azure-cli: ACR login does not work with podman

#!/bin/bash

# Copyright (c) 2021 djds <djds@bghost.xyz>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


set -euo pipefail

readonly USERNAME='00000000-0000-0000-0000-000000000000'


acr_password() {
    local -r registry="${1}"

    set +x
    az acr login \
        --name "${registry}" \
        --expose-token  \
        2>/dev/null \
        | jq -r '.accessToken'
}


podman_login() {
    local -r registries=("${@}")

    for registry in "${registries[@]}"; do
        printf "%s: %s\n" "${registry}" "$(
            acr_password "${registry}" \
                | podman login \
                    --username "${USERNAME}" \
                    --password-stdin \
                    "${registry}.azurecr.io"
        )"
    done
}


podman_login "${@}"
unset -f acr_password podman_login  # if wrapping this whole script as a function

./podman-login.sh ${registry} [${registry}] ...

Soon it will be 2 years while this is still an issue 😄

This worked for me on MacOS:

TOKEN=$(az acr login -n myacrrepo --expose-token -o tsv --query accessToken)
podman pull myacrrepo.azurecr.io/myapp:latest --creds 00000000-0000-0000-0000-000000000000:$TOKEN

For any readers hoping to do this in powershell and with WSL2, I’ve translated the workaround to something you can put in your powershell profile (code $profile to edit your profile with vscode):

function Invoke-AcrLogin {
    param (
        [string]$repository
    )
    $json = az acr login -n $repository --expose-token | ConvertFrom-Json
    $registryUrl = "{0}.azurecr.io" –f $repository
    echo $json.accessToken | wsl podman login --username "00000000-0000-0000-0000-000000000000" --password-stdin "$registryUrl"
}
Set-Alias acrlogin Invoke-AcrLogin

Usage: acrlogin <your-registry>

@yugangw-msft with Docker Desktop 4.0’s change of terms the story for using docker with WSL becomes less ergonomic & raises the value of podman compatibility in aks. Unfortunately the feedback links in this thread are dead, redirecting to https://azure.microsoft.com/en-us/feedback

I found some information on this blog: https://www.danielstechblog.io/running-podman-on-macos-with-multipass/ I just set the link, executed podman machine init and podman machine start and it worked 😃

Mac Homebrew M1 ln -s /opt/homebrew/bin/podman /usr/local/bin/docker || true

Mac Homebrew Intel ln -s /usr/local/bin/podman /usr/local/bin/docker || true

I was able to get it working with --expose-token in az acr login, followed by --creds=00000000-0000-0000-0000-000000000000:{shellescape(accessToken)} when invoking podman push

Suboptimal, but it works

TOKEN=$(az acr login -n myacrrepo --expose-token -o tsv --query accessToken)
podman pull myacrrepo.azurecr.io/myapp:latest --creds 00000000-0000-0000-0000-000000000000:$TOKEN

These can also be combined into one command:

podman login myregistry.azurecr.io -u 00000000-0000-0000-0000-000000000000 -p "$(az acr login --name myregistry --expose-token -o tsv --query accessToken)"

The socket approach will only work with systemd, because Podman is daemonless and the socket is activated by a systemd unit.

Since podman gets a sufficient replacement for docker, which has multiple advantages, e.g. rootless usage this becomes more and more used in the community. Could you please add podman support to the az acr tool. The workaround may work for specific cases, but there are cases e.g. az acr check-health where the mentioned workarounds are not helping.

@murphy85’s approach worked for me but required just a minor tweak for using on WSL. After this, az acr login worked as expected.

sudo ln -s /usr/bin/podman /usr/bin/docker || true

Note: an alias in ~/.bashrc was not sufficient.

+1 We are currently using Azure Container Registry and would like to explore using podman as well.

@kalkin i have tried the following and unfortunately it did not work for me

export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock

i still get this:

az acr login --name ***** You may want to use ‘az acr login -n acrtestlowers01 --expose-token’ to get an access token, which does not require Docker to be installed. 2023-02-15 18:02:42.622443 An error occurred: DOCKER_COMMAND_ERROR Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.