Bug 1751258

Summary: Import by digest doesn't work for manifest lists
Product: OpenShift Container Platform
Reporter: Oleg Bulatov <obulatov>
Component: ImageStreams
Assignee: Ricardo Maraschini <rmarasch>
Status: CLOSED ERRATA
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Priority: unspecified
Version: 4.2.0
CC: adam.kaplan, aos-bugs, bparees, jokerman, jscholz, kliberti, wzheng
Target Milestone: ---
Keywords: Reopened
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Bad managing on conversion from manifest list to manifest.
Consequence: Imports using digests on manifest lists were not taking place.
Fix: We fixed the conversion by using the digest of the selected manifest inside the manifest list.
Result: Imports by digest of manifest lists now work as expected.
Clone Of:
: 1857128
Last Closed: 2020-10-27 15:54:19 UTC
Type: Bug
Bug Blocks: 1857128

Description Oleg Bulatov 2019-09-11 14:17:51 UTC
`oc import-image` cannot import images by manifest lists' digests.

Steps to reproduce:

$ oc tag docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 ubuntu:latest
Tag ubuntu:latest set to docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90.
562.95 ms
$ oc import-image ubuntu:latest
error: tag  failed: Internal error occurred: content integrity error: the schema 2 manifest retrieved with digest sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 does not match the digest calculated from the content sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0

Actual result:

content integrity error

Expected result:

The image is successfully imported.
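
An added example (not code from this bug report or from OpenShift) of the check described in the Doc Text: the manifest list body is verified against the requested digest, and the platform manifest selected from it is verified against the digest recorded for it inside the list, not against the requested one. The `sampleRegistry` store, the `resolve` function and the manifest bodies are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Only the fields needed here; encoding/json matches keys case-insensitively.
type manifestList struct {
	Manifests []struct {
		Digest   string
		Platform struct{ Architecture, OS string }
	}
}

func digestOf(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }

// sampleRegistry returns a constructed digest->body store and its list digest.
func sampleRegistry() (map[string][]byte, string) {
	child := []byte(`{"schemaVersion":2,"layers":[]}`)
	list := []byte(`{"manifests":[{"digest":"` + digestOf(child) +
		`","platform":{"architecture":"amd64","os":"linux"}}]}`)
	return map[string][]byte{digestOf(child): child, digestOf(list): list}, digestOf(list)
}

// resolve returns the digest of the platform manifest behind a by-digest reference.
func resolve(store map[string][]byte, requested, arch, osName string) (string, error) {
	var list manifestList
	if body := store[requested]; digestOf(body) != requested {
		return "", fmt.Errorf("content integrity error: manifest list")
	} else if err := json.Unmarshal(body, &list); err != nil {
		return "", err
	}
	for _, m := range list.Manifests {
		if m.Platform.Architecture == arch && m.Platform.OS == osName {
			// Compare with the entry's own digest, not with `requested`.
			if digestOf(store[m.Digest]) != m.Digest {
				return "", fmt.Errorf("content integrity error: platform manifest")
			}
			return m.Digest, nil
		}
	}
	return "", fmt.Errorf("no manifest for %s/%s", osName, arch)
}

func main() {
	store, listDigest := sampleRegistry()
	fmt.Println(resolve(store, listDigest, "amd64", "linux"))
}
```

Comparing the selected manifest's content against the requested list digest can never match, which is the mismatch reported in the error above.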

Comment 1 Adam Kaplan 2020-04-17 13:20:13 UTC
Closing this bug due to current engineering priorities, severity, availability of suitable workarounds and lack of customer cases. If this should be addressed, please reopen and provide additional details.

Comment 2 Ben Parees 2020-05-20 15:57:27 UTC
This needs to be fixed, see https://projects.engineering.redhat.com/browse/CLOUDBLD-1167 for the motivation.

tldr: OLM operators use digests for everything, and they use manifestlists to support multiarch, so they definitely use manifestlist by digest/sha references. They may not always use imagestreams today, but clearly at least one of them does and with all these manifestlist sha references floating around I'd expect this to become a common issue.

Comment 8 Wenjing Zheng 2020-07-17 07:37:53 UTC
Verified on the below version:
$ oc version
Client Version: 4.6.0-0.nightly-2020-07-14-035247
Server Version: 4.6.0-0.nightly-2020-07-16-211200
Kubernetes Version: v1.18.3+ada98f4

$ oc tag docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 ubuntu:latest
Tag ubuntu:latest set to docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90.
$ oc import-image ubuntu:latest
imagestream.image.openshift.io/ubuntu imported

Name:			ubuntu
Namespace:		wzheng1
Created:		9 seconds ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2020-07-17T07:35:12Z
Image Repository:	image-registry.openshift-image-registry.svc:5000/wzheng1/ubuntu
Image Lookup:		local=false
Unique Images:		1
Tags:			1

latest
  tagged from docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90

  * docker.io/library/ubuntu@sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0
      9 seconds ago

Image Name:	ubuntu:latest
Docker Image:	docker.io/library/ubuntu@sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0
Name:		sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0
Created:	Less than a second ago
Annotations:	image.openshift.io/dockerLayersOrder=ascending
Image Size:	26.73MB in 4 layers
Layers:		26.69MB	sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a
		35.37kB	sha256:251f5509d51d9e4119d4ffb70d4820f8e2d7dc72ad15df3ebd7cd755539e40fd
		848B	sha256:8e829fe70a46e3ac4334823560e98b257234c23629f19f05460e21a453091e6d
		162B	sha256:6001e1789921cf851f6fb2e5fe05be70f482fe9c2286f66892fe5a3bc404569c
Image Created:	11 months ago
Author:		<none>
Arch:		amd64
Command:	/bin/bash
Working Dir:	<none>
User:		<none>
Exposes Ports:	<none>
Docker Labels:	<none>
Environment:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Comment 9 kliberti 2020-08-07 17:49:27 UTC
Can this fix be backported to the other supported versions of OCP (e.g. 3.11+) as well? Otherwise products that need this fix may need to drop support for older supported versions of OCP!

Comment 10 kliberti 2020-08-07 18:44:34 UTC
This fix would be especially helpful for OCP 4+ where OperatorHub is supported since many products use manifest lists in their OLM files to identify specific image builds.

Comment 11 Oleg Bulatov 2020-09-24 12:06:20 UTC
It is backported to 4.5.5, we also will backport it to 4.4. It's unlikely that we'll be able to backport it to 4.3 before its EOL.

Comment 13 errata-xmlrpc 2020-10-27 15:54:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196