Bug 1921049

Summary: [RFE] Make mirror-by-digest-only option configurable through ImageContentSourcePolicy
Product: OpenShift Container Platform
Reporter: Mario Vázquez <mavazque>
Component: Node
Assignee: Ryan Phillips <rphillips>
Node sub component: CRI-O
QA Contact: MinLi <minmli>
Status: CLOSED NOTABUG
Docs Contact:
Severity: medium
Priority: unspecified
CC: aos-bugs, bradnichols, brault, dcain, fiezzi, jparrill, mavazque, mfojtik, oarribas, rlopez, tsweeney
Version: 4.6
Target Milestone: ---
Target Release: 4.8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-03 18:23:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Mario Vázquez 2021-01-27 12:59:27 UTC
Description of problem:

When working with disconnected environments, sometimes you need to define multiple ImageContentSourcePolicies, some of which are used by apps/manifests that don't use digests when pulling the images.

Currently, all configurations are added with the mirror-by-digest-only property set to true. It would be nice if this property could be configured using the ImageContentSourcePolicy.


Version-Release number of selected component (if applicable):

4.6.X but I believe it affects any 4.X release which supports ICSPs.

How reproducible:

Always.

Steps to Reproduce:
1. Create an ICSP
2. In the OCP nodes check the file /etc/containers/registries.conf
3. Registries will be configured with "mirror-by-digest-only = true"

Actual results:

Workloads using image tags rather than image digests will not pull the images from the mirror.

Expected results:

Workloads using image tags whose mirror has been configured with "mirror-by-digest-only = false" should be able to pull the image from that mirror.

Additional info:

https://github.com/openshift/api/issues/636

Comment 1 Stefan Schimanski 2021-01-27 13:31:06 UTC
To my knowledge, the ImageContentSourcePolicies API is owned by the node team. Moving over.

Comment 2 Dave Cain 2021-01-27 13:49:35 UTC
The current development preview version of the OpenShift Assisted Installer pulls images by tag, not by digest, which renders installs initiated through it unable to proceed. Restricted network installations, which are not able to pull content from Red Hat registries (registry.redhat.io, quay.io) directly, are unable to proceed. Setting /etc/containers/registries.conf via a machineconfig leveraging ImageContentSourcePolicies during installation appears to be overwritten by the MCO to be true, despite being set to false in the initial ignition. The only workaround I found was to overwrite pulling by digest from true to false in registries.conf, which allows the installation to proceed.

We really need a way to overwrite this behavior.

Comment 5 Ryan Phillips 2021-03-03 18:23:30 UTC
Jira card for the RFE: https://issues.redhat.com/browse/RFE-676

Marking as closed.

Comment 7 Qi Wang 2021-06-07 21:24:01 UTC
*** Bug 1957337 has been marked as a duplicate of this bug. ***