cri-o cannot pull from internal registry with default image-puller role #16349

Closed
csrwng opened this issue Sep 14, 2017 · 11 comments
Labels
component/containers kind/bug Categorizes issue or PR as related to a bug. priority/P2

Comments

@csrwng
Contributor

csrwng commented Sep 14, 2017

On an OpenShift cluster running on cri-o, trying to run a pod with an image from the internal registry, I get the following event:

Failed to pull image "docker-registry.default.svc:5000/test-docker/origin-ruby-sample@sha256:c1fb4160ed2b43b9b8c6d93a5908ca22ccac8442a0876e1103da9493daa1e73d": rpc error: code = 2 desc = Error reading signatures: received unexpected HTTP status: 500 Internal Server Error

In the registry log, I see this:

time="2017-09-06T00:34:20.806312657Z" level=error msg="(*signatureHandler): unknown: unknown error" go.version=go1.7.6 http.request.host="docker-registry.default.svc:5000" http.request.id=3739e0d4-252c-452a-9027-26ac2d344014 http.request.method=GET http.request.remoteaddr="10.129.0.1:47694" http.request.uri="/extensions/v2/test-docker/origin-ruby-sample/signatures/sha256:c1fb4160ed2b43b9b8c6d93a5908ca22ccac8442a0876e1103da9493daa1e73d" http.request.useragent="Go-http-client/1.1" instance.id=b95c4973-6916-4f02-8ad9-6c22952d927c openshift.auth.user="system:serviceaccount:test-docker:default" openshift.logger=registry vars.digest="sha256:c1fb4160ed2b43b9b8c6d93a5908ca22ccac8442a0876e1103da9493daa1e73d" vars.name="test-docker/origin-ruby-sample"

The default service account already has the /system:image-puller role. If I assign cluster-admin role to the same service account, then the pull succeeds.

It seems that the image-puller role doesn't have sufficient permissions for cri-o to pull the image.

@csrwng
Contributor Author

csrwng commented Sep 14, 2017

@mfojtik @openshift/devex @runcom

@bparees
Contributor

bparees commented Sep 14, 2017

and/or cri-o is trying to do things it shouldn't have to do? (if docker doesn't need additional permissions, why does cri-o?)

@csrwng
Contributor Author

csrwng commented Sep 14, 2017

It looks like docker doesn't query signatures directly, or is querying for them in a different way.

@runcom
Member

runcom commented Sep 14, 2017

It looks like docker doesn't query signatures directly, or is querying for them in a different way.

and/or cri-o is trying to do things it shouldn't have to do? (if docker doesn't need additional permissions, why does cri-o?)

Nope, we use containers/image in both afaict and the call to "get signatures" is the same :(

@runcom
Member

runcom commented Sep 14, 2017

is there any way to debug this in the live cluster? just remove cluster-admin and see what happens?

@runcom
Member

runcom commented Sep 14, 2017

/cc @mtrmac

@runcom
Member

runcom commented Sep 14, 2017

and/or cri-o is trying to do things it shouldn't have to do? (if docker doesn't need additional permissions, why does cri-o?)

alright, I figured this out: docker runs with --signature-verification=false, so it never hits the GetSignatures method... that's why it doesn't fail with docker.
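The request that fails is the registry's signature-extension GET shown in the log above (`/extensions/v2/<name>/signatures/<digest>`). A quick way to tell whether a given service-account token can read signatures, independently of cri-o, is to issue that same GET yourself and classify the status code. The following is an added example, not code from this issue or from the cri-o or OpenShift projects: it parses the digest-pinned reference from the event, builds the extension URL, probes it with a bearer token, and runs against a constructed in-process fake registry whose behaviour (500 for a "puller" token, 200 for an "admin" token, 401 otherwise) only mimics what the issue reports; the token names and the fake server are assumptions, and the real registry's responses may differ.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ParseRef splits a digest-pinned reference such as
// "docker-registry.default.svc:5000/test-docker/origin-ruby-sample@sha256:<hex>"
// into registry host, repository name and digest.
func ParseRef(ref string) (registry, name, digest string, err error) {
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "", "", "", fmt.Errorf("reference %q is not pinned by digest", ref)
	}
	digest = ref[at+1:]
	if !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return "", "", "", fmt.Errorf("unsupported digest %q", digest)
	}
	slash := strings.Index(ref[:at], "/")
	if slash < 0 {
		return "", "", "", fmt.Errorf("reference %q has no registry host", ref)
	}
	return ref[:slash], ref[slash+1 : at], digest, nil
}

// SignaturesURL builds the signature-extension URL that the registry log
// in the issue shows being requested: /extensions/v2/<name>/signatures/<digest>
func SignaturesURL(scheme, registry, name, digest string) string {
	return fmt.Sprintf("%s://%s/extensions/v2/%s/signatures/%s", scheme, registry, name, digest)
}

// ProbeSignatures issues the GET with a bearer token and classifies the
// response, so an authorization failure (401/403) can be told apart from
// the 500 reported in the issue.
func ProbeSignatures(client *http.Client, url, token string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return "ok", nil
	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
		return "denied", nil
	case resp.StatusCode >= 500:
		return "server-error", nil
	default:
		return fmt.Sprintf("unexpected-%d", resp.StatusCode), nil
	}
}

// NewFakeRegistry is a constructed stand-in for the registry (assumption, not
// the real OpenShift handler). On the signatures path it answers 500 for the
// "puller" token, mimicking the issue, 200 for the "admin" token, 401 otherwise.
func NewFakeRegistry() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/extensions/v2/") || !strings.Contains(r.URL.Path, "/signatures/") {
			http.NotFound(w, r)
			return
		}
		switch r.Header.Get("Authorization") {
		case "Bearer puller-token":
			http.Error(w, "unknown: unknown error", http.StatusInternalServerError)
		case "Bearer admin-token":
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"signatures":[]}`)
		default:
			http.Error(w, "authentication required", http.StatusUnauthorized)
		}
	}))
}

func main() {
	ref := "docker-registry.default.svc:5000/test-docker/origin-ruby-sample@sha256:c1fb4160ed2b43b9b8c6d93a5908ca22ccac8442a0876e1103da9493daa1e73d"
	_, name, digest, err := ParseRef(ref)
	if err != nil {
		panic(err)
	}
	srv := NewFakeRegistry()
	defer srv.Close()
	// The fake server's host stands in for the real registry host here.
	url := SignaturesURL("http", strings.TrimPrefix(srv.URL, "http://"), name, digest)
	for _, tok := range []string{"puller-token", "admin-token", "bogus"} {
		res, err := ProbeSignatures(srv.Client(), url, tok)
		fmt.Printf("%-13s -> %s %v\n", tok, res, err)
	}
}
```

Against a live cluster you would point `SignaturesURL` at the real registry host with `https`, use the pod's service-account token from `/var/run/secrets/kubernetes.io/serviceaccount/token`, and compare the result for the image-puller account with that of a cluster-admin account: a `server-error` for the former and `ok` for the latter reproduces what this issue describes.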

@giuseppe
Member

@csrwng what was your workaround? I've oadm policy add-role-to-user cluster-admin default but I am still seeing the same error

@csrwng
Contributor Author

csrwng commented Sep 14, 2017

@giuseppe

oadm policy add-cluster-role-to-user cluster-admin system:serviceaccount:thenamespace:default

(Substitute thenamespace with whatever namespace your test is in)

@csrwng
Contributor Author

csrwng commented Sep 14, 2017

Or, if you want to test @mfojtik's latest fix, you can simply change the image ref in dc/docker-registry to cewong/origin-docker-registry:v3.6.0

@giuseppe
Member

@csrwng lovely, it works!

openshift-merge-robot added a commit that referenced this issue Sep 18, 2017
Automatic merge from submit-queue (batch tested with PRs 15834, 16321, 16353, 15298, 15433)

use privileged client in registry instead of user client when getting or creating signatures

@csrwng

Fixes: #16349
@pweil- pweil- added component/containers kind/bug Categorizes issue or PR as related to a bug. priority/P2 labels Sep 18, 2017