I am able to reproduce this issue - the logic in `oc new-build` seems to require images to have an image spec in the format `<hostname>/<user>/<imagename>:<tag>`, which is too restrictive. The Docker v2 and OCI image specifications allow any path depth in an image pull spec. As a work-around, you can do the following: 1. Use `oc tag --source=docker` to create an imagestream referencing the image: $ oc tag --source=docker privateregistry:5000/path/to/image:tag myproject/image:tag 2. Run `oc new-build --dockerfile` referencing the imagestream tag's short name: ``` $ oc new-build --name testapp --to testapp --dockerfile='FROM myproject/image:tag \nRUN echo "Hello world!" \nCMD [ "/bin/bash" ]' ``` This will successfully create a BuildConfig that references the imagestream tag from before. Steps to reproduce this bug: 1. In the OpenShift developer console, create an application from the Docker distribution container image (`docker.io/registry:v2`). Click the checkbox to create a route for the application. 2. In the OpenShift admin console, edit the created route so that TLS is enabled with "edge" termination: ```yaml spec: ... tls: termination: edge ``` This will ensure you have a valid Docker container registry up and running (note this is not the internal registry). Record the hostname of the registry. 3. Use skopeo to copy the ubi8 image to the docker/distribution container registry running in the cluster, with a path that is more than two levels deep. Disable tls verification at the destination unless the ingress operator is configured to use globally trusted certificates. ``` $ skopeo copy docker://registry.access.redhat.com/ubi8/ubi:latest docker://<registry-hostname>/registry/redhat/ubi8/ubi:latest --dest-tls-verify=false ``` 4. Try to use `oc new-build` with an inline Dockerfile that references the image copied by skopeo: ``` $ oc new-build --name testapp --to testapp --dockerfile='FROM <registry-hostname>/registry/redhat/ubi8/ubi:latest \nRUN echo "Hello world!" \nCMD [ "/bin/bash" ]' ``` Result (with --loglevel=5): ``` I0622 12:18:23.392830 92987 newapp.go:648] Docker client did not respond to a ping: Get "http://unix.sock/_ping": dial unix /var/run/docker.sock: connect: no such file or directory I0622 12:18:23.393033 92987 imagestreamlookup.go:49] image streams must be of the form [<namespace>/]<name>[:<tag>|@<digest>], term "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" did not qualify I0622 12:18:23.393061 92987 dockerimagelookup.go:88] checking remote registry for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" I0622 12:18:23.479395 92987 dockerimagelookup.go:281] Adding container image "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" (tag "latest"), 272209f, from docker-registry-test-newbuild.apps-crc.testing, 79.630mb as component match for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" with score 0 I0622 12:18:23.479415 92987 dockerimagelookup.go:94] Found remote match docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest I0622 12:18:23.479425 92987 resolve.go:190] Code [] I0622 12:18:23.479434 92987 resolve.go:191] Components [docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest] I0622 12:18:23.479457 92987 newapp.go:435] found group: docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest I0622 12:18:23.479463 92987 newapp.go:444] will add "" secrets into a build for a source build of "" I0622 12:18:23.479469 92987 newapp.go:449] will add "" configMaps into a build for a source build of "" I0622 12:18:23.479478 92987 newapp.go:474] will use "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" as the base image for a source build of "" --> Found container image 272209f (2 weeks old) from docker-registry-test-newbuild.apps-crc.testing for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" Red Hat Universal Base Image 8 ------------------------------ The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly. Tags: base rhel8 * An image stream tag will be created as "redhat/ubi8/ubi:latest" that will track the source image * A Docker build using a predefined Dockerfile will be created * The resulting image will be pushed to image stream tag "ubi8-test:latest" * Every time "redhat/ubi8/ubi:latest" changes a new build will be triggered I0622 12:18:23.479554 92987 request.go:844] Error in request: invalid resource name "redhat/ubi8/ubi": [may not contain '/'] I0622 12:18:23.517424 92987 newapp.go:1290] Cycle check input object 0: { "kind": "ImageStream", "apiVersion": "image.openshift.io/v1", "metadata": { "name": "redhat/ubi8/ubi", "creationTimestamp": null }, "spec": { "lookupPolicy": { "local": false }, "tags": [ { "name": "latest", "annotations": { "openshift.io/imported-from": "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" }, "from": { "kind": "DockerImage", "name": "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" }, "generation": null, "importPolicy": {}, "referencePolicy": { "type": "" } } ] }, "status": { "dockerImageRepository": "" } } I0622 12:18:23.517463 92987 newapp.go:1290] Cycle check input object 1: { "kind": "ImageStream", "apiVersion": "image.openshift.io/v1", "metadata": { "name": "ubi8-test", "creationTimestamp": null }, "spec": { "lookupPolicy": { "local": false } }, "status": { "dockerImageRepository": "" } } I0622 12:18:23.517799 92987 newapp.go:1290] Cycle check input object 2: { "kind": "BuildConfig", "apiVersion": "build.openshift.io/v1", "metadata": { "name": "test-multipath", "creationTimestamp": null }, "spec": { "triggers": [ { "type": "GitHub", "github": { "secret": "DXrSDlZANTQ3icNjU302" } }, { "type": "Generic", "generic": { "secret": "xM66llKhVmOSe1lzzgMf" } }, { "type": "ConfigChange" }, { "type": "ImageChange", "imageChange": {} } ], "source": { "type": "Dockerfile", "dockerfile": "FROM docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest \\n USER 1001 \\n CMD [ \"sh\", \"-c\", \"java -version\" ]" }, "strategy": { "type": "Docker", "dockerStrategy": { "from": { "kind": "ImageStreamTag", "name": "redhat/ubi8/ubi:latest" } } }, "output": { "to": { "kind": "ImageStreamTag", "name": "ubi8-test:latest" } }, "resources": {}, "postCommit": {}, "nodeSelector": null }, "status": { "lastVersion": 0 } } I0622 12:18:23.517848 92987 newapp.go:1309] Post follow input: &v1.ObjectReference{Kind:"DockerImage", Namespace:"", Name:"docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""} I0622 12:18:23.517869 92987 newapp.go:1319] Post follow: (*v1.ObjectReference)(nil) I0622 12:18:23.517884 92987 request.go:844] Error in request: invalid resource name "redhat/ubi8/ubi": [may not contain '/'] --> Creating resources with label build=test-multipath ... error: ImageStream.image.openshift.io "redhat/ubi8/ubi" is invalid: metadata.name: Invalid value: "redhat/ubi8/ubi": may not contain '/' imagestream.image.openshift.io "ubi8-test" created error: BuildConfig.build.openshift.io "test-multipath" is invalid: spec.strategy.dockerStrategy.from.name: Invalid value: "redhat/ubi8/ubi": invalid name syntax --> Failed ```
I have verified the change and no longer getting the `invalidValue error`. @jitsingh Could you please move the state to verified.
VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056