
Re: [atomic-devel] Attempting to setup OSBS in its own OpenShift project namespace



On Thu, Jul 30, 2015 at 4:20 AM, Tomas Tomecek <ttomecek redhat com> wrote:
> Quoting Adam Miller (2015-07-30 00:29:10)
>> Hello all,
>>     I see that both atomic-reactor and osbs-client have moved within
>> the Project Atomic space so I'm sending this here. If there is a more
>> appropriate mailing list for it please let me know.
>
> Unless list owners mind, we can discuss here.
>
>>     I'm currently working on setting up OSBS with an existing
>> OpenShift environment mostly as an exercise to see if it can be done.
>> My hope and motivation is to have an environment where users can use
>> the PaaS, but it can also be used via OSBS but OSBS would be
>> sand-boxed off into its own environment.
>>
>> I have a VM setup following these notes:
>>     https://gist.github.com/maxamillion/7e71f252830d08da4e3a
>>
>> However I'm getting an error attempting to list builds. I suspect this
>> is an authorization and/or OpenShift policy thing that I'm just
>> missing but I wanted to ask for guidance.
>>
>> # osbs --verbose list-builds
>> 2015-07-29 17:08:05,198 - osbs - DEBUG - Logging level set to debug
>> * About to connect() to losbs.example.com port 8443 (#0)
>> *   Trying 192.168.122.28...
>> * Connected to losbs.example.com (192.168.122.28) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * skipping SSL peer certificate verification
>> * NSS: client certificate not found (nickname not specified)
>> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
>> * Server certificate:
>> *       subject: CN=losbs.example.com
>> *       start date: Jul 28 22:42:10 2015 GMT
>> *       expire date: Jul 27 22:42:11 2016 GMT
>> *       common name: losbs.example.com
>> *       issuer: CN=openshift-signer 1438123330
>> > GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
>> User-Agent: PycURL/7.29.0
>> Host: losbs.example.com:8443
>> Accept: */*
>>
>> < HTTP/1.1 403 Forbidden
>> < Cache-Control: no-store
>> < Content-Type: application/json
>> < Date: Wed, 29 Jul 2015 22:08:05 GMT
>> < Content-Length: 231
>> <
>> * Connection #0 to host losbs.example.com left intact
>> Traceback (most recent call last):
>>   File "/usr/bin/osbs", line 9, in <module>
>>     load_entry_point('osbs==0.14', 'console_scripts', 'osbs')()
>>   File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 353, in main
>>     args.func(args, osbs)
>>   File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 32,
>> in cmd_list_builds
>>     builds = osbs.list_builds(namespace=args.namespace)
>>   File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in
>> catch_exceptions
>>     return func(*args, **kwargs)
>>   File "/usr/lib/python2.7/site-packages/osbs/api.py", line 74, in list_builds
>>     serialized_response = response.json()
>>   File "/usr/lib/python2.7/site-packages/osbs/http.py", line 158, in json
>>     self._check_status_code()
>>   File "/usr/lib/python2.7/site-packages/osbs/http.py", line 185, in
>> _check_status_code
>>     raise OsbsNetworkException(url, message, self.status_code)
>> osbs.exceptions.OsbsNetworkException: (403)
>>
>> I've looked through the logs for the docker-registry pod within
>> OpenShift/kube and checked the openshift-master and openshift-node
>> logs, nothing is jumping out at me as the culprit. Anything I
>> could/should be looking at or some suggestion on how to set this up
>> would be greatly appreciated.
>>
>> Thank you,
>> -AdamM
>>
>
> Your client is not allowed to access the API endpoint.
>
> `oc describe policyBindings :default` please
>
>
> Looking at the gist, I can see two possible issues:
>
> 1. I can see you are logging in as the "builder" user but can't see policy setup for
> the user
>
>
> 2. `oadm policy add-role-to-group edit system:unauthenticated system:authenticated`
>
>  * you should set this for "builder" namespace:
>
>    `oadm policy add-role-to-group edit --namespace builder system:unauthenticated system:authenticated`
>
>  * and then you need to operate on the namespace:
>
>    `osbs --namespace builder list-builds`
>
>    `osbs build -g https://github.com/maxamillion/atomic-reactor-dockerfile-test.git -c test-image -u builder --namespace builder`
>
> The `-u` option of the build command is a bit unfortunate, it doesn't have to do
> anything with openshift, it is just the prefix for image name. Will open up
> issue to make it more clear: https://github.com/projectatomic/osbs-client/issues/184
>

This is perfect, thank you! The policyBinding for the builder
namespace and then namespacing the osbs commands is exactly the piece
of the puzzle I was missing.

Couple very minor things I thought I'd note just for the sake of the
mailing list thread posterity, a couple of the commands as written
didn't work for me, the 'osbs build' command needed the namespace arg
in a different order (before the sub-command), which resulted in 'osbs
--namespace builder build ....' and the oadm policy needed
'--namespace=builder' (no idea why it failed to parse the following
arg, but it threw the error 'Error: flag needs an argument:
--namespace').

Thank you again!
-AdamM


>
> Regards,
> ~~
> Tomáš Tomeček
> Software Engineer
> Developer Experience
> UTC+2 (CEST)
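
Added example, not written by either participant in this thread and not part of osbs-client: a small triage of the verbose trace quoted above. It pulls out the namespace the request actually targeted, the HTTP status, whether any credentials were sent, and whether TLS peer verification was skipped. The `triage` helper and the trimmed `SAMPLE_TRACE` are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the verbose trace quoted in this thread,
# with the mail quote markers removed.
SAMPLE_TRACE = """\
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
> GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
User-Agent: PycURL/7.29.0
Host: losbs.example.com:8443
Accept: */*

< HTTP/1.1 403 Forbidden
< Content-Type: application/json
"""

REQUEST_RE = re.compile(r"^> [A-Z]+ (?P<path>\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^< HTTP/\d\.\d (?P<code>\d{3})")
NAMESPACE_RE = re.compile(r"/namespaces/(?P<ns>[^/]+)/")


def triage(trace, expected_namespace):
    """Summarise one request/response pair (hypothetical helper, not part of osbs)."""
    info = {"namespace": None, "status": None, "tls_verified": True,
            "client_cert": True, "auth_header": False, "findings": []}
    for line in (raw.strip() for raw in trace.splitlines()):
        req, status = REQUEST_RE.match(line), STATUS_RE.match(line)
        if req:
            ns = NAMESPACE_RE.search(req.group("path"))
            info["namespace"] = ns.group("ns") if ns else None
        if status:
            info["status"] = int(status.group("code"))
        if "skipping SSL peer certificate verification" in line:
            info["tls_verified"] = False
        if "client certificate not found" in line:
            info["client_cert"] = False
        if line.lstrip("> ").lower().startswith("authorization:"):
            info["auth_header"] = True
    if info["status"] == 403 and info["namespace"] != expected_namespace:
        info["findings"].append("403 on namespace %r, expected %r"
                                % (info["namespace"], expected_namespace))
    if not (info["auth_header"] or info["client_cert"]):
        info["findings"].append("request carried no credentials")
    if not info["tls_verified"]:
        info["findings"].append("TLS peer certificate was not verified")
    return info


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE, "builder")["findings"]:
        print(finding)
```

On the sample it reports all three conditions: the request went to `default` rather than `builder`, it carried no credentials, and the server certificate was not verified.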

