OCPBUGS-77283: bump kubevirt fedora containerDisk to multi-arch v1.8.2 + permanent exception #31284
Pipeline controller notification For optional jobs, comment This repository is configured in: automatic mode |
|
@qinqon: This pull request references Jira Issue OCPBUGS-77283, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Walkthrough
Bump the quay.io/kubevirt/fedora-with-test-tooling-container-disk tag to v1.8.2 in tests/allowlist and VM template, and add a permanent exception in the image README noting the image is multi-arch for amd64, arm64, and s390x but excludes ppc64le.
Changes
KubeVirt Fedora image updates
🎯 2 (Simple) | ⏱️ ~10 minutes
Caution
Pre-merge checks failed
Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error)
✅ Passed checks (14 passed)
Scheduling required tests: |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: qinqon
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
2fb26fc to
c1aef31
Compare
…xception

The kubevirt fedora-with-test-tooling containerDisk used by the VM live-migration networking tests was mirrored from a single-arch (amd64) tag (20241024_891122a6fc). Bump it to v1.8.2, which upstream publishes as an OCI index covering amd64/arm64/s390x, so we mirror a genuine multi-arch image. Updates the mirror allowlist key, the livemigration test reference, and the generated upstream->quay mapping.

The image still has no ppc64le variant, because KubeVirt dropped ppc64le support (kubevirt/kubevirt#14976). Record the existing --allow-missing-architectures exception (verify-image-manifest-lists presubmit in openshift/release) as a permanent exception with justification in the README. It should be revisited once KubeVirt VEP-258 (kubevirt/enhancements#258) restores ppc64le support.

Assisted-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
c1aef31 to
9489957
Compare
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/util/image/image.go`:
- Line 63: The listed image tag
"quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2" in
test/extended/util/image/image.go is single-arch (amd64) and must be replaced
with a multi-arch manifest-list tag (or the tests/docs updated to declare an
exception); update the map entry to point to a tag that provides a manifest list
for amd64/arm64/s390x (excluding ppc64le) and also ensure the mirrored
"quay.io/openshift/community-e2e-images" entry matches the same multi-arch set
so the image resolution and architecture checks in this test file succeed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: c6f8d8ee-a8f7-45fc-bd3e-1479708d49d1
⛔ Files ignored due to path filters (1)
- test/extended/util/image/zz_generated.txt is excluded by !**/zz_generated*
📒 Files selected for processing (2)
- test/extended/networking/livemigration.go
- test/extended/util/image/image.go
|
|
||
| // used by KubeVirt test to start fedora VMs | ||
| "quay.io/kubevirt/fedora-with-test-tooling-container-disk:20241024_891122a6fc": -1, | ||
| "quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2": -1, |
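Review bot: the added `"quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2": -1,` entry sits under a comment that only says `// used by KubeVirt test to start fedora VMs`, so nothing at the allowlist itself records that this image ships without ppc64le or where that gap is justified. Extend the comment to point at the permanent exception in test/extended/util/image/README.md and at kubevirt/enhancements#258 as the condition for revisiting it. The entry also pins a tag rather than a digest, so the architecture set is worth re-checking on the mirrored copy in quay.io/openshift/community-e2e-images before merge.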
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Description: Verify the KubeVirt Fedora v1.8.2 tag exists and list its architectures

# Check if the tag exists and list supported architectures
skopeo inspect --raw docker://quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 | jq -r '.manifests[]? | select(.platform) | "\(.platform.os)/\(.platform.architecture)"' | sort -u

# If the above returns nothing, it might be a single-arch image (which would be unexpected)
# In that case, check if it's a valid image at all
skopeo inspect docker://quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 > /dev/null 2>&1 && echo "Image exists" || echo "Image not found"
```
Repository: openshift/origin
Length of output: 139
🌐 Web query:
quay.io api v2 manifest list endpoint /v2/{namespace}/{repo}/manifests/{tag} bearer token WWW-Authenticate
💡 Result:
The quay.io container registry adheres to the Docker Registry HTTP API V2 specification [1][2]. The manifest endpoint used to fetch or manipulate image manifests (including manifest lists) is /v2/{namespace}/{repo}/manifests/{tag} [2][3].

Authentication via Bearer Token

When making an unauthenticated request to a protected v2 endpoint, the registry will return a 401 Unauthorized status code along with a WWW-Authenticate header [1][4][5]. This header provides the necessary information for the client to authenticate, typically formatted as follows [2][4][5]:

WWW-Authenticate: Bearer realm="{auth-url}",service="{service-name}"

To obtain a token:
1. Extract the realm and service from the WWW-Authenticate header [4][5].
2. Perform a GET request to the specified realm (e.g., https://quay.io/v2/auth) with the service, scope (e.g., repository:{namespace}/{repo}:pull), and any required credentials [6][4].
3. The response will contain a JSON object with a token field [6][4].
4. Use this token in subsequent API requests by including an Authorization header: Authorization: Bearer {token} [6][7][2].

Manifest List Details

A manifest list (or "fat manifest") allows a single tag to point to multiple image manifests across different platforms [8][9]. Clients distinguish manifest lists from standard image manifests by checking the Content-Type header in the response, which for manifest lists should be application/vnd.docker.distribution.manifest.list.v2+json [8][9]. To ensure the registry returns the correct manifest format, clients should include an Accept header in their request indicating support for the desired manifest content types [7][2].
Citations:
- 1: feat(api v2): global readonly superuser support and registry auth behavior (PROJQUAY-8279) quay/quay#4277
- 2: https://distribution.github.io/distribution/spec/api/
- 3: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md
- 4: https://groups.google.com/g/quay-sig/c/i20J7s0Zubk
- 5: proxy: Modify registry auth url for proxy cache validation (PROJQUAY-4585) quay/quay#1603
- 6: When will quay.io fully use v2's scheme2.manifest quay/quay-docs#11
- 7: https://github.com/distribution/distribution/blob/ed0b3aebb31a38ba617bb21494de9e914b6e4bed/docs/spec/api.md
- 8: https://github.com/distribution/distribution/blob/main/docs/content/spec/manifest-v2-2.md
- 9: https://github.com/distribution/distribution/blob/fda42e5ef908bdba722d435ff1f330d40dfcd56c/docs/spec/manifest-v2-2.md
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

IMG="quay.io/kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"

echo "== Tool availability =="
command -v curl >/dev/null && echo "curl: yes" || echo "curl: no"
command -v jq >/dev/null && echo "jq: yes" || echo "jq: no"
command -v skopeo >/dev/null && echo "skopeo: yes" || echo "skopeo: no"
command -v docker >/dev/null && echo "docker: yes" || echo "docker: no"

echo "== Query Quay manifest list via registry API =="
# Try manifest list accept header
MANIFEST_URL="https://quay.io/v2/kubevirt/fedora-with-test-tooling-container-disk/manifests/${TAG}"

# Get auth challenge (if any)
HDR="$(curl -sSI \
  -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
  "$MANIFEST_URL" | tr -d '\r')"
echo "$HDR" | sed -n '1,30p'

# Match the header name case-insensitively (HTTP/2 responses print it in lower case)
AUTH_WWW="$(echo "$HDR" | awk 'tolower($0) ~ /^www-authenticate: / {sub(/^[^:]*: /, ""); print}')"

if [[ -n "${AUTH_WWW:-}" ]]; then
  echo "== Bearer auth challenge detected =="
  echo "WWW-Authenticate: $AUTH_WWW"

  # Parse realm and service and scope
  REALM="$(echo "$AUTH_WWW" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')"
  SERVICE="$(echo "$AUTH_WWW" | sed -n 's/.*service="\([^"]*\)".*/\1/p')"
  # scope usually like: repository:kubevirt/fedora-with-test-tooling-container-disk:pull
  SCOPE="$(echo "$AUTH_WWW" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')"

  if [[ -z "${REALM:-}" || -z "${SERVICE:-}" ]]; then
    echo "Failed to parse realm/service from WWW-Authenticate; cannot proceed."
    exit 2
  fi

  TOKEN_URL="${REALM}?service=${SERVICE}"
  if [[ -n "${SCOPE:-}" ]]; then
    TOKEN_URL="${TOKEN_URL}&scope=${SCOPE}"
  fi
  echo "Token URL: $TOKEN_URL"

  # The program is passed with -c so stdin stays free for the piped token response
  TOKEN="$(curl -sSL "$TOKEN_URL" | python3 -c '
import sys, json
data = sys.stdin.read()
j = json.loads(data)
print(j.get("token", ""))
')"

  if [[ -z "$TOKEN" ]]; then
    echo "Failed to obtain token from Quay."
    exit 3
  fi
  echo "Got token (length): ${#TOKEN}"

  RESP="$(curl -sSL \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
    "$MANIFEST_URL")"
else
  echo "== No auth challenge; fetching manifest directly =="
  RESP="$(curl -sSL \
    -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
    "$MANIFEST_URL")"
fi

echo "== Manifest fetch ok; parsing platforms =="
# The program is passed with -c so the here-string can supply the response on stdin
python3 -c '
import json, sys
resp = json.loads(sys.stdin.read())
# manifest list v2 schema has "manifests"
manifests = resp.get("manifests") or []
if not manifests:
    # if it is a single manifest, treat as one platform if present
    plat = resp.get("platform") or {}
    arch = (plat.get("architecture") or "")
    os_ = (plat.get("os") or "")
    if arch and os_:
        print(f"{os_}/{arch}")
    else:
        print("NO_MANIFEST_LIST_OR_PLATFORMS")
    sys.exit(0)
plats = set()
for m in manifests:
    p = m.get("platform") or {}
    os_ = p.get("os")
    arch = p.get("architecture")
    if os_ and arch:
        plats.add(f"{os_}/{arch}")
for x in sorted(plats):
    print(x)
' <<< "$RESP"
```
Repository: openshift/origin
Length of output: 794
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

IMG="kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
URL="https://quay.io/v2/${IMG}/manifests/${TAG}"

echo "== HEAD/GET with manifest-list Accept =="
resp_headers_and_body="$(mktemp)"

# Fetch body and capture status+content-type
body="$(curl -sS -D "$resp_headers_and_body" \
  -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+json' \
  "$URL")"

status="$(awk 'NR==1{print $2}' "$resp_headers_and_body")"
ctype="$(awk 'tolower($1)=="content-type:"{print $2}' "$resp_headers_and_body" | head -n1)"
echo "HTTP status: $status"
echo "Content-Type: $ctype"

echo "== Top-level keys =="
# The body is passed as argv[1]; -c is used because a here-doc cannot take a trailing argument
python3 -c '
import json, sys
data = json.loads(sys.argv[1])
print("keys:", sorted(list(data.keys())))
' "$body" || true

echo "== Does it contain manifests[]? =="
echo "$body" | jq -r 'if (.manifests? | type)=="array" then "manifests_count="+((.manifests|length|tostring)) else "no_manifests_array" end'

echo "== Extract platforms if manifests[] exists =="
echo "$body" | jq -r '
  if (.manifests? | type)=="array" then
    [.manifests[]
     | select(.platform != null)
     | "\(.platform.os)/\(.platform.architecture)"]
    | unique | sort | .[]
  else
    empty
  end'

echo "== If single manifest: try extract architecture from config (best-effort) =="
# For schema v2/v1, may have .architecture/.config/os/.config/architecture depending on schema.
echo "$body" | jq -r '
  (
    if .architecture? and .os? then "\(.os)/\(.architecture)" else empty end
  ),
  (
    if .config? and (.config.platform?) then "\(.config.platform.os)/\(.config.platform.architecture)" else empty end
  ),
  (
    if .config? and .config.os? and .config.architecture? then "\(.config.os)/\(.config.architecture)" else empty end
  )
' | head -n20
```
Repository: openshift/origin
Length of output: 461
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

IMG="kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
URL="https://quay.io/v2/${IMG}/manifests/${TAG}"

tmpdir="$(mktemp -d)"
hdr="$tmpdir/headers.txt"
body="$tmpdir/body.json"

curl -sS -D "$hdr" -o "$body" \
  -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+json' \
  "$URL" >/dev/null

status="$(awk 'NR==1{print $2}' "$hdr" | head -n1)"
ctype="$(awk -F': ' 'tolower($1)=="content-type"{print $2}' "$hdr" | head -n1 | tr -d '\r')"
echo "HTTP status: $status"
echo "Content-Type: $ctype"
echo "Body size: $(wc -c < "$body") bytes"

echo "== jq: top-level keys =="
jq -r 'keys|sort|join(", ")' < "$body" | head -c 5000
echo

echo "== jq: manifests array type and count (if any) =="
jq -r '(.manifests? | type) as $t | if $t=="array" then "manifests_type=array\nmanifests_count="+( (.manifests|length|tostring) ) else "manifests_type="+$t end' < "$body"

echo "== jq: platforms from manifests[] (if any) =="
jq -r '
  if (.manifests? | type)=="array" then
    [.manifests[]
     | select(.platform? != null)
     | "\(.platform.os)/\(.platform.architecture)"]
    | unique | sort | .[]
  else empty end
' < "$body"

echo "== jq: schema v1 architecture/os (best-effort) =="
jq -r '
  if (.os? != null and .architecture? != null) then "\(.os)/\(.architecture)" else empty end
' < "$body"

echo "== jq: any .platform fields present (best-effort) =="
jq -r '
  .. | objects | .platform? // empty
' < "$body" 2>/dev/null | head -n 50

rm -rf "$tmpdir"
```
Repository: openshift/origin
Length of output: 468
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

IMG="kubevirt/fedora-with-test-tooling-container-disk"
TAG="v1.8.2"
URL="https://quay.io/v2/${IMG}/manifests/${TAG}"

tmpdir="$(mktemp -d)"
hdr="$tmpdir/headers.txt"
body="$tmpdir/body.json"

curl -sS -D "$hdr" -o "$body" \
  -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+json' \
  "$URL" >/dev/null

echo "== Content-Type =="
awk -F': ' 'tolower($1)=="content-type"{print $2}' "$hdr" | head -n1 | tr -d '\r'
echo

echo "== Manifest fields =="
jq -r '"schemaVersion=" + (.schemaVersion|tostring) +
  "\narchitecture=" + (.architecture // "null") +
  "\nname=" + (.name // "null") +
  "\ntag=" + (.tag // "null") +
  "\nfsLayers_count=" + ((.fsLayers|length)|tostring)' < "$body"
echo

echo "== architecture from schema v1 (raw) =="
jq -r '.architecture // empty' < "$body"

rm -rf "$tmpdir"
```
Repository: openshift/origin
Length of output: 319
Quay v1.8.2 is single-arch (amd64) — expected multi-arch manifest list not provided
In test/extended/util/image/image.go (line 63), quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 resolves to a schema v1 single image manifest (architecture=amd64, no manifests[] list), so it does not provide a manifest list for amd64/arm64/s390x with ppc64le excluded as required. Update to a tag that publishes the expected multi-arch manifest list (or adjust the documented exception/tests accordingly); also ensure the mirrored quay.io/openshift/community-e2e-images image matches the intended architectures.
|
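The architecture check disputed in this thread, as an added example (not code from the PR, from CodeRabbit or from openshift/release): the curl scripts above send only Docker media types in `Accept`, while the commit message describes the tag as an OCI index, whose media type is `application/vnd.oci.image.index.v1+json`. This sketch classifies a manifest response by media type and compares its architectures with a required set and an exception list, also flagging an exception that is no longer needed. `architectures`, `check`, `REQUIRED` and the sample bodies are hypothetical names and constructed data.

```python
import json

# Media types that mark a multi-platform document (OCI index or Docker manifest list).
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
# Accept value covering both index formats and both single-image formats.
ACCEPT = ", ".join(sorted(INDEX_TYPES) + [
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])

def architectures(body, content_type=""):
    """Classify a manifest response body and return (kind, set of architectures)."""
    doc = json.loads(body)
    media = doc.get("mediaType") or content_type.split(";")[0].strip()
    if media in INDEX_TYPES or isinstance(doc.get("manifests"), list):
        archs = set()
        for entry in doc.get("manifests") or []:
            arch = (entry.get("platform") or {}).get("architecture")
            if arch and arch != "unknown":  # attestation entries use unknown/unknown
                archs.add(arch)
        return "index", archs
    if doc.get("schemaVersion") == 1:  # legacy schema 1: one top-level architecture
        return "schema1", {doc["architecture"]} if doc.get("architecture") else set()
    return "single", set()  # v2/OCI image manifest: platform is in the config blob

def check(body, required, allow_missing=(), content_type=""):
    """Compare the architectures a tag offers with a required set and an exception list."""
    kind, archs = architectures(body, content_type)
    missing = set(required) - archs
    excused = missing & set(allow_missing)
    return {
        "kind": kind,
        "archs": sorted(archs),
        "missing": sorted(missing - excused),         # gaps with no recorded exception
        "excused": sorted(excused),                   # gaps covered by an exception
        "stale": sorted(set(allow_missing) & archs),  # exceptions no longer needed
        "ok": kind == "index" and not (missing - excused),
    }

# Constructed sample responses (digests and layers omitted; not fetched from any registry).
REQUIRED = ["amd64", "arm64", "ppc64le", "s390x"]
OCI_INDEX = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [{"platform": {"os": "linux", "architecture": a}}
                  for a in ("amd64", "arm64", "s390x")]})
SCHEMA1 = json.dumps({"schemaVersion": 1, "name": "example/disk", "tag": "t",
                      "architecture": "amd64", "fsLayers": []})

if __name__ == "__main__":
    for sample in (OCI_INDEX, SCHEMA1):
        print(check(sample, REQUIRED, allow_missing=["ppc64le"]))
```

To use it against a live registry, send `ACCEPT` as the `Accept` header of the manifest request and pass the response body and `Content-Type` to `check`.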
@qinqon: This pull request references Jira Issue OCPBUGS-77283, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
|
@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: zhaozhanqi. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Scheduling required tests: |
What

Two related changes for the KubeVirt Fedora fedora-with-test-tooling-container-disk image used by the VM live-migration networking tests (test/extended/networking/livemigration.go):

- 20241024_891122a6fc to v1.8.2, which upstream publishes as an OCI index covering amd64/arm64/s390x. Updates the mirror allowlist key, the test reference, and the generated zz_generated.txt mapping.
- test/extended/util/image/README.md.

Why

Even at v1.8.2 the upstream image has no ppc64le variant, because KubeVirt does not currently support the ppc64le architecture (support was removed in kubevirt/kubevirt#14976). Bumping to the multi-arch v1.8.2 index closes the gap for the supported arches, while the documented --allow-missing-architectures exception (already present in the verify-image-manifest-lists presubmit in openshift/release) covers the still-missing ppc64le.

Restoring ppc64le is tracked upstream by KubeVirt VEP-258 (kubevirt/enhancements#258). This exception should be revisited once that lands.

Important

An image-mirror owner must mirror quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.8.2 into quay.io/openshift/community-e2e-images before this merges, otherwise the live-migration tests will hit ImagePullBackOff.

Ref

Summary by CodeRabbit