Bug 1823143: Try user-given registry/repository for oc adm release extract|info|mirror before defaulting to referenced image #395
Conversation
openshift-ci-robot
added
bugzilla/medium
bugzilla/valid-bug
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sallyom The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
do-not-merge/hold
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
2 similar comments
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sallyom: An error was encountered searching for bug 1823143 on the Bugzilla server at https://bugzilla.redhat.com:
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sallyom: An error was encountered searching for bug 1823143 on the Bugzilla server at https://bugzilla.redhat.com:
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/test e2e-cmd |
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
|
/hold This PR uses a bump in library-go for a not-yet-merged PR: openshift/library-go#785 |
openshift-ci-robot
added
the
do-not-merge/hold
|
/retest |
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@soltysh I've reworked this PR, moved all changes to pkg/cli/admin/release/info.go rather than release/extract_tools.go - this is more clear. ptal, thanks. |
sallyom
force-pushed
the
bz1819546
branch
3 times, most recently
from
329df97 to
d72ae52
Compare
pkg/cli/admin/release/info.go
Outdated
| if err != nil { | ||
| errs = append(errs, err) | ||
| return true, nil | ||
| } |
There was a problem hiding this comment.
This could be outside of the loop.
There was a problem hiding this comment.
Actually looking inside ParseReference invoked at the beginning of the method that one already has that invocation see
oc/pkg/cli/image/imagesource/reference.go
Line 96 in 29e9a33
ref.Type == DestinationRegistry and drop this above code entirely.
There was a problem hiding this comment.
thanks, i've updated. much cleaner.
userGivenImage.AsRepository() == ref.Ref.AsRepository() :) so i can drop the userGivenImage nonsense altogether
pkg/cli/admin/release/info.go
Outdated
| // try to verify user-passed image tag first, in case of mirrored images this will | ||
| // exist, and if so, use this instead of the release image-reference. If this doesn't | ||
| // exist, proceed with tag from release image-reference from the readReleaseImageReference above | ||
| givenTag := fmt.Sprintf("%s@%s", userGivenImage.AsRepository(), digest) |
There was a problem hiding this comment.
tag is confusing, since this is more imageID, imageDigest, right?
There was a problem hiding this comment.
I'm a bit confused, you're creating a new reference from user-passed registry and release's image SHA, right? And then you parse it once again in verifyImageExists. If this works you replace the tag contents, correct?
There was a problem hiding this comment.
I still don't understand why you can't just use the DockerImageReference returned from userGivenImage.AsRepository() invocation and set digest there. Iow.
newRef := userGivenImage.AsRepository() // this will clear both Tag and ID fields
newRef.ID = digest
if verifyImageExists(opts, newRef)...This way verifyImageExists will work with already passed reference, so there's no need for double parsing.
There was a problem hiding this comment.
thanks! updated, now passing imagereference.DockerImageReference to verifyImageExists, and if found, tag.From.Name = newRef.String()
pkg/cli/admin/release/info.go
Outdated
| if err != nil { | ||
| if imagemanifest.IsImageNotFound(err) { | ||
| return false | ||
| } |
There was a problem hiding this comment.
This condition is not necessary, since in both cases you just return false.
There was a problem hiding this comment.
kind of, but if imageNotFound, no logging (this means it's not a mirrored image) but for any other reason should log the error, this would indicate there was an error reading the mirrored image (it exists, but there is a problem). I'm fine not logging, too, but this was my reasoning.
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
sallyom
force-pushed
the
bz1819546
branch
2 times, most recently
from
09f91c9 to
b2d9989
Compare
|
/hold cancel fake bump removed |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/retest |
| // try to verify user-passed image first, in case of mirrored images this will | ||
| // exist, and if so, use this instead of the release image-reference. If this doesn't | ||
| // exist, proceed with release image-reference from the readReleaseImageReference above | ||
| newRef := ref.Ref.AsRepository() |
There was a problem hiding this comment.
Assuming that the release image and the target share the same repository is a really ugly hack. I don't think it's appropriate without the user explicitly telling us where it is (perhaps via a flag, perhaps by providing an ICSP).
There was a problem hiding this comment.
So is this "pull down any ICSPs from the cluster and teach the local oc image resolvers how to process them"? That would be great, but seems like a lot of work without vendoring more of containers/image. Or does the native oc image-resolution code already support mirrors and we'd just need to feed the ICSPs in?
There was a problem hiding this comment.
... and there is no guarantee that ICSPs that make sense for the cluster also make sense for wherever the user is running oc. Would be nice if we had image-streams for every image referenced from the release image or some such, so we could pull from there without having to reach out and hit some external registry.
There was a problem hiding this comment.
so ICS is printed when mirroring image like so:
imageContentSources:
- mirrors:
- quay.io/sallyom/release-test
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
- mirrors:
- quay.io/sallyom/release-test
source: registry.svc.ci.openshift.org/ocp/release
so if an image is mirrored pass a flag to provide that info? i don't have details for how to use this info atm, i'll take a look.
There was a problem hiding this comment.
OK, that's fair and w/o that information it's ok to not to have properly working disconnected mirrors working, exactly like described in the bug. The second question is I can't seem to find which piece of containers/image is responsible for that, can you point to it?
There was a problem hiding this comment.
It would be more appropriate right now to add a flag that is "--mirror-repository=foo/bar" (possibly that supports multiple flags via StringSlice) than to add magic lookup. In the future, reeading from an ICSP file or ICSP on the cluster might be reasonable. Right now, don't do magic.
There was a problem hiding this comment.
Adding error path when image can't be found to suggest that if this is a mirrored repository to provide that flag, and to add a paragraph to help that describes how to work with mirrored repositories, would also be required to make this clear to users.
There was a problem hiding this comment.
but how will that solve 'I can't oc adm release extract in disconnected environment'?
As/is, the cmd does that-extracts from the mirrored repository (you don't have to pass it), and succeeds if you are connected and have the correct pull secret for that repo but fails otherwise.
There was a problem hiding this comment.
That flag would add additional search locations (like ICSP) if the first fetch fails. All locations that look at an image would support the alternates.
There was a problem hiding this comment.
You would be designing in (vs adding hacks) a mechanism that says "if i get an image, if i can't get it at location A, try B, C, and D by digest". That mechanism probably should be in the lowest level client (the registry fetcher) which would transparently support this for all commands (i.e. putting code into mirror is probably wrong).
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
|
@sallyom: This pull request references Bugzilla bug 1823143, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
sallyom
changed the title
sallyom
changed the title
… defaulting to image reference When working with mirrored release payloads, a release from a mirrored registry, mylocalregistry/ocp/release:4.5.0-0.nightly-2020-04-18-093630 mirrored from registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-18-093630 - Both reference 'quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2eb0a51...'. When extracting from the mirrored registry, try extracting from the user-given registry/repo/name If this fails, then try the release image-references. In disconnected environments, currently, oc adm release extract fails. Different from mirrored, when working with a tagged release that was uploaded to another repository, such as `quay.io/sallyom/release:new`, since that release wasn't mirrored, the underlying images still point to the original tag. In this case, `oc adm release extract --command openshift-install` will try the sallyom/release image but will fail, issue an info message, and then proceed to use the underlying tagged installer image - that will succeed as long as the user has access to the original release image.
…defaulting to image reference
|
@sallyom: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
closing in favor of #427 , it's less ugly, but maybe still too ugly |
|
Please see #439 and openshift/enhancements#334 for progress |
5 participants
When working with mirrored release payloads, a release from a mirrored registry,
mylocalregistry/ocp/release:4.5.0-0.nightly-2020-04-18-093630mirrored fromregistry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-04-18-093630-In both, the tags reference
quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2eb0a51....In
oc adm release extract, always try extracting from the user-given release first. If this fails, then fall back to the release image-references. In disconnected environments, currently, oc adm release extract fails when the given release is mirrored from a connected registry.Different from mirrored, when working with a tagged release that was uploaded to another repository, such as
quay.io/sallyom/release:new, since that release wasn't mirrored, the underlying images still point to the original tag. In this case,oc adm release extract --command openshift-installwill try the sallyom/release image but since that image does not exist, proceed to use the underlying tagged installer image - that will succeed as long as the user has access to the original release image. Note many devs build release w/ substitutions for one or a few component images, and this is the way they sometimes push images around.To test this PR, do something like this:
you'll find the failure from master, fixed w /this PR
Scenarios i tested:
Bugs that are resolved with these changes (or the equivalent):