Bug 2090266

Summary: oc adm release extract is failing on mutli arch image
Product: OpenShift Container Platform Reporter: Igal Tsoiref <itsoiref>
Component: ocAssignee: Maciej Szulik <maszulik>
oc sub component: oc QA Contact: zhou ying <yinzhou>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: maszulik, mfojtik, mko, psundara, wking
Version: 4.11Keywords: TestBlocker
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 11:14:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Igal Tsoiref 2022-05-25 12:58:41 UTC 
Description of problem:
oc adm release extract is failing on mutli arch image

In assisted-installer we extract installer from image and it is failing on multiarch images

For example:

oc adm release extract --command=openshift-baremetal-install --to=/data/install-config-generate/installercache/quay.io/openshift-release-dev/ocp-release:4.11.0-0.nightly-multi-2022-05-11-151437-x86_64 --insecure=false quay.io/openshift-release-dev/ocp-release:4.11.0-0.nightly-multi-2022-05-11-151437 

fails with:

error: unable to parse image quay.io/openshift-release-dev/ocp-v4.0-art-dev: unknown image manifest of type *manifestlist.DeserializedManifestList from manifest 

same happens with 
quay.io/openshift-release-dev/ocp-release:4.11.0-0.nightly-multi-2022-05-11-151437-x86_64


Version-Release number of selected component (if applicable):


How reproducible:
oc adm release extract --command=openshift-baremetal-install --to=/data/install-config-generate/installercache/quay.io/openshift-release-dev/ocp-release:4.11.0-0.nightly-multi-2022-05-11-151437-x86_64 --insecure=false quay.io/openshift-release-dev/ocp-release:4.11.0-0.nightly-multi-2022-05-11-151437 


Actual results:
error: unable to parse image quay.io/openshift-release-dev/ocp-v4.0-art-dev: unknown image manifest of type *manifestlist.DeserializedManifestList from manifest 

Expected results:
file is extracted

Additional info:
Comment 1 Prashanth Sundararaman 2022-05-25 14:33:12 UTC 
similarly, oc adm mirror is failing:

oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release@sha256:9ab0d024d9d2b1f7e9b2deedbbbc72aa95d2cf929713de6147ffc2dcba12cd7a --keep-manifest-list --to=quay.io/psundara/openshift-release --apply-release-image-signature

error: unable to retrieve release image info: unable to parse image quay.io/openshift-release-dev/ocp-release@sha256:9ab0d024d9d2b1f7e9b2deedbbbc72aa95d2cf929713de6147ffc2dcba12cd7a: unknown image manifest of type *manifestlist.DeserializedManifestList from manifest sha256:9ab0d024d9d2b1f7e9b2deedbbbc72aa95d2cf929713de6147ffc2dcba12cd7a

and so is the oc adm release new command with the --from-release flag:

oc adm release new --keep-manifest-list --from-release=quay.io/openshift-release-dev/ocp-release@sha256:9ab0d024d9d2b1f7e9b2deedbbbc72aa95d2cf929713de6147ffc2dcba12cd7a --to-image=docker.io/prashanths684/openshift-release:4.11-hetero-test machine-os-content=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a21810d31b52cb6f97354dca0f829302e4150c0f438944e3a61c11f6e99141a4  --keep-manifest-list


error: unable to parse image quay.io/openshift-release-dev/ocp-release@sha256:9ab0d024d9d2b1f7e9b2deedbbbc72aa95d2cf929713de6147ffc2dcba12cd7a: unknown image manifest of type *manifestlist.DeserializedManifestList from manifest sha256:9ab0d024d9d2b1f7e9b2deedbbbc72aa95d2cf929713de6147ffc2dcba12cd7a
Comment 4 zhou ying 2022-06-14 12:30:49 UTC 
verified with latest oc :

oc version --client
Client Version: 4.11.0-0.nightly-2022-06-14-032134
Kustomize Version: v4.5.4


oc adm release extract --command=openshift-baremetal-install --to=/home/roottest/origin/oc/ocp-release:test quay.io/openshift-release-dev/ocp-release@sha256:539fc5f98ea138395595fc72e9764aff3ad370803745b4d22db7df8e21d530db
Warning: the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" to podman registry config locations in the future version of oc. "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order of podman registry config locations.
W0614 19:36:35.542425  101571 manifest.go:442] Chose linux/amd64 manifest from the manifest list.
Warning: the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" to podman registry config locations in the future version of oc. "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order of podman registry config locations.
W0614 19:36:41.261817  101571 manifest.go:442] Chose linux/amd64 manifest from the manifest list.

 ls ocp-release\:test/
openshift-baremetal-install



oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release@sha256:539fc5f98ea138395595fc72e9764aff3ad370803745b4d22db7df8e21d530db   --keep-manifest-list --to=localhost:5000/newmirrortest --apply-release-image-signature --insecure 
Warning: the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" to podman registry config locations in the future version of oc. "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order of podman registry config locations.
W0614 19:49:10.351620  102002 manifest.go:442] Chose linux/amd64 manifest from the manifest list.
warning: An image was retrieved that failed verification: unable to verify sha256:1bff94be38f1f93bca31ce61706d568b1ab06da42fd6862037abb811c82ce0e3 against keyrings: verifier-public-key-redhat
info: Mirroring 168 images to localhost:5000/newmirrortest ...
Warning: the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" to podman registry config locations in the future version of oc. "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order of podman registry config locations.
localhost:5000/
  newmirrortest
    blobs:
      quay.io/openshift-release-dev/ocp-release sha256:fa7d3d3fed5d2fc0d5c4b1cb4c1111b2ddb338b467c6d28bec0d7c0f2be2eee5 1.75KiB
      quay.io/openshift-release-dev/ocp-release sha256:b88304ccd20b48c3e167431fdaa53db68d449caf91511ca66a32b356f947b6ea 1.752KiB
......


oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release@sha256:539fc5f98ea138395595fc72e9764aff3ad370803745b4d22db7df8e21d530db   --keep-manifest-list --to=localhost:5000/newmirrortest --apply-release-image-signature --insecure ^C
[root@localhost oc]# oc image info localhost:5000/newmirrortest --insecure 
Warning: the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" to podman registry config locations in the future version of oc. "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order of podman registry config locations.
error: the image is a manifest list and contains multiple images - use --filter-by-os to select from:

  OS            DIGEST
  linux/amd64   sha256:73e0f934655ba888ecbf7a181954093ee284db32a97898bec59ea55cb83f8206
  linux/arm64   sha256:08b5cd660444fba746c2c22c7a7d92845366b16ecb3c17f64dc8d20a94c53869
  linux/ppc64le sha256:4223f8e34aaae2dc1c9101bd9b9c38e8d31b14bf93dc62e799987a5a768098e7
  linux/s390x   sha256:e1a9fb8361657dc88861779874d980207e879715146538b6cd1a10e256f549a1
Comment 5 zhou ying 2022-06-14 12:33:30 UTC 
But still hit issue with `oc adm release new` :

oc adm release new --keep-manifest-list --from-release=quay.io/openshift-release-dev/ocp-release@sha256:539fc5f98ea138395595fc72e9764aff3ad370803745b4d22db7df8e21d530db  --to-image=localhost:5000/newtest  --keep-manifest-list
Warning: the default reading order of registry auth file will be changed from "${HOME}/.docker/config.json" to podman registry config locations in the future version of oc. "${HOME}/.docker/config.json" is deprecated, but can still be used for storing credentials as a fallback. See https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md for the order of podman registry config locations.
error: unable to parse image quay.io/openshift-release-dev/ocp-release@sha256:539fc5f98ea138395595fc72e9764aff3ad370803745b4d22db7df8e21d530db: unknown image manifest of type *manifestlist.DeserializedManifestList from manifest sha256:539fc5f98ea138395595fc72e9764aff3ad370803745b4d22db7df8e21d530db
Comment 6 Maciej Szulik 2022-06-14 12:38:49 UTC 
Spoke with Ying Zhou on slack, she'll open a new bug just for that new command.
Comment 9 errata-xmlrpc 2022-08-10 11:14:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069