Gitea: Internal error retrieve protected branches information failed: EOF #3992

New Issue

Closed

opened 2025-11-02 05:33:10 -06:00 by GiteaMirror · 31 comments

GiteaMirror commented 2025-11-02 05:33:10 -06:00

Owner

Copy Link

Originally created by @randyesq on GitHub (Sep 20, 2019).

• Gitea version (or commit ref): 1.7
• Git version: 2.16.4
• Operating system: Gitea Docker Image deployed on Kubernetes
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

We are hitting the following error very frequently when pushing from our local git repository to Gitea. Gitea is running in its docker image in Kubernetes.

From the local system pushing the branch:

slice-sms01-nmn:~/mfisch/config-management # git push origin master
--
Username for 'https://api-gw-service-nmn.local': crayvcs
Password for 'https://vcs@api-gw-service-nmn.local':
Counting objects: 18, done.
Delta compression using up to 16 threads.
Compressing objects: 100% (14/14), done.
Writing objects: 100% (18/18), 2.10 KiB \| 2.10 MiB/s, done.
Total 18 (delta 3), reused 0 (delta 0)
remote: Gitea: Internal error
remote: retrieve protected branches information failed: EOF
To https://api-gw-service-nmn.local/vcs/config-management.git
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'https://api-gw-service-nmn.local/vcs/config-management.git'

The gitea server logs running in the pod show the following:

2019/09/14 20:53:52 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/vcs/cme-premium/1.0.0
2019/09/14 20:53:55 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/master
2019/09/20 02:44:36 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/mfisch
2019/09/20 02:44:36 [...io/gitea/cmd/hook.go:109 runHookPreReceive()] [F] retrieve protected branches information failed: EOF
2019/09/20 02:48:32 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/mfisch
2019/09/20 02:48:32 [...io/gitea/cmd/hook.go:109 runHookPreReceive()] [F] retrieve protected branches information failed: EOF

Here is our app.ini:

; This file lists the default values used by Gitea
; Copy required sections to your own app.ini (default is custom/conf/app.ini)
; and modify as needed.

; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.

; App name that shows in every page title
APP_NAME = VCS
; Change it if you run locally
RUN_USER = git
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod

[repository]
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = false

[repository.upload]
; Whether repository file uploads are enabled. Defaults to `true`
ENABLED = true
; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
TEMP_PATH = data/tmp/uploads
; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
ALLOWED_TYPES =
; Max size of each file in megabytes. Defaults to 3MB
FILE_MAX_SIZE = 3
; Max number of files per upload. Defaults to 5
MAX_FILES = 5

[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = http
DOMAIN = api-gw-service-nmn.local
; ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
ROOT_URL = https://%(DOMAIN)s/vcs/
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
; In most cases you do not need to change the default value.
; Alter it only if your SSH server node is not the same as HTTP node.
; Do not set this variable if PROTOCOL is set to 'unix'.
LOCAL_ROOT_URL = http://localhost:3000/
; Disable SSH feature when not available
DISABLE_SSH = true
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = false
; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
SSH_CREATE_AUTHORIZED_KEYS_FILE = false
; Disable CDN even in "prod" mode
OFFLINE_MODE = true
DISABLE_ROUTER_LOG = false
; Default path for App data
APP_DATA_PATH = data
; Application level GZIP support
ENABLE_GZIP = false
; Application profiling (memory and cpu)
; For "web" command it listens on localhost:6060
; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)_<username>_<temporary id>
ENABLE_PPROF = false
; PPROF_DATA_PATH, use an absolute path when you start gitea as service
PPROF_DATA_PATH = data/tmp/pprof
; Enables git-lfs support. true or false, default is false.
LFS_START_SERVER = false
; Where your lfs files reside, default is data/lfs.
LFS_CONTENT_PATH = data/lfs
; LFS authentication secret, change this yourself
LFS_JWT_SECRET =
; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
LFS_HTTP_AUTH_EXPIRY = 20m

[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = postgres
HOST = vcs-database
NAME = gitea
USER = <redacted>
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = `<redacted>`
; For Postgres, either "disable" (default), "require", or "verify-full"
; For MySQL, either "false" (default), "true", or "skip-verify"
SSL_MODE = disable
; Show the database generated SQL
LOG_SQL = true

[admin]
; Disallow regular (non-admin) users from creating organizations.
DISABLE_REGULAR_ORG_CREATION = false

[security]
; Whether the installer is disabled
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = <redacted>

[service]
; Whether a new user needs to confirm their email when registering.
REGISTER_EMAIL_CONFIRM = false
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = true
; Each new user will get the value of this setting copied into their profile
DEFAULT_KEEP_EMAIL_PRIVATE = true
; Default value for AllowCreateOrganization
; Every new user will have rights set to create organizations depending on this setting
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
; Default value for EnableDependencies
; Repositories will use dependencies by default depending on this setting
DEFAULT_ENABLE_DEPENDENCIES = true
; Enable heatmap on users profiles.
ENABLE_USER_HEATMAP = false
; Show Registration button
SHOW_REGISTRATION_BUTTON = false

[mailer]
ENABLED = false

[cache]
; Either "memory", "redis", or "memcache", default is "memory"
ADAPTER = memory

[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = memory

[picture]
; This value will always be true in offline mode.
DISABLE_GRAVATAR = true


[log]
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
MODE = console
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Trace
REDIRECT_MACARON_LOG = false

; For "console" mode only
[log.console]
LEVEL = Trace

[other]
; Show template execution time in the footer
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

The only thing that can be done to unwedge this is to restart the pod running the gitea server. It appears as though the problem only happens when gitea is first deployed. After restarting the pod, we never see this issue again.

Possibly important is that we do not setup SSH at all, only https. The push failures occurs after cloning the repository using https, and pushing back using https.

Originally created by @randyesq on GitHub (Sep 20, 2019). <!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue --> <!-- 1. Please speak English, this is the language all maintainers can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/gitea) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.7 - Git version: 2.16.4 - Operating system: Gitea Docker Image deployed on Kubernetes - Database (use `[x]`): - [x] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description We are hitting the following error very frequently when pushing from our local git repository to Gitea. Gitea is running in its docker image in Kubernetes. From the local system pushing the branch: ``` slice-sms01-nmn:~/mfisch/config-management # git push origin master -- Username for 'https://api-gw-service-nmn.local': crayvcs Password for 'https://vcs@api-gw-service-nmn.local': Counting objects: 18, done. Delta compression using up to 16 threads. Compressing objects: 100% (14/14), done. Writing objects: 100% (18/18), 2.10 KiB \| 2.10 MiB/s, done. Total 18 (delta 3), reused 0 (delta 0) remote: Gitea: Internal error remote: retrieve protected branches information failed: EOF To https://api-gw-service-nmn.local/vcs/config-management.git ! [remote rejected] master -> master (pre-receive hook declined) error: failed to push some refs to 'https://api-gw-service-nmn.local/vcs/config-management.git' ``` The gitea server logs running in the pod show the following: ``` 2019/09/14 20:53:52 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/vcs/cme-premium/1.0.0 2019/09/14 20:53:55 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/master 2019/09/20 02:44:36 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/mfisch 2019/09/20 02:44:36 [...io/gitea/cmd/hook.go:109 runHookPreReceive()] [F] retrieve protected branches information failed: EOF 2019/09/20 02:48:32 [T] GetProtectedBranchBy: http://localhost:3000/api/internal/branch/1/mfisch 2019/09/20 02:48:32 [...io/gitea/cmd/hook.go:109 runHookPreReceive()] [F] retrieve protected branches information failed: EOF ``` Here is our app.ini: ``` ; This file lists the default values used by Gitea ; Copy required sections to your own app.ini (default is custom/conf/app.ini) ; and modify as needed. ; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation. ; App name that shows in every page title APP_NAME = VCS ; Change it if you run locally RUN_USER = git ; Either "dev", "prod" or "test", default is "dev" RUN_MODE = prod [repository] ; Disable the ability to interact with repositories using the HTTP protocol DISABLE_HTTP_GIT = false [repository.upload] ; Whether repository file uploads are enabled. Defaults to `true` ENABLED = true ; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart) TEMP_PATH = data/tmp/uploads ; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type ALLOWED_TYPES = ; Max size of each file in megabytes. Defaults to 3MB FILE_MAX_SIZE = 3 ; Max number of files per upload. Defaults to 5 MAX_FILES = 5 [server] ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'. PROTOCOL = http DOMAIN = api-gw-service-nmn.local ; ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ ROOT_URL = https://%(DOMAIN)s/vcs/ ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. HTTP_ADDR = 0.0.0.0 HTTP_PORT = 3000 ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. ; In most cases you do not need to change the default value. ; Alter it only if your SSH server node is not the same as HTTP node. ; Do not set this variable if PROTOCOL is set to 'unix'. LOCAL_ROOT_URL = http://localhost:3000/ ; Disable SSH feature when not available DISABLE_SSH = true ; Whether to use the builtin SSH server or not. START_SSH_SERVER = false ; Gitea will create a authorized_keys file by default when it is not using the internal ssh server ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off. SSH_CREATE_AUTHORIZED_KEYS_FILE = false ; Disable CDN even in "prod" mode OFFLINE_MODE = true DISABLE_ROUTER_LOG = false ; Default path for App data APP_DATA_PATH = data ; Application level GZIP support ENABLE_GZIP = false ; Application profiling (memory and cpu) ; For "web" command it listens on localhost:6060 ; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)_<username>_<temporary id> ENABLE_PPROF = false ; PPROF_DATA_PATH, use an absolute path when you start gitea as service PPROF_DATA_PATH = data/tmp/pprof ; Enables git-lfs support. true or false, default is false. LFS_START_SERVER = false ; Where your lfs files reside, default is data/lfs. LFS_CONTENT_PATH = data/lfs ; LFS authentication secret, change this yourself LFS_JWT_SECRET = ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. LFS_HTTP_AUTH_EXPIRY = 20m [database] ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice DB_TYPE = postgres HOST = vcs-database NAME = gitea USER = <redacted> ; Use PASSWD = `your password` for quoting if you use special characters in the password. PASSWD = `<redacted>` ; For Postgres, either "disable" (default), "require", or "verify-full" ; For MySQL, either "false" (default), "true", or "skip-verify" SSL_MODE = disable ; Show the database generated SQL LOG_SQL = true [admin] ; Disallow regular (non-admin) users from creating organizations. DISABLE_REGULAR_ORG_CREATION = false [security] ; Whether the installer is disabled INSTALL_LOCK = true ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!! SECRET_KEY = <redacted> [service] ; Whether a new user needs to confirm their email when registering. REGISTER_EMAIL_CONFIRM = false ; Disallow registration, only allow admins to create accounts. DISABLE_REGISTRATION = true ; Each new user will get the value of this setting copied into their profile DEFAULT_KEEP_EMAIL_PRIVATE = true ; Default value for AllowCreateOrganization ; Every new user will have rights set to create organizations depending on this setting DEFAULT_ALLOW_CREATE_ORGANIZATION = true ; Default value for EnableDependencies ; Repositories will use dependencies by default depending on this setting DEFAULT_ENABLE_DEPENDENCIES = true ; Enable heatmap on users profiles. ENABLE_USER_HEATMAP = false ; Show Registration button SHOW_REGISTRATION_BUTTON = false [mailer] ENABLED = false [cache] ; Either "memory", "redis", or "memcache", default is "memory" ADAPTER = memory [session] ; Either "memory", "file", or "redis", default is "memory" PROVIDER = memory [picture] ; This value will always be true in offline mode. DISABLE_GRAVATAR = true [log] ; Either "console", "file", "conn", "smtp" or "database", default is "console" ; Use comma to separate multiple modes, e.g. "console, file" MODE = console ; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace" LEVEL = Trace REDIRECT_MACARON_LOG = false ; For "console" mode only [log.console] LEVEL = Trace [other] ; Show template execution time in the footer SHOW_FOOTER_TEMPLATE_LOAD_TIME = false ``` The only thing that can be done to unwedge this is to restart the pod running the gitea server. It appears as though the problem only happens when gitea is first deployed. After restarting the pod, we never see this issue again. Possibly important is that we do not setup SSH at all, only https. The push failures occurs after cloning the repository using https, and pushing back using https.

GiteaMirror added the issue/staleissue/needs-feedback labels 2025-11-02 05:33:10 -06:00

GiteaMirror closed this issue 2025-11-02 05:33:11 -06:00

GiteaMirror commented 2025-11-02 05:33:11 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Sep 20, 2019):

Note that our LOCAL_ROOT_URL is hard-coded to http://localhost:3000/ as was suggested in #3226, #1685, #2270, and #7630. The restart seems to be working for others with different problems that have a similar error signature (#2851).

@randyesq commented on GitHub (Sep 20, 2019): Note that our `LOCAL_ROOT_URL` is hard-coded to `http://localhost:3000/` as was suggested in #3226, #1685, #2270, and #7630. The restart seems to be working for others with different problems that have a similar error signature (#2851).

GiteaMirror commented 2025-11-02 05:33:12 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Sep 20, 2019):

I also have run the admin Maintenance Operations task titled "Resynchronize pre-receive, update and post-receive hooks of all repositories." and this did not fix anything.

@randyesq commented on GitHub (Sep 20, 2019): I also have run the admin Maintenance Operations task titled "Resynchronize pre-receive, update and post-receive hooks of all repositories." and this did not fix anything.

GiteaMirror commented 2025-11-02 05:33:12 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Sep 20, 2019):

This may have been fixed in a more recent version of Gitea (we just released 1.9.3). The newer versions also have patched some security vulns that are in 1.7.

1.9 also has improved logging to assist with debugging.

@techknowlogick commented on GitHub (Sep 20, 2019): This may have been fixed in a more recent version of Gitea (we just released 1.9.3). The newer versions also have patched some security vulns that are in 1.7. 1.9 also has improved logging to assist with debugging.

GiteaMirror commented 2025-11-02 05:33:12 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Sep 20, 2019):

@techknowlogick is there something in the diff between 1.7 -> 1.9 that would suggest this would be fixed? From most of the issues that I referred to, it didn't seem like it was understood why this was even happening in the first place.

@randyesq commented on GitHub (Sep 20, 2019): @techknowlogick is there something in the diff between 1.7 -> 1.9 that would suggest this would be fixed? From most of the issues that I referred to, it didn't seem like it was understood why this was even happening in the first place.

GiteaMirror commented 2025-11-02 05:33:12 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Sep 20, 2019):

Potentially there could be something that has been added as there has been hundreds of PRs since 1.7. It could be a timeout issue with the DB, and we've updated upstream dependencies, it could be an uncaught error that is now handled, it could be many things. We've also significantly refactored working with the underlying git repos which may be a factor. Please see the entire list of changes here: https://github.com/go-gitea/gitea/blob/master/CHANGELOG.md

I recommend updating and to see if this still happens, especially since there are several CVEs in the version you are currently using: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gitea Once you've updated the logging in v1.9.3 is really improved and can give a ton of details about what could be happening.

@techknowlogick commented on GitHub (Sep 20, 2019): Potentially there could be something that has been added as there has been hundreds of PRs since 1.7. It could be a timeout issue with the DB, and we've updated upstream dependencies, it could be an uncaught error that is now handled, it could be many things. We've also significantly refactored working with the underlying git repos which may be a factor. Please see the entire list of changes here: https://github.com/go-gitea/gitea/blob/master/CHANGELOG.md I recommend updating and to see if this still happens, especially since there are several CVEs in the version you are currently using: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gitea Once you've updated the logging in v1.9.3 is really improved and can give a ton of details about what could be happening.

GiteaMirror commented 2025-11-02 05:33:12 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Sep 20, 2019):

Okay, we'll get on with upgrading this on our side and see if anything else comes up.

@randyesq commented on GitHub (Sep 20, 2019): Okay, we'll get on with upgrading this on our side and see if anything else comes up.

GiteaMirror commented 2025-11-02 05:33:13 -06:00

Author

Owner

Copy Link

@devurandom commented on GitHub (Nov 1, 2019):

I also have run the admin Maintenance Operations task titled "Resynchronize pre-receive, update and post-receive hooks of all repositories." and this did not fix anything.

In my case it worked. I also pressed the ".ssh/authorized_keys" button, so maybe that had some effect, too.

@devurandom commented on GitHub (Nov 1, 2019): > I also have run the admin Maintenance Operations task titled "Resynchronize pre-receive, update and post-receive hooks of all repositories." and this did not fix anything. In my case it worked. I also pressed the ".ssh/authorized_keys" button, so maybe that had some effect, too.

GiteaMirror commented 2025-11-02 05:33:13 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 1, 2019):

yeah that would need changing too if you changed the path of the gitea binary.

To be clear Gitea has to write its real full path to:

• gitea-repositories/*.git/hooks/pre-receive.d/gitea
• gitea-repositories/*.git/hooks/update.d/gitea
• gitea-repositories/*.git/hooks/post-receive.d/gitea
• .ssh/authorized_keys (if you are not using the internal SSH or an AuthorizedKeysCommand)

These all have to be updated if you change the path of the Gitea binary.

If you are moving from Gogs you may have to remove any reference to Gogs within the gitea-repositories/*.git/hooks/*.d directories.

It really is simpler not to change the name of the binary.

@zeripath commented on GitHub (Nov 1, 2019): yeah that would need changing too if you changed the path of the gitea binary. To be clear Gitea has to write its real full path to: * `gitea-repositories/*.git/hooks/pre-receive.d/gitea` * `gitea-repositories/*.git/hooks/update.d/gitea` * `gitea-repositories/*.git/hooks/post-receive.d/gitea` * `.ssh/authorized_keys` (if you are not using the internal SSH or an AuthorizedKeysCommand) These all have to be updated if you change the path of the Gitea binary. If you are moving from Gogs you may have to remove any reference to Gogs within the `gitea-repositories/*.git/hooks/*.d` directories. It really is simpler not to change the name of the binary.

GiteaMirror commented 2025-11-02 05:33:13 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 1, 2019):

We encountered this issue in a K8S pod using v1.9.3 today.

@randyesq commented on GitHub (Nov 1, 2019): We encountered this issue in a K8S pod using v1.9.3 today.

GiteaMirror commented 2025-11-02 05:33:13 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 1, 2019):

@randyesq in order to diagnose I need to see what the message underlying that was and what your main Gitea logs show.

The problem here as originally stated cannot happen on 1.9 because those internal endpoints do not exist. I deleted them - (and now constantly regret doing so instead of coming up with an error saying you need to update although I remain uncertain how that helpful that would be as it could only be on the server.)

If your Gitea serv is requesting those end points e.g. /api/internal/branch/1/mfisch then you have got an old version of Gitea running somewhere and you need to do hunt it down.

Otherwise it's a different problem.

@zeripath commented on GitHub (Nov 1, 2019): @randyesq in order to diagnose I need to see what the message underlying that was and what your main Gitea logs show. The problem here as originally stated _cannot_ happen on 1.9 because those internal endpoints do not exist. I deleted them - (and now constantly regret doing so instead of coming up with an error saying you need to update although I remain uncertain how that helpful that would be as it could only be on the server.) If your Gitea serv is requesting those end points e.g. `/api/internal/branch/1/mfisch` then you have got an old version of Gitea running somewhere and you need to do hunt it down. Otherwise it's a different problem.

GiteaMirror commented 2025-11-02 05:33:14 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 2, 2019):

Here is the version of gitea that we are using:

ncn-w001:~/k8s # kubectl exec -it gitea-vcs-5df75f48f7-h8rx7 -n services bash
Defaulting container name to vcs.
Use 'kubectl describe pod/gitea-vcs-5df75f48f7-h8rx7 -n services' to see all of the containers in this pod.
bash-5.0# gitea --version
Gitea version 1.9.3 built with GNU Make 4.2.1, go1.12.9 : bindata, sqlite, sqlite_unlock_notify

Unfortunately, I don't have the server logs because they have rolled over since, but the output from the git client that was trying to force push the branch was:

    Total 12 (delta 2), reused 0 (delta 0)
    remote: Gitea: EOF
    To https://api-gw-service-nmn.local/vcs/cray/config-management.git
     ! [remote rejected] cray/cme-premium/1.1.0 -> cray/cme-premium/1.1.0 (pre-receive hook declined)
    error: failed to push some refs to 'https://api-gw-service-nmn.local/vcs/cray/config-management.git'

@randyesq commented on GitHub (Nov 2, 2019): Here is the version of gitea that we are using: ``` ncn-w001:~/k8s # kubectl exec -it gitea-vcs-5df75f48f7-h8rx7 -n services bash Defaulting container name to vcs. Use 'kubectl describe pod/gitea-vcs-5df75f48f7-h8rx7 -n services' to see all of the containers in this pod. bash-5.0# gitea --version Gitea version 1.9.3 built with GNU Make 4.2.1, go1.12.9 : bindata, sqlite, sqlite_unlock_notify ``` Unfortunately, I don't have the server logs because they have rolled over since, but the output from the git client that was trying to force push the branch was: ``` Total 12 (delta 2), reused 0 (delta 0) remote: Gitea: EOF To https://api-gw-service-nmn.local/vcs/cray/config-management.git ! [remote rejected] cray/cme-premium/1.1.0 -> cray/cme-premium/1.1.0 (pre-receive hook declined) error: failed to push some refs to 'https://api-gw-service-nmn.local/vcs/cray/config-management.git' ```

GiteaMirror commented 2025-11-02 05:33:14 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 2, 2019):

Without those logs we can't tell you anything.

All you can say is that there was a pre-receive decline - that could be because you were force pushing to a protected branch and that was disallowed although the EOF implies that's not.

It could be a bug in /api/internal/hook/pre-receive or it could be that you've got an old Gitea hanging around that's trying to get to the old endpoints.

This last is the most likely so double check there aren't some seriously old Giteas hanging around and:

Ensure that your .SSH/authorized_keys always refers to the correct version of Gitea if there are multiple versions available, and ensure that your hooks are all doing similarly.

If it happens again grab the logs. If you're getting requests to /api/internal/branch then there's an old Gitea around. If not you've found a bug and we need the logs.

@zeripath commented on GitHub (Nov 2, 2019): Without those logs we can't tell you anything. All you can say is that there was a pre-receive decline - that could be because you were force pushing to a protected branch and that was disallowed although the EOF implies that's not. It could be a bug in /api/internal/hook/pre-receive or it could be that you've got an old Gitea hanging around that's trying to get to the old endpoints. This last is the most likely so double check there aren't some seriously old Giteas hanging around and: Ensure that your .SSH/authorized_keys always refers to the correct version of Gitea if there are multiple versions available, and ensure that your hooks are all doing similarly. If it happens again grab the logs. If you're getting requests to /api/internal/branch then there's an old Gitea around. If not you've found a bug and we need the logs.

GiteaMirror commented 2025-11-02 05:33:14 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 4, 2019):

Ensure that your .SSH/authorized_keys always refers to the correct version of Gitea if there are multiple versions available, and ensure that your hooks are all doing similarly.

How do I ensure this?

@randyesq commented on GitHub (Nov 4, 2019): > Ensure that your .SSH/authorized_keys always refers to the correct version of Gitea if there are multiple versions available, and ensure that your hooks are all doing similarly. How do I ensure this?

GiteaMirror commented 2025-11-02 05:33:14 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 4, 2019):

The 2 admin tasks described above rewrite both of these things - however I can imagine a deployment style that would make those not work. It's your deployment - you tell me.

All I can say is to run those tasks, make sure there's not a rogue old version of Gitea in your container(s) or an old container still knocking around, and check those files.

If your Gitea serv is requesting /api/internal/branch that Gitea is not version 1.9 and it's out of date.

Further don't put multiple versions of Gitea in your containers. If you're using a script to wrap Gitea you should run Gitea with exec -a the_name_of_the_script as we use the $0 passed to Gitea as its path when writing hooks and authorized_keys.

@zeripath commented on GitHub (Nov 4, 2019): The 2 admin tasks described above rewrite both of these things - however I can imagine a deployment style that would make those not work. It's your deployment - you tell me. All I can say is to run those tasks, make sure there's not a rogue old version of Gitea in your container(s) or an old container still knocking around, and check those files. If your Gitea serv is requesting /api/internal/branch that Gitea is not version 1.9 and it's out of date. Further don't put multiple versions of Gitea in your containers. If you're using a script to wrap Gitea you should run Gitea with exec -a the_name_of_the_script as we use the $0 passed to Gitea as its path when writing hooks and authorized_keys.

GiteaMirror commented 2025-11-02 05:33:15 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 4, 2019):

Okay thanks, we only have one version of gitea, whatever is in the gitea/1.9.3 docker image from Docker hub, so I don't think it is a version issue.

@randyesq commented on GitHub (Nov 4, 2019): Okay thanks, we only have one version of gitea, whatever is in the gitea/1.9.3 docker image from Docker hub, so I don't think it is a version issue.

GiteaMirror commented 2025-11-02 05:33:15 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Nov 5, 2019):

It seems you have a subpath of your domain setting, maybe it's related. https://api-gw-service-nmn.local/vcs/cray/config-management.git.

@lunny commented on GitHub (Nov 5, 2019): It seems you have a subpath of your domain setting, maybe it's related. `https://api-gw-service-nmn.local/vcs/cray/config-management.git`.

GiteaMirror commented 2025-11-02 05:33:15 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 7, 2019):

Okay, I had this happen today. I am running v1.9.3 and logged in to the web UI, created an org, created a repo (initialized it with the checkbox), and attempted to create a file in the UI. Here is the server log:

[Macaron] 2019-11-07 20:19:31: Started POST /foo/bar/_new/master/ for 10.47.0.0
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "id"=$1 LIMIT 1 []interface {}{1}
2019/11/07 20:19:31 ...s/context/context.go:328:func1() [D] Session ID: 84335f472022f1f8
2019/11/07 20:19:31 ...s/context/context.go:329:func1() [D] CSRF Token: 44JwSeHDqnv5UnglbneRrWs288M6MTU3MzE1Nzg2ODg4NjkxNjc0NA==
2019/11/07 20:19:31 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "notification" WHERE (user_id = $1) AND (status = $2) []interface {}{1, 0x1}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "lower_name"=$1 LIMIT 1 []interface {}{"foo"}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE "owner_id"=$1 AND "lower_name"=$2 LIMIT 1 []interface {}{2, "bar"}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "user_id", "mode" FROM "collaboration" WHERE "repo_id"=$1 AND "user_id"=$2 LIMIT 1 []interface {}{2, 1}
2019/11/07 20:19:31 ...xorm/session_find.go:199:noCacheFind() [I] [SQL] SELECT "id", "repo_id", "type", "config", "created_unix" FROM "repo_unit" WHERE (repo_id = $1) []interface {}{2}
2019/11/07 20:19:31 ...s/repo_permission.go:154:func1() [T] Permission Loaded for 824687817488:crayvcs in 824687817696:foo/bar:
	Permissions: AccessMode: 824687818880:owner, 5 Units, 0 UnitsMode(s): [
	Units[0]: ID: 824687817824 RepoID: 824687818160 Type: 824687818912:UnitTypeCode Config: {}
	Units[1]: ID: 824687818256 RepoID: 824687818352 Type: 824687818944:UnitTypeIssues Config: {"EnableTimetracker":true,"AllowOnlyContributorsToTrackTime":true,"EnableDependencies":true}
	Units[2]: ID: 824687818608 RepoID: 824687818640 Type: 824687818976:UnitTypePullRequests Config: {"IgnoreWhitespaceConflicts":false,"AllowMerge":true,"AllowRebase":true,"AllowRebaseMerge":true,"AllowSquash":true}
	Units[3]: ID: 824687818704 RepoID: 824687818736 Type: 824687819008:UnitTypeReleases Config: {}
	Units[4]: ID: 824687818800 RepoID: 824687818832 Type: 824687819040:UnitTypeWiki Config: {} ]
2019/11/07 20:19:31 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "release" WHERE repo_id=$1 AND is_draft=$2 []interface {}{2, false}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE (owner_id=$1 AND fork_id=$2) LIMIT 1 []interface {}{1, 2}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "user_id", "repo_id" FROM "watch" WHERE "user_id"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "uid", "repo_id" FROM "star" WHERE "uid"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "branch_name", "can_push", "enable_whitelist", "whitelist_user_i_ds", "whitelist_team_i_ds", "enable_merge_whitelist", "merge_whitelist_user_i_ds", "merge_whitelist_team_i_ds", "approvals_whitelist_user_i_ds", "approvals_whitelist_team_i_ds", "required_approvals", "created_unix", "updated_unix" FROM "protected_branch" WHERE "repo_id"=$1 AND "branch_name"=$2 LIMIT 1 []interface {}{2, "master"}
2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "branch_name", "can_push", "enable_whitelist", "whitelist_user_i_ds", "whitelist_team_i_ds", "enable_merge_whitelist", "merge_whitelist_user_i_ds", "merge_whitelist_team_i_ds", "approvals_whitelist_user_i_ds", "approvals_whitelist_team_i_ds", "required_approvals", "created_unix", "updated_unix" FROM "protected_branch" WHERE "repo_id"=$1 AND "branch_name"=$2 LIMIT 1 []interface {}{2, "master"}
[Macaron] 2019-11-07 20:19:31: Started GET / for 127.0.0.1
2019/11/07 20:19:31 ...s/context/context.go:328:func1() [D] Session ID: 9592bbb188ca9a45
2019/11/07 20:19:31 ...s/context/context.go:329:func1() [D] CSRF Token: 21NVKuOMVuEkabb1tuJWO-fXj4M6MTU3MzE1Nzk3MTU2Mjg1ODU1Mg==
2019/11/07 20:19:31 ...s/context/context.go:137:HTML() [D] Template: home
[Macaron] 2019-11-07 20:19:31: Completed GET / 200 OK in 3.384469ms
[Macaron] 2019-11-07 20:19:31: Started GET /api/internal/hook/pre-receive/foo/bar?old=84ae4ffb4f9f503ce796d345a676c800b675aacc&new=db46e075b33bac76664db835e728b2b34384e424&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&gitAlternativeObjectDirectories=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects&gitQuarantinePath=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&prID=0 for 127.0.0.1
2019/11/07 20:19:31 modules/auth/auth.go:97:CheckOAuthAccessToken() [T] ParseOAuth2Token: signature is invalid
2019/11/07 20:19:31 ...s/context/context.go:328:func1() [D] Session ID: 92c404aa8441d573
2019/11/07 20:19:31 ...s/context/context.go:329:func1() [D] CSRF Token: NMoCu5jvTAQNl_nD2qHisrnfQ9I6MTU3MzE1Nzk3MTc5MDgxMzM4MQ==
[Macaron] 2019-11-07 20:19:31: Completed GET /api/internal/hook/pre-receive/foo/bar?old=84ae4ffb4f9f503ce796d345a676c800b675aacc&new=db46e075b33bac76664db835e728b2b34384e424&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&gitAlternativeObjectDirectories=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects&gitQuarantinePath=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&prID=0 403 Forbidden in 911.132µs
2019/11/07 20:19:31 ...s/context/context.go:137:HTML() [D] Template: repo/editor/edit
[Macaron] 2019-11-07 20:19:31: Completed POST /foo/bar/_new/master/ 302 Found in 469.152703ms
2019/11/07 20:19:31 ...c/net/http/server.go:3012:logf() [I] http: superfluous response.WriteHeader call from gopkg.in/macaron%2ev1.(*responseWriter).WriteHeader (response_writer.go:59)
[Macaron] 2019-11-07 20:19:31: Started GET /vendor/plugins/simplemde/simplemde.min.css for 10.47.0.0
[Macaron] [Static] Serving /vendor/plugins/simplemde/simplemde.min.css
[Macaron] 2019-11-07 20:19:31: Completed GET /vendor/plugins/simplemde/simplemde.min.css 200 OK in 734.459µs
[Macaron] 2019-11-07 20:19:31: Started GET /vendor/plugins/highlight/github.css for 10.47.0.0
[Macaron] [Static] Serving /vendor/plugins/highlight/github.css
[Macaron] 2019-11-07 20:19:31: Completed GET /vendor/plugins/highlight/github.css 200 OK in 326.641µs
[Macaron] 2019-11-07 20:19:32: Started GET /vendor/plugins/codemirror/mode/yaml/yaml.js for 10.47.0.0
[Macaron] [Static] Serving /vendor/plugins/codemirror/mode/yaml/yaml.js
[Macaron] 2019-11-07 20:19:32: Completed GET /vendor/plugins/codemirror/mode/yaml/yaml.js 200 OK in 358.95µs
[Macaron] 2019-11-07 20:19:32: Started GET /foo/bar/_new/master/site.yml for 10.47.0.0
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "id"=$1 LIMIT 1 []interface {}{1}
2019/11/07 20:19:32 ...s/context/context.go:328:func1() [D] Session ID: 84335f472022f1f8
2019/11/07 20:19:32 ...s/context/context.go:329:func1() [D] CSRF Token: 44JwSeHDqnv5UnglbneRrWs288M6MTU3MzE1Nzg2ODg4NjkxNjc0NA==
2019/11/07 20:19:32 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "notification" WHERE (user_id = $1) AND (status = $2) []interface {}{1, 0x1}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "lower_name"=$1 LIMIT 1 []interface {}{"foo"}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE "owner_id"=$1 AND "lower_name"=$2 LIMIT 1 []interface {}{2, "bar"}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "user_id", "mode" FROM "collaboration" WHERE "repo_id"=$1 AND "user_id"=$2 LIMIT 1 []interface {}{2, 1}
2019/11/07 20:19:32 ...xorm/session_find.go:199:noCacheFind() [I] [SQL] SELECT "id", "repo_id", "type", "config", "created_unix" FROM "repo_unit" WHERE (repo_id = $1) []interface {}{2}
2019/11/07 20:19:32 ...s/repo_permission.go:154:func1() [T] Permission Loaded for 824707920288:crayvcs in 824707920368:foo/bar:
	Permissions: AccessMode: 824707921584:owner, 5 Units, 0 UnitsMode(s): [
	Units[0]: ID: 824707920560 RepoID: 824707920608 Type: 824707921616:UnitTypeCode Config: {}
	Units[1]: ID: 824707920992 RepoID: 824707921040 Type: 824707921648:UnitTypeIssues Config: {"EnableTimetracker":true,"AllowOnlyContributorsToTrackTime":true,"EnableDependencies":true}
	Units[2]: ID: 824707921136 RepoID: 824707921184 Type: 824707921680:UnitTypePullRequests Config: {"IgnoreWhitespaceConflicts":false,"AllowMerge":true,"AllowRebase":true,"AllowRebaseMerge":true,"AllowSquash":true}
	Units[3]: ID: 824707921344 RepoID: 824707921376 Type: 824707921712:UnitTypeReleases Config: {}
	Units[4]: ID: 824707921440 RepoID: 824707921504 Type: 824707921744:UnitTypeWiki Config: {} ]
2019/11/07 20:19:32 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "release" WHERE repo_id=$1 AND is_draft=$2 []interface {}{2, false}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE (owner_id=$1 AND fork_id=$2) LIMIT 1 []interface {}{1, 2}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "user_id", "repo_id" FROM "watch" WHERE "user_id"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "uid", "repo_id" FROM "star" WHERE "uid"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2}
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "branch_name", "can_push", "enable_whitelist", "whitelist_user_i_ds", "whitelist_team_i_ds", "enable_merge_whitelist", "merge_whitelist_user_i_ds", "merge_whitelist_team_i_ds", "approvals_whitelist_user_i_ds", "approvals_whitelist_team_i_ds", "required_approvals", "created_unix", "updated_unix" FROM "protected_branch" WHERE "repo_id"=$1 AND "branch_name"=$2 LIMIT 1 []interface {}{2, "master"}
2019/11/07 20:19:32 ...s/context/context.go:137:HTML() [D] Template: repo/editor/edit
[Macaron] 2019-11-07 20:19:32: Completed GET /foo/bar/_new/master/site.yml 200 OK in 43.711104ms
[Macaron] 2019-11-07 20:19:32: Started GET /serviceworker.js for 10.47.0.0
2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "id"=$1 LIMIT 1 []interface {}{1}
2019/11/07 20:19:32 ...s/context/context.go:328:func1() [D] Session ID: 84335f472022f1f8
2019/11/07 20:19:32 ...s/context/context.go:329:func1() [D] CSRF Token: 44JwSeHDqnv5UnglbneRrWs288M6MTU3MzE1Nzg2ODg4NjkxNjc0NA==
2019/11/07 20:19:32 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "notification" WHERE (user_id = $1) AND (status = $2) []interface {}{1, 0x1}
[Macaron] 2019-11-07 20:19:32: Completed GET /serviceworker.js 200 OK in 7.783204ms

Looks like

[Macaron] 2019-11-07 20:19:31: Started GET /api/internal/hook/pre-receive/foo/bar?old=84ae4ffb4f9f503ce796d345a676c800b675aacc&new=db46e075b33bac76664db835e728b2b34384e424&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&gitAlternativeObjectDirectories=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects&gitQuarantinePath=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&prID=0 for 127.0.0.1
2019/11/07 20:19:31 modules/auth/auth.go:97:CheckOAuthAccessToken() [T] ParseOAuth2Token: signature is invalid

is the problem area.

Note, the user is created by the gitea admin CLI when gitea is brought up.

@randyesq commented on GitHub (Nov 7, 2019): Okay, I had this happen today. I am running v1.9.3 and logged in to the web UI, created an org, created a repo (initialized it with the checkbox), and attempted to create a file in the UI. Here is the server log: ``` [Macaron] 2019-11-07 20:19:31: Started POST /foo/bar/_new/master/ for 10.47.0.0 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "id"=$1 LIMIT 1 []interface {}{1} 2019/11/07 20:19:31 ...s/context/context.go:328:func1() [D] Session ID: 84335f472022f1f8 2019/11/07 20:19:31 ...s/context/context.go:329:func1() [D] CSRF Token: 44JwSeHDqnv5UnglbneRrWs288M6MTU3MzE1Nzg2ODg4NjkxNjc0NA== 2019/11/07 20:19:31 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "notification" WHERE (user_id = $1) AND (status = $2) []interface {}{1, 0x1} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "lower_name"=$1 LIMIT 1 []interface {}{"foo"} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE "owner_id"=$1 AND "lower_name"=$2 LIMIT 1 []interface {}{2, "bar"} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "user_id", "mode" FROM "collaboration" WHERE "repo_id"=$1 AND "user_id"=$2 LIMIT 1 []interface {}{2, 1} 2019/11/07 20:19:31 ...xorm/session_find.go:199:noCacheFind() [I] [SQL] SELECT "id", "repo_id", "type", "config", "created_unix" FROM "repo_unit" WHERE (repo_id = $1) []interface {}{2} 2019/11/07 20:19:31 ...s/repo_permission.go:154:func1() [T] Permission Loaded for 824687817488:crayvcs in 824687817696:foo/bar: Permissions: AccessMode: 824687818880:owner, 5 Units, 0 UnitsMode(s): [ Units[0]: ID: 824687817824 RepoID: 824687818160 Type: 824687818912:UnitTypeCode Config: {} Units[1]: ID: 824687818256 RepoID: 824687818352 Type: 824687818944:UnitTypeIssues Config: {"EnableTimetracker":true,"AllowOnlyContributorsToTrackTime":true,"EnableDependencies":true} Units[2]: ID: 824687818608 RepoID: 824687818640 Type: 824687818976:UnitTypePullRequests Config: {"IgnoreWhitespaceConflicts":false,"AllowMerge":true,"AllowRebase":true,"AllowRebaseMerge":true,"AllowSquash":true} Units[3]: ID: 824687818704 RepoID: 824687818736 Type: 824687819008:UnitTypeReleases Config: {} Units[4]: ID: 824687818800 RepoID: 824687818832 Type: 824687819040:UnitTypeWiki Config: {} ] 2019/11/07 20:19:31 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "release" WHERE repo_id=$1 AND is_draft=$2 []interface {}{2, false} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE (owner_id=$1 AND fork_id=$2) LIMIT 1 []interface {}{1, 2} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "user_id", "repo_id" FROM "watch" WHERE "user_id"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "uid", "repo_id" FROM "star" WHERE "uid"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "branch_name", "can_push", "enable_whitelist", "whitelist_user_i_ds", "whitelist_team_i_ds", "enable_merge_whitelist", "merge_whitelist_user_i_ds", "merge_whitelist_team_i_ds", "approvals_whitelist_user_i_ds", "approvals_whitelist_team_i_ds", "required_approvals", "created_unix", "updated_unix" FROM "protected_branch" WHERE "repo_id"=$1 AND "branch_name"=$2 LIMIT 1 []interface {}{2, "master"} 2019/11/07 20:19:31 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "branch_name", "can_push", "enable_whitelist", "whitelist_user_i_ds", "whitelist_team_i_ds", "enable_merge_whitelist", "merge_whitelist_user_i_ds", "merge_whitelist_team_i_ds", "approvals_whitelist_user_i_ds", "approvals_whitelist_team_i_ds", "required_approvals", "created_unix", "updated_unix" FROM "protected_branch" WHERE "repo_id"=$1 AND "branch_name"=$2 LIMIT 1 []interface {}{2, "master"} [Macaron] 2019-11-07 20:19:31: Started GET / for 127.0.0.1 2019/11/07 20:19:31 ...s/context/context.go:328:func1() [D] Session ID: 9592bbb188ca9a45 2019/11/07 20:19:31 ...s/context/context.go:329:func1() [D] CSRF Token: 21NVKuOMVuEkabb1tuJWO-fXj4M6MTU3MzE1Nzk3MTU2Mjg1ODU1Mg== 2019/11/07 20:19:31 ...s/context/context.go:137:HTML() [D] Template: home [Macaron] 2019-11-07 20:19:31: Completed GET / 200 OK in 3.384469ms [Macaron] 2019-11-07 20:19:31: Started GET /api/internal/hook/pre-receive/foo/bar?old=84ae4ffb4f9f503ce796d345a676c800b675aacc&new=db46e075b33bac76664db835e728b2b34384e424&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&gitAlternativeObjectDirectories=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects&gitQuarantinePath=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&prID=0 for 127.0.0.1 2019/11/07 20:19:31 modules/auth/auth.go:97:CheckOAuthAccessToken() [T] ParseOAuth2Token: signature is invalid 2019/11/07 20:19:31 ...s/context/context.go:328:func1() [D] Session ID: 92c404aa8441d573 2019/11/07 20:19:31 ...s/context/context.go:329:func1() [D] CSRF Token: NMoCu5jvTAQNl_nD2qHisrnfQ9I6MTU3MzE1Nzk3MTc5MDgxMzM4MQ== [Macaron] 2019-11-07 20:19:31: Completed GET /api/internal/hook/pre-receive/foo/bar?old=84ae4ffb4f9f503ce796d345a676c800b675aacc&new=db46e075b33bac76664db835e728b2b34384e424&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&gitAlternativeObjectDirectories=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects&gitQuarantinePath=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&prID=0 403 Forbidden in 911.132µs 2019/11/07 20:19:31 ...s/context/context.go:137:HTML() [D] Template: repo/editor/edit [Macaron] 2019-11-07 20:19:31: Completed POST /foo/bar/_new/master/ 302 Found in 469.152703ms 2019/11/07 20:19:31 ...c/net/http/server.go:3012:logf() [I] http: superfluous response.WriteHeader call from gopkg.in/macaron%2ev1.(*responseWriter).WriteHeader (response_writer.go:59) [Macaron] 2019-11-07 20:19:31: Started GET /vendor/plugins/simplemde/simplemde.min.css for 10.47.0.0 [Macaron] [Static] Serving /vendor/plugins/simplemde/simplemde.min.css [Macaron] 2019-11-07 20:19:31: Completed GET /vendor/plugins/simplemde/simplemde.min.css 200 OK in 734.459µs [Macaron] 2019-11-07 20:19:31: Started GET /vendor/plugins/highlight/github.css for 10.47.0.0 [Macaron] [Static] Serving /vendor/plugins/highlight/github.css [Macaron] 2019-11-07 20:19:31: Completed GET /vendor/plugins/highlight/github.css 200 OK in 326.641µs [Macaron] 2019-11-07 20:19:32: Started GET /vendor/plugins/codemirror/mode/yaml/yaml.js for 10.47.0.0 [Macaron] [Static] Serving /vendor/plugins/codemirror/mode/yaml/yaml.js [Macaron] 2019-11-07 20:19:32: Completed GET /vendor/plugins/codemirror/mode/yaml/yaml.js 200 OK in 358.95µs [Macaron] 2019-11-07 20:19:32: Started GET /foo/bar/_new/master/site.yml for 10.47.0.0 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "id"=$1 LIMIT 1 []interface {}{1} 2019/11/07 20:19:32 ...s/context/context.go:328:func1() [D] Session ID: 84335f472022f1f8 2019/11/07 20:19:32 ...s/context/context.go:329:func1() [D] CSRF Token: 44JwSeHDqnv5UnglbneRrWs288M6MTU3MzE1Nzg2ODg4NjkxNjc0NA== 2019/11/07 20:19:32 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "notification" WHERE (user_id = $1) AND (status = $2) []interface {}{1, 0x1} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "lower_name"=$1 LIMIT 1 []interface {}{"foo"} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE "owner_id"=$1 AND "lower_name"=$2 LIMIT 1 []interface {}{2, "bar"} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "user_id", "mode" FROM "collaboration" WHERE "repo_id"=$1 AND "user_id"=$2 LIMIT 1 []interface {}{2, 1} 2019/11/07 20:19:32 ...xorm/session_find.go:199:noCacheFind() [I] [SQL] SELECT "id", "repo_id", "type", "config", "created_unix" FROM "repo_unit" WHERE (repo_id = $1) []interface {}{2} 2019/11/07 20:19:32 ...s/repo_permission.go:154:func1() [T] Permission Loaded for 824707920288:crayvcs in 824707920368:foo/bar: Permissions: AccessMode: 824707921584:owner, 5 Units, 0 UnitsMode(s): [ Units[0]: ID: 824707920560 RepoID: 824707920608 Type: 824707921616:UnitTypeCode Config: {} Units[1]: ID: 824707920992 RepoID: 824707921040 Type: 824707921648:UnitTypeIssues Config: {"EnableTimetracker":true,"AllowOnlyContributorsToTrackTime":true,"EnableDependencies":true} Units[2]: ID: 824707921136 RepoID: 824707921184 Type: 824707921680:UnitTypePullRequests Config: {"IgnoreWhitespaceConflicts":false,"AllowMerge":true,"AllowRebase":true,"AllowRebaseMerge":true,"AllowSquash":true} Units[3]: ID: 824707921344 RepoID: 824707921376 Type: 824707921712:UnitTypeReleases Config: {} Units[4]: ID: 824707921440 RepoID: 824707921504 Type: 824707921744:UnitTypeWiki Config: {} ] 2019/11/07 20:19:32 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "release" WHERE repo_id=$1 AND is_draft=$2 []interface {}{2, false} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "owner_id", "lower_name", "name", "description", "website", "default_branch", "num_watches", "num_stars", "num_forks", "num_issues", "num_closed_issues", "num_pulls", "num_closed_pulls", "num_milestones", "num_closed_milestones", "is_private", "is_empty", "is_archived", "is_mirror", "is_fork", "fork_id", "size", "is_fsck_enabled", "close_issues_via_commit_in_any_branch", "topics", "avatar", "created_unix", "updated_unix" FROM "repository" WHERE (owner_id=$1 AND fork_id=$2) LIMIT 1 []interface {}{1, 2} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "user_id", "repo_id" FROM "watch" WHERE "user_id"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "uid", "repo_id" FROM "star" WHERE "uid"=$1 AND "repo_id"=$2 LIMIT 1 []interface {}{1, 2} 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "repo_id", "branch_name", "can_push", "enable_whitelist", "whitelist_user_i_ds", "whitelist_team_i_ds", "enable_merge_whitelist", "merge_whitelist_user_i_ds", "merge_whitelist_team_i_ds", "approvals_whitelist_user_i_ds", "approvals_whitelist_team_i_ds", "required_approvals", "created_unix", "updated_unix" FROM "protected_branch" WHERE "repo_id"=$1 AND "branch_name"=$2 LIMIT 1 []interface {}{2, "master"} 2019/11/07 20:19:32 ...s/context/context.go:137:HTML() [D] Template: repo/editor/edit [Macaron] 2019-11-07 20:19:32: Completed GET /foo/bar/_new/master/site.yml 200 OK in 43.711104ms [Macaron] 2019-11-07 20:19:32: Started GET /serviceworker.js for 10.47.0.0 2019/11/07 20:19:32 .../xorm/session_get.go:99:nocacheGet() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "passwd", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "diff_view_style", "theme" FROM "user" WHERE "id"=$1 LIMIT 1 []interface {}{1} 2019/11/07 20:19:32 ...s/context/context.go:328:func1() [D] Session ID: 84335f472022f1f8 2019/11/07 20:19:32 ...s/context/context.go:329:func1() [D] CSRF Token: 44JwSeHDqnv5UnglbneRrWs288M6MTU3MzE1Nzg2ODg4NjkxNjc0NA== 2019/11/07 20:19:32 .../xorm/session_raw.go:87:queryRow() [I] [SQL] SELECT count(*) FROM "notification" WHERE (user_id = $1) AND (status = $2) []interface {}{1, 0x1} [Macaron] 2019-11-07 20:19:32: Completed GET /serviceworker.js 200 OK in 7.783204ms ``` Looks like ``` [Macaron] 2019-11-07 20:19:31: Started GET /api/internal/hook/pre-receive/foo/bar?old=84ae4ffb4f9f503ce796d345a676c800b675aacc&new=db46e075b33bac76664db835e728b2b34384e424&ref=refs%2Fheads%2Fmaster&userID=1&gitObjectDirectory=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&gitAlternativeObjectDirectories=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects&gitQuarantinePath=%2Fdata%2Fgit%2Fgitea-repositories%2Ffoo%2Fbar.git%2F.%2Fobjects%2Fincoming-PfjpLI&prID=0 for 127.0.0.1 2019/11/07 20:19:31 modules/auth/auth.go:97:CheckOAuthAccessToken() [T] ParseOAuth2Token: signature is invalid ``` is the problem area. Note, the user is created by the gitea admin CLI when gitea is brought up.

GiteaMirror commented 2025-11-02 05:33:15 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 8, 2019):

Ok a status forbidden in hook pre-receive code is preceded by a warning.

So the forbidden is happening at:

4a08d574cf/routers/private/internal.go (L17-L24)

Meaning that the internal token being passed to the server from the running command is incorrect.

You have different internal tokens - they all have to be the same.

@zeripath commented on GitHub (Nov 8, 2019): Ok a status forbidden in hook pre-receive code is preceded by a warning. So the forbidden is happening at: https://github.com/go-gitea/gitea/blob/4a08d574cf496268b5ceae4fc605e103c870d204/routers/private/internal.go#L17-L24 Meaning that the internal token being passed to the server from the running command is incorrect. You have different internal tokens - they all have to be the same.

GiteaMirror commented 2025-11-02 05:33:16 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 11, 2019):

So this action was run from the UI from a logged in user. Are you saying that something that is being done with my configuration of gitea itself is wrong, or something in the UI is wrong?

@randyesq commented on GitHub (Nov 11, 2019): So this action was run from the UI from a logged in user. Are you saying that something that is being done with my configuration of gitea itself is wrong, or something in the UI is wrong?

GiteaMirror commented 2025-11-02 05:33:16 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 11, 2019):

OK, I think it's time I stepped back down to what goes on when you do any git alterations in Gitea.

• Say you edit a file to have new content from repo A
• Gitea will do a temporary (extremely shallow) clone of the repo A lets call that B.
• In B it will create a commit with the new content using git plumbing commands
• It will then push to A from the temporary repo B.
• It is during that push from B to A that gitea will then run the pre-receive, update and post-receive hooks.
• The hooks are actually performed by git itself running a gitea subcommand, gitea hook which then transmits all of its data to the Gitea server.

Now if you go and take a look at one of your gitea-repositories you'll see that the hooks are something like:

❯ cat ~/gitea-repositories/administrator/nonempty.git/hooks/pre-receive.d/gitea                           [20:50:54]
#!/usr/bin/env bash
"/home/zeripath/go/src/code.gitea.io/gitea/gitea" hook --config='/home/zeripath/go/src/code.gitea.io/gitea/custom/conf/app.ini' pre-receive

Note the absolute path to the gitea application that run it, and a config file reference.

The config file reference is important because gitea will not be unlikely to find its config otherwise, in particular it needs the INTERNAL_TOKEN from that app.ini because, well that's the authorization token that gitea hook uses to talk to the server and it needs find the local address for the Gitea server to speak to (That's specifically LOCAL_ROOT_URL, but ROOT_URL, or whatever goes to make that if that's not set.)

Now as I state above, there is no place for a user to get Forbidden in hooks without some more logging except at:

4a08d574cf/routers/private/internal.go (L17-L24)

So, when that push is happening the config that the hook files is finding is not correct - either because INTERNAL_TOKEN is not set or the server that hook speaks to over LOCAL_ROOT_URL has a different INTERNAL_TOKEN.

@zeripath commented on GitHub (Nov 11, 2019): OK, I think it's time I stepped back down to what goes on when you do any git alterations in Gitea. * Say you edit a file to have new content from repo A * Gitea will do a temporary (extremely shallow) clone of the repo A lets call that B. * In B it will create a commit with the new content using git plumbing commands * It will then push to A from the temporary repo B. * It is during that push from B to A that gitea will then run the pre-receive, update and post-receive hooks. * The hooks are actually performed by git itself running a gitea subcommand, `gitea hook` which then transmits all of its data to the Gitea server. Now if you go and take a look at one of your gitea-repositories you'll see that the hooks are something like: ``` ❯ cat ~/gitea-repositories/administrator/nonempty.git/hooks/pre-receive.d/gitea [20:50:54] #!/usr/bin/env bash "/home/zeripath/go/src/code.gitea.io/gitea/gitea" hook --config='/home/zeripath/go/src/code.gitea.io/gitea/custom/conf/app.ini' pre-receive ``` Note the absolute path to the gitea application that run it, and a config file reference. The config file reference is important because gitea will not be unlikely to find its config otherwise, in particular it needs the `INTERNAL_TOKEN` from that app.ini because, well that's the authorization token that gitea hook uses to talk to the server and it needs find the local address for the Gitea server to speak to (That's specifically LOCAL_ROOT_URL, but ROOT_URL, or whatever goes to make that if that's not set.) Now as I state above, there is no place for a user to get Forbidden in hooks without some more logging except at: https://github.com/go-gitea/gitea/blob/4a08d574cf496268b5ceae4fc605e103c870d204/routers/private/internal.go#L17-L24 So, when that push is happening the config that the hook files is finding is not correct - either because INTERNAL_TOKEN is not set or the server that hook speaks to over LOCAL_ROOT_URL has a different INTERNAL_TOKEN.

GiteaMirror commented 2025-11-02 05:33:16 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 11, 2019):

Is there a way I can modify the pre-receive.d/gitea bash script to print out the values of the INTERNAL_TOKEN that are in play?

@randyesq commented on GitHub (Nov 11, 2019): Is there a way I can modify the `pre-receive.d/gitea` bash script to print out the values of the INTERNAL_TOKEN that are in play?

GiteaMirror commented 2025-11-02 05:33:16 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 11, 2019):

A grep of the config file as a hook would do it as far as I can see.

@zeripath commented on GitHub (Nov 11, 2019): A grep of the config file as a hook would do it as far as I can see.

GiteaMirror commented 2025-11-02 05:33:17 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 11, 2019):

Where would the output of that hook script end up for me to review?

@randyesq commented on GitHub (Nov 11, 2019): Where would the output of that hook script end up for me to review?

GiteaMirror commented 2025-11-02 05:33:17 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 11, 2019):

Stdout from most git hooks is sent directly to the client. Certainly these would do so.

The issue is ensuring that you're getting exactly the same config file as the hook - you could grep/sed it out of the Gitea hook file.

However if you can do all that, I'm not certain just checking hook files and container confs would not work.

If you don't want it to go to the client - one trick is to do a wget to get it into a server log.

@zeripath commented on GitHub (Nov 11, 2019): Stdout from most git hooks is sent directly to the client. Certainly these would do so. The issue is ensuring that you're getting exactly the same config file as the hook - you could grep/sed it out of the Gitea hook file. However if you can do all that, I'm not certain just checking hook files and container confs would not work. If you don't want it to go to the client - one trick is to do a wget to get it into a server log.

GiteaMirror commented 2025-11-02 05:33:17 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 11, 2019):

Okay, well the instance for the server logs that I found was running in a VM that I have up that has the same configuration as our regular setup, here is the content of the hook and shows that the app.ini and gitea executable are where I expect them to be:

bash-5.0# cat /data/git/gitea-repositories/foo/bar.git/hooks/pre-receive.d/gitea
#!/usr/bin/env bash
"/app/gitea/gitea" hook --config='/data/gitea/conf/app.ini' pre-receive
bash-5.0# ls -l /app/gitea/gitea
-rwxr-xr-x    1 git      git       62985080 Sep  7 18:02 /app/gitea/gitea
bash-5.0# ls -l /data/gitea/conf/app.ini
-rwxr-xr-x    1 git      git           5793 Nov  7 20:30 /data/gitea/conf/app.ini

My app.ini does not include an INTERNAL_TOKEN when Gitea first starts up, but it looks like Gitea is creating one properly

bash-5.0# grep INTERNAL_TOKEN /data/gitea/conf/app.ini
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NzMxNTg2MDB9.dhqm5QaQFItK3--HV69oW8D3j_8UKkLoN0hn4tqg0pM

LOCAL_ROOT_URL and ROOT_URL are defined as such in the server section of app.ini:

[server]
PROTOCOL                        = http
DOMAIN                          = git-service.local
ROOT_URL                        = https://%(DOMAIN)s/vcs/
HTTP_ADDR                       = 0.0.0.0
HTTP_PORT                       = 3000
LOCAL_ROOT_URL                  = http://localhost:3000/
DISABLE_SSH                     = true
START_SSH_SERVER                = false
SSH_CREATE_AUTHORIZED_KEYS_FILE = false
OFFLINE_MODE                    = true
DISABLE_ROUTER_LOG              = false
APP_DATA_PATH                   = data

Anything you see here look incorrect?

@randyesq commented on GitHub (Nov 11, 2019): Okay, well the instance for the server logs that I found was running in a VM that I have up that has the same configuration as our regular setup, here is the content of the hook and shows that the `app.ini` and `gitea` executable are where I expect them to be: ``` bash-5.0# cat /data/git/gitea-repositories/foo/bar.git/hooks/pre-receive.d/gitea #!/usr/bin/env bash "/app/gitea/gitea" hook --config='/data/gitea/conf/app.ini' pre-receive bash-5.0# ls -l /app/gitea/gitea -rwxr-xr-x 1 git git 62985080 Sep 7 18:02 /app/gitea/gitea bash-5.0# ls -l /data/gitea/conf/app.ini -rwxr-xr-x 1 git git 5793 Nov 7 20:30 /data/gitea/conf/app.ini ``` My `app.ini` does not include an `INTERNAL_TOKEN` when Gitea first starts up, but it looks like Gitea is creating one properly ``` bash-5.0# grep INTERNAL_TOKEN /data/gitea/conf/app.ini INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NzMxNTg2MDB9.dhqm5QaQFItK3--HV69oW8D3j_8UKkLoN0hn4tqg0pM ``` `LOCAL_ROOT_URL` and `ROOT_URL` are defined as such in the server section of `app.ini`: ``` [server] PROTOCOL = http DOMAIN = git-service.local ROOT_URL = https://%(DOMAIN)s/vcs/ HTTP_ADDR = 0.0.0.0 HTTP_PORT = 3000 LOCAL_ROOT_URL = http://localhost:3000/ DISABLE_SSH = true START_SSH_SERVER = false SSH_CREATE_AUTHORIZED_KEYS_FILE = false OFFLINE_MODE = true DISABLE_ROUTER_LOG = false APP_DATA_PATH = data ``` Anything you see here look incorrect?

GiteaMirror commented 2025-11-02 05:33:17 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 12, 2019):

I don't know your configuration but I suspect app.ini having internal token empty is incorrect. Do you ever have more than one Gitea running at a time?

Is it possible that the instance that is running the hook is not the same instance as the Gitea that is the server?

Stop recreating the internal token every time. Put it in the app.ini.

@zeripath commented on GitHub (Nov 12, 2019): I don't know your configuration but I suspect app.ini having internal token empty is incorrect. Do you ever have more than one Gitea running at a time? Is it possible that the instance that is running the hook is not the same instance as the Gitea that is the server? Stop recreating the internal token every time. Put it in the app.ini.

GiteaMirror commented 2025-11-02 05:33:18 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 13, 2019):

We don't have more than one instance running at a time, so that is not possible.

I'll see about adding an internal token when we bring up gitea the first time. My question would be, however, is the internal token changing while gitea is up and running?

@randyesq commented on GitHub (Nov 13, 2019): We don't have more than one instance running at a time, so that is not possible. I'll see about adding an internal token when we bring up gitea the first time. My question would be, however, is the internal token changing while gitea is up and running?

GiteaMirror commented 2025-11-02 05:33:18 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Nov 21, 2019):

Is there a specific format for the internal token that needs to be used?

@randyesq commented on GitHub (Nov 21, 2019): Is there a specific format for the internal token that needs to be used?

GiteaMirror commented 2025-11-02 05:33:18 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Nov 21, 2019):

Not sure but I could imagine that if the server was restarted for whatever reason the internal token would change.

I think you just need to copy a created internal token from the app.ini of a running server and add that to your template.

@zeripath commented on GitHub (Nov 21, 2019): Not sure but I could imagine that if the server was restarted for whatever reason the internal token would change. I think you just need to copy a created internal token from the app.ini of a running server and add that to your template.

GiteaMirror commented 2025-11-02 05:33:19 -06:00

Author

Owner

Copy Link

@stale[bot] commented on GitHub (Jan 21, 2020):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale[bot] commented on GitHub (Jan 21, 2020): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

GiteaMirror commented 2025-11-02 05:33:19 -06:00

Author

Owner

Copy Link

@randyesq commented on GitHub (Jan 21, 2020):

We have made the change to have the INTERNAL_TOKEN set when the instance is first brought up. Haven't seen any issues since then. Thanks for your help on this one @zeripath .

@randyesq commented on GitHub (Jan 21, 2020): We have made the change to have the INTERNAL_TOKEN set when the instance is first brought up. Haven't seen any issues since then. Thanks for your help on this one @zeripath .

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label issue/needs-feedback issue/stale

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#3992