1461325 – Can't verify the image signature with the route of registry out of the cluster host

Bug 1461325 - Can't verify the image signature with the route of registry out of the cluster host

Summary: Can't verify the image signature with the route of registry out of the cluste...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Image Registry
Sub Component:
Version:	3.6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Michal Fojtik
QA Contact:	ge liu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-06-14 08:41 UTC by zhou ying
Modified:	2017-06-20 09:37 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-06-19 11:43:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description zhou ying 2017-06-14 08:41:44 UTC

Description of problem:
When use the 'oadm verify-image-signature' out of the cluster , will met error:
error verifying signature sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb@b048acf7a8105b02a837dc8fbd393313 for image sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb (verification status will be removed): failed to get image "sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb" manifest: Get http://172.30.226.141:5000/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Version-Release number of selected component (if applicable):
openshift v3.6.106
kubernetes v1.6.1+5115d708d7
etcd 3.2.0

How reproducible:
always

Steps to Reproduce:
1. Login Openshift and create project;
2. Sign and push image to project:
  `skopeo copy  --sign-by 215FF0D3C5B13412  --dest-creds zhouy:Cq-EFS09EK2X4ldFZpXuQVwKTqSHvEtN6-CEG30C_Os --dest-tls-verify=false docker://docker.io/busybox:latest  atomic:docker-registry-default.0614-7w2.qe.rhcloud.com/zhouy/busybox:latest`
3. Try to verify the image out of the cluster host:
   `oadm verify-image-signature sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb --expected-identity=docker-registry-default.0614-7w2.qe.rhcloud.com/zhouy/busybox:latest --public-key='/root/.gnupg/pubring.gpg'`


Actual results:
3. Verify failed with error:
oadm verify-image-signature sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb --expected-identity=docker-registry-default.0614-7w2.qe.rhcloud.com/zhouy/busybox:latest --public-key='/root/.gnupg/pubring.gpg' --loglevel=8
........
I0614 15:51:47.114483   11976 request.go:991] Response Body: {"kind":"Image","apiVersion":"v1","metadata":{"name":"sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb","selfLink":"/oapi/v1/images/sha256%3A3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb","uid":"50261e2f-50d4-11e7-b06c-fa163e22d5a9","resourceVersion":"9372","creationTimestamp":"2017-06-14T07:37:26Z","annotations":{"openshift.io/image.managed":"true"}},"dockerImageReference":"172.30.226.141:5000/zhouy/busybox@sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb","dockerImageMetadata":{"kind":"DockerImage","apiVersion":"1.0","Id":"82c7ed4295eafe827b1ab2915f345e40d95dff508cdcf4eb772a48e427838eed","Parent":"09af4c1280d660415c9f504b6750d75a799dd8b60126abf323c8d47be9f5dcb6","Created":"2017-05-15T22:15:45Z","Container":"a3c2e8914eef4442b3758b801542fd7e853deb283637fc7cec7f8aa5c9058b64","ContainerConfig":{"Hostname":"971d7095b61b","Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD [\"sh\"]"],"Image":"sha256:7cc4b5aefd1d0cadf8d97d4350462ba51c694ebca145b08d7d41b41acc8db5aa"},"DockerVersion":"17.03.1-ce","Config":{"Hostname":"971d7095b61b","Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["sh"],"Image":"sha256:7cc4b5aefd1d0cadf8d97d4350462ba51c694ebca145b08d7d41b41acc8db5aa"},"Architecture":"amd64","Size":699343},"dockerImageMetadataVersion":"1.0","dockerImageLayers":[{"name":"sha256:1cae461a1479c5a24dd38bd5f377ce65f531399a7db8c3ece891ac2197173f1d","size":699311,"mediaType":"application/vnd.docker.container.image.rootfs.diff+x-gtar"},{"name":"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4","size":32,"mediaType":"application/vnd.docker.container.image.rootfs.diff+x-gtar"}],"signatures":[{"metadata":{"name":"sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb@b048acf7a8105b02a837dc8fbd393313","uid":"2de2d7d6-50d5-11e7-b06c
-fa163e22d5a9","creationTimestamp":"2017-06-14T07:43:38Z"},"type":"atomic","content":"owGbwMvMwMGoGP/h8tGNJkKMpw/0JjFEOrzUqFZKLsosyUxOzFGyqlbKTEnNK8ksqQSxU/KTs1OLdItS01KLUvOSU5WsEELpmcUlRZW6KalpiaU5JXoGZoYmuublRnqFqXpFGck5+aUpesn5ufpVGfmllfpJpcWVSfkVVjmJJanFJUq1OkqZuYnpqUh25CbmZaYB5XRTMtNBSqyUijMSjUzNrIyTjMwtUsxN0pKSLFIME80MTMyMjU2Sk8wtkkyMzAwSTVJMLC1TTRONk5MsLZMMzFMNjFItEy3TUozNzEyAukCWlVQWgNyeWJKfm5mskJyfV5KYmZdapFCcmZ6XWFJalApSlF9QkpmfBwmE5KJUoOIihB4DPUM9A6Bny5SApmXmAl2YmFugZGVoYmkOdIWRoVltbSejDAsDIwcDGysTKFQZuDgFYGF9wYqDYd28coE09xONEYWKoj3hvcJzVCZ9u1R0tVNu2dmYg0/W/C2zj4h6nnbn7IN9xQ6/lS13zpuufEb3U2DdA47MCXMZ/ug/OxIb+oPBf6LQs5dVktEWOfVXotiWZS+fVsFQs3bH+w+z7819vbj+ataqrNy+DOXl9RnTguU3HTB/+NJSNvaB0Z41KWbSO9j1PbN/mU+a2aTCzTjRQ31yw91HV04HOSvzCClYzZh2w9qidbn4k2vXta6cXpR6Py41zcfkw6O1PxoqpwRxV4k+Pu8a9v30yz9aU57ZbWT2mXGLYdHU8m8dcve3qn5wvlW35VHwXAcJq9R5j86knQxrjKphen5OYXLHrrx5WV1l//et4wEA"}],"dockerImageSignatures":["eyJoZWFkZXIiOnsiandrIjp7ImNydiI6IlAtMjU2Iiwia2lkIjoiM0NVWTpPTUpMOkJQNEY6S1k1TTpRU1FaOlRGVUY6VkVBRTpSWERLOkJXS0I6VFUzVDpUTlFBOlFCRkoiLCJrdHkiOiJFQyIsIngiOiJUY2tySTZwOVN2LTZmTmVkaVB1RlpYcmZKWG9QcWJhMGVPelMxWDVBeGQ0IiwieSI6IjFFaW01MU1nYUZJMm84cEFnWVhqSlZHS2xHTk03dFQ2Z05ydlpyTzY4SG8ifSwiYWxnIjoiRVMyNTYifSwic2lnbmF0dXJlIjoicGdQeTdkTWVCY0UwVEtGN2JyYjlFdUEwTFk1NTVFUFBYRVhNbm5XRjB2XzRFNDhqUF9MVE42NzNBSHh2Vmp3a29WNW9NSlZ4LVMzUUNXV0xIdFRjMUEiLCJwcm90ZWN0ZWQiOiJleUptYjNKdFlYUk1aVzVuZEdnaU9qSXdNRElzSW1admNtMWhkRlJoYVd3aU9pSm1VU0lzSW5ScGJXVWlPaUl5TURFM0xUQTJMVEUwVkRBM09qTTNPakkwV2lKOSJ9"],"dockerImageManifestMediaType":"application/vnd.docker.distribution.manifest.v1+json"}
I0614 15:52:02.116391   11976 client.go:139] Falling back to an HTTP check for an insecure registry {https  <nil> 172.30.226.141:5000   %!s(bool=false)  }: Get https://172.30.226.141:5000/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
error verifying signature sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb@b048acf7a8105b02a837dc8fbd393313 for image sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb (verification status will be removed): failed to get image "sha256:3b278d74fbb8d1a6046334cb78b4260a4d499e5a3cb99b07e02e9a9fd36644fb" manifest: Get http://172.30.226.141:5000/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)


Expected results:
3. Since use the route of registry, should verify the image succeed when out of the cluster hosts.

Additional info:

Comment 1 Michal Fojtik 2017-06-19 07:49:53 UTC

I guess it is failing to get the manifest. Will verify.

Note You need to log in before you can comment on or make changes to this bug.