-
Bug
-
Resolution: Cannot Reproduce
-
Normal
-
None
-
4.20
-
Quality / Stability / Reliability
-
False
-
-
None
-
Moderate
-
None
-
x86_64
-
QA
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
ImageTagMirrorSets are not working with crictl
Version-Release number of selected component (if applicable):
ocp-4.20-ec.3
How reproducible:
Always
Steps to Reproduce:
1.Deploy OCP 4.10-ec.3 in a disconnected env
2.Apply ITMS for images available in a local registry by tag
3.Deploy a pod that that has as pullspec a public image.
The pod fails trying to pull the image from the source registry
Actual results:
The pod fails trying to pull the image from the source registry Warning Failed 82m kubelet Failed to pull image "registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0": unable to try pulling possible OCI artifact: get manifest: build image source: pinging container registry registry.redhat.io: Get "https://registry.redhat.io/v2/": dial tcp 52.203.147.28:443: i/o timeout Warning Failed 81m kubelet Failed to pull image "registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0": rpc error: code = DeadlineExceeded desc = unable to try pulling possible OCI artifact: get manifest: build image source: pinging container registry registry.redhat.io: Get "https://registry.redhat.io/v2/": dial tcp 52.86.195.215:443: i/o timeout * Pulling using podman works using the source and mirror addresses * Pulling using criclt pull works only from the mirror address Error pulling with criclt: unable to try pulling possible OCI artifact: get manifest: build image source: pinging container registry registry.redhat.io: Get \"https://registry.redhat.io/v2/\": dial tcp 34.232.174.208:443: i/o timeout" image="registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0
Expected results:
The image should be pulled from the mirror.
Additional info: $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.20.0-0.nightly-2025-07-07-234740 True False 13h Cluster version is 4.20.0-0.nightly-2025-07-07-23474 $ oc get itms gitops-images -o yaml apiVersion: config.openshift.io/v1 kind: ImageTagMirrorSet metadata: creationTimestamp: "2025-07-10T10:57:40Z" generation: 1 name: gitops-images resourceVersion: "141753" uid: 5eb5104b-7e68-4071-bef3-088624c211b7 spec: imageTagMirrors: - mirrors: - registry.lab:4443/openshift4/ztp-site-generate-rhel8 source: registry.redhat.io/openshift4/ztp-site-generate-rhel8 - mirrors: - registry.lab:4443/rhacm2/multicluster-operators-subscription-rhel9 source: registry.redhat.io/rhacm2/multicluster-operators-subscription-rhel9 $ oc debug node/worker-2 -- chroot /host bash -c 'crictl pull registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0' Temporary namespace openshift-debug-ffvnf is created for debugging node... Starting pod/worker-2-debug-rkvqc ... To use host binaries, run `chroot /host` E0710 22:52:54.508904 748949 log.go:32] "PullImage from image service failed" err="rpc error: code = DeadlineExceeded desc = unable to try pulling possible OCI artifact: get manifest: build image source: pinging container registry registry.redhat.io: Get \"https://registry.redhat.io/v2/\": dial tcp 34.232.174.208:443: i/o timeout" image="registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0" time="2025-07-10T22:52:54Z" level=fatal msg="pulling image: rpc error: code = DeadlineExceeded desc = unable to try pulling possible OCI artifact: get manifest: build image source: pinging container registry registry.redhat.io: Get \"https://registry.redhat.io/v2/\": dial tcp 34.232.174.208:443: i/o timeout" $ oc debug node/worker-2 -- chroot /host bash -c 'crictl pull registry.lab:4443/openshift4/ztp-site-generate-rhel8:v4.19.0' Temporary namespace openshift-debug-mtdx5 is created for debugging node... Starting pod/worker-2-debug-ggnkz ... To use host binaries, run `chroot /host` Image is up to date for registry.lab:4443/openshift4/ztp-site-generate-rhel8@sha256:6cb2b71146fa350ea373bd1e53618faa2074095820d74950e53d66723e3ee4c8 $ oc debug node/worker-2 -- chroot /host bash -c 'podman pull registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0' Temporary namespace openshift-debug-5glhw is created for debugging node... Starting pod/worker-2-debug-vbz4j ... To use host binaries, run `chroot /host` Trying to pull registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.19.0... Getting image source signatures Copying blob sha256:29259b1b01b678915c12a0d89e8f8f792ad9b6f150bb5f9cee56015b7b18e301 Copying blob sha256:d1ef09bd6ce657e3db9e74720a2d40cf194c833003675db6d7fd591afd0640c0 Copying config sha256:1b7794b9d1c969e5205daecb11a454950cc752e0580b5335da0eb23cafb201d5 Writing manifest to image destination 1b7794b9d1c969e5205daecb11a454950cc752e0580b5335da0eb23cafb201d5 $ oc debug node/worker-2 -- chroot /host bash -c 'podman pull registry.lab:4443/openshift4/ztp-site-generate-rhel8:v4.19.0' Temporary namespace openshift-debug-wprs9 is created for debugging node... Starting pod/worker-2-debug-vzwll ... To use host binaries, run `chroot /host` Trying to pull registry.lab:4443/openshift4/ztp-site-generate-rhel8:v4.19.0... Getting image source signatures Copying blob sha256:29259b1b01b678915c12a0d89e8f8f792ad9b6f150bb5f9cee56015b7b18e301 Copying blob sha256:d1ef09bd6ce657e3db9e74720a2d40cf194c833003675db6d7fd591afd0640c0 Copying config sha256:1b7794b9d1c969e5205daecb11a454950cc752e0580b5335da0eb23cafb201d5 Writing manifest to image destination 1b7794b9d1c969e5205daecb11a454950cc752e0580b5335da0eb23cafb201d5 $ oc debug node/worker-2 -- chroot /host bash -c 'grep -A4 -B2 ztp-site-generate /etc/containers/registries.conf' Temporary namespace openshift-debug-bzl8l is created for debugging node... Starting pod/worker-2-debug-7j2sr ... To use host binaries, run `chroot /host` [[registry]] prefix = "" location = "registry.redhat.io/openshift4/ztp-site-generate-rhel8" [[registry.mirror]] location = "registry.lab:4443/openshift4/ztp-site-generate-rhel8" pull-from-mirror = "tag-only"