oci-cli
Cannot import Custom Image from-object with instance_principal
Creating Custom Image from Object Storage bucket object is failing when using Instance Principal.
Consider this scenario
- QCOW2 image exists in Object Storage bucket Compartment "Migration"
- Intent is to import and create new Custom Image in Compartment "Apps"
- Instance Principal has been granted (temporarily) policy "allow dynamic group MigrationHost to manage all-resources in tenancy"
$ oci os object list --auth instance_principal --bucket-name $MY_BUCKET --namespace $MY_NS --fields name --prefix myimage.qcow2
{
"data": [
{
"etag": null,
"md5": null,
"name": "myimage.qcow2",
"size": null,
"time-created": null,
"time-modified": null
}
],
"prefixes": []
}
$ oci compute image import from-object --auth instance_principal --compartment-id $TARGET_COMP --display-name myimage --launch-mode PARAVIRTUALIZED --namespace $MY_NS --bucket-name $MY_BUCKET --name myimage.qcow2 --source-image-type QCOW2
ServiceError:
{
"code": "InvalidParameter",
"message": "Invalid objectName: Specified object or bucket or namespace to import image from does not exist",
"opc-request-id": "C6A5591993327EE3CF7279489521B6C3/CA5CFAAF4CFB91606974817A22274ADE/491E1052DEC6BFE3618EE1924AFAF818",
"status": 400
}
I have just confirmed above command using API-key authentication (not instance principal) works as expected.
Also I have created a simple ~/.oci/config file containing only this (below) and still the same error as shown above.
[DEFAULT]
tenancy=[MY TENANCY OCID]
Confirmed issue still persists
Are you able to list the buckets in your compartment?
I'm currently experiencing the same issue occurring here, on OCI CLI version 3.2.2 and OCI Python SDK version 2.49.1 on Python 3.6.8. When I try to use the instance principal to create a custom image with the OCI Python SDK, I get the same error. This leads me to suspect that there's a bug in the Python SDK.
This command is able to successfully return the list of all the buckets within the compartment:
oci os bucket list --auth instance_principal --compartment-id ocid1.compartment.oc1..aaaaaaaar4...
The same command that was run above, to import a custom image, results in an identical error as the one above
{
"code": "InvalidParameter",
"message": "Invalid objectName: Specified object or bucket or namespace to import image from does not exist",
"opc-request-id": "FD3C047100404B6AA6DBCDB050B6D347/FD614F6CB6F5EB6BE2B0EE9C1BABCB48/7D26FE16118F8D3B57A8A29ACA51B31C",
"status": 400
}
The command cat /etc/os-release returns
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:9:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.9
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.9
@vish1, @kernleee, @harshkumar-dev,
Any ideas on getting this resolved?
Hi, I'm having the same issue. The same piece of code (create custom img importing from bucket) works if I authenticate with API key but does not work if I try with instance or resource principal. However, the issue seems to be related with obj storage as it is working either way if I simply create cust img from compute instance.
Hi @franciscvass, could you confirm the following:
- You are running the command from an --auth instance_principal
- Your instance principal setup is correct, i.e. run some other CLI command to confirm
If you still have the same error, could you please send the terminal output with the exact error?
Hi,
I'm running from an Instance principal. See the examples below. Some commands work.
Here I'm listing the objects in the bucket I'm using to import the image from
the object is cust-img
[opc@fvass-dev1-fra ~]$ oci os object list --auth instance_principal --bucket-name bucket1
{
"data": [
{ "archival-state": null, "etag": "f376f0f6-7957-4591-9891-e54a783ef30f", "md5": "pNb2+kVzP2FfUyZLJh/GvQ==-45", "name": "cust-img", "size": 6024003584, "storage-tier": "Standard", "time-created": "2022-02-25T11:51:11.553000+00:00", "time-modified": "2022-02-25T11:51:11.553000+00:00" },
{ "archival-state": null, "etag": "a15393d5-37ea-4257-b42d-a6cff5ed4212", "md5": "lQ2sVLwfoMGOchx7vax7AQ==", "name": "deployment.yaml", "size": 371, "storage-tier": "Standard", "time-created": "2022-02-17T09:59:16.127000+00:00", "time-modified": "2022-02-17T09:59:16.127000+00:00" },
{ "archival-state": null, "etag": "9baffa75-7471-474c-beae-e7acdbf6f8c2", "md5": "glA7VIxzcjgeelgAtVz9EQ==", "name": "file1", "size": 4, "storage-tier": "Standard", "time-created": "2022-02-17T10:07:27.980000+00:00", "time-modified": "2022-02-17T10:07:27.980000+00:00" },
{ "archival-state": null, "etag": "63c6145e-6c60-4301-a0b8-bbdc4460c7a2", "md5": "10mhYMkk6nVRmZkF6Hciqg==", "name": "file2", "size": 4, "storage-tier": "Standard", "time-created": "2022-02-17T10:18:06.952000+00:00", "time-modified": "2022-02-22T14:42:01.526000+00:00" },
{ "archival-state": null, "etag": "5a5b6e89-71bc-4657-aa7e-9208d7f480b8", "md5": "glA7VIxzcjgeelgAtVz9EQ==", "name": "file4", "size": 4, "storage-tier": "Standard", "time-created": "2022-02-17T10:39:24.191000+00:00", "time-modified": "2022-02-17T10:39:24.191000+00:00" },
{ "archival-state": null, "etag": "3bfde951-a8d6-4265-a536-0b96ae1352f4", "md5": "10mhYMkk6nVRmZkF6Hciqg==", "name": "file5", "size": 4, "storage-tier": "Standard", "time-created": "2022-02-17T10:50:45.926000+00:00", "time-modified": "2022-02-17T10:52:00.926000+00:00" },
{ "archival-state": null, "etag": "be8966dd-e7d2-4ccd-a057-a276f97c61d5", "md5": "10mhYMkk6nVRmZkF6Hciqg==", "name": "file8", "size": 4, "storage-tier": "Standard", "time-created": "2022-02-17T10:59:34.711000+00:00", "time-modified": "2022-02-17T10:59:34.711000+00:00" }
],
"prefixes": []
}
Here I'm getting the error while trying to import image from bucket
[opc@fvass-dev1-fra ~]$ oci compute image import \
from-object --auth instance_principal \
--compartment-id "ocid1.compartment.oc1..aaaaaaaawrkzz3hmmifq65xo6zx7impepmtoekwqyhzzc7dctzmxn75gyjnq" \
--display-name myimage \
--launch-mode PARAVIRTUALIZED \
--namespace orasenatdpltintegration03 \
--bucket-name bucket1 \
--name cus-img \
--source-image-type VMDK
ServiceError:
{
"code": "InvalidParameter",
"message": "Invalid objectName: Specified object or bucket or namespace to import image from does not exist. Please visit https://docs.oracle.com/en-us/iaas/Content/API/References/apierrors.htm to learn more about this error code",
"opc-request-id": "F69213F22369459CA0FAD7685F00DE1D/9035F040B4563EB9D9B7E49276806A0D/157A1D0FE96731D7E46450A1B78FD481",
"status": 400
}
And here I'm able to create a cust image but from a Compute, not from a bucket import
[opc@fvass-dev1-fra ~]$ oci compute image create --auth instance_principal \
--compartment-id "ocid1.compartment.oc1..aaaaaaaawrkzz3hmmifq65xo6zx7impepmtoekwqyhzzc7dctzmxn75gyjnq" \
--display-name myimage \
--instance-id ocid1.instance.oc1.eu-frankfurt-1.antheljrwe6j4fqciyr7z57z2cfdy2oxklqgk5zzcm7mevkdyssffyk342ga
{
"data": {
"agent-features": null,
"base-image-id": "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaazvpglpbyifadkympzsz2655vbgburotz7srfpc66vm4tzqr7mpzq",
"billable-size-in-gbs": null,
"compartment-id": "ocid1.compartment.oc1..aaaaaaaawrkzz3hmmifq65xo6zx7impepmtoekwqyhzzc7dctzmxn75gyjnq",
"create-image-allowed": true,
"defined-tags": { "Oracle-Tags": { "CreatedBy": "ocid1.instance.oc1.eu-frankfurt-1.antheljrwe6j4fqcb3oz7eexjvw7bybgix3kskawwgehspal4ib7bxoinmka", "CreatedOn": "2022-02-28T18:40:13.690Z" } },
"display-name": "myimage",
"freeform-tags": {},
"id": "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaafv3y3pwm4h6ybm3gayif7kvi2olzoszqf4bycawjizzh7chtpvra",
"launch-mode": "NATIVE",
"launch-options": { "boot-volume-type": "PARAVIRTUALIZED", "firmware": "UEFI_64", "is-consistent-volume-naming-enabled": true, "is-pv-encryption-in-transit-enabled": true, "network-type": "VFIO", "remote-data-volume-type": "PARAVIRTUALIZED" },
"lifecycle-state": "PROVISIONING",
"listing-type": null,
"operating-system": "Oracle Linux",
"operating-system-version": "8",
"size-in-mbs": null,
"time-created": "2022-02-28T18:40:14.043000+00:00"
},
"etag": "ac3b853cafaed0403f138bb6e2f1412917b5194cee466e0e098071e890573353",
"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.eu-frankfurt-1.abtheljr75jukwl723b6sfxhdzw5v7ppxpjvjdyt4wswt6scza774o5wsgaa"
}
Thanks a lot. As well I raised this issue: https://github.com/oracle/oci-python-sdk/issues/438
We have identified an issue with API and we will fix the API in future release.
For now, please follow this as a workaround.
Workaround is to split SDK or CLI call into 2 commands:
- Get a pre-authenticated request for the image file you want to import from object storage
- Use the pre-authenticated request in the "oci compute image import" call, rather than trying to reference the image file in object storage directly
https://docs.oracle.com/en-us/iaas/tools/oci-cli/2.17.0/oci_cli_docs/cmdref/compute/image/import/from-object-uri.html
https://docs.oracle.com/en-us/iaas/tools/oci-cli/2.17.0/oci_cli_docs/cmdref/os/preauth-request/create.html
oci os preauth-request create --namespace <object_storage_namespace> --bucket-name <bucket_name> --name MyObjectReadPAR --access-type ObjectRead --object-name <object_name> --time-expires <expiry_timestamp>
# For import command, you use from-object-uri instead of from-object
oci compute image import from-object-uri --uri <your URI from the above command> --auth instance_principal --compartment-id <compartment_ocid>
Hi, we implemented the WA provided using the OCI Python SDK and it's working. It should work with OCI CLI as well. Basically we generate a PAR for the object and we use that PAR instead of object URI to import the image. Thanks.
HI,
Basically, to the access_uri returned by PAR creation: oci.object_storage.ObjectStorageClient(config={}).create_preauthenticated_request() you need to add the endpoint of the bucket. You can get this from: oci.object_storage.ObjectStorageClient(config={}).obj_client.base_client.endpoint
and when you call create_image from oci.core.ComputeClient you pass this endpoint + access_uri to source_uri argument as below:
create_img_response = oci.core.ComputeClient(config={}).create_image(
    create_image_details=oci.core.models.CreateImageDetails(
        display_name=...,
        compartment_id=v_comp_id,
        launch_mode="NATIVE",
        image_source_details=oci.core.models.ImageSourceViaObjectStorageUriDetails(
            source_image_type="VMDK",
            source_uri=v_endpoint + v_uri,
            source_type="objectStorageUri")))
I hope that helped.
On Fri, Jun 24, 2022 at 9:30 PM Matthew Hopper @.***> wrote:
I ran into this issue today. When you are creating the PAR it lists data attributes, one of which is "access-uri" "/p/RnAP-xxxxx" How do I use the PAR "instead" of object URI? Could you demo the PAR generation command and then the subsequent oci compute image import command to include the PAR? Thanks very much.
Yes it helped very much thanks!
Closing this ticket as a resolution has been found based on the comments above. Please feel free to reopen the ticket in case of a problem.
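Added example, not from the original thread or Oracle's tooling: a Python helper that joins the Object Storage endpoint and the PAR "access-uri" into the value passed to `--uri` / `source_uri`, rejects a PAR that is broader or longer-lived than the import needs, and masks the PAR token for logs. The sample PAR record, its token and namespace, and the 24-hour lifetime cap are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed local policy for this example, not an OCI-imposed limit.
MAX_PAR_LIFETIME = timedelta(hours=24)

# Constructed sample of the "data" object printed by
# `oci os preauth-request create` (token and namespace are made up).
SAMPLE_PAR = {
    "access-type": "ObjectRead",
    "access-uri": "/p/CONSTRUCTED-TOKEN/n/examplens/b/bucket1/o/cust-img",
    "object-name": "cust-img",
    "time-expires": "2022-06-25T12:00:00+00:00",
}
ENDPOINT = "https://objectstorage.eu-frankfurt-1.oraclecloud.com"


def build_import_uri(endpoint, par, now=None):
    """Return endpoint + access-uri, the value for --uri / source_uri."""
    now = now or datetime.now(timezone.utc)
    # A PAR is a bearer URL: accept only read access to one named object.
    if par.get("access-type") != "ObjectRead" or not par.get("object-name"):
        raise ValueError("PAR must be ObjectRead on a single object")
    expires = datetime.fromisoformat(par["time-expires"])
    if expires <= now:
        raise ValueError("PAR has already expired")
    if expires - now > MAX_PAR_LIFETIME:
        raise ValueError("PAR lifetime exceeds the allowed window")
    host = urlsplit(endpoint)
    if host.scheme != "https" or not host.netloc:
        raise ValueError("endpoint must be an https URL")
    if not par["access-uri"].startswith("/p/"):
        raise ValueError("unexpected access-uri format")
    return f"https://{host.netloc}{par['access-uri']}"


def redact(uri):
    """Mask the PAR token (path segment after /p/) before logging the URI."""
    parts = urlsplit(uri)
    segments = parts.path.split("/")
    if len(segments) > 2 and segments[1] == "p":
        segments[2] = "<redacted>"
    return f"{parts.scheme}://{parts.netloc}{'/'.join(segments)}"


if __name__ == "__main__":
    now = datetime(2022, 6, 25, 10, 0, tzinfo=timezone.utc)
    print(redact(build_import_uri(ENDPOINT, SAMPLE_PAR, now)))
```

Anyone holding the full URI can read the object until the PAR expires, so log only the redacted form and delete the PAR once the image import has finished.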