search

containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0
7.91k stars 587 forks source link

nerdctl login fails when 2fa is enabled (registry.gitlab.com) #3378

Open hrkrx opened 2 weeks ago

hrkrx commented 2 weeks ago

Description

When enabling 2fa in gitlab the login to the registry is not working.

Steps to reproduce the issue

  1. enable gitlab 2fa
  2. run "nerdctl login registry.gitlab.com -u user"
  3. input password
  4. Error: 
    ERRO[0012] failed to call tryLoginWithRegHost            error="failed to call rh.Authorizer.Authorize: failed to fetch oauth token: unexpected status from GET request to https://gitlab.com/jwt/auth?offline_token=true&service=container_registry: 401 Unauthorized" i=0
FATA[0012] failed to call rh.Authorizer.Authorize: failed to fetch oauth token: unexpected status from GET request to https://gitlab.com/jwt/auth?offline_token=true&service=container_registry: 401 Unauthorized

Describe the results you received and expected

I expected the login to function normally even with 2fa

What version of nerdctl are you using?

0.23.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Rancher Desktop for Windows

Host information

Windows 10 (WinBuild.160101.0800)

apostasie commented 2 weeks ago

Thanks @hrkrx I am not a gitlab user. Would you have a reproducer for this? (eg: a few lines to setup gitlab with 2fa locally)

Otherwise, I will look into gitlab of course - but might take some time.

apostasie commented 2 weeks ago

@hrkrx does docker support 2FA?

apostasie commented 2 weeks ago

Actually, since you enabled 2FA, you need to use a personal access token or a deploy token to login against your gitlab registry with a cli.

This is true for both docker and nerdctl.

Documentation here:

https://docs.gitlab.com/ee/user/packages/container_registry/troubleshoot_container_registry.html

@AkihiroSuda can we tag this as question and close it?