Actions
Issue #2287
closed
Cannot get docker v2 repo tags list
Status:
CLOSED - CURRENTRELEASE
Priority:
Urgent
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
2.10.1
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:
Description
TL;DR version: HTTP GET requests to /pulp/docker/v2/foo/tags/list/ always fail with an HTTP 403 (forbidden) due to SELinux issues.
The longer version follows.
Let's say one executes the following script:
# Execute problematic actions
pulp-admin docker repo create --repo-id foo \
--feed https://registry-1.docker.io --upstream-name library/busybox
pulp-admin docker repo sync run --repo-id foo
curl --insecure --user admin:admin \
https://localhost/pulp/docker/v2/foo/tags/list/
pulp-admin docker repo delete --repo-id foo
This should work, but it doesn't under the current nightly builds of Pulp 2.10 and 2.11. The curl step fails with an HTTP 403 (forbidden). Here's what's printed:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pulp/docker/v2/foo/tags/list/ was not found on this server.</p>
</body></html>
Why does this happen? That's unclear, but a likely cause is an SELinux denial. If SELinux is disabled, the script above succeeds. Here's a more full-fledged script that succeeds:
#!/usr/bin/env bash
set -euo pipefail
# Configure SELinux
setenforce 0
echo > /var/log/audit/audit.log
semodule -R
# Execute problematic actions
pulp-admin docker repo create --repo-id foo \
--feed https://registry-1.docker.io --upstream-name library/busybox
pulp-admin docker repo sync run --repo-id foo
curl --insecure --user admin:admin \
https://localhost/pulp/docker/v2/foo/tags/list/
pulp-admin docker repo delete --repo-id foo
# Get info
set -x
audit2allow -al
audit2allow -Ral || true
cat /var/log/audit/audit.log
Here's the last few lines of output:
+ audit2allow -al
#============= httpd_t ==============
#!!!! The file '/var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list
allow httpd_t pulp_var_cache_t:file getattr;
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log
type=MAC_POLICY_LOAD msg=audit(1475082461.412:12606): policy loaded auid=0 ses=108
type=AVC msg=audit(1475082479.139:12607): avc: denied { getattr } for pid=10392 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list" dev="dm-0" ino=1716474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1
For what it's worth, here's the corresponding log entries from the system, as captured by journalctl --follow:
-- Logs begin at Mon 2016-09-26 09:17:28 EDT. --
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.agent.direct.services:INFO: Task reply handler, started.
Sep 28 13:16:57 pulp.example.com pulp[11859]: gofer.messaging.adapter.qpid.connection:INFO: open: URL: tcp://localhost|SSL: ca: /etc/pki/qpid/ca/ca.crt|key: None|certificate: /etc/pki/qpid/client/client.pem|host-validation: False
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.agent.direct.services:INFO: AMQP reply handler started
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.webservices.application:INFO: *************************************************************
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.webservices.application:INFO: The Pulp server has been successfully initialized
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.webservices.application:INFO: *************************************************************
Sep 28 13:16:57 pulp.example.com pulp[11859]: gofer.messaging.adapter.qpid.connection:INFO: opened: qpid+tcp://localhost:5672
Sep 28 13:16:57 pulp.example.com pulp[11859]: gofer.messaging.adapter.connect:INFO: connected: qpid+tcp://localhost:5672
Sep 28 13:16:59 pulp.example.com audit[9682]: USER_START pid=9682 uid=0 auid=0 ses=108 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.10.53.186 addr=10.10.53.186 terminal=/dev/pts/0 res=success'
Sep 28 13:16:59 pulp.example.com audit[9682]: CRYPTO_KEY_USER pid=9682 uid=0 auid=0 ses=108 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ef:4c:bc:82:5b:1d:8d:86:96:a5:89:f5:d2:fe:5b:72:bd:4b:2e:4d:35:39:a8:bf:79:85:65:3e:f8:cc:b9:fa direction=? spid=12165 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.10.53.186 terminal=? res=success'
Sep 28 13:17:10 pulp.example.com kernel: SELinux: 32768 avtab hash slots, 103924 rules.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: 32768 avtab hash slots, 103924 rules.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: 8 users, 14 roles, 4956 types, 308 bools, 1 sens, 1024 cats
Sep 28 13:17:10 pulp.example.com kernel: SELinux: 92 classes, 103924 rules
Sep 28 13:17:10 pulp.example.com kernel: SELinux: Permission validate_trans in class security not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: Permission module_load in class system not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: Class cap_userns not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: Class cap2_userns not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 28 13:17:11 pulp.example.com dbus[702]: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=11)
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?
Sep 28 13:17:11 pulp.example.com audit: MAC_POLICY_LOAD policy loaded auid=0 ses=108
Sep 28 13:17:11 pulp.example.com dbus[702]: [system] Reloaded configuration
Sep 28 13:17:11 pulp.example.com pulp[11860]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Sep 28 13:17:11 pulp.example.com pulp[11810]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[74555716-670f-431b-89f8-a4a0ec9e2eda]
Sep 28 13:17:11 pulp.example.com pulp[11956]: py.warnings:WARNING: (11956-10368) /usr/lib64/python2.7/site-packages/pymongo/topology.py:74: UserWarning: MongoClient opened before fork. Create MongoClient with connect=False, or create client after forking. See PyMongo's documentation for details: http://api.mongodb.org/python/current/faq.html#using-pymongo-with-multiprocessing>
Sep 28 13:17:11 pulp.example.com pulp[11956]: py.warnings:WARNING: (11956-10368) "MongoClient opened before fork. Create MongoClient "
Sep 28 13:17:11 pulp.example.com pulp[11956]: py.warnings:WARNING: (11956-10368)
Sep 28 13:17:11 pulp.example.com pulp[11956]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Sep 28 13:17:11 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.managers.repo.sync.sync[40a8f8a4-a451-4fdb-bca3-2781e702e484]
Sep 28 13:17:11 pulp.example.com pulp[11834]: py.warnings:WARNING: (11834-22336) /usr/lib64/python2.7/site-packages/pymongo/topology.py:74: UserWarning: MongoClient opened before fork. Create MongoClient with connect=False, or create client after forking. See PyMongo's documentation for details: http://api.mongodb.org/python/current/faq.html#using-pymongo-with-multiprocessing>
Sep 28 13:17:11 pulp.example.com pulp[11834]: py.warnings:WARNING: (11834-22336) "MongoClient opened before fork. Create MongoClient "
Sep 28 13:17:11 pulp.example.com pulp[11834]: py.warnings:WARNING: (11834-22336)
Sep 28 13:17:11 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[c6495e19-f4b7-4456-9b48-a6b71b5ee9ec]
Sep 28 13:17:11 pulp.example.com pulp[11810]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[74555716-670f-431b-89f8-a4a0ec9e2eda] succeeded in 0.0460691690096s: None
Sep 28 13:17:12 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): registry-1.docker.io
Sep 28 13:17:12 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): auth.docker.io
Sep 28 13:17:12 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (2): registry-1.docker.io
Sep 28 13:17:13 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (3): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (2): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (3): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (4): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (5): registry-1.docker.io
Sep 28 13:17:22 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (6): registry-1.docker.io
Sep 28 13:17:22 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): dseasb33srnrn.cloudfront.net
Sep 28 13:17:24 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (7): registry-1.docker.io
Sep 28 13:17:24 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (2): dseasb33srnrn.cloudfront.net
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (8): registry-1.docker.io
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (9): registry-1.docker.io
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (3): dseasb33srnrn.cloudfront.net
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (4): dseasb33srnrn.cloudfront.net
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (5): dseasb33srnrn.cloudfront.net
Sep 28 13:17:28 pulp.example.com pulp[11834]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Sep 28 13:17:28 pulp.example.com pulp[11810]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[4683a490-5258-4433-ab77-26a5993e56cf]
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.managers.repo.sync.sync[40a8f8a4-a451-4fdb-bca3-2781e702e484] succeeded in 16.310618789s: <pulp.server.async.tasks.TaskResult object at 0x7fda4fab9250>
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.managers.repo.publish.publish[f9170aca-eb7c-4997-87bf-2a93f952eb25]
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[b8fd4289-86f6-4ea7-9410-c56be555377e]
Sep 28 13:17:28 pulp.example.com pulp[11810]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[4683a490-5258-4433-ab77-26a5993e56cf] succeeded in 0.0374169150018s: None
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[c6495e19-f4b7-4456-9b48-a6b71b5ee9ec] succeeded in 0.0477471390041s: None
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[f9170aca-eb7c-4997-87bf-2a93f952eb25] succeeded in 0.587830191012s: {'exception': None, 'repo_id': u'foo', 'traceback': None, 'started': '2016-09-28T17:17:28Z', '_ns': u'repo_publish_results',...
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[b8fd4289-86f6-4ea7-9410-c56be555377e] succeeded in 0.00430754901026s: None
Sep 28 13:17:29 pulp.example.com audit[11871]: AVC avc: denied { getattr } for pid=11871 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475083048.37/tags/list" dev="dm-0" ino=1716474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1
Here's the packages on a system suffering from the issue. The packages are a few days old, but don't worry: the current Beaker systems also suffer from this bug.
ssh $hostname rpm -qa | sort | grep -i pulp
pulp-admin-client-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
pulp-docker-admin-extensions-2.2.0-0.1.alpha.git.201.5462eab.fc23.noarch
pulp-docker-plugins-2.2.0-0.1.alpha.git.201.5462eab.fc23.noarch
pulp-ostree-admin-extensions-1.2.0-0.1.alpha.git.104.8f728f9.fc23.noarch
pulp-ostree-plugins-1.2.0-0.1.alpha.git.104.8f728f9.fc23.noarch
pulp-puppet-admin-extensions-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-puppet-plugins-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-python-admin-extensions-1.2.0-0.1.alpha.git.108.404f437.fc23.noarch
pulp-python-plugins-1.2.0-0.1.alpha.git.108.404f437.fc23.noarch
pulp-rpm-admin-extensions-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-rpm-plugins-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-selinux-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
pulp-server-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-client-lib-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-common-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-docker-common-2.2.0-0.1.alpha.git.201.5462eab.fc23.noarch
python-pulp-oid_validation-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-ostree-common-1.2.0-0.1.alpha.git.104.8f728f9.fc23.noarch
python-pulp-puppet-common-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
python-pulp-python-common-1.2.0-0.1.alpha.git.108.404f437.fc23.noarch
python-pulp-repoauth-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-rpm-common-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
python-pulp-streamer-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
Related issues
Updated by bmbouter over 7 years ago
The selinux label of the content of /var/lib/pulp is not being relabeled correctly. This is likely due to a move being done instead of a copy. @jortel is working on a bug similar to this. Maybe it has the same root cause.
Updated by jortel@redhat.com over 7 years ago
Updated by Ichimonji10 over 7 years ago
Re-tested with systems provisioned yesterday. Below are the packages on the two systems I'm currently using for testing.
$ grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 24 (Twenty Four)"
$ rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.b1956ff.fc24.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.b1956ff.fc24.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.b787209.fc24.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.b787209.fc24.noarch
pulp-python-admin-extensions-1.1.2-1.fc24.noarch
pulp-python-plugins-1.1.2-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.49.6d2eaf2.fc24.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.49.6d2eaf2.fc24.noarch
pulp-selinux-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
pulp-server-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-common-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.b1956ff.fc24.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.b787209.fc24.noarch
python-pulp-python-common-1.1.2-1.fc24.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.49.6d2eaf2.fc24.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
$ grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 23 (Twenty Three)"
$ rpm -qa | sort | grep -i pulp
pulp-admin-client-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
pulp-docker-admin-extensions-2.2.0-0.1.alpha.git.201.ca717bc.fc23.noarch
pulp-docker-plugins-2.2.0-0.1.alpha.git.201.ca717bc.fc23.noarch
pulp-ostree-admin-extensions-1.2.0-0.1.alpha.git.104.d8fab7d.fc23.noarch
pulp-ostree-plugins-1.2.0-0.1.alpha.git.104.d8fab7d.fc23.noarch
pulp-puppet-admin-extensions-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-puppet-plugins-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-python-admin-extensions-1.2.0-0.1.alpha.git.109.03ee7ec.fc23.noarch
pulp-python-plugins-1.2.0-0.1.alpha.git.109.03ee7ec.fc23.noarch
pulp-rpm-admin-extensions-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-rpm-plugins-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-selinux-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
pulp-server-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-client-lib-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-common-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-docker-common-2.2.0-0.1.alpha.git.201.ca717bc.fc23.noarch
python-pulp-oid_validation-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-ostree-common-1.2.0-0.1.alpha.git.104.d8fab7d.fc23.noarch
python-pulp-puppet-common-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
python-pulp-python-common-1.2.0-0.1.alpha.git.109.03ee7ec.fc23.noarch
python-pulp-repoauth-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-rpm-common-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
python-pulp-streamer-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
The issue is still apparent on both systems:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pulp/docker/v2/foo/tags/list/
on this server.<br />
</p>
</body></html>
Only the F24/Pulp 2.10.1 system is currently worth paying attention to, though, because the other system suffers from an additional new issue. Here's the last few lines of output from the diagnostic script:
+ audit2allow -al
#============= httpd_t ==============
#!!!! The file '/var/lib/pulp/published/docker/v2/master/foo/1475678006.63/tags/list' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/pulp/published/docker/v2/master/foo/1475678006.63/tags/list
allow httpd_t pulp_var_cache_t:file getattr;
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log
type=USER_AVC msg=audit(1475677987.661:1659): pid=706 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475677988.768:1660): pid=706 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=9) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1475677988.773:1661): policy loaded auid=0 ses=26
type=AVC msg=audit(1475678007.833:1662): avc: denied { getattr } for pid=17638 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475678006.63/tags/list" dev="dm-0" ino=2492585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1
Updated by Ichimonji10 over 7 years ago
I provisioned one more pair of systems just now, and encountered the same issue. Here's the packages on the F24 system:
$ rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
pulp-python-admin-extensions-1.1.2-1.fc24.noarch
pulp-python-plugins-1.1.2-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
pulp-selinux-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
pulp-server-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-common-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
python-pulp-python-common-1.1.2-1.fc24.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
Updated by mhrivnak over 7 years ago
Should this be closed as a duplicate of #2277?
Updated by Ichimonji10 over 7 years ago
I don't know whether the root cause is the same or not.
Updated by amacdona@redhat.com over 7 years ago
- Related to Issue #2277: Content published using move (instead of copy) causes 404 due to selinux denial. added
Updated by amacdona@redhat.com over 7 years ago
- Priority changed from Normal to Urgent
- Severity changed from 2. Medium to 3. High
- Triaged changed from No to Yes
Updated by semyers over 7 years ago
Based on my limited understanding of #2277, it seems possible that this is a duplicate and may now be resolved, but it needs to be retested.
Updated by pthomas@redhat.com over 7 years ago
This seems to be still present in the pulp 10.1 nightly
[root@mgmt2 ~]# pulp-admin docker repo create --repo-id foo \
> --feed https://registry-1.docker.io --upstream-name library/busybox
Repository [foo] successfully created
[root@mgmt2 ~]# pulp-admin docker repo sync run --repo-id foo
+----------------------------------------------------------------------+
Synchronizing Repository [foo]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading manifests
[/]
... completed
Copying units already in pulp
[-]
... completed
Copying units already in pulp
[-]
... completed
Downloading remote files
[==================================================] 100%
20 of 20 items
... completed
Saving Manifests and Blobs
[\]
... completed
Saving Tags
[==================================================] 100%
43 of 43 items
... completed
Task Succeeded
Task Succeeded
[root@mgmt2 ~]# curl --insecure --user admin:admin \
> https://localhost/pulp/docker/v2/foo/tags/list/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pulp/docker/v2/foo/tags/list/
on this server.</p>
</body></html>
[root@mgmt2 ~]#
[root@mgmt2 ~]#
[root@mgmt2 ~]#
[root@mgmt2 ~]# setenforce 0
[root@mgmt2 ~]#
[root@mgmt2 ~]#
[root@mgmt2 ~]#
[root@mgmt2 ~]# curl --insecure --user admin:admin https://localhost/pulp/docker/v2/foo/tags/list/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pulp/docker/v2/foo/tags/list/ was not found on this server.</p>
</body></html>
[root@mgmt2 ~]# getenforce
Permissive
[root@mgmt2 ~]# rpm -qa | sort |grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.e424568.el7.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.e424568.el7.noarch
pulp-ostree-admin-extensions-1.1.4-0.1.alpha.git.16.de039ba.el7.noarch
pulp-ostree-plugins-1.1.4-0.1.alpha.git.16.de039ba.el7.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.c2866dc.el7.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.c2866dc.el7.noarch
pulp-python-admin-extensions-1.1.4-0.1.alpha.git.28.71c18b3.el7.noarch
pulp-python-plugins-1.1.4-0.1.alpha.git.28.71c18b3.el7.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.50.1a52fa1.el7.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.50.1a52fa1.el7.noarch
pulp-selinux-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
pulp-server-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
python-kombu-3.0.33-6.pulp.el7.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-common-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.e424568.el7.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-ostree-common-1.1.4-0.1.alpha.git.16.de039ba.el7.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.c2866dc.el7.noarch
python-pulp-python-common-1.1.4-0.1.alpha.git.28.71c18b3.el7.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.50.1a52fa1.el7.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
[root@mgmt2 ~]#
audit.log
type=AVC msg=audit(1476452475.294:1920): avc: denied { getattr } for pid=15064 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1476452447.94/tags/list" dev="dm-0" ino=67498782 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1476452475.294:1920): arch=c000003e syscall=6 success=yes exit=0 a0=7f58dea0ef00 a1=7ffcdb1763b0 a2=7ffcdb1763b0 a3=ffffffffffffffff items=0 ppid=15054 pid=15064 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Updated by dkliban@redhat.com over 7 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to dkliban@redhat.com
Updated by dkliban@redhat.com over 7 years ago
- Status changed from ASSIGNED to MODIFIED
One of the PRs that fixed #2277 was missing from 2.10-dev branch. Adding those commits and rebuilding the packages fixed the problem.
Updated by semyers over 7 years ago
- Project changed from Docker Support to Pulp
- Subject changed from Cannot get v2 repo tags list to Cannot get docker v2 repo tags list
Since this was fixed in platform, I'm moving it over there so it doesn't look like I'm telling lies in my release notes.
Updated by semyers over 7 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Actions
.