  1. Red Hat Advanced Cluster Management
  2. ACM-21309

Nightly images should be signed or served from other registry


    • Security & Compliance

      Description of problem:

      When running assisted installer installs, an agent will run "podman run <image>" commands.

      At the moment, those commands are failing with nightly images:

      Trying to pull registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:e94a05430e87664f59ed8ea24340d6d2c7803538535409442127aeb7187b1bb0...
      Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exist 

      This means the nightly images are not signed AND served on registry.redhat.io, which is required to check image signature by default on RHCOS.

      At the moment the workaround is to disable the signature check on RHCOS, but it's not ideal for testing scenarios that should be as close as possible to production.

      I'd recommend either signing the images or serving them from another registry which doesn't require signature checking by default on RHCOS.

      Version-Release number of selected component (if applicable):

       

      MCE 2.9 nightly images

      How reproducible:

      100%

      Steps to Reproduce:

      1. launch ZTP assisted-installer install
      2. watch install fail
      3. check logs of the agent

      Actual results:

      Failing to run image due to lack of signature

      Expected results:

      Agent can run the image correctly

      Additional info:

              eerez@redhat.com Elior Erez
              rh-ee-rpiccoli Riccardo Piccoli
              Gal Amado Gal Amado
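The "Source image rejected" error above is produced when the pull is checked against the host's container signature policy. The following Python script is an added example, not part of the original issue or of any Red Hat code: it resolves which scope of a containers-policy.json(5) policy applies to an image reference, most specific scope first. The sample policy, its key path and the registry.example.com image are constructed assumptions; image references are assumed to be fully qualified.

```python
import json

# Constructed sample in containers-policy.json(5) format. The scope and key
# path are assumptions for illustration, not copied from an RHCOS host.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {"registry.redhat.io": [
    {"type": "signedBy", "keyType": "GPGKeys",
     "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]}}
}
""")

# Image reference taken from the pull error quoted in the issue.
PAGE_IMAGE = ("registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9"
              "@sha256:e94a05430e87664f59ed8ea24340d6d2c7803538535409442127aeb7187b1bb0")


def candidate_scopes(image_ref):
    """Yield docker-transport policy scopes for image_ref, most specific first."""
    yield image_ref                               # full reference with tag/digest
    name = image_ref.split("@", 1)[0]             # drop the digest
    head, sep, last = name.rpartition("/")
    name = head + sep + last.split(":", 1)[0]     # drop the tag, keep host:port
    if name != image_ref:
        yield name                                # repository
    while "/" in name:
        name = name.rsplit("/", 1)[0]
        yield name                                # parent namespaces, then host
    labels = name.split(":", 1)[0].split(".")     # port is ignored for wildcards
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])         # wildcard subdomain scopes
    yield ""                                      # transport-wide default scope


def effective_requirements(policy, image_ref, transport="docker"):
    """Return (matched scope, requirement list) that governs image_ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image_ref):
        if scope in scopes:
            return scope, scopes[scope]
    return "(global default)", policy["default"]


def demands_signature(policy, image_ref):
    """True when the governing requirements include a signature check."""
    _, reqs = effective_requirements(policy, image_ref)
    return any(r["type"] in ("signedBy", "sigstoreSigned") for r in reqs)
```

On a real host the policy to pass in is the parsed content of /etc/containers/policy.json.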