Bug 1557607
| Summary: | [3.7] oc adm migrate storage produces error as signature annotations forbidden | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> | |
| Component: | ImageStreams | Assignee: | Michal Minar <miminar> | |
| Status: | CLOSED ERRATA | QA Contact: | Dongbo Yan <dyan> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 3.7.0 | CC: | aos-bugs, bparees, jokerman, miminar, mkhan, mmccomas, rbost, sdodson, snalawad, tibrahim | |
| Target Milestone: | --- | |||
| Target Release: | 3.7.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: Image validation used to validate the old image object, and the image signature import controller used to generate such an image.
Consequence: Invalid images were pushed to etcd.
Fix: Validation has been changed to validate the new image object. Logic to fix some invalid images has been introduced. The controller no longer generates invalid images.
Result: It's no longer possible to upload an invalid image object.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1559982 1559991 1559994 1559997 1560311 | Environment: | ||
| Last Closed: | 2018-04-05 09:40:50 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1559982, 1559991, 1559994, 1559997, 1560311 | |||
OSE 3.7 PR: https://github.com/openshift/ose/pull/1154

Test with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
Reproduce steps:
1. Build an image, get the image digest id
$ oc get images
2. Create image signature for this image
$ cat <<EOF |
{
"kind": "ImageSignature",
"schemaVersion": 2,
"type": "AtomicImageV1",
"metadata": {
"annotations": {
"image.openshift.io/managed-signature": "true"},
"name": "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23"},
"content": "owGbw......"
}
EOF
oc create -f -
3. Migrate image
$ oc adm migrate storage --include=images --confirm
Result:
Fail in step 2
# oc create -f sig.json
The ImageSignature "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23" is invalid: metadata.annotations: Forbidden: signature annotations cannot be set
Could you help give some suggestions on how to add an annotation into imageSignature?
Thanks

You're trying to create the ImageSignature kind, which is not a native resource. It exists and can be modified only on an image object. You can either
a) create a new image with the signature attached
b) add a signature to an existing image

Since b) is more complex than a), let me just describe the a):
- save the image object from comment 1 into img.yaml
- import it with oc create -f img.yaml

However, if you test just with the latest oc server version, the annotation gets dropped before the image is saved into etcd. If you want to test the migration command with the annotation set on the image/signature, you'll have to:
1. launch an older version of OCP master (without the patch)
2. create an image **without** the signature
3. do b) from above:
   - add the "signatures: ..." part with the annotation using oc edit image sha256:...
4. tear down the OCP master while preserving etcd and configuration
5. launch a new version of OCP master (with the patch)
6. continue with the migration ...

The b) is necessary here because the API refuses the annotation just on Create(image), not on Update(image) - only this way can the annotation be propagated.
Hope it helps.

Michal Minar, thanks
try with a) and b), do not reproduce error with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8
move to verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0636

*** Bug 1585876 has been marked as a duplicate of this bug. ***

Description of problem:
- When we run oc adm migrate storage, we got following error.

# oc adm --config=/etc/origin/master/admin.kubeconfig migrate storage --include=* --confirm
E0315 10:11:30.026186 error: images/sha256:0270334c4d7adaa8a5dcd592cb219efd13b3c00631184b3a594b329dfd331eec: Image "sha256:0270334c4d7adaa8a5dcd592cb219efd13b3c00631184b3a594b329dfd331eec" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
E0315 10:11:30.057761 error: images/sha256:0677366367b1f1a736bdb50b926559c1bdeed02de1bce477f8fe7ed53336a572: Image "sha256:0677366367b1f1a736bdb50b926559c1bdeed02de1bce477f8fe7ed53336a572" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
E0315 10:11:30.156449 error: images/sha256:1104dcdacfa9c40222e9256029cafe0b084c8dcc911ab8e816c3f39bd5a4dad1: Image "sha256:1104dcdacfa9c40222e9256029cafe0b084c8dcc911ab8e816c3f39bd5a4dad1" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
E0315 10:11:30.275157 error: images/sha256:263c5a1107b6703b3db87f1cb7481a74aa7b7d1138a2da49cb692fa1ec05a42b: Image "sha256:263c5a1107b6703b3db87f1cb7481a74aa7b7d1138a2da49cb692fa1ec05a42b" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
...

- The image contains `image.openshift.io/managed-signature: "true"`

# oc get images
...
signatures:
- content: xxxxx
  metadata:
    annotations:
      image.openshift.io/managed-signature: "true"
    creationTimestamp: 2018-02-12T03:51:53Z
    name: sha256:xxxx
  type: AtomicImageV1

Version-Release number of selected component (if applicable):
- OCP 3.7

How reproducible: 100%

Steps to Reproduce:
1.

Actual results:
- Please refer to above error

Expected results:
- No error output.

Additional info:
- proposal patch: https://github.com/openshift/origin/pull/19011
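
An added example, not part of the bug report or of the OpenShift code: a read-only check that lists the images whose signatures carry annotations, the condition behind the `signatures[N].metadata.annotations: Forbidden` errors above. It assumes the list shape of `oc get images -o json` output (an object with `items`); the sample data and the function name `find_annotated_signatures` are constructed for illustration.

```python
import json

# Constructed sample shaped like `oc get images -o json` output (not real cluster data).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Image",
   "metadata": {"name": "sha256:aaaa"},
   "signatures": [
     {"type": "AtomicImageV1", "content": "xxxxx",
      "metadata": {"name": "sha256:aaaa@sig1",
                   "annotations": {"image.openshift.io/managed-signature": "true"}}}]},
  {"kind": "Image",
   "metadata": {"name": "sha256:bbbb"},
   "signatures": [
     {"type": "AtomicImageV1", "content": "yyyyy",
      "metadata": {"name": "sha256:bbbb@sig1"}}]},
  {"kind": "Image", "metadata": {"name": "sha256:cccc"}}
]}
""")


def find_annotated_signatures(image_list):
    """Return (image name, field path, annotation keys) for every signature
    that carries annotations, which is what the validation error rejects."""
    findings = []
    for image in image_list.get("items", []):
        name = image.get("metadata", {}).get("name", "<unnamed>")
        # `signatures` is absent on unsigned images and may be null.
        for idx, sig in enumerate(image.get("signatures") or []):
            annotations = (sig.get("metadata") or {}).get("annotations") or {}
            if annotations:
                # Same field path format as the error message in the report.
                path = "signatures[%d].metadata.annotations" % idx
                findings.append((name, path, sorted(annotations)))
    return findings


if __name__ == "__main__":
    import sys
    # With a file argument, read saved `oc get images -o json` output instead
    # of the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, path, keys in find_annotated_signatures(data):
        print("images/%s: %s set: %s" % (name, path, ", ".join(keys)))
```

Running it against saved output before `oc adm migrate storage --include=images` shows which image objects would fail validation on a master without the fix.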