Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-34807

Cannot build ISOs from a GPG/simple signed container

    • None
    • Critical
    • sst_image_builder
    • ssg_front_door
    • None
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • None
    • None
    • Known Issue
    • Hide
      .Unable to build ISOs from a signed container

      Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:

      ----
      manifest - failed
      Failed
      Error: cannot run osbuild: running osbuild failed: exit status 1
      2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1
      ----

      This happens because the system fails to get the image source signatures. To workaround this issue, you can either remove the signature from the container image or build a derived container image. For example, to remove the signature, you can run the following command:

      ----
       $ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4
      $ sudo podman run \
             --rm \
             -it \
             --privileged \
             --pull=newer \
             --security-opt label=type:unconfined_t \
             -v /var/lib/containers/storage:/var/lib/containers/storage \
             -v ~/images/iso:/output \
             quay.io/centos-bootc/bootc-image-builder \
             --type iso --local \
             registry.redhat.io/rhel9-beta/rhel-bootc:9.4
      ----

      To build a derived container image, and avoid adding a simple GPG signatures to it, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/building_running_and_managing_containers/assembly_signing-container-images_building-running-and-managing-containers[Signing container images] product documentation.
      Show
      .Unable to build ISOs from a signed container Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following: ---- manifest - failed Failed Error: cannot run osbuild: running osbuild failed: exit status 1 2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1 ---- This happens because the system fails to get the image source signatures. To workaround this issue, you can either remove the signature from the container image or build a derived container image. For example, to remove the signature, you can run the following command: ----  $ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 $ sudo podman run \        --rm \        -it \        --privileged \        --pull=newer \        --security-opt label=type:unconfined_t \        -v /var/lib/containers/storage:/var/lib/containers/storage \        -v ~/images/iso:/output \        quay.io/centos-bootc/bootc-image-builder \        --type iso --local \        registry.redhat.io/rhel9-beta/rhel-bootc:9.4 ---- To build a derived container image, and avoid adding a simple GPG signatures to it, see the link: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/building_running_and_managing_containers/assembly_signing-container-images_building-running-and-managing-containers [Signing container images] product documentation.
    • Done
    • None

      What were you trying to do that didn't work?

      sudo podman run --rm -i --privileged --pull=newer --security-opt label=type:unconfined_t -v /var/lib/containers/storage:/var/lib/containers/storage quay.io/centos-bootc/bootc-image-builder:latest --type anaconda-iso --local registry.redhat.io/rhel9-beta/rhel-bootc:9.4 

      Actual results

      copying '/run/osbuild/inputs/root-tree/EFI' -> '/run/osbuild/tree/.'
      
      ⏱  Duration: 0s
      org.osbuild.mkdir: 4731fad3210461f62fc509bf5e0b1e6ab14b8733499daf7a4ccf73e0bc459fa3 {
        "paths": [
          {
            "path": "/container"
          }
        ]
      }
      
      ⏱  Duration: 0s
      org.osbuild.skopeo: 7a4bb4465cd7bdb793e7674059b3eb28740ce663288a6e8f2cec94ec263cf2b5 {
        "destination": {
          "type": "oci",
          "path": "/container"
        }
      }
      Getting image source signatures
      Checking if image destination supports signatures
      time="2024-04-23T10:56:46Z" level=fatal msg="Can not copy signatures to oci:/run/osbuild/tree/container:: Pushing signatures for OCI images is not supported"
      Traceback (most recent call last):
        File "/run/osbuild/bin/org.osbuild.skopeo", line 45, in <module>
          r = main(args["inputs"], args["tree"], args["options"])
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/run/osbuild/bin/org.osbuild.skopeo", line 28, in main
          subprocess.run(["skopeo", "copy", image_source, dest], check=True)
        File "/usr/lib64/python3.12/subprocess.py", line 571, in run
          raise CalledProcessError(retcode, process.args,
      subprocess.CalledProcessError: Command '['skopeo', 'copy', 'containers-storage:[overlay@/run/osbuild/containers/storage+/run/containers/storage]f0c6094df5b84d59e039fe661914a4760c21933a167c4ebd5a0d43fcc83f9b3a', 'oci:/run/osbuild/tree/container']' returned non-zero exit status 1.
      
      ⏱  Duration: 0s
      manifest - failed
      Failed
      Error: cannot run osbuild: running osbuild failed: exit status 1
      2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1 

      Workaround

      Remove the signature from the container image:

      $ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4
      $ sudo podman run \
             --rm \
             -it \
             --privileged \
             --pull=newer \
             --security-opt label=type:unconfined_t \
             -v /var/lib/containers/storage:/var/lib/containers/storage \
             -v ~/images/iso:/output \
             quay.io/centos-bootc/bootc-image-builder \
             --type iso --local \
             registry.redhat.io/rhel9-beta/rhel-bootc:9.4

            osbuilders Osbuilders Bot Account
            obudai@redhat.com Ondrej Budai
            Osbuilders Bot Account Osbuilders Bot Account
            Release Test Team Release Test Team
            Eliane Pereira Eliane Pereira
            Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated: