Running docker commands against Gitea registry results in a call against ROOT_URL #9929

New Issue

Closed

opened 2025-11-02 08:53:19 -06:00 by GiteaMirror · 3 comments

GiteaMirror commented 2025-11-02 08:53:19 -06:00

Owner

Copy Link

Originally created by @scubbo on GitHub (Dec 5, 2022).

Description

See this repo - when running docker commands (docker login, docker pull, etc.) against a registry, a call is made against the server's ROOT_URL. If there is no server available at the ROOT_URL, this will result in an error. This can result in issues when the ROOT_URL refers to the public domain name of the Gitea service, but an image provided by the registry that is a prerequisite for setting up the public domain name is referenced by an internal domain name.

Gitea Version

Gitea version 1.18.0+rc1 built with GNU Make 4.3, go1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Kubernetes in the original situation; docker-compose in the minimal reproduction.

Database

None

Originally created by @scubbo on GitHub (Dec 5, 2022). ### Description See [this repo](https://github.com/scubbo/possible-gitea-bug) - when running `docker` commands (`docker login`, `docker pull`, etc.) against a registry, a call is made against the server's `ROOT_URL`. If there is no server available at the `ROOT_URL`, this will result in an error. This can result in issues when the `ROOT_URL` refers to the public domain name of the Gitea service, but an image provided by the registry that is a prerequisite for setting up the public domain name is referenced by an internal domain name. ### Gitea Version Gitea version 1.18.0+rc1 built with GNU Make 4.3, go1.19.3 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? Kubernetes in the original situation; docker-compose in the minimal reproduction. ### Database None

GiteaMirror added the topic/packagestype/bug labels 2025-11-02 08:53:19 -06:00

GiteaMirror closed this issue 2025-11-02 08:53:20 -06:00

GiteaMirror commented 2025-11-02 08:53:20 -06:00

Author

Owner

Copy Link

@KN4CK3R commented on GitHub (Dec 5, 2022):

You set ROOT_URL to something non-existing. Why should that work?

In your stackoverflow question you describe an "internal call" to the wrong domain. Gitea does not perform a request. The usual docker login flow is to query /v2. This will respond with Unauthorized and an url to obtain the ticket from.

77f50356f4/routers/api/packages/container/container.go (L114-L119)

Here you see the url is build using setting.AppURL which is influenced by your ROOT_URL setting. Your curl request succeeds because the basic auth handles the login but that's not used by docker.

@KN4CK3R commented on GitHub (Dec 5, 2022): You set ROOT_URL to something non-existing. Why should that work? In your stackoverflow question you describe an "internal call" to the wrong domain. Gitea does not perform a request. The usual docker login flow is to query `/v2`. This will respond with `Unauthorized` and an url to obtain the ticket from. https://github.com/go-gitea/gitea/blob/77f50356f4dd108b1e35b1a706269573aeaf98f1/routers/api/packages/container/container.go#L114-L119 Here you see the url is build using `setting.AppURL` which is influenced by your `ROOT_URL` setting. Your curl request succeeds because the basic auth handles the login but that's not used by docker.

GiteaMirror commented 2025-11-02 08:53:20 -06:00

Author

Owner

Copy Link

@scubbo commented on GitHub (Dec 5, 2022):

You set ROOT_URL to something non-existing. Why should that work?

Naïvely, for operations that do not require Gitea knowing it's own URL (like generating a git clone link), there's no reason to think that it wouldn't. Sure, a non-existent ROOT_URL is clearly not correct - but it's surprising that it results in breakages of APIs that appear to have nothing to do with the ROOT_URL itself.

That said, your explanation of the authentication mechanism makes it clear why this behaviour happens, and why addressing it would not be desirable. Thanks for the explanation!

@scubbo commented on GitHub (Dec 5, 2022): > You set ROOT_URL to something non-existing. Why should that work? Naïvely, for operations that do not require Gitea knowing it's own URL (like generating a `git clone` link), there's no reason to think that it _wouldn't_. Sure, a non-existent `ROOT_URL` is clearly not *correct* - but it's surprising that it results in breakages of APIs that appear to have nothing to do with the `ROOT_URL` itself. That said, your explanation of the authentication mechanism makes it clear why this behaviour happens, and why addressing it would not be desirable. Thanks for the explanation!

GiteaMirror commented 2025-11-02 08:53:20 -06:00

Author

Owner

Copy Link

@scubbo commented on GitHub (Jan 4, 2023):

Basically I was looking for Multi-domain support - I want to be able to access my Gitea instance via an internal Domain Name (which resolves directly via my Router's DNS override) or via an external Domain Name (resolved by DNS servers out on the broader Internet), and moreover want to be able to access the former even if the latter is inaccessible.

@scubbo commented on GitHub (Jan 4, 2023): Basically I was looking for [Multi-domain support](https://github.com/go-gitea/gitea/issues/19345) - I want to be able to access my Gitea instance via an internal Domain Name (which resolves directly via my Router's DNS override) _or_ via an external Domain Name (resolved by DNS servers out on the broader Internet), and moreover want to be able to access the former even if the latter is inaccessible.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/packages type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#9929