- Bug
- Resolution: Done-Errata
- Major
- 4.12
- Important
- CMP Sprint 66, CMP Sprint 67
Issue:
Security Profiles Operator specifies two openshift-selinuxd-rhel8 versions to be mirrored for a disconnected cluster install, but one does not exist in the registry
Security Profiles Operator Version: 0.7.1
Problem Description:
While trying to install Security Profiles Operator into a disconnected cluster, two versions of openshift-selinuxd-rhel8 are identified but only one can successfully be mirrored.
The two versions are listed below:
- registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:246ffdfd3cd71449e221409b8b42a4211b6d5b557262f1392b14987a59d5feb0
- registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5
The first version works fine but the second version is not found in the registry.
Based on the link [2], users that mirror images for disconnected environments must mirror both selinuxd images provided by the Security Profiles Operator.
The bad image used by the Security Profiles Operator is referenced in the imageContentSourcePolicy.yaml, which is created by the `oc adm mirror` command. The following points need to be updated in the imageContentSourcePolicy.yaml for the Security Profiles Operator:
- The imageContentSourcePolicy.yaml file created by `oc adm mirror` should automatically pull the correct image tags for the Security Profiles Operator instead of the user modifying this manually.
- In case only one image is required, the other shouldn't be part of imageContentSourcePolicy.yaml.
Tried to pull the referenced bad image at my end using `podman` and the following error message is reported:
~~~
$ podman pull registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5^C
[sasakshi@sasakshi ~]$ oc version
Client Version: 4.12.7
Kustomize Version: v4.5.7
Server Version: 4.10.57
Kubernetes Version: v1.23.17+16bcd69
$ podman pull registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5
Trying to pull registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5...
WARN[0002] Failed, retrying in 1s ... (1/3). Error: initializing source docker://registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5: reading manifest sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5 in registry.redhat.io/compliance/openshift-selinuxd-rhel8: unsupported: Not Found, or unsupported. V2 schema 1 manifest digest are no longer supported for image pulls. Use the equivalent schema 2 manifest digest instead. For more information see https://access.redhat.com/articles/6138332
WARN[0004] Failed, retrying in 1s ... (2/3). Error: initializing source docker://registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5: reading manifest sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5 in registry.redhat.io/compliance/openshift-selinuxd-rhel8: unsupported: Not Found, or unsupported. V2 schema 1 manifest digest are no longer supported for image pulls. Use the equivalent schema 2 manifest digest instead. For more information see https://access.redhat.com/articles/6138332
~~~
As a temporary workaround, the customer has been able to install SPO using one version, but this is not a permanent solution. The main issue is that the `oc adm mirror` command provides a sha that does not exist.
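
A pre-flight check for the failure described in this report, as an added example that is not part of the original ticket or of the operator's tooling: it pulls every digest-pinned reference out of a mirror mapping and reports those whose manifest the source registry cannot serve. The `source=destination` input format, the `mirror.example.com` host, the function names, and the use of `skopeo` (installed and already logged in) are assumptions.

```shell
#!/bin/sh
# Added example: find digest-pinned images that cannot be mirrored because
# their manifest is missing from the source registry.

# Constructed sample mapping: the two digests are the ones quoted in the
# report; the destination host and tags are hypothetical.
SAMPLE_MAPPING='registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:246ffdfd3cd71449e221409b8b42a4211b6d5b557262f1392b14987a59d5feb0=mirror.example.com/compliance/openshift-selinuxd-rhel8:246ffdfd
registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5=mirror.example.com/compliance/openshift-selinuxd-rhel8:568d5b06'

# Succeeds only if the registry returns a manifest for the exact digest.
# Assumption: skopeo is available and authenticated to the registry.
probe_manifest() {
    skopeo inspect --raw "docker://$1" >/dev/null 2>&1
}

# Print each unique repo@sha256:<64 hex> reference found on stdin,
# without any leading transport prefix such as docker://.
extract_digest_refs() {
    grep -oE '[A-Za-z0-9._:/-]+@sha256:[0-9a-f]{64}' \
        | sed 's#^[a-z]*://##' \
        | sort -u
}

# Print the references whose manifest cannot be fetched, one per line.
# Returns 0 when every reference resolves, 1 when at least one is missing.
find_missing_refs() {
    refs=$(extract_digest_refs)
    missing=""
    for ref in $refs; do
        probe_manifest "$ref" || missing="${missing}${ref}
"
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Stand-alone use: pass the mapping file as the first argument.
if [ "$#" -gt 0 ]; then
    find_missing_refs < "$1"
fi
```

Running this against the mapping before the mirror step surfaces an unresolvable digest while the workstation still has registry access, rather than during installation on the disconnected cluster.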