Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-34807

Cannot build ISOs from a GPG/simple signed container

XMLWordPrintable

    • None
    • Critical
    • sst_image_builder
    • ssg_front_door
    • None
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • None
    • None
    • Known Issue
    • Hide
      .Unable to build ISOs from a signed container

      Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following:

      ----
      manifest - failed
      Failed
      Error: cannot run osbuild: running osbuild failed: exit status 1
      2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1
      ----

      This happens because the system fails to get the image source signatures. To workaround this issue, you can either remove the signature from the container image or build a derived container image. For example, to remove the signature, you can run the following command:

      ----
       $ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4
      $ sudo podman run \
             --rm \
             -it \
             --privileged \
             --pull=newer \
             --security-opt label=type:unconfined_t \
             -v /var/lib/containers/storage:/var/lib/containers/storage \
             -v ~/images/iso:/output \
             quay.io/centos-bootc/bootc-image-builder \
             --type iso --local \
             registry.redhat.io/rhel9-beta/rhel-bootc:9.4
      ----

      To build a derived container image, and avoid adding a simple GPG signatures to it, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/building_running_and_managing_containers/assembly_signing-container-images_building-running-and-managing-containers[Signing container images] product documentation.
      Show
      .Unable to build ISOs from a signed container Trying to build an ISO disk image from a GPG or a simple signed container results in an error, similar to the following: ---- manifest - failed Failed Error: cannot run osbuild: running osbuild failed: exit status 1 2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1 ---- This happens because the system fails to get the image source signatures. To workaround this issue, you can either remove the signature from the container image or build a derived container image. For example, to remove the signature, you can run the following command: ----  $ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 $ sudo podman run \        --rm \        -it \        --privileged \        --pull=newer \        --security-opt label=type:unconfined_t \        -v /var/lib/containers/storage:/var/lib/containers/storage \        -v ~/images/iso:/output \        quay.io/centos-bootc/bootc-image-builder \        --type iso --local \        registry.redhat.io/rhel9-beta/rhel-bootc:9.4 ---- To build a derived container image, and avoid adding a simple GPG signatures to it, see the link: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/building_running_and_managing_containers/assembly_signing-container-images_building-running-and-managing-containers [Signing container images] product documentation.
    • Done
    • None

      What were you trying to do that didn't work?

      sudo podman run --rm -i --privileged --pull=newer --security-opt label=type:unconfined_t -v /var/lib/containers/storage:/var/lib/containers/storage quay.io/centos-bootc/bootc-image-builder:latest --type anaconda-iso --local registry.redhat.io/rhel9-beta/rhel-bootc:9.4

      Actual results

      copying '/run/osbuild/inputs/root-tree/EFI' -> '/run/osbuild/tree/.'

⏱  Duration: 0s
org.osbuild.mkdir: 4731fad3210461f62fc509bf5e0b1e6ab14b8733499daf7a4ccf73e0bc459fa3 {
  "paths": [
    {
      "path": "/container"
    }
  ]
}

⏱  Duration: 0s
org.osbuild.skopeo: 7a4bb4465cd7bdb793e7674059b3eb28740ce663288a6e8f2cec94ec263cf2b5 {
  "destination": {
    "type": "oci",
    "path": "/container"
  }
}
Getting image source signatures
Checking if image destination supports signatures
time="2024-04-23T10:56:46Z" level=fatal msg="Can not copy signatures to oci:/run/osbuild/tree/container:: Pushing signatures for OCI images is not supported"
Traceback (most recent call last):
  File "/run/osbuild/bin/org.osbuild.skopeo", line 45, in <module>
    r = main(args["inputs"], args["tree"], args["options"])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/run/osbuild/bin/org.osbuild.skopeo", line 28, in main
    subprocess.run(["skopeo", "copy", image_source, dest], check=True)
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['skopeo', 'copy', 'containers-storage:[overlay@/run/osbuild/containers/storage+/run/containers/storage]f0c6094df5b84d59e039fe661914a4760c21933a167c4ebd5a0d43fcc83f9b3a', 'oci:/run/osbuild/tree/container']' returned non-zero exit status 1.

⏱  Duration: 0s
manifest - failed
Failed
Error: cannot run osbuild: running osbuild failed: exit status 1
2024/04/23 10:56:48 error: cannot run osbuild: running osbuild failed: exit status 1

      Workaround

      Remove the signature from the container image:

      $ sudo skopeo copy --remove-signatures containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4 containers-storage:registry.redhat.io/rhel9-beta/rhel-bootc:9.4
$ sudo podman run \
       --rm \
       -it \
       --privileged \
       --pull=newer \
       --security-opt label=type:unconfined_t \
       -v /var/lib/containers/storage:/var/lib/containers/storage \
       -v ~/images/iso:/output \
       quay.io/centos-bootc/bootc-image-builder \
       --type iso --local \
       registry.redhat.io/rhel9-beta/rhel-bootc:9.4

            osbuilders Osbuilders Bot Account
            obudai@redhat.com Ondrej Budai
            Osbuilders Bot Account Osbuilders Bot Account
            Release Test Team Release Test Team
            Eliane Pereira Eliane Pereira
            Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated: