Description of problem:
Just giving a user the role system:image-pusher allows them to push to the internal registry, but after the push a 500 Internal Server Error occurs at the very end.

Version-Release number of selected component (if applicable):
v3.2
openshift3/ose-docker-registry:v3.2.1.15-1

How reproducible:
100%

Steps to Reproduce:
1. oc policy add-role-to-user system:image-pusher peter -n openshift
2. docker login -u peter -e email -p TOKEN 172.30.206.129:5000
3. docker tag registry.access.redhat.com/rhscl/nodejs-4-rhel7 172.30.206.129:5000/openshift/test1:1.1
4. docker push 172.30.206.129:5000/openshift/test1:1.1

Actual results:
Client shows image is pushed but error is seen on last step

```
The push refers to a repository [172.30.206.129:5000/openshift/test1] (len: 1)
9415d973b084: Pushed
b1519065eba4: Pushed
5b6aba0f60e8: Pushed
1.1: digest: sha256:557bae829c35be94688fef427bd19ca5f0aa0daee0efe397f9d56937fed5b3af size: 3782
Received unexpected HTTP status: 500 Internal Server Error
```

DockerRegistry logs

```
time="2016-09-15T10:37:46.153228369-04:00" level=error msg="response completed with error" err.code=UNKNOWN err.detail="imagestreams \"test1\" not found" err.message="unknown error" go.version=go1.4.2 http.request.host="172.30.206.129:5000" http.request.id=15036e90-4ea3-47f8-a5c2-d753527555cb http.request.method=PUT http.request.remoteaddr="10.1.2.1:49813" http.request.uri="/v2/openshift/test1/manifests/1.1" http.request.useragent="docker/1.9.1 go/go1.4.2 kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=27.643361ms http.response.status=500 http.response.written=275 instance.id=8887de3f-93d1-4823-ad97-2948124884b0 vars.name="openshift/test1" vars.reference=1.1
10.1.2.1 - - [15/Sep/2016:10:37:46 -0400] "PUT /v2/openshift/test1/manifests/1.1 HTTP/1.1" 500 275 "" "docker/1.9.1 go/go1.4.2 kernel/3.10.0-327.18.2.el7.x86_64 os/linux arch/amd64"
```

Expected results:
No HTTP 500 error

Additional info:
I was able to fix this by adding imagestreams as a resource for the role.

Old Role

```
# oc get clusterrole system:image-pusher -o yaml
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2016-05-24T18:15:09Z
  name: system:image-pusher
  resourceVersion: "6716165"
  selfLink: /oapi/v1/clusterroles/system:image-pusher
  uid: 735c64cf-21db-11e6-8075-fa163ecd1122
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update
```

Fixed Role

```
# oc get clusterrole system:image-pusher -o yaml
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2016-05-24T18:15:09Z
  name: system:image-pusher
  resourceVersion: "6716165"
  selfLink: /oapi/v1/clusterroles/system:image-pusher
  uid: 735c64cf-21db-11e6-8075-fa163ecd1122
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  - imagestreams
  verbs:
  - get
  - update
```
Can you see any 403 Forbidden errors in the docker registry?
This error is seen from docker logs. level=error msg="Upload failed: unauthorized: authentication required"
Were they trying to push to an existing imagestream, or create a new one?
Jordan: I think they were creating a new one (in other words, they pushed to a non-existing image stream and the registry is trying to create it and fails, as the pusher does not have rights to create new imagestreams).
I am closing this BZ as WONTFIX since we are unable to prioritize doing any additional work in this area in the near future and we apologize for any inconvenience.
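
The failure signature in the registry log quoted in the report can be matched mechanically. The following is an added example, not code from the report or from OpenShift: it parses the registry's logfmt line and reports manifest PUTs that returned 500 because the target image stream was missing. The function names are hypothetical, and the second sample line is constructed.

```python
import re

# key=value pairs; a value is a double-quoted string (with \" escapes) or a bare token
_PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S*)')
_MANIFEST_URI = re.compile(r'^/v2/(?P<repo>.+)/manifests/(?P<ref>[^/]+)$')
_MISSING_STREAM = re.compile(r'^imagestreams "(?P<name>[^"]+)" not found$')

# Abridged from the registry log in the report above.
REPORTED = (
    r'time="2016-09-15T10:37:46.153228369-04:00" level=error '
    r'msg="response completed with error" err.code=UNKNOWN '
    r'err.detail="imagestreams \"test1\" not found" err.message="unknown error" '
    r'http.request.method=PUT http.request.uri="/v2/openshift/test1/manifests/1.1" '
    r'http.response.status=500 vars.name="openshift/test1" vars.reference=1.1'
)
# Constructed line (not from the report): the same request succeeding.
CONSTRUCTED_OK = (
    r'time="2016-09-15T10:40:00-04:00" level=info msg="response completed" '
    r'http.request.method=PUT http.request.uri="/v2/openshift/test1/manifests/1.1" '
    r'http.response.status=201'
)


def parse_logfmt(line):
    """Parse one logfmt line from the registry into a dict of strings."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # strip quotes, unescape
        fields[key] = raw
    return fields


def failed_stream_create(line):
    """Return (namespace, stream, tag) for a manifest PUT that got HTTP 500
    because the target image stream does not exist; otherwise None."""
    f = parse_logfmt(line)
    if f.get("http.request.method") != "PUT" or f.get("http.response.status") != "500":
        return None
    uri = _MANIFEST_URI.match(f.get("http.request.uri", ""))
    missing = _MISSING_STREAM.match(f.get("err.detail", ""))
    if not uri or not missing:
        return None
    namespace, _, stream = uri.group("repo").partition("/")
    # Only report when the missing stream is the one named in the pushed repository.
    return (namespace, stream, uri.group("ref")) if stream == missing.group("name") else None


if __name__ == "__main__":
    print(failed_stream_create(REPORTED), failed_stream_create(CONSTRUCTED_OK))
```

A hit names the namespace in which the pushing user lacked an existing image stream, which is the place to check that user's role bindings.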