OpenShift Bugs / OCPBUGS-10421

RHCOS 4.13 live iso x86_64 contains restrictive policy.json

      Description of problem:

      RHCOS 4.13 live iso (from 4.13 ocp installer reference) contains a restrictive */etc/containers/policy.json* that causes OCP clusters deployed by assisted service to fail in certain scenarios.
      
      *Impact:* OCP clusters deployed disconnected and, secondarily, internal deployments with an ICSP mapping registry.redhat.io to brew (IPv4 clusters using the default registry.redhat.io should be unaffected)
      
      

      Version-Release number of selected component (if applicable):

      
      - https://github.com/openshift/installer/blob/238da2765adfe9a1cc19f33f90f82e946575786b/data/data/coreos/rhcos.json#L544
      
      - https://rhcos.mirror.openshift.com/art/storage/prod/streams/4.13-9.2/builds/413.92.202303011445-0/x86_64/rhcos-413.92.202303011445-0-live.x86_64.iso
      
      
      

      How reproducible:

      100%
      
      

      Steps to Reproduce:

      1. Run coreos image
      2. cat /etc/containers/policy.json
      
      

      Actual results:

      [core@localhost ~]$ cat /etc/containers/policy.json 
      {
          "default": [
              {
                  "type": "insecureAcceptAnything"
              }
          ],
          "transports": {
              "docker": {
                  "registry.access.redhat.com": [
                      {
                          "type": "signedBy",
                          "keyType": "GPGKeys",
                          "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                      }
                  ],
                  "registry.redhat.io": [
                      {
                          "type": "signedBy",
                          "keyType": "GPGKeys",
                          "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                      }
                  ]
              },
              "docker-daemon": {
                  "": [
                      {
                          "type": "insecureAcceptAnything"
                      }
                  ]
              }
          }
      }
      
      

      Expected results:

      [core@spoke-master-0-0 ~]$ cat /etc/containers/policy.json
      {
          "default": [
              {
                  "type": "insecureAcceptAnything"
              }
          ],
          "transports": {
              "docker-daemon": {
              "": [
              {
                  "type": "insecureAcceptAnything"
              }
              ]
          }
          }
      }
      
      
      [core@localhost ~]$ cat /etc/*elea*
      CentOS Stream release 9
      NAME="CentOS Stream CoreOS"
      ID="rhcos"
      ID_LIKE="rhel fedora"
      VERSION="413.92.202303011445-0"
      VERSION_ID="4.13"
      VARIANT="CoreOS"
      VARIANT_ID=coreos
      PLATFORM_ID="platform:el9"
      PRETTY_NAME="CentOS Stream CoreOS 413.92.202303011445-0 (Plow)"
      ANSI_COLOR="0;31"
      CPE_NAME="cpe:/o:centos:centos:9coreos"
      HOME_URL="https://centos.org/"
      DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.13/"
      BUG_REPORT_URL="https://bugzilla.redhat.com/"
      REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
      REDHAT_BUGZILLA_PRODUCT_VERSION="4.13"
      REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
      REDHAT_SUPPORT_PRODUCT_VERSION="4.13"
      OPENSHIFT_VERSION="4.13"
      RHEL_VERSION="9"
      OSTREE_VERSION="413.92.202303011445-0"
      CentOS Stream CoreOS release 4.13
      CentOS Stream CoreOS release 4.13
      cpe:/o:centos:centos:9coreos
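
As an added example (not part of the original report or of any OpenShift tooling), the script below resolves which requirement in the two policy.json files shown above applies to a given image reference. It follows the docker scope ordering described in containers-policy.json(5) in simplified form (no wildcard scopes), and the image names are constructed for illustration.

```python
KEYS = ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
        "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
SIGNED = [{"type": "signedBy", "keyType": "GPGKeys", "keyPaths": KEYS}]
ACCEPT = [{"type": "insecureAcceptAnything"}]
# The two policies from the report: the one found on the live ISO and the expected one.
LIVE_ISO = {"default": ACCEPT, "transports": {
    "docker": {"registry.access.redhat.com": SIGNED, "registry.redhat.io": SIGNED},
    "docker-daemon": {"": ACCEPT}}}
EXPECTED = {"default": ACCEPT, "transports": {"docker-daemon": {"": ACCEPT}}}


def docker_scopes(ref):
    """Yield candidate policy scopes for a docker reference, most specific first."""
    yield ref  # exact reference, including tag or digest
    name = ref.split("@")[0]
    if ":" in name.rsplit("/", 1)[-1]:  # a tag colon, not a host:port colon
        name = name[:name.rfind(":")]
    while True:
        yield name  # repository, then each parent namespace, then the host
        if "/" not in name:
            break
        name = name.rsplit("/", 1)[0]


def requirements_for(policy, transport, ref):
    """Return (matched scope, requirements) that the policy applies to ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    candidates = list(docker_scopes(ref)) if transport == "docker" else [ref]
    for scope in candidates + [""]:  # "" is the per-transport default scope
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]  # global fallback


def requires_signature(policy, transport, ref):
    """True when the applicable requirements demand a verified signature."""
    _, reqs = requirements_for(policy, transport, ref)
    return any(r["type"] in ("signedBy", "sigstoreSigned") for r in reqs)


if __name__ == "__main__":
    # Constructed image names, used only to exercise the lookup.
    for image in ("registry.redhat.io/example/image:latest",
                  "quay.io/example/image:latest"):
        for label, policy in (("live ISO", LIVE_ISO), ("expected", EXPECTED)):
            scope, reqs = requirements_for(policy, "docker", image)
            print(f"{label:9} {image}: scope={scope!r} -> {reqs[0]['type']}")
```
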
      
      

              Unassigned Unassigned
              chadcrum Chad Crum
              Gaoyun Pei Gaoyun Pei