Bug 1751258 - Import by digest doesn't work for manifest lists
Summary: Import by digest doesn't work for manifest lists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.6.0
Assignee: Ricardo Maraschini
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks: 1857128
TreeView+ depends on / blocked
 
Reported: 2019-09-11 14:17 UTC by Oleg Bulatov
Modified: 2020-10-27 15:54 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Bad managing on conversion from manifest list to manifest Consequence: Imports using digests on manifest lists were not taking place. Fix: We fixed the conversion by using the digest of the selected manifest inside the manifest list. Result: Imports by digest of manifest lists now works as expected.
Clone Of:
: 1857128 (view as bug list)
Environment:
Last Closed: 2020-10-27 15:54:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-apiserver pull 115 0 None closed Bug 1751258: Using manifest digest on manifest list import 2020-10-26 07:43:51 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 15:54:52 UTC

Description Oleg Bulatov 2019-09-11 14:17:51 UTC
`oc import-image` cannot import an images by manifest lists' digests.

Steps to reproduce:

$ oc tag docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 ubuntu:latest
Tag ubuntu:latest set to docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90.
562.95 ms
$ oc import-image ubuntu:latest
error: tag  failed: Internal error occurred: content integrity error: the schema 2 manifest retrieved with digest sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 does not match the digest calculated from the content sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0

Actual result:

content integrity error

Expected result:

The image is successfully imported.

Comment 1 Adam Kaplan 2020-04-17 13:20:13 UTC
Closing this bug due to current engineering priorities, severity, availability of suitable workarounds and lack of customer cases. If this should be addressed, please reopen and provide additional details.

Comment 2 Ben Parees 2020-05-20 15:57:27 UTC
This needs to be fixed, see https://projects.engineering.redhat.com/browse/CLOUDBLD-1167 for the motivation.

tldr:  OLM operators use digests for everything, and they use manifestlists to support multiarch, so they definitely use manifestlist by digest/sha references.  They may not always use imagestreams today, but clearly at least one of them does and with all these manifestlist sha references floating around i'd expect this to become a common issue.

Comment 8 Wenjing Zheng 2020-07-17 07:37:53 UTC
Verified on below version:
$ oc version
Client Version: 4.6.0-0.nightly-2020-07-14-035247
Server Version: 4.6.0-0.nightly-2020-07-16-211200
Kubernetes Version: v1.18.3+ada98f4

$ oc tag docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90 ubuntu:latest
Tag ubuntu:latest set to docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90.
$ oc import-image ubuntu:latest
imagestream.image.openshift.io/ubuntu imported

Name:			ubuntu
Namespace:		wzheng1
Created:		9 seconds ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2020-07-17T07:35:12Z
Image Repository:	image-registry.openshift-image-registry.svc:5000/wzheng1/ubuntu
Image Lookup:		local=false
Unique Images:		1
Tags:			1

latest
  tagged from docker.io/library/ubuntu@sha256:d1d454df0f579c6be4d8161d227462d69e163a8ff9d20a847533989cf0c94d90

  * docker.io/library/ubuntu@sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0
      9 seconds ago

Image Name:	ubuntu:latest
Docker Image:	docker.io/library/ubuntu@sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0
Name:		sha256:ca013ac5c09f9a9f6db8370c1b759a29fe997d64d6591e9a75b71748858f7da0
Created:	Less than a second ago
Annotations:	image.openshift.io/dockerLayersOrder=ascending
Image Size:	26.73MB in 4 layers
Layers:		26.69MB	sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a
		35.37kB	sha256:251f5509d51d9e4119d4ffb70d4820f8e2d7dc72ad15df3ebd7cd755539e40fd
		848B	sha256:8e829fe70a46e3ac4334823560e98b257234c23629f19f05460e21a453091e6d
		162B	sha256:6001e1789921cf851f6fb2e5fe05be70f482fe9c2286f66892fe5a3bc404569c
Image Created:	11 months ago
Author:		<none>
Arch:		amd64
Command:	/bin/bash
Working Dir:	<none>
User:		<none>
Exposes Ports:	<none>
Docker Labels:	<none>
Environment:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Comment 9 kliberti 2020-08-07 17:49:27 UTC
Can this fix can be backported to the other supported versions of OCP (e.g. 3.11+) as well? Otherwise products that need this fix may need to drop support for older supported versions of OCP!

Comment 10 kliberti 2020-08-07 18:44:34 UTC
This fix would be especially helpful for OCP 4+ where OperatorHub is supported since many products use manifest lists in their OLM files to identify specific image builds.

Comment 11 Oleg Bulatov 2020-09-24 12:06:20 UTC
It is backported to 4.5.5, we also will backport it to 4.4. It's unlikely that we'll be able to backport it to 4.3 before its EOL.

Comment 13 errata-xmlrpc 2020-10-27 15:54:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.