Bug 1970805

Summary:	Cannot create build when docker image url contains dir structure
Product:	OpenShift Container Platform	Reporter:	Ankit Sachdeva <ansachde>
Component:	Build	Assignee:	Alice Rum <irum>
Status:	CLOSED ERRATA	QA Contact:	Jitendar Singh <jitsingh>
Severity:	low	Docs Contact:
Priority:	medium
Version:	4.6	CC:	adam.kaplan, aos-bugs, jitsingh, pkumari, rhodain
Target Milestone:	---
Target Release:	4.10.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-03-10 16:03:59 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Comment 5 Adam Kaplan 2021-06-22 17:24:10 UTC

I am able to reproduce this issue - the logic in `oc new-build` seems to require images to have an image spec in the format `<hostname>/<user>/<imagename>:<tag>`, which is too restrictive. The Docker v2 and OCI image specifications allow any path depth in an image pull spec.

As a work-around, you can do the following:

1. Use `oc tag --source=docker` to create an imagestream referencing the image:

$ oc tag --source=docker privateregistry:5000/path/to/image:tag myproject/image:tag

2. Run `oc new-build --dockerfile` referencing the imagestream tag's short name:

```
$ oc new-build --name testapp --to testapp --dockerfile='FROM myproject/image:tag \nRUN echo "Hello world!" \nCMD [ "/bin/bash" ]'
```

This will successfully create a BuildConfig that references the imagestream tag from before.


Steps to reproduce this bug:

1. In the OpenShift developer console, create an application from the Docker distribution container image (`docker.io/registry:v2`). Click the checkbox to create a route for the application.
2. In the OpenShift admin console, edit the created route so that TLS is enabled with "edge" termination:

```yaml
spec:
  ...
  tls:
    termination: edge
```

This will ensure you have a valid Docker container registry up and running (note this is not the internal registry).
Record the hostname of the registry.

3. Use skopeo to copy the ubi8 image to the docker/distribution container registry running in the cluster, with a path that is more than two levels deep. Disable tls verification at the destination unless the ingress operator is configured to use globally trusted certificates.

```
$ skopeo copy docker://registry.access.redhat.com/ubi8/ubi:latest docker://<registry-hostname>/registry/redhat/ubi8/ubi:latest --dest-tls-verify=false
```

4. Try to use `oc new-build` with an inline Dockerfile that references the image copied by skopeo:

```
$ oc new-build --name testapp --to testapp --dockerfile='FROM <registry-hostname>/registry/redhat/ubi8/ubi:latest \nRUN echo "Hello world!" \nCMD [ "/bin/bash" ]'
```

Result (with --loglevel=5):

```
I0622 12:18:23.392830   92987 newapp.go:648] Docker client did not respond to a ping: Get "http://unix.sock/_ping": dial unix /var/run/docker.sock: connect: no such file or directory
I0622 12:18:23.393033   92987 imagestreamlookup.go:49] image streams must be of the form [<namespace>/]<name>[:<tag>|@<digest>], term "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" did not qualify
I0622 12:18:23.393061   92987 dockerimagelookup.go:88] checking remote registry for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"
I0622 12:18:23.479395   92987 dockerimagelookup.go:281] Adding container image "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" (tag "latest"), 272209f, from docker-registry-test-newbuild.apps-crc.testing, 79.630mb as component match for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" with score 0
I0622 12:18:23.479415   92987 dockerimagelookup.go:94] Found remote match docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest
I0622 12:18:23.479425   92987 resolve.go:190] Code []
I0622 12:18:23.479434   92987 resolve.go:191] Components [docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest]
I0622 12:18:23.479457   92987 newapp.go:435] found group: docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest
I0622 12:18:23.479463   92987 newapp.go:444] will add "" secrets into a build for a source build of ""
I0622 12:18:23.479469   92987 newapp.go:449] will add "" configMaps into a build for a source build of ""
I0622 12:18:23.479478   92987 newapp.go:474] will use "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" as the base image for a source build of ""
--> Found container image 272209f (2 weeks old) from docker-registry-test-newbuild.apps-crc.testing for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"

    Red Hat Universal Base Image 8 
    ------------------------------ 
    The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.

    Tags: base rhel8

    * An image stream tag will be created as "redhat/ubi8/ubi:latest" that will track the source image
    * A Docker build using a predefined Dockerfile will be created
      * The resulting image will be pushed to image stream tag "ubi8-test:latest"
      * Every time "redhat/ubi8/ubi:latest" changes a new build will be triggered

I0622 12:18:23.479554   92987 request.go:844] Error in request: invalid resource name "redhat/ubi8/ubi": [may not contain '/']
I0622 12:18:23.517424   92987 newapp.go:1290] 

Cycle check input object 0:
{
	"kind": "ImageStream",
	"apiVersion": "image.openshift.io/v1",
	"metadata": {
		"name": "redhat/ubi8/ubi",
		"creationTimestamp": null
	},
	"spec": {
		"lookupPolicy": {
			"local": false
		},
		"tags": [
			{
				"name": "latest",
				"annotations": {
					"openshift.io/imported-from": "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"
				},
				"from": {
					"kind": "DockerImage",
					"name": "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"
				},
				"generation": null,
				"importPolicy": {},
				"referencePolicy": {
					"type": ""
				}
			}
		]
	},
	"status": {
		"dockerImageRepository": ""
	}
}
I0622 12:18:23.517463   92987 newapp.go:1290] 

Cycle check input object 1:
{
	"kind": "ImageStream",
	"apiVersion": "image.openshift.io/v1",
	"metadata": {
		"name": "ubi8-test",
		"creationTimestamp": null
	},
	"spec": {
		"lookupPolicy": {
			"local": false
		}
	},
	"status": {
		"dockerImageRepository": ""
	}
}
I0622 12:18:23.517799   92987 newapp.go:1290] 

Cycle check input object 2:
{
	"kind": "BuildConfig",
	"apiVersion": "build.openshift.io/v1",
	"metadata": {
		"name": "test-multipath",
		"creationTimestamp": null
	},
	"spec": {
		"triggers": [
			{
				"type": "GitHub",
				"github": {
					"secret": "DXrSDlZANTQ3icNjU302"
				}
			},
			{
				"type": "Generic",
				"generic": {
					"secret": "xM66llKhVmOSe1lzzgMf"
				}
			},
			{
				"type": "ConfigChange"
			},
			{
				"type": "ImageChange",
				"imageChange": {}
			}
		],
		"source": {
			"type": "Dockerfile",
			"dockerfile": "FROM docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest \\n USER 1001 \\n CMD [ \"sh\", \"-c\", \"java -version\" ]"
		},
		"strategy": {
			"type": "Docker",
			"dockerStrategy": {
				"from": {
					"kind": "ImageStreamTag",
					"name": "redhat/ubi8/ubi:latest"
				}
			}
		},
		"output": {
			"to": {
				"kind": "ImageStreamTag",
				"name": "ubi8-test:latest"
			}
		},
		"resources": {},
		"postCommit": {},
		"nodeSelector": null
	},
	"status": {
		"lastVersion": 0
	}
}
I0622 12:18:23.517848   92987 newapp.go:1309] Post follow input:
&v1.ObjectReference{Kind:"DockerImage", Namespace:"", Name:"docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""}
I0622 12:18:23.517869   92987 newapp.go:1319] Post follow:
(*v1.ObjectReference)(nil)
I0622 12:18:23.517884   92987 request.go:844] Error in request: invalid resource name "redhat/ubi8/ubi": [may not contain '/']
--> Creating resources with label build=test-multipath ...
    error: ImageStream.image.openshift.io "redhat/ubi8/ubi" is invalid: metadata.name: Invalid value: "redhat/ubi8/ubi": may not contain '/'
    imagestream.image.openshift.io "ubi8-test" created
    error: BuildConfig.build.openshift.io "test-multipath" is invalid: spec.strategy.dockerStrategy.from.name: Invalid value: "redhat/ubi8/ubi": invalid name syntax
--> Failed
```

Comment 12 Priti Kumari 2021-12-07 09:30:02 UTC

I have verified the change and no longer getting the `invalidValue error`. @jitsingh Could you please move the state to verified.

Comment 13 Jitendar Singh 2021-12-07 10:23:02 UTC

VERIFIED

Comment 16 errata-xmlrpc 2022-03-10 16:03:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056