- Bug
- Resolution: Unresolved
- Normal
- None
- 4.17, 4.16.z
- Moderate
- None
- False
Description of problem:
An invalid registry config is very hard to debug, as the only symptom is nodes not joining the cluster.
Version-Release number of selected component (if applicable):
4.17
How reproducible:
Always
Steps to Reproduce:
1. Create an HC with spec.configuration.image as below
2. Wait for nodes with new configuration to roll out
3.
{code}
image:
  additionalTrustedCA:
    name: ""
  registrySources:
    blockedRegistries:
    - trusted.com/myrepo:latest
{code}
Actual results:
Machines are provisioned but new nodes never join the cluster. NP mentions that config is valid. Ignition logs are clean.
{code}
- lastTransitionTime: "2024-10-14T15:04:59Z"
  observedGeneration: 1
  reason: AsExpected
  status: "True"
  type: ValidMachineConfig
- lastTransitionTime: "2024-10-14T15:04:59Z"
  message: 'Updating config in progress. Target config: 7880ef74'
  observedGeneration: 1
  reason: AsExpected
  status: "True"
  type: UpdatingConfig
{code}
SSHing into the node shows the following error in journalctl:
Oct 14 15:38:04 ip-10-0-131-137 sh[6728]: Error: invalid policy in "/etc/containers/policy.json": Unknown key "trusted.com/myrepo:latest"
Expected results:
Error should be caught earlier and reported in the NP condition and in the ignition logs. As it is, it is very complicated to debug.
Additional info:
Generated etc/containers/policy.json
{code:java}
{"default":[{"type":"insecureAcceptAnything"}],"transports":{"atomic":{"trusted.com/myrepo:latest":[{"type":"reject"}]},"docker":{"trusted.com/myrepo:latest":[{"type":"reject"}]},"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}
{code}
Visible in both 4.16 and 4.17.
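A pre-rollout check of the kind the report asks for, as an added example (not HyperShift or containers/image code): it parses the generated policy.json quoted above and lists the scope keys that carry a tag, so the problem surfaces before nodes are provisioned. The names `hasTag` and `TaggedScopes` and the tag heuristic are assumptions for illustration; the heuristic stands in for the runtime's own scope validation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Generated policy.json copied from the report above.
const reportedPolicy = `{"default":[{"type":"insecureAcceptAnything"}],"transports":{"atomic":{"trusted.com/myrepo:latest":[{"type":"reject"}]},"docker":{"trusted.com/myrepo:latest":[{"type":"reject"}]},"docker-daemon":{"":[{"type":"insecureAcceptAnything"}]}}}`

// hasTag reports whether an entry ends in ":tag". A ':' with no '/' after
// the host (registry.example:5000) is treated as a port, not a tag.
// Assumption: this heuristic stands in for the runtime's scope validation.
func hasTag(entry string) bool {
	i := strings.LastIndex(entry, "/")
	return i >= 0 && strings.Contains(entry[i+1:], ":")
}

// TaggedScopes returns "transport: scope" for each policy.json scope key
// that carries a tag, sorted so the result is stable.
func TaggedScopes(policyJSON []byte) ([]string, error) {
	var p struct {
		Transports map[string]map[string]json.RawMessage `json:"transports"`
	}
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("parse policy.json: %w", err)
	}
	var found []string
	for transport, scopes := range p.Transports {
		for scope := range scopes {
			if hasTag(scope) {
				found = append(found, transport+": "+scope)
			}
		}
	}
	sort.Strings(found)
	return found, nil
}

func main() {
	found, err := TaggedScopes([]byte(reportedPolicy))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range found {
		fmt.Println("tagged scope:", f)
	}
}
```

The same `hasTag` check can be applied to each `blockedRegistries` entry before the policy is generated.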