Bug 1953775 - The --apply-release-image-signature parameter is required for Restricted Network upgrades
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.7
Hardware: s390x
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.z
Assignee: Chinmayi Chandrasekhar
QA Contact: Johnny Liu
Docs Contact: Latha S
URL:
Whiteboard:
Depends On:
Blocks: ocp-48-z-tracker
Reported: 2021-04-26 22:45 UTC by Philip Chan
Modified: 2022-02-06 06:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-05 10:34:10 UTC
Target Upstream Version:
Embargoed:

Description Philip Chan 2021-04-26 22:45:13 UTC
Document URL: 
https://docs.openshift.com/container-platform/4.6/installing/install_config/installing-restricted-networks-preparations.html

Section Number and Name: 
Mirroring the OpenShift Container Platform image repository - Step 3 - Bullet 2 - "If the local container registry is connected to the mirror host, take the following actions:"

Describe the issue: 
As the current documentation is written for Restricted network installation, the command to mirror the release images to the local registry shows the same command for both an install and upgrade.

The restricted network installation will succeed with the current mirror example:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON}  \
     --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
     --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
     --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}

Using the same command to mirror a newer OCP release, such as 4.7.7 for example, will also succeed.  However, the command to upgrade will fail with "the image may not be safe to use".  

Command to upgrade:
$ oc adm upgrade --allow-upgrade-with-warnings --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}@sha256:9e0b967e4d50a518e4ffa680095a48c47a641c0e25bdc7799e0e04df2242871f
warning: The requested upgrade image is not one of the available updates.  You have used --allow-explicit-upgrade to the update to proceed anyway
Updating to release image bastion:5000/ocp4/openshift4@sha256:9e0b967e4d50a518e4ffa680095a48c47a641c0e25bdc7799e0e04df2242871f

Failure output:
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.6     True        True          4m48s   Unable to apply bastion:5000/ocp4/openshift4@sha256:9e0b967e4d50a518e4ffa680095a48c47a641c0e25bdc7799e0e04df2242871f: the image may not be safe to use

The current workaround is to use --force in the upgrade.  But instead, if we were to use the parameter "--apply-release-image-signature" when performing the step for the mirror command, the upgrade will succeed without the need to use --force.

Suggestions for improvement: Add the required parameter "--apply-release-image-signature".

Additional information: We have performed this test on 4.7.x and 4.8.x Restricted Install upgrades and have consistently seen "--apply-release-image-signature" is required.

Comment 1 Philip Chan 2021-04-27 16:28:17 UTC
Changing severity from urgent to high as this is not a blocker bug.  We have options to work around the issue.

Comment 2 Silke Niemann 2021-05-28 13:32:10 UTC
@Phil The documentation you are referring to was removed a few days ago and there's a brand new description: 

https://docs.openshift.com/container-platform/4.7/installing/installing-mirroring-installation-images.html#installing-mirroring-installation-images

Does that solve the problem?

Comment 3 Philip Chan 2021-06-02 18:48:58 UTC
@Silke I followed the latest 4.7 documentation for mirroring.  As it stands now, the disconnected installation will work using the given steps.  However, if I were to perform an upgrade, for example upgrading from OCP 4.7.12 to 4.7.13, the problem still persists:

[root@bastion ~]# oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.12    True        True          29m     Unable to apply bastion:5000/ocp4/openshift4@sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd: the image may not be safe to use

I had mirrored the version images to my internal registry without the "--apply-release-image-signature" parameter.  

In my opinion, there are two ways we can update the documentation to resolve this:
1) We write a separate paragraph that explains how you can upgrade.
2) We add a small bullet or note that states for an upgrade, please add --apply-release-image-signature to the mirror command:

oc adm release mirror -a ${LOCAL_SECRET_JSON} \
     --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
     --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
     --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} \
     --apply-release-image-signature

Open to other options too.

Thanks,
Phil

Comment 5 Johnny Liu 2021-12-20 02:25:55 UTC
Can someone paste the doc PR here?

In the present official doc, https://docs.openshift.com/container-platform/4.7/updating/updating-restricted-network-cluster.html, we already mention how to apply the image signature config map.

"""
If the local container registry and the cluster are connected to the mirror host, directly push the release images to the local registry and apply the config map to the cluster by using following command:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
  --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-signature
"""

"""
Creating the config map for image signature verification by using the oc CLI
"""

"""
Creating an image signature config map manually
"""

So personally I think the official doc looks good; no change is needed. Is anything missing?
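
A pre-flight check for the failure mode this report describes, added here as an example (it is not code from the bug report, the reporter, or the OpenShift docs). It assumes the signature config map layout the docs describe for manual creation: namespace openshift-config-managed, label release.openshift.io/verification-signatures, and a data key of the form sha256-<digest>-1; the cluster query needs a logged-in `oc`.

```shell
#!/bin/sh
# Before running `oc adm upgrade --to-image <pullspec>` on a restricted-network
# cluster, confirm that the mirror step actually applied the release image
# signature. If it did not, the CVO refuses the image with "the image may not
# be safe to use"; the right fix is to re-run the mirror with
# --apply-release-image-signature, not to upgrade with --force.
#
# Assumed (per the docs' manual config map format): the signature is stored in
# a ConfigMap in openshift-config-managed, labelled
# release.openshift.io/verification-signatures, under key sha256-<digest>-1.

# Print the hex digest from a pull spec such as
# bastion:5000/ocp4/openshift4@sha256:<64 hex chars>; fail on anything else
# (for example a tag-based pull spec, which carries no digest at all).
digest_from_pullspec() {
    case "$1" in
        *@sha256:*) ;;
        *) return 1 ;;
    esac
    digest=${1##*@sha256:}
    # A sha256 digest is exactly 64 lowercase hex characters.
    printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s\n' "$digest"
}

# The config map data key the CVO looks up for a given release digest.
signature_key_for() {
    d=$(digest_from_pullspec "$1") || return 1
    printf 'sha256-%s-1\n' "$d"
}

# Ask the cluster whether a signature for the target image has been applied.
# Returns 0 when found, 1 otherwise. Requires a logged-in `oc`.
signature_present() {
    key=$(signature_key_for "$1") || { echo "bad pull spec: $1" >&2; return 1; }
    oc get configmap -n openshift-config-managed \
        -l release.openshift.io/verification-signatures -o json \
        | grep -q "\"$key\":"
}

# Gate the upgrade on the signature check.
preflight_upgrade() {
    if signature_present "$1"; then
        echo "signature found for $1; safe to run: oc adm upgrade --to-image $1"
    else
        echo "no signature config map for $1; re-run oc adm release mirror" \
             "with --apply-release-image-signature instead of using --force" >&2
        return 1
    fi
}
```

Run `preflight_upgrade "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}@sha256:<digest>"` with the same pull spec you intend to pass to `oc adm upgrade --to-image`.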

Comment 7 Chinmayi Chandrasekhar 2021-12-31 06:11:46 UTC
PR: https://github.com/openshift/openshift-docs/pull/40174

Comment 8 Johnny Liu 2022-01-04 04:39:04 UTC
After reviewing https://github.com/openshift/openshift-docs/pull/40174, it seems no update is needed, for the reason mentioned in comment 5: for customers who are mirroring images and upgrading the cluster, the detailed steps about image signatures are already described in https://docs.openshift.com/container-platform/4.7/updating/updating-restricted-network-cluster.html. https://docs.openshift.com/container-platform/4.6/installing/install_config/installing-restricted-networks-preparations.html is for a fresh install, not an upgrade.

Comment 9 Chinmayi Chandrasekhar 2022-01-05 10:33:03 UTC
(In reply to Chinmayi Chandrasekhar from comment #7)
> PR: https://github.com/openshift/openshift-docs/pull/40174

Wrong PR. The bug does not require any changes - can be closed.

Comment 10 Chinmayi Chandrasekhar 2022-01-05 10:33:42 UTC
(In reply to Chinmayi Chandrasekhar from comment #6)
> PR:
> https://github.com/openshift/openshift-docs/compare/main...chinmayi-
> chandrasekar:BZ1953775_add_required_parameter_for_network_upgrade?expand=1

Wrong PR. The bug does not require any changes - can be closed.
