Bug 1977280

Summary: registries.conf mixes v1 and v2 syntax
Product: Red Hat Enterprise Linux 8 Reporter: Valentin Rothberg <vrothber>
Component: skopeo Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: Yuhui Jiang <yujiang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.4 CC: bbaude, dwalsh, jligon, jnovy, leiwang, lsm5, mheon, mitr, pthomas, tsweeney, umohnani, ypu
Target Milestone: beta Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: skopeo-1.4.0-5.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 17:38:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Updated/fixed registries.conf none

Description Valentin Rothberg 2021-06-29 11:34:50 UTC
Created attachment 1795755
Updated/fixed registries.conf

Description of problem:

/etc/containers/registries.conf mixes the v1 and v2 notation, namely:

----------
# OLD v1 notation
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']

# NEW v2 notation
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
----------


Mixing the v1 and v2 notation is unsupported and should yield an error when being loaded.  Ultimately, it points to a bug in the containers/image library which we should not fix now since it would break with the shipped registries.conf.

Note that only [registries.search] gets loaded; unqualified-search-registries will be ignored.  But that is quite unclear when purely looking at this file.

I assume that this mix-up happened when reducing the number of search registries.

What we should do:
- Update /etc/containers/registries.conf and remove all references to the v1 notation and update the `unqualified-search-registries` with the proper set of registries. I uploaded a file showing how I think registries.conf should look.


Version-Release number of selected component (if applicable):

[root@kvm-01-guest13 ~]# dnf info containers-common
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:41:39 ago on Tue 29 Jun 2021 01:50:39 PM IDT.
Installed Packages
Name         : containers-common
Epoch        : 1
Version      : 1.2.2
Release      : 4.module+el8.5.0+10387+8d85dbaf
Architecture : x86_64
Size         : 299 k
Source       : skopeo-1.2.2-4.module+el8.5.0+10387+8d85dbaf.src.rpm
Repository   : @System
From repo    : beaker-AppStream
Summary      : Configuration files for working with image signatures
URL          : %{git0}
License      : ASL 2.0
Description  : This package installs a default signature store configuration and a default
             : policy under `/etc/containers/`.


How reproducible:

Always.  Also reproduced on RHEL 9 beta.

Steps to Reproduce:
1. dnf install podman; cat /etc/containers/registries.conf


Additional info:

I added a registries.conf file with the appropriate fixes.  Please include Miloslav and/or me when updating the packages, so we can have a final look.

Comment 1 Miloslav Trmač 2021-06-29 12:59:52 UTC
This is rejected:

> unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
> [registries.search]
> registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']

while this is accepted:
> [registries.search]
> registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
> unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]

and like this, without comments, it’s easier to see what is going on: the second version defines, in TOML, a field registries.search.unqualified-search-registries, not the v2 top-level unqualified-search-registries field.

---

So this is, in some sense, not a bug in the config file parser, OTOH it seems quite desirable to reject such configs as a special case.

Comment 2 Valentin Rothberg 2021-06-30 13:51:19 UTC
Assigning to Jindrich, since it must be fixed in the downstream registries.conf.

Comment 3 Jindrich Novy 2021-07-01 10:41:01 UTC
Can we get qa ack please?

Comment 5 Valentin Rothberg 2021-08-04 14:15:11 UTC
@Jindrich, looks good to me. Thanks for the ping!

I have a slight preference to move `short-name-mode = "enforcing"` up to line 23, maybe with a blank line before.  It looks a bit hidden down there but it does the job.

Comment 6 Jindrich Novy 2021-08-04 14:30:13 UTC
Thanks Valentin. It's actually a good catch as we need enforcing for short-name-mode in RHEL9+ only and not in 8.5? If so I actually need to drop this...

FYI - for RHEL9 I'm using this: http://pkgs.devel.redhat.com/cgit/rpms/skopeo/tree/update.sh?h=stream-container-tools-latest-rhel-9.0.0-beta#n27 which tests if there is "# short-name-mode" within the config and if so, it will put the "short-name-mode = enforcing" straight after it.

Comment 7 Valentin Rothberg 2021-08-04 14:47:13 UTC
(In reply to Jindrich Novy from comment #6)
> Thanks Valentin. It's actually a good catch as we need enforcing for
> short-name-mode in RHEL9+ only and not in 8.5? If so I actually need to drop
> this...

Good catch. Yes, no enforcing in 8.5 since it would be a breaking change.

Comment 15 errata-xmlrpc 2021-11-09 17:38:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4154