Re: [atomic-devel] Attempting to setup OSBS in it's own OpenShift project namespace
- From: Tomas Tomecek <ttomecek redhat com>
- To: Adam Miller <maxamillion fedoraproject org>, "atomic-devel projectatomic io" <atomic-devel projectatomic io>
- Subject: Re: [atomic-devel] Attempting to setup OSBS in it's own OpenShift project namespace
- Date: Thu, 30 Jul 2015 11:20:03 +0200
Quoting Adam Miller (2015-07-30 00:29:10)
> Hello all,
> I see that both atomic-reactor and osbs-client have moved within
> the Project Atomic space so I'm sending this here. If there is a more
> appropriate mailing list for it please let me know.
Unless list owners mind, we can discuss here.
> I'm currently working on setting up OSBS with an existing
> OpenShift environment mostly as an exercise to see if it can be done.
> My hope and motivation is to have an environment where users can use
> the PaaS, but it can also be used via OSBS but OSBS would be
> sand-boxed off into its own environment.
>
> I have a VM setup following these notes:
> https://gist.github.com/maxamillion/7e71f252830d08da4e3a
>
> However I'm getting an error attempting to list builds. I suspect this
> is an authorization and/or OpenShift policy thing that I'm just
> missing but I wanted to ask for guidance.
>
> # osbs --verbose list-builds
> 2015-07-29 17:08:05,198 - osbs - DEBUG - Logging level set to debug
> * About to connect() to losbs.example.com port 8443 (#0)
> * Trying 192.168.122.28...
> * Connected to losbs.example.com (192.168.122.28) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * NSS: client certificate not found (nickname not specified)
> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> * subject: CN=losbs.example.com
> * start date: Jul 28 22:42:10 2015 GMT
> * expire date: Jul 27 22:42:11 2016 GMT
> * common name: losbs.example.com
> * issuer: CN=openshift-signer 1438123330
> > GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
> User-Agent: PycURL/7.29.0
> Host: losbs.example.com:8443
> Accept: */*
>
> < HTTP/1.1 403 Forbidden
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Wed, 29 Jul 2015 22:08:05 GMT
> < Content-Length: 231
> <
> * Connection #0 to host losbs.example.com left intact
> Traceback (most recent call last):
> File "/usr/bin/osbs", line 9, in <module>
> load_entry_point('osbs==0.14', 'console_scripts', 'osbs')()
> File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 353, in main
> args.func(args, osbs)
> File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 32,
> in cmd_list_builds
> builds = osbs.list_builds(namespace=args.namespace)
> File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in
> catch_exceptions
> return func(*args, **kwargs)
> File "/usr/lib/python2.7/site-packages/osbs/api.py", line 74, in list_builds
> serialized_response = response.json()
> File "/usr/lib/python2.7/site-packages/osbs/http.py", line 158, in json
> self._check_status_code()
> File "/usr/lib/python2.7/site-packages/osbs/http.py", line 185, in
> _check_status_code
> raise OsbsNetworkException(url, message, self.status_code)
> osbs.exceptions.OsbsNetworkException: (403)
>
> I've looked through the logs for the docker-registry pod within
> OpenShift/kube and checked the openshift-master and openshift-node
> logs, nothing is jumping out at me as the culprit. Anything I
> could/should be looking at or some suggestion on how to set this up
> would be greatly appreciated.
>
> Thank you,
> -AdamM
>
Your client is not allowed to access the API endpoint.
`oc describe policyBindings :default` please
Looking at the gist, I can see two possible issues:

1. I can see you are logging in as the "builder" user but can't see policy setup for
   the user
2. `oadm policy add-role-to-group edit system:unauthenticated system:authenticated`
   * you should set this for the "builder" namespace:
     `oadm policy add-role-to-group edit --namespace builder system:unauthenticated system:authenticated`
   * and then you need to operate on the namespace:
     `osbs --namespace builder list-builds`
     `osbs build -g https://github.com/maxamillion/atomic-reactor-dockerfile-test.git -c test-image -u builder --namespace builder`

The `-u` option of the build command is a bit unfortunate: it doesn't have
anything to do with OpenShift, it is just the prefix for the image name. Will open
an issue to make it clearer: https://github.com/projectatomic/osbs-client/issues/184

Regards,
~~
Tomáš Tomeček
Software Engineer
Developer Experience
UTC+2 (CEST)
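
Added example (not part of the original message and not osbs-client code): a small Python check that reads a verbose trace like the one quoted above, finds which namespace each 403 was returned for, and compares it with the namespace the policy was set up for. The function names and finding wording are hypothetical, and the sample trace is constructed from the quoted log.

```python
import re

# Constructed sample: the request and response lines from the
# `osbs --verbose list-builds` trace quoted in the message above.
SAMPLE_TRACE = """\
* Connected to losbs.example.com (192.168.122.28) port 8443 (#0)
> GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
"""

REQUEST_RE = re.compile(r"^> [A-Z]+ (?P<path>\S+) HTTP/\d\.\d\s*$")
STATUS_RE = re.compile(r"^< HTTP/\d\.\d (?P<code>\d{3})\b")
NAMESPACE_RE = re.compile(r"/namespaces/(?P<ns>[^/]+)/")


def parse_exchanges(trace):
    """Pair each request line with the first status line that follows it."""
    exchanges = []
    for line in trace.splitlines():
        req = REQUEST_RE.match(line)
        status = STATUS_RE.match(line)
        if req:
            ns = NAMESPACE_RE.search(req.group("path"))
            exchanges.append({"path": req.group("path"),
                              "namespace": ns.group("ns") if ns else None,
                              "status": None})
        elif status and exchanges and exchanges[-1]["status"] is None:
            exchanges[-1]["status"] = int(status.group("code"))
    return exchanges


def diagnose(trace, intended_namespace):
    """Return one finding (hypothetical wording) per 403 in the trace."""
    findings = []
    for ex in parse_exchanges(trace):
        if ex["status"] != 403:
            continue
        if ex["namespace"] != intended_namespace:
            findings.append("403 in namespace %r, not %r: rerun with --namespace %s"
                            % (ex["namespace"], intended_namespace, intended_namespace))
        else:
            findings.append("403 in namespace %r: check the policy bindings there"
                            % ex["namespace"])
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_TRACE, "builder")))
```
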