Bug 1804160
Summary: | The server responds with "500 Internal Server Error" when trying to push an image to a non-existing namespace | ||||||
---|---|---|---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Udi Kalifon <ukalifon> | ||||
Component: | Image Registry | Assignee: | Ricardo Maraschini <rmarasch> | ||||
Status: | CLOSED ERRATA | QA Contact: | Wenjing Zheng <wzheng> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 4.3.z | CC: | adam.kaplan, aos-bugs, obulatov, rmarasch | ||||
Target Milestone: | --- | ||||||
Target Release: | 4.5.0 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: |
Cause:
Pushing an image to a namespace that does not exist.
Consequence:
Image registry was returning a 500 error code.
Fix:
Changed the return code to indicate the lack of permissions.
Result:
When pushing images to a namespace that does not exist a permission denied error is returned.
|
Story Points: | --- | ||||
Clone Of: | Environment: | ||||||
Last Closed: | 2020-07-13 17:15:41 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Udi Kalifon
2020-02-18 11:19:56 UTC
Please attach the registry pod's logs. Created attachment 1663890 [details]
registry pod's logs
Attaching the logs
Verified on 4.5.0-0.nightly-2020-05-10-180138: $ docker push default-route-openshift-image-registry.apps.jima-ipishared.qe.devcluster.openshift.com/invalid/myimage The push refers to a repository [default-route-openshift-image-registry.apps.jima-ipishared.qe.devcluster.openshift.com/invalid/myimage] 5b0d2d635df8: Layer already exists denied $ oc logs pods/image-registry-55c76b59b9-6cmxk | grep denied time="2020-05-12T08:46:08.689475393Z" level=error msg="manifestService.Put: imagestreammapping got access denied for image invalid/myimage@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6: ImageStream:Forbidden: CreateImageStreamMapping: error creating invalid/myimage ImageStreamMapping: namespaces \"invalid\" not found" go.version=go1.13.4 http.request.contenttype=application/vnd.docker.distribution.manifest.v2+json http.request.host=default-route-openshift-image-registry.apps.jima-ipishared.qe.devcluster.openshift.com http.request.id=ab8d502e-5ca4-40f7-a0a1-eae274643e8c http.request.method=PUT http.request.remoteaddr=66.187.233.202 http.request.uri=/v2/invalid/myimage/manifests/latest http.request.useragent="docker/1.13.1 go/go1.10.3 kernel/3.10.0-1060.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" openshift.auth.user="system:serviceaccount:wzheng1:registry" vars.name=invalid/myimage vars.reference=latest time="2020-05-12T08:46:08.68958593Z" level=error msg="response completed with error" err.code=denied err.message="requested access to the resource is denied" go.version=go1.13.4 http.request.contenttype=application/vnd.docker.distribution.manifest.v2+json http.request.host=default-route-openshift-image-registry.apps.jima-ipishared.qe.devcluster.openshift.com http.request.id=ab8d502e-5ca4-40f7-a0a1-eae274643e8c http.request.method=PUT http.request.remoteaddr=66.187.233.202 http.request.uri=/v2/invalid/myimage/manifests/latest http.request.useragent="docker/1.13.1 go/go1.10.3 kernel/3.10.0-1060.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration=73.337921ms http.response.status=403 http.response.written=86 openshift.auth.user="system:serviceaccount:wzheng1:registry" vars.name=invalid/myimage vars.reference=latest time="2020-05-12T08:46:12.533040173Z" level=error msg="manifestService.Put: imagestreammapping got access denied for image invalid/myimage@sha256:f0fdd92f1dbc78a8f113cf251ef1962e7cb864234f0e67e921ae4fa3390f6f04: ImageStream:Forbidden: CreateImageStreamMapping: error creating invalid/myimage ImageStreamMapping: namespaces \"invalid\" not found" go.version=go1.13.4 http.request.contenttype=application/vnd.docker.distribution.manifest.v1+prettyjws http.request.host=default-route-openshift-image-registry.apps.jima-ipishared.qe.devcluster.openshift.com http.request.id=829d67f7-5d09-43a7-913b-b139eb883c93 http.request.method=PUT http.request.remoteaddr=66.187.233.202 http.request.uri=/v2/invalid/myimage/manifests/latest http.request.useragent="docker/1.13.1 go/go1.10.3 kernel/3.10.0-1060.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" openshift.auth.user="system:serviceaccount:wzheng1:registry" vars.name=invalid/myimage vars.reference=latest time="2020-05-12T08:46:12.533180662Z" level=error msg="response completed with error" err.code=denied err.message="requested access to the resource is denied" go.version=go1.13.4 http.request.contenttype=application/vnd.docker.distribution.manifest.v1+prettyjws http.request.host=default-route-openshift-image-registry.apps.jima-ipishared.qe.devcluster.openshift.com http.request.id=829d67f7-5d09-43a7-913b-b139eb883c93 http.request.method=PUT http.request.remoteaddr=66.187.233.202 http.request.uri=/v2/invalid/myimage/manifests/latest http.request.useragent="docker/1.13.1 go/go1.10.3 kernel/3.10.0-1060.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \\(linux\\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration=77.261243ms http.response.status=403 http.response.written=86 openshift.auth.user="system:serviceaccount:wzheng1:registry" vars.name=invalid/myimage vars.reference=latest Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409 |