Bug 1506066
| Summary: | [platformmanagement_public_850]Can't import the image signature from the RedHat registry | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | zhou ying <yinzhou> |
| Component: | Image Registry | Assignee: | Michal Fojtik <mfojtik> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Dongbo Yan <dyan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.7.0 | CC: | aos-bugs, dyan |
| Target Milestone: | --- | | |
| Target Release: | 3.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-21 18:38:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Can I see the result of `oc get image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954 -o yaml`?

Created attachment 1384807 [details]
import image

I can see the signature after tagging the image:

```
# oc describe istag rhel:7
Image Name:     sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Docker Image:   registry.access.redhat.com/rhel7@sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Name:           sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679
Created:        44 seconds ago
Annotations:    image.openshift.io/dockerLayersOrder=ascending
Image Size:     74.88MB (first layer 74.88MB, last binary layer 1.239kB)
Image Signatures:
    Name:       sha256:883444ebd2520daa0f64f5d469de68f65cc113e27e16744d98d49edce610e679@22272cad1f902a4f1e378c0d0626a61a912ab3a91d837039e80e5c9562185e9f
    Type:       AtomicImageV1
    Status:     Unverified
Image Created:  2 months ago
Author:         Red Hat, Inc.
```

```
oc v3.9.0-0.22.0
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://:8443
openshift v3.9.0-0.22.0
kubernetes v1.9.1+a0ce1bc657
```

Description of problem:
When importing an image from the RedHat registry, the image signature should be imported at the same time once the configuration for the related registry has been set up.

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.176.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

How reproducible:
always

Steps to Reproduce:
1. Build the env by jenkins job;
2. Log in to OpenShift and create a project;
3. Set up the configuration for the related image registry on all the masters:

```
# cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
```

4. Restart the master services: atomic-openshift-master-api, atomic-openshift-master-controllers;
5. As a normal user, import the image from the RH registry: `oc tag --source=docker registry.access.redhat.com/rhel7 rhel:7`
6. Check the logs from the master service: atomic-openshift-master-controllers.

Actual results:
6. No signature imported:

```
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140959 14158 signature_import_controller.go:61] Adding image sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.140989 14158 signature_import_controller.go:132] Initiating download of signatures for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
Oct 24 05:39:55 ip-172-18-11-57.ec2.internal atomic-openshift-master-controllers[14147]: I1024 09:39:55.433944 14158 signature_import_controller.go:148] No signatures dowloaded for sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954
```

Expected results:
6. The image has a signature; the signature import should succeed.

Additional info:
When OpenShift is started by `oc cluster up`, the image signature import succeeds.
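
A triage helper for the symptom described in this report, added here as an example (it is not code from the report or from OpenShift): it pulls the digests with no imported signatures out of the controller log and builds the sigstore URL to check by hand. The function names are hypothetical, and the URL layout `<sigstore>/<repository>@<algorithm>=<hex>/signature-<n>` is an assumption about how the lookaside store from `registries.d` is addressed.

```python
import re

# Sigstore base taken from the registries.d/redhat.yaml shown in the report.
SIGSTORES = {
    "registry.access.redhat.com":
        "https://access.redhat.com/webassets/docker/content/sigstore",
}

# Controller message from the report; "dowloaded" is the program's own spelling.
NO_SIGS = re.compile(
    r"signature_import_controller\.go:\d+\] "
    r"No signatures dowloaded for (sha256:[0-9a-f]{64})\b"
)


def images_without_signatures(log_lines):
    """Digests for which the controller imported nothing, in first-seen order."""
    missing = []
    for line in log_lines:
        m = NO_SIGS.search(line)
        if m and m.group(1) not in missing:
            missing.append(m.group(1))
    return missing


def lookaside_url(pull_spec, digest, index=1):
    """URL to check by hand for a signature of registry/repository at digest.

    Assumed layout: <sigstore>/<repository>@<algorithm>=<hex>/signature-<index>
    Returns None when no sigstore is configured for the registry.
    """
    registry, _, repository = pull_spec.partition("/")
    base = SIGSTORES.get(registry)
    repository = repository.split("@")[0].split(":")[0]  # drop digest or tag
    if base is None or not repository:
        return None
    algorithm, _, hexdigest = digest.partition(":")
    return f"{base.rstrip('/')}/{repository}@{algorithm}={hexdigest}/signature-{index}"


# Constructed sample: digest and message texts copied from the report, prefixes shortened.
DIGEST = "sha256:a744ef5b58472bccfa7c606efcc6b126a164eee4b7057f85cb8be46c481ee954"
SAMPLE_LOG = [
    f"I1024 09:39:55.140959 14158 signature_import_controller.go:61] Adding image {DIGEST}",
    f"I1024 09:39:55.140989 14158 signature_import_controller.go:132] Initiating download of signatures for {DIGEST}",
    f"I1024 09:39:55.433944 14158 signature_import_controller.go:148] No signatures dowloaded for {DIGEST}",
]

if __name__ == "__main__":
    for d in images_without_signatures(SAMPLE_LOG):
        print(d, "->", lookaside_url("registry.access.redhat.com/rhel7", d))
```

If the URL serves a signature while the controller still logs that none were downloaded, the master process is probably not reading the `registries.d` configuration.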