Bug 1316017 - [platformmanagement_public_426]The quota can be abused by creating image stream tags
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Image Registry
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Michal Minar
QA Contact: Wei Sun
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-09 09:31 UTC by zhou ying
Modified: 2016-09-19 13:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-19 13:50:02 UTC
Target Upstream Version:
Embargoed:



Description zhou ying 2016-03-09 09:31:56 UTC
Description of problem:
The quota can be abused by creating image stream tags

Version-Release number of selected component (if applicable):
openshift v1.1.3-536-gda71953
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

How reproducible:
always

Steps to Reproduce:
1. To apply a quota to a project:
`more resource-quota.json`
{
  "apiVersion": "v1",
  "kind": "ResourceQuota",
  "metadata": {
    "name": "quota"
  },
  "spec": {
    "hard": {
      "memory": "1Gi",
      "cpu": "20",
      "openshift.io/imagesize": "0.2Gi",
      "openshift.io/imagestreamsize": "0.2Gi",
      "openshift.io/projectimagessize": "0.2Gi",
      "pods": "10",
      "services": "5",
      "replicationcontrollers":"5",
      "resourcequotas":"1"
    }
  }
}

`oc create -f resource-quota.json -n zhouy`

2. Tag a public registry image to the project, the image size is 160M;
  `docker tag docker.io/zhouying7780/singlelayer hellotest:latest`
3. Push the image to integrated docker-registry.
4. Tag the ImageStream with another tag:
   `oc tag hellotest:latest mybase:v2`
5. Push the new ImageStream again.
6. Check the quota info.

Actual results:
5. The push succeeds;
6. The quota info shows that the Used value of openshift.io/projectimagessize is bigger than the Hard value of openshift.io/projectimagessize.
[root@ip-172-18-6-56 amd64]# oc describe quota
Name:        quota
Namespace:   zhouy
Resource                          Used        Hard
--------                          ----        ----
cpu                               0           20
memory                            0           1Gi
openshift.io/imagesize            0           214748364800m
openshift.io/imagestreamsize      0           214748364800m
openshift.io/projectimagessize    320204510   214748364800m
pods                              0           10
replicationcontrollers            0           5
resourcequotas                    1           1
services                          0           5

Expected results:
The Used of openshift.io/projectimagessize should not exceed the Hard of openshift.io/projectimagessize.

Additional info:
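
Added example, not part of the original report: the Hard column above is printed in milli-units (`214748364800m` is the `0.2Gi` from the quota spec), so the overrun is easy to misread. This Python sketch normalizes Kubernetes quantity suffixes and flags rows where Used exceeds Hard; the function names are assumptions, and the sample is the output quoted in the report with a few rows omitted.

```python
import re
from decimal import Decimal

# Multipliers for a subset of Kubernetes quantity suffixes (milli, decimal SI, binary SI).
SUFFIX = {"": Decimal(1), "m": Decimal("0.001"),
          "k": Decimal(10)**3, "M": Decimal(10)**6, "G": Decimal(10)**9,
          "Ki": Decimal(2)**10, "Mi": Decimal(2)**20, "Gi": Decimal(2)**30}

QTY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)([A-Za-z]*)$")

def parse_quantity(text):
    """Convert a quantity string such as '0.2Gi' or '214748364800m' to base units."""
    m = QTY.match(text)
    if not m or m.group(2) not in SUFFIX:
        raise ValueError(f"unsupported quantity: {text!r}")
    return Decimal(m.group(1)) * SUFFIX[m.group(2)]

def over_quota(describe_output):
    """Return {resource: (used, hard)} for every row where Used > Hard."""
    result = {}
    for line in describe_output.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        name, used, hard = fields
        try:
            u, h = parse_quantity(used), parse_quantity(hard)
        except ValueError:  # header and separator rows are not quantities
            continue
        if u > h:
            result[name] = (u, h)
    return result

# Rows taken from the `oc describe quota` output quoted in the report.
SAMPLE = """\
Resource                          Used        Hard
--------                          ----        ----
cpu                               0           20
memory                            0           1Gi
openshift.io/imagesize            0           214748364800m
openshift.io/imagestreamsize      0           214748364800m
openshift.io/projectimagessize    320204510   214748364800m
pods                              0           10
resourcequotas                    1           1
"""

if __name__ == "__main__":
    for name, (used, hard) in over_quota(SAMPLE).items():
        print(f"{name}: used {used} B > hard {hard} B ({used / hard:.2f}x)")
```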

Comment 1 Michal Minar 2016-03-14 10:05:27 UTC
Origin PR addressing this: https://github.com/openshift/origin/pull/7930

Comment 2 Paul Weil 2016-03-30 17:37:03 UTC
Latest PR with reworked quota: https://github.com/openshift/origin/pull/8195

Comment 3 zhou ying 2016-04-11 02:31:07 UTC
Since the latest strategy will not limit the total project-image-size, can we close this issue?

Comment 4 Michal Minar 2016-04-11 07:49:03 UTC
Let's wait for a merge of the PR #8195.

Comment 5 Paul Weil 2016-04-11 12:23:41 UTC
Moving to ON_QA, they can close this when 8195 merges since they've begun testing 8195 already and this will not be relevant.

Comment 6 zhou ying 2016-04-13 03:15:52 UTC
Will verify it once PR #8195 is merged.

Comment 7 Michal Minar 2016-04-27 07:24:43 UTC
Quota is being reworked once more. Blocked on PR #8195.

Comment 10 Michal Minar 2016-06-07 10:33:36 UTC
The quota refactor PR https://github.com/openshift/origin/pull/8195 has been merged. This bug is no longer relevant.

Comment 11 zhou ying 2016-06-12 08:03:10 UTC
Confirmed with AMI devenv-rhel7_4354: the issue has been fixed.
openshift v1.3.0-alpha.1-251-ga19279f
kubernetes v1.3.0-alpha.1-331-g0522e63
etcd 2.3.0

