CI: ubi8 considered harmful (the "0x3c" bug) #16695

Closed
edsantiago opened this issue Nov 30, 2022 · 5 comments · Fixed by #17017
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@edsantiago
Member

The redhat registry is unreliable. We see these flakes in podman frequently:

# podman [options] pull registry.access.redhat.com/ubi8-minimal
Trying to pull registry.access.redhat.com/ubi8-minimal:latest...
time="2022-11-28T22:25:14Z" level=warning
    msg="Signature \"https://access.redhat.com/webassets/docker/content/sigstore/ubi8-minimal@sha256=2db613439c1708842f3fd6104a6b7b831f1f9b1c223c225101649e6bc4ae2983/signature-7\" 
    has Content-Type \"text/html\", unexpected for a signature"
Error: copying system image from manifest list: Source image rejected:
    parsing signature https://access.redhat.com/webassets/docker/content/sigstore/ubi8-minimal@sha256=2db613439c1708842f3fd6104a6b7b831f1f9b1c223c225101649e6bc4ae2983/signature-7:
    unrecognized signature format, starting with binary 0x3c

We already fixed buildah to not use it. And we keep adding workarounds elsewhere for registry bugs. It's time to just give up.

Some recent failure logs:

int podman fedora-36 root container: unknown failure

int podman fedora-37 rootless host: unknown failure
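
The "0x3c" in the error above is the ASCII code for `<`: the signature URL returned a web page (note the `text/html` Content-Type in the warning) rather than signature bytes. The following is an added example, not part of the issue and not code from podman or containers/image; the `Verdict` names and `ClassifySignature` are hypothetical, and the sample bodies are constructed. It triages a fetched signature body by its first bytes so a CI log can distinguish "registry served HTML" from other failures.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Verdict is this example's own label (hypothetical, not a podman type).
type Verdict string

const (
	Empty         Verdict = "empty"
	HTMLPage      Verdict = "html-page"       // a web page served in place of a signature
	OpenPGPArmor  Verdict = "openpgp-armored" // text armor header
	OpenPGPBinary Verdict = "openpgp-binary"  // RFC 4880: bit 7 of a packet tag is always set
	Unknown       Verdict = "unknown"
)

// ClassifySignature triages a fetched signature body by its first bytes; it
// verifies nothing cryptographically. Content-Type is advisory, checked last.
func ClassifySignature(contentType string, body []byte) Verdict {
	trimmed := bytes.TrimLeft(body, " \t\r\n")
	htmlType := strings.HasPrefix(strings.ToLower(strings.TrimSpace(contentType)), "text/html")
	switch {
	case len(body) == 0:
		return Empty
	case bytes.HasPrefix(trimmed, []byte{0x3c}): // 0x3c is ASCII '<'
		return HTMLPage
	case bytes.HasPrefix(trimmed, []byte("-----BEGIN PGP ")):
		return OpenPGPArmor
	case body[0]&0x80 != 0:
		return OpenPGPBinary
	case htmlType:
		return HTMLPage
	}
	return Unknown
}

func main() {
	// Constructed sample responses, not captured from any registry.
	samples := []struct{ ct, body string }{
		{"text/html", "<!DOCTYPE html><html><body>Service Unavailable</body></html>"},
		{"application/octet-stream", "\x88\x5d\x04\x00constructed-packet-bytes"},
		{"text/plain", "-----BEGIN PGP SIGNATURE-----\n"},
	}
	for _, s := range samples {
		fmt.Printf("%-24s first byte %#x -> %s\n", s.ct, s.body[0], ClassifySignature(s.ct, []byte(s.body)))
	}
}
```

An `html-page` verdict still means the pull must fail: rejecting the image when no parseable signature is available is the fail-closed behaviour, and the classification only says where to look for the cause.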

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@edsantiago
Member Author

Well, quay.io has been pretty bad the last two weeks, but I have hopes that it will recover after the holidays. Filed #17017.

edsantiago added a commit to edsantiago/libpod that referenced this issue Jan 6, 2023
Red Hat registry is too unreliable. (As of this writing
in January 2023, quay.io is not much better, but this is
a new flake. Ubi has been flaking for a year or more).

Instead of UBI, use the new systemd-image added to system tests
in containers#16814. Since this reduces the number of cached images,
a few unrelated tests (image count) need to be tweaked.

And, sigh, Fedora systemd colorizes boot messages by default,
causing a failure where we don't see an expected Reached Target
message. I don't want to rely on ASCII formatting codes, so
I've updated the build-systemd-image script so it disables
systemd colors, and have built a new systemd-image:20230106.
Made a few small usability improvements to the script as well.

Closes: containers#16695

Signed-off-by: Ed Santiago <[email protected]>
@MehdiSellamiAdministrator

MehdiSellamiAdministrator commented Mar 8, 2023

The "unrecognized signature format, starting with binary 0x3c" error message in Podman usually occurs when you try to pull an image that is not a valid Docker or OCI (Open Container Initiative) image. The error message indicates that Podman is interpreting the image as an HTML file, which is not a valid container image format.

To fix this issue, you should check the image source and ensure that it is a valid Docker or OCI image. Here are some steps you can take to troubleshoot the issue:

Check the image source: Make sure that you are pulling the image from a valid container image registry, such as Docker Hub or Quay.io.

Corrupted or incomplete image or container file: If the file you are trying to load is corrupted or incomplete, it may not be recognized by Podman. Try downloading the file again or verifying that it is not corrupted.

Verify the image format: Check that the image format is a valid Docker or OCI image format. You can verify the image format by downloading the image using curl and checking its file type. For example, the following command downloads the "nginx" image from Docker Hub and checks its file type.

The output should indicate that the file type is a Docker image or OCI image, depending on the format of the image.

File encoding issue: If the file you are trying to load has a different encoding than expected, this could also cause the error. Try converting the file to the correct encoding before running the podman load command.

Use the correct command: If you are trying to pull an image from a non-standard registry or using a different image format, you may need to use a different command to pull the image. For example, you can use the skopeo command to pull images from non-standard registries or in different image formats.

This copies the image from the private registry to the local file system in the dir directory.

By following these steps, you can troubleshoot the "unrecognized signature format" error message in Podman and ensure that you are pulling valid container images.

Configuring Linux container tools to check image signatures:

The Linux container tools (Podman, Skopeo, and Buildah) have built-in support for detached signatures, as well as the CRI-O container engine from Kubernetes and the Red Hat OpenShift Container Platform.

https://developers.redhat.com/blog/2019/10/29/verifying-signatures-of-red-hat-container-images

Check the image signature: If the image file is signed, check the signature to ensure that it is valid and matches the image file. Podman uses GPG (GNU Privacy Guard) signatures to verify the authenticity of signed images. You can use the podman trust inspect command to check the signature status of an image.

Use a different image source: If none of the above solutions work, try using a different image source or registry to obtain the image. The issue may be related to a specific registry or image file, and switching to a different source may help to resolve the problem.

@edsantiago
Member Author

@MehdiSellamiAdministrator thanks for taking the time to follow up with helpful advice. Unfortunately, in this case, none of that is applicable: the error we were seeing was a flake, meaning, exactly the same command will fail in nondeterministic, seemingly random ways. My recollection was that the failures were time-dependent, such that multiple independent tests would fail at close times; this strongly suggests a problem with the registry itself. That is beyond our control.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 30, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 30, 2023