Description of problem:
When using the --oci-registries-config flag explicitly or getting registries.conf from the environment, the source image in the mapping could have been modified from the value found in the catalog in some circumstances. For example, when using registries.conf we might find an image in a mirror and use that for the mapping rather than the original location defined in the catalog.
The docker image format could be one of these variants:
<registry>/<namespace>/name
<registry>/<namespace>/name:tag
<registry>/<namespace>/name@digest
<registry>/<namespace>/name:tag@digest
Because the registry and namespace portions of the docker reference could be different, we need to check not only for "exact matches" but also for a match based on the name and one of the tag / digest variants above. If none of those variants match, then we need to add a validation message in the validateMapping function.
Version-Release number of selected component (if applicable): 4.13
How reproducible: always
Steps to Reproduce:
Note: the catalog and images used here are publicly available
- Copy catalog image to disk in OCI layout
mkdir -p /tmp/oci/registriesconf/validation
skopeo --override-os linux copy docker://quay.io/jhunkins/ocp13962:v1 oci:///tmp/oci/registriesconf/validation --format v2s2
- Create a ~/.config/containers/registries.conf file with this content
[[registry]]
location = "docker.io/amd64"
insecure = false
blocked = false
mirror-by-digest-only = true
prefix = ""
[[registry.mirror]]
location = "quay.io/jhunkins/amd64"
insecure = false
- Create an ISC [path to isc]/isc-registriesconf-validation.yaml
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
mirror:
  operators:
  - catalog: oci:///tmp/oci/registriesconf/validation
    full: true
    targetTag: latest
    targetCatalog: ibm-catalog
storageConfig:
  local:
    path: /tmp/oc-mirror-temp
- Run oc mirror with OCI flags (running with dry run is sufficient to replicate this issue)
oc mirror --config [path to isc]/isc-registriesconf-validation.yaml --include-local-oci-catalogs --oci-insecure-signature-policy --dest-use-http docker://localhost:5000/oci --skip-cleanup --dry-run
Actual results:
Notice the "image XXXX is not included in mapping" messages in the output because registries.conf "redirected" the images to be found in an alternate location, so the exact matching code did not behave correctly and added false warnings.
Checking push permissions for localhost:5000
Creating directory: oc-mirror-workspace/src/publish
Creating directory: oc-mirror-workspace/src/v2
Creating directory: oc-mirror-workspace/src/charts
Creating directory: oc-mirror-workspace/src/release-signatures
No metadata detected, creating new workspace
2 related images processed in 876.220585ms
Writing image mapping to oc-mirror-workspace/operators.1684898412/manifests-validation/mapping.txt
image docker.io/amd64/hello-world@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 is not included in mapping
image docker.io/amd64/hello-world@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 is not included in mapping
localhost:5000/
  oci/amd64/hello-world
    blobs:
      quay.io/jhunkins/amd64/hello-world sha256:9c7a54a9a43cca047013b82af109fe963fde787f63f9e016fdc3384500c2823d 1.436KiB
      quay.io/jhunkins/amd64/hello-world sha256:719385e32844401d57ecfd3eacab360bf551a1491c05b85806ed8f1b08d792f6 2.399KiB
    manifests:
      sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 -> 7e9b6e
  oci/cpopen/ibm-aiops-orchestrator-bundle
    blobs:
      icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:15011dd9a92d5d7b7b503556da537ba0c11a40eaff96829a04769ab4dc53c34c 3.729KiB
      icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:1772fafc08b82487cf53c600aa6c5ad1db8191d0839042640a2ce415940957e3 7.96KiB
    manifests:
      sha256:2db967de122e3b71a54d1fef109925d45aab481dbd3c8d4bc18948848102e27e -> 2db967
  stats: shared=0 unique=4 size=15.52KiB ratio=1.00
phase 0:
  localhost:5000 oci/cpopen/ibm-aiops-orchestrator-bundle blobs=2 mounts=0 manifests=1 shared=0
  localhost:5000 oci/amd64/hello-world blobs=2 mounts=0 manifests=1 shared=0
info: Planning completed in 650ms
info: Dry run complete
Writing image mapping to oc-mirror-workspace/mapping.txt
Expected results:
Checking push permissions for localhost:5000
Creating directory: oc-mirror-workspace/src/publish
Creating directory: oc-mirror-workspace/src/v2
Creating directory: oc-mirror-workspace/src/charts
Creating directory: oc-mirror-workspace/src/release-signatures
No metadata detected, creating new workspace
2 related images processed in 885.009594ms
Writing image mapping to oc-mirror-workspace/operators.1684898245/manifests-validation/mapping.txt
localhost:5000/
  oci/amd64/hello-world
    blobs:
      quay.io/jhunkins/amd64/hello-world sha256:9c7a54a9a43cca047013b82af109fe963fde787f63f9e016fdc3384500c2823d 1.436KiB
      quay.io/jhunkins/amd64/hello-world sha256:719385e32844401d57ecfd3eacab360bf551a1491c05b85806ed8f1b08d792f6 2.399KiB
    manifests:
      sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3 -> 7e9b6e
  oci/cpopen/ibm-aiops-orchestrator-bundle
    blobs:
      icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:15011dd9a92d5d7b7b503556da537ba0c11a40eaff96829a04769ab4dc53c34c 3.729KiB
      icr.io/cpopen/ibm-aiops-orchestrator-bundle sha256:1772fafc08b82487cf53c600aa6c5ad1db8191d0839042640a2ce415940957e3 7.96KiB
    manifests:
      sha256:2db967de122e3b71a54d1fef109925d45aab481dbd3c8d4bc18948848102e27e -> 2db967
  stats: shared=0 unique=4 size=15.52KiB ratio=1.00
phase 0:
  localhost:5000 oci/amd64/hello-world blobs=2 mounts=0 manifests=1 shared=0
  localhost:5000 oci/cpopen/ibm-aiops-orchestrator-bundle blobs=2 mounts=0 manifests=1 shared=0
info: Planning completed in 620ms
info: Dry run complete
Writing image mapping to oc-mirror-workspace/mapping.txt
Additional info:
I intend to create a PR which adds correct validation
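The matching described in the problem statement (exact match first, then name plus tag or digest, ignoring registry and namespace), as an added Go example that is not oc-mirror's own code. The names `imageRef`, `parseRef` and `inMapping` are hypothetical, and comparing tags only when the catalog reference carries no digest is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// imageRef keeps only the parts a mirror cannot change: name, tag, digest.
type imageRef struct{ Name, Tag, Digest string }

// parseRef splits <registry>/<namespace>/name[:tag][@digest].
func parseRef(s string) imageRef {
	var r imageRef
	if i := strings.Index(s, "@"); i >= 0 {
		s, r.Digest = s[:i], s[i+1:]
	}
	slash := strings.LastIndex(s, "/")
	if i := strings.LastIndex(s, ":"); i > slash { // colon before a slash is a port
		s, r.Tag = s[:i], s[i+1:]
	}
	r.Name = s[slash+1:]
	return r
}

// inMapping (hypothetical helper): exact match, else same name and same digest.
// Assumption: tags are compared only when the catalog reference has no digest,
// and a bare name matches only a bare name.
func inMapping(catalogImage string, sources []string) bool {
	want := parseRef(catalogImage)
	for _, src := range sources {
		got := parseRef(src)
		sameDigest := want.Digest != "" && got.Digest == want.Digest
		sameTag := want.Digest == "" && got.Tag == want.Tag && (want.Tag != "" || got.Digest == "")
		if src == catalogImage || (got.Name == want.Name && (sameDigest || sameTag)) {
			return true
		}
	}
	return false
}

func main() {
	const d = "sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"
	// Constructed sample: mirror location from the report; sha256:0000 is a made-up digest.
	sources := []string{"quay.io/jhunkins/amd64/hello-world@" + d}
	for _, img := range []string{"docker.io/amd64/hello-world@" + d, "docker.io/amd64/hello-world@sha256:0000"} {
		if !inMapping(img, sources) {
			fmt.Printf("image %s is not included in mapping\n", img)
		}
	}
}
```

Requiring the digest to match whenever the catalog reference has one keeps the relaxed check from accepting a different image that merely shares a name on the mirror.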
- clones: OCPBUGS-13762 Performance issues when using registries.conf (Closed)
- is cloned by: OCPBUGS-14402 oc-mirror should respect the insecure setting in the registries config file location (Closed)
- links to: RHEA-2023:5006 rpm