Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7529

OMR can redirect to invalid locations

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • omr-v1.3.10
    • OMR
    • False
    • None
    • False
    • Compatibility/Configuration, User Experience
      1. Install OMR
      2. Make a request like /v2. e.g. curl -L -kvvv localhost:8443/v2
    • None

      OpenShift Mirror Registry (and Quay) redirects to an invalid location when the Quay application and external port mappings are not the same, and when the request path is not considered canonical (see references for more information on canonical URLs).

       

      Running OMR in the default configuration will have podman publish port 8443, with the Quay pod's nginx binding 8443 and forwarding to port 443 for Quay (inside the container). Making a request against a URL path such as /v2 will return a 308 redirect which specifies an invalid location value which doesn't consider the SERVER_HOSTNAME configuration (i.e. the accessible host:port for the registry). The path of the redirect changes slightly to /v2/, which is considered the canonical URL.

      Similar Example:

      $ curl -k -L https://labservices.internal:8443/organization/osp
< HTTP/2 308 
< server: nginx/1.20.1
< date: Thu, 18 Jul 2024 05:48:14 GMT
< content-type: text/html; charset=utf-8
< content-length: 323
< location: https://labservices.internal/organization/osp/
< x-frame-options: DENY
< strict-transport-security: max-age=63072000; preload
< 
* Ignoring the response-body
* Connection #0 to host labservices.internal left intact
* Clear auth, redirects to port from 8443 to 443Issue another request to this URL: 'https://labservices.internal/organization/osp/'
*   Trying 10.8.234.14:443...
* connect to 10.8.234.14 port 443 failed: Connection refused
* Failed to connect to labservices.internal port 443: Connection refused
* Closing connection 1
curl: (7) Failed to connect to labservices.internal port 443: Connection refused

       

      The above behavior was exhibited in testing performed for OpenStack, where the path /v2 was being used to check the registry and being redirected from port 8443 to 443. The config.yaml generated by mirror-registry install contains:

      SERVER_HOSTNAME: labservices.internal:8443

      Expected Behavior

      Quay (Mirror Registry) should return a working redirect.

      Workaround

      It is possible to copy the value of SERVER_HOSTNAME in the config.yaml as SERVER_NAME, which is passed through to the Quay Flask app configuration and will adjust the behavior of redirects to use the application context instead of the request's context. This happens to work due to the way config.yaml configuration is passed to the Quay Flask application.

      References

      Flask: Unique URLs / Redirection Behavior
      Flask: Configuration / SERVER_NAME

              Unassigned Unassigned
              rhn-support-aamarks Aaron Marks
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: