Pulling image from private GHCR results in unauthorized

[jurgenf]

When trying to pull an image inside the docker-compose trigger the pulling fails with the log message

Error when pulling image ghcr.io/[image]:[version] ((HTTP code 500) server error - Head "https://ghcr.io/v2/[image]/manifests/[version]": unauthorized )

I suspect this is a side-effect from https://github.com/fmartinou/whats-up-docker/pull/254. The getAuthPull method still expects a username: https://github.com/fmartinou/whats-up-docker/blob/master/app/registries/providers/ghcr/Ghcr.js#L63 but I am not certain.

[jurgenf]

I have checked my hypothesis by hard-coding the username in the getAuthPull function, after which the image can be pulled by WUD. I think I can submit a PR to fix this but I am uncertain about how you want to solve it @fmartinou . Would you like to re-introduce the username configuration option or something else?

[marcusique]

I'm experiencing the same issue.

22:36:24.751  INFO whats-up-docker/trigger.dockercompose.zzz: Pull image ghcr.io/xxx/yyy:latest (container=local_yyy)
22:36:25.134  WARN whats-up-docker/trigger.dockercompose.zzz: Error when pulling image ghcr.io/xxx/yyy:latest ((HTTP code 500) server error - Head "https://ghcr.io/v2/xxx/yyy/manifests/latest": unauthorized ) (container=local_yyy)
22:36:25.134  WARN whats-up-docker/trigger.dockercompose.zzz: Error ((HTTP code 500) server error - Head "https://ghcr.io/v2/xxx/yyy/manifests/latest": unauthorized )

[fmartinou]

Hi, @jurgenf ,

Thanks for the troubleshoot 👍

If I understand correctly, the github username is not needed to use the Docker Registry API but it's still needed for the Docker engine to authenticate to ghcr?

Passing an empty or a dummy username doesn't work?

If so, yeah, there is no other way than bringing back the username config option 😞 .

[jurgenf]

I am now testing with a fixed username 'github', I think that works. I also tried with an empty string but I am not sure if it failed because of another crash I am experiencing (possibly #275) or this is not allowed. I will check again...

[marcusique]

@jurgenf, a fixed username github doesn't work for me, still results in unauthorized.

[jurgenf]

I think you need the correct username afterall @marcusique. So I think we need to bring back the username option.

[fmartinou]

Hi,

I pushed a fixed version fmartinou/whats-up-docker:fix__271_ghcr_pull_authentication

The WUD_REGISTRY_GHCR_USERNAME and WUD_REGISTRY_LSCR_USERNAME have been reintroduced (PR https://github.com/fmartinou/whats-up-docker/pull/286) (both GHCR and LSCR registries are impacted)

Can you give it a try?

[marcusique]

Hi @fmartinou,

I can confirm it worked. GHCR was successfully added to the authenticated registries

09:44:39.531  INFO whats-up-docker/registry.ghcr: Register with configuration {"username":"xxx","token":"g**************************************i"}

And it managed to automatically update an image based on a trigger

09:47:39.026  INFO whats-up-docker/trigger.dockercompose.zzz: Pull image ghcr.io/xxx/yyy:latest (container=local_yyy)
09:49:18.103  INFO whats-up-docker/trigger.dockercompose.zzz: Image ghcr.io/xxx/yyy:latest pulled with success (container=local_yyy)
09:49:18.105  INFO whats-up-docker/trigger.dockercompose.zzz: Stop container yyy with id bbd9b329b0f89a24b4a35c4838dab1c1e396d77d7ca0a12e790cd6290c21ae98 (container=local_yyy)
09:51:47.915  INFO whats-up-docker/watcher.docker.local: Status changed from running to exited (container=local_yyy)
09:51:47.918  INFO whats-up-docker/trigger.dockercompose.zzz: Container yyy with id bbd9b329b0f89a24b4a35c4838dab1c1e396d77d7ca0a12e790cd6290c21ae98 stopped with success (container=local_yyy)
09:51:47.919  INFO whats-up-docker/trigger.dockercompose.zzz: Remove container yyy with id bbd9b329b0f89a24b4a35c4838dab1c1e396d77d7ca0a12e790cd6290c21ae98 (container=local_yyy)
09:51:47.982  INFO whats-up-docker/trigger.dockercompose.zzz: Container yyy with id bbd9b329b0f89a24b4a35c4838dab1c1e396d77d7ca0a12e790cd6290c21ae98 removed with success (container=local_yyy)
09:51:47.983  INFO whats-up-docker/trigger.dockercompose.zzz: Create container yyy (container=local_yyy)
09:51:48.187  INFO whats-up-docker/trigger.dockercompose.zzz: Container yyy recreated on new image with success (container=local_yyy)
09:51:48.187  INFO whats-up-docker/trigger.dockercompose.zzz: Start container yyy (container=local_yyy)
09:51:49.225  INFO whats-up-docker/trigger.dockercompose.zzz: Container yyy started with success (container=local_yyy)
09:51:49.227  INFO whats-up-docker/trigger.dockercompose.zzz: Remove image ghcr.io/xxx/yyy@sha256:87f21b07426af7dcab249775b8dbb5a16461e5d90e6e96ad79c9ff5365cad42f (container=local_yyy)
09:51:51.008  INFO whats-up-docker/trigger.dockercompose.zzz: Image ghcr.io/xxx/yyy@sha256:87f21b07426af7dcab249775b8dbb5a16461e5d90e6e96ad79c9ff5365cad42f removed with success (container=local_yyy)
09:51:53.186  INFO whats-up-docker/watcher.docker.local: Cron started (1 0 * * *)

[fmartinou]

Hi @marcusique ,

Thank you for the feedback 👍

I wait for @jurgenf confirmation that the fix is also working for him, then I'll merge it 😃

[jurgenf]

Fix works on my end too!

[sebstrgg]

Hi, I guessed my way to this solution (env for username) when setting up WUD earlier today based on stdout logs. I think it would be great if documentation would be updated that these variables are reintroduced :)

[samcro1967]

@fmartinou Getting an error tying to pull fmartinou/whats-up-docker:fix__271_ghcr_pull_authentication and doesn't seem like GHCR_USERNAME is in 6.3.0. Is there another workaround currently?

07:24:25.025  WARN whats-up-docker/registry: Some registries failed to register (Error when registering component ghcr ("username" is not allowed))