockerAuthConfig:  authConf,
+				OCIAuthConfig:     authConf,
 				DockerDaemonHost:  dockerHost,
 				EncryptionKeyInfo: keyInfo,
 				FixPerms:          buildArgs.fixPerms,
 				SandboxTarget:     sandboxTarget,
 				Binds:             buildArgs.bindPaths,
 				Unprivilege:       unprivilege,
+				ReqAuthFile:       reqAuthFile,
 			},
 		})
 	if err != nil {

diff --git a/cmd/internal/cli/keyserver.go b/cmd/internal/cli/keyserver.go
@@ -206,7 +206,7 @@ var KeyserverLogoutCmd = &cobra.Command{
 			name = args[0]
 		}
 
-		if err := apptainer.KeyserverLogout(remoteConfig, name); err != nil {
+		if err := apptainer.KeyserverLogout(remoteConfig, name, reqAuthFile); err != nil {
 			sylog.Fatalf("%s", err)
 		}
 		sylog.Infof("Logout succeeded")

diff --git a/cmd/internal/cli/loginargs.go b/cmd/internal/cli/loginargs.go
@@ -28,6 +28,7 @@ func ObtainLoginArgs(name string) *apptainer.LoginArgs {
 	loginArgs.Password = loginPassword
 	loginArgs.Tokenfile = loginTokenFile
 	loginArgs.Insecure = loginInsecure
+	loginArgs.ReqAuthFile = reqAuthFile
 
 	if loginPasswordStdin {
 		p, err := io.ReadAll(os.Stdin)

diff --git a/cmd/internal/cli/pull.go b/cmd/internal/cli/pull.go
@@ -23,6 +23,7 @@ import (
 	"github.com/apptainer/apptainer/internal/pkg/client/oci"
 	"github.com/apptainer/apptainer/internal/pkg/client/oras"
 	"github.com/apptainer/apptainer/internal/pkg/client/shub"
+	"github.com/apptainer/apptainer/internal/pkg/ocitransport"
 	"github.com/apptainer/apptainer/internal/pkg/remote/endpoint"
 	"github.com/apptainer/apptainer/internal/pkg/util/uri"
 	"github.com/apptainer/apptainer/pkg/cmdline"
@@ -166,6 +167,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&pullAllowUnauthenticatedFlag, PullCmd)
 		cmdManager.RegisterFlagForCmd(&pullArchFlag, PullCmd)
 		cmdManager.RegisterFlagForCmd(&pullArchVariantFlag, PullCmd)
+		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, PullCmd)
 	})
 }
 
@@ -262,12 +264,12 @@ func pullRun(cmd *cobra.Command, args []string) {
 			sylog.Fatalf("While pulling shub image: %v\n", err)
 		}
 	case OrasProtocol:
-		ociAuth, err := makeDockerCredentials(cmd)
+		ociAuth, err := makeOCICredentials(cmd)
 		if err != nil {
 			sylog.Fatalf("Unable to make docker oci credentials: %s", err)
 		}
 
-		_, err = oras.PullToFile(ctx, imgCache, pullTo, pullFrom, tmpDir, ociAuth, noHTTPS)
+		_, err = oras.PullToFile(ctx, imgCache, pullTo, pullFrom, tmpDir, ociAuth, noHTTPS, reqAuthFile)
 		if err != nil {
 			sylog.Fatalf("While pulling image from oci registry: %v", err)
 		}
@@ -276,8 +278,8 @@ func pullRun(cmd *cobra.Command, args []string) {
 		if err != nil {
 			sylog.Fatalf("While pulling from image from http(s): %v\n", err)
 		}
-	case oci.IsSupported(transport):
-		ociAuth, err := makeDockerCredentials(cmd)
+	case ocitransport.SupportedTransport(transport):
+		ociAuth, err := makeOCICredentials(cmd)
 		if err != nil {
 			sylog.Fatalf("While creating Docker credentials: %v", err)
 		}
@@ -288,12 +290,13 @@ func pullRun(cmd *cobra.Command, args []string) {
 			return
 		}
 		pullOpts := oci.PullOptions{
-			TmpDir:     tmpDir,
-			OciAuth:    ociAuth,
-			DockerHost: dockerHost,
-			NoHTTPS:    noHTTPS,
-			NoCleanUp:  buildArgs.noCleanUp,
-			Pullarch:   arch,
+			TmpDir:      tmpDir,
+			OciAuth:     ociAuth,
+			DockerHost:  dockerHost,
+			NoHTTPS:     noHTTPS,
+			NoCleanUp:   buildArgs.noCleanUp,
+			Pullarch:    arch,
+			ReqAuthFile: reqAuthFile,
 		}
 
 		_, err = oci.PullToFile(ctx, imgCache, pullTo, pullFrom, pullOpts)

diff --git a/cmd/internal/cli/push.go b/cmd/internal/cli/push.go
@@ -80,6 +80,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&dockerHostFlag, PushCmd)
 		cmdManager.RegisterFlagForCmd(&dockerUsernameFlag, PushCmd)
 		cmdManager.RegisterFlagForCmd(&dockerPasswordFlag, PushCmd)
+		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, PushCmd)
 	})
 }
 
@@ -162,12 +163,12 @@ var PushCmd = &cobra.Command{
 			if cmd.Flag(pushDescriptionFlag.Name).Changed {
 				sylog.Warningf("Description is not supported for push to oras. Ignoring it.")
 			}
-			ociAuth, err := makeDockerCredentials(cmd)
+			ociAuth, err := makeOCICredentials(cmd)
 			if err != nil {
 				sylog.Fatalf("Unable to make docker oci credentials: %s", err)
 			}
 
-			if err := oras.UploadImage(cmd.Context(), file, ref, ociAuth, noHTTPS); err != nil {
+			if err := oras.UploadImage(cmd.Context(), file, ref, ociAuth, noHTTPS, reqAuthFile); err != nil {
 				sylog.Fatalf("Unable to push image to oci registry: %v", err)
 			}
 			sylog.Infof("Upload complete")

diff --git a/cmd/internal/cli/registry.go b/cmd/internal/cli/registry.go
@@ -72,6 +72,8 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&registryLoginUsernameFlag, RegistryLoginCmd)
 		cmdManager.RegisterFlagForCmd(&registryLoginPasswordFlag, RegistryLoginCmd)
 		cmdManager.RegisterFlagForCmd(&registryLoginPasswordStdinFlag, RegistryLoginCmd)
+		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, RegistryLoginCmd)
+		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, RegistryLogoutCmd)
 	})
 }
 
@@ -114,7 +116,7 @@ var RegistryLogoutCmd = &cobra.Command{
 			name = args[0]
 		}
 
-		if err := apptainer.RegistryLogout(remoteConfig, name); err != nil {
+		if err := apptainer.RegistryLogout(remoteConfig, name, reqAuthFile); err != nil {
 			sylog.Fatalf("%s", err)
 		}
 		sylog.Infof("Logout succeeded")

diff --git a/cmd/internal/cli/remote.go b/cmd/internal/cli/remote.go
@@ -303,8 +303,9 @@ var RemoteAddCmd = &cobra.Command{
 			sylog.Infof("Global option detected. Will not automatically log into remote.")
 		} else if !remoteNoLogin {
 			loginArgs := &apptainer.LoginArgs{
-				Name:      name,
-				Tokenfile: loginTokenFile,
+				Name:        name,
+				Tokenfile:   loginTokenFile,
+				ReqAuthFile: reqAuthFile,
 			}
 			if err := apptainer.RemoteLogin(remoteConfig, loginArgs); err != nil {
 				sylog.Fatalf("%s", err)
@@ -392,6 +393,7 @@ var RemoteLoginCmd = &cobra.Command{
 		loginArgs.Password = loginPassword
 		loginArgs.Tokenfile = loginTokenFile
 		loginArgs.Insecure = loginInsecure
+		loginArgs.ReqAuthFile = reqAuthFile
 
 		if loginPasswordStdin {
 			p, err := io.ReadAll(os.Stdin)