Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-5949

oc --icsp mapping scope does not match openshift icsp mapping scope

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 4.14.0
    • 4.11
    • oc
    • None
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required

    Description

      Description of problem:
      The oc client has recently had functionality added to reference an icsp manifest with a variety of commands (using the --icsp flag).

      The issue is that the registry/repo scope in an icsp required to trigger a mapping is different between ocp and oc. OCP icsp will match an image at the registry level, where the OC client requires exact registry + repo to match. This difference can cause major confusion (especially without adequate warning/error messages in the oc client).

      Example Image to mirror: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404o

      In OCP registry.mirrorregistry.com:5000/openshift-release-dev/ will accurately mirror the image

      But using OC with --icsp , quay.io/openshift-release-dev/ocp-v4.0-art-dev is required or or the mirroring will not match.

      Version-Release number of selected component (if applicable):{code:none}
      oc version
      Client Version: 4.11.0-202212070335.p0.g1928ac4.assembly.stream-1928ac4
      Kustomize Version: v4.5.4
      Server Version: 4.12.0-rc.8
      Kubernetes Version: v1.25.4+77bec7a
      
      
      
      

      How reproducible:

      100%
      
      

      Steps to Reproduce:
      1. Create an ICSP file with content similar to below (Replace with your mirror registry url)

      apiVersion: operator.openshift.io/v1alpha1
      kind: ImageContentSourcePolicy
      metadata:
        creationTimestamp: null
        name: image-policy
      spec:
        repositoryDigestMirrors:
        - mirrors:
          - registry.mirrorregistry.com:5005/openshift-release-dev
          source: quay.io/openshift-release-dev
      

      2. Add the ICSP to a bm openshift cluster and wait for MCP to finish node restarts
      3. SSH to a cluster node
      4. Try to podman pull the following image with debug log level

      podman pull --log-level=debug quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404
      

      5. The log will show the mirror registry is attempted (Which is similar behavior to OCP)
      6. Now try to extract a the payload image from the release using oc client and --icsp flag (ICSP file should be the same manifest uses at step 1)

      oc adm release extract --command=openshift-baremetal-install --to=/data/install-config-generate/installercache/registry.mirrorregistry.com:5005/openshift-release-dev/ocp-release:4.12.0-rc.8-x86_64 --insecure=false --icsp-file=/tmp/icsp-file1635083302 registry.mirrorregistry.com:5005/openshift-release-dev/ocp-release:4.12.0-rc.8-x86_64 --registry-config=/tmp/registry-config1265925963
      

      Expected results:
      openshift-baremetal-install is extracted to the proper directory using the mirrored payload image

      Actual result:
      oc client does not match the payload image because the icsp is not exact, so it immediately tries quay.io rather than the mirror registry

      ited with non-zero exit code 1: \nwarning: --icsp-file only applies to images referenced by digest and will be ignored for tags\nerror: unable to read image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1631b0f0bf9c6dc4f9519ceb06b6ec9277f53f4599853fcfad3b3a47d2afd404: Get \"https://quay.io/v2/\": dial tcp 52.203.129.140:443: i/o timeout\n" func=github.com/openshift/assisted-service/internal/oc.execute file="/remote-source/assisted-service/app/internal/oc/release.go:404" go-id=26228 request_id=
      

      Additional info:

      I understand that oc-mirror or oc adm release mirror provides an icsp manifest to use, but as OCP itself allows for a wider scope for mapping, it can cause great confusion that oc icsp scope is not in parity. 
      
      At the very least a warning/error message in the oc client when the icsp partially matches an image (but is not used) would be VERY useful. 
      

      Attachments

        Activity

          People

            aguclu@redhat.com Arda Guclu
            chadcrum Chad Crum
            ying zhou ying zhou
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: