Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-588

minVersion in ImageSetConfiguration seems to be ignored as older images are also pulled

XMLWordPrintable

    • None
    • CFE Sprint 233, CFE Sprint 234, CFE Sprint 235
    • 3
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      This fix addresses the minVersion (in the ImageSetConfig) that is not filtered properly, i.e it filters on minVersion lower than that set in the ImageSetConfig field.
      The fix ensures that the minVersion is respected and that only versions equal or greater than the set minVersion are included
      Show
      This fix addresses the minVersion (in the ImageSetConfig) that is not filtered properly, i.e it filters on minVersion lower than that set in the ImageSetConfig field. The fix ensures that the minVersion is respected and that only versions equal or greater than the set minVersion are included

      Description of problem:
      Older images are pulled even when using minVersion in ImageSetConfiguration.

      Version-Release number of selected component (if applicable):
      oc mirror version
      Client Version: version.Info

      {Major:"", Minor:"", GitVersion:"4.11.0-202208031306.p0.g3c1c80c.assembly.stream-3c1c80c", GitCommit:"3c1c80ca6a5a22b5826c88897e7a9e5acd7c1a96", GitTreeState:"clean", BuildDate:"2022-08-03T14:23:35Z", GoVersion:"go1.18.4", Compiler:"gc", Platform:"linux/amd64"}

      How reproducible:
      Always

      Steps to Reproduce:
      1. get attached ImageSetConfiguration
      2. run 'oc mirror --config=./image-set.yaml docker://<yourRegistry> --continue-on-error'

      Actual results:
      Output contains a lot of 'unable to retrieve source image' errors for images which are older than defined in minVersion (those images are known to be missing, a goal was to use minVersion to filter out those older images to get rid of those errors but it's not working)

      Expected results:
      Those older images should not be included

      Additional info:
      image-set.yaml is attached
      Full output of 'oc mirror' attached
      There are more images failing but as an example:

      error: unable to retrieve source image registry.redhat.io/openshift-service-mesh/pilot-rhel8 manifest sha256:f7c468b5a35bfce54e53b4d8d00438f33a0861549697d14445eae52d8ead9a68: for image pulls. Use the equivalent V2 schema 2 manifest digest instead. For more information see https://access.redhat.com/articles/6138332

      This image is from version 1.0.11 but minVersion: '2.2.1-0' so it should not be included.
      Here is how I checked that image:

      podman inspect registry-proxy.engineering.redhat.com/rh-osbs/openshift-service-mesh-pilot-rhel8@sha256:f7c468b5a35bfce54e53b4d8d00438f33a0861549697d14445eae52d8ead9a68 | grep version
                "istio_version": "1.1.17",
                "version": "1.0.11"
            "istio_version": "1.1.17",
            "version": "1.0.11"

        1. image-set.yaml
          0.8 kB
          Filip Brychta
        2. mirror-log.txt
          229 kB
          Filip Brychta

            [OCPBUGS-588] minVersion in ImageSetConfiguration seems to be ignored as older images are also pulled

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: OpenShift Container Platform 4.14.0 bug fix and security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2023:5006

            Errata Tool added a comment - Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Important: OpenShift Container Platform 4.14.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:5006

            Filip Brychta added a comment -

            yinzhou@redhat.com luzuccar@redhat.com Hello, I would like to also test this. Do I need to use the latest nightly 4.14 build from https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.14/ or it will get to the latest OCP 4.13 too? Thank you.

            Filip Brychta added a comment - yinzhou@redhat.com luzuccar@redhat.com Hello, I would like to also test this. Do I need to use the latest nightly 4.14 build from https://mirror.openshift.com/pub/openshift-v4/clients/ocp-dev-preview/latest-4.14/ or it will get to the latest OCP 4.13 too? Thank you.

            Ying Zhou added a comment -

            Done pre-merge test , can't reproduce the issue with fixed pr: 

            cat config.yaml 
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  registry:
    imageURL: ec2-18-216-142-183.us-east-2.compute.amazonaws.com:5000/mirror/oc-mirror-metadata
    skipTLS: true
mirror:
  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.11
    packages:
    - name: servicemeshoperator
      channels:
      - name: stable
        minVersion: '2.3.1-0'
    - name: kiali-ossm
      channels:
      - name: stable
        minVersion: '1.57.5'
    - name: elasticsearch-operator
      channels:
      - name: stable
        minVersion: '5.7.0'
    - name: jaeger-product
      channels:
      - name: stable
        minVersion: '1.34.1-5'
  additionalImages:
  - name: registry.redhat.io/ubi8/ubi:latest
  helm: {}

./oc-mirror --config config.yaml docker://ec2-18-216-142-183.us-east-2.compute.amazonaws.com:5000 --dest-skip-tls
....
info: Mirroring completed in 12m53.88s (27.19MB/s)
Rendering catalog image "ec2-18-216-142-183.us-east-2.compute.amazonaws.com:5000/redhat/redhat-operator-index:v4.11" with file-based catalog 
Writing image mapping to oc-mirror-workspace/results-1686042611/mapping.txt
Writing CatalogSource manifests to oc-mirror-workspace/results-1686042611
Writing ICSP manifests to oc-mirror-workspace/results-1686042611

            Ying Zhou added a comment - Done pre-merge test , can't reproduce the issue with fixed pr: cat config.yaml kind: ImageSetConfiguration apiVersion: mirror.openshift.io/v1alpha2 storageConfig: registry: imageURL: ec2-18-216-142-183.us-east-2.compute.amazonaws.com:5000/mirror/oc-mirror-metadata skipTLS: true mirror: operators: - catalog: registry.redhat.io/redhat/redhat- operator -index:v4.11 packages: - name: servicemeshoperator channels: - name: stable minVersion: '2.3.1-0' - name: kiali-ossm channels: - name: stable minVersion: '1.57.5' - name: elasticsearch- operator channels: - name: stable minVersion: '5.7.0' - name: jaeger-product channels: - name: stable minVersion: '1.34.1-5' additionalImages: - name: registry.redhat.io/ubi8/ubi:latest helm: {} ./oc-mirror --config config.yaml docker: //ec2-18-216-142-183.us-east-2.compute.amazonaws.com:5000 --dest-skip-tls .... info: Mirroring completed in 12m53.88s (27.19MB/s) Rendering catalog image "ec2-18-216-142-183.us-east-2.compute.amazonaws.com:5000/redhat/redhat- operator -index:v4.11" with file-based catalog Writing image mapping to oc-mirror-workspace/results-1686042611/mapping.txt Writing CatalogSource manifests to oc-mirror-workspace/results-1686042611 Writing ICSP manifests to oc-mirror-workspace/results-1686042611

            Luigi Mario Zuccarelli added a comment -

            For reference isc used 

            kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
mirror:
  operators:
  - catalog: oci:///tmp/case60601
    packages:
    - name: servicemeshoperator
      channels:
      - name: stable
        minVersion: 2.3.1-0
        maxVersion: 2.3.2-0

            Command line used

            oc-mirror --config config-oci.yaml docker://yinzhou-177.mirror-registry.qe.gcp.devcluster.openshift.com:5000/ocit --dest-skip-tls --use-oci-feature

            Luigi Mario Zuccarelli added a comment - For reference isc used  kind: ImageSetConfiguration apiVersion: mirror.openshift.io/v1alpha2 mirror: operators: - catalog: oci: ///tmp/case60601 packages: - name: servicemeshoperator channels: - name: stable minVersion: 2.3.1-0 maxVersion: 2.3.2-0 Command line used oc-mirror --config config-oci.yaml docker: //yinzhou-177.mirror-registry.qe.gcp.devcluster.openshift.com:5000/ocit --dest-skip-tls --use-oci-feature

            Ying Zhou added a comment -

            For normal format I can't reproduce the issue with/without the pr;
            For OCI format , I could reproduce even with the fixed pr . but this only could reproduce with version like : 2.3.1-0 . for version 5.6.3 without -, minVersion and maxVersion works well.

            Ying Zhou added a comment - For normal format I can't reproduce the issue with/without the pr; For OCI format , I could reproduce even with the fixed pr . but this only could reproduce with version like : 2.3.1-0 . for version 5.6.3 without -, minVersion and maxVersion works well.

            Filip Brychta added a comment -

            Thank you for your update luzuccar@redhat.com If possible I would rather keep this one open as I believe there are people waiting for this so it will be easier for them to track the progress.

            When this is fixed (minVersion is working), we will suggest it as a workaround for https://issues.redhat.com/browse/OSSM-1759

            Filip Brychta added a comment - Thank you for your update luzuccar@redhat.com If possible I would rather keep this one open as I believe there are people waiting for this so it will be easier for them to track the progress. When this is fixed (minVersion is working), we will suggest it as a workaround for https://issues.redhat.com/browse/OSSM-1759

            Luigi Mario Zuccarelli added a comment -

            heheffne@redhat.com FYI

            Luigi Mario Zuccarelli added a comment - heheffne@redhat.com FYI

            Tomas Smetana added a comment -

            Rejecting as release blocker – we can fix oc-mirror anytime, it may never block an OCP release.

            Tomas Smetana added a comment - Rejecting as release blocker – we can fix oc-mirror anytime, it may never block an OCP release.

            To Hung Sze added a comment -

            This is blocking customers from using oc-mirror to workaround an issue mirroring images from production site.

            Please provide some guidance in when this can be fixed.
            Thanks.

             

            To Hung Sze added a comment - This is blocking customers from using oc-mirror to workaround an issue mirroring images from production site. Please provide some guidance in when this can be fixed. Thanks.  

            Filip Brychta added a comment -

            Any update on this? We would like to use this functionality as a workaround for customer escalated issue but it's not working for us.

            Filip Brychta added a comment - Any update on this? We would like to use this functionality as a workaround for customer escalated issue but it's not working for us.

              luzuccar@redhat.com Luigi Mario Zuccarelli
              fbrychta@redhat.com Filip Brychta
              Ying Zhou Ying Zhou
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: