Bug 1874399 - [DR] etcd-member-recover.sh fails to pull image with unauthorized
Summary: [DR] etcd-member-recover.sh fails to pull image with unauthorized
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Etcd
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.3.z
Assignee: Suresh Kolichala
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-01 09:51 UTC by ge liu
Modified: 2020-10-20 21:56 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-20 21:56:10 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift machine-config-operator pull 2069 None closed Bug 1874399: Pull the image using authfile before creating the container layer 2020-11-11 05:17:31 UTC
Red Hat Product Errata RHSA-2020:4264 None None None 2020-10-20 21:56:31 UTC

Comment 9 Suresh Kolichala 2020-09-10 14:27:39 UTC
This should be considered a workaround to what appears to be a `podman` bug.

The image policy on openshift is set to pull `IfNotPresent` according to this document:
https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/image-pull-policy.html

But I just tested on the node to remove the active image, and reload it:

```
[core@ip-10-0-145-68 ~]$ podman image rm 9b1b15add376987b5a2d44659827c5cc3578a8821c4aa0cf014d1b7d42769406
Untagged: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483
Deleted: 9b1b15add376987b5a2d44659827c5cc3578a8821c4aa0cf014d1b7d42769406
[core@ip-10-0-145-68 ~]$ podman create  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483 --authfile=/tmp/config.json
Trying to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483...
  unauthorized: access to the requested resource is not authorized
Error: unable to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483: unable to pull image: Error initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483: Error reading manifest sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
[core@ip-10-0-145-68 ~]$ podman image pull  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483 --authfile=/tmp/config.json
Trying to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483...
Getting image source signatures
Copying blob c4d6733b50ad done  
Copying blob 74cbb6607642 done  
Copying blob 7ea9dfa937b6 done  
Copying blob c9fa7d57b902 done  
Copying blob 4c6d7ac7b28c done  
Copying config 9b1b15add3 done  
Writing manifest to image destination
Storing signatures
9b1b15add376987b5a2d44659827c5cc3578a8821c4aa0cf014d1b7d42769406
```

Comment 16 ge liu 2020-10-19 12:05:56 UTC
Verified with 4.3.40.

Comment 18 errata-xmlrpc 2020-10-20 21:56:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: OpenShift Container Platform 4.3.40 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4264


Note You need to log in before you can comment on or make changes to this bug.