why login registry auth.json always been cleared?

[runseason]

In doker, there is no need to login again after initial login, but in podman the /run/user/0/containers/auth.json file always been cleared, then should login again and again. I'm not sure is a problem in podman or only my env has something wrong.
Any body has the same situation?

[TomSweeneyRedHat]

@runseason good question. This is indeed one area where Podman differs from Docker and it was done on purpose to make your credentials more secure. As noted in the man page for podman login, the default location for the auth.json file where the credentials are stored is ${XDG_RUNTIME_DIR}/containers/auth.json which is generally somewhere in the /run directory tree, /run/user/{userid}. As you're probably aware, files in the/run directory are removed when you log out. We did this to make it a little harder for someone to grab them.

If you would prefer, you could move the credentials to another location where they won't be removed at logout using the podman login --authfile {file_location} option. If you do that, then you'd need to use the --authfile option with your other podman commands too. Or if you want to set the location somewhere else permanently, you can set the REGISTRY_AUTH_FILE environment variable to your location of choice, and then podman commands will use the authfile found in that location without the need of the --authfile option. More info on the --authfile option and the environment variable can also be found on the podman login man page.

Hope that helps!

[TomSweeneyRedHat]

And I should have noted, that if you use the --authfile option or the REGISTRY_AUTH_FILE environment variable option, the credentials will NOT be removed when you log out unless you set them somewhere else under the /run directory. So it's doable to retain the credentials across boots/logoouts like Docker does, but not recommended.

[rhatdan]

Correct, you want the credentials to be stored permanently in a file then use REGISTRY_AUTH_FILE. From a security point of view the content of this file stores a username and password in slightly altered form, but easily translated. So storing them permanently in your Homedir or on an NFS share is in my opinion a horrible default. Putting them on /run gives us better UID protection for them, they never go out over the network for shared homedirs and they are destroyed when I log out of the system reboots.

This was an intentional change from a security point of view.