On Thu, Jul 30, 2015 at 4:20 AM, Tomas Tomecek <[email protected]> wrote:
> Quoting Adam Miller (2015-07-30 00:29:10)
>> Hello all,
>> I see that both atomic-reactor and osbs-client have moved within
>> the Project Atomic space so I'm sending this here. If there is a more
>> appropriate mailing list for it please let me know.
>
> Unless list owners mind, we can discuss here.
>
>> I'm currently working on setting up OSBS with an existing
>> OpenShift environment mostly as an exercise to see if it can be done.
>> My hope and motivation is to have an environment where users can use
>> the PaaS, but it can also be used via OSBS but OSBS would be
>> sand-boxed off into its own environment.
>>
>> I have a VM setup following these notes:
>> https://gist.github.com/maxamillion/7e71f252830d08da4e3a
>>
>> However I'm getting an error attempting to list builds. I suspect this
>> is an authorization and/or OpenShift policy thing that I'm just
>> missing but I wanted to ask for guidance.
>>
>> # osbs --verbose list-builds
>> 2015-07-29 17:08:05,198 - osbs - DEBUG - Logging level set to debug
>> * About to connect() to losbs.example.com port 8443 (#0)
>> * Trying 192.168.122.28...
>> * Connected to losbs.example.com (192.168.122.28) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * skipping SSL peer certificate verification
>> * NSS: client certificate not found (nickname not specified)
>> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
>> * Server certificate:
>> * subject: CN=losbs.example.com
>> * start date: Jul 28 22:42:10 2015 GMT
>> * expire date: Jul 27 22:42:11 2016 GMT
>> * common name: losbs.example.com
>> * issuer: CN=openshift-signer@1438123330
>> > GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
>> User-Agent: PycURL/7.29.0
>> Host: losbs.example.com:8443
>> Accept: */*
>>
>> < HTTP/1.1 403 Forbidden
>> < Cache-Control: no-store
>> < Content-Type: application/json
>> < Date: Wed, 29 Jul 2015 22:08:05 GMT
>> < Content-Length: 231
>> <
>> * Connection #0 to host losbs.example.com left intact
>> Traceback (most recent call last):
>>   File "/usr/bin/osbs", line 9, in <module>
>>     load_entry_point('osbs==0.14', 'console_scripts', 'osbs')()
>>   File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 353, in main
>>     args.func(args, osbs)
>>   File "/usr/lib/python2.7/site-packages/osbs/cli/main.py", line 32,
>> in cmd_list_builds
>>     builds = osbs.list_builds(namespace=args.namespace)
>>   File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in
>> catch_exceptions
>>     return func(*args, **kwargs)
>>   File "/usr/lib/python2.7/site-packages/osbs/api.py", line 74, in
>> list_builds
>>     serialized_response = response.json()
>>   File "/usr/lib/python2.7/site-packages/osbs/http.py", line 158, in json
>>     self._check_status_code()
>>   File "/usr/lib/python2.7/site-packages/osbs/http.py", line 185, in
>> _check_status_code
>>     raise OsbsNetworkException(url, message, self.status_code)
>> osbs.exceptions.OsbsNetworkException: (403)
>>
>> I've looked through the logs for the docker-registry pod within
>> OpenShift/kube and checked the openshift-master and openshift-node
>> logs, nothing is jumping out at me as the culprit. Anything I
>> could/should be looking at or some suggestion on how to set this up
>> would be greatly appreciated.
>>
>> Thank you,
>> -AdamM
>>
>
> Your client is not allowed to access the API endpoint.
>
> `oc describe policyBindings :default` please
>
>
> Looking at the gist, I can see two possible issues:
>
> 1. I can see you are logging as "builder" user but can't see policy setup for
> the user
>
>
> 2. `oadm policy add-role-to-group edit system:unauthenticated
> system:authenticated`
>
> * you should set this for "builder" namespace:
>
> `oadm policy add-role-to-group edit --namespace builder
> system:unauthenticated system:authenticated`
>
> * and then you need to operate on the namespace:
>
> `osbs --namespace builder list-builds`
>
> `osbs build -g
> https://github.com/maxamillion/atomic-reactor-dockerfile-test.git -c
> test-image -u builder --namespace builder`
>
> The `-u` option of the build command is a bit unfortunate, it doesn't have to do
> anything with openshift, it is just the prefix for image name. Will open up
> issue to make it more clear:
> https://github.com/projectatomic/osbs-client/issues/184
>

This is perfect, thank you! The policyBinding for the builder namespace
and then namespacing the osbs commands is exactly the piece of the
puzzle I was missing.

Couple very minor things I thought I'd note just for the sake of the
mailing list thread posterity, a couple of the commands as written
didn't work for me, the 'osbs build' command needed the namespace arg
in a different order (before the sub-command), which resulted in
'osbs --namespace builder build ....' and the oadm policy needed
'--namespace=builder' (no idea why it failed to parse the following
arg, but it threw the error 'Error: flag needs an argument:
--namespace').

Thank you again!

-AdamM

>
> Regards,
> ~~
> Tomáš Tomeček
> Software Engineer
> Developer Experience
> UTC+2 (CEST)
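
Added example, not part of the thread and not osbs-client code: the 403 in the trace was returned for a request under `/namespaces/default/`, while the role was to be granted in, and the commands run against, `builder`. The Python below pairs each request line of an `osbs --verbose` trace with its status line and lists the namespaces the API denied; `parse_trace`, `denied_namespaces` and the second sample exchange are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the first exchange is trimmed from the trace quoted in
# the thread; the second (namespace "builder", 200 OK) is made up for contrast.
SAMPLE_TRACE = """\
> GET /osapi/v1beta3/namespaces/default/builds/ HTTP/1.1
Host: losbs.example.com:8443

< HTTP/1.1 403 Forbidden
< Content-Type: application/json
<
> GET /osapi/v1beta3/namespaces/builder/builds/ HTTP/1.1

< HTTP/1.1 200 OK
"""

REQUEST = re.compile(r"^> ([A-Z]+) (\S+) HTTP/\d\.\d\s*$")
STATUS = re.compile(r"^< HTTP/\d\.\d (\d{3})\b")
NAMESPACE = re.compile(r"/namespaces/([^/]+)/")

class Exchange(NamedTuple):
    method: str
    path: str
    namespace: Optional[str]  # None when the path is not namespaced
    status: int

def parse_trace(trace: str) -> List[Exchange]:
    """Pair each request line with the status line that answers it."""
    exchanges, pending = [], None
    for line in trace.splitlines():
        req, status = REQUEST.match(line), STATUS.match(line)
        if req:
            pending = req.groups()
        elif status and pending:
            ns = NAMESPACE.search(pending[1])
            exchanges.append(Exchange(pending[0], pending[1],
                ns.group(1) if ns else None, int(status.group(1))))
            pending = None
    return exchanges

def denied_namespaces(trace: str) -> List[Optional[str]]:
    """Namespaces where the API answered 401 or 403, in first-seen order."""
    denied = []
    for ex in parse_trace(trace):
        if ex.status in (401, 403) and ex.namespace not in denied:
            denied.append(ex.namespace)
    return denied
```

A namespace reported here is the one whose policy bindings to inspect, and the one to compare against the `--namespace` value passed to `osbs`.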
