OCPBUGS-77141: Fix registriesd "unknown userid" failure for arbitrary UIDs #1357

Merged
openshift-merge-bot[bot] merged 2 commits into openshift:main from lunarwhite:patch
Feb 24, 2026
@lunarwhite (Member)

Description

Github / Jira issue: https://issues.redhat.com/browse/OCPBUGS-77141

Background

The registriesd package was introduced in v4.19 and later enabled by default in v4.21 to support sigstore signature attachments for mirrored container images. The module attempts to discover the user's home directory to locate registries.d configuration files using Go's user.Current() function:

usr, err := user.Current()
if err != nil {
	return "", fmt.Errorf("unable to determine the current user : %w", err)
}
return registriesDirPathWithHomeDir(usr.HomeDir), nil

We've met an edge case where oc-mirror runs inside a container with arbitrary user IDs (i.e. OpenShift CI). The failure occurs during the sigstore signature preparation phase with the following error:

[ERROR] : [Executor] error getting the default registryd config path :
  unable to determine the current user : user: unknown userid 1000890000

Ref: https://github.com/openshift/release/blob/93e8fa82775a0ab6a81e85acccbd2e32e332360e/ci-operator/step-registry/cert-manager/install/catalog/cert-manager-install-catalog-commands.sh#L103-L128

Root Cause

user.Current() requires an /etc/passwd entry for the current UID. But in containerized environments, processes could run with dynamically assigned UIDs (e.g. 1000890000 or 1003650000) that don't exist in /etc/passwd. And, this function would immediately return an error instead of falling back to environment variables or system defaults.

Proposed Fix

Replace user.Current() with os.UserHomeDir() in GetDefaultRegistrydConfigPath().

This matches the pattern used in executor.go for cache directory setup:

homeDir, err := os.UserHomeDir()

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  1. Build binary from source: https://github.com/lunarwhite/ocp-oc-mirror/releases/download/patch/oc-mirror.tar.gz
  2. Use above self-built patch version in CI and re-trigger jobs run: openshift/release@9ca28fb

without this patch: jobs failed at oc-mirror commands (starting from Feb 4th).

with this patch: oc-mirror commands succeeded and jobs passed
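
The two lookups contrasted in the description above, as an added Go example that is not oc-mirror's code. The function names, the system path `/etc/containers/registries.d` and the absolute-path guard on `$HOME` are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"path/filepath"
)

// Assumed locations for this sketch: the per-user path is the one named in the
// review thread, the system path is the usual containers default.
const (
	systemRegistriesDir = "/etc/containers/registries.d"
	userRegistriesRel   = ".config/containers/registries.d"
)

// homeFromPasswd reproduces the failing lookup: os/user needs a user database
// entry for the UID, which an arbitrarily assigned container UID does not have.
func homeFromPasswd(uid string) (string, error) {
	u, err := user.LookupId(uid)
	if err != nil {
		return "", fmt.Errorf("unable to determine the current user : %w", err)
	}
	return u.HomeDir, nil
}

// registriesDir resolves the directory from $HOME via os.UserHomeDir() and
// falls back to the system directory when $HOME is unset or empty. The
// absolute-path check is an extra guard added here: $HOME is caller-controlled,
// and a relative value would resolve against the working directory.
func registriesDir() (dir string, fromHome bool) {
	home, err := os.UserHomeDir()
	if err != nil || !filepath.IsAbs(home) {
		return systemRegistriesDir, false
	}
	return filepath.Join(home, userRegistriesRel), true
}

func main() {
	// UID taken from the error message in the PR description.
	if _, err := homeFromPasswd("1000890000"); err != nil {
		fmt.Println("passwd lookup:", err)
	}
	// Constructed $HOME values a container runtime or CI step might provide.
	for _, home := range []string{"/tmp/ci-home", "/", "relative/dir", ""} {
		os.Setenv("HOME", home)
		dir, fromHome := registriesDir()
		fmt.Printf("HOME=%q -> %s (from $HOME: %v)\n", home, dir, fromHome)
	}
}
```

Because the registries.d directory decides where sigstore signature attachments are looked up, it is worth logging which branch was taken so a job running with an unexpected `$HOME` is visible in CI output.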

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 21, 2026
@openshift-ci-robot

@lunarwhite: This pull request references Jira Issue OCPBUGS-77141, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci openshift-ci bot requested review from adolfo-ab and r4f4 February 21, 2026 15:25
@lunarwhite (Member Author)

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Feb 21, 2026
@openshift-ci-robot

@lunarwhite: This pull request references Jira Issue OCPBUGS-77141, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @nidangavali

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 21, 2026
@openshift-ci openshift-ci bot requested a review from nidangavali February 21, 2026 15:29
@r4f4 (Contributor) commented Feb 21, 2026

/cc @aguidirh

@openshift-ci openshift-ci bot requested a review from aguidirh February 21, 2026 15:55
@openshift-ci-robot

@lunarwhite: This pull request references Jira Issue OCPBUGS-77141. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

@lunarwhite lunarwhite reopened this Feb 21, 2026
@openshift-ci-robot

@lunarwhite: This pull request references Jira Issue OCPBUGS-77141, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @nidangavali

The bug has been updated to refer to the pull request using the external bug tracker.

// os.UserHomeDir() reads $HOME env var first, avoiding passwd lookups.
homeDir, err := os.UserHomeDir()
if err == nil {
return registriesDirPathWithHomeDir(homeDir), nil
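
Review bot: the comment on the os.UserHomeDir() line says it reads $HOME "first", which suggests a later passwd fallback; on Unix the call consults only $HOME and returns an error when it is unset or empty, so reword it, for example "uses $HOME only; no passwd lookup". The `if err == nil` branch also drops the error on the failure path, so consider logging it at debug level before the code that follows, so that a CI job with no $HOME shows why the per-user registries.d directory was skipped.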

Contributor

If the user has a home directory but does not have ~/.config/containers/registries.d yet, we silently pivot to use systemRegistriesDirPath. I think it makes more sense to only use systemRegistriesDirPath when we can't find $HOME.

Contributor

Resolved after talking with @aguidirh, feel free to resolve this

@aguidirh (Contributor) left a comment

Thanks for fixing this bug. This is a critical one.

@aguidirh (Contributor)

/label acknowledge-critical-fixes-only

@openshift-ci openshift-ci bot added acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 23, 2026
@aguidirh (Contributor)

/cherry-pick release-4.21

@openshift-cherrypick-robot

@aguidirh: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.

@nidangavali

/verified by @nidangavali

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Feb 24, 2026
@openshift-ci-robot

@nidangavali: This PR has been marked as verified by @nidangavali.

@openshift-ci bot commented Feb 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adolfo-ab, aguidirh, lunarwhite, nidangavali

@lunarwhite (Member Author)

Thanks team for all your quick review! Could I get a lgtm label to get this PR merged?

@aguidirh (Contributor) left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 24, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit 1ef708f into openshift:main Feb 24, 2026
12 checks passed
@openshift-ci-robot

@lunarwhite: Jira Issue Verification Checks: Jira Issue OCPBUGS-77141
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-77141 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

@openshift-cherrypick-robot

@aguidirh: new pull request created: #1358

@openshift-ci bot commented Feb 24, 2026

@lunarwhite: all tests passed!
