Bug
Resolution: Done
Critical
4.10, 4.8
Rejected
Description of problem:
podman push fails after whitelisting registries
Version-Release number of selected component (if applicable):
4.8, 4.10
How reproducible:
always
Steps to Reproduce:
1. Whitelist registries by editing "image.config.openshift.io/cluster" and adding the following:

       spec:
         registrySources:
           allowedRegistries:
           - image-registry.openshift-image-registry.svc:5000
           - registry.access.redhat.com
           - registry.redhat.io
           - registry.connect.redhat.com
           - quay.io
           - docker.io

2. podman push --log-level debug image-registry.openshift-image-registry.svc:5000/openshift/centos:latest

3. The logs show the following:

       DEBU[0000] IsRunningImageAllowed for image containers-storage:[overlay@/var/lib/containers/storage]@5812dfe24a4fd91ce8c5d0b2667fec71259674a2e37c08fda9a9d15a9ff2feb0
       DEBU[0000] Using default policy section
       DEBU[0000] Requirement 0: denied, done
       Error: Source image rejected: Running image containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage]@300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55 is rejected by policy.
Actual results:
The push fails
Expected results:
Push should succeed
Additional info:
The issue seems to be that the transport "containers-storage" is not created in /etc/containers/policy.json when you whitelist registries, and since that transport does not exist, the default policy "reject" is applied. When I manually create the transport "containers-storage" like below, the push works.

    "containers-storage": {
        "": [
            {
                "type": "insecureAcceptAnything"
            }
        ]
    },

    DEBU[0000] IsRunningImageAllowed for image containers-storage:[overlay@/var/lib/containers/storage]@300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55
    DEBU[0000] Using default policy section
    DEBU[0000] Requirement 0: allowed
    DEBU[0000] Overall: allowed
    DEBU[0003] PUT https://image-registry.openshift-image-registry.svc:5000/v2/openshift/centos/manifests/latest
    Storing signatures
    DEBU[0003] Called push.PersistentPostRunE(podman push --log-level debug image-registry.openshift-image-registry.svc:5000/openshift/centos:latest)

We tested this problem in both 4.8 and 4.10; the problem exists in both, and the above fix worked in both. We are not sure why the code is not creating the transport automatically when you whitelist the registries. A similar issue was fixed in the past -> https://bugzilla.redhat.com/show_bug.cgi?id=1838372
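The fallback to the "reject" default described above can be reproduced offline. This is an added example, not code from the report or from podman: the lookup is a simplified model (most specific scope, then the transport's "" scope, then the global default; tags and signature requirement types are not modelled), and both sample policies are constructed.

```python
import copy

# Constructed sample: an allow-list policy with a "reject" default and no
# containers-storage transport, the situation the report describes.
POLICY_BEFORE = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "image-registry.openshift-image-registry.svc:5000": [{"type": "insecureAcceptAnything"}],
            "quay.io": [{"type": "insecureAcceptAnything"}],
        }
    },
}
# Same policy plus the containers-storage entry the reporter added by hand.
POLICY_AFTER = copy.deepcopy(POLICY_BEFORE)
POLICY_AFTER["transports"]["containers-storage"] = {"": [{"type": "insecureAcceptAnything"}]}


def candidate_scopes(scope):
    """Most specific first: the scope, each parent namespace, then ""."""
    out = []
    while scope:
        out.append(scope)
        scope = scope.rpartition("/")[0]
    return out + [""]


def is_allowed(policy, transport, scope=""):
    """Return (allowed, section) where section names the policy part that decided."""
    scopes = policy.get("transports", {}).get(transport, {})
    for key in candidate_scopes(scope):
        if key in scopes:
            reqs, section = scopes[key], f"transports.{transport}[{key!r}]"
            break
    else:
        # No entry for this transport or scope: the global default applies.
        reqs, section = policy.get("default", []), "default"
    # Only "reject" and "insecureAcceptAnything" are modelled; any other
    # requirement type is treated as not unconditionally allowed.
    allowed = bool(reqs) and all(r.get("type") == "insecureAcceptAnything" for r in reqs)
    return allowed, section


if __name__ == "__main__":
    for name, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, "containers-storage ->", is_allowed(pol, "containers-storage"))
        print(name, "docker quay.io/example/app ->", is_allowed(pol, "docker", "quay.io/example/app"))
```

The "before" policy allows pulls from the listed registries but sends the local containers-storage source image to the default section, which is where the push is rejected.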
Is duplicated by: OCPBUGS-17536 Image push from node to registry fails with rejected by policy error in RHOCP4 (Closed)