Community-Owned package repositories fail with 403 if no user-agent set #3261

Closed
AverageMarcus opened this issue Sep 11, 2023 · 3 comments · Fixed by kubernetes/k8s.io#5823
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/release Categorizes an issue or PR as relevant to SIG Release.

Comments

@AverageMarcus
Member

What happened:

When attempting to install from new Community-Owned Package Repositories using tdnf from Photon the following error is returned:

```
Error: 403 when downloading https://pkgs.k8s.io/core:/stable:/v1.26/rpm/repodata/repomd.xml
```

This then blocks being able to install any packages.

What you expected to happen:

tdnf should successfully refresh its metadata and allow installing packages.

How to reproduce it (as minimally and precisely as possible):

```
docker run -ti --rm photon:latest
```

Inside the container

```
cat << EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=kubernetes
description=the kubernetes yum repo
baseurl=https://pkgs.k8s.io/core:/stable:/v1.26/rpm/
gpgcheck=True
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.26/rpm/repodata/repomd.xml.key
enabled=1

EOF

tdnf install kubelet-1.26.7 --nogpgcheck -y
```

Output:

```
Refreshing metadata for: 'kubernetes'
kubernetes                                 919 100%
Error: 403 when downloading https://pkgs.k8s.io/core:/stable:/v1.26/rpm/repodata/repomd.xml
. Please check repo url or refresh metadata with 'tdnf makecache'.
Error(1622) : Invalid argument
Error: Failed to synchronize cache for repo 'kubernetes'
Error(1622) : Invalid argument
```

(Taken from kubernetes-sigs/image-builder#1280 (comment))

Anything else we need to know?:

The problem is due to tdnf not setting the User-Agent header and can be reproduced with curl using the following:

```
curl -L -H 'User-Agent:' https://pkgs.k8s.io/core:/stable:/v1.26/rpm/repodata/repomd.xml
```

```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: UbCX8uy59GTtjMeZj_HN-cL6o9ng6qnBPLByOF3OeczliuSY-TiGQA==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
```

Related:

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release): Photon
  • Kernel (e.g. uname -a):
  • Others:
@AverageMarcus AverageMarcus added area/release-eng Issues or PRs related to the Release Engineering subproject kind/bug Categorizes issue or PR as related to a bug. sig/release Categorizes an issue or PR as relevant to SIG Release. labels Sep 11, 2023
@AverageMarcus
Member Author

This appears to be the expected behavior based on this Slack thread: https://kubernetes.slack.com/archives/C03U7N0VCGK/p1694194051373989

It'd be good if we could get some confirmation on if this is the desired behavior or not.

As it stands currently, Photon users have no way of switching to the new repositories without replacing or re-compiling tdnf.

@xmudrii
Member

xmudrii commented Sep 11, 2023

This is caused by AWS WAF (Web Access Firewall) blocking requests without User-Agent. We can look into disabling this rule.
/assign
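
The behaviour discussed above can be reproduced offline. This is an added example, not code from this issue or from the Kubernetes project: it sends the same request with the User-Agent header missing, empty and set to a local stand-in for the edge rule. The handler, the helper names, the client string and the treatment of an empty value are assumptions; only the metadata path comes from the report.

```python
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REPOMD_PATH = "/core:/stable:/v1.26/rpm/repodata/repomd.xml"  # path from the issue


class EdgeRuleHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the edge rule: no usable User-Agent -> 403."""

    def do_GET(self):
        ua = self.headers.get("User-Agent")
        if ua is None or not ua.strip():  # assumption: empty counts as missing
            status, body = 403, b"Request blocked.\n"
        else:
            status, body = 200, b"<repomd/>\n"  # constructed placeholder body
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch_status(port, user_agent=None):
    """GET the metadata path; user_agent=None sends no User-Agent header."""
    headers = {} if user_agent is None else {"User-Agent": user_agent}
    with closing(http.client.HTTPConnection("127.0.0.1", port, timeout=5)) as conn:
        conn.request("GET", REPOMD_PATH, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status


def probe():
    with ThreadingHTTPServer(("127.0.0.1", 0), EdgeRuleHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        try:
            return {"missing": fetch_status(port),
                    "empty": fetch_status(port, ""),
                    "set": fetch_status(port, "example-client/1.0")}
        finally:
            server.shutdown()


if __name__ == "__main__":
    print(probe())
```

`http.client` is used because, like the `curl -H 'User-Agent:'` reproduction, it sends no User-Agent unless one is supplied.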

@xmudrii
Member

xmudrii commented Sep 11, 2023

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority labels Sep 11, 2023
@xmudrii xmudrii moved this to 🏗️ In Progress in SIG Release - Packaging Sep 11, 2023
@xmudrii xmudrii moved this from 🏗️ In Progress to 👀 In Review in SIG Release - Packaging Sep 11, 2023
@github-project-automation github-project-automation bot moved this from 👀 In Review to ✅ Done in SIG Release - Packaging Sep 11, 2023