Bug 1921049 - [RFE] Make mirror-by-digest-only option configurable through ImageContentSourcePolicy
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Ryan Phillips
QA Contact: MinLi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-27 12:59 UTC by Mario Vázquez
Modified: 2021-06-07 21:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-03 18:23:30 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift api issues 636 0 None closed Make mirror-by-digest-only option configurable through ImageContentSourcePolicy 2021-02-19 14:28:44 UTC
Red Hat Issue Tracker RFE-1608 0 Urgent Accepted Make mirror-by-digest-only option configurable through ImageContentSourcePolicy 2021-04-21 15:28:06 UTC
Red Hat Knowledge Base (Solution) 4817401 0 None None None 2021-06-07 21:24:00 UTC

Description Mario Vázquez 2021-01-27 12:59:27 UTC
Description of problem:

When working with disconnected environments, sometimes you need to define multiple ImageContentSourcePolicies, some of which are used by apps/manifests that don't use digests when pulling the images.

Currently, all configurations are added with the mirror-by-digest-only property set to true. It would be nice if this property could be configured using the ImageContentSourcePolicy.


Version-Release number of selected component (if applicable):

4.6.X but I believe it affects any 4.X release which supports ICSPs.

How reproducible:

Always.

Steps to Reproduce:
1. Create an ICSP
2. In the OCP nodes check the file /etc/containers/registries.conf
3. Registries will be configured with "mirror-by-digest-only = true"

Actual results:

Workloads using image tags rather than image digests will not pull the images from the mirror.

Expected results:

Workloads using image tags whose mirror has been configured with "mirror-by-digest-only = false" should be able to pull the image from that mirror.

Additional info:

https://github.com/openshift/api/issues/636

Comment 1 Stefan Schimanski 2021-01-27 13:31:06 UTC
To my knowledge the ImageContentSourcePolicies API is owned by node team. Moving over.

Comment 2 Dave Cain 2021-01-27 13:49:35 UTC
The current development preview version of the OpenShift Assisted Installer pulls images by tag, not by digest, which prevents installs initiated through it from proceeding.  Restricted network installations, which are ones that are not able to pull content from Red Hat registries (registry.redhat.io, quay.io) directly, are unable to proceed.  Setting /etc/containers/registries.conf via a machineconfig leveraging ImageContentSourcePolicies during installation appears to be overwritten by the MCO to be true, despite being set to false in the initial ignition.  The only workaround I found was to overwrite pulling by digest from true to false in registries.conf, which allows the installation to proceed.

We really need a way to overwrite this behavior.

Comment 5 Ryan Phillips 2021-03-03 18:23:30 UTC
Jira card for the RFE: https://issues.redhat.com/browse/RFE-676

Marking as closed.

Comment 7 Qi Wang 2021-06-07 21:24:01 UTC
*** Bug 1957337 has been marked as a duplicate of this bug. ***

