Bug 1557607
Summary: | [3.7] oc adm migrate storage produces error as signature annotations forbidden | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> | |
Component: | ImageStreams | Assignee: | Michal Minar <miminar> | |
Status: | CLOSED ERRATA | QA Contact: | Dongbo Yan <dyan> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 3.7.0 | CC: | aos-bugs, bparees, jokerman, miminar, mkhan, mmccomas, rbost, sdodson, snalawad, tibrahim | |
Target Milestone: | --- | |||
Target Release: | 3.7.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause: Image validation used to validate the old image object, and the image signature import controller used to generate such an image.
Consequence: Invalid images were pushed to etcd.
Fix: Validation has been changed to validate new image object. Logic to fix some invalid images has been introduced. Controller no longer generates invalid images.
Result: It's no longer possible to upload an invalid image object.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1559982 1559991 1559994 1559997 1560311 | Environment: | ||
Last Closed: | 2018-04-05 09:40:50 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1559982, 1559991, 1559994, 1559997, 1560311 |
Description
Kenjiro Nakayama
2018-03-17 04:09:28 UTC
OSE 3.7 PR: https://github.com/openshift/ose/pull/1154

Test with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Reproduce steps:

1. Build an image, get the image digest id

$ oc get images

2. Create image signature for this image

$ cat <<EOF | oc create -f -
{
  "kind": "ImageSignature",
  "schemaVersion": 2,
  "type": "AtomicImageV1",
  "metadata": {
    "annotations": { "image.openshift.io/managed-signature": "true"},
    "name": "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23"},
  "content": "owGbw......"
}
EOF

3. Migrate image

$ oc adm migrate storage --include=images --confirm

Result:
fail in step2

# oc create -f sig.json
The ImageSignature "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23" is invalid: metadata.annotations: Forbidden: signature annotations cannot be set

Could you help give some suggestions how to add an annotation into imageSignature? Thanks

You're trying to create ImageSignature kind which is not a native resource. It exists and can be modified only on image object. You can either

a) create a new image with the signature attached
b) add a signature to an existing image

Since b) is more complex than a), let me just describe the a):

- save the image object from comment 1 into img.yaml
- import it with oc create -f img.yaml

However, if you test just with the latest oc server version, the annotation gets dropped before the image is saved into etcd. If you want to test the migration command with the annotation set on the image/signature, you'll have to:

1. launch an older version of OCP master (without the patch)
2. create an image **without** the signature
3. do b) from above:
   - add the "signatures: ..." part with the annotation using oc edit image sha256:...
4. tear down the OCP master while preserving etcd and configuration
5. launch a new version of OCP master (with the patch)
6. continue with the migration ...

The b) is necessary here because the api refuses the annotation just on Create(image), not on Update(image) - only this way can the annotation be propagated.

Hope it helps.

Michal Minar, thanks. Tried with a) and b), do not reproduce error with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

move to verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0636

*** Bug 1585876 has been marked as a duplicate of this bug. ***
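The cause and fix stated in the Doc Text, together with the comment that the annotation is dropped before the image is saved, can be modelled in a few lines of Go. This is an added illustration, not code from OpenShift or from this bug's patch; the types `Image` and `Signature` and the functions `Validate`, `UpdateBuggy`, `UpdateFixed` and `Annotated` are simplified assumptions, and the sample image is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the image API objects (assumed, not OpenShift's types).
type Signature struct {
	Name        string
	Annotations map[string]string
}
type Image struct{ Signatures []Signature }

var ErrForbidden = errors.New("metadata.annotations: Forbidden: signature annotations cannot be set")

// Validate rejects an image if any of its signatures carries annotations.
func Validate(img Image) error {
	for _, s := range img.Signatures {
		if len(s.Annotations) > 0 {
			return ErrForbidden
		}
	}
	return nil
}

// UpdateBuggy checks the stored object, so the incoming one is never validated.
func UpdateBuggy(newImg, oldImg Image) (Image, error) { return newImg, Validate(oldImg) }

// UpdateFixed drops signature annotations from the incoming object, then validates it.
func UpdateFixed(newImg, oldImg Image) (Image, error) {
	var out Image
	for _, s := range newImg.Signatures {
		out.Signatures = append(out.Signatures, Signature{Name: s.Name})
	}
	return out, Validate(out)
}

// Annotated returns a constructed image whose signature carries an annotation.
func Annotated() Image {
	ann := map[string]string{"image.openshift.io/managed-signature": "true"}
	return Image{Signatures: []Signature{{Name: "sha256:example@sig", Annotations: ann}}}
}

func main() {
	stored, err := UpdateBuggy(Annotated(), Image{})
	fmt.Println("buggy update:", err, "| strict check of what was stored:", Validate(stored))
	stored, err = UpdateFixed(stored, stored)
	fmt.Println("fixed rewrite:", err, "| annotations left:", len(stored.Signatures[0].Annotations))
}
```

In this model the object accepted by `UpdateBuggy` fails a strict check afterwards, while `UpdateFixed` rewrites the same stored object without error because the annotations are removed before validation.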