Issue #2287

closed

Cannot get docker v2 repo tags list

Added by Ichimonji10 about 8 years ago. Updated over 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Urgent
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version:
Platform Release: 2.10.1
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

TL;DR version: HTTP GET requests to /pulp/docker/v2/foo/tags/list/ always fail with an HTTP 403 (forbidden) due to SELinux issues.

The longer version follows.

Let's say one executes the following script:

# Execute problematic actions
pulp-admin docker repo create --repo-id foo \
    --feed https://registry-1.docker.io --upstream-name library/busybox
pulp-admin docker repo sync run --repo-id foo
curl --insecure --user admin:admin \
    https://localhost/pulp/docker/v2/foo/tags/list/
pulp-admin docker repo delete --repo-id foo

This should work, but it doesn't under the current nightly builds of Pulp 2.10 and 2.11. The curl step fails with an HTTP 403 (forbidden). Here's what's printed:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pulp/docker/v2/foo/tags/list/ was not found on this server.</p>
</body></html>

Why does this happen? That's unclear, but a likely cause is an SELinux denial. If SELinux is disabled, the script above succeeds. Here's a more full-fledged script that succeeds:

#!/usr/bin/env bash
set -euo pipefail

# Configure SELinux
setenforce 0
echo > /var/log/audit/audit.log
semodule -R

# Execute problematic actions
pulp-admin docker repo create --repo-id foo \
    --feed https://registry-1.docker.io --upstream-name library/busybox
pulp-admin docker repo sync run --repo-id foo
curl --insecure --user admin:admin \
    https://localhost/pulp/docker/v2/foo/tags/list/
pulp-admin docker repo delete --repo-id foo

# Get info
set -x
audit2allow -al
audit2allow -Ral || true
cat /var/log/audit/audit.log

Here's the last few lines of output:

+ audit2allow -al

#============= httpd_t ==============

#!!!! The file '/var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list
allow httpd_t pulp_var_cache_t:file getattr;
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log

type=MAC_POLICY_LOAD msg=audit(1475082461.412:12606): policy loaded auid=0 ses=108
type=AVC msg=audit(1475082479.139:12607): avc:  denied  { getattr } for  pid=10392 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list" dev="dm-0" ino=1716474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1

For what it's worth, here's the corresponding log entries from the system, as captured by journalctl --follow:

-- Logs begin at Mon 2016-09-26 09:17:28 EDT. --
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.agent.direct.services:INFO: Task reply handler, started.
Sep 28 13:16:57 pulp.example.com pulp[11859]: gofer.messaging.adapter.qpid.connection:INFO: open: URL: tcp://localhost|SSL: ca: /etc/pki/qpid/ca/ca.crt|key: None|certificate: /etc/pki/qpid/client/client.pem|host-validation: False
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.agent.direct.services:INFO: AMQP reply handler started
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.webservices.application:INFO: *************************************************************
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.webservices.application:INFO: The Pulp server has been successfully initialized
Sep 28 13:16:57 pulp.example.com pulp[11859]: pulp.server.webservices.application:INFO: *************************************************************
Sep 28 13:16:57 pulp.example.com pulp[11859]: gofer.messaging.adapter.qpid.connection:INFO: opened: qpid+tcp://localhost:5672
Sep 28 13:16:57 pulp.example.com pulp[11859]: gofer.messaging.adapter.connect:INFO: connected: qpid+tcp://localhost:5672
Sep 28 13:16:59 pulp.example.com audit[9682]: USER_START pid=9682 uid=0 auid=0 ses=108 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.10.53.186 addr=10.10.53.186 terminal=/dev/pts/0 res=success'
Sep 28 13:16:59 pulp.example.com audit[9682]: CRYPTO_KEY_USER pid=9682 uid=0 auid=0 ses=108 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:ef:4c:bc:82:5b:1d:8d:86:96:a5:89:f5:d2:fe:5b:72:bd:4b:2e:4d:35:39:a8:bf:79:85:65:3e:f8:cc:b9:fa direction=? spid=12165 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.10.53.186 terminal=? res=success'
Sep 28 13:17:10 pulp.example.com kernel: SELinux: 32768 avtab hash slots, 103924 rules.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: 32768 avtab hash slots, 103924 rules.
Sep 28 13:17:10 pulp.example.com kernel: SELinux:  8 users, 14 roles, 4956 types, 308 bools, 1 sens, 1024 cats
Sep 28 13:17:10 pulp.example.com kernel: SELinux:  92 classes, 103924 rules
Sep 28 13:17:10 pulp.example.com kernel: SELinux:  Permission validate_trans in class security not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux:  Permission module_load in class system not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux:  Class cap_userns not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux:  Class cap2_userns not defined in policy.
Sep 28 13:17:10 pulp.example.com kernel: SELinux: the above unknown classes and permissions will be allowed
Sep 28 13:17:11 pulp.example.com dbus[702]: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=11)
                                                                     exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?
Sep 28 13:17:11 pulp.example.com audit: MAC_POLICY_LOAD policy loaded auid=0 ses=108
Sep 28 13:17:11 pulp.example.com dbus[702]: [system] Reloaded configuration
Sep 28 13:17:11 pulp.example.com pulp[11860]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Sep 28 13:17:11 pulp.example.com pulp[11810]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[74555716-670f-431b-89f8-a4a0ec9e2eda]
Sep 28 13:17:11 pulp.example.com pulp[11956]: py.warnings:WARNING: (11956-10368) /usr/lib64/python2.7/site-packages/pymongo/topology.py:74: UserWarning: MongoClient opened before fork. Create MongoClient with connect=False, or create client after forking. See PyMongo's documentation for details: http://api.mongodb.org/python/current/faq.html#using-pymongo-with-multiprocessing>
Sep 28 13:17:11 pulp.example.com pulp[11956]: py.warnings:WARNING: (11956-10368)   "MongoClient opened before fork. Create MongoClient "
Sep 28 13:17:11 pulp.example.com pulp[11956]: py.warnings:WARNING: (11956-10368)
Sep 28 13:17:11 pulp.example.com pulp[11956]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Sep 28 13:17:11 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.managers.repo.sync.sync[40a8f8a4-a451-4fdb-bca3-2781e702e484]
Sep 28 13:17:11 pulp.example.com pulp[11834]: py.warnings:WARNING: (11834-22336) /usr/lib64/python2.7/site-packages/pymongo/topology.py:74: UserWarning: MongoClient opened before fork. Create MongoClient with connect=False, or create client after forking. See PyMongo's documentation for details: http://api.mongodb.org/python/current/faq.html#using-pymongo-with-multiprocessing>
Sep 28 13:17:11 pulp.example.com pulp[11834]: py.warnings:WARNING: (11834-22336)   "MongoClient opened before fork. Create MongoClient "
Sep 28 13:17:11 pulp.example.com pulp[11834]: py.warnings:WARNING: (11834-22336)
Sep 28 13:17:11 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[c6495e19-f4b7-4456-9b48-a6b71b5ee9ec]
Sep 28 13:17:11 pulp.example.com pulp[11810]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[74555716-670f-431b-89f8-a4a0ec9e2eda] succeeded in 0.0460691690096s: None
Sep 28 13:17:12 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): registry-1.docker.io
Sep 28 13:17:12 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): auth.docker.io
Sep 28 13:17:12 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (2): registry-1.docker.io
Sep 28 13:17:13 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (3): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (2): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (3): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (4): registry-1.docker.io
Sep 28 13:17:21 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (5): registry-1.docker.io
Sep 28 13:17:22 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (6): registry-1.docker.io
Sep 28 13:17:22 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (1): dseasb33srnrn.cloudfront.net
Sep 28 13:17:24 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (7): registry-1.docker.io
Sep 28 13:17:24 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (2): dseasb33srnrn.cloudfront.net
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (8): registry-1.docker.io
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (9): registry-1.docker.io
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (3): dseasb33srnrn.cloudfront.net
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (4): dseasb33srnrn.cloudfront.net
Sep 28 13:17:26 pulp.example.com pulp[11834]: requests.packages.urllib3.connectionpool:INFO: Starting new HTTPS connection (5): dseasb33srnrn.cloudfront.net
Sep 28 13:17:28 pulp.example.com pulp[11834]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Sep 28 13:17:28 pulp.example.com pulp[11810]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[4683a490-5258-4433-ab77-26a5993e56cf]
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.managers.repo.sync.sync[40a8f8a4-a451-4fdb-bca3-2781e702e484] succeeded in 16.310618789s: <pulp.server.async.tasks.TaskResult object at 0x7fda4fab9250>
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.managers.repo.publish.publish[f9170aca-eb7c-4997-87bf-2a93f952eb25]
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[b8fd4289-86f6-4ea7-9410-c56be555377e]
Sep 28 13:17:28 pulp.example.com pulp[11810]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[4683a490-5258-4433-ab77-26a5993e56cf] succeeded in 0.0374169150018s: None
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[c6495e19-f4b7-4456-9b48-a6b71b5ee9ec] succeeded in 0.0477471390041s: None
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[f9170aca-eb7c-4997-87bf-2a93f952eb25] succeeded in 0.587830191012s: {'exception': None, 'repo_id': u'foo', 'traceback': None, 'started': '2016-09-28T17:17:28Z', '_ns': u'repo_publish_results',...
Sep 28 13:17:28 pulp.example.com pulp[11752]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[b8fd4289-86f6-4ea7-9410-c56be555377e] succeeded in 0.00430754901026s: None
Sep 28 13:17:29 pulp.example.com audit[11871]: AVC avc:  denied  { getattr } for  pid=11871 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475083048.37/tags/list" dev="dm-0" ino=1716474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1

Here's the packages on a system suffering from the issue. The packages are a few days old, but don't worry: the current Beaker systems also suffer from this bug.

ssh $hostname rpm -qa | sort | grep -i pulp
pulp-admin-client-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
pulp-docker-admin-extensions-2.2.0-0.1.alpha.git.201.5462eab.fc23.noarch
pulp-docker-plugins-2.2.0-0.1.alpha.git.201.5462eab.fc23.noarch
pulp-ostree-admin-extensions-1.2.0-0.1.alpha.git.104.8f728f9.fc23.noarch
pulp-ostree-plugins-1.2.0-0.1.alpha.git.104.8f728f9.fc23.noarch
pulp-puppet-admin-extensions-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-puppet-plugins-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-python-admin-extensions-1.2.0-0.1.alpha.git.108.404f437.fc23.noarch
pulp-python-plugins-1.2.0-0.1.alpha.git.108.404f437.fc23.noarch
pulp-rpm-admin-extensions-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-rpm-plugins-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-selinux-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
pulp-server-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-client-lib-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-common-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-docker-common-2.2.0-0.1.alpha.git.201.5462eab.fc23.noarch
python-pulp-oid_validation-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-ostree-common-1.2.0-0.1.alpha.git.104.8f728f9.fc23.noarch
python-pulp-puppet-common-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
python-pulp-python-common-1.2.0-0.1.alpha.git.108.404f437.fc23.noarch
python-pulp-repoauth-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch
python-pulp-rpm-common-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
python-pulp-streamer-2.11.0-0.1.alpha.git.703.7b6e4af.fc23.noarch

Related issues

Related to Pulp - Issue #2277: Content published using move (instead of copy) causes 404 due to selinux denial. (CLOSED - CURRENTRELEASE, jortel@redhat.com)
Actions #1

Updated by bmbouter about 8 years ago

The selinux label of the content of /var/lib/pulp is not being relabeled correctly. This is likely due to a move being done instead of a copy. @jortel is working on a bug similar to this. Maybe it has the same root cause.
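An added example, not part of the issue thread or of Pulp's code: a small Python triage helper that groups the AVC denials quoted in this issue by source type, target type and object class, and collapses the per-publish timestamp directory so that every publish shows up as the same recurring denial. The function names and the `<publish-ts>` placeholder are assumptions of this example; the sample records are copied from the audit.log and journalctl excerpts on this page.

```python
import re
from collections import defaultdict

# Records copied from the audit.log and journalctl excerpts in this issue.
SAMPLE_LOG = """\
type=MAC_POLICY_LOAD msg=audit(1475082461.412:12606): policy loaded auid=0 ses=108
type=AVC msg=audit(1475082479.139:12607): avc:  denied  { getattr } for  pid=10392 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475082477.3/tags/list" dev="dm-0" ino=1716474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1
Sep 28 13:17:29 pulp.example.com audit[11871]: AVC avc:  denied  { getattr } for  pid=11871 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475083048.37/tags/list" dev="dm-0" ino=1716474 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1476452475.294:1920): avc:  denied  { getattr } for  pid=15064 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1476452447.94/tags/list" dev="dm-0" ino=67498782 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file
"""

# Matches the denial body in both raw audit.log and journalctl renderings.
DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The publish directory is named after an epoch timestamp (e.g. 1475082477.3).
PUBLISH_TS_RE = re.compile(r"/\d{9,}\.\d+(?=/)")


def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_denial(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # permissive= is missing from the el7 record on this page, so report
    # "unknown" there instead of guessing whether access was blocked.
    mode = {"1": "permissive", "0": "enforcing"}.get(
        fields.get("permissive"), "unknown")
    return {
        "perms": set(m.group(1).split()),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields.get("tclass", "?"),
        "path": fields.get("path", ""),
        "mode": mode,
    }


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(
        lambda: {"count": 0, "perms": set(), "paths": set(), "modes": set()})
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        g = groups[(d["source_type"], d["target_type"], d["tclass"])]
        g["count"] += 1
        g["perms"] |= d["perms"]
        # Collapse the timestamp directory so each publish maps to one path.
        g["paths"].add(PUBLISH_TS_RE.sub("/<publish-ts>", d["path"]))
        g["modes"].add(d["mode"])
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} x{g['count']}")
        print(f"  modes: {sorted(g['modes'])}")
        for p in sorted(g["paths"]):
            print(f"  path:  {p}")
```

A single group whose path stays the same across publish timestamps points at how the file gets its label at publish time rather than at a one-off mislabel on one host.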

Actions #2

Updated by jortel@redhat.com about 8 years ago

This seems related to: #2277. The fix PR #2770 was merged yesterday. Can you please retest w/ this patch?

https://github.com/pulp/pulp/pull/2770

Actions #3

Updated by Ichimonji10 about 8 years ago

Re-tested with systems provisioned yesterday. Below are the packages on the two systems I'm currently using for testing.

$ grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 24 (Twenty Four)"
$ rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.b1956ff.fc24.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.b1956ff.fc24.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.b787209.fc24.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.b787209.fc24.noarch
pulp-python-admin-extensions-1.1.2-1.fc24.noarch
pulp-python-plugins-1.1.2-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.49.6d2eaf2.fc24.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.49.6d2eaf2.fc24.noarch
pulp-selinux-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
pulp-server-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-common-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.b1956ff.fc24.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.b787209.fc24.noarch
python-pulp-python-common-1.1.2-1.fc24.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.49.6d2eaf2.fc24.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.29.d93434d.fc24.noarch
$ grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 23 (Twenty Three)"
$ rpm -qa | sort | grep -i pulp
pulp-admin-client-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
pulp-docker-admin-extensions-2.2.0-0.1.alpha.git.201.ca717bc.fc23.noarch
pulp-docker-plugins-2.2.0-0.1.alpha.git.201.ca717bc.fc23.noarch
pulp-ostree-admin-extensions-1.2.0-0.1.alpha.git.104.d8fab7d.fc23.noarch
pulp-ostree-plugins-1.2.0-0.1.alpha.git.104.d8fab7d.fc23.noarch
pulp-puppet-admin-extensions-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-puppet-plugins-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-python-admin-extensions-1.2.0-0.1.alpha.git.109.03ee7ec.fc23.noarch
pulp-python-plugins-1.2.0-0.1.alpha.git.109.03ee7ec.fc23.noarch
pulp-rpm-admin-extensions-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-rpm-plugins-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
pulp-selinux-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
pulp-server-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-client-lib-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-common-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-docker-common-2.2.0-0.1.alpha.git.201.ca717bc.fc23.noarch
python-pulp-oid_validation-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-ostree-common-1.2.0-0.1.alpha.git.104.d8fab7d.fc23.noarch
python-pulp-puppet-common-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
python-pulp-python-common-1.2.0-0.1.alpha.git.109.03ee7ec.fc23.noarch
python-pulp-repoauth-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch
python-pulp-rpm-common-2.11.0-0.1.alpha.git.543.4255a48.fc23.noarch
python-pulp-streamer-2.11.0-0.1.alpha.git.710.7290d2b.fc23.noarch

The issue is still apparent on both systems:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pulp/docker/v2/foo/tags/list/
on this server.<br />
</p>
</body></html>

Only the F24/Pulp 2.10.1 system is currently worth paying attention to, though, because the other system suffers from an additional new issue. Here's the last few lines of output from the diagnostic script:

+ audit2allow -al

#============= httpd_t ==============

#!!!! The file '/var/lib/pulp/published/docker/v2/master/foo/1475678006.63/tags/list' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/pulp/published/docker/v2/master/foo/1475678006.63/tags/list
allow httpd_t pulp_var_cache_t:file getattr;
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log

type=USER_AVC msg=audit(1475677987.661:1659): pid=706 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475677988.768:1660): pid=706 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=9)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1475677988.773:1661): policy loaded auid=0 ses=26
type=AVC msg=audit(1475678007.833:1662): avc:  denied  { getattr } for  pid=17638 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1475678006.63/tags/list" dev="dm-0" ino=2492585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=1
Actions #4

Updated by Ichimonji10 about 8 years ago

I provisioned one more pair of systems just now, and encountered the same issue. Here's the packages on the F24 system:

$ rpm -qa | sort | grep -i pulp                                                                          
pulp-admin-client-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
pulp-python-admin-extensions-1.1.2-1.fc24.noarch
pulp-python-plugins-1.1.2-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
pulp-selinux-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
pulp-server-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-common-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
python-pulp-python-common-1.1.2-1.fc24.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
Actions #5

Updated by mhrivnak about 8 years ago

Should this be closed as a duplicate of #2277?

Actions #6

Updated by Ichimonji10 about 8 years ago

I don't know whether the root cause is the same or not.

Actions #7

Updated by amacdona@redhat.com about 8 years ago

  • Related to Issue #2277: Content published using move (instead of copy) causes 404 due to selinux denial. added
Actions #8

Updated by amacdona@redhat.com about 8 years ago

  • Priority changed from Normal to Urgent
  • Severity changed from 2. Medium to 3. High
  • Triaged changed from No to Yes
Actions #9

Updated by semyers about 8 years ago

Based on my limited understanding of #2277, it seems possible that this is a duplicate and may now be resolved, but it needs to be retested.

Actions #10

Updated by pthomas@redhat.com about 8 years ago

This seems to be still present in the pulp 10.1 nightly

[root@mgmt2 ~]# pulp-admin docker repo create --repo-id foo \
>     --feed https://registry-1.docker.io --upstream-name library/busybox
Repository [foo] successfully created

[root@mgmt2 ~]# pulp-admin docker repo sync run --repo-id foo
+----------------------------------------------------------------------+
                     Synchronizing Repository [foo]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Downloading manifests
[/]
... completed

Copying units already in pulp
[-]
... completed

Copying units already in pulp
[-]
... completed

Downloading remote files
[==================================================] 100%
20 of 20 items
... completed

Saving Manifests and Blobs
[\]
... completed

Saving Tags
[==================================================] 100%
43 of 43 items
... completed

Task Succeeded

Task Succeeded

[root@mgmt2 ~]# curl --insecure --user admin:admin \
>     https://localhost/pulp/docker/v2/foo/tags/list/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pulp/docker/v2/foo/tags/list/
on this server.</p>
</body></html>
[root@mgmt2 ~]# 
[root@mgmt2 ~]# 
[root@mgmt2 ~]# 

[root@mgmt2 ~]# setenforce 0
[root@mgmt2 ~]# 
[root@mgmt2 ~]# 
[root@mgmt2 ~]# 
[root@mgmt2 ~]# curl --insecure --user admin:admin     https://localhost/pulp/docker/v2/foo/tags/list/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pulp/docker/v2/foo/tags/list/ was not found on this server.</p>
</body></html>
[root@mgmt2 ~]# getenforce
Permissive

[root@mgmt2 ~]# rpm -qa | sort |grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.e424568.el7.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.e424568.el7.noarch
pulp-ostree-admin-extensions-1.1.4-0.1.alpha.git.16.de039ba.el7.noarch
pulp-ostree-plugins-1.1.4-0.1.alpha.git.16.de039ba.el7.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.c2866dc.el7.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.c2866dc.el7.noarch
pulp-python-admin-extensions-1.1.4-0.1.alpha.git.28.71c18b3.el7.noarch
pulp-python-plugins-1.1.4-0.1.alpha.git.28.71c18b3.el7.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.50.1a52fa1.el7.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.50.1a52fa1.el7.noarch
pulp-selinux-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
pulp-server-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
python-kombu-3.0.33-6.pulp.el7.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-common-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.e424568.el7.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-ostree-common-1.1.4-0.1.alpha.git.16.de039ba.el7.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.c2866dc.el7.noarch
python-pulp-python-common-1.1.4-0.1.alpha.git.28.71c18b3.el7.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.50.1a52fa1.el7.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.33.737643a.el7.noarch
[root@mgmt2 ~]# 

audit.log

type=AVC msg=audit(1476452475.294:1920): avc:  denied  { getattr } for  pid=15064 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/foo/1476452447.94/tags/list" dev="dm-0" ino=67498782 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1476452475.294:1920): arch=c000003e syscall=6 success=yes exit=0 a0=7f58dea0ef00 a1=7ffcdb1763b0 a2=7ffcdb1763b0 a3=ffffffffffffffff items=0 ppid=15054 pid=15064 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Actions #11

Updated by dkliban@redhat.com about 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com
Actions #12

Updated by dkliban@redhat.com about 8 years ago

  • Status changed from ASSIGNED to MODIFIED

One of the PRs that fixed #2277 was missing from 2.10-dev branch. Adding those commits and rebuilding the packages fixed the problem.

Actions #13

Updated by semyers about 8 years ago

  • Platform Release set to 2.10.1
Actions #14

Updated by semyers about 8 years ago

  • Project changed from Docker Support to Pulp
  • Subject changed from Cannot get v2 repo tags list to Cannot get docker v2 repo tags list

Since this was fixed in platform, I'm moving it over there so it doesn't look like I'm telling lies in my release notes.

Actions #15

Updated by semyers about 8 years ago

  • Status changed from MODIFIED to 5
Actions #16

Updated by semyers about 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #17

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
