Bug 1825565 - oc refuses to mirror unless at least one of --apply-release-image-signature, --release-image-signature-to-dir, or --to-dir is set
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.5.0
Assignee: W. Trevor King
QA Contact: Johnny Liu
Reported: 2020-04-18 23:57 UTC by Stephen Benjamin
Modified: 2020-07-13 17:28 UTC (History)
Doc Type: No Doc Update
Last Closed: 2020-07-13 17:28:40 UTC

Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Github | openshift oc pull 392 | 0 | None | closed | Bug 1825565: pkg/cli/admin/release/mirror: Allow --apply-release-image-signature and --release-image-signature-to-dir | 2021-02-10 09:25:06 UTC |
| Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:28:54 UTC |

Description Stephen Benjamin 2020-04-18 23:57:58 UTC
Description of problem:

https://github.com/openshift/oc/pull/343 introduces a bunch of options to handle release image signatures.

The e2e-metal-ipi job is now broken, as it does a disconnected install.


Version-Release number of selected component (if applicable):

Latest CI build since Friday

How reproducible:
Always

Steps to Reproduce:
1. Try to mirror a release to a local registry:

```
oc adm release mirror --insecure=true -a combined-pullsecret--gyUsq8fVYL --from registry.svc.ci.openshift.org/ci-op-hmxpdxpw/release@sha256:7d9cc5731a84efab3c59fe66a81a66ec1d3e386183b383f905d0efc71dd6f161 --to-release-image virthost.ostest.test.metalkube.org:5000/localimages/local-release-image:7d9cc5731a84efab3c59fe66a81a66ec1d3e386183b383f905d0efc71dd6f161 --to virthost.ostest.test.metalkube.org:5000/localimages/local-release-image
```


Actual results:

error: if --to-dir and --apply-release-image-signature are not specified, --release-image-signature-to-dir must be used to specify a directory to export the signature

Expected results:

Ideally the old command would always work, possibly exporting the config map to `$PWD`. This would make the change backwards-compatible and not require us to do something special in 4.5 with our automation.

Additional info:

This whole change is problematic to deal with because `oc version --client -o json` doesn't give you an easily comparable version. Even if we parse the `releaseClientVersion`, I don't believe this was in 4.3 or 4.4 -- the output of `oc version` has changed.
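
One way automation can sidestep the version-comparison problem raised under "Additional info", shown as an added example that is not part of the original report or of the oc code base: probe the client's help text for the new flag instead of parsing `oc version`. The function name `signature_args`, the `./signatures` directory and the help excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick signature flags by feature detection, so the same
# script works with clients that predate the signature options and with
# builds that insist on one of them.

# signature_args HELP_TEXT SIG_DIR
# Prints the extra argument to append to `oc adm release mirror`,
# or nothing when the client does not know the flag.
signature_args() {
  sa_help=$1
  sa_dir=$2
  # A client without the flag would reject it as unknown, so only emit it
  # when the help text advertises it.
  if printf '%s\n' "$sa_help" | grep -qF -- '--release-image-signature-to-dir'; then
    printf '%s\n' "--release-image-signature-to-dir=$sa_dir"
  fi
}

# Constructed help excerpts (not real oc output), one per client generation.
HELP_OLD='      --from: constructed description
      --to: constructed description
      --to-release-image: constructed description'
HELP_NEW="$HELP_OLD
      --apply-release-image-signature: constructed description
      --release-image-signature-to-dir: constructed description"

# Real use (requires oc on PATH; "..." stands for the site's own values):
#   extra=$(signature_args "$(oc adm release mirror --help 2>&1)" ./signatures)
#   oc adm release mirror --from=... --to=... --to-release-image=... $extra
```

Exporting the signature whenever the flag exists also keeps the signature available to the disconnected environment on clients where the flag is optional.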

Comment 2 W. Trevor King 2020-04-19 04:18:22 UTC
> Ideally the old command would always work, possibly exporting the config map to `$PWD`.

If --to-dir, --release-image-signature-to-dir, and --apply-release-image-signature are all unset, oc should probably just do nothing about the signature.

Comment 6 Johnny Liu 2020-04-22 09:57:23 UTC
Reproduced this bug with 4.5.0-202004201837-2039c60.

```
[root@preserve-jialiu-ansible ~]# oc version
Client Version: 4.5.0-202004201837-2039c60

[root@preserve-jialiu-ansible ~]# oc adm release mirror --from=registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-21-103613 --to=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release --to-release-image=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release:4.5.0-0.nightly-2020-04-21-103613
error: if --to-dir and --apply-release-image-signature are not specified, --release-image-signature-to-dir must be used to specify a directory to export the signature
```

Fixed in 4.5.0-0.nightly-2020-04-21-075048

```
[root@preserve-jialiu-ansible ~]# oc version
Client Version: 4.5.0-0.nightly-2020-04-21-075048

[root@preserve-jialiu-ansible ~]# oc adm release mirror --from=registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-21-103613 --to=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release --to-release-image=upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release:4.5.0-0.nightly-2020-04-21-103613
info: Mirroring 111 images to upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release ...
upshift.mirror-registry.qe.devcluster.openshift.com:5000/
  ocp/release
    manifests:
<--snip-->
info: Mirroring completed in 1.04s (0B/s)

Success
Update image:  upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release:4.5.0-0.nightly-2020-04-21-103613
Mirror prefix: upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release

To use the new mirrored repository to install, add the following section to the install-config.yaml:

imageContentSources:
- mirrors:
  - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
- mirrors:
  - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
  source: registry.svc.ci.openshift.org/ocp/release


To use the new mirrored repository for upgrades, use the following to create an ImageContentSourcePolicy:

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: example
spec:
  repositoryDigestMirrors:
  - mirrors:
    - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
  - mirrors:
    - upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release
    source: registry.svc.ci.openshift.org/ocp/release
```

Comment 7 errata-xmlrpc 2020-07-13 17:28:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409