OCPBUGS-77283: bump kubevirt fedora containerDisk to multi-arch v1.8.2 + permanent exception #31284
Pipeline controller notification For optional jobs, comment This repository is configured in: automatic mode |
|
@qinqon: This pull request references Jira Issue OCPBUGS-77283, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Walkthrough
Bump the quay.io/kubevirt/fedora-with-test-tooling-container-disk tag to v1.8.2 in tests/allowlist and VM template, and add a permanent exception in the image README noting the image is multi-arch for amd64, arm64, and s390x but excludes ppc64le.
Changes
KubeVirt Fedora image updates
🎯 2 (Simple) | ⏱️ ~10 minutes Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error)
✅ Passed checks (14 passed)
Scheduling required tests: |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: qinqon
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
2fb26fc to
c1aef31
Compare
…xception

The kubevirt fedora-with-test-tooling containerDisk used by the VM live-migration networking tests was mirrored from a single-arch (amd64) tag (20241024_891122a6fc). Bump it to v1.8.2, which upstream publishes as an OCI index covering amd64/arm64/s390x, so we mirror a genuine multi-arch image. Updates the mirror allowlist key, the livemigration test reference, and the generated upstream->quay mapping.

The image still has no ppc64le variant, because KubeVirt dropped ppc64le support (kubevirt/kubevirt#14976). Record the existing --allow-missing-architectures exception (verify-image-manifest-lists presubmit in openshift/release) as a permanent exception with justification in the README. It should be revisited once KubeVirt VEP-258 (kubevirt/enhancements#258) restores ppc64le support.

Assisted-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
c1aef31 to
9489957
Compare
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/util/image/image.go`:
- Line 63: The listed image tag
"quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2" in
test/extended/util/image/image.go is single-arch (amd64) and must be replaced
with a multi-arch manifest-list tag (or the tests/docs updated to declare an
exception); update the map entry to point to a tag that provides a manifest list
for amd64/arm64/s390x (excluding ppc64le) and also ensure the mirrored
"quay.io/openshift/community-e2e-images" entry matches the same multi-arch set
so the image resolution and architecture checks in this test file succeed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: c6f8d8ee-a8f7-45fc-bd3e-1479708d49d1
⛔ Files ignored due to path filters (1)
- test/extended/util/image/zz_generated.txt is excluded by !**/zz_generated*
📒 Files selected for processing (2)
- test/extended/networking/livemigration.go
- test/extended/util/image/image.go
| // used by KubeVirt test to start fedora VMs | ||
| "quay.io/kubevirt/fedora-with-test-tooling-container-disk:20241024_891122a6fc": -1, | ||
| "quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2": -1, |
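Review bot: the comment above this entry still says only "used by KubeVirt test to start fedora VMs", and the key is pinned by the tag v1.8.2, so nothing at this line records which architectures the tag is expected to carry. Consider extending the comment to name the expected set (amd64/arm64/s390x, no ppc64le) and to point at the README exception, so that the next bump of this key re-checks the manifest list before the allowlist changes.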
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify the KubeVirt Fedora v1.8.2 tag exists and list its architectures
# Check if the tag exists and list supported architectures
skopeo inspect --raw docker://quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 | jq -r '.manifests[]? | select(.platform) | "\(.platform.os)/\(.platform.architecture)"' | sort -u
# If the above returns nothing, it might be a single-arch image (which would be unexpected)
# In that case, check if it's a valid image at all
skopeo inspect docker://quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 > /dev/null 2>&1 && echo "Image exists" || echo "Image not found"
Repository: openshift/origin
Length of output: 139
🌐 Web query:
quay.io api v2 manifest list endpoint /v2/{namespace}/{repo}/manifests/{tag} bearer token WWW-Authenticate
💡 Result:
The quay.io container registry adheres to the Docker Registry HTTP API V2 specification [1][2]. The manifest endpoint used to fetch or manipulate image manifests (including manifest lists) is /v2/{namespace}/{repo}/manifests/{tag} [2][3].

Authentication via Bearer Token

When making an unauthenticated request to a protected v2 endpoint, the registry will return a 401 Unauthorized status code along with a WWW-Authenticate header [1][4][5]. This header provides the necessary information for the client to authenticate, typically formatted as follows [2][4][5]:

WWW-Authenticate: Bearer realm="{auth-url}",service="{service-name}"

To obtain a token:
1. Extract the realm and service from the WWW-Authenticate header [4][5].
2. Perform a GET request to the specified realm (e.g., https://quay.io/v2/auth) with the service, scope (e.g., repository:{namespace}/{repo}:pull), and any required credentials [6][4].
3. The response will contain a JSON object with a token field [6][4].
4. Use this token in subsequent API requests by including an Authorization header: Authorization: Bearer {token} [6][7][2].

Manifest List Details

A manifest list (or "fat manifest") allows a single tag to point to multiple image manifests across different platforms [8][9]. Clients distinguish manifest lists from standard image manifests by checking the Content-Type header in the response, which for manifest lists should be application/vnd.docker.distribution.manifest.list.v2+json [8][9]. To ensure the registry returns the correct manifest format, clients should include an Accept header in their request indicating support for the desired manifest content types [7][2].
Citations:
- 1: feat(api v2): global readonly superuser support and registry auth behavior (PROJQUAY-8279) quay/quay#4277
- 2: https://distribution.github.io/distribution/spec/api/
- 3: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md
- 4: https://groups.google.com/g/quay-sig/c/i20J7s0Zubk
- 5: proxy: Modify registry auth url for proxy cache validation (PROJQUAY-4585) quay/quay#1603
- 6: When will quay.io fully use v2's scheme2.manifest quay/quay-docs#11
- 7: https://github.com/distribution/distribution/blob/ed0b3aebb31a38ba617bb21494de9e914b6e4bed/docs/spec/api.md
- 8: https://github.com/distribution/distribution/blob/main/docs/content/spec/manifest-v2-2.md
- 9: https://github.com/distribution/distribution/blob/fda42e5ef908bdba722d435ff1f330d40dfcd56c/docs/spec/manifest-v2-2.md
🏁 Script executed:
#!/bin/bash
set -euo pipefail
IMG="quay.io/kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
echo "== Tool availability =="
command -v curl >/dev/null && echo "curl: yes" || echo "curl: no"
command -v jq >/dev/null && echo "jq: yes" || echo "jq: no"
command -v skopeo >/dev/null && echo "skopeo: yes" || echo "skopeo: no"
command -v docker >/dev/null && echo "docker: yes" || echo "docker: no"
echo "== Query Quay manifest list via registry API =="
# Try manifest list accept header
MANIFEST_URL="https://quay.io/v2/kubevirt/fedora-with-test-tooling-container-disk/manifests/${TAG}"
# Get auth challenge (if any)
HDR="$(curl -sSI \
-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
"$MANIFEST_URL" | tr -d '\r')"
echo "$HDR" | sed -n '1,30p'
AUTH_WWW="$(echo "$HDR" | awk -F': ' '/^WWW-Authenticate: /{sub(/^WWW-Authenticate: /,""); print}')"
if [[ -n "${AUTH_WWW:-}" ]]; then
echo "== Bearer auth challenge detected =="
echo "WWW-Authenticate: $AUTH_WWW"
# Parse realm and service and scope
REALM="$(echo "$AUTH_WWW" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')"
SERVICE="$(echo "$AUTH_WWW" | sed -n 's/.*service="\([^"]*\)".*/\1/p')"
# scope usually like: repository:kubevirt/fedora-with-test-tooling-container-disk:pull
SCOPE="$(echo "$AUTH_WWW" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')"
if [[ -z "${REALM:-}" || -z "${SERVICE:-}" ]]; then
echo "Failed to parse realm/service from WWW-Authenticate; cannot proceed."
exit 2
fi
TOKEN_URL="${REALM}?service=${SERVICE}"
if [[ -n "${SCOPE:-}" ]]; then
TOKEN_URL="${TOKEN_URL}&scope=${SCOPE}"
fi
echo "Token URL: $TOKEN_URL"
# The program is passed with -c so that stdin stays connected to curl's output.
TOKEN="$(curl -sSL "$TOKEN_URL" | python3 -c '
import sys, json
data=sys.stdin.read()
j=json.loads(data)
print(j.get("token",""))
')"
if [[ -z "$TOKEN" ]]; then
echo "Failed to obtain token from Quay."
exit 3
fi
echo "Got token (length): ${#TOKEN}"
RESP="$(curl -sSL \
-H "Authorization: Bearer $TOKEN" \
-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
"$MANIFEST_URL")"
else
echo "== No auth challenge; fetching manifest directly =="
RESP="$(curl -sSL \
-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
"$MANIFEST_URL")"
fi
echo "== Manifest fetch ok; parsing platforms =="
# The manifest JSON is passed as an argument because stdin carries the program text.
python3 - "$RESP" <<'PY'
import json,sys
resp=json.loads(sys.argv[1])
# manifest list v2 schema has "manifests"
manifests = resp.get("manifests") or []
if not manifests:
    # if it's single manifest, treat as one platform if present
    plat = resp.get("platform") or {}
    arch = (plat.get("architecture") or "")
    os_ = (plat.get("os") or "")
    if arch and os_:
        print(f"{os_}/{arch}")
    else:
        print("NO_MANIFEST_LIST_OR_PLATFORMS")
    sys.exit(0)
plats=set()
for m in manifests:
    p=m.get("platform") or {}
    os_=p.get("os")
    arch=p.get("architecture")
    if os_ and arch:
        plats.add(f"{os_}/{arch}")
for x in sorted(plats):
    print(x)
PY
Repository: openshift/origin
Length of output: 794
🏁 Script executed:
#!/bin/bash
set -euo pipefail
IMG="kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
URL="https://quay.io/v2/${IMG}/manifests/${TAG}"
echo "== HEAD/GET with manifest-list Accept =="
resp_headers_and_body="$(mktemp)"
# Fetch body and capture status+content-type
body="$(curl -sS -D "$resp_headers_and_body" \
-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+json' \
"$URL")"
status="$(awk 'NR==1{print $2}' "$resp_headers_and_body")"
ctype="$(awk 'tolower($1)=="content-type:"{print $2}' "$resp_headers_and_body" | head -n1)"
echo "HTTP status: $status"
echo "Content-Type: $ctype"
echo "== Top-level keys =="
# The heredoc terminator must stand alone on its line; the body is passed as argv[1].
python3 - "$body" <<'PY' || true
import json,sys
data=json.loads(sys.argv[1])
print("keys:", sorted(list(data.keys())))
PY
echo "== Does it contain manifests[]? =="
echo "$body" | jq -r 'if (.manifests? | type)=="array" then "manifests_count="+((.manifests|length|tostring)) else "no_manifests_array" end'
echo "== Extract platforms if manifests[] exists =="
echo "$body" | jq -r '
if (.manifests? | type)=="array" then
[.manifests[]
| select(.platform != null)
| "\(.platform.os)/\(.platform.architecture)"]
| unique | sort | .[]
else
empty
end'
echo "== If single manifest: try extract architecture from config (best-effort) =="
# For schema v2/v1, may have .architecture/.config/os/.config/architecture depending on schema.
echo "$body" | jq -r '
(
if .architecture? and .os? then "\(.os)/\(.architecture)" else empty end
),
(
if .config? and (.config.platform?) then "\(.config.platform.os)/\(.config.platform.architecture)" else empty end
),
(
if .config? and .config.os? and .config.architecture? then "\(.config.os)/\(.config.architecture)" else empty end
)
' | head -n20
Repository: openshift/origin
Length of output: 461
🏁 Script executed:
#!/bin/bash
set -euo pipefail
IMG="kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
URL="https://quay.io/v2/${IMG}/manifests/${TAG}"
tmpdir="$(mktemp -d)"
hdr="$tmpdir/headers.txt"
body="$tmpdir/body.json"
curl -sS -D "$hdr" -o "$body" \
-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+json' \
"$URL" >/dev/null
status="$(awk 'NR==1{print $2}' "$hdr" | head -n1)"
ctype="$(awk -F': ' 'tolower($1)=="content-type"{print $2}' "$hdr" | head -n1 | tr -d '\r')"
echo "HTTP status: $status"
echo "Content-Type: $ctype"
echo "Body size: $(wc -c < "$body") bytes"
echo "== jq: top-level keys =="
jq -r 'keys|sort|join(", ")' < "$body" | head -c 5000
echo
echo "== jq: manifests array type and count (if any) =="
jq -r '(.manifests? | type) as $t | if $t=="array" then "manifests_type=array\nmanifests_count="+( (.manifests|length|tostring) ) else "manifests_type="+$t end' < "$body"
echo "== jq: platforms from manifests[] (if any) =="
jq -r '
if (.manifests? | type)=="array" then
[.manifests[]
| select(.platform? != null)
| "\(.platform.os)/\(.platform.architecture)"]
| unique | sort | .[]
else empty end
' < "$body"
echo "== jq: schema v1 architecture/os (best-effort) =="
jq -r '
if (.os? != null and .architecture? != null) then "\(.os)/\(.architecture)" else empty end
' < "$body"
echo "== jq: any .platform fields present (best-effort) =="
jq -r '
.. | objects | .platform? // empty
' < "$body" 2>/dev/null | head -n 50
rm -rf "$tmpdir"
Repository: openshift/origin
Length of output: 468
🏁 Script executed:
#!/bin/bash
set -euo pipefail
IMG="kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
URL="https://quay.io/v2/${IMG}/manifests/${TAG}"
tmpdir="$(mktemp -d)"
hdr="$tmpdir/headers.txt"
body="$tmpdir/body.json"
curl -sS -D "$hdr" -o "$body" \
-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+json' \
"$URL" >/dev/null
echo "== Content-Type =="
awk -F': ' 'tolower($1)=="content-type"{print $2}' "$hdr" | head -n1 | tr -d '\r'
echo
echo "== Manifest fields =="
jq -r '"schemaVersion=" + (.schemaVersion|tostring) +
"\narchitecture=" + (.architecture // "null") +
"\nname=" + (.name // "null") +
"\ntag=" + (.tag // "null") +
"\nfsLayers_count=" + ((.fsLayers|length)|tostring)' < "$body"
echo
echo "== architecture from schema v1 (raw) =="
jq -r '.architecture // empty' < "$body"
rm -rf "$tmpdir"
Repository: openshift/origin
Length of output: 319
Quay v1.8.2 is single-arch (amd64) — expected multi-arch manifest list not provided
In test/extended/util/image/image.go (line 63), quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 resolves to a schema v1 single image manifest (architecture=amd64, no manifests[] list), so it does not provide a manifest list for amd64/arm64/s390x with ppc64le excluded as required. Update to a tag that publishes the expected multi-arch manifest list (or adjust the documented exception/tests accordingly); also ensure the mirrored quay.io/openshift/community-e2e-images image matches the intended architectures.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/extended/util/image/image.go` at line 63, The listed image tag
"quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2" in
test/extended/util/image/image.go is single-arch (amd64) and must be replaced
with a multi-arch manifest-list tag (or the tests/docs updated to declare an
exception); update the map entry to point to a tag that provides a manifest list
for amd64/arm64/s390x (excluding ppc64le) and also ensure the mirrored
"quay.io/openshift/community-e2e-images" entry matches the same multi-arch set
so the image resolution and architecture checks in this test file succeed.
|
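Added example, not part of the PR or of CodeRabbit's output: a check that classifies a manifest response as an index or a single image and compares its platforms with a required set. The scripts above send an Accept header listing Docker media types only, while the commit message describes the tag as an OCI index, so this check also recognises `application/vnd.oci.image.index.v1+json`; the names `platforms`, `check` and `allowed_missing` and the sample documents are constructed for illustration.

```python
import json

# Both media types denote a multi-platform index.
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
INDEX_TYPES = {DOCKER_LIST, OCI_INDEX}

# Accept value offering every index and image type, so the registry is free
# to answer with the index itself.
ACCEPT = ", ".join([
    OCI_INDEX, DOCKER_LIST,
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])

def platforms(content_type, body):
    """Return the os/arch set of an index, or None when the body is not an index."""
    doc = json.loads(body)
    media_type = (content_type or doc.get("mediaType") or "").split(";")[0].strip()
    if media_type not in INDEX_TYPES:
        return None
    found = set()
    for entry in doc.get("manifests", []):
        plat = entry.get("platform") or {}
        os_, arch = plat.get("os"), plat.get("architecture")
        # Attestation entries are listed as unknown/unknown and are not runnable images.
        if os_ and arch and arch != "unknown":
            found.add(f"{os_}/{arch}")
    return found

def check(content_type, body, required, allowed_missing=()):
    """Return (ok, missing); allowed_missing is a hypothetical stand-in for a documented exception."""
    found = platforms(content_type, body)
    if found is None:
        # Not an index: no required platform can be confirmed.
        return False, set(required)
    missing = set(required) - found - set(allowed_missing)
    return not missing, missing

# Constructed sample data (not fetched from any registry).
REQUIRED = {"linux/amd64", "linux/arm64", "linux/s390x", "linux/ppc64le"}
SAMPLE_INDEX = json.dumps({"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [
    {"digest": "sha256:<placeholder>", "platform": {"os": "linux", "architecture": a}}
    for a in ("amd64", "arm64", "s390x")]})
SAMPLE_SCHEMA1 = json.dumps({"schemaVersion": 1, "architecture": "amd64", "fsLayers": []})
SCHEMA1_TYPE = "application/vnd.docker.distribution.manifest.v1+prettyjws"

if __name__ == "__main__":
    print(check(OCI_INDEX, SAMPLE_INDEX, REQUIRED, {"linux/ppc64le"}))
    print(check(OCI_INDEX, SAMPLE_INDEX, REQUIRED))
    print(check(SCHEMA1_TYPE, SAMPLE_SCHEMA1, REQUIRED))
```

A schema v1 body is reported as "not an index" rather than as a one-platform image, which keeps a negotiated fallback response from being mistaken for the tag's real platform coverage.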
@qinqon: This pull request references Jira Issue OCPBUGS-77283, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
|
@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: zhaozhanqi. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
|
@qinqon: The following tests failed, say
What
Two related changes for the KubeVirt Fedora `fedora-with-test-tooling-container-disk` image used by the VM live-migration networking tests (`test/extended/networking/livemigration.go`):
- `20241024_891122a6fc` to `v1.8.2`, which upstream publishes as an OCI index covering `amd64`/`arm64`/`s390x`. Updates the mirror allowlist key, the test reference, and the generated `zz_generated.txt` mapping.
- `test/extended/util/image/README.md`.

Why
Even at `v1.8.2` the upstream image has no `ppc64le` variant, because KubeVirt does not currently support the `ppc64le` architecture (support was removed in kubevirt/kubevirt#14976). Bumping to the multi-arch `v1.8.2` index closes the gap for the supported arches, while the documented `--allow-missing-architectures` exception (already present in the `verify-image-manifest-lists` presubmit in openshift/release) covers the still-missing `ppc64le`.

Restoring `ppc64le` is tracked upstream by KubeVirt VEP-258 (kubevirt/enhancements#258). This exception should be revisited once that lands.

Important
An image-mirror owner must mirror `quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2` into `quay.io/openshift/community-e2e-images` before this merges, otherwise the live-migration tests will hit `ImagePullBackOff`.

Ref