Using atomic-1.12.5-2.el7.x86_64 in RHELAH 7.3

When using 'atomic pull' to pull down docker images, if a user does not use the fully qualified registry name, the operation will fail:

# atomic --debug pull rhel7/cockpit-ws
Image rhel7/cockpit-ws is being pulled to docker ...
ReturnTuple(return_code=1, stdout='', stderr='time="2016-10-04T19:46:31Z" level=fatal msg="error fetching manifest: status code: 401, body: {\\"errors\\":[{\\"code\\":\\"UNAUTHORIZED\\",\\"message\\":\\"authentication required\\",\\"detail\\":[{\\"Type\\":\\"repository\\",\\"Name\\":\\"rhel7/cockpit-ws\\",\\"Action\\":\\"pull\\"}]}]}\\n" \n')
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 56, in pull_image
    handler()
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 37, in pull_docker_image
    fq_name = skopeo_inspect("{}{}".format(pull_uri, self.args.image))['Name']
  File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 274, in skopeo_inspect
    raise ValueError(results)
ValueError: ReturnTuple(return_code=1, stdout='', stderr='time="2016-10-04T19:46:31Z" level=fatal msg="error fetching manifest: status code: 401, body: {\\"errors\\":[{\\"code\\":\\"UNAUTHORIZED\\",\\"message\\":\\"authentication required\\",\\"detail\\":[{\\"Type\\":\\"repository\\",\\"Name\\":\\"rhel7/cockpit-ws\\",\\"Action\\":\\"pull\\"}]}]}\\n" \n')

The correct way is to use the fully qualified registry name, like this:

atomic pull registry.access.redhat.com/rhel7/cockpit-ws
Brent, is this fixed in atomic-1.13?
Yes it is. Might be good to get an ack from Micah on it.
Fixed in atomic-1.13
It works well on my RHEL7.3-RC-3, but it failed on 7.3.0-3 atomic cloud images.

1. failure on 7.3.0-3 atomic cloud images

It may be caused by the missing /etc/containers/policy.json and /etc/containers/registries.d/default.yaml in cloud images.

[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-26 14:24:09)
        Commit: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)
      Unlocked: development
[root@atomic-00 cloud-user]# cat /etc/redhat-release
Red Hat Enterprise Linux Atomic Host release 7.3
[root@atomic-00 cloud-user]# rpm -q atomic skopeo
atomic-1.13.5-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64
[root@atomic-00 cloud-user]# atomic --debug pull rhel7/cockpit-ws
Image rhel7/cockpit-ws is being pulled to docker ...
[
  { "search": true, "hostname": "registry-1.docker.io", "name": "docker.io", "secure": true },
  { "search": true, "hostname": "registry.access.redhat.com", "name": "registry.access.redhat.com", "secure": true },
  { "search": false, "hostname": "10.73.73.33:5000", "name": "10.73.73.33:5000", "secure": false }
]
Trying docker.io/rhel7/cockpit-ws:latest
URL: https://registry-1.docker.io/v2/
GET_URL: https://registry-1.docker.io/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token_scope to repository:rhel7/cockpit-ws:pull
URL: http://registry-1.docker.io/v2/
GET_URL: https://auth.docker.io/token?service=registry.docker.io&scope=repository:rhel7/cockpit-ws:pull
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token to [token removed]
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer [token removed]', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
URL: http://registry-1.docker.io/v2/
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer [token removed]', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: http://registry-1.docker.io/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Authorization': 'Bearer [token removed]', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Trying registry.access.redhat.com/rhel7/cockpit-ws:latest
URL: https://registry.access.redhat.com/v2/
GET_URL: https://registry.access.redhat.com/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: https://registry.access.redhat.com/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
argument of type 'NoneType' is not iterable
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 65, in pull_image
    handler()
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 49, in pull_docker_image
    trust.discover_sigstore(fq_name)
  File "/usr/lib/python2.7/site-packages/Atomic/trust.py", line 282, in discover_sigstore
    if not scope in registry_configs:
TypeError: argument of type 'NoneType' is not iterable

2. works well in RHEL7.3-RC-3

[root@bootp-73-3-203 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@bootp-73-3-203 ~]# rpm -q atomic skopeo
atomic-1.13.5-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64
[root@bootp-73-3-203 ~]# atomic --debug pull rhel7/cockpit-ws
Image rhel7/cockpit-ws is being pulled to docker ...
[
  { "search": true, "hostname": "registry-1.docker.io", "name": "docker.io", "secure": true },
  { "search": true, "hostname": "registry.access.redhat.com", "name": "registry.access.redhat.com", "secure": true },
  { "search": false, "hostname": "registry.access.stage.redhat.com", "name": "registry.access.stage.redhat.com", "secure": false }
]
Trying docker.io/rhel7/cockpit-ws:latest
URL: https://registry-1.docker.io/v2/
GET_URL: https://registry-1.docker.io/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token_scope to repository:rhel7/cockpit-ws:pull
URL: http://registry-1.docker.io/v2/
GET_URL: https://auth.docker.io/token?service=registry.docker.io&scope=repository:rhel7/cockpit-ws:pull
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token to [token removed]
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer [token removed]', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
URL: http://registry-1.docker.io/v2/
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer [token removed]', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: http://registry-1.docker.io/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Authorization': 'Bearer [token removed]', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Trying registry.access.redhat.com/rhel7/cockpit-ws:latest
URL: https://registry.access.redhat.com/v2/
GET_URL: https://registry.access.redhat.com/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: https://registry.access.redhat.com/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Pulling registry.access.redhat.com/rhel7/cockpit-ws:latest ...
Executing: /usr/bin/skopeo --debug copy --remove-signatures docker://registry.access.redhat.com/rhel7/cockpit-ws:latest docker-daemon:rhel7/cockpit-ws:latest
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "default-docker" configuration
DEBU[0000] No signature storage configuration found for registry.access.redhat.com/rhel7/cockpit-ws:latest
DEBU[0000] IsRunningImageAllowed for image docker:registry.access.redhat.com/rhel7/cockpit-ws:latest
DEBU[0000] Using default policy section
DEBU[0000] Requirement 0: allowed
DEBU[0000] Overall: allowed
DEBU[0000] GET https://registry.access.redhat.com/v2/
DEBU[0001] Ping https://registry.access.redhat.com/v2/ err <nil>
DEBU[0001] Ping https://registry.access.redhat.com/v2/ status 200
DEBU[0001] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/manifests/latest
DEBU[0002] Will convert manifest from MIME type application/vnd.docker.distribution.manifest.v1+prettyjws to application/vnd.docker.distribution.manifest.v2+json
Copying blob sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
DEBU[0002] Downloading rhel7/cockpit-ws/blobs/sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
DEBU[0002] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/blobs/sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
DEBU[0004] Detected compression format gzip
DEBU[0004] Using original blob without modification
DEBU[0004] docker-daemon: input with unknown size, streaming to disk first…
DEBU[0038] … streaming done
DEBU[0038] Sending as tar file sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
DEBU[0038] Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter
DEBU[0038] Computed DiffID sha256:94b2db70f7476c98f4c4a1b7a922136e0c5600d2d74905407ad364dcca2bf852 for layer sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
Copying blob sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
DEBU[0038] Downloading rhel7/cockpit-ws/blobs/sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
DEBU[0038] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/blobs/sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
DEBU[0040] Detected compression format gzip
DEBU[0040] Using original blob without modification
DEBU[0040] Sending as tar file sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
DEBU[0040] Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter
DEBU[0040] Computed DiffID sha256:22426f366c51f26105aa9a6c6c9aea9fff0f21b7aabfc97870727577edaa3260 for layer sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
Copying blob sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8
DEBU[0040] Downloading rhel7/cockpit-ws/blobs/sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8
DEBU[0040] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/blobs/sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8
DEBU[0042] Detected compression format gzip
DEBU[0042] Using original blob without modification
DEBU[0042] docker-daemon: input with unknown size, streaming to disk first…
DEBU[0042] … streaming done
DEBU[0042] Sending as tar file sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8
DEBU[0042] Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter
DEBU[0042] Computed DiffID sha256:326d0a1c81f59c2b0b5a3e075169287a31be68dc726a1f06cb00bc8050f99bf0 for layer sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8
Copying config sha256:b43b419e2783b348b771fc92872654b9b9ae27aac112f034ef8f313fc26ead24
DEBU[0042] No compression detected
DEBU[0042] Using original blob without modification
DEBU[0042] Sending as tar file sha256:b43b419e2783b348b771fc92872654b9b9ae27aac112f034ef8f313fc26ead24
Writing manifest to image destination
DEBU[0042] Sending as tar file manifest.json
Storing signatures
DEBU[0042] docker-daemon: Closing tar stream
DEBU[0042] docker-daemon: Waiting for status
DEBU[0044] docker-daemon: sending done, status <nil>
[root@bootp-73-3-203 ~]# atomic images list
  REPOSITORY                               TAG      IMAGE ID       CREATED            VIRTUAL SIZE   TYPE
  registry.access.stage.redhat.com/rhel7   latest   f98706e16e41   2016-10-26 20:02   192.51 MB      Docker
> busybox                                  latest   e02e811dd08f   2016-10-08 05:03   1.09 MB        Docker
  rhel7/cockpit-ws                         latest   b43b419e2783   2016-09-08 05:03   218.81 MB      Docker
Please also see bug 1391788
(In reply to Alex Jia from comment #8)
> Please also see bug 1391788

After manually copying an existing policy.json into /etc/containers/ on RHELAH, it works well and the issue in Comment 0 is not found.
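The TypeError in the traceback above is raised by the membership test `scope in registry_configs` while registry_configs is None. The following is an added example, not code from the atomic project: it sets that test beside a lookup that treats an absent registries.d configuration as "nothing configured" and picks the most specific matching scope. All function names, the parsed-config dicts and the sigstore URLs are assumptions constructed for illustration.

```python
"""Sigstore lookup that tolerates a missing registries.d configuration (added example)."""

# CONSTRUCTED sample data: a parsed "docker:" section keyed by scope, and a
# "default-docker" fallback. The URLs are placeholders, not real signature stores.
SAMPLE_CONFIGS = {
    "registry.access.redhat.com": {"sigstore": "https://sigstore.example.invalid/host"},
    "registry.access.redhat.com/rhel7": {"sigstore": "https://sigstore.example.invalid/rhel7"},
}
SAMPLE_DEFAULT = {"sigstore": "https://sigstore.example.invalid/default"}
IMAGE = "registry.access.redhat.com/rhel7/cockpit-ws:latest"


def lookup_unsafe(scope, registry_configs):
    """Same membership test as in the traceback: raises TypeError on None."""
    if not scope in registry_configs:
        return None
    return registry_configs[scope].get("sigstore")


def strip_reference(image):
    """Drop a trailing :tag or @digest, leaving host[:port]/namespace/repo.

    Assumes a fully qualified name that contains at least one '/'.
    """
    name = image.split("@", 1)[0]
    last_component = name.rsplit("/", 1)[-1]
    if ":" in last_component:          # a colon after the last '/' is a tag, not a port
        name = name[: name.rindex(":")]
    return name


def scope_candidates(image):
    """Return scopes from most to least specific: repo, parent namespaces, host."""
    parts = strip_reference(image).split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def discover_sigstore_safe(image, registry_configs, default_config=None):
    """Return the sigstore URL for image, or None when nothing is configured."""
    configs = registry_configs or {}   # None (no config files found) behaves like {}
    for scope in scope_candidates(image):
        entry = configs.get(scope)
        if entry and entry.get("sigstore"):
            return entry["sigstore"]
    return (default_config or {}).get("sigstore")


def demo():
    """Run both lookups on the constructed data and collect the outcomes."""
    results = {}
    try:
        lookup_unsafe("registry.access.redhat.com", None)
        results["unsafe_with_none"] = "no error"
    except TypeError:
        results["unsafe_with_none"] = "TypeError"
    results["safe_with_none"] = discover_sigstore_safe(IMAGE, None)
    results["safe_most_specific"] = discover_sigstore_safe(IMAGE, SAMPLE_CONFIGS)
    results["safe_default"] = discover_sigstore_safe(
        "docker.io/library/busybox", SAMPLE_CONFIGS, SAMPLE_DEFAULT)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

A None result from the tolerant lookup corresponds to the "No signature storage configuration found" line in the skopeo debug output above; whether an unsigned image is then accepted is decided separately by policy.json.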
It works well on both the rhel-atomic-host-7.3.1-1 image and RHEL7.3-RC-3 w/ latest docker and selinux-policy installation.

1. in rhel-atomic-host-7.3.1-1 image

[root@atomic-00 cloud-user]# cat /etc/redhat-release
Red Hat Enterprise Linux Atomic Host release 7.3
[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-11-04 00:49:18)
        Commit: ad61697d3d0df9859551104d57c6187925f05e7daeffb41d4a276a9fed7e089d
        OSName: rhel-atomic-host
[root@atomic-00 cloud-user]# rpm -q atomic skopeo docker selinux-policy
atomic-1.13.6-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64
docker-1.12.3-2.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch

2. in RHEL7.3-RC-3

[root@dell-per630-02 RPMs]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@dell-per630-02 RPMs]# rpm -q atomic skopeo docker selinux-policy
atomic-1.13.8-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64
docker-1.12.3-4.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2857.html