Bug 1450490

Summary: unable to 'atomic run' image if 'image:tag' format is not used
Product: Red Hat Enterprise Linux 7
Reporter: Micah Abbott <miabbott>
Component: atomic
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: ajia, bbaude, ddarrah, dwalsh, fkluknav
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-06-28 15:41:26 UTC
Type: Bug

Description Micah Abbott 2017-05-12 18:27:10 UTC
This is the downstream version of https://github.com/projectatomic/atomic/issues/995

We found this issue still exists in atomic-1.17.1-1.gitf304570.el7 on RHELAH 7.3.5


Below is the bulk of the text from the upstream issue, just for completeness' sake.



# ./atomic images list
   REPOSITORY                               TAG      IMAGE ID       CREATED            VIRTUAL SIZE   TYPE      
   registry.fedoraproject.org/f25/cockpit   latest   40aaf4b46bdb   2017-04-21 02:45   429.17 MB      docker    
   registry.fedoraproject.org/f25/etcd      latest   b0ea91d92c73   2017-05-04 14:57                  ostree    
   registry.fedoraproject.org/f25/flannel   latest   e78f6af84c12   2017-05-05 18:43                  ostree    

# ./atomic install registry.fedoraproject.org/f25/cockpit
/usr/bin/docker run --rm --privileged -v /:/host registry.fedoraproject.org/f25/cockpit /container/atomic-install
+ sed -e /pam_selinux/d -e /pam_sepermit/d /etc/pam.d/cockpit
+ mkdir -p /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chmod 755 /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chown root:root /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ mkdir -p /host/var/lib/cockpit
+ chmod 775 /host/var/lib/cockpit
+ chown root:wheel /host/var/lib/cockpit
+ mkdir -p /etc/ssh
+ /bin/mount --bind /host/etc/cockpit /etc/cockpit
+ /usr/sbin/remotectl certificate --ensure

# ./atomic run registry.fedoraproject.org/f25/cockpit
The image 'cockpit' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.

# ./atomic --debug run registry.fedoraproject.org/f25/cockpit
The image 'cockpit' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.
Traceback (most recent call last):
  File "./atomic", line 203, in <module>
    sys.exit(_func())
  File "/root/atomic/Atomic/run.py", line 120, in run
    return be.run(img_object, atomic=self, args=self.args)
  File "/root/atomic/Atomic/backends/_docker.py", line 543, in run
    "error.".format(iobject.name or iobject.image))
ValueError: The image 'cockpit' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.

# git rev-parse HEAD
a6d74441ad9980993af4b7168f8dd06632977a5d

Comment 3 Daniel Walsh 2017-05-13 09:37:19 UTC
Fixed in atomic-1.17.2-1.git77ef28f.el7.src.rpm

Comment 5 Alex Jia 2017-06-19 03:24:06 UTC
It works well in atomic-1.17.2-1.git77ef28f.el7.x86_64.rpm and atomic-1.17.2-8.git2760e30.el7.x86_64 w/ skopeo-0.1.20-2.el7.x86_64.

[root@dell-per630-02 ~]# atomic --debug install registry.access.redhat.com/rhel7/cockpit-ws
Namespace(_class=<class 'Atomic.install.Install'>, args=[], assumeyes=False, debug=True, display=False, func='install', ignore=False, image='registry.access.redhat.com/rhel7/cockpit-ws', name=None, opt1=None, opt2=None, opt3=None, profile=False, remote=None, setvalues=None, storage=None, system=False, system_package='auto', user=False)
/usr/bin/docker run --rm --privileged -v /:/host registry.access.redhat.com/rhel7/cockpit-ws /container/atomic-install
+ sed -e /pam_selinux/d -e /pam_sepermit/d /etc/pam.d/cockpit
+ mkdir -p /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chmod 755 /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chown root:root /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ mkdir -p /host/var/lib/cockpit
+ chmod 775 /host/var/lib/cockpit
+ chown root:wheel /host/var/lib/cockpit
+ mkdir -p /etc/ssh
+ /bin/mount --bind /host/etc/cockpit /etc/cockpit
+ /usr/sbin/remotectl certificate --ensure

[root@dell-per630-02 ~]# atomic --debug run registry.access.redhat.com/rhel7/cockpit-ws
/usr/bin/docker run -d --privileged --pid=host -v /:/host registry.access.redhat.com/rhel7/cockpit-ws /container/atomic-run --local-ssh

This container uses privileged security switches:

INFO: --pid=host 
      Processes in this container can see and interact with all processes on the host and disables SELinux within the container.

INFO: --privileged 
      This container runs without separation and should be considered the same as root on your system.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

[root@dell-per630-02 ~]# atomic containers list
   CONTAINER ID IMAGE                COMMAND              CREATED          STATE      BACKEND    RUNTIME   
   34d295b4b2e9 registry.access.redh /container/atomic-ru 2017-06-19 11:15 running    docker     docker

Comment 7 errata-xmlrpc 2017-06-28 15:41:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1627