-
Bug
-
Resolution: Unresolved
-
Critical
-
None
-
4.19, 4.20.0
-
Quality / Stability / Reliability
-
False
-
-
None
-
Important
-
Yes
-
None
-
None
-
Rejected
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
Starting April 10th, RHCOS 4.19 live iso (from 4.19 ocp installer reference) contains a restrictive */etc/containers/policy.json* that causes OCP clusters deployed by assisted service to fail in certain scenarios.
Version-Release number of selected component (if applicable):
Trying to deploy 4.19.0-ec4 Booted image information: NAME="Red Hat Enterprise Linux CoreOS" VERSION="9.6.20250321-0 (Plow)" ID="rhel" ID_LIKE="fedora" VERSION_ID="9.6" PLATFORM_ID="platform:el9" PRETTY_NAME="Red Hat Enterprise Linux CoreOS 9.6.20250321-0 (Plow)" ANSI_COLOR="0;31" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos" HOME_URL="https://www.redhat.com/" DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9" BUG_REPORT_URL="https://issues.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9" REDHAT_BUGZILLA_PRODUCT_VERSION=9.6 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="9.6" OSTREE_VERSION='9.6.20250321-0' VARIANT=CoreOS VARIANT_ID=coreos Red Hat Enterprise Linux release 9.6 (Plow) Red Hat Enterprise Linux release 9.6 (Plow)
How reproducible:
100%
Steps to Reproduce:
1. Run coreos image 2. cat /etc/containers/policy.json
Actual results:
[core@sno ~]$ cat /etc/containers/policy.json
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker": {
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}
Expected results:
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}
There was no change to the configuration and the deployment the day before (On April 9th completed successfully). The issue persists since then on every deployment attempt.
The issue itself is that with those records, agent image cannot be downloaded:
Apr 17 12:05:33 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: Starting agent.service...
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: Trying to pull registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea15594b21aa9...
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com podman[971303]: 2025-04-17 12:05:34.17935456 +0000 UTC m=+0.165353038 image pull-error registry.redhat.io/multicluster-engine/assisted-installer-agent-rhel9@sha256:49f93c9d88aac3a1a4bb9df2f46d52ea2581c05095a42b01993ea1559>
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: agent.service: Control process exited, code=exited, status=125/n/a
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: agent.service: Failed with result 'exit-code'.
Apr 17 12:05:34 sno.xr11.kni-qe-9.lab.eng.rdu2.redhat.com systemd[1]: Failed to start agent.service.
Once `docker` section is removed the image is pulled and the deployment continues.
- clones
-
-
- Closed
-
- duplicates
-
-
- Closed
-
- is cloned by
-
-
- ASSIGNED
-
- is depended on by
-
-
- Closed
-
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Resolved
-
- links to