Please add a switch to turn off avatar downloads #1817

Open
dbk-rabel opened this issue Apr 16, 2024 · 11 comments

@dbk-rabel

Is your feature request related to a problem? Please describe.
We sync collections with PAH from Ansible Galaxy. In this process the namespace avatars are downloaded. But they can be from any third party source. This is bad because it seems to be a security issue and also it is difficult because of firewall rules that have to be adjusted potentially.

Describe the solution you'd like
For us it would be sufficient to have an option to disable avatar downloads.

And it would be great to also make this option accessible via PAH WebUI, but I think I would have to create an additional RFE there with Red Hat, once this is implemented here.

Yours
David

@mdellweg
Member

FWIW, I believe failing to download the avatar (by the power of firewall) should not impact the correctness and success of the sync. And for the security concerns, the validity of the avatar is checked by its sha256.

Still one could add a tracker in the server of the avatar to gain intel on who is syncing from a namespace.

@dbk-rabel
Author

Thanks for your answer.

I think you might be wrong though.

Here are some old logs from when we were first experiencing the problem. We put the collection jfrog.platform in the requirements.yml and started a collection sync in PAH, but did not have a proxy rule to allow access to media.jfrog.com.

<30> 2024-01-18T17:08:33.152813+01:00 <hostname> pulpcore-worker[414996]: pulp [5b58bf5c37cd48bc81a8fe8fa00bd3bc]: pulpcore.tasking.pulpcore_worker:INFO: Starting task 78ed5305-0272-4e0e-8aa4-afa951799ee9
<30> 2024-01-18T17:08:33.169612+01:00 <hostname> pulpcore-worker[414996]: pulp [5b58bf5c37cd48bc81a8fe8fa00bd3bc]: pulpcore.tasking.pulpcore_worker:INFO: Task completed 78ed5305-0272-4e0e-8aa4-afa951799ee9
<30> 2024-01-18T17:08:41.248619+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulpcore.tasking.pulpcore_worker:INFO: Starting task aa26e234-44a9-42fb-8156-8b5470d5f7b8
<30> 2024-01-18T17:09:01.042546+01:00 <hostname> pulpcore-worker[415009]: Backing off download_wrapper(...) for 0.2s (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:01.042546+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: backoff:INFO: Backing off download_wrapper(...) for 0.2s (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:01.043035+01:00 <hostname> pulpcore-worker[415009]: Backing off download_wrapper(...) for 1.0s (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])

>>>> hundreds of lines more with the same content here <<<<

<30> 2024-01-18T17:09:36.952334+01:00 <hostname> pulpcore-worker[415009]: Giving up download_wrapper(...) after 4 tries (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:36.952334+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: backoff:ERROR: Giving up download_wrapper(...) after 4 tries (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:36.952334+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulp_ansible.app.tasks.collections:INFO: Failed to download namespace avatar: None - Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer], Skipping
<30> 2024-01-18T17:09:38.037557+01:00 <hostname> pulpcore-worker[415009]: Giving up download_wrapper(...) after 4 tries (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:38.037557+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: backoff:ERROR: Giving up download_wrapper(...) after 4 tries (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:38.037990+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulp_ansible.app.tasks.collections:INFO: Failed to download namespace avatar: None - Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer], Skipping
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulpcore.tasking.pulpcore_worker:INFO: Task aa26e234-44a9-42fb-8156-8b5470d5f7b8 failed ('NoneType' object is not iterable)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulpcore.tasking.pulpcore_worker:INFO:   File "/usr/lib/python3.9/site-packages/pulpcore/tasking/pulpcore_worker.py", line 458, in _perform_task
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    result = func(*args, **kwargs)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/pulp_ansible/app/tasks/collections.py", line 191, in sync
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    repo_version = d_version.create()
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/pulpcore/plugin/stages/declarative_version.py", line 161, in create
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    loop.run_until_complete(pipeline)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib64/python3.9/asyncio/base_events.py", line 647, in run_until_complete
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    return future.result()
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/pulpcore/plugin/stages/api.py", line 220, in create_pipeline
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    await asyncio.gather(*futures)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/pulpcore/plugin/stages/api.py", line 41, in __call__
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    await self.run()
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/pulpcore/plugin/stages/content_stages.py", line 198, in run
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    await sync_to_async(process_batch)()
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/asgiref/sync.py", line 448, in __call__
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    ret = await asyncio.wait_for(future, timeout=None)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib64/python3.9/asyncio/tasks.py", line 442, in wait_for
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    return await fut
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib64/python3.9/concurrent/futures/thread.py", line 58, in run
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    result = self.fn(*self.args, **self.kwargs)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/asgiref/sync.py", line 490, in thread_handler
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    return func(*args, **kwargs)
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:  File "/usr/lib/python3.9/site-packages/pulpcore/plugin/stages/content_stages.py", line 126, in process_batch
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]:    for d_artifact in d_content.d_artifacts:
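
An added example, not part of the original comment or of pulp_ansible: a small Python parser for log lines in the format quoted above. It lists, per worker PID, the hosts a sync gave up on (candidates for a proxy or firewall review), the skipped avatars and the failed tasks. The sample is six of the quoted lines and the function names are hypothetical; the output shows co-occurrence only, not that the avatar skip caused the task failure.

```python
import re
from collections import defaultdict

# Sample input: six of the log lines quoted in the comment above.
SAMPLE_LOG = """\
<30> 2024-01-18T17:08:41.248619+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulpcore.tasking.pulpcore_worker:INFO: Starting task aa26e234-44a9-42fb-8156-8b5470d5f7b8
<30> 2024-01-18T17:09:01.042546+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: backoff:INFO: Backing off download_wrapper(...) for 0.2s (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:36.952334+01:00 <hostname> pulpcore-worker[415009]: Giving up download_wrapper(...) after 4 tries (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:36.952334+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: backoff:ERROR: Giving up download_wrapper(...) after 4 tries (aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer])
<30> 2024-01-18T17:09:36.952334+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulp_ansible.app.tasks.collections:INFO: Failed to download namespace avatar: None - Cannot connect to host media.jfrog.com:443 ssl:default [Connection reset by peer], Skipping
<30> 2024-01-18T17:09:38.350274+01:00 <hostname> pulpcore-worker[415009]: pulp [2034f7d0143f4383bdd9df5df44397bc]: pulpcore.tasking.pulpcore_worker:INFO: Task aa26e234-44a9-42fb-8156-8b5470d5f7b8 failed ('NoneType' object is not iterable)
"""

WORKER = re.compile(r"pulpcore-worker\[(\d+)\]: (.*)")
HOST = re.compile(r"Cannot connect to host ([\w.-]+):(\d+)")
FAILED = re.compile(r"Task ([0-9a-f-]{36}) failed \((.*)\)")


def summarize(log_text):
    """Per worker PID: hosts given up on, avatars skipped, failed tasks."""
    new_entry = lambda: {"gave_up": defaultdict(int), "avatars_skipped": 0, "failed": {}}
    out = defaultdict(new_entry)
    for line in log_text.splitlines():
        m = WORKER.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        entry = out[pid]
        host = HOST.search(msg)
        # Each backoff event is logged twice (bare and with the "pulp [...]"
        # prefix); count only the prefixed copy to avoid double counting.
        if host and "backoff:ERROR: Giving up" in msg:
            entry["gave_up"][f"{host.group(1)}:{host.group(2)}"] += 1
        elif "Failed to download namespace avatar" in msg:
            entry["avatars_skipped"] += 1
        failed = FAILED.search(msg)
        if failed:
            entry["failed"][failed.group(1)] = failed.group(2)
    return out


def egress_hosts(summary):
    """Hosts the sync tried and failed to reach, for a proxy/firewall review."""
    return sorted({h for e in summary.values() for h in e["gave_up"]})
```
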

@mdellweg
Member

Can you confirm that your version runs with this DeclarativeFailsafeArtifact statement?
https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/tasks/collections.py#L713

@dbk-rabel
Author

Seems like this was commit f56e097 and therefore released with 0.21.3

It seems we are on version 0.17.5. But the fix is also included there. (I checked the code on our system and also there is this commit: 6c6fefb)

And additionally I just saw that the error message we receive wouldn't probably have been there before that commit.

@mdellweg
Member

Oh, the skipping seems to work. But there's another bug appearing: "'NoneType' object is not iterable"
Can you confirm this happens on the newest version too?

@dbk-rabel
Author

Ah ok.

"'NoneType' object is not iterable" should be fixed via #1813 according to Red Hat support. But that has not made it into a PAH release yet.

So you say that the namespace avatar was never the problem?

@mdellweg
Member

> So you say that the namespace avatar was never the problem?

I'm saying the skipping of downloads works as advertised. But I don't yet understand the "real" cause of the stacktrace enough to say whether that is related.

@dbk-rabel
Author

Can I provide any more information to help with that?

@mdellweg
Member

If you want to do some debugging, it would be interesting to know which stage throws the error.
Also can you spot a place where d_artifacts is set to None?

@dbk-rabel
Author

Actually it seems that I am not able to reproduce the issue at the moment. :( Still got the old logs from January though.

@mdellweg
Member

Thanks for looking into this. If you get to see it again, we should have a bug report issue for it.

Let's keep this issue as a wishlist item. The original ask is valid as is (though rather low priority on our side).
