1897577 – Build with "forcePull: true" fails with global pull secret

Bug 1897577 - Build with "forcePull: true" fails with global pull secret

Summary: Build with "forcePull: true" fails with global pull secret

Keywords:
Status:	CLOSED DUPLICATE of bug 1883803
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Build
Sub Component:
Version:	4.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Adam Kaplan
QA Contact:	XiuJuan Wang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-13 13:58 UTC by Robert Heinzmann
Modified:	2020-11-13 14:27 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-13 14:27:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Robert Heinzmann 2020-11-13 13:58:59 UTC

Description of problem:

Using the global pull secret feature available in 4.5++, BuildConfig builds from private docker hub repo fails if the BuildConfig specifies "forcePull: true". Without "forcePull: true" the build works.

Version-Release number of selected component (if applicable):

OCP 4.5.7

How reproducible:

Steps to Reproduce:

1. Create account and private repo on Dockerhub (e.g. copy ubuntu:16.04)
2. Configure global pull secret for docker.io with access to the private repo [1] 
3. Create Image Stream and BuildConfig (config see below)
4. Start the build

[1] https://docs.openshift.com/container-platform/4.5/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets

~~~
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myapp
  namespace: dockerhub
spec:
  lookupPolicy:
    local: true
---
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: myapp
  namespace: dockerhub
spec:
  failedBuildsHistoryLimit: 1
  nodeSelector: null
  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    binary: {}
    type: Binary
  strategy:
    dockerStrategy:
      forcePull: true
      from:
        kind: DockerImage
        name: docker.io/privatetestrepo/myubuntu:16.04
    type: Docker
  successfulBuildsHistoryLimit: 3
  triggers:
  - type: ConfigChange
~~~

Dockerfile

~~~
[stack@osp16 upi]$ cat builddir/Dockerfile 
FROM OverwrittenAnyway
USER 0
RUN touch /test
USER 1001
~~~


Actual results:

~~~
[stack@osp16 upi]$ oc start-build --build-loglevel=9 myapp --wait --follow --from-dir=builddir/
WARNING: Specifying --build-loglevel with binary builds is not supported.
WARNING: Specifying environment variables with binary builds is not supported.
Uploading directory "builddir" as binary input for the build ...

Uploading finished
build.build.openshift.io/myapp-8 started
Receiving source from STDIN as archive ...
Replaced Dockerfile FROM image Overwritten
Caching blobs under "/var/cache/blobs".

Pulling image docker.io/privatetestrepo/myubuntu:16.04 ...
Getting image source signatures
Copying blob sha256:04feeed388b71fdca5cc3bce619d65a34f8a1a3e5b0ef03f8392d499970818eb
Copying blob sha256:903d0ffd64f6ca1355d2b2df702fc674f5663981dfd100fe4588fb390dd3382c
Copying blob sha256:4f53fa4d2cf0e29c6a522433e0ac71a7ce0fdab158481052b2198b5518b83248
Copying blob sha256:6af7c939e38e8e3160fbbdcc26a32669529b962c79f7337df0a26bf0e9a76d59
Copying config sha256:096efd74bb89d5ec92cb3a61c79cf8ceab00c135b7d3ef2715215bdabf84de9c
Writing manifest to image destination
Storing signatures
STEP 1: FROM docker.io/privatetestrepo/myubuntu:16.04
error: build error: error creating build container: Error initializing source docker://privatetestrepo/myubuntu:16.04: Error reading manifest 16.04 in docker.io/privatetestrepo/myubuntu: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
error: the build dockerhub/myapp-8 status is "Failed"
~~~


Expected results:

Successful build like the following (without force):

~~~
[stack@osp16 upi]$ oc start-build --build-loglevel=9 myapp --wait --follow --from-dir=builddir/
WARNING: Specifying --build-loglevel with binary builds is not supported.
WARNING: Specifying environment variables with binary builds is not supported.
Uploading directory "builddir" as binary input for the build ...

Uploading finished
build.build.openshift.io/myapp-9 started
Receiving source from STDIN as archive ...
Replaced Dockerfile FROM image Overwritten
Caching blobs under "/var/cache/blobs".

Pulling image docker.io/privatetestrepo/myubuntu:16.04 ...
Getting image source signatures
Copying blob sha256:903d0ffd64f6ca1355d2b2df702fc674f5663981dfd100fe4588fb390dd3382c
Copying blob sha256:6af7c939e38e8e3160fbbdcc26a32669529b962c79f7337df0a26bf0e9a76d59
Copying blob sha256:04feeed388b71fdca5cc3bce619d65a34f8a1a3e5b0ef03f8392d499970818eb
Copying blob sha256:4f53fa4d2cf0e29c6a522433e0ac71a7ce0fdab158481052b2198b5518b83248
Copying config sha256:096efd74bb89d5ec92cb3a61c79cf8ceab00c135b7d3ef2715215bdabf84de9c
Writing manifest to image destination
Storing signatures
STEP 1: FROM docker.io/privatetestrepo/myubuntu:16.04
STEP 2: USER 0
time="2020-11-13T13:39:32Z" level=info msg="Image operating system mismatch: image uses OS \"\"+architecture \"\", expecting one of \"linux+amd64\""
--> bc27ce54b53
STEP 3: RUN touch /test
time="2020-11-13T13:39:32Z" level=info msg="Image operating system mismatch: image uses OS \"\"+architecture \"\", expecting one of \"linux+amd64\""
--> 0d93f04863b
STEP 4: USER 1001
time="2020-11-13T13:39:33Z" level=info msg="Image operating system mismatch: image uses OS \"\"+architecture \"\", expecting one of \"linux+amd64\""
--> f65cfd48bad
STEP 5: ENV "OPENSHIFT_BUILD_NAME"="myapp-9" "OPENSHIFT_BUILD_NAMESPACE"="dockerhub"
time="2020-11-13T13:39:33Z" level=info msg="Image operating system mismatch: image uses OS \"\"+architecture \"\", expecting one of \"linux+amd64\""
--> 3198cf5bcd5
STEP 6: LABEL "io.openshift.build.name"="myapp-9" "io.openshift.build.namespace"="dockerhub"
STEP 7: COMMIT temp.builder.openshift.io/privatetestrepo/myapp-9:a5f79c70
time="2020-11-13T13:39:33Z" level=info msg="Image operating system mismatch: image uses OS \"\"+architecture \"\", expecting one of \"linux+amd64\""
--> ef6093cf683
ef6093cf683963a933ecb27ccc83e8e710eff5175ef0d8cccbc67a33267ab1d2

Pushing image image-registry.openshift-image-registry.svc:5000/dockerhub/myapp:latest ...
Getting image source signatures
Copying blob sha256:4f53fa4d2cf0e29c6a522433e0ac71a7ce0fdab158481052b2198b5518b83248
Copying blob sha256:04feeed388b71fdca5cc3bce619d65a34f8a1a3e5b0ef03f8392d499970818eb
Copying blob sha256:6af7c939e38e8e3160fbbdcc26a32669529b962c79f7337df0a26bf0e9a76d59
Copying blob sha256:903d0ffd64f6ca1355d2b2df702fc674f5663981dfd100fe4588fb390dd3382c
Copying blob sha256:02a5bf51d28851d8ea6a3f1680119258e79c14e4fe76020e8b1d476bb8f8dcc9
Copying config sha256:ef6093cf683963a933ecb27ccc83e8e710eff5175ef0d8cccbc67a33267ab1d2
Writing manifest to image destination
Storing signatures
Successfully pushed image-registry.openshift-image-registry.svc:5000/dockerhub/myapp@sha256:36e6c142b88a3ccd52eae44bedbafcd7e01a8b87fa5bdf04e8ac99452f0b72fb
Push successful

~~~

Additional info:

- Build from Image Stream works (pull through and pull source)
- Deployment works
- Image import works
- Build without force works

Comment 1 Adam Kaplan 2020-11-13 14:27:43 UTC


*** This bug has been marked as a duplicate of bug 1883803 ***

Note You need to log in before you can comment on or make changes to this bug.