Bug 1310616 - oc new-build with docker strategy should prompt error when using absolute path for "--build-secret" (when testing compatibility between latest oc and old openshift)
oc new-build with docker strategy should prompt error when using absolute pat...
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build (Show other bugs)
3.2.0
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Michal Fojtik
Wenjing Zheng
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-22 06:11 EST by Xingxing Xia
Modified: 2016-05-12 12:30 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 12:30:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Xingxing Xia 2016-02-22 06:11:26 EST
Description of problem:
When testing compatibility between latest oc and old openshift, oc new-build with "docker" strategy should prompt error when using absolute path for "--build-secret", and should fail to create the bc. But error does not occur and the bc is created.

Version-Release number of selected component (if applicable):
CLI:
oc v3.1.1.904
kubernetes v1.2.0-alpha.7-703-gbc4550d
Master:
openshift v3.1.1.6
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. oc login and create a project
2. Prepare two secrets:
$ oc secrets new mysecret <any_local_file>
$ oc secrets new mysecret2 <any_local_file>
3. Run oc new-build as follows:
$ oc new-build --image=ruby-22-centos7 https://github.com/openshift/ruby-hello-world.git  --strategy=docker --build-secret mysecret:/tmp/mysecret --build-secret mysecret2

Actual results:
3. Command succeeds and bc is created.
(Though bc is created, `oc get bc ruby-hello-world -o yaml` get null secrets:
spec:
...
  source:
...
    secrets: null
)

Expected results:
3. Command should fail and prompt error:
error: BuildConfig "ruby-hello-world" is invalid: spec.source.secrets[0].destinationDir: Invalid value: "/tmp/mysecret": for the docker strategy the destinationDir has to be relative path

Additional info:
When the master version is the same as oc (i.e. both are v3.1.1.904), the bug disappears, which is as expected.
Comment 1 Michal Fojtik 2016-02-23 08:35:35 EST
The absolute path validation happens on the API validation level, so the `oc` does not validate the provided path. Does this mean we should also validate for absolute path in `oc` binary?
Comment 2 Ben Parees 2016-02-23 11:49:04 EST
Michal, this should be closed upstream as an RFE per the new trello card:
https://trello.com/c/NgWdS8qU/860-validate-calls-that-oc-make-to-master-api-to-see-if-the-requested-feature-is-available

right?
Comment 3 Xingxing Xia 2016-02-23 21:18:05 EST
(In reply to Michal Fojtik from comment #1)
> The absolute path validation happens on the API validation level, so the
> `oc` does not validate the provided path. Does this mean we should also
> validate for absolute path in `oc` binary?

I agree about Clayton's opinion https://github.com/openshift/origin/issues/7552#issuecomment-187734239. If absolute path is thought as kind of "selective" check, then better to validate for it in `oc`.
Comment 4 Michal Fojtik 2016-02-24 05:40:11 EST
I can add validation to 'oc' for that but it won't fix the problem in 'older' master where the build secrets are not supported ;-) IOW. you will not be able to create build secret with absolute path anymore, but if you provide relative, it will succeed even if the server does not support that feature...
Comment 5 Xingxing Xia 2016-02-25 01:12:28 EST
Michal, agree with you. Just need to validate oc. Thank you.
Comment 6 openshift-github-bot 2016-03-04 13:43:50 EST
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/85b571040d4694e059bf72cbe6d87374a84a0124
Bug 1310616: Validate absolute dir in build secret for docker strategy in oc new-build
Comment 7 Xingxing Xia 2016-03-06 22:28:49 EST
Verified against Origin using latest oc vs openshift older than the fix commit. Now step 3 result is:
error: unable to add build secrets "mysecret:/tmp/mysecret,mysecret2": for the docker strategy, the secret destination directory "/tmp/mysecret" must be a relative path

The bug is fixed. But code is not merged yet to OSE. Will verify against OSE when merged.
Comment 8 Xingxing Xia 2016-03-06 23:30:57 EST
s/than the fix commit/than v3.1.1.6
Comment 9 Xingxing Xia 2016-03-07 22:08:00 EST
Verified using latest OSE oc version v3.1.1.911 VS old openshift v3.1.1.6.
Comment 11 errata-xmlrpc 2016-05-12 12:30:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064

Note You need to log in before you can comment on or make changes to this bug.