OCPBUGS-13962

related image validation against catalog displays false positives

      Previously, when using the 'registries.conf', some images were not included in the mapping.
      With this bug fix, you can now see the images included in the mapping without any errors.

      Description of problem:

      When using the --oci-registries-config flag explicitly or getting registries.conf from the environment, the source image in the mapping could have been modified from the value found in the catalog in some circumstances. For example, when using registries.conf we might find an image in a mirror and use that for the mapping rather than the original location defined in the catalog.

      The docker image format could be one of these variants:

      <registry>/<namespace>/name
      <registry>/<namespace>/name:tag
      <registry>/<namespace>/name@digest
      <registry>/<namespace>/name:tag@digest
      

      Because the registry and namespace portions of the docker reference could be different, not only do we need to check for "exact matches", we also need to attempt to find a match based on the name and one of the tag / digest variants above. If none of those variants match, then we need to add a validation message in the validateMapping function.
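      The matching rule described above, as an added Go sketch (not oc-mirror's own code). `parseRef` and `inMapping` are hypothetical names, the mapping source is a constructed entry built from the values in this report, and letting the digest decide whenever the catalog reference carries one is an assumption of the sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// ref keeps only the parts of a docker reference that survive a registries.conf redirect.
type ref struct{ name, tag, digest string }

// parseRef splits <registry>/<namespace>/name[:tag][@digest]; registry and namespace are dropped.
func parseRef(s string) ref {
	var r ref
	if i := strings.Index(s, "@"); i >= 0 {
		s, r.digest = s[:i], s[i+1:]
	}
	last := s[strings.LastIndex(s, "/")+1:] // a ':' before the last '/' is a registry port
	if i := strings.Index(last, ":"); i >= 0 {
		last, r.tag = last[:i], last[i+1:]
	}
	r.name = last
	return r
}

// inMapping (hypothetical helper) tries an exact match first, then falls back to the name
// plus digest when the catalog reference has a digest (sketch assumption), else name plus tag.
func inMapping(catalogImage string, sources []string) bool {
	want := parseRef(catalogImage)
	for _, src := range sources {
		got := parseRef(src)
		byDigest := want.digest != "" && got.digest == want.digest
		byTag := want.digest == "" && got.tag == want.tag
		if src == catalogImage || (got.name == want.name && (byDigest || byTag)) {
			return true
		}
	}
	return false // the caller would add the "is not included in mapping" message here
}

func main() {
	const d = "sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"
	sources := []string{"quay.io/jhunkins/amd64/hello-world@" + d} // constructed mapping source
	fmt.Println(inMapping("docker.io/amd64/hello-world@"+d, sources))
}
```

      A digest match identifies the same content wherever it is hosted; a tag-only match across registries is weaker evidence because tags are mutable.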

      Version-Release number of selected component (if applicable): 4.13

      How reproducible: always

      Steps to Reproduce:

      Note: the catalog and images used here are publicly available

      1. Copy catalog image to disk in OCI layout
        mkdir -p /tmp/oci/registriesconf/validation
        skopeo --override-os linux copy docker://quay.io/jhunkins/ocp13962:v1 oci:///tmp/oci/registriesconf/validation --format v2s2
        
      2. Create a ~/.config/containers/registries.conf file with this content
        [[registry]]
        location = "docker.io/amd64"
        insecure = false
        blocked = false
        mirror-by-digest-only = true
        prefix = ""
        [[registry.mirror]]
          location = "quay.io/jhunkins/amd64"
          insecure = false
        
      3. Create an ISC [path to isc]/isc-registriesconf-validation.yaml
        kind: ImageSetConfiguration
        apiVersion: mirror.openshift.io/v1alpha2
        mirror: 
          operators: 
          - catalog: oci:///tmp/oci/registriesconf/validation
            full: true
            targetTag: latest
            targetCatalog: ibm-catalog
        storageConfig: 
          local: 
            path: /tmp/oc-mirror-temp
        
      4. Run oc mirror with OCI flags (running with dry run is sufficient to replicate this issue)
        oc mirror --config [path to isc]/isc-registriesconf-validation.yaml --include-local-oci-catalogs --oci-insecure-signature-policy --dest-use-http docker://localhost:5000/oci --skip-cleanup --dry-run
        

      Actual results:

      Notice the "image XXXX is not included in mapping" messages in the output because registries.conf "redirected" the images to be found in an alternate location, so the exact matching code did not behave correctly and added false warnings.

      Checking push permissions for localhost:5000
      Creating directory: oc-mirror-workspace/src/publish
      Creating directory: oc-mirror-workspace/src/v2
      Creating directory: oc-mirror-workspace/src/charts
      Creating directory: oc-mirror-workspace/src/release-signatures
      No metadata detected, creating new workspace
      2 related images processed in 876.220585ms
      Writing image mapping to oc-mirror-workspace/operators.1684898412/manifests-validation/mapping.txt
      image docker.io/amd64/hello-world@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 is not included in mapping
      image docker.io/amd64/hello-world@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 is not included in mapping
      localhost:5000/
        oci/amd64/hello-world
          blobs:
            quay.io/jhunkins/amd64/hello-world sha256:9c7a54a9a43cca047013b82af109fe963fde787f63f9e016fdc3384500c2823d 1.436KiB
            quay.io/jhunkins/amd64/hello-world sha256:719385e32844401d57ecfd3eacab360bf551a1491c05b85806ed8f1b08d792f6 2.399KiB
          manifests:
            sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 -> 7e9b6e
        oci/cpopen/ibm-aiops-orchestrator-bundle
          blobs:
            icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:15011dd9a92d5d7b7b503556da537ba0c11a40eaff96829a04769ab4dc53c34c 3.729KiB
            icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:1772fafc08b82487cf53c600aa6c5ad1db8191d0839042640a2ce415940957e3 7.96KiB
          manifests:
            sha256:2db967de122e3b71a54d1fef109925d45aab481dbd3c8d4bc18948848102e27e -> 2db967
        stats: shared=0 unique=4 size=15.52KiB ratio=1.00
      
      phase 0:
        localhost:5000 oci/cpopen/ibm-aiops-orchestrator-bundle blobs=2 mounts=0 manifests=1 shared=0
        localhost:5000 oci/amd64/hello-world                    blobs=2 mounts=0 manifests=1 shared=0
      
      info: Planning completed in 650ms
      info: Dry run complete
      Writing image mapping to oc-mirror-workspace/mapping.txt
      
      

      Expected results:

      Checking push permissions for localhost:5000
      Creating directory: oc-mirror-workspace/src/publish
      Creating directory: oc-mirror-workspace/src/v2
      Creating directory: oc-mirror-workspace/src/charts
      Creating directory: oc-mirror-workspace/src/release-signatures
      No metadata detected, creating new workspace
      2 related images processed in 885.009594ms
      Writing image mapping to oc-mirror-workspace/operators.1684898245/manifests-validation/mapping.txt
      localhost:5000/
        oci/amd64/hello-world
          blobs:
            quay.io/jhunkins/amd64/hello-world sha256:9c7a54a9a43cca047013b82af109fe963fde787f63f9e016fdc3384500c2823d 1.436KiB
            quay.io/jhunkins/amd64/hello-world sha256:719385e32844401d57ecfd3eacab360bf551a1491c05b85806ed8f1b08d792f6 2.399KiB
          manifests:
            sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 -> 7e9b6e
        oci/cpopen/ibm-aiops-orchestrator-bundle
          blobs:
            icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:15011dd9a92d5d7b7b503556da537ba0c11a40eaff96829a04769ab4dc53c34c 3.729KiB
            icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:1772fafc08b82487cf53c600aa6c5ad1db8191d0839042640a2ce415940957e3 7.96KiB
          manifests:
            sha256:2db967de122e3b71a54d1fef109925d45aab481dbd3c8d4bc18948848102e27e -> 2db967
        stats: shared=0 unique=4 size=15.52KiB ratio=1.00
      
      phase 0:
        localhost:5000 oci/amd64/hello-world                    blobs=2 mounts=0 manifests=1 shared=0
        localhost:5000 oci/cpopen/ibm-aiops-orchestrator-bundle blobs=2 mounts=0 manifests=1 shared=0
      
      info: Planning completed in 620ms
      info: Dry run complete
      Writing image mapping to oc-mirror-workspace/mapping.txt
      

      Additional info:

      I intend to create a PR which adds correct validation

            jhunkins@redhat.com John Hunkins (Inactive)
            ying zhou ying zhou