Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-62122

CatalogSource pod for AirGapped operator index fails with permission denied on <olm_operator>-operator/catalog.json

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

       

      Summary
      CatalogSource pod for mirrored operator index fails with permission denied on <olm_operator>-operator/catalog.json

      Description
      When deploying a CatalogSource using a mirrored operator index image in a disconnected OpenShift environment, the CatalogSource pod fails to start. The pod exits with exitCode: 1, and the logs show that opm is unable to load or rebuild its cache due to a permission denied error when accessing cephcsi-operator/catalog.json.

      This prevents OLM from serving the catalog and blocks operator installation.

      Steps to Reproduce

      1. Use the `oc-mirrorv4.20.0-rc.{0..2}`
      2. Mirror operator index image (prega/prega-operator-index:v4.20) into a private registry.
      1. Create a CatalogSource pointing to the mirrored index image.
      1. Observe the CatalogSource pod logs.

      Actual Results
      Pod repeatedly crashes with error:

      {{}}

      time="2025-09-23T15:05:45Z" level=fatal msg="failed to load or rebuild cache: failed to rebuild cache: open <olm_operator>-operator/catalog.json: permission denied"

      {{}}

      Pod status example:

      lastState: terminated: exitCode: 1 message: | ... failed to load or rebuild cache: open <olm_operator>-operator/catalog.json: permission denied

      Expected Results
      CatalogSource pod should successfully load/rebuild its cache and serve the mirrored operator catalog.

      Additional Information

      • OpenShift version: v4.20.0-rc.{0..2}
      • Operator index image: registry.offline.redhat.lan:5000/redhat/redhat-operator-index:v4.20
      • Environment: Disconnected / air-gapped cluster

      Workarounds

      • Manually adjust file permissions for catalog configs (ensure catalog.json and parent directories are world-readable).
      • Rebuild / re-mirror the index image ensuring proper permissions.
      • Apply fsGroup in pod security context so non-root container user can read configs.
      • There is a WA available in [1][2] and [3] , but my BUG advocates to preserve the 4.16 or 4.18 oc-mirror behaviour, and try to enhance the user-experience of the end-user since our partners and customers rely on this tool.

      [1]: https://access.redhat.com/solutions/7049642

      [2]: https://access.redhat.com/solutions/7113459

      [3]: https://access.redhat.com/solutions/7041232 

      Impact

      • OLM unable to install operators from mirrored index
      • Blocks deployment and other operators in disconnected environments

       

              rh-ee-aguidi Alex Guidi
              midu@redhat.com Mihai IDU
              None
              Federico Ferrando
              Nidan Gavali Nidan Gavali
              None
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: