Bug 1970805 - Cannot create build when docker image url contains dir structure
Summary: Cannot create build when docker image url contains dir structure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.10.0
Assignee: Alice Rum
QA Contact: Jitendar Singh
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-11 09:13 UTC by Ankit Sachdeva
Modified: 2022-03-10 16:04 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:03:59 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift oc pull 922 0 None None None 2021-09-08 11:01:22 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:04:25 UTC

Comment 5 Adam Kaplan 2021-06-22 17:24:10 UTC
I am able to reproduce this issue - the logic in `oc new-build` seems to require images to have an image spec in the format `<hostname>/<user>/<imagename>:<tag>`, which is too restrictive. The Docker v2 and OCI image specifications allow any path depth in an image pull spec.

As a work-around, you can do the following:

1. Use `oc tag --source=docker` to create an imagestream referencing the image:

$ oc tag --source=docker privateregistry:5000/path/to/image:tag myproject/image:tag

2. Run `oc new-build --dockerfile` referencing the imagestream tag's short name:

```
$ oc new-build --name testapp --to testapp --dockerfile='FROM myproject/image:tag \nRUN echo "Hello world!" \nCMD [ "/bin/bash" ]'
```

This will successfully create a BuildConfig that references the imagestream tag from before.


Steps to reproduce this bug:

1. In the OpenShift developer console, create an application from the Docker distribution container image (`docker.io/registry:v2`). Click the checkbox to create a route for the application.
2. In the OpenShift admin console, edit the created route so that TLS is enabled with "edge" termination:

```yaml
spec:
  ...
  tls:
    termination: edge
```

This will ensure you have a valid Docker container registry up and running (note this is not the internal registry).
Record the hostname of the registry.

3. Use skopeo to copy the ubi8 image to the docker/distribution container registry running in the cluster, with a path that is more than two levels deep. Disable tls verification at the destination unless the ingress operator is configured to use globally trusted certificates.

```
$ skopeo copy docker://registry.access.redhat.com/ubi8/ubi:latest docker://<registry-hostname>/registry/redhat/ubi8/ubi:latest --dest-tls-verify=false
```

4. Try to use `oc new-build` with an inline Dockerfile that references the image copied by skopeo:

```
$ oc new-build --name testapp --to testapp --dockerfile='FROM <registry-hostname>/registry/redhat/ubi8/ubi:latest \nRUN echo "Hello world!" \nCMD [ "/bin/bash" ]'
```

Result (with --loglevel=5):

```
I0622 12:18:23.392830   92987 newapp.go:648] Docker client did not respond to a ping: Get "http://unix.sock/_ping": dial unix /var/run/docker.sock: connect: no such file or directory
I0622 12:18:23.393033   92987 imagestreamlookup.go:49] image streams must be of the form [<namespace>/]<name>[:<tag>|@<digest>], term "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" did not qualify
I0622 12:18:23.393061   92987 dockerimagelookup.go:88] checking remote registry for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"
I0622 12:18:23.479395   92987 dockerimagelookup.go:281] Adding container image "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" (tag "latest"), 272209f, from docker-registry-test-newbuild.apps-crc.testing, 79.630mb as component match for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" with score 0
I0622 12:18:23.479415   92987 dockerimagelookup.go:94] Found remote match docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest
I0622 12:18:23.479425   92987 resolve.go:190] Code []
I0622 12:18:23.479434   92987 resolve.go:191] Components [docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest]
I0622 12:18:23.479457   92987 newapp.go:435] found group: docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest
I0622 12:18:23.479463   92987 newapp.go:444] will add "" secrets into a build for a source build of ""
I0622 12:18:23.479469   92987 newapp.go:449] will add "" configMaps into a build for a source build of ""
I0622 12:18:23.479478   92987 newapp.go:474] will use "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest" as the base image for a source build of ""
--> Found container image 272209f (2 weeks old) from docker-registry-test-newbuild.apps-crc.testing for "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"

    Red Hat Universal Base Image 8 
    ------------------------------ 
    The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.

    Tags: base rhel8

    * An image stream tag will be created as "redhat/ubi8/ubi:latest" that will track the source image
    * A Docker build using a predefined Dockerfile will be created
      * The resulting image will be pushed to image stream tag "ubi8-test:latest"
      * Every time "redhat/ubi8/ubi:latest" changes a new build will be triggered

I0622 12:18:23.479554   92987 request.go:844] Error in request: invalid resource name "redhat/ubi8/ubi": [may not contain '/']
I0622 12:18:23.517424   92987 newapp.go:1290] 

Cycle check input object 0:
{
	"kind": "ImageStream",
	"apiVersion": "image.openshift.io/v1",
	"metadata": {
		"name": "redhat/ubi8/ubi",
		"creationTimestamp": null
	},
	"spec": {
		"lookupPolicy": {
			"local": false
		},
		"tags": [
			{
				"name": "latest",
				"annotations": {
					"openshift.io/imported-from": "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"
				},
				"from": {
					"kind": "DockerImage",
					"name": "docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest"
				},
				"generation": null,
				"importPolicy": {},
				"referencePolicy": {
					"type": ""
				}
			}
		]
	},
	"status": {
		"dockerImageRepository": ""
	}
}
I0622 12:18:23.517463   92987 newapp.go:1290] 

Cycle check input object 1:
{
	"kind": "ImageStream",
	"apiVersion": "image.openshift.io/v1",
	"metadata": {
		"name": "ubi8-test",
		"creationTimestamp": null
	},
	"spec": {
		"lookupPolicy": {
			"local": false
		}
	},
	"status": {
		"dockerImageRepository": ""
	}
}
I0622 12:18:23.517799   92987 newapp.go:1290] 

Cycle check input object 2:
{
	"kind": "BuildConfig",
	"apiVersion": "build.openshift.io/v1",
	"metadata": {
		"name": "test-multipath",
		"creationTimestamp": null
	},
	"spec": {
		"triggers": [
			{
				"type": "GitHub",
				"github": {
					"secret": "DXrSDlZANTQ3icNjU302"
				}
			},
			{
				"type": "Generic",
				"generic": {
					"secret": "xM66llKhVmOSe1lzzgMf"
				}
			},
			{
				"type": "ConfigChange"
			},
			{
				"type": "ImageChange",
				"imageChange": {}
			}
		],
		"source": {
			"type": "Dockerfile",
			"dockerfile": "FROM docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest \\n USER 1001 \\n CMD [ \"sh\", \"-c\", \"java -version\" ]"
		},
		"strategy": {
			"type": "Docker",
			"dockerStrategy": {
				"from": {
					"kind": "ImageStreamTag",
					"name": "redhat/ubi8/ubi:latest"
				}
			}
		},
		"output": {
			"to": {
				"kind": "ImageStreamTag",
				"name": "ubi8-test:latest"
			}
		},
		"resources": {},
		"postCommit": {},
		"nodeSelector": null
	},
	"status": {
		"lastVersion": 0
	}
}
I0622 12:18:23.517848   92987 newapp.go:1309] Post follow input:
&v1.ObjectReference{Kind:"DockerImage", Namespace:"", Name:"docker-registry-test-newbuild.apps-crc.testing/registry/redhat/ubi8/ubi:latest", UID:"", APIVersion:"", ResourceVersion:"", FieldPath:""}
I0622 12:18:23.517869   92987 newapp.go:1319] Post follow:
(*v1.ObjectReference)(nil)
I0622 12:18:23.517884   92987 request.go:844] Error in request: invalid resource name "redhat/ubi8/ubi": [may not contain '/']
--> Creating resources with label build=test-multipath ...
    error: ImageStream.image.openshift.io "redhat/ubi8/ubi" is invalid: metadata.name: Invalid value: "redhat/ubi8/ubi": may not contain '/'
    imagestream.image.openshift.io "ubi8-test" created
    error: BuildConfig.build.openshift.io "test-multipath" is invalid: spec.strategy.dockerStrategy.from.name: Invalid value: "redhat/ubi8/ubi": invalid name syntax
--> Failed
```

Comment 12 Priti Kumari 2021-12-07 09:30:02 UTC
I have verified the change and no longer getting the `invalidValue error`. @jitsingh Could you please move the state to verified.

Comment 13 Jitendar Singh 2021-12-07 10:23:02 UTC
VERIFIED

Comment 16 errata-xmlrpc 2022-03-10 16:03:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.