OCPBUGS-55106

RHCOS 4.19 live iso x86_64 contains restrictive policy.json

      Description of problem:

      Starting April 10th, RHCOS 4.19 live iso (from 4.19 ocp installer reference) contains a restrictive */etc/containers/policy.json* that causes OCP clusters deployed by assisted service to fail in certain scenarios.
      

      Version-Release number of selected component (if applicable):

      Trying to deploy 4.19.0-ec4
      
      Booted image information:
      
      NAME="Red Hat Enterprise Linux CoreOS"
      VERSION="9.6.20250321-0 (Plow)"
      ID="rhel"
      ID_LIKE="fedora"
      VERSION_ID="9.6"
      PLATFORM_ID="platform:el9"
      PRETTY_NAME="Red Hat Enterprise Linux CoreOS 9.6.20250321-0 (Plow)"
      ANSI_COLOR="0;31"
      LOGO="fedora-logo-icon"
      CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
      HOME_URL="https://www.redhat.com/"
      DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
      BUG_REPORT_URL="https://issues.redhat.com/"
      REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
      REDHAT_BUGZILLA_PRODUCT_VERSION=9.6
      REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
      REDHAT_SUPPORT_PRODUCT_VERSION="9.6"
      OSTREE_VERSION='9.6.20250321-0'
      VARIANT=CoreOS
      VARIANT_ID=coreos
      Red Hat Enterprise Linux release 9.6 (Plow)
      Red Hat Enterprise Linux release 9.6 (Plow)  

      How reproducible:

      100%
      
      

      Steps to Reproduce:

      1. Run coreos image
      2. cat /etc/containers/policy.json
      
      

      Actual results:

      [core@sno ~]$ cat /etc/containers/policy.json 
      {
          "default": [
              {
                  "type": "insecureAcceptAnything"
              }
          ],
          "transports": {
              "docker": {
                  "registry.access.redhat.com": [
                      {
                          "type": "signedBy",
                          "keyType": "GPGKeys",
                          "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]                                                                                                                          
                      }
                  ],
                  "registry.redhat.io": [
                      {
                          "type": "signedBy",
                          "keyType": "GPGKeys",
                          "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                      }
                  ]
              },
              "docker-daemon": {
                  "": [
                      {
                          "type": "insecureAcceptAnything"
                      }
                  ]
              }
          }
      }  

      Expected results:

      {
          "default": [
              {
                  "type": "insecureAcceptAnything"
              }
          ],
          "transports": {
              "docker-daemon": {
                  "": [
                      {
                          "type": "insecureAcceptAnything"
                      }
                  ]
              }
          }
      }
      
      
      There was no change to the configuration, and the deployment the day before (on April 9th) completed successfully. The issue has persisted since then on every deployment attempt.

      The issue itself is that with those records, the agent image cannot be downloaded:

      Apr 17 12:05:33 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: Starting agent.service...
      Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: Trying to pull registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea15594b21aa9...
      Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
      Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: 2025-04-17 12:05:34.17935456 +0000 UTC m=+0.165353038 image pull-error  registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea1559>
      Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: agent.service: Control process exited, code=exited, status=125/n/a
      Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: agent.service: Failed with result 'exit-code'.
      Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: Failed to start agent.service.
       

      Once the `docker` section is removed, the image is pulled and the deployment continues.

       

              rh-ee-rpiccoli Riccardo Piccoli
              agurenko@redhat.com Alexander Gurenko
              Gal Amado Gal Amado
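An added example, not part of the original report and not the containers/image implementation: a simplified model of the docker-transport scope lookup described in containers-policy.json(5), run against the two policies quoted in the report to show why the agent pull needs a signature under one and not the other. Wildcard scopes are omitted, the function names are hypothetical, and the second image reference in the usage lines is constructed.

```python
import json

# Policy from the report's "Actual results".
ACTUAL = json.loads("""
{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {
   "docker": {
     "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys",
       "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
                    "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]}],
     "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys",
       "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
                    "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]}]},
   "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}}}
""")
# Policy from "Expected results": no "docker" transport section at all.
EXPECTED = json.loads("""
{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {"docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}}}
""")
# Image reference taken from the journal output in the report.
AGENT = ("registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9"
         "@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea15594b21aa9")

def docker_scopes(ref):
    """Candidate scopes for a docker reference, most specific first."""
    repo = ref.split("@", 1)[0]                 # drop a digest
    if ":" in repo.rsplit("/", 1)[-1]:          # drop a tag, not a registry port
        repo = repo[: repo.rindex(":")]
    scopes = [ref] if ref != repo else []
    while repo:                                 # repo, namespaces, then host
        scopes.append(repo)
        repo = repo.rpartition("/")[0]
    return scopes

def effective_requirements(policy, ref, transport="docker"):
    """Return (matched scope, requirement list) that applies to ref."""
    table = policy.get("transports", {}).get(transport, {})
    for scope in docker_scopes(ref) + [""]:     # "" is the transport-wide default
        if scope in table:
            return f"{transport}:{scope}", table[scope]
    return "default", policy["default"]

def rejects_unsigned(policy, ref):
    """True if an image without any signature cannot satisfy the policy."""
    _, reqs = effective_requirements(policy, ref)
    return any(r["type"] != "insecureAcceptAnything" for r in reqs)

if __name__ == "__main__":
    for name, pol in (("actual", ACTUAL), ("expected", EXPECTED)):
        print(name, effective_requirements(pol, AGENT)[0], rejects_unsigned(pol, AGENT))
    # Constructed reference on a registry the policy does not name.
    print(rejects_unsigned(ACTUAL, "quay.example.com/team/app:latest"))
```
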