- Bug
- Resolution: Done
- Major
- None
- MCE 2.9.0
- Quality / Stability / Reliability
- False
- False
- Critical
- None
Description of problem:
This is the first time that I have used an ACM/MCE Konflux build to install SNOs with Assisted Installer so that I can create a seed image from them to do Image Based Install tests.
The agent service failed to start on the bare metal host because it cannot pull the image, as shown below.
[root@vm00001 ~]# journalctl -u agent.service
Jun 23 05:17:45 vm00001 systemd[1]: Starting agent.service...
Jun 23 05:17:45 vm00001 podman[2122]: Trying to pull registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:561aeb1c68d77313d944f89f5f97392d7e20e59bc978efa3172999cb2d8d8808...
Jun 23 05:17:45 vm00001 podman[2122]: Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
Jun 23 05:17:45 vm00001 podman[2122]: 2025-06-23 05:17:45.943572712 +0000 UTC m=+0.544130291 image pull-error registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:561aeb1c68d77313d944f89>
Jun 23 05:17:45 vm00001 systemd[1]: agent.service: Control process exited, code=exited, status=125/n/a
I've searched the Assisted Installer Slack channel and found people are discussing this issue, and I'm surprised people caught a similar issue a long time ago and there is a bug opened against the OCP installer (https://redhat-internal.slack.com/archives/CUPJTHQ5P/p1750462029526969?thread_ts=1747060998.029219&cid=CUPJTHQ5P).
But in my case, when I used the last ACM Cpaas build, last week, to install the same OCP version on a bare metal host, I didn't hit the issue. So in my case the only change is that I'm using the Konflux build now. Just in case some AI change happened between the last Cpaas build (2.14.0-DOWNSTREAM-2025-06-13-01-47-52) and the current Konflux build (2.14.0-DOWNSTREAM-2025-06-19-07-18-25), cchun@redhat.com please help double check whether any AI change between these two builds is related to this change.
So the reason the agent service cannot pull the image is that the core OS has a policy configured in /etc/containers/policy.json for "registry.redhat.io", as shown below:
[root@vm00001 ~]# vi /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}
After removing the "registry.redhat.io" section from /etc/containers/policy.json, as the default type is "insecureAcceptAnything", the image pull started:
Jun 23 05:21:22 vm00001 systemd[1]: Starting agent.service...
Jun 23 05:21:22 vm00001 podman[4584]: Trying to pull registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:561aeb1c68d77313d944f89f5f97392d7e20e59bc978efa3172999cb2d8d8808...
Jun 23 05:21:23 vm00001 podman[4584]: Getting image source signatures
Jun 23 05:21:23 vm00001 podman[4584]: Copying blob sha256:b9f508b4eb9889782c0b3475baa13c11abdda977fc6fb040a988a19e134d101f
Jun 23 05:21:23 vm00001 podman[4584]: Copying blob sha256:00a2391e45d52d904e44528fec25aaf84712cd72d8b36ca696d22a34105a5ce6
Again, when I did the same OCP version (4.19.0) SNO deployment last week with the Cpaas build 2.14.0-DOWNSTREAM-2025-06-13-01-47-52, I didn't hit the issue.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
- ...
Actual results:
Expected results:
Additional info:
- depends on
  - OCPBUGS-55106 RHCOS 4.19 live iso x86_64 contains restrictive policy.json (ON_QA)
  - OCPBUGS-55474 RHCOS 4.19 live iso x84_64 contains restrictive policy.json (Closed)
- is duplicated by
  - OCPBUGS-55106 RHCOS 4.19 live iso x86_64 contains restrictive policy.json (ON_QA)
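The policy lookup behind the two pull attempts in the description, as an added example that is not part of the original report or of any Red Hat tooling: it resolves which policy.json scope applies to an image, following the most-specific-first order documented in containers-policy.json(5), and shows that deleting the "registry.redhat.io" scope drops the agent image to the unverified global default. The function names and the inline policy are assumptions constructed from the file quoted in the report.

```python
import copy

# Constructed sample: same scopes as the policy.json quoted in the report.
KEYS = ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
        "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
SIGNED = [{"type": "signedBy", "keyType": "GPGKeys", "keyPaths": KEYS}]
POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker": {"registry.access.redhat.com": SIGNED,
                              "registry.redhat.io": SIGNED},
                   "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}},
}
IMAGE = ("registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9"
         "@sha256:561aeb1c68d77313d944f89f5f97392d7e20e59bc978efa3172999cb2d8d8808")

def candidate_scopes(image):
    """Docker-transport scopes for an image reference, most specific first."""
    yield image                                   # exact tag or digest reference
    repo = image.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:            # strip a trailing :tag
        repo = repo[:repo.rindex(":")]
    while "/" in repo:                            # repository, then namespaces
        yield repo
        repo = repo.rsplit("/", 1)[0]
    yield repo                                    # registry host
    labels = repo.split(".")
    for i in range(1, len(labels)):               # wildcard parents: *.redhat.io
        yield "*." + ".".join(labels[i:])

def resolve(policy, image, transport="docker"):
    """Return (matched scope, requirements) that apply to a pull of image."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:                              # transport-wide default scope
        return "", scopes[""]
    return "default", policy["default"]

def verifies_signatures(requirements):
    """True when at least one requirement actually checks a signature."""
    return any(r["type"] in ("signedBy", "sigstoreSigned") for r in requirements)

def without_scope(policy, scope, transport="docker"):
    """Copy of policy with one scope removed (the edit described in the report)."""
    edited = copy.deepcopy(policy)
    edited["transports"][transport].pop(scope, None)
    return edited
```

Running `resolve` against a host's real /etc/containers/policy.json (loaded with `json.load`) before and after an edit shows whether an image still falls under a signature-checking scope or has silently moved to `insecureAcceptAnything`.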