[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Authorisation issue



Between the nodes and the master... :)

If you have configured the nodes so that they *can* reach the master,
and are using openshift-sdn, be sure that port 4789 is open for UDP
between your nodes and master.

On Wed, Aug 26, 2015 at 12:53 AM, Jordan Liggitt <jliggitt redhat com> wrote:
> Looks more like a network issue between the registry and the master API. The
> registry is getting a timeout trying to check the access level before
> allowing the push:
>
> time="2015-08-25T23:12:50-04:00" level=error msg="error checking
> authorization: Post
> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
> dial tcp: i/o timeout"
>
>
>
>
>
>
> On Aug 25, 2015, at 11:45 PM, Justin Wood <justin wood sixtree co nz> wrote:
>
> Hi All
>
> Can anyone help with this?   From a fresh install of open shift enterprise
> with only a router and registry I’ve attempted to build an image based on a
> docker file.   The build works but the image can’t be pushed to the
> repository because there appears to be an authorisation problem.   I am
> using the AllowAll security. and I have service users for the registry and
> the router.
>
> oc edit scc priviliged
> ...
> users:
> - system:serviceaccount:openshift-infra:build-controller
> - system:serviceaccount:default:registry
> - system:serviceaccount:default:router
>
> I looks like this issue
>
> https://github.com/openshift/origin/issues/3613
>
> but
>
> [root master ~]# sudo ls -laZ /var/lib/openshift/openshift.local.volumes/
> drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 .
> drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 ..
> drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 plugins
> drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 pods
>
> Here’s what I get:
>
> oc create -f ./java7-base-buildConfig.json
>
> $ oc get pods
> NAME                                READY     STATUS         RESTARTS   AGE
> sixtree-docker-java7-base-1-build   0/1       ExitCode:255   0          2$1m
>
> Here are the logs from the build:
> ---------------------------------------------
>
> $ oc logs sixtree-docker-java7-base-1-build
>
> …
>
> Removing intermediate container 5e7c5499b845
> Successfully built 04cce34a6768
> I0825 23:05:16.345191       1 docker.go:105] Pushing
> 172.30.187.196:5000/kafka-elastic/sixtree-docker-java7-base:latest image ...
> E0825 23:06:18.688196       1 dockerutil.go:50] push for image
> 172.30.187.196:5000/kafka-elastic/sixtree-docker-java7-base:latest failed,
> will retry in 10s ...
> E0825 23:08:57.310072       1 dockerutil.go:50] push for image
> 172.30.187.196:5000/kafka-elastic/sixtree-docker-java7-base:latest failed,
> will retry in 10s ...
> F0825 23:12:50.808531       1 builder.go:64] Build error: Failed to push
> image: Error pushing to registry: Server error: unexpected 400 response
> status trying to initiate upload of kafka-elastic/sixtree-docker-java7-base
>
> Here are the logs from the registry:
> ---------------------------------------------
>
> $ oc logs docker-registry-1-259kz
>
> …
>
> time="2015-08-25T23:11:24-04:00" level=info msg="response completed"
> http.request.host="172.30.187.196:5000"
> http.request.id=49bfcb6c-8341-4cd9-bea6-ec7a13a60ef3 http.request.method=PUT
> http.request.remoteaddr="10.1.1.1:59058"
> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/86659720-4a86-4c3e-9c5f-6975fc8fb6fc?_state=bfwh7lQgr_kxASK0brAixitGP_U4YOMxPs6QaF3MgkB7Ik5hbWUiOiJrYWZrYS1lbGFzdGljL3NpeHRyZWUtZG9ja2VyLWphdmE3LWJhc2UiLCJVVUlEIjoiODY2NTk3MjAtNGE4Ni00YzNlLTljNWYtNjk3NWZjOGZiNmZjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDE1LTA4LTI2VDAzOjEwOjU4LjI5MDAzMjA4N1oifQ%3D%3D&digest=sha256%3Aa3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
> http.request.useragent="docker/1.7.1 go/go1.4.2
> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
> http.response.duration=26.313875973s http.response.written=0
> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
> 10.1.1.1 - - [25/Aug/2015:23:10:58 -0400] "PUT
> /v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/86659720-4a86-4c3e-9c5f-6975fc8fb6fc?_state=bfwh7lQgr_kxASK0brAixitGP_U4YOMxPs6QaF3MgkB7Ik5hbWUiOiJrYWZrYS1lbGFzdGljL3NpeHRyZWUtZG9ja2VyLWphdmE3LWJhc2UiLCJVVUlEIjoiODY2NTk3MjAtNGE4Ni00YzNlLTljNWYtNjk3NWZjOGZiNmZjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDE1LTA4LTI2VDAzOjEwOjU4LjI5MDAzMjA4N1oifQ%3D%3D&digest=sha256%3Aa3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
> HTTP/1.1" 201 0 "" "docker/1.7.1 go/go1.4.2
> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
> time="2015-08-25T23:12:20-04:00" level=debug msg="authorizing request"
> http.request.host="172.30.187.196:5000"
> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
> http.request.useragent="docker/1.7.1 go/go1.4.2
> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
> vars.name="kafka-elastic/sixtree-docker-java7-base"
> time="2015-08-25T23:12:20-04:00" level=debug msg="OpenShift auth: checking
> for access to repository:kafka-elastic/sixtree-docker-java7-base:pull"
> time="2015-08-25T23:12:50-04:00" level=error msg="OpenShift client error:
> Post
> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
> dial tcp: i/o timeout"
> time="2015-08-25T23:12:50-04:00" level=error msg="error checking
> authorization: Post
> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
> dial tcp: i/o timeout" http.request.host="172.30.187.196:5000"
> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
> http.request.useragent="docker/1.7.1 go/go1.4.2
> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
> vars.name="kafka-elastic/sixtree-docker-java7-base"
> time="2015-08-25T23:12:50-04:00" level=error msg="error authorizing context:
> Post
> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
> dial tcp: i/o timeout" http.request.host="172.30.187.196:5000"
> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
> http.request.useragent="docker/1.7.1 go/go1.4.2
> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
> vars.name="kafka-elastic/sixtree-docker-java7-base"
> time="2015-08-25T23:12:50-04:00" level=info msg="response completed"
> http.request.host="172.30.187.196:5000"
> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
> http.request.useragent="docker/1.7.1 go/go1.4.2
> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
> http.response.duration=30.002254933s http.response.written=0
> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
> 10.1.1.1 - - [25/Aug/2015:23:12:20 -0400] "POST
> /v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/ HTTP/1.1" 400 0
> "" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.11.1.el7.x86_64 os/linux
> arch/amd64”
>
> Thanks and regards
> Justin
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>



-- 
Clayton Coleman | Lead Engineer, OpenShift


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]