`oc import-image` cannot import an images by manifest lists' digests. Steps to reproduce: $ oc tag docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 ubuntu:latest Tag ubuntu:latest set to docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90. 562.95 ms $ oc import-image ubuntu:latest error: tag failed: Internal error occurred: content integrity error: the schema 2 manifest retrieved with digest sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 does not match the digest calculated from the content sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0 Actual result: content integrity error Expected result: The image is successfully imported.
Closing this bug due to current engineering priorities, severity, availability of suitable workarounds and lack of customer cases. If this should be addressed, please reopen and provide additional details.
This needs to be fixed, see https://projects.engineering.redhat.com/browse/CLOUDBLD-1167 for the motivation. tldr: OLM operators use digests for everything, and they use manifestlists to support multiarch, so they definitely use manifestlist by digest/sha references. They may not always use imagestreams today, but clearly at least one of them does and with all these manifestlist sha references floating around i'd expect this to become a common issue.
Verified on below version: $ oc version Client Version: 4.6.0-0.nightly-2020-07-14-035247 Server Version: 4.6.0-0.nightly-2020-07-16-211200 Kubernetes Version: v1.18.3+ada98f4 $ oc tag docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 ubuntu:latest Tag ubuntu:latest set to docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90. $ oc import-image ubuntu:latest imagestream.image.openshift.io/ubuntu imported Name: ubuntu Namespace: wzheng1 Created: 9 seconds ago Labels: <none> Annotations: openshift.io/image.dockerRepositoryCheck=2020-07-17T07:35:12Z Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/ubuntu Image Lookup: local=false Unique Images: 1 Tags: 1 latest tagged from docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 * docker.io/library/ubuntu@sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0 9 seconds ago Image Name: ubuntu:latest Docker Image: docker.io/library/ubuntu@sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0 Name: sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0 Created: Less than a second ago Annotations: image.openshift.io/dockerLayersOrder=ascending Image Size: 26.73MB in 4 layers Layers: 26.69MB sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a 35.37kB sha256:251f5509d51d9e4119d4ffb70d4820f8e2d7dc72ad15df3ebd7cd755539e40fd 848B sha256:8e829fe70a46e3ac4334823560e98b257234c23629f19f05460e21a453091e6d 162B sha256:6001e1789921cf851f6fb2e5fe05be70f482fe9c2286f66892fe5a3bc404569c Image Created: 11 months ago Author: <none> Arch: amd64 Command: /bin/bash Working Dir: <none> User: <none> Exposes Ports: <none> Docker Labels: <none> Environment: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Can this fix can be backported to the other supported versions of OCP (e.g. 3.11+) as well? Otherwise products that need this fix may need to drop support for older supported versions of OCP!
This fix would be especially helpful for OCP 4+ where OperatorHub is supported since many products use manifest lists in their OLM files to identify specific image builds.
It is backported to 4.5.5, we also will backport it to 4.4. It's unlikely that we'll be able to backport it to 4.3 before its EOL.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196