oras: Using ORAS from snap can't authenticate with gcloud credential helper

What happened in your environment?

I’m using oras like this: oras push us-central1-docker.pkg.dev/... file.tar.gz

I have docker configured to use gcloud auth using this command: gcloud auth configure-docker us-central1-docker.pkg.dev

which sets up the ~/.docker/config.json like so:

{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud"
  }
}

If I use oras from snap, authentication fails, but if I use the downloaded oras binary it works fine

What did you expect to happen?

Authentication doesn’t depend on

How can we reproduce it?

Since this requires authenticating with google cloud platform, replicating my setup isn’t the easiest. I can help someone setup a similar environment if necessary

What is the version of your ORAS CLI?

1.0.0, which is the latest version in snap

What is your OS environment?

Ubuntu 20.04

Are you willing to submit PRs to fix it?

  • Yes, I am willing to fix it.

About this issue

  • Original URL
  • State: open
  • Created 10 months ago
  • Comments: 23 (18 by maintainers)

Most upvoted comments

I’m not sure if setting confinement level to classic and install using --classic works or not. Noto to @qweeah, --classic flag does not work as it is not declared as classic.

Tried building a snapcraft version locally with confinement level set to classic and it worked: both config file and cred binaries can be successfully invoked. I think this is the most ideal solution we currently have.

+2
qweeah on Sep 4, 2023

Currently, oras is configured to strict confinement level.

https://github.com/oras-project/oras/blob/999ac385ed704b1cb0dfa97c7b88e2ce7d290c3c/snapcraft.yaml#L20

I’m not sure if setting confinement level to classic and install using --classic works or not. Noto to @qweeah, --classic flag does not work as it is not declared as classic.

Another thing we can try is the snap interfaces, mounting :home to oras:home.

+1
shizhMSFT on Aug 30, 2023

@qweeah that doesn’t quite work either, it doesn’t have a way to call the credential helper:

Error: failed to resolve latest: GET "https://us-central1-docker.pkg.dev/v2/[...]/manifests/latest": error getting credentials - err: docker-credential-gcloud resolves to executable in current directory (./docker-credential-gcloud), out: ``
+1
jteichroeb-oanda on Aug 29, 2023

@jteichroeb-oanda snap apps uses separated config file. You should add cred helper to the docker config in snap’s virtual environment ~/snap/oras/current/.docker/config.json and it should work.

+1
qweeah on Aug 29, 2023

@qweeah both 1.0.0 and 1.0.1 work. I can’t try 1.0.1 with snap since the lastest I see is 1.0.0.

+1
jteichroeb-oanda on Aug 28, 2023
Read more comments on GitHub
← oras-go: `Transfer-Encoding: chunked` responses fail
orbitdb: Custom AccessController is not immutable →