403 : Access not Authenticated issue on PULP UI #1867

Open
VrindaMarwah opened this issue Dec 16, 2024 · 6 comments
@VrindaMarwah

VrindaMarwah commented Dec 16, 2024

I have deployed a pulp container using podman and created a pulp container registry 'container_images', also created a remote. I synced the repo and created a distribution but on the Pulp UI, I am getting 403 status code and unable to view the synced image.

image

Additionally, I have disabled the token authentication for my container registry and below is the screenshot of my settings.py:

[root] # cat settings/settings.py
CONTENT_ORIGIN=<pulp_host>
TOKEN_AUTH_DISABLED=True
SECRET_KEY=<redacted>

Below are the commands run:

pulp container repository create --name container_images
pulp container remote create --name coredns --url https://registry.k8s.io --upstream-name coredns/coredns --include-tags '["v1.11.1"]'
pulp container repository sync --name container_images --remote coredns
pulp container distribution create --name "dist1" --base-path "container_images" --publication "<pulp_href>"

Also, configured the container registry as insecure registry in /etc/containers/registries.conf

#unqualified-search-registries = [<pulp_host>]
[registries]
    [registries.search]
    registries = [<pulp_host>]

    [registries.insecure]
    registries = [<pulp_host>]

I am trying to pull the image from the pulp registry using podman:
The login is successful but the image pull is failing:

[root]# podman login -u admin -p <redacted>
Login Succeeded!
[root]# podman pull <pulp_host>/container_images:v1.11.1
Trying to pull <pulp_host>/container_images:v1.11.1...
Error: initializing source docker://<pulp_host>/container_images:v1.11.1: reading manifest v1.11.1 in <pulp_host>/container_images: name unkown: Repository not found.
[root]#
[root]# curl <pulp_host>/pulp/content/

<html>
<head><title>Index of /pulp/content/</title></head>
<body bgcolor="white">
<h1>Index of /pulp/content/</h1>
<hr><pre>
<a href="container_images/">container_images/</a>
</pre><hr></body>
</html>[root]#
[root]#
[root]# curl <pulp_host>/pulp/content/container_images/
403: Access not authenticated

Also, wanted to check on the following points:

  • Does pulp also support nerdctl tool?
  • If nerdctl is supported, what are the compatible versions of Podman and nerdctl that should work together?
@gerrod3
Contributor

gerrod3 commented Dec 16, 2024

@VrindaMarwah I moved the issue over to pulp_container since that seems to be the plugin you are having trouble with. Also, I rewrote the information you shared in your screenshots to text and redacted the information that should be private.

@gerrod3
Contributor

gerrod3 commented Dec 17, 2024

@VrindaMarwah I can't reproduce this. When I was converting your images to text I don't know if I missed/erred on copying some things, so some follow-up questions:

When creating a distribution you are not using --publication "<pulp_href>" right? pulp_container doesn't have publications, it should be --repository container_images.

When doing the login have you tried manually specifying your Pulp host in the command, e.g. podman login -u <user> -p <pass> <pulp_host>? I'm pretty sure you don't have to since you edited your registries.conf file, but if you didn't log in correctly then you would receive a permission error.

Finally, did you check the status of the sync task after it completed? It is possible the sync failed and that is why podman can't find the image, since it's technically not there!

As for nerdctl tool, from my brief reading of their GitHub page we probably support a good portion of the features of that tool. We implement the Registry API V2 and this spec is what most OCI tooling is built around. It is possible some extra features of the tool might not work with Pulp, but we have never tested it so we wouldn't know. As for the second question I have no idea.

@VrindaMarwah
Author

I created a fresh repository and synced the remote using the below command as given in the Pulp doc:
pulp container repository sync --name foo --remote foo
The syncing was successful, and the image was downloaded, as shown in the pulp task list output also:
image

After this, I created a distribution using the command (without the --publication flag):
pulp container distribution create --name foo --base-path foo --repository foo

But still my dashboard shows 403: Access not Authorized:
image

image

Since SSL is not setup for my Pulp registry, I have configured podman to work with insecure registry:
image

and, I am able to successfully login to the registry, but podman pull is resulting in 500 internal server error:
image

@gerrod3
Contributor

gerrod3 commented Dec 18, 2024

Can you see what the 500 error is? podman logs pulp

As for the 403 when you access from the browser that is because by default pulp_container content is protected by a redirect content guard which only allows downloading the content upon a successful redirect from the registry api. You could remove the content guard to see the stored content. pulp container distribution update --name foo --content-guard ""

@VrindaMarwah
Author

Thank you for the response @gerrod3. For the 403 error, I removed the content guard using the below command:

curl -X DELETE http://localhost:8005/pulp/api/v3/contentguards/core/content_redirect/0193deb5-6dc9-7c5b-a7a9-047177a0d727/ -u admin

since the command pulp container distribution update --name foo --content-guard "" wasn't available for me:

image

The 403 error got resolved; however, the dashboard lists the image checksums:
image

Is this the expected output from the pulp dashboard? If yes, does pulp support displaying list of downloaded images, instead of checksums?

@gerrod3
Contributor

gerrod3 commented Jan 16, 2025

@VrindaMarwah Sorry for the late response, this got lost over the Winter break.

Yes that is the expected output. You are looking at the Content App (not the Pulp-UI, that's a separate project) which displays all the artifacts that Pulp is distributing for that distribution. Typically you can't really see it for pulp_container since their distributions are guarded by the redirect guard by default and looking at the code we don't allow users to unset it, so sorry about my early comment, it was incorrect. I would suggest deleting your distribution and recreating it so that it is properly protected again.

Currently we don't have a nice UI for listing out the downloadable images like Docker or Quay does; if you want something like that I would recommend filing an issue in https://github.com/pulp/pulp-ui. Otherwise you can see the available tags for an image by either

  1. Using the Pulp api pulp container repository content -t tag list --repository container_images
  2. Using the Docker V2 api http <pulp_host>/v2/container_images/tags/list (note 'container_images' is the base-path of the distribution in this example)
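
An audit for the state this thread ended in (a container distribution left without its redirect content guard), added here as an example and not part of the thread or of Pulp's own code. It assumes the distribution list response is paginated under `results` with `base_path` and `content_guard` fields, and that a deleted guard shows up as `null`; the sample data and UUIDs are constructed.

```python
import json
import re

# Path shape taken from the DELETE URL quoted in the thread above.
REDIRECT_GUARD = re.compile(
    r"/pulp/api/v3/contentguards/core/content_redirect/[0-9a-f-]+/$"
)

# Constructed sample, shaped like a paginated distribution list response.
# Field names are assumptions about the Pulp REST API, not taken from the page.
SAMPLE = json.loads("""
{
  "count": 3, "next": null, "previous": null,
  "results": [
    {"name": "foo", "base_path": "foo", "content_guard": null},
    {"name": "dist1", "base_path": "container_images",
     "content_guard": "/pulp/api/v3/contentguards/core/content_redirect/00000000-0000-0000-0000-000000000001/"},
    {"name": "legacy", "base_path": "legacy",
     "content_guard": "/pulp/api/v3/contentguards/core/rbac/00000000-0000-0000-0000-000000000002/"}
  ]
}
""")


def classify(dist):
    """Return the guard state of one distribution record."""
    guard = dist.get("content_guard")
    if not guard:
        # Content App serves artifacts to anyone who can reach it.
        return "unguarded"
    if REDIRECT_GUARD.search(guard):
        # Default for pulp_container: content only via registry redirect.
        return "redirect-guard"
    return "other-guard"


def audit(listing):
    """Map each distribution base path to its guard state."""
    return {d["base_path"]: classify(d) for d in listing.get("results", [])}


def off_default(listing):
    """Base paths that no longer carry the default redirect guard."""
    return sorted(bp for bp, s in audit(listing).items() if s != "redirect-guard")


if __name__ == "__main__":
    for base_path, state in audit(SAMPLE).items():
        print(f"{base_path}: {state}")
    print("delete and recreate:", off_default(SAMPLE))
```
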

@gerrod3 gerrod3 added Question and removed Issue labels Jan 16, 2025