Description of problem:
After configuring the sigstore, can't import the image signature from the Red Hat registry.
Version-Release number of selected component (if applicable):
openshift v3.10.0-0.60.0
How reproducible:
always
Steps to Reproduce:
1. Configure the sigstore on the master host, and restart the api and controllers;
2. Try to import an image from the Red Hat registry:
`oc import-image jboss-webserver31-tomcat8-openshift:latest --from=registry.access.redhat.com/jboss-webserver-3/webserver31-tomcat8-openshift:latest --confirm -n install-test`
3. Check the image:
`oc describe istag jboss-webserver31-tomcat8-openshift:latest`
Actual results:
3. Can't import the image signature from the registry.
Expected results:
3. Should import the image signature from the registry.
Additional info:
Can you share the contents of your /etc/containers/registries.d directory? (filenames + contents)
w/ a redhat.yaml file in /etc/containers/registries.d with the following content:
    docker:
      registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
I was able to import the signatures:
    Image Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e
    Docker Image: registry.access.redhat.com/jboss-webserver-3/webserver31-tomcat8-openshift@sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e
    Name:         sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e
    Created:      30 seconds ago
    Annotations:  image.openshift.io/dockerLayersOrder=ascending
    Image Size:   204.8MB (first layer 74.92MB, last binary layer 44.87MB)
    Image Signatures:
        Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e@7955e42da12ab29746d0b18a6e92fd1f4fe68f39842dc377a86623e677149016
        Type:   AtomicImageV1
        Status: Unverified
    Image Signatures:
        Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e@aa244d390f5611242b06e3dc25a3e4e9fd3f59ff9a0dfb64f3cf7d3ed587f4de
        Type:   AtomicImageV1
        Status: Unverified
    Image Signatures:
        Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e@47763d5c2b59a8ced4548690aeb7ca252ebdfb043be9fc479436b77cef17f99b
        Type:   AtomicImageV1
        Status: Unverified
If you can share level 5 master logs that would also help.
Created attachment 1448570: controllers pod logs
    [root@qe-yinzhou-310-master-etcd-1 registries.d]# ll /etc/containers/registries.d/redhat.yaml
    -rw-r--r--. 1 root root 112 Jun 6 22:21 /etc/containers/registries.d/redhat.yaml
    [root@qe-yinzhou-310-master-etcd-1 registries.d]# cat /etc/containers/registries.d/redhat.yaml
    docker:
      registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
No other files in /etc/containers/registries.d?
With the default file /etc/containers/registries.d/default.yaml
Created attachment 1449843: new logs from controller
Ben: I created the env with Jenkins; not sure whether it is the same as https://bugzilla.redhat.com/show_bug.cgi?id=1506066?
And I can import the signature with 3.9.30.
If your master is running inside a container, then the /etc/containers/registries.d/redhat.yaml file needs to be present inside that container also. So I'm not sure what the Jenkins job does when creating an env, but it certainly sounds possible that the master controller process is not finding your redhat.yaml file, which contains the lookaside information for the signature retrieval. Also, I did not see the expected output in your logs, which makes me think that whatever openshift binary you replaced is not the one that is running the master (which again would make sense if your master is running inside a container).
`oc cluster up` was very different in 3.9, so if your cluster is based on `oc cluster up`, it may be that the configuration process has changed for this. Do you have access to a "traditional" 3.10 cluster where you can attempt signature imports? I suspect getting the correct lookaside configuration into a master running inside a container is going to be a bit tricky, unless the new cluster up rewrite supports mounting directories into the master container.
I tried to patch your cluster to mount the necessary config but I think it's not starting now. The PR to fix this is here: https://github.com/openshift/openshift-ansible/pull/8719
If you want to try to manually fix your cluster, you need to patch your /etc/origin/node/pods/controller.yaml w/ the hostpath mounts defined in that PR so that the /etc/containers/registries.d dir is mounted into the controller pod at the same path.
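Added illustration, not part of the original thread or of OpenShift's code: the sketch below resolves which sigstore applies to the image from this report using the redhat.yaml content quoted above, and returns `None` when the process sees no matching configuration, which is what a containerized controller without the registries.d mount would see. The most-specific-scope lookup and the `<base>/<repo path>@<algo>=<hex>/signature-N` URL layout are assumptions taken from the containers/image lookaside convention; the function names are hypothetical, and the parser handles only the simple nested form shown in the thread.

```python
# Added example (hypothetical helper names); not OpenShift or containers/image code.
# Values below are the redhat.yaml content, repository and digest quoted in the thread.
REDHAT_YAML = """\
docker:
  registry.access.redhat.com:
    sigstore: https://access.redhat.com/webassets/docker/content/sigstore
"""
REPO = "registry.access.redhat.com/jboss-webserver-3/webserver31-tomcat8-openshift"
DIGEST = "sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e"

def parse_sigstores(text):
    """Return {scope: sigstore_url} for entries under the top-level 'docker:' key."""
    scopes, section, scope = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                      # top-level key: docker / default-docker
            section, scope = line.rstrip(":"), None
        elif section == "docker" and line.endswith(":"):
            scope = line[:-1]                # registry host or host/namespace
        elif section == "docker" and scope and line.startswith("sigstore:"):
            scopes[scope] = line.split(":", 1)[1].strip()
    return scopes

def find_sigstore(repo, scopes):
    """Assumed lookup order: full repository, then parent namespaces, then the host."""
    parts = repo.split("/")
    for n in range(len(parts), 0, -1):
        url = scopes.get("/".join(parts[:n]))
        if url:
            return url
    return None  # nothing configured, or the file is not visible to this process

def signature_url(repo, digest, scopes, index=1):
    """URL of the index-th signature for a host-qualified repo, or None."""
    base = find_sigstore(repo, scopes)
    if base is None:
        return None
    path = repo.split("/", 1)[1]             # hostname is not part of the URL path
    algo, hexdigest = digest.split(":", 1)
    return f"{base.rstrip('/')}/{path}@{algo}={hexdigest}/signature-{index}"

if __name__ == "__main__":
    print("config visible:", signature_url(REPO, DIGEST, parse_sigstores(REDHAT_YAML)))
    print("config missing:", signature_url(REPO, DIGEST, parse_sigstores("")))
```

Running the same lookup against the files actually present under /etc/containers/registries.d inside the controller container shows whether the lookaside configuration reached the process that performs the import.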
Confirmed with openshift, the issue has been fixed:
openshift v3.10.0-0.67.0
    [root@qe-yinzhou-310-master-etcd-1 home]# oc describe istag jboss-webserver31-tomcat8-openshift:latest -n install-test
    Image Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e
    Docker Image: registry.access.redhat.com/jboss-webserver-3/webserver31-tomcat8-openshift@sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e
    Name:         sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e
    Created:      14 minutes ago
    Annotations:  image.openshift.io/dockerLayersOrder=ascending
    Image Size:   204.8MB (first layer 74.92MB, last binary layer 44.87MB)
    Image Signatures:
        Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e@7955e42da12ab29746d0b18a6e92fd1f4fe68f39842dc377a86623e677149016
        Type:   AtomicImageV1
        Status: Unverified
    Image Signatures:
        Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e@aa244d390f5611242b06e3dc25a3e4e9fd3f59ff9a0dfb64f3cf7d3ed587f4de
        Type:   AtomicImageV1
        Status: Unverified
    Image Signatures:
        Name:   sha256:29470583ce1511dbbe8e2552b7f0278d0d74595c42a00632cd23fda1ffab361e@47763d5c2b59a8ced4548690aeb7ca252ebdfb043be9fc479436b77cef17f99b
        Type:   AtomicImageV1
        Status: Unverified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816