Bug 1957337
| Summary: | Test mirror-by-digest=false configuration in /etc/containers/registries.conf.d | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | oarribas <oarribas> |
| Component: | Node | Assignee: | Qi Wang <qiwan> |
| Node sub component: | CRI-O | QA Contact: | Sunil Choudhary <schoudha> |
| Status: | CLOSED WORKSFORME | Docs Contact: | |
| Severity: | medium | ||
| Priority: | unspecified | CC: | abraj, aos-bugs, erich, jcall, oarribas, qiwan, sbelmasg |
| Version: | 4.6 | Keywords: | Reopened |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-22 13:02:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
oarribas
2021-05-05 15:56:21 UTC
I don't believe this is a blocker There's an RFE for allowing mirror-by-digest=false https://bugzilla.redhat.com/show_bug.cgi?id=1921049. Close this bug since it's a duplicate. *** This bug has been marked as a duplicate of bug 1921049 *** @oarribas I have tested the `mirror-by-digest-only = false` in `/etc/containers/registries.conf.d/` in 4.6 and 4.7. For the answer to the question posted in slack [1], this feature is supported. If this configuration is necessary for the customer right now, we can document it as a workaround. Steps to confirm it: 1. Change the cluster configuration using mco. The mirror configuration I used as below ``` unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io", "quay.io"] [[registry]] prefix = "" location = "docker.io/library/alpine" mirror-by-digest-only = false [[registry.mirror]] location = "mirror.gcr.io/library/alpine" ``` 2. Use podman to pull the image without digest and check the log to make sure the mirror was used. podman --log-level debug pull docker.io/library/alpine DEBU[0000] GET https://mirror.gcr.io/v2/library/alpine/blobs/sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b DEBU[0000] Detected compression format gzip DEBU[0000] Using original blob without modification Copying blob 5843afab3874 done [1]https://coreos.slack.com/archives/CK1AE4ZCK/p1618999300078300 @sbelmasg Override `mirror-by-digest-only = true` under `/etc/containers/registries.conf.d works as expected. We can document it as a workaround if customers really need it. Do you responsible for the support exception or do I need to contact someone for documenting this? @sbelmasg @oarribas do you think we can close this bugzilla? ok on my side, thanks. @oarribas Yes. The KCS is ok for me. Please also point out the possible limitations of using this workaround. To pull images from mirror registries without the digest specifications, this could lead to returning different image version from different registry if the image tag mapping is out of sync. But the OpenShift core required image using digests to avoid different versions won't consume this feature at all, so it is not exposed to the risks that anyone who actually uses the feature will be exposed to. |