0003269: "pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" - Rocky Linux BugTracker

ID	Project	Category	View Status	Date Submitted	Last Update

0003269	Rocky-Linux-9	containers-common	public	2023-05-20 18:13	2023-05-20 18:15

Reporter	Udayendu Kar	Assigned To
Priority	high	Severity	major	Reproducibility	always
Status	new	Resolution	open
Platform	Rocky Linux 8.8	OS	8	OS Version	8.8

Summary	0003269: "pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\""
Description	[preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' error execution phase preflight: [preflight] Some fatal errors occurred: [ERROR ImagePull]: failed to pull image registry.k8s.io/kube-apiserver:v1.26.5: output: time="2023-05-20T23:11:21+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [ERROR ImagePull]: failed to pull image registry.k8s.io/kube-controller-manager:v1.26.5: output: time="2023-05-20T23:11:39+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [ERROR ImagePull]: failed to pull image registry.k8s.io/kube-scheduler:v1.26.5: output: time="2023-05-20T23:11:57+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [ERROR ImagePull]: failed to pull image registry.k8s.io/kube-proxy:v1.26.5: output: time="2023-05-20T23:12:15+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [ERROR ImagePull]: failed to pull image registry.k8s.io/pause:3.9: output: time="2023-05-20T23:12:34+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [ERROR ImagePull]: failed to pull image registry.k8s.io/etcd:3.5.6-0: output: time="2023-05-20T23:12:52+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [ERROR ImagePull]: failed to pull image registry.k8s.io/coredns/coredns:v1.9.3: output: time="2023-05-20T23:13:10+05:30" level=fatal msg="pulling image: rpc error: code = Unknown desc = invalid policy in \"/etc/containers/policy.json\": Unknown key \"keyPaths\"" , error: exit status 1 [preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...` To see the stack trace of this error execute with --v=5 or higher
Steps To Reproduce	Make sure to have the following version of 'containers-common' package is installed in the system: # rpm -qi containers-common Name : containers-common Epoch : 2 Version : 1 Release : 64.module+el8.8.0+1265+fa25dd7a Architecture: x86_64 Install Date: Sat May 20 23:08:59 2023 Group : Unspecified Size : 521080 License : ASL 2.0 Signature : RSA/SHA256, Wed May 17 03:08:41 2023, Key ID 15af5dac6d745a60 Source RPM : containers-common-1-64.module+el8.8.0+1265+fa25dd7a.src.rpm Build Date : Wed May 17 02:52:24 2023 Build Host : ord1-prod-x86build005.svc.aws.rockylinux.org Relocations : (not relocatable) Packager : infrastructure@rockylinux.org Vendor : Rocky Summary : Common configuration and documentation for containers Description : This package contains common configuration files and documentation for container tools ecosystem, such as Podman, Buildah and Skopeo. It is required because the most of configuration files and docs come from projects which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged separately. Then try to pull the required container images for kubernetes cluster configuration using the below command: # kubeadm config images pull The above command will fail with the error message as mentioned in the issue description.
Additional Information	To fix this issue, the '/etc/containers/policy.json' file has to be updated with the following content: { "default": [ { "type": "insecureAcceptAnything" } ], "transports": { "docker": { "registry.access.redhat.com": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ], "registry.redhat.io": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ] }, "docker-daemon": { "": [ { "type": "insecureAcceptAnything" } ] } } }
Tags	imagepull, kubernetes, policy

Udayendu Kar 2023-05-20 18:15 reporter ~0003435	The default 'policy.json' file is looking like the below which is causing the issue: { "default": [ { "type": "insecureAcceptAnything" } ], "transports": { "docker": { "registry.access.redhat.com": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"] } ], "registry.redhat.io": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"] } ] }, "docker-daemon": { "": [ { "type": "insecureAcceptAnything" } ] } } }

Date Modified	Username	Field	Change
2023-05-20 18:13	Udayendu Kar	New Issue
2023-05-20 18:13	Udayendu Kar	Tag Attached: imagepull
2023-05-20 18:13	Udayendu Kar	Tag Attached: kubernetes
2023-05-20 18:13	Udayendu Kar	Tag Attached: policy
2023-05-20 18:15	Udayendu Kar	Note Added: 0003435