Bug 1822750

Summary: Adding blockedRegistries to image.config.openshift.io leads to an endless reboot loop in workers and masters
Product: OpenShift Container Platform
Reporter: Urvashi Mohnani <umohnani>
Component: Node
Assignee: Ryan Phillips <rphillips>
Status: CLOSED ERRATA
QA Contact: MinLi <minmli>
Severity: urgent
Priority: urgent
Version: 4.3.0
CC: acomabon, amurdaca, aos-bugs, bchardim, farandac, fgrosjea, joboyer, jokerman, jparrill, openshift-bugs-escalate, rdiazgav, rphillips, rsandu, schoudha, skrenger, sreber, umohnani
Target Release: 4.3.z
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Clone Of: 1809007
Last Closed: 2020-05-11 21:20:39 UTC
Bug Depends On: 1822748

Comment 5 Antonio Murdaca 2020-04-27 15:20:48 UTC
*** Bug 1828300 has been marked as a duplicate of this bug. ***

Comment 6 MinLi 2020-05-06 08:40:24 UTC
Verified with version: 4.3.0-0.nightly-2020-05-04-051714

$ oc get machineconfig 
NAME                                                        GENERATEDBYCONTROLLER                      IGNITIONVERSION   CREATED
00-master                                                   860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
00-worker                                                   860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
01-master-container-runtime                                 860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
01-master-kubelet                                           860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
01-worker-container-runtime                                 860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
01-worker-kubelet                                           860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
99-master-0fd19308-91f9-495e-98a4-ef557d12358d-registries   860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
99-master-ssh                                                                                          2.2.0             173m
99-worker-16bd119c-9914-4cac-9d83-44c3a76894c2-registries   860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
99-worker-ssh                                                                                          2.2.0             173m
rendered-master-0ae3cbf100da68319871380a8f79a799            860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m
rendered-master-4324b96886c57b616e238da2653991f2            860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             4m56s
rendered-worker-0dc82ff4d8a5d941d3493cf301419a04            860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             4m56s
rendered-worker-7cd8cef65936aec1f42c88a172f66dc0            860382c905f4358418c6513a9ab55fdd6dcc4f2d   2.2.0             172m

$ oc get node 
NAME                                         STATUS   ROLES    AGE     VERSION
ip-10-0-129-14.us-east-2.compute.internal    Ready    worker   4h13m   v1.16.2
ip-10-0-134-228.us-east-2.compute.internal   Ready    master   4h21m   v1.16.2
ip-10-0-153-156.us-east-2.compute.internal   Ready    worker   4h13m   v1.16.2
ip-10-0-158-73.us-east-2.compute.internal    Ready    master   4h21m   v1.16.2
ip-10-0-160-176.us-east-2.compute.internal   Ready    worker   4h13m   v1.16.2
ip-10-0-165-140.us-east-2.compute.internal   Ready    master   4h21m   v1.16.2

$ oc debug node/ip-10-0-129-14.us-east-2.compute.internal
Starting pod/ip-10-0-129-14us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.129.14
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host 
sh-4.4#  cat /etc/containers/registries.conf 
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
  prefix = ""
  location = "untrusted.com"
  blocked = true

$ oc debug node/ip-10-0-134-228.us-east-2.compute.internal
Starting pod/ip-10-0-134-228us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.134.228
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host 
sh-4.4# cat /etc/containers/registries.conf                                   
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
  prefix = ""
  location = "untrusted.com"
  blocked = true

Comment 8 errata-xmlrpc 2020-05-11 21:20:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2006