Bug 1861696
| Summary: | Docker library images can still be imported without docker.io prefix if docker.io is defined in blockedRegistries | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Wenjing Zheng <wzheng> |
| Component: | Image Registry | Assignee: | Ricardo Maraschini <rmarasch> |
| Status: | CLOSED ERRATA | QA Contact: | Wenjing Zheng <wzheng> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.6 | CC: | aos-bugs, obulatov, pasik |
| Target Milestone: | --- | ||
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 16:21:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Verified on 4.6.0-0.nightly-2020-08-17-184032:
$ oc import-image myimage4 --from=busybox --confirm=true
error: tag failed: forbidden: registry blocked
imagestream.image.openshift.io/myimage4 imported with errors
Name: myimage4
Namespace: wzheng1
Created: Less than a second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2020-08-18T09:51:37Z
Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/myimage4
Image Lookup: local=false
Unique Images: 0
Tags: 1
latest
tagged from busybox
! error: Import failed (Forbidden): forbidden: registry blocked
Less than a second ago
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 |
Description of problem: If define docker.io in images.config.openshift.io/cluster as below: spec: registrySources: blockedRegistries: - docker.io Library images can still be imported, but cannot with docker.io/library prefix: $ oc import-image myimage4 --from=busybox --confirm=true imagestream.image.openshift.io/myimage4 imported Name: myimage4 Namespace: wzheng1 Created: 1 second ago Labels: <none> Annotations: openshift.io/image.dockerRepositoryCheck=2020-07-29T09:32:45Z Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/myimage4 Image Lookup: local=false Unique Images: 1 Tags: 1 latest tagged from busybox * busybox@sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6 1 second ago Image Name: myimage4:latest Docker Image: busybox@sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6 Name: sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6 Created: 1 second ago Annotations: image.openshift.io/dockerLayersOrder=ascending Image Size: 765.3kB in 1 layers Layers: 763.8kB sha256:61c5ed1cbdf8e801f3b73d906c61261ad916b2532d6756e7c4fbcacb975299fb Image Created: 33 hours ago Author: <none> Arch: amd64 Command: sh Working Dir: <none> User: <none> Exposes Ports: <none> Docker Labels: <none> Environment: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin $ oc import-image myimage6 --from=docker.io/library/busybox --confirm=true error: tag failed: forbidden: registry docker.io blocked imagestream.image.openshift.io/myimage6 imported with errors Name: myimage6 Namespace: wzheng1 Created: Less than a second ago Labels: <none> Annotations: openshift.io/image.dockerRepositoryCheck=2020-07-29T09:36:06Z Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/myimage6 Image Lookup: local=false Unique Images: 0 Tags: 1 latest tagged from docker.io/library/busybox ! error: Import failed (Forbidden): forbidden: registry docker.io blocked Less than a second ago Version-Release number of selected component (if applicable): 4.6.0-0.nightly-2020-07-25-091217 How reproducible: Always Steps to Reproduce: 1.Define as below in images.config.openshift.io/cluster as below: spec: registrySources: blockedRegistries: - docker.io 2.After cluster finish restarting, import busybox image 3.Import image docker.io/library/busybox Actual results: 2. Succeed 3. Failed Expected results: Should be failed Additional info: skopeo inspect docker://busybox@sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6 { "Name": "docker.io/library/busybox",