Bug 1557607 - [3.7] oc adm migrate storage produces error as signature annotations forbidden
Summary: [3.7] oc adm migrate storage produces error as signature annotations forbidden
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 3.7.z
Assignee: Michal Minar
QA Contact: Dongbo Yan
URL:
Whiteboard:
Depends On:
Blocks: 1559982 1559991 1559994 1559997 1560311
TreeView+ depends on / blocked
 
Reported: 2018-03-17 04:09 UTC by Kenjiro Nakayama
Modified: 2018-06-05 16:45 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Image validation used to validate old image object. And image signature import controller used generate such an image. Consequence: An invalid images were pushed to etcd. Fix: Validation has been changed to validate new image object. Logic to fix some invalid images has been introduced. Controller no longer generates invalid images. Result: It's no longer possible to upload an invalid image object.
Clone Of:
: 1559982 1559991 1559994 1559997 1560311 (view as bug list)
Environment:
Last Closed: 2018-04-05 09:40:50 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0636 None None None 2018-04-05 09:41:24 UTC

Description Kenjiro Nakayama 2018-03-17 04:09:28 UTC
Description of problem:
- When we run oc adm migrate storage, we got following error.

# oc adm --config=/etc/origin/master/admin.kubeconfig migrate storage --include=* --confirm
E0315 10:11:30.026186 error:      images/sha256:0270334c4d7adaa8a5dcd592cb219efd13b3c00631184b3a594b329dfd331eec: Image "sha256:0270334c4d7adaa8a5dcd592cb219efd13b3c00631184b3a594b329dfd331eec" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
E0315 10:11:30.057761 error:      images/sha256:0677366367b1f1a736bdb50b926559c1bdeed02de1bce477f8fe7ed53336a572: Image "sha256:0677366367b1f1a736bdb50b926559c1bdeed02de1bce477f8fe7ed53336a572" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
E0315 10:11:30.156449 error:      images/sha256:1104dcdacfa9c40222e9256029cafe0b084c8dcc911ab8e816c3f39bd5a4dad1: Image "sha256:1104dcdacfa9c40222e9256029cafe0b084c8dcc911ab8e816c3f39bd5a4dad1" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
E0315 10:11:30.275157 error:      images/sha256:263c5a1107b6703b3db87f1cb7481a74aa7b7d1138a2da49cb692fa1ec05a42b: Image "sha256:263c5a1107b6703b3db87f1cb7481a74aa7b7d1138a2da49cb692fa1ec05a42b" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
  ...

- The image contains `image.openshift.io/managed-signature: "true"`

# oc get images
  ...
signatures:
- content: xxxxx
  metadata:
    annotations:
      image.openshift.io/managed-signature: "true"
    creationTimestamp: 2018-02-12T03:51:53Z
    name: sha256:xxxx
  type: AtomicImageV1

Version-Release number of selected component (if applicable):
- OCP 3.7

How reproducible: 100%

Steps to Reproduce:
1.

Actual results:
- Please refer to above error

Expected results:
- No error output.

Additional info:
- proposal patch: https://github.com/openshift/origin/pull/19011

Comment 9 Michal Minar 2018-03-20 18:50:25 UTC
Fix: https://github.com/openshift/origin/pull/19037

Comment 16 Michal Minar 2018-03-23 16:14:09 UTC
OSE 3.7 PR: https://github.com/openshift/ose/pull/1154

Comment 18 Dongbo Yan 2018-04-03 08:38:13 UTC
Test with 
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Reproduce steps:
1.Build an image, get the image digest id
 $ oc get images
2.Create image signature for this image
$ cat <<EOF |
{
  "kind": "ImageSignature",
  "schemaVersion": 2,
  "type": "AtomicImageV1",
  "metadata": {
    "annotations": {
      "image.openshift.io/managed-signature": "true"},
    "name": "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23"},
  "content": "owGbw......"
 }
EOF
oc create -f -

3.Migrate image
 $ oc adm migrate storage --include=images --confirm

Result:
fail in step2
# oc create -f sig.json 
The ImageSignature "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23" is invalid: metadata.annotations: Forbidden: signature annotations cannot be set

Could you help give some suggestions how to add an annotation into imageSignature?
Thanks

Comment 19 Michal Minar 2018-04-03 10:38:31 UTC
You're trying to create ImageSignature kind which which is not a native resource. It exists and can be modified only on image object.

You can either

 a) create a new image with the signature attached
 b) add a signature to an existing image

Since b) is more complex than a), let me just describe the a):

  - save the image object from comment 1 into img.yaml
  - import it with oc create -f img.yaml

However, if you test just with the latest oc server version, the annotation gets dropped before the image is saved into etcd. If you want to test the migration command with the annotation set on the image/signature, you'll have to:

  1. launch an older version of OCP master (withought the patch)
  2. create an image **without** the signature
  3. do b) from above:
     - add the "signatures: ..." part with the annotation using oc edit image sha256:...
  4. tear down the OCP master while preserving etcd and configuration
  5. launch a new version of OCP master (with the pach)
  6. continue with the migration ...

The b) is necessary here because the api refuses the annotation just on Create(image, not on Update(image) - only this way can the annotation be propagated.

Hope it helps.

Comment 20 Dongbo Yan 2018-04-03 11:49:17 UTC
Michal Minar, thanks

try with a) and b), do not reproduce error with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

move to verified

Comment 24 errata-xmlrpc 2018-04-05 09:40:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0636

Comment 25 Ben Parees 2018-06-05 16:45:32 UTC
*** Bug 1585876 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.