Bug 1543122
Summary: | RBAC DENY (system:anonymous fails to imagestreams/layers.image.openshift.io) | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Greg Rodriguez II <grodrigu>
Component: | Image Registry | Assignee: | Oleg Bulatov <obulatov>
Status: | CLOSED ERRATA | QA Contact: | Dongbo Yan <dyan>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 3.7.0 | CC: | aabhishe, ansverma, aos-bugs, bparees, jokerman, mfojtik, mmccomas, mtaru, obulatov, tparsons
Target Milestone: | --- | Keywords: | Reopened
Target Release: | 3.9.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | Cause: the signature importer tries to import signatures from the internal registry without credentials. Consequence: the registry checks if the anonymous user can get signatures using SAR requests. Fix: the signature importer skips the internal registry, because the internal registry and the signature importer work with the same storage. Result: no SAR requests. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-05-09 15:21:01 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Greg Rodriguez II
2018-02-07 18:47:44 UTC
Is a root cause known for this issue, and is there any cause for concern with these messages, or is this just logspam?

Michal, what makes you suspect the registry is making these anonymous requests? (And Oleg, assuming it is the registry, do you have any theory about what's causing it?)

Yeah, it is either the signature importer or the docker plugin that fetches signatures from the registry.

Michal, did you ever land your PRs to fix this stuff? (i.e. allow us to disable the import controller and/or stop it looking up signatures against anything except the redhat registry?) If not, when do you plan to do so?

Oleg, please talk to Michal Fojtik about this in the office and find out where his PRs are/what state they are in and how they can be moved forward to resolve this.

I talked to him a few days ago, here is his PR: https://github.com/containers/image/pull/383

But, as I said at scrum, I don't understand why we try to import signatures for managed (pushed into the registry) images. We use a magic library that can get signatures for an image not only from the registry, but from local files too, but do we need to import signatures for managed images from local files? I cannot find a non-marketing description for image signatures, so I don't know where to look for answers.

Hi, Oleg Bulatov, I followed the reproduce steps in the description, but cannot get the error. Could you please help provide some simple steps to reproduce this issue? Thanks in advance. Tested with:

    # openshift version
    openshift v3.7.36
    kubernetes v1.7.6+a08f5eeb62
    etcd 3.2.8

1. run OpenShift server with --loglevel=5,
2. secure registry,
3. push an image to the registry.

You may also want to edit dockerImageReference to use router, and somehow get a trusted certificate, otherwise you'll get

> Failed to get signatures for {{{registry.127.0.0.1.nip.io myproject/busybox-glibc} sha256:eb31109cc48cc7df6d77e559fbb221ef0e1497534538f7ce88f8306ee72b295a}} due to: pinging docker registry returned: Get https://registry.127.0.0.1.nip.io/v2/: x509: certificate signed by unknown authority

Thanks for your help, I could reproduce this issue with v3.7.36 and get an error like below:

    time="2018-03-07T04:37:16.900931775Z" level=error msg="OpenShift access denied: User \"system:anonymous\" cannot get imagestreams/layers.image.openshift.io in project \"install-test\"" go.version=go1.8.3 http.request.host="docker-registry.default.svc:5000" http.request.id=bd3014e5-030f-4b49-85ed-de0b7f5367a9 http.request.method=GET http.request.remoteaddr="10.128.0.1:53524" http.request.uri="/extensions/v2/install-test/nodejs-mongodb-example/signatures/sha256:b36340c92bf04e3b0bafbf893bf5a0aae2b38f6760e4ab9237c9e45f760a61f7" http.request.useragent="Go-http-client/1.1" instance.id=5f45af42-c13f-46ba-baeb-96d4e8d9e2df openshift.auth.user=anonymous openshift.logger=registry vars.digest="sha256:b36340c92bf04e3b0bafbf893bf5a0aae2b38f6760e4ab9237c9e45f760a61f7" vars.name="install-test/nodejs-mongodb-example"

Verified with

    openshift v3.9.3
    kubernetes v1.9.1+a0ce1bc657
    etcd 3.2.16

No similar error in docker-registry pod log.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489
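The thread's first question ("is this just logspam?") can be answered per log line once the registry's key=value format is parsed: an anonymous denial on the signature extension endpoint is the pattern this bug produces, while an anonymous denial on any other endpoint is not explained by the bug and deserves a look. The script below is an added example written for this page; it is not from the bug report or from the OpenShift registry code. It reuses the log line quoted in the thread verbatim; the second and third sample lines, the label names and the signature-path regex are assumptions made for the example.

```python
"""Triage helper for OpenShift registry 'access denied' log lines.

Added example, not part of bug 1543122 or of the OpenShift code base.
Labels each line as 'ok', 'anonymous-signature-lookup' (the credential-less
signature fetch this bug describes) or 'denied-other' (anonymous denial on
some other endpoint, worth reviewing).
"""
import re
from collections import Counter
from typing import Dict, Iterable

# Registry log lines are space-separated key=value pairs; a value is either a
# bare token or a double-quoted string with backslash escapes, e.g.
# msg="... User \"system:anonymous\" cannot get ...".
_PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Signature endpoint of the registry's OpenShift extension; path shape taken
# from the log line quoted in the bug thread (regex is an assumption).
_SIGNATURE_URI = re.compile(
    r"^/extensions/v2/(?P<ns>[^/]+)/(?P<name>[^/]+)/signatures/(?P<digest>sha256:[0-9a-f]{64})$"
)

# The log line quoted in the bug thread, verbatim.
PAGE_LOG_LINE = (
    r'time="2018-03-07T04:37:16.900931775Z" level=error '
    r'msg="OpenShift access denied: User \"system:anonymous\" cannot get '
    r'imagestreams/layers.image.openshift.io in project \"install-test\"" '
    r'go.version=go1.8.3 http.request.host="docker-registry.default.svc:5000" '
    r'http.request.id=bd3014e5-030f-4b49-85ed-de0b7f5367a9 http.request.method=GET '
    r'http.request.remoteaddr="10.128.0.1:53524" '
    r'http.request.uri="/extensions/v2/install-test/nodejs-mongodb-example/signatures/'
    r'sha256:b36340c92bf04e3b0bafbf893bf5a0aae2b38f6760e4ab9237c9e45f760a61f7" '
    r'http.request.useragent="Go-http-client/1.1" '
    r'instance.id=5f45af42-c13f-46ba-baeb-96d4e8d9e2df openshift.auth.user=anonymous '
    r'openshift.logger=registry '
    r'vars.digest="sha256:b36340c92bf04e3b0bafbf893bf5a0aae2b38f6760e4ab9237c9e45f760a61f7" '
    r'vars.name="install-test/nodejs-mongodb-example"'
)

# Constructed for this example: an anonymous denial on a manifest endpoint
# (not the signature path) and an ordinary, successful request.
CONSTRUCTED_DENIED_MANIFEST = (
    r'time="2018-03-07T04:40:00.000000000Z" level=error '
    r'msg="OpenShift access denied: User \"system:anonymous\" cannot get '
    r'imagestreams/layers.image.openshift.io in project \"install-test\"" '
    r'http.request.method=GET '
    r'http.request.uri="/v2/install-test/nodejs-mongodb-example/manifests/latest" '
    r'openshift.auth.user=anonymous openshift.logger=registry'
)
CONSTRUCTED_OK = (
    r'time="2018-03-07T04:41:00.000000000Z" level=info msg="response completed" '
    r'http.request.method=GET '
    r'http.request.uri="/v2/install-test/nodejs-mongodb-example/manifests/latest" '
    r'http.response.status=200 openshift.auth.user=developer openshift.logger=registry'
)
SAMPLE_LINES = [PAGE_LOG_LINE, CONSTRUCTED_DENIED_MANIFEST, CONSTRUCTED_OK]


def parse_registry_log(line: str) -> Dict[str, str]:
    """Split one registry log line into a key -> value map, unescaping quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _PAIR.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            # Drop the surrounding quotes and resolve backslash escapes (\" and \\).
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        fields[key] = raw
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Label a parsed line: 'ok', 'anonymous-signature-lookup' or 'denied-other'."""
    if "access denied" not in fields.get("msg", ""):
        return "ok"
    if fields.get("openshift.auth.user") == "anonymous" and _SIGNATURE_URI.match(
        fields.get("http.request.uri", "")
    ):
        # Exactly the pattern from the bug: a signature fetch without credentials
        # hitting the internal registry, which then runs a SAR for system:anonymous.
        return "anonymous-signature-lookup"
    # Anonymous (or other) denial elsewhere: not explained by this bug.
    return "denied-other"


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count lines per label so the bug's logspam can be separated from the rest."""
    return dict(Counter(classify(parse_registry_log(line)) for line in lines))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_registry_log(sample)
        print(f"{classify(parsed):27} {parsed.get('openshift.auth.user', '?'):10} "
              f"{parsed.get('http.request.uri', '')}")
    print(summarize(SAMPLE_LINES))
```

Run against a `docker-registry` pod log (`oc logs <pod> | python3 triage.py` after replacing `SAMPLE_LINES` with `sys.stdin`), a cluster affected only by this bug yields `anonymous-signature-lookup` entries and nothing in `denied-other`; after the 3.9 fix the former should disappear too, matching the verification comment above.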