1515060 – Scheduled image import performed on non scheduled tags

Bug 1515060 - Scheduled image import performed on non scheduled tags

Summary: Scheduled image import performed on non scheduled tags

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Image
Sub Component:
Version:	3.6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	3.9.0
Assignee:	Jim Minter
QA Contact:	Wenjing Zheng
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-11-20 05:14 UTC by Takayoshi Kimura
Modified:	2018-03-28 14:12 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Previously, OpenShift would erroneously re-import all tags on an imagestream, regardless if marked as scheduled or not, if any tag on the imagestream was marked as scheduled. This behaviour has been resolved.
Clone Of:
Environment:
Last Closed:	2018-03-28 14:12:08 UTC
Target Upstream Version:

Attachments	(Terms of Use)
ImageStream yaml output after the test (2.33 KB, text/plain) 2017-11-22 01:09 UTC, Takayoshi Kimura	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0489	None	None	None	2018-03-28 14:12:37 UTC

Internal Links: 1546097

Description Takayoshi Kimura 2017-11-20 05:14:51 UTC

Description of problem:

There are 3 tags: v1, v2 and latest. Enabled scheduled import on tag "v2".

oc import-image app --from=kunimare.usersys.redhat.com:5000/test/app --confirm --all --insecure
oc tag kunimare.usersys.redhat.com:5000/test/app:latest app:v2 --insecure=true --scheduled=true

When docker push to "latest" tag, the image stream tag "latest" is updated within the scheduled import.

Version-Release number of selected component (if applicable):

$ openshift version
openshift v3.6.173.0.49
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

How reproducible:

Always

Steps to Reproduce:

$ oc import-image app --from=kunimare.usersys.redhat.com:5000/test/app --confirm --all --insecure
$ oc tag kunimare.usersys.redhat.com:5000/test/app:latest app:v2 --insecure=true --scheduled=true

$ oc describe is
Name:			app
Namespace:		test-import
Created:		24 seconds ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2017-11-20T05:07:07Z
Docker Pull Spec:	172.30.100.180:5000/test-import/app
Image Lookup:		local=false
Unique Images:		2
Tags:			3

latest
  tagged from kunimare.usersys.redhat.com:5000/test/app:latest
    will use insecure HTTPS or HTTP connections

  * kunimare.usersys.redhat.com:5000/test/app@sha256:5fa3855815ef2eb8cb73632e35005078e59e3ad1c1c14ecaeeec070e65a25ee6
      24 seconds ago

v1
  tagged from kunimare.usersys.redhat.com:5000/test/app:v1
    will use insecure HTTPS or HTTP connections

  * kunimare.usersys.redhat.com:5000/test/app@sha256:a6929df10c9db619356a413f7cb094b9c4f59ee6c487ef8bbafb2074ddbded4c
      24 seconds ago

v2
  updates automatically from registry kunimare.usersys.redhat.com:5000/test/app:v2
    will use insecure HTTPS or HTTP connections

  * kunimare.usersys.redhat.com:5000/test/app@sha256:5fa3855815ef2eb8cb73632e35005078e59e3ad1c1c14ecaeeec070e65a25ee6
      24 seconds ago

$ sudo docker tag kunimare.usersys.redhat.com:5000/test/app:v1 kunimare.usersys.redhat.com:5000/test/app:latest
$ sudo docker push kunimare.usersys.redhat.com:5000/test/app:latest

$ oc describe is
Name:			app
Namespace:		test-import
Created:		About a minute ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2017-11-20T05:08:31Z
Docker Pull Spec:	172.30.100.180:5000/test-import/app
Image Lookup:		local=false
Unique Images:		2
Tags:			3

latest
  tagged from kunimare.usersys.redhat.com:5000/test/app:latest
    will use insecure HTTPS or HTTP connections

  * kunimare.usersys.redhat.com:5000/test/app@sha256:a6929df10c9db619356a413f7cb094b9c4f59ee6c487ef8bbafb2074ddbded4c
      1 second ago
    kunimare.usersys.redhat.com:5000/test/app@sha256:5fa3855815ef2eb8cb73632e35005078e59e3ad1c1c14ecaeeec070e65a25ee6
      About a minute ago

v1
  tagged from kunimare.usersys.redhat.com:5000/test/app:v1
    will use insecure HTTPS or HTTP connections

  * kunimare.usersys.redhat.com:5000/test/app@sha256:a6929df10c9db619356a413f7cb094b9c4f59ee6c487ef8bbafb2074ddbded4c
      About a minute ago

v2
  updates automatically from registry kunimare.usersys.redhat.com:5000/test/app:v2
    will use insecure HTTPS or HTTP connections

  * kunimare.usersys.redhat.com:5000/test/app@sha256:5fa3855815ef2eb8cb73632e35005078e59e3ad1c1c14ecaeeec070e65a25ee6
      About a minute ago

Actual results:

"latest" imported with scheduled import on "v2" tag

Expected results:

"latest" is not imported with scheduled import on "v2" tag

Additional info:

Looks like same behavior applies to insecure. When "oc tag" performed without --insecure=true on a particular tag, import failed on all tags. Single tag update affects to all tags.

Comment 1 Takayoshi Kimura 2017-11-21 09:18:49 UTC

Initial description has a typo "app:latest":

oc import-image app --from=kunimare.usersys.redhat.com:5000/test/app --confirm --all --insecure
oc tag kunimare.usersys.redhat.com:5000/test/app:latest app:v2 --insecure=true --scheduled=true

Actually it's tested with "app:v2":

oc import-image app --from=kunimare.usersys.redhat.com:5000/test/app --confirm --all --insecure
oc tag kunimare.usersys.redhat.com:5000/test/app:v2 app:v2 --insecure=true --scheduled=true

and scheduled image imports "latest" updates.

Comment 2 Ben Parees 2017-11-21 22:30:10 UTC

what is kunimare.usersys.redhat.com:5000?  is that a route to the openshift internal cluster registry, or is that an external registry?

also need to see the full imagestream yaml.

Comment 3 Takayoshi Kimura 2017-11-22 01:09:32 UTC

Created attachment 1357107 [details]
ImageStream yaml output after the test

Comment 4 Takayoshi Kimura 2017-11-22 01:10:29 UTC

> what is kunimare.usersys.redhat.com:5000?  is that a route to the openshift internal cluster registry, or is that an external registry?

It's an external registry.

Comment 5 Jim Minter 2018-01-19 22:37:08 UTC

I confirm the behaviour.

# docker run -d -p 5000:5000 --name registry registry

# docker tag 422dc563ca32 localhost:5000/test/app:v1
# docker tag d1fd7d86a825 localhost:5000/test/app:v2
# docker tag d1fd7d86a825 localhost:5000/test/app:latest
# docker push localhost:5000/test/app:v1
# docker push localhost:5000/test/app:v2
# docker push localhost:5000/test/app:latest

# oc import-image app --from=localhost:5000/test/app --confirm --all --insecure
# oc tag localhost:5000/test/app:v2 app:v2 --insecure=true --scheduled=true

# oc describe is
Name:			app
Namespace:		demo
Created:		About a minute ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2018-01-19T22:21:52Z
Docker Pull Spec:	172.30.138.244:5000/demo/app
Image Lookup:		local=false
Unique Images:		2
Tags:			3

latest
  tagged from localhost:5000/test/app:latest
    will use insecure HTTPS or HTTP connections

  * localhost:5000/test/app@sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
      About a minute ago

v1
  tagged from localhost:5000/test/app:v1
    will use insecure HTTPS or HTTP connections

  * localhost:5000/test/app@sha256:1b9bfb4e634dc1e5c19d0fa1eb2e5a28a5c2b498e3d3e4ac742bd7f5dae08611
      About a minute ago

v2
  updates automatically from registry localhost:5000/test/app:v2
    will use insecure HTTPS or HTTP connections

  * localhost:5000/test/app@sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
      About a minute ago

# docker tag 422dc563ca32 localhost:5000/test/app:latest
# docker push localhost:5000/test/app:latest

# oc describe is
Name:			app
Namespace:		demo
Created:		3 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2018-01-19T22:23:37Z
Docker Pull Spec:	172.30.138.244:5000/demo/app
Image Lookup:		local=false
Unique Images:		2
Tags:			3

latest
  tagged from localhost:5000/test/app:latest
    will use insecure HTTPS or HTTP connections

  * localhost:5000/test/app@sha256:1b9bfb4e634dc1e5c19d0fa1eb2e5a28a5c2b498e3d3e4ac742bd7f5dae08611
      48 seconds ago
    localhost:5000/test/app@sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
      3 minutes ago

v1
  tagged from localhost:5000/test/app:v1
    will use insecure HTTPS or HTTP connections

  * localhost:5000/test/app@sha256:1b9bfb4e634dc1e5c19d0fa1eb2e5a28a5c2b498e3d3e4ac742bd7f5dae08611
      3 minutes ago

v2
  updates automatically from registry localhost:5000/test/app:v2
    will use insecure HTTPS or HTTP connections

  * localhost:5000/test/app@sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
      3 minutes ago

Comment 6 Jim Minter 2018-01-22 17:54:45 UTC

https://github.com/openshift/origin/pull/18199

Comment 8 Wenjing Zheng 2018-02-22 09:33:48 UTC

I can still reproduce this issue with openshift v3.9.0-0.47.0 with below steps:
1. oc import-image app --from=docker.io/wzheng/ruby-22-centos7 --confirm --all --insecure
2. oc tag docker.io/wzheng/ruby-22-centos7:v2 app:v2 --insecure=true --scheduled=true
3. $ sudo docker tag docker.io/wzheng/ruby-22-centos7:v1 docker.io/wzheng/ruby-22-centos7:latest
$ sudo docker push docker.io/wzheng/ruby-22-centos7:latest
4. $ oc describe is
Name:			app
Namespace:		wzheng3
Created:		About a minute ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2018-02-22T09:24:39Z
Docker Pull Spec:	docker-registry.default.svc:5000/wzheng3/app
Image Lookup:		local=false
Unique Images:		2
Tags:			4

latest
  tagged from docker.io/wzheng/ruby-22-centos7:latest
    will use insecure HTTPS or HTTP connections

  * docker.io/wzheng/ruby-22-centos7@sha256:fc4fe46e2db742bbe5ca2078ea5137e67beaad97070281b8df35379a26ef27b6
      About a minute ago

v1
  tagged from docker.io/wzheng/ruby-22-centos7:v1
    will use insecure HTTPS or HTTP connections

  * docker.io/wzheng/ruby-22-centos7@sha256:68c6c65b2dfb6af6540d06e4515d0d2325781741f7c2de830dc893ee561dbfab
      About a minute ago

v2
  updates automatically from registry docker.io/wzheng/ruby-22-centos7:v2
    will use insecure HTTPS or HTTP connections

  * docker.io/wzheng/ruby-22-centos7@sha256:fc4fe46e2db742bbe5ca2078ea5137e67beaad97070281b8df35379a26ef27b6
      About a minute ago

Comment 10 Dongbo Yan 2018-02-22 09:49:17 UTC

Verified
openshift v3.9.0-0.47.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.8

$ oc describe is
Name:			mysql
Namespace:		dyan1
Created:		17 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2018-02-22T09:45:30Z
Docker Pull Spec:	docker-registry.default.svc:5000/dyan1/mysql
Image Lookup:		local=false
Unique Images:		2
Tags:			2

latest
  tagged from docker.io/dyan/mysql

  * docker.io/dyan/mysql@sha256:e1bb7bde4075033586516681e6f2bb47dbe2cea6ec0187320b1f17da079c2f23
      17 minutes ago

v5
  updates automatically from registry docker.io/dyan/mysql

  * docker.io/dyan/mysql@sha256:4cee1979ba0bf7db9fc5d28fb7b798ca69ae95a47c5fecf46327720df4ff352d
      About a minute ago
    docker.io/dyan/mysql@sha256:e1bb7bde4075033586516681e6f2bb47dbe2cea6ec0187320b1f17da079c2f23
      16 minutes ago

Comment 13 errata-xmlrpc 2018-03-28 14:12:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489

Note You need to log in before you can comment on or make changes to this bug.