Quoting Adam Miller (2015-07-30 00:29:10)
> Hello all,
> I see that both atomic-reactor and osbs-client have moved within
> the Project Atomic space so I'm sending this here. If there is a more
> appropriate mailing list for it please let me know.

Unless list owners mind, we can discuss here.

> I'm currently working on setting up OSBS with an existing
> OpenShift environment mostly as an exercise to see if it can be done.
> My hope and motivation is to have an environment where users can use
> the PaaS, but it can also be used via OSBS but OSBS would be
> sand-boxed off into its own environment.
>
> I have a VM setup following these notes:
> https://gist.github.com/maxamillion/7e71f252830d08da4e3a
>
> However I'm getting an error attempting to list builds. I suspect this
> is an authorization and/or OpenShift policy thing that I'm just
> missing but I wanted to ask for guidance.
>
> # osbs --verbose list-builds
> 2015-07-29 17:08:05,198 - osbs - DEBUG - Logging level set to debug
> * About to connect() to losbs.example.com port 8443 (#0)
> * Trying 192.168.122.28...
> * Connected to losbs.example.com (192.168.122.28) port 8443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * NSS: client certificate not found (nickname not specified)
> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> * subject: CN=losbs.example.com
> * start date: Jul 28 22:42:10 2015 GMT
> * expire date: Jul 27 22:42:11 2016 GMT
> * common name: losbs.example.com
> * issuer: CN=openshift-signer@1438123330
> > GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
> User-Agent: PycURL/7.29.0
> Host: losbs.example.com:8443
> Accept: */*
>
> < HTTP/1.1 403 Forbidden
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Wed, 29 Jul 2015 22:08:05 GMT
> < Content-Length: 231
> <
> * Connection #0 to host losbs.example.com left intact
> Traceback (most recent call last):
>   File "/usr/bin/osbs", line 9, in <module>
>     load_entry_point('osbs==0.14', 'console_scripts', 'osbs')()
>   File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 353, in main
>     args.func(args, osbs)
>   File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 32,
> in cmd_list_builds
>     builds = osbs.list_builds(namespace=args.namespace)
>   File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in
> catch_exceptions
>     return func(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/osbs/api.py", line 74, in list_builds
>     serialized_response = response.json()
>   File "/usr/lib/python2.7/site-packages/osbs/http.py", line 158, in json
>     self._check_status_code()
>   File "/usr/lib/python2.7/site-packages/osbs/http.py", line 185, in
> _check_status_code
>     raise OsbsNetworkException(url, message, self.status_code)
> osbs.exceptions.OsbsNetworkException: (403)
>
> I've looked through the logs for the docker-registry pod within
> OpenShift/kube and checked the openshift-master and openshift-node
> logs, nothing is jumping out at me as the culprit. Anything I
> could/should be looking at or some suggestion on how to set this up
> would be greatly appreciated.
>
> Thank you,
> -AdamM
>

Your client is not allowed to access the API endpoint.

`oc describe policyBindings :default` please

Looking at the gist, I can see two possible issues:

1. I can see you are logging in as the "builder" user but can't see policy setup for the user
2. `oadm policy add-role-to-group edit system:unauthenticated system:authenticated`
  * you should set this for the "builder" namespace:
    `oadm policy add-role-to-group edit --namespace builder system:unauthenticated system:authenticated`
  * and then you need to operate on the namespace:
    `osbs --namespace builder list-builds`
    `osbs build -g https://github.com/maxamillion/atomic-reactor-dockerfile-test.git -c test-image -u builder --namespace builder`

The `-u` option of the build command is a bit unfortunate; it doesn't have anything to do with OpenShift, it is just the prefix for the image name. Will open up an issue to make it more clear:

https://github.com/projectatomic/osbs-client/issues/184

Regards,
~~
Tomáš Tomeček
Software Engineer
Developer Experience
UTC+2 (CEST)
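
An added example, not part of the original thread and not osbs-client code: a shell triage of a saved `osbs --verbose` transcript that reports which namespace the request actually hit, the HTTP status, and whether TLS peer verification was skipped. The function names, the finding labels and the embedded sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a saved `osbs --verbose` log.

# Constructed sample, trimmed from the transcript quoted in this thread.
SAMPLE_LOG='* skipping SSL peer certificate verification
> GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
Host: losbs.example.com:8443
< HTTP/1.1 403 Forbidden
< Content-Type: application/json'

# Namespace taken from the request path (/namespaces/<ns>/...).
request_namespace() {
    printf '%s\n' "$1" |
        sed -n 's|^> [A-Z]* .*/namespaces/\([^/ ]*\).*|\1|p' | sed -n 1p
}

# Status code from the first response status line.
response_code() {
    printf '%s\n' "$1" |
        sed -n 's|^< HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p' | sed -n 1p
}

# Succeeds if the client logged that it skipped peer verification.
tls_verification_skipped() {
    case "$1" in
        *'skipping SSL peer certificate verification'*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage LOG EXPECTED_NAMESPACE: prints one finding per line.
# EXPECTED_NAMESPACE is where the role was granted (assumed known).
triage() {
    ns=$(request_namespace "$1")
    code=$(response_code "$1")
    if [ "$code" = 403 ] && [ "$ns" != "$2" ]; then
        echo "namespace-mismatch: request hit '$ns', role granted in '$2'"
    elif [ "$code" = 403 ]; then
        echo "forbidden: check the policy bindings of namespace '$ns'"
    fi
    if tls_verification_skipped "$1"; then
        echo "tls-unverified: server certificate was not checked"
    fi
}

triage "$SAMPLE_LOG" builder
```

The `tls-unverified` finding is independent of the 403: it only records that the client did not check the server certificate for that connection.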
