Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1874399

Summary: [DR] etcd-member-recover.sh fails to pull image with unauthorized
Product: OpenShift Container Platform Reporter: ge liu <geliu>
Component: EtcdAssignee: Suresh Kolichala <skolicha>
Status: CLOSED ERRATA QA Contact: ge liu <geliu>
Severity: high Docs Contact:
Priority: high    
Version: 4.3.0CC: gtinsley, jcharles, sbatsche, sttts, wsun
Target Milestone: ---Keywords: CustomerScenariosInitiative, Regression
Target Release: 4.3.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-20 21:56:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 9 Suresh Kolichala 2020-09-10 14:27:39 UTC 
This should be considered a workaround to what appears to be a `podman` bug.

The image policy on openshift is set to pull `IfNotPresent` according to this document:
https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/image-pull-policy.html

But I just tested on the node to remove the active image, and reload it:

```
[core@ip-10-0-145-68 ~]$ podman image rm 9b1b15add376987b5a2d44659827c5cc3578a8821c4aa0cf014d1b7d42769406
Untagged: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483
Deleted: 9b1b15add376987b5a2d44659827c5cc3578a8821c4aa0cf014d1b7d42769406
[core@ip-10-0-145-68 ~]$ podman create  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483 --authfile=/tmp/config.json
Trying to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483...
  unauthorized: access to the requested resource is not authorized
Error: unable to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483: unable to pull image: Error initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483: Error reading manifest sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
[core@ip-10-0-145-68 ~]$ podman image pull  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483 --authfile=/tmp/config.json
Trying to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4f1964349e1bd7153860ce8d670bd55ba8773e928bcd0b4917f0d56919113483...
Getting image source signatures
Copying blob c4d6733b50ad done  
Copying blob 74cbb6607642 done  
Copying blob 7ea9dfa937b6 done  
Copying blob c9fa7d57b902 done  
Copying blob 4c6d7ac7b28c done  
Copying config 9b1b15add3 done  
Writing manifest to image destination
Storing signatures
9b1b15add376987b5a2d44659827c5cc3578a8821c4aa0cf014d1b7d42769406
```
Comment 16 ge liu 2020-10-19 12:05:56 UTC 
Verified with 4.3.40.
Comment 18 errata-xmlrpc 2020-10-20 21:56:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: OpenShift Container Platform 4.3.40 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4264