
Re: Authorisation issue



Hi Guys 

Thanks for your help with this. In the course of diagnosing things I blew away my registry and recreating it caused some chaos, so I rolled my VMs back to just after the ansible install. Then I installed the registry again with the mount host option and locked my registry and router onto master with a nodeSelector. I then successfully created a base docker image that gets added to the image stream in the project, but then when I try to use that image to build another I get an authorisation error again.

last lines of my build pod log
...
Removing intermediate container a82af4fae27b
Successfully built b249651db36a
I0826 18:09:22.991121       1 docker.go:105] Pushing 172.30.197.84:5000/kafka-elastic/sixtree-docker-java7-base:latest image ...

I tried this with my node down (I have two VMs, one master and one node1) and it works every time, even when the builds are run on node1 and they talk to the registry on master. So I feel pretty certain the comms are good and I don’t see any 'dial tcp' style errors or timeouts now.


time="2015-08-26T18:17:19-04:00" level=debug msg="authorizing request" http.request.host="172.30.197.84:5000" http.request.id=7d6e145e-1d0d-454d-9316-ace28e9b0707 http.request.method=PUT http.request.remoteaddr="10.1.0.1:44233" http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/manifests/latest" http.request.useragent="docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" instance.id=6bbf5b48-4fe4-4088-a859-e71981eca2e4 vars.name="kafka-elastic/sixtree-docker-java7-base" vars.reference=latest 
time="2015-08-26T18:17:19-04:00" level=debug msg="OpenShift auth: checking for access to repository:kafka-elastic/sixtree-docker-java7-base:pull" 
time="2015-08-26T18:17:34-04:00" level=debug msg="OpenShift auth: checking for access to repository:kafka-elastic/sixtree-docker-java7-base:push" 
time="2015-08-26T18:17:34-04:00" level=debug msg=PutImageManifest http.request.host="172.30.197.84:5000" http.request.id=7d6e145e-1d0d-454d-9316-ace28e9b0707 http.request.method=PUT http.request.remoteaddr="10.1.0.1:44233" http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/manifests/latest" http.request.useragent="docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" instance.id=6bbf5b48-4fe4-4088-a859-e71981eca2e4 vars.name="kafka-elastic/sixtree-docker-java7-base" vars.reference=latest 

But I failed to get authorised when I tried to pull that base image to build another one.

sixtree-docker-java7-base-1-build      0/1       ExitCode:0   0          19m
$ oc logs sixtree-docker-elasticsearch-1-build
I0826 18:27:06.730709       1 builder.go:111] Using 'ssh-privatekey' from secret 'justinscmsecret'
E0826 18:27:23.600445       1 git.go:127] Warning: Permanently added 'bitbucket.org,131.103.20.168' (RSA) to the list of known hosts.
Already on 'master'
Step 0 : FROM 172.30.197.84:5000/kafka-elastic/sixtree-docker-java7-base sha256:1bafa5d99c3ef1aaa93dab19e33cf27e6290dde0c3efe5a183820fc239f8a580
F0826 18:27:25.471225       1 builder.go:64] Build error: pulling with digest reference failed from v2 registry

and the registry logs have:

time="2015-08-26T18:27:25-04:00" level=error msg="error authorizing context: authorization header with basic token required" http.request.host="172.30.197.84:5000" http.request.id=8ba723c7-a6b6-4c85-931c-104648257f5a http.request.method=GET http.request.remoteaddr="10.1.0.1:44959" http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/manifests/sha256:1bafa5d99c3ef1aaa93dab19e33cf27e6290dde0c3efe5a183820fc239f8a580" http.request.useragent="docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" instance.id=6bbf5b48-4fe4-4088-a859-e71981eca2e4 vars.name="kafka-elastic/sixtree-docker-java7-base" vars.reference="sha256:1bafa5d99c3ef1aaa93dab19e33cf27e6290dde0c3efe5a183820fc239f8a580" 
time="2015-08-26T18:27:25-04:00" level=info msg="response completed" http.request.host="172.30.197.84:5000" http.request.id=8ba723c7-a6b6-4c85-931c-104648257f5a http.request.method=GET http.request.remoteaddr="10.1.0.1:44959" http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/manifests/sha256:1bafa5d99c3ef1aaa93dab19e33cf27e6290dde0c3efe5a183820fc239f8a580" http.request.useragent="docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.694953ms http.response.written=0 instance.id=6bbf5b48-4fe4-4088-a859-e71981eca2e4 

Note that I have service accounts for my router and registry:

...
users:
- system:serviceaccount:openshift-infra:build-controller
- system:serviceaccount:default:router
- system:serviceaccount:default:registry


> On 26/08/2015, at 4:01 pm, Clayton Coleman <ccoleman redhat com> wrote:
> 
> Between the nodes and the master... :)
> 
> If you have configured the nodes so that they *can* reach the master,
> and are using openshift-sdn, be sure that port 4789 is open for UDP
> between your nodes and master.
> 
> On Wed, Aug 26, 2015 at 12:53 AM, Jordan Liggitt <jliggitt redhat com> wrote:
>> Looks more like a network issue between the registry and the master API. The
>> registry is getting a timeout trying to check the access level before
>> allowing the push:
>> 
>> time="2015-08-25T23:12:50-04:00" level=error msg="error checking
>> authorization: Post
>> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
>> dial tcp: i/o timeout"
>> 
>> 
>> 
>> 
>> 
>> 
>> On Aug 25, 2015, at 11:45 PM, Justin Wood <justin wood sixtree co nz> wrote:
>> 
>> Hi All
>> 
>> Can anyone help with this?   From a fresh install of open shift enterprise
>> with only a router and registry I’ve attempted to build an image based on a
>> docker file.   The build works but the image can’t be pushed to the
>> repository because there appears to be an authorisation problem.   I am
>> using the AllowAll security, and I have service users for the registry and
>> the router.
>> 
>> oc edit scc privileged
>> ...
>> users:
>> - system:serviceaccount:openshift-infra:build-controller
>> - system:serviceaccount:default:registry
>> - system:serviceaccount:default:router
>> 
>> It looks like this issue
>> 
>> https://github.com/openshift/origin/issues/3613
>> 
>> but
>> 
>> [root master ~]# sudo ls -laZ /var/lib/openshift/openshift.local.volumes/
>> drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 ..
>> drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 plugins
>> drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 pods
>> 
>> Here’s what I get:
>> 
>> oc create -f ./java7-base-buildConfig.json
>> 
>> $ oc get pods
>> NAME                                READY     STATUS         RESTARTS   AGE
>> sixtree-docker-java7-base-1-build   0/1       ExitCode:255   0          2$1m
>> 
>> Here are the logs from the build:
>> ---------------------------------------------
>> 
>> $ oc logs sixtree-docker-java7-base-1-build
>> 
>> …
>> 
>> Removing intermediate container 5e7c5499b845
>> Successfully built 04cce34a6768
>> I0825 23:05:16.345191       1 docker.go:105] Pushing
>> 172.30.187.196:5000/kafka-elastic/sixtree-docker-java7-base:latest image ...
>> E0825 23:06:18.688196       1 dockerutil.go:50] push for image
>> 172.30.187.196:5000/kafka-elastic/sixtree-docker-java7-base:latest failed,
>> will retry in 10s ...
>> E0825 23:08:57.310072       1 dockerutil.go:50] push for image
>> 172.30.187.196:5000/kafka-elastic/sixtree-docker-java7-base:latest failed,
>> will retry in 10s ...
>> F0825 23:12:50.808531       1 builder.go:64] Build error: Failed to push
>> image: Error pushing to registry: Server error: unexpected 400 response
>> status trying to initiate upload of kafka-elastic/sixtree-docker-java7-base
>> 
>> Here are the logs from the registry:
>> ---------------------------------------------
>> 
>> $ oc logs docker-registry-1-259kz
>> 
>> …
>> 
>> time="2015-08-25T23:11:24-04:00" level=info msg="response completed"
>> http.request.host="172.30.187.196:5000"
>> http.request.id=49bfcb6c-8341-4cd9-bea6-ec7a13a60ef3 http.request.method=PUT
>> http.request.remoteaddr="10.1.1.1:59058"
>> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/86659720-4a86-4c3e-9c5f-6975fc8fb6fc?_state=bfwh7lQgr_kxASK0brAixitGP_U4YOMxPs6QaF3MgkB7Ik5hbWUiOiJrYWZrYS1lbGFzdGljL3NpeHRyZWUtZG9ja2VyLWphdmE3LWJhc2UiLCJVVUlEIjoiODY2NTk3MjAtNGE4Ni00YzNlLTljNWYtNjk3NWZjOGZiNmZjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDE1LTA4LTI2VDAzOjEwOjU4LjI5MDAzMjA4N1oifQ%3D%3D&digest=sha256%3Aa3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
>> http.request.useragent="docker/1.7.1 go/go1.4.2
>> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
>> http.response.duration=26.313875973s http.response.written=0
>> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
>> 10.1.1.1 - - [25/Aug/2015:23:10:58 -0400] "PUT
>> /v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/86659720-4a86-4c3e-9c5f-6975fc8fb6fc?_state=bfwh7lQgr_kxASK0brAixitGP_U4YOMxPs6QaF3MgkB7Ik5hbWUiOiJrYWZrYS1lbGFzdGljL3NpeHRyZWUtZG9ja2VyLWphdmE3LWJhc2UiLCJVVUlEIjoiODY2NTk3MjAtNGE4Ni00YzNlLTljNWYtNjk3NWZjOGZiNmZjIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDE1LTA4LTI2VDAzOjEwOjU4LjI5MDAzMjA4N1oifQ%3D%3D&digest=sha256%3Aa3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
>> HTTP/1.1" 201 0 "" "docker/1.7.1 go/go1.4.2
>> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
>> time="2015-08-25T23:12:20-04:00" level=debug msg="authorizing request"
>> http.request.host="172.30.187.196:5000"
>> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
>> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
>> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
>> http.request.useragent="docker/1.7.1 go/go1.4.2
>> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
>> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
>> vars.name="kafka-elastic/sixtree-docker-java7-base"
>> time="2015-08-25T23:12:20-04:00" level=debug msg="OpenShift auth: checking
>> for access to repository:kafka-elastic/sixtree-docker-java7-base:pull"
>> time="2015-08-25T23:12:50-04:00" level=error msg="OpenShift client error:
>> Post
>> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
>> dial tcp: i/o timeout"
>> time="2015-08-25T23:12:50-04:00" level=error msg="error checking
>> authorization: Post
>> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
>> dial tcp: i/o timeout" http.request.host="172.30.187.196:5000"
>> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
>> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
>> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
>> http.request.useragent="docker/1.7.1 go/go1.4.2
>> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
>> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
>> vars.name="kafka-elastic/sixtree-docker-java7-base"
>> time="2015-08-25T23:12:50-04:00" level=error msg="error authorizing context:
>> Post
>> https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews:
>> dial tcp: i/o timeout" http.request.host="172.30.187.196:5000"
>> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
>> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
>> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
>> http.request.useragent="docker/1.7.1 go/go1.4.2
>> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
>> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
>> vars.name="kafka-elastic/sixtree-docker-java7-base"
>> time="2015-08-25T23:12:50-04:00" level=info msg="response completed"
>> http.request.host="172.30.187.196:5000"
>> http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc
>> http.request.method=POST http.request.remoteaddr="10.1.1.1:59060"
>> http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"
>> http.request.useragent="docker/1.7.1 go/go1.4.2
>> kernel/3.10.0-229.11.1.el7.x86_64 os/linux arch/amd64"
>> http.response.duration=30.002254933s http.response.written=0
>> instance.id=a53483e4-d891-4191-8f60-1dcdf0473192
>> 10.1.1.1 - - [25/Aug/2015:23:12:20 -0400] "POST
>> /v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/ HTTP/1.1" 400 0
>> "" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.11.1.el7.x86_64 os/linux
>> arch/amd64”
>> 
>> Thanks and regards
>> Justin
>> 
>> 
>> _______________________________________________
>> users mailing list
>> users lists openshift redhat com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> 
>> 
>> 
> 
> 
> 
> -- 
> Clayton Coleman | Lead Engineer, OpenShift
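
The registry logs in this thread show two different authorization failures: the earlier push failed because the registry timed out calling the master's subjectaccessreviews endpoint, while the later pull was rejected because the request carried no basic token. The following is an added example, not part of the original messages or of OpenShift: it parses registry log lines, groups them by http.request.id and labels each failed request with one of those two causes. The function names and cause labels are hypothetical, and the sample lines are abridged from the lines quoted above.

```python
import re
from collections import defaultdict

# logfmt pairs as emitted by the registry: key=value or key="quoted value"
PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_logfmt(line):
    """Turn one registry log line into a dict of its key=value fields."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in PAIR.findall(line)}

def classify(msg):
    """Map an authorization error message to a failure mode seen in this thread."""
    if "basic token required" in msg:
        return "no-credentials"      # request carried no basic-auth token
    if "subjectaccessreviews" in msg and "i/o timeout" in msg:
        return "master-unreachable"  # registry timed out calling the master API
    return "other"

def auth_failures(lines):
    """Return {request id: (method, uri, cause)} for requests that failed authorization."""
    by_id = defaultdict(dict)
    for line in lines:
        f = parse_logfmt(line)
        rid = f.get("http.request.id")
        if not rid:
            continue  # lines without a request id cannot be correlated
        for key in ("http.request.method", "http.request.uri"):
            if key in f:
                by_id[rid][key] = f[key]
        if f.get("level") == "error" and "authoriz" in f.get("msg", ""):
            by_id[rid]["cause"] = classify(f["msg"])
    return {rid: (r.get("http.request.method"), r.get("http.request.uri"), r["cause"])
            for rid, r in by_id.items() if "cause" in r}

# Sample input: abridged from the registry log lines quoted in this thread.
SAMPLE = [
    'time="2015-08-26T18:17:34-04:00" level=debug msg=PutImageManifest http.request.id=7d6e145e-1d0d-454d-9316-ace28e9b0707 http.request.method=PUT http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/manifests/latest"',
    'time="2015-08-26T18:27:25-04:00" level=error msg="error authorizing context: authorization header with basic token required" http.request.id=8ba723c7-a6b6-4c85-931c-104648257f5a http.request.method=GET http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/manifests/sha256:1bafa5d99c3ef1aaa93dab19e33cf27e6290dde0c3efe5a183820fc239f8a580"',
    'time="2015-08-25T23:12:50-04:00" level=error msg="error checking authorization: Post https://master.sixtree.com:8443/oapi/v1/namespaces/kafka-elastic/subjectaccessreviews: dial tcp: i/o timeout" http.request.id=f1da96d2-42d4-49ec-ac7c-3d727aa24cdc http.request.method=POST http.request.uri="/v2/kafka-elastic/sixtree-docker-java7-base/blobs/uploads/"',
]

if __name__ == "__main__":
    for rid, (method, uri, cause) in auth_failures(SAMPLE).items():
        print(rid, method, uri, cause)
```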


