Bug 1316017 - [platformmanagement_public_426]The quota can be abused by creating image steam tags
[platformmanagement_public_426]The quota can be abused by creating image stea...
Product: OpenShift Origin
Classification: Red Hat
Component: Image Registry (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Michal Minar
Wei Sun
Depends On:
  Show dependency treegraph
Reported: 2016-03-09 04:31 EST by zhou ying
Modified: 2016-09-19 09:50 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-09-19 09:50:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description zhou ying 2016-03-09 04:31:56 EST
Description of problem:
The quota can be abused by creating image steam tags

Version-Release number of selected component (if applicable):
openshift v1.1.3-536-gda71953
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

How reproducible:

Steps to Reproduce:
1. To apply a quota to a project:
more resource-quota.json 
  "apiVersion": "v1",
  "kind": "ResourceQuota",
  "metadata": {
    "name": "quota"
  "spec": {
    "hard": {
      "memory": "1Gi",
      "cpu": "20",
      "openshift.io/imagesize": "0.2Gi",
      "openshift.io/imagestreamsize": "0.2Gi",
      "openshift.io/projectimagessize": "0.2Gi",
      "pods": "10",
      "services": "5",

`oc create -f resource-quota.json -n zhouy`

2. Tag a public registry image to the project, the image size is 160M;
  `docker tag docker.io/zhouying7780/singlelayer hellotest:latest`
3. Push the image to integrated docker-registry.
4. Tag the ImageStream with another tag:
   `oc tag hellotest:latest mybase:v2`
5. Push the new ImageSteam again.
6. Check the quota info.

Actual results:
5. Push successfully;
6. The quota info show that the Used of openshift.io/projectimagessize is bigger than the Hard of openshift.io/projectimagessize.
[root@ip-172-18-6-56 amd64]# oc describe quota
Name:                quota
Namespace:            zhouy
Resource            Used        Hard
--------            ----        ----
cpu                0        20
memory                0        1Gi
openshift.io/imagesize        0        214748364800m
openshift.io/imagestreamsize    0        214748364800m
openshift.io/projectimagessize    320204510    214748364800m
pods                0        10
replicationcontrollers        0        5
resourcequotas            1        1
services            0        5

Expected results:
The Used of openshift.io/projectimagessize should not exceed the Hard of openshift.io/projectimagessize.

Additional info:
Comment 1 Michal Minar 2016-03-14 06:05:27 EDT
Origin PR addressing this: https://github.com/openshift/origin/pull/7930
Comment 2 Paul Weil 2016-03-30 13:37:03 EDT
Latest PR with reworked quota: https://github.com/openshift/origin/pull/8195
Comment 3 zhou ying 2016-04-10 22:31:07 EDT
Since the latest strategy will not limit the total project-image-size , can we close this issue ?
Comment 4 Michal Minar 2016-04-11 03:49:03 EDT
Let's wait for a merge of the PR #8195.
Comment 5 Paul Weil 2016-04-11 08:23:41 EDT
Moving to ON_QA, they can close this when 8195 merges since they've begun testing 8195 already and this will not be relevant.
Comment 6 zhou ying 2016-04-12 23:15:52 EDT
Will verify it until the PR #8195 to be merged.
Comment 7 Michal Minar 2016-04-27 03:24:43 EDT
Quota is being reworked once more. Blocked on PR #8195.
Comment 10 Michal Minar 2016-06-07 06:33:36 EDT
The quota refactor PR https://github.com/openshift/origin/pull/8195 has been merged. This bug is no longer relevant.
Comment 11 zhou ying 2016-06-12 04:03:10 EDT
Confirmed with ami :devenv-rhel7_4354 , the issue has fixed. 
openshift v1.3.0-alpha.1-251-ga19279f
kubernetes v1.3.0-alpha.1-331-g0522e63
etcd 2.3.0

Note You need to log in before you can comment on or make changes to this bug.