Description of problem: Several operators are not supported in disconnected clusters because they don't reference the images by digest [1]. As it's possible to do some configurations to the registries creating a file in the `/etc/containers/registries.conf.d/` directory [2] with a MachineConfig, test the configuration of registries with the `mirror-by-digest-only = false` that way. Version-Release number of selected component (if applicable): 4.6 and newer versions How reproducible: Create a configuration file for a mirror with `mirror-by-digest-only = false` in `/etc/containers/registries.conf.d/` Actual results: It's needed to test that configuration for potential issues. Expected results: Be able to configure registries with the `mirror-by-digest-only = false` option. Additional info: It is possible to configure the `unqualified-search-registries` this way in OCP 4.x. Also, starting with OCP 4.7, it can be configured using the `image.config.openshift.io` resource [2]. [1] https://access.redhat.com/articles/4740011 [2] https://access.redhat.com/solutions/5063741
I don't believe this is a blocker
There's an RFE for allowing mirror-by-digest=false https://bugzilla.redhat.com/show_bug.cgi?id=1921049. Close this bug since it's a duplicate. *** This bug has been marked as a duplicate of bug 1921049 ***
@oarribas I have tested the `mirror-by-digest-only = false` in `/etc/containers/registries.conf.d/` in 4.6 and 4.7. For the answer to the question posted in slack [1], this feature is supported. If this configuration is necessary for the customer right now, we can document it as a workaround. Steps to confirm it: 1. Change the cluster configuration using mco. The mirror configuration I used as below ``` unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io", "quay.io"] [[registry]] prefix = "" location = "docker.io/library/alpine" mirror-by-digest-only = false [[registry.mirror]] location = "mirror.gcr.io/library/alpine" ``` 2. Use podman to pull the image without digest and check the log to make sure the mirror was used. podman --log-level debug pull docker.io/library/alpine DEBU[0000] GET https://mirror.gcr.io/v2/library/alpine/blobs/sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b DEBU[0000] Detected compression format gzip DEBU[0000] Using original blob without modification Copying blob 5843afab3874 done [1]https://coreos.slack.com/archives/CK1AE4ZCK/p1618999300078300
@sbelmasg Override `mirror-by-digest-only = true` under `/etc/containers/registries.conf.d works as expected. We can document it as a workaround if customers really need it. Do you responsible for the support exception or do I need to contact someone for documenting this?
@sbelmasg @oarribas do you think we can close this bugzilla?
ok on my side, thanks.
@oarribas Yes. The KCS is ok for me. Please also point out the possible limitations of using this workaround. To pull images from mirror registries without the digest specifications, this could lead to returning different image version from different registry if the image tag mapping is out of sync. But the OpenShift core required image using digests to avoid different versions won't consume this feature at all, so it is not exposed to the risks that anyone who actually uses the feature will be exposed to.