Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-25703

oc tag command not having regexp check towards tag names cause OADP backup image fail

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.16.0
    • 4.13.z, 4.12.z, 4.14.z
    • ImageStreams
    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the `oc tag` command did not validate tag names when the command created new tags. After images were created from tags with invalid names, the `podman pull` command would fail. With this release, a validation step checks new tags for invalid names and you can now delete existing tags that have invalid names, so that this issue no longer exists. (link:https://issues.redhat.com/browse/OCPBUGS-25703[*OCPBUGS-25703*])
      Show
      * Previously, the `oc tag` command did not validate tag names when the command created new tags. After images were created from tags with invalid names, the `podman pull` command would fail. With this release, a validation step checks new tags for invalid names and you can now delete existing tags that have invalid names, so that this issue no longer exists. (link: https://issues.redhat.com/browse/OCPBUGS-25703 [* OCPBUGS-25703 *])
    • Bug Fix
    • Done

      Description of problem:

      1) Customer tag a image which including # (Hashtag) in the tag name 

      uk302-img-app-j:v0.6.12-build0000#000

      2)When customer using OADP to backup images , they got below error

      error excuting custom action(groupResource=imagestream.image.openshift.io namespace=dbp-p0010001, name=uk302-image-app-j): rpc error: code= Unknown= Invalid destination name udistribution-s3-c9814a92-67a4-4251-bd0d-142dfc4d3c80://dbp-p0010001/uk302-image-app-j:v0.6.12-build0000#00: invalid reference format  

      3) when check the source code below, we found that there are check towards tag name , seems # (Hashtag) is not allowed in regexp check

      https://github.com/openshift/openshift-velero-plugin/blob/83f5067b1e04d740cd79ee0046e24283a8d7a184/velero-plugins/imagecopy/imagestream.go#L138

      func copyImage(log logr.Logger, src, dest string, copyOptions *copy.Options) ([]byte, error) {
    policyContext, err := getPolicyContext()
    if err != nil {
        return []byte{}, fmt.Errorf("Error loading trust policy: %v", err)
    }
    defer policyContext.Destroy()
    srcRef, err := alltransports.ParseImageName(src)
    if err != nil {
        return []byte{}, fmt.Errorf("Invalid source name %s: %v", src, err)
    }
    destRef, err := alltransports.ParseImageName(dest)
    if err != nil {
        return []byte{}, fmt.Errorf("Invalid destination name %s: %v", dest, err)
    }

      https://github.com/containers/image/blob/main/docker/reference/regexp.go#L111

      const (
    // alphaNumeric defines the alpha numeric atom, typically a
    // component of names. This only allows lower case characters and digits.
    alphaNumeric = `[a-z0-9]+`

    // separator defines the separators allowed to be embedded in name
    // components. This allow one period, one or two underscore and multiple
    // dashes. Repeated dashes and underscores are intentionally treated
    // differently. In order to support valid hostnames as name components,
    // supporting repeated dash was added. Additionally double underscore is
    // now allowed as a separator to loosen the restriction for previously
    // supported names.
    separator = `(?:[._]|__|[-]*)`

    // repository name to start with a component as defined by DomainRegexp
    // and followed by an optional port.
    domainComponent = `(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])`

    // The string counterpart for TagRegexp.
    tag = `[\w][\w.-]{0,127}`

    // The string counterpart for DigestRegexp.
    digestPat = `[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}`

    // The string counterpart for IdentifierRegexp.
    identifier = `([a-f0-9]{64})`

    // The string counterpart for ShortIdentifierRegexp.
    shortIdentifier = `([a-f0-9]{6,64})`
      Expected results:

Customer want to know if this should be a bug that ,  when doing 
{code:java}
oc tag

      We should have some checking towards the tag name to prevent the #(Hashtag)  or other non allowed code been setting in the image tag which causing unexpected issue like in using OADP or other tools.

      please have a check , thank you!

      Regards
      Jacob

              fmissi Flavian Missi
              rhn-support-jayu Jacob Yu
              Wen Wang Wen Wang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: