openshift / oc

The OpenShift Command Line, part of OKD
https://www.openshift.org
Apache License 2.0

`oc adm catalog mirror` generates way too big requests #789

Closed m4r1k closed 3 years ago

m4r1k commented 3 years ago

Recently while mirroring the OpenShift OperatorHubs to a Harbor registry, I came across an error. While executing the oc adm catalog mirror command, Harbor's frontend (Nginx) was giving the error 414 Request-URI Too Large when pushing large contents.

It looks like oc is generating wayyyyy too large URI requests. The log from Nginx follows:

Mar 10 18:57:51 172.22.0.1 proxy[20934]: 192.168.222.1 - "GET /service/token?account=ocp4&scope=repository%3Aocp4-v4.6%2F3scale-amp2-3scale-rhel7-operator-metadata%3Apull%2Cpush&scope=reposi
tory%3Aocp4-v4.6%2F3scale-amp2-3scale-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp2-apicast-gateway-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp2-a
picast-rhel7-operator-metadata%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp2-apicast-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp2-backend-rhel7%3Apull%2
Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp2-memcached-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp2-system-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp
2-zync-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2F3scale-amp26-3scale-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-broker-lts-operator-bundle%3Apull%2Cpush&scope=re
pository%3Aocp4-v4.6%2Famq7-amq-broker-lts-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-broker-lts-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-broker-
operator-bundle%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-broker-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-broker%3Apull%2Cpush&scope=repository%3Aocp4
-v4.6%2Famq7-amq-interconnect-operator-metadata%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-interconnect-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-interconnect
%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-address-space-controller%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-agent%3Apull%2Cpush&scope=repository%3
Aocp4-v4.6%2Famq7-amq-online-1-auth-plugin%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-broker-plugin%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-console
-init%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-console-server-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-controller-manager-rhel7-operator-met
adata%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-controller-manager-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-mqtt-gateway%3Apull%2Cpu
sh&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-mqtt-lwt%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-none-auth-service%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq
7-amq-online-1-standard-controller%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-online-1-topic-forwarder%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-bridge-rhel7%3
Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-cluster-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-kafka-23-rhel7%3Apull%2Cpush&scope=repository%3Aoc
p4-v4.6%2Famq7-amq-streams-kafka-24-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-kafka-25-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-kafka-26-
rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-amq-streams-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp
4-v4.6%2Famq7-amqstreams-rhel7-operator-metadata%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-adapters-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fa
mq7-tech-preview-amq-online-1-iot-auth-service%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-device-registry-datagrid%3Apull%2Cpush&scope=repository%3Aocp4-
v4.6%2Famq7-tech-preview-amq-online-1-iot-device-registry-file%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-device-registry-rhel7%3Apull%2Cpush&scope=repos
itory%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-http-adapter%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-lorawan-adapter-rhel7%3Apull%2Cpush&scope=
repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-mqtt-adapter%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-proxy-configurator%3Apull%2Cpush&scop
e=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-sigfox-adapter-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-tenant-cleaner-rhel7%3Apull
%2Cpush&scope=repository%3Aocp4-v4.6%2Famq7-tech-preview-amq-online-1-iot-tenant-service%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Famqstreams-1-amqstreams10-clusteroperator-openshift%3Apu
ll%2Cpush&scope=repository%3Aocp4-v4.6%2Fansible-automation-platform-platform-resource-operator-bundle%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fansible-automation-platform-platform-resou
rce-rhel7-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fansible-automation-platform-platform-resource-runner-rhel7%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-c
onfigbump-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-crw-2-rhel8-operator-metadata%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-crw-2-rhel8-
operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-devfileregistry-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-jwtproxy-rhel8%3Apull%2Cpus
h&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-machineexec-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-plugin-java11-openj9-rhel8%3Apull%2Cpush&scope=repos
itory%3Aocp4-v4.6%2Fcodeready-workspaces-plugin-java11-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-plugin-java8-openj9-rhel8%3Apull%2Cpush&scope=repository%3Aocp4
-v4.6%2Fcodeready-workspaces-plugin-java8-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-plugin-kubernetes-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcoderea
dy-workspaces-plugin-openshift-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-pluginbroker-artifacts-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-wor
kspaces-pluginbroker-metadata-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-pluginregistry-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-s
erver-operator-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-server-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-stacks-cpp-rhel8%3Apull%
2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-stacks-dotnet-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-stacks-golang-rhel8%3Apull%2Cpush&scope=repos
itory%3Aocp4-v4.6%2Fcodeready-workspaces-stacks-java-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-stacks-node-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fco
deready-workspaces-stacks-php-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-stacks-python-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-theia-endpoint-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-theia-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcodeready-workspaces-traefik-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-bridge-marker%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-cluster-network-addons-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-cnv-containernetworking-plugins%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-cnv-must-gather-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-hco-bundle-registry%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-hostpath-provisioner-rhel8-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-hostpath-provisioner-rhel8%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-hyperconverged-cluster-operator%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-kubemacpool%3Apull%2Cpush&scope=repository%3Aocp4-v4.6%2Fcontainer-native-virtualization-kubernetes-nmstate-handler-rhel8%3Apull%2Cpush" 414 170 "-" "-" 0.000 - .

I initially opened an issue and PR in Harbor, but the community came back saying that it is quite unusual to generate a URI this big.

In the official OpenShift documentation, when mirroring the OperatorHub, the only Registry requirement is "access to mirror registry that supports Docker v2-2".

Now I can be very wrong, but I don't see anywhere in the official Docker v2-2 specs that URI can have an unlimited (or definitely very large) size such as what the oc CLI generates. https://docs.docker.com/registry/spec/manifest-v2-2/ https://docs.docker.com/registry/spec/api/

I suspect this problem will also affect other Registry implementations not tuned for oc.

So couple of questions:

Thanks!

sallyom commented 3 years ago

@m4r1k I believe this is the same issue https://bugzilla.redhat.com/show_bug.cgi?id=1874106 . With oc image mirror the workaround is to add the flag --skip-multiple-scopes=true. However this flag is not exposed with oc adm catalog mirror so it should be added to provide the same workaround, while a more permanent solution is being investigated.
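
An added illustration, not part of the original thread and not oc's code or the fix in PR 780: it models how a `/service/token` request line grows with each `scope=` parameter, as in the Nginx log above, and how splitting the scopes across several requests keeps each one within a proxy limit. The 8192-byte limit (nginx's stock `large_client_header_buffers` buffer size), the helper names and the repository names are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: the proxy answers 414 when the request line exceeds one
# header buffer; 8192 is nginx's stock size, the deployment may differ.
REQUEST_LINE_LIMIT = 8192

def token_url(account, scopes, path="/service/token"):
    """Build a registry token request URI carrying the given scopes."""
    query = [("account", account)] + [("scope", s) for s in scopes]
    return path + "?" + urlencode(query)

def request_line_len(uri, method="GET", version="HTTP/1.1"):
    """Length of the HTTP request line, without the trailing CRLF."""
    return len(f"{method} {uri} {version}")

def audit(uri, limit=REQUEST_LINE_LIMIT):
    """Return (scope_count, request_line_length, over_limit) for a token URI."""
    scopes = parse_qs(urlsplit(uri).query).get("scope", [])
    length = request_line_len(uri)
    return len(scopes), length, length > limit

def batch_scopes(account, scopes, limit=REQUEST_LINE_LIMIT):
    """Greedily split scopes so that every token request fits the limit."""
    batches, current = [], []
    for scope in scopes:
        candidate = token_url(account, current + [scope])
        if current and request_line_len(candidate) > limit:
            batches.append(current)
            current = []
        current.append(scope)
    if current:
        batches.append(current)
    return batches

# Constructed sample: 200 repositories shaped like those in the log above.
SCOPES = [
    f"repository:ocp4-v4.6/example-operator-component-{i:03d}-rhel8:pull,push"
    for i in range(200)
]

if __name__ == "__main__":
    print("all scopes in one request:", audit(token_url("ocp4", SCOPES)))
    for batch in batch_scopes("ocp4", SCOPES):
        print("batched request:", audit(token_url("ocp4", batch)))
```
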

sallyom commented 3 years ago

@m4r1k can you share the oc adm catalog mirror command you ran? thanks

m4r1k commented 3 years ago

As I also wrote in the Harbor issue, the oc command is fairly standard:

```
oc adm catalog mirror \
  registry.redhat.io/redhat/redhat-operator-index:v4.6 \
  harbor.localdomain/ocp4-v4.6 \
  -a ~/pull-secret.json \
  --filter-by-os=linux/amd64
```

sallyom commented 3 years ago

if you don't mind, can you confirm that command succeeds w/ oc from this commit: https://github.com/openshift/oc/pull/780/commits/511ab52fc1f19d1127e43ca2be3930bd69e19acc (PR https://github.com/openshift/oc/pull/780) you can grab it with this image: quay.io/sallyom/cli:test then something like:

```
podman run --rm -it -v ~/pull-secret.json:/pull-secret:z \
quay.io/sallyom/cli:test \
oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.6 harbor.localdomain/ocp4-v4.6 \
-a /pull-secret --filter-by-os=linux/amd64
```

thanks

oliverbutanowitz commented 3 years ago

Good Morning @sallyom !

I tested your oc version against Harbor v2.2.0-ec0ba116. With oc 4.7.1 I got the described "414 Request-URI Too Large" from Harbor.

Now, using your oc Client Version: v4.2.0-alpha.0-1033-g6abfff6, it's working; the image mirror runs successfully without any issues. Thanks

m4r1k commented 3 years ago

I can also confirm that using the patched oc CLI, the OperatorHub mirroring works without patching Harbor.

sallyom commented 3 years ago

nice! ok, let's get that merged. :)

openshift-bot commented 3 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 3 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 3 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 3 years ago

@openshift-bot: Closing this issue.
