Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to bind a signed image at install time #812

Open
ckyrouac opened this issue Oct 2, 2024 · 4 comments
Open

Unable to bind a signed image at install time #812

ckyrouac opened this issue Oct 2, 2024 · 4 comments
Labels
area/logically-bound-images Issues related to "logically bound" images bug Something isn't working triaged This looks like a valid issue

Comments

@ckyrouac
Copy link
Contributor

ckyrouac commented Oct 2, 2024

When bootc tries to copy the signed image from the host to the install disk it fails with the following error:

ERROR Installing to disk: Pulling from host storage: registry.redhat.io/amq-streams/kafka-37-rhel9:2.7.0-13: Subprocess failed: ExitStatus(unix_wait_status(32000))
Getting image source signatures
Checking if image destination supports signatures
Error: Copying this image would require changing layer representation, which we cannot do: "Would invalidate signatures"

Adding "--remove-signatures" to the podman image push command here fixes this error, however the result is an unsigned image. I did some digging through the containers/image code, skopeo docs, and containers-storage.conf docs. It looks like the only way to copy and sign an image is to re-sign the image when copying it, I couldn't find a way to copy a signed image while preserving the signature. I might be missing something though.
@cgwalters
Copy link
Collaborator

Hm, only glancing at this one thing I notice is

$ skopeo inspect --raw -n docker://registry.redhat.io/amq-streams/kafka-37-rhel9:2.7.0-13 | jq -r .mediaType
application/vnd.docker.distribution.manifest.list.v2+json

It's a legacy media type, not OCI. This is a thing we should start trying to change across Red Hat images.

But indeed there may be a larger conflict here even with OCI that may need fixing.

@cgwalters cgwalters added bug Something isn't working area/logically-bound-images Issues related to "logically bound" images triaged This looks like a valid issue labels Oct 2, 2024
@Odilhao
Copy link

Odilhao commented Oct 3, 2024

Hey @cgwalters we just stumbled on this while tying to locally build one RHEL 9.4 image.

With a really simple config.toml:

[[blueprint.customizations.user]]
name = "someuser"
password = "somepassword"
key = ""
groups = ["wheel"]

sudo podman run --rm -it --privileged --pull=newer --security-opt label=type:unconfined_t -v ./config.toml:/root/config.toml:ro -v ./output:/root/output -v /var/lib/containers/storage:/var/lib/containers/storage registry.redhat.io/rhel9/bootc-image-builder:latest --local --type qcow2 --config /root/config.toml registry.redhat.io/rhel9/rhel-bootc:9.4

That fails with:

Checking if image destination supports signatures
time="2024-10-03T20:25:35Z" level=fatal msg="Copying this image would require changing layer representation, which we cannot do: \"Would invalidate signatures\""
Error: tmp-container-deploy-71731344553455: image not known
Traceback (most recent call last):
 File "/run/osbuild/bin/org.osbuild.container-deploy", line 50, in main
   subprocess.run(
 File "/usr/lib64/python3.9/subprocess.py", line 528, in run
   raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['skopeo', 'copy', 'containers-storage:[overlay@/run/osbuild/containers/storage+/run/containers/storage]1f64fbbed435d0f92755b9e6f6521e8d20c3d00f62cb869774cc6d0aab9bf897', 'containers-storage:tmp-container-deploy-71731344553455']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
 File "/run/osbuild/bin/org.osbuild.container-deploy", line 64, in <module>
   r = main(args["inputs"], args["tree"], args["options"])
 File "/run/osbuild/bin/org.osbuild.container-deploy", line 56, in main
   subprocess.run(["cp", "-a", f"{img}/.", f"{tree}/"], check=True)
 File "/usr/lib64/python3.9/contextlib.py", line 532, in __exit__
   raise exc_details[1]
 File "/usr/lib64/python3.9/contextlib.py", line 517, in __exit__
   if cb(*exc_details):
 File "/usr/lib64/python3.9/contextlib.py", line 405, in _exit_wrapper
   callback(*args, **kwds)
 File "/usr/lib64/python3.9/subprocess.py", line 528, in run
   raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['podman', 'rmi', 'tmp-container-deploy-71731344553455']' returned non-zero exit status 1.

@ckyrouac ckyrouac mentioned this issue Oct 3, 2024
Closed
@cgwalters
Copy link
Collaborator

Hi @Odilhao that issue is related (in fact ultimately the same I suspect) but practically distinct because the failure there is in bootc-image-builder code.

For reasons I don't understand really (and we're debating in multiple places), bootc-image-builder ends up copying the input container's rootfs and running it via custom tooling instead of just launching it via a standard OCI mechanism (e.g. podman).

@cgwalters
Copy link
Collaborator

cc @mvo5 @achilleas-k re ⬆

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/logically-bound-images Issues related to "logically bound" images bug Something isn't working triaged This looks like a valid issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

copy: Allow copying images with signatures ckyrouac/image
3 participants
@cgwalters @ckyrouac @Odilhao