Pulp Docker Compose 403 on Content Page

Hi all,

I’m fairly new to Pulp. I just deployed Pulp via Docker Compose (Folders) and added SSL to the NGINX template.

Problem:
I created a repository called “el9” and added a package to it. After this I published the package to the repository and called it a day. I expected to see it inside /pulp/content/el9/. When I browse to /pulp/content/el9/ I get the error: 403: Access not authenticated. For my use case it would be suitable that this content repository page is public. Is this even possible?

SECRET_KEY = "xxx"
CONTENT_ORIGIN = "http://pulp_content:24816"
DATABASES = {"default": {"HOST": "postgres", "ENGINE": "django.db.backends.postgresql", "NAME": "pulp", "USER": "pulp", "PASSWORD": "xxx", "PORT": "5432", "CONN_MAX_AGE": 0, "OPTIONS": {"sslmode": "prefer"}}}
CACHE_ENABLED = True
REDIS_HOST = "redis"
REDIS_PORT = 6379
REDIS_PASSWORD = ""
ANSIBLE_API_HOSTNAME = "http://pulp_api:24817"
ANSIBLE_CONTENT_HOSTNAME = "http://pulp_content:24816/pulp/content"
ALLOWED_IMPORT_PATHS = ["/tmp"]
ALLOWED_EXPORT_PATHS = ["/tmp"]
TOKEN_SERVER = "http://pulp_api:24817/token/"
TOKEN_AUTH_DISABLED = False
TOKEN_SIGNATURE_ALGORITHM = "ES256"
PUBLIC_KEY_PATH = "/etc/pulp/certs/public_key.pem"
PRIVATE_KEY_PATH = "/etc/pulp/certs/private_key.pem"
ANALYTICS = False
STATIC_ROOT = "/var/lib/operator/static/"
CSRF_TRUSTED_ORIGINS = ['https://xxx']

I also tried setting TOKEN_AUTH_DISABLED = True without any change. Trying to follow Token Authentication I already created keys and set them (see above) without any change.

My NGINX Config looks like this

error_log /dev/stdout info;
worker_processes 1;
events {
    worker_connections 1024; # increase if you have lots of clients
    accept_mutex off; # set to 'on' if nginx worker_processes > 1
}


http {
    access_log /dev/stdout;
    include mime.types;
    # fallback in case we can't determine a type
    default_type application/octet-stream;
    sendfile on;

    # If left at the default of 1024, nginx emits a warning about being unable
    # to build optimal hash types.
    types_hash_max_size 4096;

    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        # This logic enables us to have multiple servers, and check to see
        # if they are scaled every 10 seconds.
        # https://www.nginx.com/blog/dns-service-discovery-nginx-plus#domain-name-variable
        # https://serverfault.com/a/821625/189494
        resolver $NAMESERVER valid=10s;
        set $pulp_api pulp_api;
        set $pulp_content pulp_content;

         # Gunicorn docs suggest the use of the "deferred" directive on Linux.
        listen 443 default_server deferred ssl;

        ssl_certificate /etc/pulp/certs/pulp_webserver.crt;
        ssl_certificate_key /etc/pulp/certs/pulp_webserver.key;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # intermediate configuration
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        # If you have a domain name, this is where to add it
        server_name xxx;

        # The default client_max_body_size is 1m. Clients uploading
        # files larger than this will need to chunk said files.
        client_max_body_size 50m;

        # Gunicorn docs suggest this value.
        keepalive_timeout 5;

        # static files that can change dynamically, or are needed for TLS
        # purposes are served through the webserver.
        root /opt/app-root/src;

        location /pulp/content/ {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            # we don't want nginx trying to do something clever with
            # redirects, we set the Host: header above already.
            proxy_redirect off;
            proxy_pass http://$pulp_content:24816;
        }

        location /pulp/api/v3/ {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            # we don't want nginx trying to do something clever with
            # redirects, we set the Host: header above already.
            proxy_redirect off;
            proxy_pass http://$pulp_api:24817;
        }

        location /auth/login/ {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            # we don't want nginx trying to do something clever with
            # redirects, we set the Host: header above already.
            proxy_redirect off;
            proxy_pass http://$pulp_api:24817;
        }

        include /opt/app-root/etc/nginx.default.d/*.conf;

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            # we don't want nginx trying to do something clever with
            # redirects, we set the Host: header above already.
            proxy_redirect off;
            proxy_pass http://$pulp_api:24817;
            # static files are served through whitenoise - http://whitenoise.evans.io/en/stable/
        }
    }
}

Am I missing something?

Expected outcome:

Either /pulp/content/* public or working token auth.

Pulpcore version:

3.47.0

Pulp plugins installed and their versions:

{
    "versions": [
        {
            "component": "core",
            "version": "3.47.0",
            "package": "pulpcore",
            "module": "pulpcore.app",
            "domain_compatible": true
        },
        {
            "component": "ansible",
            "version": "0.21.2",
            "package": "pulp-ansible",
            "module": "pulp_ansible.app",
            "domain_compatible": false
        },
        {
            "component": "container",
            "version": "2.18.0",
            "package": "pulp-container",
            "module": "pulp_container.app",
            "domain_compatible": false
        },
        {
            "component": "deb",
            "version": "3.1.1",
            "package": "pulp_deb",
            "module": "pulp_deb.app",
            "domain_compatible": false
        },
        {
            "component": "maven",
            "version": "0.8.0",
            "package": "pulp-maven",
            "module": "pulp_maven.app",
            "domain_compatible": false
        },
        {
            "component": "ostree",
            "version": "2.3.0",
            "package": "pulp-ostree",
            "module": "pulp_ostree.app",
            "domain_compatible": true
        },
        {
            "component": "python",
            "version": "3.11.0",
            "package": "pulp-python",
            "module": "pulp_python.app",
            "domain_compatible": false
        },
        {
            "component": "rpm",
            "version": "3.25.1",
            "package": "pulp-rpm",
            "module": "pulp_rpm.app",
            "domain_compatible": true
        },
        {
            "component": "certguard",
            "version": "3.47.0",
            "package": "pulpcore",
            "module": "pulp_certguard.app",
            "domain_compatible": true
        },
        {
            "component": "file",
            "version": "3.47.0",
            "package": "pulpcore",
            "module": "pulp_file.app",
            "domain_compatible": true
        }
    ],
}

Operating system - distribution and version:

Rocky 9 with Docker Compose

Other relevant data:
N/A

You mention that you created a repository, is it an RPM repository? If so, did you set it to autopublish?

If autopublish is not enabled, did you create a publication from the latest repository version?

Did you create a distribution with the repository associated to it?

We are working on revamping our docs. It’s still a work in progress, but you should check out this page: Create, Sync and Publish a Repository - Pulp Project. While you don’t need to sync a repository, you may find the rest of that guide useful.

I also want to add that if you didn’t create the distribution, you should be getting a 404 and not a 403. If that is the case please file a bug here.

Hi @dkliban,
thanks for the quick reply. Sorry for my wording since I’m not really deep into Pulp at this moment. Your link seems really good. :slightly_smiling_face:

I started with this wiki page: Upload Content — Pulp RPM Support 3.25.1 documentation
Then I followed this page: Exposing Content — Pulp Project 3.17.0.dev documentation

For our use case I want to simplify the process as much as possible. I just want to upload rpms/ or debs and they should be available in the repo. In our case we do not need to sync external repos, since we are only getting the packages directly from the developer.

Long story short…

I guess so… :sweat_smile: What API endpoints would I need to check if I have done it correctly?


I just retried everything to make it reproducible:

  1. POST /pulp/api/v3/repositories/rpm/rpm/
{
    "name": "el9",
    "autopublish": true
}
  2. POST /pulp/api/v3/artifacts/
  3. POST /pulp/api/v3/content/rpm/packages/
{
    "repository": "/pulp/api/v3/repositories/rpm/rpm/018df953-e46d-7e0c-8503-32261d9937ef/",
    "artifact": "/pulp/api/v3/artifacts/018df955-5177-796d-9bff-a1905792e3bf/"
}
  4. POST /pulp/api/v3/repositories/rpm/rpm/018df953-e46d-7e0c-8503-32261d9937ef/modify/
{
    "add_content_units": ["/pulp/api/v3/content/rpm/packages/018df959-5bd7-7e25-84a8-13dec87800e4/"]
}
  5. POST /pulp/api/v3/distributions/container/container/
{
    "name": "el9",
    "base_path": "el9",
    "repository": "/pulp/api/v3/repositories/rpm/rpm/018df953-e46d-7e0c-8503-32261d9937ef/"
}

Result:
image

I’m confused that your point-5 says /pulp/api/v3/distributions/container/container/ but you’re working with RPM Repositories - I assume that’s a typo/paste error?

Anyway - the sequence here works fine for me, but I was authenticating as “admin”. Let me create a “normal” user that has repo-create permissions and try again.

One possibility here is that there’s an RBAC issue in the artifact-upload/create-content-from-artifact path. My example uploads the RPM directly to the desired repository, which is easier on you :slight_smile:

I’ll experiment some more today and see if I can figure out what’s going on. If you have a chance, try the sequence in my pastebin and let me know what the results are!

In fact it is not. Well this was the issue. Now it’s working :slight_smile:

I blindly followed the “Exposing Content” tutorial without checking for rpm in this case. After I created this rpm repo I am now able to see its content.

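As an added example (not code from the thread or from Pulp), a small pre-flight check for the mismatch found above: it compares the plugin and type in a distribution endpoint with those in the repository href sent in the request body. The function names and the corrected `/pulp/api/v3/distributions/rpm/rpm/` call are assumptions of this example; the hrefs are the ones posted in the thread.

```python
import re

# Matches Pulp 3 hrefs such as /pulp/api/v3/repositories/rpm/rpm/<uuid>/
HREF_RE = re.compile(
    r"^/pulp/api/v3/(?P<kind>repositories|distributions|content)"
    r"/(?P<plugin>[a-z_]+)/(?P<type>[a-z_]+)/"
)

def plugin_of(href):
    """Return (kind, plugin, type) for a Pulp href, or None if it does not parse."""
    m = HREF_RE.match(href)
    return (m["kind"], m["plugin"], m["type"]) if m else None

def check_calls(calls):
    """Flag distribution POSTs whose plugin/type differs from the repository in the body."""
    findings = []
    for step, (method, path, body) in enumerate(calls, start=1):
        target = plugin_of(path)
        if method != "POST" or not target or target[0] != "distributions":
            continue
        repo_href = body.get("repository")
        if not repo_href:
            continue  # e.g. a distribution that serves a publication; nothing to compare
        repo = plugin_of(repo_href)
        if repo is None:
            findings.append((step, "repository href does not parse"))
        elif repo[1:] != target[1:]:
            findings.append((step, f"{repo[1]}/{repo[2]} repository attached to "
                                   f"{target[1]}/{target[2]} distribution endpoint"))
    return findings

REPO = "/pulp/api/v3/repositories/rpm/rpm/018df953-e46d-7e0c-8503-32261d9937ef/"
# The five calls as posted in the thread (bodies trimmed to the fields checked here).
POSTED = [
    ("POST", "/pulp/api/v3/repositories/rpm/rpm/", {"name": "el9", "autopublish": True}),
    ("POST", "/pulp/api/v3/artifacts/", {}),
    ("POST", "/pulp/api/v3/content/rpm/packages/", {"repository": REPO}),
    ("POST", REPO + "modify/", {}),
    ("POST", "/pulp/api/v3/distributions/container/container/",
     {"name": "el9", "base_path": "el9", "repository": REPO}),
]
# Assumed correction: the same body sent to the RPM plugin's distribution endpoint.
FIXED = POSTED[:4] + [("POST", "/pulp/api/v3/distributions/rpm/rpm/", POSTED[4][2])]

if __name__ == "__main__":
    print(check_calls(POSTED))
    print(check_calls(FIXED))
```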

Outstanding - glad we could help! :slight_smile:


Thank you for the support @ggainey and @dkliban :slight_smile:

Maybe one more question. Inside the config.repo file the baseurl attribute is pointing to the internal container url. Is there a possibility to change this url to the public facing url?

Yes, you need to change the CONTENT_ORIGIN setting.
