Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-47696

Use of optional_namespaces in the ImageTagMirrorSet does not work as documented

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • 4.19.0
    • 4.16.z
    • Windows Containers
    • None
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • 3
    • None
    • None
    • None
    • WINC - Sprint 269, WINC - Sprint 270
    • 2
    • In Progress
    • Bug Fix
    • Hide
      Fixes an issue where Windows nodes were unable to pull from organizations/namespaces of container image mirror registries.

      Additional guidelines and requirements around using mirror registries have been added as part of this fix
      Show
      Fixes an issue where Windows nodes were unable to pull from organizations/namespaces of container image mirror registries. Additional guidelines and requirements around using mirror registries have been added as part of this fix
    • None
    • None
    • None
    • None

      Description of problem:

      Customer has a disconnected OCP 4.16 environment(issue can be reproduced locally as well). He configures imagetagset configuration as shown below. Problem only happens when optional_namespace is used as mentioned in the documentation

Illustration: <registry>/<optional-namespace>/oss/kubernetes/pause

It works if he mirrors without  the "optional-namespace" ie  <registry>/oss/kubernetes/pause
 
apiVersion: config.openshift.io/v1
kind: ImageTagMirrorSet
metadata:
  name: mirrorset
spec:
  imageTagMirrors:
  - mirrorSourcePolicy: NeverContactSource
    mirrors:
    - docker.<registry>/<optional_namespace>/oss/kubernetes/pause
    source: mcr.microsoft.com/oss/kubernetes/pause

    
This ends up creating proper hosts.toml file
 
 
server = "<registry>"
[host."<registry>"]
  capabilities = ["pull", "resolve"]

 
Containerd fails to pull the pause image with the following error "not found"
 
Failed to create pod sandbox: rpc error: code = NotFound desc = failed to get sandbox image "mcr.microsoft.com/oss/kubernetes/pause:3.9": failed to pull image "mcr.microsoft.com/oss/kubernetes/pause:3.9": failed to pull and unpack image "mcr.microsoft.com/oss/kubernetes/pause:3.9": failed to resolve reference "mcr.microsoft.com/oss/kubernetes/pause:3.9": mcr.microsoft.com/oss/kubernetes/pause:3.9: not found
 
 
Containerd in the background is executing a similar command to check for the repositories
 
curl -v <registry>/<optional_namespace>/v2/oss/kubernetes/pause/manifests/3.9?ns=mcr.microsoft.com
 
 
with optional_namespaces, a simple docker registry or quay registry is not returning the repo outputs. Due to this, we are getting "not found" when optional namespaces are used in the mirror registry
Customer can pull the image directly 
 
C:\scripts> .\crictl.exe -debug pull <registry>/<optional_namespace>/oss/kubernetes/pause:3.9
Image is up to date for sha256:c868a912caad9a64e6601bafa5188aa9d5d981b0c63f58988d90c88160c19688
 
 

      Version-Release number of selected component (if applicable):

          OCP 4.16.24/WMCO 10.16.1

      How reproducible:

          Always

      Steps to Reproduce:

          1. Create a ImageTagMirrorSet definition for pause container image for use in windows    
    2. try to pull the image using mcr.microsoft.com/oss/kubernetes/pause:3.9
    3.

      Actual results:

      With optional_namespaces, containerd fails to pull the image

      Expected results:

         As explained in the documentation, containerd should be able to pull the image with optional namespaces in use

      Additional info:

              rh-ee-ssoto Sebastian Soto
              rhn-support-rrajaram Ranjith Rajaram
              None
              None
              Aharon Rasouli Aharon Rasouli
              None
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: