failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized, while running oc-mirror

Solution Verified - Updated

Environment

  • OpenShift Container Platform
    • 4.11 +
  • oc-mirror

Issue

  • Running oc-mirror fails with 401 Unauthorized - Server message: unauthorized.
  • The oc-mirror command returns Unauthorized when run as the root user.
  • Even after a successful login to registry.redhat.io, the oc-mirror command returns 401 Unauthorized.
[root@~]# podman login registry.redhat.io
Username: user_id
Password: password
Login Succeeded!

[root@~]# oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.12
level=info msg=trying next host error=failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized host=registry.redhat.io
error: failed to list operators, please check catalog name - registry.redhat.io/redhat/redhat-operator-index:v4.12 : render reference "registry.redhat.io/redhat/redhat-operator-index:v4.12": error resolving name : failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized


Resolution

  • Store the credentials in ~/.docker/config.json by following the steps below.
  1. First, log in using the podman command.
[root@~]# podman login registry.redhat.io -u <user-id> -p <password>
  2. Make sure the credentials are stored in the path below.
[root@~]# cat /run/containers/0/auth.json 
  3. Create the .docker directory in root's home directory and redirect the output to ~/.docker/config.json.
[root@~]# mkdir ~/.docker
[root@~]# cat /run/containers/0/auth.json > ~/.docker/config.json
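
The copy step above, as an added example that is not part of the original solution or Red Hat's code: it creates ~/.docker and config.json readable by the owner only (a plain mkdir and redirect under root's usual umask leaves the stored credentials world-readable) and refuses to overwrite an existing config.json. The function names and the --apply flag are hypothetical, and the /run/containers/<uid>/auth.json fallback is an assumption generalized from the /run/containers/0/auth.json path shown for root.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Function names and --apply are hypothetical.

# Print the first readable auth file that has an entry for registry $1.
# Extra arguments override the default search paths.
find_podman_auth() {
    registry=$1; shift
    if [ $# -eq 0 ]; then
        # Assumption: podman's fallback path is /run/containers/<uid>/auth.json,
        # which is /run/containers/0/auth.json for root as shown on this page.
        set -- "${XDG_RUNTIME_DIR:+$XDG_RUNTIME_DIR/containers/auth.json}" \
               "/run/containers/$(id -u)/auth.json"
    fi
    for f in "$@"; do
        [ -n "$f" ] && [ -r "$f" ] || continue
        if grep -qF "\"$registry\"" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Copy auth file $1 to $2/.docker/config.json, readable by the owner only.
# Returns 2 instead of overwriting an existing config.json.
install_docker_config() {
    src=$1
    dest="$2/.docker/config.json"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 2
    fi
    # umask in a subshell: new directories get 0700, the file 0600.
    ( umask 077 && mkdir -p "$2/.docker" && cat "$src" > "$dest" )
}

if [ "${1:-}" = "--apply" ]; then
    src_file=$(find_podman_auth registry.redhat.io) || {
        echo "no stored credentials found; run podman login first" >&2
        exit 1
    }
    install_docker_config "$src_file" "$HOME"
fi
```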

OR

Root Cause

  • oc-mirror currently retrieves registry credentials from ~/.docker/config.json or ${XDG_RUNTIME_DIR}/containers/auth.json. Because the root user does not have a ${XDG_RUNTIME_DIR}/containers/auth.json path in which to store the credentials, oc-mirror is unable to find run-time credentials for the root user.

Diagnostic Steps

  • Run the podman login command with the --log-level=debug option to check the path in which the credentials are being stored.
[root@~]# podman login registry.redhat.io --log-level=debug

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.