Podman pull with authentication fails with authenticationrequired if --rootful is set #24218

Open
KaiHufenbach opened this issue Oct 9, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. machine macos MacOS (OSX) related remote Problem is in podman-remote stale-issue

KaiHufenbach commented Oct 9, 2024

Issue Description

podman pull mynexus:5000/alpine --log-level=debug fails with authenticationrequired

This happens only if the machine is set to rootful before start:

podman machine set --rootful

When connecting to the machine with podman machine ssh, the same command podman pull ... works from within the machine.

Steps to reproduce the issue

  1. installed latest version with homebrew:
    brew info podman shows:
Tool for managing OCI containers and pods
https://podman.io/
Installed
/Users/xxx/Documents/homebrew/Cellar/podman/5.2.4 (201 files, 76.2MB) *
  Poured from bottle using the formulae.brew.sh API on 2024-10-09 at 16:51:04
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/p/podman.rb
License: Apache-2.0 AND GPL-3.0-or-later
==> Dependencies
Build: go ✘, go-md2man ✘, make ✘
==> Requirements
Required: macOS >= 13 (or Linux) ✔
==> Options
--HEAD
	Install HEAD version
==> Caveats
        In order to run containers locally, podman depends on a Linux kernel.
        One can be started manually using podman machine from this package.
        To start a podman VM automatically at login, also install the cask
        "podman-desktop".

zsh completions have been installed to:
  /Users/xxx/Documents/homebrew/share/zsh/site-functions
==> Analytics
install: 12,290 (30 days), 42,012 (90 days), 216,958 (365 days)
install-on-request: 11,747 (30 days), 39,187 (90 days), 188,237 (365 days)
build-error: 1 (30 days)
  2. changed /Users/xxx/.config/containers/registries.conf to
[[registry]]
prefix="quay.io"
location="mynexus:5000"
insecure=true

[[registry]]
prefix="docker.io"
location="mynexus:5000"
insecure=true
  3. Login podman login mynexus:5000
    Which shows Login Succeeded!
  4. Init machine podman machine init <--- Downloads an image from nexus which works
  5. podman machine set --rootful
  6. podman machine start
Starting machine "podman-machine-default"
API forwarding listening on: /var/folders/z0/bk0z5t556yn112k_tgpdpsym0000gp/T/podman/podman-machine-default-api.sock

The system helper service is not installed; the default Docker API socket
address can't be used by podman. If you would like to install it, run the following commands:

        sudo /Users/xxx/Documents/homebrew/Cellar/podman/5.2.4/bin/podman-mac-helper install
        podman machine stop; podman machine start

You can still connect Docker API clients by setting DOCKER_HOST using the
following command in your terminal session:

        export DOCKER_HOST='unix:///var/folders/z0/bk0z5t556yn112k_tgpdpsym0000gp/T/podman/podman-machine-default-api.sock'

Machine "podman-machine-default" started successfully
  7. podman pull mynexus:5000/alpine --log-level=debug fails

Describe the results you received

podman pull mynexus:5000/alpine --log-level=debug

INFO[0000] podman filtering at log level debug          
DEBU[0000] Called pull.PersistentPreRunE(podman pull mynexus:5000/alpine --log-level=debug) 
DEBU[0000] SSH Ident Key "/Users/xxx/.local/share/containers/podman/machine/machine" SHA256:xxx ssh-ed25519 
DEBU[0000] DoRequest Method: GET URI: http://d/v5.2.4/libpod/_ping 
DEBU[0000] Loading registries configuration "/Users/xxx/.config/containers/registries.conf" 
DEBU[0000] Found credentials for mynexus:5000 in credential helper containers-auth.json in file /Users/xxx/.config/containers/auth.json 
DEBU[0000] DoRequest Method: POST URI: http://d/v5.2.4/libpod/images/pull 
Trying to pull mynexus.net:5000/alpine:latest...
Error: initializing source docker://mynexus:5000/alpine:latest: pinging container registry mynexus:5000: Get "https://mynexus:5000/v2/": authenticationrequired

Describe the results you expected

podman pull works with authentication no matter if --rootful is activated or not

podman info output

host:
  arch: arm64
  buildahVersion: 1.37.4
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.78
    systemPercent: 0.11
    userPercent: 0.11
  cpus: 5
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "40"
  eventLogger: journald
  freeLocks: 2048
  hostname: localhost.localdomain
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.10.10-200.fc40.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 1514631168
  memTotal: 2044022784
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.1-1.20241007140227477357.main.38.g08fbf82.fc40.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.0-dev
    package: netavark-1.12.1-1.20241007131025236895.main.62.g47632d8.fc40.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.0-dev
  ociRuntime:
    name: crun
    package: crun-1.17-1.20241007140634150540.main.7.g7c194cb.fc40.aarch64
    path: /usr/bin/crun
    version: |-
      crun version UNKNOWN
      commit: 4f2c23486977b381fd9461150d2c0038b7d918b3
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240906.g6b38f07-1.fc40.aarch64
    version: |
      pasta 0^20240906.g6b38f07-1.fc40.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-2.fc40.aarch64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 0h 10m 59.00s
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 4582780928
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.4
  Built: 1728259200
  BuiltTime: Mon Oct  7 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/arm64
  Version: 5.2.4

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

@KaiHufenbach KaiHufenbach added the kind/bug Categorizes issue or PR as related to a bug. label Oct 9, 2024
@github-actions github-actions bot added the remote Problem is in podman-remote label Oct 9, 2024
@KaiHufenbach KaiHufenbach changed the title Podman pull from nexus with authentication fails with authenticationrequired from outside of podman machine if --rootful is set Podman pull with authentication fails with authenticationrequired if --rootful is set Oct 9, 2024
@Luap99 Luap99 added machine macos MacOS (OSX) related labels Oct 9, 2024
github-actions bot commented Nov 9, 2024

A friendly reminder that this issue had no activity for 30 days.
