Bug 1376489

Summary: Role system:image-pusher 500 http error when pushing to registry
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: Security
Assignee: Eric Paris <eparis>
Status: CLOSED WONTFIX
QA Contact: Chuan Yu <chuyu>
Severity: low
Priority: low
Version: 3.2.1
CC: aos-bugs, jialiu, jokerman, mmccomas, wsun
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2017-12-18 15:21:29 UTC
Type: Bug

Description Ryan Howe 2016-09-15 14:43:30 UTC
Description of problem:

Just giving a user the role system:image-pusher allows them to push to the internal registry, but after the push a 500 Internal Server Error occurs at the very end.

Version-Release number of selected component (if applicable):
  v3.2
  openshift3/ose-docker-registry:v3.2.1.15-1

How reproducible:
100%

Steps to Reproduce:
1. oc policy add-role-to-user system:image-pusher peter -n openshift
2. docker login -u peter -e email -p TOKEN 172.30.206.129:5000
3. docker tag registry.access.redhat.com/rhscl/nodejs-4-rhel7 172.30.206.129:5000/openshift/test1:1.1
4. docker push 172.30.206.129:5000/openshift/test1:1.1


Actual results:

Client shows image is pushed but error is seen on last step
```
The push refers to a repository [172.30.206.129:5000/openshift/test1] (len: 1)
9415d973b084: Pushed 
b1519065eba4: Pushed 
5b6aba0f60e8: Pushed 
1.1: digest: sha256:557bae829c35be94688fef427bd19ca5f0aa0daee0efe397f9d56937fed5b3af size: 3782
Received unexpected HTTP status: 500 Internal Server Error

```

DockerRegistry logs
```
time="2016-09-15T10:37:46.153228369-04:00" level=error msg="response completed with error" err.code=UNKNOWN err.detail="imagestreams \"test1\" not found" err.message="unknown error" go.version=go1.4.2 http.request.host="172.30.206.129:5000" http.request.id=15036e90-4ea3-47f8-a5c2-d753527555cb http.request.method=PUT http.request.remoteaddr="10.1.2.1:49813" http.request.uri="/v2/openshift/test1/manifests/1.1" http.request.useragent="docker/1.9.1 go/go1.4.2 kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=27.643361ms http.response.status=500 http.response.written=275 instance.id=8887de3f-93d1-4823-ad97-2948124884b0 vars.name="openshift/test1" vars.reference=1.1 
10.1.2.1 - - [15/Sep/2016:10:37:46 -0400] "PUT /v2/openshift/test1/manifests/1.1 HTTP/1.1" 500 275 "" "docker/1.9.1 go/go1.4.2 kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64"

```


Expected results:

No HTTP 500 error


Additional info:

I was able to fix this by adding imagestreams as a resource for the role. 


Old Role 

```
# oc get clusterrole system:image-pusher -o yaml
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2016-05-24T18:15:09Z
  name: system:image-pusher
  resourceVersion: "6716165"
  selfLink: /oapi/v1/clusterroles/system:image-pusher
  uid: 735c64cf-21db-11e6-8075-fa163ecd1122
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update
```


Fixed Role 

```
# oc get clusterrole system:image-pusher -o yaml
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2016-05-24T18:15:09Z
  name: system:image-pusher
  resourceVersion: "6716165"
  selfLink: /oapi/v1/clusterroles/system:image-pusher
  uid: 735c64cf-21db-11e6-8075-fa163ecd1122
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  - imagestreams
  verbs:
  - get
  - update
```

Comment 1 Jordan Liggitt 2016-09-15 15:06:40 UTC
Can you see any 403 Forbidden errors in the docker registry?

Comment 2 Ryan Howe 2016-10-08 13:31:46 UTC
This error is seen from docker logs. 

level=error msg="Upload failed: unauthorized: authentication required"

Comment 3 Jordan Liggitt 2016-10-27 05:10:48 UTC
Were they trying to push to an existing imagestream, or create a new one?

Comment 4 Michal Fojtik 2016-11-02 09:34:49 UTC
Jordan: I think they were creating a new one (iow. they pushed to a non-existing image stream and the registry is trying to create it and fails, as the pusher does not have rights to create new imagestreams.)

Comment 6 Eric Paris 2017-12-18 15:21:29 UTC
I am closing this BZ as WONTFIX since we are unable to prioritize doing any additional work in this area in the near future and we apologize for any inconvenience.
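
Added example (not part of the bug report or of OpenShift's code): a simplified offline evaluation of the two `system:image-pusher` rule sets shown in the description, illustrating that a grant on the subresource `imagestreams/layers` does not cover the parent resource `imagestreams`. The matcher is a simplified model (exact string or `*`), and the `PUSH_TO_NEW_STREAM` check list is a hypothetical set of operations assembled from the role dumps and comment 4, not the registry's actual call sequence.

```python
# Rules transcribed from the two `oc get clusterrole` dumps in the report.
OLD_ROLE = [{"resources": ["imagestreams/layers"], "verbs": ["get", "update"]}]
FIXED_ROLE = [{"resources": ["imagestreams/layers", "imagestreams"],
               "verbs": ["get", "update"]}]


def rule_allows(rule, verb, resource):
    """Simplified matcher (assumption): exact string or "*" wildcard.

    A subresource such as "imagestreams/layers" is its own resource
    string; it does not imply access to the parent "imagestreams".
    """
    verbs = rule.get("verbs") or []
    resources = rule.get("resources") or []
    return (verb in verbs or "*" in verbs) and (
        resource in resources or "*" in resources)


def allowed(rules, verb, resource):
    """True if any rule in the role covers the (verb, resource) pair."""
    return any(rule_allows(r, verb, resource) for r in rules)


def missing_grants(rules, needed):
    """Return the (verb, resource) pairs in `needed` that no rule covers."""
    return [(v, r) for v, r in needed if not allowed(rules, v, r)]


# Hypothetical check list for a push to an image stream that does not
# exist yet: layer access from the role itself, operations on the stream
# object, and the "create" described in comment 4.
PUSH_TO_NEW_STREAM = [
    ("get", "imagestreams/layers"),
    ("update", "imagestreams/layers"),
    ("get", "imagestreams"),
    ("update", "imagestreams"),
    ("create", "imagestreams"),
]

if __name__ == "__main__":
    for name, rules in (("old", OLD_ROLE), ("fixed", FIXED_ROLE)):
        print(name, "role is missing:",
              missing_grants(rules, PUSH_TO_NEW_STREAM))
```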