OCPBUGS 70297 Known issue for oc adm release mirror #104865
base: enterprise-4.21
Conversation
🤖 Fri Jan 16 15:32:47 - Prow CI generated the docs preview:
f2ee5c0 to 07983a4
| //// | ||
| Instructions: Add entries in the following format: | ||
| * If you mirror the {product-title} release images to the registry of a disconnected environment by using the `oc adm release mirror` command, the release image cosign signature is not mirrored with the image. |
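Review bot: "the release image cosign signature" in the new bullet names a tool rather than the artifact; call it the Sigstore signature and say where it lives, because that is what the reader has to look for in the mirror registry: a separate tag in the same repository as the release image, named from the release digest with the `:` replaced by `-` and a `.sig` suffix (`sha256-<hex>.sig`). Also make explicit that this applies to `oc adm release mirror` only, since the text later says the oc-mirror plugin v2 does carry the signature.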
nit: I think we're trying to consolidate around "Sigstore signature" or some such for the name of the signature image. cosign would be the name of one possible tool used for interacting with those signatures. Evidence of frequent "sigstore" use:
openshift-docs$ git log --oneline -1
160c72e9e9 (HEAD -> main, origin/main, origin/HEAD) Merge pull request #104654 from aspauldi/CNV-76050
openshift-docs$ git grep -ioh 'sigstore\|cosign' | sort | uniq -c | sort -n
1 COSIGN
1 SigStore
10 Sigstore
12 Cosign
37 cosign
151 sigstore
Not clear to me why we have so many sigstore and so few Sigstore, or what that one SigStore is about. Upstream https://www.sigstore.dev/ has text like:
...Everyone involved in Sigstore believes...
which suggests Sigstore is their preferred casing.
FYI: cosign signature came from the release note text in the Jira.
| + | ||
| This is an issue in {product-title} {product-version}, because the `openshift` cluster image policy is deployed by default to the cluster, which causes CRI-O to automatically verify the signature when pulling images into a cluster. | ||
| + | ||
| As a result of the missing signature, when upgrading to {product-title} {product-version} on a disconnected environment, the upgrade will fail. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its signature to a disconnected environment. |
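Review bot: "when upgrading to {product-title} {product-version} ... the upgrade will fail" places the failure in the wrong step: the `openshift` cluster image policy only takes effect at the end of the update, so the update itself completes and what breaks is the next Cluster Version Operator pod start after that, when CRI-O verifies the signature on pull. Reword to something like "after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator pods might fail to run". "As a result of the missing signature" also presumes `oc adm release mirror` was the only mirroring tool used; "In the absence of the Sigstore signature" states the condition without that assumption. There is a doubled space after "v2".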
Maybe "As a result of the missing signature" -> "In the absence of the Sigstore signature" or something that explains what happens in that case, without assuming that the Sigstore-oblivious oc adm release mirror call was the only mirror tooling in use?
And the update from 4.20 to 4.21 will succeed, because the openshift ClusterImagePolicy only comes in at the end of the update. The issue is with the next CVO Pod reschedule after the openshift policy is in place. Maybe replace "when upgrading...will fail" with:
after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator Pods may fail to run.
"the oc-mirror plugin v2 and using" has a doubled space after v2.
Assembling all these suggestions:
| As a result of the missing signature, when upgrading to {product-title} {product-version} on a disconnected environment, the upgrade will fail. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its signature to a disconnected environment. | |
| In the absence of the Sigstore signature, after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator Pods may fail to run. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its signature to a disconnected environment. |
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc image mirror quay.io/openshift-release-dev/ocp-release:$<RELEASE_DIGEST>.sig registry.example.com/openshift/repo:$<RELEASE_DIGEST>.sig |
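Review bot: this command cannot produce a valid image reference. `$<RELEASE_DIGEST>` is not shell variable syntax, and even as `${RELEASE_DIGEST}` the value is `sha256:<hex>`, and a registry tag may not contain `:`. The signature tag is the digest with `:` replaced by `-` plus `.sig`, for example `sha256-d1dc76522d1e235b97675b28e977cb8c452f47d39c0eb519cde02114925f91d2.sig` for the 4.20.0-x86_64 release shown later in this thread. The destination also has to be the repository the release image was mirrored into (the `${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}` variables from the `oc adm release mirror` docs), not an arbitrary `openshift/repo`, otherwise CRI-O will not find the signature next to the image it is verifying.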
You need to point out that the signature needs to show up alongside the release image being mirrored, and that the release digest needs to use a - delimiter instead of : to be a valid tag. Using variables from the oc adm release mirror docs, it would be:
$ oc "quay.io/openshift-release-dev/ocp-release:${RELEASE_DIGEST/:/-}.sig" "${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${RELEASE_DIGEST/:/-}.sig"There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wking I am not clear on what you are suggesting here. RELEASE_DIGEST-.sig looks odd.
oc image mirror "quay.io/openshift-release-dev/ocp-release:${RELEASE_DIGEST}-.sig" "${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${RELEASE_DIGEST}-.sig" ??
| + | ||
| This is an issue in {product-title} {product-version}, because the `openshift` cluster image policy is deployed by default to the cluster, which causes CRI-O to automatically verify the Sigstore signature when pulling images into a cluster. | ||
| + | ||
| In the absence of the Sigstore signature, after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator pods might fail to run. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its Sigstore signature to a disconnected environment. |
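Review bot: the doubled space after "v2" in "the oc-mirror plugin v2  and using" is still present in this revision; the rewording of the failure mode and of "In the absence of the Sigstore signature" otherwise addresses the earlier comments.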
nit: still the doubled space after v2:
| In the absence of the Sigstore signature, after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator pods might fail to run. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its Sigstore signature to a disconnected environment. | |
| In the absence of the Sigstore signature, after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator pods might fail to run. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its Sigstore signature to a disconnected environment. |
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc image mirror "quay.io/openshift-release-dev/ocp-release:${RELEASE_DIGEST}-.sig" "${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${RELEASE_DIGEST}-.sig" |
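Review bot: `${RELEASE_DIGEST}-.sig` appends the `-` after the whole `sha256:<hex>` digest, so the tag still contains `:` and is still invalid; the `-` has to take the place of the `:` inside the digest. In bash that is `${RELEASE_DIGEST/:/-}.sig`; in POSIX sh, `${RELEASE_DIGEST%%:*}-${RELEASE_DIGEST#*:}.sig`. Either spell the substitution out in the variable description below the listing, or introduce a precomputed signature-tag variable and use it on both the source and destination side so the two cannot drift apart.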
${RELEASE_DIGEST}- has a dash, but after the sha256:.. digest. I'm suggesting that folks take the release digest like sha256:..., replace the : with a -, add a .sig suffix, and use that as the tag name. For example:
$ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.20.0-x86_64 | jq -r .digest
sha256:d1dc76522d1e235b97675b28e977cb8c452f47d39c0eb519cde02114925f91d2
has sha256:d1dc... as the digest, but uses sha256-d1dc... in the signature tag:
$ oc image info -o json quay.io/openshift-release-dev/ocp-release:sha256-d1dc76522d1e235b97675b28e977cb8c452f47d39c0eb519cde02114925f91d2.sig | grep mediaType
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",In my previous suggestion, I'd been using ${RELEASE_DIGEST/:/-}.sig to create those tag names, implicitly assuming Bash's ${parameter/pattern/string} variable expansion. That substitution isn't part of POSIX parameter expansion, though, so fine with me if you'd rather talk through it in English below where you currently have RELEASE_DIGEST:: Specifies your digest image. But something in this release note should cover replacing the digest's : with the - needed for a valid tag name.
There's a similar procedure for this in the comments of the jira ticket, if you want to have another way than the POSIX param expansion
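The digest-to-tag conversion the thread goes back and forth on, written out as an added example that is not part of this PR or of openshift-docs: a POSIX sh function that turns a `sha256:<hex>` release digest into the `sha256-<hex>.sig` signature tag using only standard parameter expansion (no bash-only `${var/pattern/string}`), rejects malformed digests, and assembles the `oc image mirror` command that puts the signature in the same repository as the mirrored release image. The digest is the 4.20.0-x86_64 one printed in the comment above; `registry.example.com` and `openshift/release-images` are placeholder names, and the command is only built as a string, not run, so nothing here touches a registry.

```shell
#!/bin/sh
# Added example, not code from the openshift-docs PR. Assumes RELEASE_DIGEST
# is the value printed by `oc adm release info -o json ... | jq -r .digest`
# (sha256:<64 hex chars>); registry and repository names are placeholders.

# sig_tag: "sha256:<hex>" -> "sha256-<hex>.sig"
# A registry tag may not contain ':', so the algorithm/hex separator becomes
# '-' and the tag gets a '.sig' suffix. Uses POSIX parameter expansion only.
sig_tag() {
    digest=$1
    case "$digest" in
        sha256:*) ;;
        *) echo "sig_tag: expected sha256:<hex>, got '$digest'" >&2; return 1 ;;
    esac
    algo=${digest%%:*}      # everything before the first ':'  -> sha256
    hex=${digest#*:}        # everything after the first ':'   -> <hex>
    # Reject anything that is not exactly 64 lowercase hex characters.
    case "$hex" in
        *[!0-9a-f]*) echo "sig_tag: digest is not lowercase hex" >&2; return 1 ;;
    esac
    if [ "${#hex}" -ne 64 ]; then
        echo "sig_tag: digest hex is ${#hex} chars, expected 64" >&2
        return 1
    fi
    printf '%s-%s.sig\n' "$algo" "$hex"
}

# mirror_sig_cmd DIGEST LOCAL_REGISTRY LOCAL_RELEASE_IMAGES_REPOSITORY
# Builds (does not run) the oc image mirror command. The same tag is used on
# both sides so the signature lands next to the release image CRI-O will pull.
mirror_sig_cmd() {
    digest=$1
    local_registry=$2
    local_repo=$3
    tag=$(sig_tag "$digest") || return 1
    printf 'oc image mirror "quay.io/openshift-release-dev/ocp-release:%s" "%s/%s:%s"\n' \
        "$tag" "$local_registry" "$local_repo" "$tag"
}

# Demo with the digest quoted in the thread and placeholder mirror names.
mirror_sig_cmd \
    sha256:d1dc76522d1e235b97675b28e977cb8c452f47d39c0eb519cde02114925f91d2 \
    registry.example.com openshift/release-images
```

Running the file prints the `oc image mirror` invocation; paste it, or wrap `sig_tag` into the release-note procedure as the definition of the signature tag variable. Because `sig_tag` fails closed on anything that is not `sha256:` plus 64 hex characters, a digest pasted with a stray `-` or a truncated hash is caught before a bogus tag is pushed to the mirror.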
| + | ||
| In the absence of the Sigstore signature, after updating to {product-title} {product-version} on a disconnected environment, future Cluster Version Operator pods might fail to run. You can avoid this problem by installing the oc-mirror plugin v2 and using the `oc mirror` command to again mirror the {product-title} release image. The oc-mirror plugin v2 mirrors both the release image and its Sigstore signature to a disconnected environment. | ||
| + | ||
| If you cannot use the oc-mirror plugin v2, you can use the `oc adm release mirror` command to mirror the Sigstore signature into your mirror registry by using a command similar to the following: |
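Review bot: "you can use the `oc adm release mirror` command to mirror the Sigstore signature" contradicts the opening bullet of this note, which says that command is exactly what does not mirror the signature; the fallback is `oc image mirror`, as in the listing that follows. It would also help to tell the reader how to confirm the fallback worked, for example by running `oc image info` against the mirrored `.sig` tag and checking that it returns the `application/vnd.dev.cosign.simplesigning.v1+json` layers shown earlier in this thread.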
| If you cannot use the oc-mirror plugin v2, you can use the `oc adm release mirror` command to mirror the Sigstore signature into your mirror registry by using a command similar to the following: | |
| If you cannot use the oc-mirror plugin v2, you can use the `oc image mirror` command to mirror the Sigstore signature into your mirror registry by using a command similar to the following: |
@mburke5678: all tests passed! Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
https://issues.redhat.com/browse/OCPBUGS-70297 and forum node slack.
Link to docs preview:
QE review: