Bug
Resolution: Unresolved
Critical
4.19, 4.20.0
Quality / Stability / Reliability
Important
Description of problem:
Starting April 10th, RHCOS 4.19 live iso (from 4.19 ocp installer reference) contains a restrictive */etc/containers/policy.json* that causes OCP clusters deployed by assisted service to fail in certain scenarios.
Version-Release number of selected component (if applicable):
Trying to deploy 4.19.0-ec4

Booted image information:

```
NAME="Red Hat Enterprise Linux CoreOS"
VERSION="9.6.20250321-0 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.6"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 9.6.20250321-0 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://issues.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.6"
OSTREE_VERSION='9.6.20250321-0'
VARIANT=CoreOS
VARIANT_ID=coreos
Red Hat Enterprise Linux release 9.6 (Plow)
Red Hat Enterprise Linux release 9.6 (Plow)
```
How reproducible:
100%
Steps to Reproduce:
1. Run coreos image
2. cat /etc/containers/policy.json
Actual results:
```
[core@sno ~]$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}
```
Expected results:
```
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}
```

There was no change to the configuration, and the deployment the day before (on April 9th) completed successfully. The issue has persisted since then on every deployment attempt.
The issue itself is that with those records, the agent image cannot be downloaded:
```
Apr 17 12:05:33 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: Starting agent.service...
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: Trying to pull registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea15594b21aa9...
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: 2025-04-17 12:05:34.17935456 +0000 UTC m=+0.165353038 image pull-error registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea1559>
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: agent.service: Control process exited, code=exited, status=125/n/a
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: agent.service: Failed with result 'exit-code'.
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: Failed to start agent.service.
```
Once the `docker` section is removed, the image is pulled and the deployment continues.
- clones: OCPBUGS-10421 RHCOS 4.13 live iso x84_64 contains restrictive policy.json (Closed)
- duplicates: ACM-21766 Assisted agent can not pull image b/c of image policy in core OS (Closed)
- is cloned by: OCPBUGS-55973 Interaction between RHEL and OCP image policy opinions (ASSIGNED)
- is depended on by: ACM-21766 Assisted agent can not pull image b/c of image policy in core OS (Closed)
- is duplicated by: OCPBUGS-55474 RHCOS 4.19 live iso x84_64 contains restrictive policy.json (Closed)
- relates to: ACM-21309 Nightly images should be signed or served from other registry (Resolved)