OpenShift Bugs: OCPBUGS-14404

Security Profiles Operator specifies two openshift-selinuxd-rhel8 versions to be mirrored for a disconnected cluster install, but one does not exist in the registry


    • Bug
    • Resolution: Done-Errata
    • Major
    • None
    • 4.12
    • None
    • +
    • Important
    • No
    • 3
    • CMP Sprint 66, CMP Sprint 67
    • 2
    • False

      Issue:

      Security Profiles Operator specifies two openshift-selinuxd-rhel8 versions to be mirrored for a disconnected cluster install, but one does not exist in the registry

      Security Profiles Operator Version: 0.7.1

      Problem Description:

      While trying to install Security Profiles Operator into a disconnected cluster, two versions of openshift-selinuxd-rhel8 are identified but only one can successfully be mirrored.

      The two versions are listed below:

      • registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:246ffdfd3cd71449e221409b8b42a4211b6d5b557262f1392b14987a59d5feb0
      • registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5

      The first version works fine but the second version is not found in the registry.

      Based on the link [2], users that mirror images for disconnected environments must mirror both selinuxd images provided by the Security Profiles Operator.

      The bad image used by the Security Profiles Operator is referenced in the imageContentSourcePolicy.yaml which is created by the `oc adm mirror` command. The following points need to be updated in the imageContentSourcePolicy.yaml for the Security Profiles Operator:

      • The imageContentSourcePolicy.yaml file created by `oc adm mirror` should automatically pull the correct image tags for the Security Profiles Operator instead of the user manually modifying this.
      • In case only one image is required, the other shouldn't be part of imageContentSourcePolicy.yaml

      Tried to pull the referenced bad image at my end using `podman` and the following error message is reported:

      ~~~
      $ podman pull registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5^C
      [sasakshi@sasakshi ~]$ oc version
      Client Version: 4.12.7
      Kustomize Version: v4.5.7
      Server Version: 4.10.57
      Kubernetes Version: v1.23.17+16bcd69

      $ podman pull registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5
      Trying to pull registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5...
      WARN[0002] Failed, retrying in 1s ... (1/3). Error: initializing source docker://registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5: reading manifest sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5 in registry.redhat.io/compliance/openshift-selinuxd-rhel8: unsupported: Not Found, or unsupported. V2 schema 1 manifest digest are no longer supported for image pulls. Use the equivalent schema 2 manifest digest instead. For more information see https://access.redhat.com/articles/6138332
      WARN[0004] Failed, retrying in 1s ... (2/3). Error: initializing source docker://registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5: reading manifest sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5 in registry.redhat.io/compliance/openshift-selinuxd-rhel8: unsupported: Not Found, or unsupported. V2 schema 1 manifest digest are no longer supported for image pulls. Use the equivalent schema 2 manifest digest instead. For more information see https://access.redhat.com/articles/6138332
      ~~~
      As a temporary workaround, the customer has been able to install SPO using one version, but this is not a permanent solution. The main issue is that the `oc adm mirror` command provides a sha that does not exist.

      [2] https://docs.openshift.com/container-platform/4.12/security/security_profiles_operator/spo-release-notes.html#spo-0-7-1-new-features-and-enhancements

              wenshen@redhat.com Vincent Shen
              sasakshi@redhat.com Sakshi sakshi
              Xiaojie Yuan Xiaojie Yuan
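
A pre-flight check for the failure described in this report, as an added example that is not part of the original issue or the operator's tooling: it extracts every digest-pinned reference from a mirror list and reports the ones the source registry cannot serve. The `skopeo inspect --raw` probe, the source=destination file layout and `mirror.example.com` are assumptions; the two digests are the ones quoted in the report.

```shell
#!/bin/sh
# Pre-flight check for a disconnected mirror: list every digest-pinned image
# reference in a file and report the ones the source registry cannot serve.

# Print each unique repo@sha256:<digest> reference found in file $1.
extract_digest_refs() {
  grep -oE '[A-Za-z0-9._:/-]+@sha256:[0-9a-f]{64}' "$1" | sort -u
}

# Default probe. Assumption: skopeo is installed and logged in to the registry.
# Succeeds only if the registry returns a manifest for the digest.
probe_ref() {
  skopeo inspect --raw "docker://$1" >/dev/null 2>&1
}

# Print references from file $1 that the probe ($2, default probe_ref) cannot
# resolve. Returns 1 if any reference is missing, 0 otherwise.
find_missing_refs() {
  fm_probe=${2:-probe_ref}
  fm_status=0
  for fm_ref in $(extract_digest_refs "$1"); do
    if ! "$fm_probe" "$fm_ref"; then
      printf '%s\n' "$fm_ref"
      fm_status=1
    fi
  done
  return "$fm_status"
}

# Constructed sample: source=destination lines using the two digests from the
# report; mirror.example.com is a placeholder destination.
write_sample_list() {
  cat > "$1" <<'EOF'
registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:246ffdfd3cd71449e221409b8b42a4211b6d5b557262f1392b14987a59d5feb0=mirror.example.com/compliance/openshift-selinuxd-rhel8:246ffdfd
registry.redhat.io/compliance/openshift-selinuxd-rhel8@sha256:568d5b06ebeb54770d5edf7407f2e6e34f8e0fa58a412e19a27124ed496b18d5=mirror.example.com/compliance/openshift-selinuxd-rhel8:568d5b06
EOF
}

# Offline stand-in for probe_ref that mimics the behaviour reported above:
# only the 246ffdfd... digest resolves.
stub_probe() {
  case $1 in *@sha256:246ffdfd*) return 0 ;; *) return 1 ;; esac
}
```

Running `find_missing_refs <file>` with the default probe before mirroring makes a dangling digest fail the job up front rather than at install time inside the disconnected cluster.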