Validate settings before running up a Pulp instance #1550

lubosmj · 2024-03-13T10:41:09Z

When you run the Pulp in One Container instance without configuring the pulp-container's related settings first, the following error is returned:

podman pull localhost:8080/library/busybox --tls-verify=false

pulp [ebdbf4ba17f345fb958f0531041300a8]: django.request:ERROR: Internal Server Error: /v2/
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 497, in dispatch
    self.initial(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 415, in initial
    self.check_permissions(request)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 332, in check_permissions
    if not permission.has_permission(request, self):
  File "/usr/local/lib/python3.8/site-packages/pulp_container/app/token_verification.py", line 209, in has_permission
    raise NotAuthenticated()
rest_framework.exceptions.NotAuthenticated: {'errors': [{'code': 'UNAUTHORIZED', 'message': ErrorDetail(string='Authentication credentials were not provided.', code='not_authenticated'), 'detail': {}}]}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
  File "/usr/local/lib/python3.8/site-packages/pulp_container/app/registry_api.py", line 258, in handle_exception
    response = super().handle_exception(exc)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 456, in handle_exception
    auth_header = self.get_authenticate_header(self.request)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 190, in get_authenticate_header
    return authenticators[0].authenticate_header(request)
  File "/usr/local/lib/python3.8/site-packages/pulp_container/app/token_verification.py", line 149, in authenticate_header
    realm = settings.TOKEN_SERVER
  File "/usr/local/lib/python3.8/site-packages/dynaconf/base.py", line 145, in __getattr__
    value = getattr(self._wrapped, name)
  File "/usr/local/lib/python3.8/site-packages/dynaconf/base.py", line 328, in __getattribute__
    return super().__getattribute__(name)
AttributeError: 'HookableSettings' object has no attribute 'TOKEN_SERVER'
('pulp [ebdbf4ba17f345fb958f0531041300a8]: ::ffff:127.0.0.1 - - [13/Mar/2024:10:28:52 +0000] "GET /v2/ HTTP/1.0" 500 145 "-" "containers/5.29.2 (github.com/containers/image)"',)

This error is visible when accessing the live API (docker API, v2/* endpoints).

Solution

Instead of returning an uncaught exception, we should clearly state that the admin needs to pre-configure the token server: https://staging-docs.pulpproject.org/pulp_container/docs/admin/learn/authentication/#token-authentication.

I can imagine doing the following:

try:
    settings.TOKEN_SERVER
except AttributeError:
   raise ConfigurationError("The token server was not configured. Please, follow the documentation at ... to proceed further.")

Details

From https://pulpproject.org/pulp-in-one-container/, it is unclear whether the admin needs to provide any additional settings besides the default ones. It might be worth adding a note about the plugin's specific settings. There is no reference to the pulp-container's documentation either.

Visiting https://docs.pulpproject.org/pulp_container/installation.html#configure-required-settings and https://docs.pulpproject.org/pulp_container/authentication.html#token-authentication-label might not be obvious for new-comers when the entry point was https://pulpproject.org/pulp-in-one-container/

The text was updated successfully, but these errors were encountered:

ipanova · 2024-03-13T10:59:11Z

We could add settings validator in pulp_container/app/settings.py when certain settings like token server is missing (with token_auth_disabled set to false). This way pulp will refuse to start unless settings validation passes

lubosmj · 2024-03-13T12:37:15Z

We merged this pulp/pulpproject.org#465, so the traceback is not relevant anymore. We should focus on adding the validator instead.

lubosmj · 2024-06-20T09:34:16Z

Note that the traceback can be still raised when a user forgets to set up any settings required for pulp-container.

When token authentization is enabled, 4 additional variables have to be set. The state of these variables is now checked, while properly informing the user, instead of relying on exceptions raised later during the instance's run. closes pulp#1550

lubosmj added the Issue label Mar 13, 2024

lubosmj added this to Pulp Container Roadmap Mar 13, 2024

github-project-automation bot moved this to Not Started in Pulp Container Roadmap Mar 13, 2024

lubosmj moved this from Not Started to Todo in Pulp Container Roadmap Mar 13, 2024

lubosmj mentioned this issue Mar 13, 2024

Added reference to plugin settings config docs pulp/pulpproject.org#465

Merged

lubosmj changed the title ~~An error with no details is raised on a clean Pulp in One Container instance when accessing the Pulp Container Registry~~ Validate settings before running up a Pulp instance Mar 13, 2024

MichalPysik self-assigned this Jun 20, 2024

pulpbot added this to RH Pulp Kanban board Jun 20, 2024

pulpbot moved this to In Progress in RH Pulp Kanban board Jun 20, 2024

lubosmj moved this from Todo to In Progress in Pulp Container Roadmap Jun 20, 2024

MichalPysik mentioned this issue Jun 21, 2024

Validate settings before running Pulp instance #1671

Merged

pulpbot moved this from In Progress to Needs review in RH Pulp Kanban board Jun 21, 2024

lubosmj mentioned this issue Jun 27, 2024

Add a note about plugin specific settings pulp/pulp-oci-images#645

Merged

lubosmj closed this as completed in #1671 Jun 28, 2024

lubosmj closed this as completed in 8973f80 Jun 28, 2024

github-project-automation bot moved this from In Progress to Done in Pulp Container Roadmap Jun 28, 2024

pulpbot moved this from Needs review to Done in RH Pulp Kanban board Jun 28, 2024

lubosmj moved this from Done to Shipped in Pulp Container Roadmap Jul 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate settings before running up a Pulp instance #1550

Validate settings before running up a Pulp instance #1550

lubosmj commented Mar 13, 2024 •

edited

Loading

ipanova commented Mar 13, 2024

lubosmj commented Mar 13, 2024

lubosmj commented Jun 20, 2024

Validate settings before running up a Pulp instance #1550

Validate settings before running up a Pulp instance #1550

Comments

lubosmj commented Mar 13, 2024 • edited Loading

Solution

Details

ipanova commented Mar 13, 2024

lubosmj commented Mar 13, 2024

lubosmj commented Jun 20, 2024

lubosmj commented Mar 13, 2024 •

edited

Loading