MCO-707: Strip registry transport from os image URL for comparison

[ori-amizur]

One of the conditions to reboot after firstboot is different os image
URLs. In order to correctly compare the URLs, the booted OS image URL
has to be stripped from container image reference and transport.
This commit utilizes a recent change in rpm-ostree client to do just
that.

- What I did
Strip registry transport from os image URLs before checking if reboot is needed.
- How to verify it

1. Regression
2. Verify if URLs are considered equal when booted os URL is with a registry transport, and the required is without.
   - Description for the changelog

Strip registry transport from OS Image URLs for comparison

[openshift-ci-robot]

@ori-amizur: This pull request references MCO-707 which is a valid jira issue.

In response to this:

When comparing os image URLs in or to decide if reboot is needed, sometimes the URL starts with a scheme (i.e docker://), and sometimes without. In order to compare correctly, the scheme is removed before comparison is done.

- What I did
Canonized os image URLs before checking if reboot is needed.
- How to verify it

1. Regression
2. Verify if URLs are considered equal when booted os URL is with scheme, and the required is without.
   - Description for the changelog

Canonize OS Image URLs for comparison

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ori-amizur]

/assign @sinnykumari

[ori-amizur]

/uncc @cdoern

[ori-amizur]

/retest

[ori-amizur]

/test e2e-hypershift

[ori-amizur]

/test e2e-hypershift

[cgwalters]

This could use a doc comment (and also "canonicalize" is more canonical here) - canonization is a different thing and I don't think this function quite qualifies for sainthood yet 😄 . But even "canonicalize" would make someone wonder "canonicalize how?" I think.

Further this is going to be a bit fragile because in theory we could (and in fact have a TODO to) change it. So how about combining these two:

Suggested change

	func canonizeImageURL(url string) string {
	// stripRegistryTransport removes the registry transport prefix, see https://docs.rs/ostree-ext/latest/ostree_ext/container/enum.Transport.html
	func stripRegistryTransport(url string) string {
	return strings.Relpace(strings.Replace(url, "docker://", "", 1), "registry:", "", 1))

or so?

Could also use a unit test.

[sinnykumari]

Do we know that it will be always "docker://" or we should handle rest of the transport replacement as well that are supported by OSTree ?

[cgwalters]

I think in OpenShift today we effectively hardcode docker:// - i.e. we only support fetching from a registry in osImageURL.

So...yes. Note openshift/os#657 would actually switch things so that the initial state is from an oci-archive, but that's OK because it will today always be older anyways.

(A whole other problem here is that today we deploy as OCI, but when we later push the container image it gets converted to d2s2, which changes the digest...)

[sinnykumari]

yeah, makes sense.

[sinnykumari]

One question, other than that I agree with changes already suggested by Colin.

[sinnykumari]

Can we also add a test case where oldConfig has empty OSImageURL and newConfig has a valid OSImageURL. something like oldConfig.Spec.OSImageURL = " " and newConfig.Spec.OSImageURL = ""quay.io/example/foo@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c" .

This usually is the case today during initial node bootstrap for a cluster.

[ori-amizur]

Doesn't this already exist on line 222?

[sinnykumari]

ah yes, should have looked at existing test cases.

[sinnykumari]

Also, will be good to reword commit message based on latest changes that we have.

[openshift-ci-robot]

@ori-amizur: This pull request references MCO-707 which is a valid jira issue.

In response to this:

When comparing os image URLs in or to decide if reboot is needed,
sometimes the URL starts with a prefix (i.e docker:// or registry:), and sometimes
without. In order to compare correctly, the prefix is removed before
comparison is done.

- What I did
Strip registry transport os image URLs before checking if reboot is needed.
- How to verify it

1. Regression
2. Verify if URLs are considered equal when booted os URL is with scheme, and the required is without.
   - Description for the changelog

Canonize OS Image URLs for comparison

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@ori-amizur: This pull request references MCO-707 which is a valid jira issue.

In response to this:

When comparing os image URLs in or to decide if reboot is needed,
sometimes the URL starts with a prefix (i.e docker:// or registry:), and sometimes
without. In order to compare correctly, the prefix is removed before
comparison is done.

- What I did
Strip registry transport from os image URLs before checking if reboot is needed.
- How to verify it

1. Regression
2. Verify if URLs are considered equal when booted os URL is with a registry transport, and the required is without.
   - Description for the changelog

Strip registry transport from OS Image URLs for comparison

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sinnykumari]

Thanks Ori for working on this.
/lgtm
This should get merged once 4.14 branching has happened and we no longer require valid-bz label.

[sergiordlr]

Verifying using IPI on GCP

1. Create a custom osImage (we used the internal registry)
   image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/tc-54056-new-os-image@sha256:5ccada2081859a95414cd3f6a96a5f871e9ef8b5463ad28e4e8128bfe503faa3

2. Deploy a mc to use this custom osImage

kind: MachineConfig
apiVersion: machineconfiguration.openshift.io/v1
metadata:
  labels:
    machineconfiguration.openshift.io/role: "worker"
  name: "test-new-os-image"
spec:
  osImageURL: "image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/tc-54056-new-os-image@sha256:5ccada2081859a95414cd3f6a96a5f871e9ef8b5463ad28e4e8128bfe503faa3"

The new osImage is applied and the nodes rebooted.

3. Edit the test-new-os-image MC create in step 2 to prepend "docker://" to the osIMage. Like this:

spec:
  osImageURL: "docker://image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/tc-54056-new-os-image@sha256:5ccada2081859a95414cd3f6a96a5f871e9ef8b5463ad28e4e8128bfe503faa3"

A new MC is rendered and, when it is applied to the nodes, it is considered to be already applied and the nodes are not rebooted nor drained, as expected.

Nevertheless, we need to be aware that "docker://..." is not the right format for osImageURL. So we are accepting a wrong format in osImageURL if the image is the same as the one already present in the cluster. Imho, It's not a big deal, but we need to be aware of it. A customer could wonder why "docker://" is accepted in the MCs' osImageURL only sometimes.

Regarding the agent-install, we can't verify this PR using agent-install until openshift/os#657 is merged. Is it right?

/cc @rioliu-rh

[rioliu-rh]

/hold

[rioliu-rh]

hold this PR according to Sergio's comment, another issue about url format validation, if we create a mc to update os image with a new one w/o transport prefix docker://, the pool will be degraded with message like docker://... is not the right format

Sergio can provide more details about it.

[cgwalters]

Nevertheless, we need to be aware that "docker://..." is not the right format for osImageURL. So we are accepting a wrong format in osImageURL if the image is the same as the one already present in the cluster. Imho, It's not a big deal, but we need to be aware of it. A customer could wonder why "docker://" is accepted in the MCs' osImageURL only sometimes.

Hmm yes. I think we should actually continue to reject docker:// being present in osImageURL. I don't see what we gain by allowing it there.

So this PR started with:

sometimes the URL starts with a prefix (i.e docker:// or registry:), and sometimes without

Let's try to identify more precisely the code flows involved here.

I'm actually a bit confused here because I thought we were parsing the output from rpm-ostree status --json, which has e.g.:
"container-image-reference" : "ostree-unverified-registry:quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd29255bd4e6634404ef8e0f4a7f19b4ae5a57a3afc7d67cbe00934ba998d6ac"

And then we sort of hackily scrape that off...

Ohh, wait hmm...I think I may understand now! Yes, the bug is in that code in the MCO that's incorrectly parsing ostree-container image references. When we use ostree container image deploy, it ends up as e.g.:

$ rpm-ostree status --json | jq -r '.deployments[0]."container-image-reference"'
ostree-unverified-image:docker://quay.io/fedora/fedora-coreos:stable

So the core bug is here

machine-config-operator/pkg/daemon/rpm-ostree.go

Line 155 in 5b821a2

tokens := strings.SplitN(bootedDeployment.ContainerImageReference, ":", 2)

Now an immediate practical problem is that the code for parsing these strings today lives in Rust, not Go. (And even for using Rust, we don't really want to vendor all of ostree-rs-ext, which is its own distinct bug).

Here's what I'd propose:

• Add a minimal Go reimplementation of the logic in https://github.com/ostreedev/ostree-rs-ext/blob/8b04520d8e0d3ffb0c6ba72098d4114083ee7124/lib/src/container/mod.rs#L183 into https://github.com/coreos/rpmostree-client-go/
• Bump that dependency and use it here instead of just stripping from the first :

[cgwalters]

I can also look at "canonicalizing" ostree-unverified-image:docker:// back to ostree-unverified-registry: on the ostree side, which would also implicitly fix things.

[cgwalters]

ostreedev/ostree-rs-ext#533

[cgwalters]

PR in coreos/rpmostree-client-go#21

[cgwalters]

So next we need #3916
and then we can update this PR to execute on the bottom half of #3857 (comment)

[sinnykumari]

#3916 has been merged, we should be good to utilize bootedDeployment.RequireContainerImage() to get bootedOSImageURL without worrying about transport prefix.

[ori-amizur]

/retest

[openshift-ci-robot]

@ori-amizur: This pull request references MCO-707 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

One of the conditions to reboot after firstboot is different os image
URLs. In order to correctly compare the URLs, the booted OS image URL
has to be stripped from container image reference and transport.
This commit utilizes a recent change in rpm-ostree client to do just
that.

- What I did
Strip registry transport from os image URLs before checking if reboot is needed.
- How to verify it

1. Regression
2. Verify if URLs are considered equal when booted os URL is with a registry transport, and the required is without.
   - Description for the changelog

Strip registry transport from OS Image URLs for comparison

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sinnykumari]

LGTM
/approve
@sergiordlr This should be ready for qe testing now
@cgwalters PTAL

[cgwalters]

Thanks for this!

[ori-amizur]

/unhold

[sergiordlr]

Hello! @sinnykumari this PR depends on openshift/os#657

We need that PR to be merged before we can execute the verification here.

We have verified that the new change does not have the problem reported above, and it fails properly when we use osImage values with "docker://".

The rest of the verification (agent-installer skipping the first boot) will be executed once the PR linked above is merged.

[sinnykumari]

Thanks Sergio for testing it. Agree it is difficult to test complete functionality without openshift/os#657 . With current testing, it should be sufficient for the PR to get merged as it doesn't break any existing functionalities.
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, ori-amizur, sinnykumari

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cgwalters,sinnykumari]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 30c28f3 and 2 for PR HEAD b19dc30 in total

[openshift-ci]

@ori-amizur: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.