Description of problem:
Image signature only has one docker registry reference, but two references are needed.
Since docker is being phased out in favor of podman, perhaps this should be cloned to podman and closed under docker?
Version-Release number of selected component (if applicable):
docker 1.13.1-96
How reproducible:
100%
Steps to Reproduce:
# gpg --gen-key
# gpg --armor --export --output sample.gpg sample
# docker pull busybox
# docker tag <busybox_image_id> <registry-route>/sample/busy:latest
# atomic sign <registry-route>/sample/busy:latest --sign-by sample
# docker push <registry_route>/sample/busy:latest
Verifying image signature:
# oc adm verify-image-signature sha256:fce9305a943acdc5539ea217c7fc6fa176af8fcc5efe16c5db82972326ddc7b6 --expected-identity <registry_route>/sample/busy:latest --public-key /etc/pki/containers/sample.gpg
The image signature verification is only working with the registry route, not with the registry service hostname or registry service IP.
And I am not able to deploy the application, as the image stream points to the registry service hostname.
~~~
# cat /etc/sysconfig/atomic-openshift-master-api
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
~~~
If I am building an image outside the OCP cluster, signing it with the route and pushing it to the registry, then in this scenario I am not able to deploy the application.
Actual results:
Failed to pull image "docker-registry.default.svc:5000/<project-name>/<image-name>@sha256:73ff953fe0b4f6e57cd2c525efc5746bb3d5185cf4de0899acdea218790a8711": rpc error: code = Unknown desc = docker-registry.default.svc:5000/<project-name>/<image-name>@sha256:73ff953fe0b4f6e57cd2c525efc5746bb3d5185cf4de0899acdea218790a8711 isn't allowed: Signature for identity docker-registry-default.example.com/<project-name>/<image-name>:1.0.0-SNAPSHOT.98 is not accepted-
Expected results:
The ability to sign with two registry hostnames
Additional info:
How can 2 references be used?
https://github.com/containers/image/blob/master/docs/atomic-signature-embedded-json.json#L41
https://github.com/containers/image/blob/master/docs/containers-signature.5.md#criticalidentitydocker-reference
How does our registry do this for registry.access.redhat.com and registry.redhat.io?
The primary answer is that you can create two or more signatures for a single image, for example
> skopeo copy --sign-by <key> docker://<original-image-source> docker://<name1>
> skopeo copy --sign-by <key> docker://<name1> docker://<name2>
> skopeo copy --sign-by <key> docker://<name1> docker://<name3>
> …
(where the <name1/2/3…> references may point to the same physical registry.)
I’m afraid right now there is a known problem in OpenShift: (oc adm verify-image-signature) won’t verify one of the signatures when there is another one with an unrecognized identity (part of bug#1705984); that problem should not prevent nodes from enforcing policy.json correctly.
Another option is to configure policy.json on all nodes to expect one of the names when accessing images designated by the other names; see exactReference / exactRepository in https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md. That’s likely to be rather cumbersome right now.
(Note that (oc adm verify-image-signature) does not use policy.json, though.)
To an extent, though, I’d like to push against the idea that it’s a good practice to reference the registry by many different host names, especially the IP address. It’s reasonable to have an internal and external host name for the same service, but the IP address suggestion baffles me (although I don’t know _that much_ about OpenShift internals); you wouldn’t expect contacting www.google.com via the IP address of one of the servers directly as https://<ip> to work… Simplifying the set of used names might well be a part of the solution.
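The policy.json approach mentioned above, written out as an added example (not from the bug report or from the containers/image project): nodes pulling by the internal service name are told to accept signatures whose identity is the external route name. The hostnames, the key path and the sample/busy repository are taken from this report; the exact repository names are placeholders for the real project and image names.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "docker-registry.default.svc:5000/sample/busy": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/sample.gpg",
          "signedIdentity": {
            "type": "exactRepository",
            "dockerRepository": "docker-registry-default.example.com/sample/busy"
          }
        }
      ],
      "docker-registry-default.example.com/sample/busy": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/sample.gpg",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    }
  }
}
```

The pull in the error message above is by digest while the signature identity carries a tag, so an identity rule requiring an exact reference match would still reject it; exactRepository and matchRepository compare only the repository part, which is why they are used here. Every node that pulls through the service hostname needs this policy, since the policy is evaluated by the node, not by the registry.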
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:1796