Gitea container register ask auth for all users except Administrators on public registry #11235

Closed
opened 2025-11-02 09:31:40 -06:00 by GiteaMirror · 13 comments
Owner

Originally created by @PavelMXFox on GitHub (Jul 16, 2023).

Description

Gitea on mysql says "Unauthorized" on docker image pull req for all users, except Administrators in puplic orgs.
This begins after update on latest-release 1.19. I tried to update on 1.20 and 1.21-dev and has the same situation.

Test cases:

  1. I has logged in docker registry by docker login under my account with Admistrator flag - docker pull OK
  2. I has logged in docker registry under generic user, that Owner of organization - docker pull failed.
  3. I granted this user Administrator flag - docker pull OK
  4. I logged out with docker logout - docker pull OK.
gitea                 | 2023/07/16 17:35:51 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 188.124.55.73:0, 401 Unauthorized in 0.5ms @ container/container.go:118(container.ReqContainerAccess)
gitea                 | 2023/07/16 17:35:52 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?account=xxxx_importer&scope=repository%3Amxfox%2Fchimera-mk2-core%3Apull&service=container_registry for 188.124.55.73:0, 200 OK in 418.1ms @ container/container.go:142(container.Authenticate)
gitea                 | 2023/07/16 17:35:52 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/mxfox/chimera-mk2-core/manifests/testing for 188.124.55.73:0, 401 Unauthorized in 24.8ms @ packages/api.go:44(packages.reqPackageAccess)
gitea                 | 2023/07/16 17:35:52 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/mxfox/chimera-mk2-core/manifests/testing for 188.124.55.73:0, 401 Unauthorized in 30.0ms @ packages/api.go:44(packages.reqPackageAccess)

Gitea Version

1.21.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Debian 1.15 in docker

How are you running Gitea?

In docker using mysql DB

Database

MySQL

Originally created by @PavelMXFox on GitHub (Jul 16, 2023). ### Description Gitea on mysql says "Unauthorized" on docker image pull req for all users, except Administrators in puplic orgs. This begins after update on latest-release 1.19. I tried to update on 1.20 and 1.21-dev and has the same situation. Test cases: 1. I has logged in docker registry by `docker login` under my account with Admistrator flag - docker pull OK 2. I has logged in docker registry under generic user, that Owner of organization - docker pull failed. 3. I granted this user Administrator flag - docker pull OK 4. I logged out with `docker logout` - docker pull OK. ``` gitea | 2023/07/16 17:35:51 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 188.124.55.73:0, 401 Unauthorized in 0.5ms @ container/container.go:118(container.ReqContainerAccess) gitea | 2023/07/16 17:35:52 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?account=xxxx_importer&scope=repository%3Amxfox%2Fchimera-mk2-core%3Apull&service=container_registry for 188.124.55.73:0, 200 OK in 418.1ms @ container/container.go:142(container.Authenticate) gitea | 2023/07/16 17:35:52 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/mxfox/chimera-mk2-core/manifests/testing for 188.124.55.73:0, 401 Unauthorized in 24.8ms @ packages/api.go:44(packages.reqPackageAccess) gitea | 2023/07/16 17:35:52 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/mxfox/chimera-mk2-core/manifests/testing for 188.124.55.73:0, 401 Unauthorized in 30.0ms @ packages/api.go:44(packages.reqPackageAccess) ``` ### Gitea Version 1.21.0 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System Debian 1.15 in docker ### How are you running Gitea? In docker using mysql DB ### Database MySQL
GiteaMirror added the topic/packagesissue/needs-feedback labels 2025-11-02 09:31:40 -06:00
Author
Owner

@KN4CK3R commented on GitHub (Jul 17, 2023):

Are you sure that's not fixed by https://github.com/go-gitea/gitea/pull/25707?

@KN4CK3R commented on GitHub (Jul 17, 2023): Are you sure that's not fixed by https://github.com/go-gitea/gitea/pull/25707?
Author
Owner

@PavelMXFox commented on GitHub (Jul 17, 2023):

I'm using latest gitea docker image gitea/gitea:1.21.0-dev (checked for image updated just now) and problem not solved on it. I can check another image if it needed.

@PavelMXFox commented on GitHub (Jul 17, 2023): I'm using latest gitea docker image `gitea/gitea:1.21.0-dev` (checked for image updated just now) and problem not solved on it. I can check another image if it needed.
Author
Owner

@PavelMXFox commented on GitHub (Jul 27, 2023):

Hi! I checked now at version of docker image gitea/gitea:1.21.0-dev and problem not solved. If i don't use auth - i can pull image. If I authorized with any user, except global admin - i can't pull image.

@PavelMXFox commented on GitHub (Jul 27, 2023): Hi! I checked now at version of docker image `gitea/gitea:1.21.0-dev` and problem not solved. If i don't use auth - i can pull image. If I authorized with any user, except global admin - i can't pull image.
Author
Owner

@roop90 commented on GitHub (Aug 4, 2023):

Hi all,

I'd like to extend this. I'm no longer able to pull any image without logging in.
It's a public organization. Images are pushed by an Admin.

In 1.19.x I was able to just pull the images.

Greetings, roop

@roop90 commented on GitHub (Aug 4, 2023): Hi all, I'd like to extend this. I'm no longer able to pull any image without logging in. It's a public organization. Images are pushed by an Admin. In 1.19.x I was able to just pull the images. Greetings, roop
Author
Owner

@KN4CK3R commented on GitHub (Aug 4, 2023):

@roop90 Is your instance public? There are access tests and it's hard to believe that downloads are not working if the package owner is public.

@KN4CK3R commented on GitHub (Aug 4, 2023): @roop90 Is your instance public? There are access tests and it's hard to believe that downloads are not working if the package owner is public.
Author
Owner

@roop90 commented on GitHub (Aug 4, 2023):

@KN4CK3R please ignore my comment. It's probably on my end.
Just tested it on different machines where it works as expected.

Sorry about that 🙁

@roop90 commented on GitHub (Aug 4, 2023): @KN4CK3R please ignore my comment. It's probably on my end. Just tested it on different machines where it works as expected. Sorry about that 🙁
Author
Owner

@PavelMXFox commented on GitHub (Aug 4, 2023):

Hi all! On my instance i can pull any public images with unauthorized user, but if i log in with any user, except global instance admin - i don't able to pull any public images.

@PavelMXFox commented on GitHub (Aug 4, 2023): Hi all! On my instance i can pull any public images with unauthorized user, but if i log in with any user, except global instance admin - i don't able to pull any public images.
Author
Owner

@KN4CK3R commented on GitHub (Aug 4, 2023):

Still can't reproduce your problem. Uploading as admin to a public org works. After that every user, admin, owner, member, anonymous can pull that image.

@KN4CK3R commented on GitHub (Aug 4, 2023): Still can't reproduce your problem. Uploading as admin to a public org works. After that every user, admin, owner, member, anonymous can pull that image.
Author
Owner

@PavelMXFox commented on GitHub (Aug 4, 2023):

How i can help you to reproduce this? May be on my instance?

@PavelMXFox commented on GitHub (Aug 4, 2023): How i can help you to reproduce this? May be on my instance?
Author
Owner

@MTRNord commented on GitHub (Aug 10, 2023):

Hi,

I think I am hitting this now at codeberg.org which is running the forgejo fork in 1.20 version since today. Any pull there fails with an error. This seems to also affect the helm packages via oci for me.

First I noticed it with the helm chart:

➜  kubernetes helm pull oci://codeberg.org/forgejo-contrib/forgejo --version 0.10.1 --debug  
DEBU[0000] resolving                                     host=codeberg.org
DEBU[0000] do request                                    host=codeberg.org request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=Helm/3.11 request.method=HEAD url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1"
DEBU[0000] fetch response received                       host=codeberg.org response.header.content-length=50 response.header.content-security-policy-report-only="default-src data: 'self' https://*.codeberg.org https://codeberg.org; script-src 'self' https://*.codeberg.org https://codeberg.org; style-src data: 'self' 'unsafe-inline' https://*.codeberg.org https://codeberg.org; img-src *; media-src *; object-src 'none'" response.header.content-type=application/json response.header.date="Thu, 10 Aug 2023 18:31:49 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.permissions-policy="interest-cohort=()" response.header.strict-transport-security="max-age=63072000; includeSubDomains; preload" response.header.www-authenticate="Bearer realm=\"https://codeberg.org/v2/token\",service=\"container_registry\",scope=\"*\"" response.header.x-content-type-options=nosniff response.header.x-frame-options=sameorigin response.status="401 Unauthorized" url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1"
DEBU[0000] Unauthorized                                  header="Bearer realm=\"https://codeberg.org/v2/token\",service=\"container_registry\",scope=\"*\"" host=codeberg.org
DEBU[0000] do request                                    host=codeberg.org request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=Helm/3.11 request.method=HEAD url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1"
DEBU[0000] fetch response received                       host=codeberg.org response.header.content-length=54 response.header.content-security-policy-report-only="default-src data: 'self' https://*.codeberg.org https://codeberg.org; script-src 'self' https://*.codeberg.org https://codeberg.org; style-src data: 'self' 'unsafe-inline' https://*.codeberg.org https://codeberg.org; img-src *; media-src *; object-src 'none'" response.header.content-type=application/json response.header.date="Thu, 10 Aug 2023 18:31:49 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.permissions-policy="interest-cohort=()" response.header.strict-transport-security="max-age=63072000; includeSubDomains; preload" response.header.x-content-type-options=nosniff response.header.x-frame-options=sameorigin response.status="404 Not Found" url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1"
INFO[0000] trying next host - response was http.StatusNotFound  host=codeberg.org
Error: codeberg.org/forgejo-contrib/forgejo:0.10.1: not found
helm.go:84: [debug] codeberg.org/forgejo-contrib/forgejo:0.10.1: not found

and then with the docker images:

➜  kubernetes crictl pull codeberg.org/forgejo/forgejo:1.20.2-0
E0810 21:12:04.335810 1993953 remote_image.go:171] "PullImage from image service failed" err="rpc error: code = Unknown desc = reading manifest 1.20.2-0 in codeberg.org/forgejo/forgejo: manifest unknown" image="codeberg.org/forgejo/forgejo:1.20.2-0"
FATA[0000] pulling image: rpc error: code = Unknown desc = reading manifest 1.20.2-0 in codeberg.org/forgejo/forgejo: manifest unknown

I am able to reproduce this with any image on codeberg and from any server. So a network fault on my side is unlikely, I think.

@MTRNord commented on GitHub (Aug 10, 2023): Hi, I think I am hitting this now at codeberg.org which is running the forgejo fork in 1.20 version since today. Any pull there fails with an error. This seems to also affect the helm packages via oci for me. First I noticed it with the helm chart: ``` ➜ kubernetes helm pull oci://codeberg.org/forgejo-contrib/forgejo --version 0.10.1 --debug DEBU[0000] resolving host=codeberg.org DEBU[0000] do request host=codeberg.org request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=Helm/3.11 request.method=HEAD url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1" DEBU[0000] fetch response received host=codeberg.org response.header.content-length=50 response.header.content-security-policy-report-only="default-src data: 'self' https://*.codeberg.org https://codeberg.org; script-src 'self' https://*.codeberg.org https://codeberg.org; style-src data: 'self' 'unsafe-inline' https://*.codeberg.org https://codeberg.org; img-src *; media-src *; object-src 'none'" response.header.content-type=application/json response.header.date="Thu, 10 Aug 2023 18:31:49 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.permissions-policy="interest-cohort=()" response.header.strict-transport-security="max-age=63072000; includeSubDomains; preload" response.header.www-authenticate="Bearer realm=\"https://codeberg.org/v2/token\",service=\"container_registry\",scope=\"*\"" response.header.x-content-type-options=nosniff response.header.x-frame-options=sameorigin response.status="401 Unauthorized" url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1" DEBU[0000] Unauthorized header="Bearer realm=\"https://codeberg.org/v2/token\",service=\"container_registry\",scope=\"*\"" host=codeberg.org DEBU[0000] do request host=codeberg.org request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=Helm/3.11 request.method=HEAD url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1" DEBU[0000] fetch response received host=codeberg.org response.header.content-length=54 response.header.content-security-policy-report-only="default-src data: 'self' https://*.codeberg.org https://codeberg.org; script-src 'self' https://*.codeberg.org https://codeberg.org; style-src data: 'self' 'unsafe-inline' https://*.codeberg.org https://codeberg.org; img-src *; media-src *; object-src 'none'" response.header.content-type=application/json response.header.date="Thu, 10 Aug 2023 18:31:49 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.permissions-policy="interest-cohort=()" response.header.strict-transport-security="max-age=63072000; includeSubDomains; preload" response.header.x-content-type-options=nosniff response.header.x-frame-options=sameorigin response.status="404 Not Found" url="https://codeberg.org/v2/forgejo-contrib/forgejo/manifests/0.10.1" INFO[0000] trying next host - response was http.StatusNotFound host=codeberg.org Error: codeberg.org/forgejo-contrib/forgejo:0.10.1: not found helm.go:84: [debug] codeberg.org/forgejo-contrib/forgejo:0.10.1: not found ``` and then with the docker images: ``` ➜ kubernetes crictl pull codeberg.org/forgejo/forgejo:1.20.2-0 E0810 21:12:04.335810 1993953 remote_image.go:171] "PullImage from image service failed" err="rpc error: code = Unknown desc = reading manifest 1.20.2-0 in codeberg.org/forgejo/forgejo: manifest unknown" image="codeberg.org/forgejo/forgejo:1.20.2-0" FATA[0000] pulling image: rpc error: code = Unknown desc = reading manifest 1.20.2-0 in codeberg.org/forgejo/forgejo: manifest unknown ``` I am able to reproduce this with any image on codeberg and from any server. So a network fault on my side is unlikely, I think.
Author
Owner

@earl-warren commented on GitHub (Aug 10, 2023):

That should be resolved now @MTRNord, packages were disabled for a few hours.

@earl-warren commented on GitHub (Aug 10, 2023): That should be resolved now @MTRNord, packages were disabled for a few hours.
Author
Owner

@MTRNord commented on GitHub (Aug 10, 2023):

That should be resolved now @MTRNord, packages were disabled for a few hours.

It is! thanks. Seems like that was indeed the issue

@MTRNord commented on GitHub (Aug 10, 2023): > That should be resolved now @MTRNord, packages were disabled for a few hours. It is! thanks. Seems like that was indeed the issue
Author
Owner

@GiteaBot commented on GitHub (Sep 10, 2023):

We close issues that need feedback from the author if there were no new comments for a month. 🍵

@GiteaBot commented on GitHub (Sep 10, 2023): We close issues that need feedback from the author if there were no new comments for a month. :tea:
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#11235