Open RogerSik opened 10 months ago
What is a signature key
in the docker context? There wasn't a significant change on the package code for 1.21. Could you show the router log for the failing docker command?
I'm also curious. Specially because push is working from Gitea CI or local docker client, but not the pull. On the Demo Site it is working fine.
Could you show the router log for the failing docker command?
What is the router log? How do i get them?
I created a test pipeline which can also be visited: https://gitea.sikorski.cloud/RogerSik/registry-test/actions/runs/1/jobs/0
Somehow it needs to be the client? Because now i got the same error but i wasn't fast enough to assign this image to this repository. So this repository was / is empty and the pull error was the message.
Checking now my reverse proxy traefik. I get following message when using the pull command
2023/11/21 05:41:47 reverseproxy.go:666: httputil: ReverseProxy read error during body copy: unexpected EOF
2023/11/21 05:44:32 reverseproxy.go:666: httputil: ReverseProxy read error during body copy: unexpected EOF
2023/11/21 05:46:48 reverseproxy.go:666: httputil: ReverseProxy read error during body copy: unexpected EOF
Will troubleshooting forward in this direction.
@KN4CK3R I am experiencing the same problem with a very similar environment setup as Roger; please see my logs below:
In this case, I am attempting to run a CI pipeline for example-org/example-repo
that pulls a base image from other-org/image-name
.
I did now exclued traefik and connected directly with Gitea. "Interesting" part is that the problem is still there.
$ docker tag alpine:latest localhost:3000/rogersik/gitea-act-runner:development-test
$ docker push localhost:3000/rogersik/gitea-act-runner:development-test
The push refers to repository [localhost:3000/rogersik/gitea-act-runner]
cc2447e1835a: Layer already exists
development-test: digest: sha256:48d9183eb12a05c99bcc0bf44a003607b8e941e1d4f41f9ad12bdcc4b5672f86 size: 528
$ docker pull localhost:3000/rogersik/gitea-act-runner:development-test
development-test: Pulling from rogersik/gitea-act-runner
Digest: sha256:48d9183eb12a05c99bcc0bf44a003607b8e941e1d4f41f9ad12bdcc4b5672f86
Status: Image is up to date for localhost:3000/rogersik/gitea-act-runner:development-test
localhost:3000/rogersik/gitea-act-runner:development-test
$ docker image rm localhost:3000/rogersik/gitea-act-runner:development-test
Untagged: localhost:3000/rogersik/gitea-act-runner:development-test
Untagged: localhost:3000/rogersik/gitea-act-runner@sha256:48d9183eb12a05c99bcc0bf44a003607b8e941e1d4f41f9ad12bdcc4b5672f86
$ docker pull localhost:3000/rogersik/gitea-act-runner:development-test
development-test: Pulling from rogersik/gitea-act-runner
Digest: sha256:48d9183eb12a05c99bcc0bf44a003607b8e941e1d4f41f9ad12bdcc4b5672f86
Status: Downloaded newer image for localhost:3000/rogersik/gitea-act-runner:development-test
localhost:3000/rogersik/gitea-act-runner:development-test
$ docker system prune -af
Deleted Images:
$ docker pull localhost:3000/rogersik/gitea-act-runner:development-test
Error response from daemon: missing signature key
So something Gitea relevated but with my configuration because of the try.gitea.io it did work.
When executing
$ docker pull localhost:3000/rogersik/gitea-act-runner:development-test
appears in the container log.
2023/11/25 22:44:35 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 127.0.0.1:44664, 401 Unauthorized in 0.1ms @ container/container.go:118(container.ReqContainerAccess)
But I was before authenticiated with docker login (push was also successfull). @EternalDeiwos has the same message.
I think this is related at least in some regard, as it started happening after upgrading to 1.21.0 as well.
docker login <server>
[...]
Error response from daemon: Get "https://<server>/v2/": unauthorized: authGroup.Verify
Previously I was using my users credentials. After generating an application specific token, I was able to login with that token and all was good again.
Profile -> Settings -> Applications -> Generate Token
Not sure if it's relevant, but my account uses 2FA.
Edit: Yes, it was relevant:
What I find odd here is I am getting the expected 307 that redirects to my S3 storage containing the image layers… and the error message is complaining about a missing signature key
. I don’t think this is authentication related but rather a server-side problem.
That said, I’ll play with the auth and see if I can at least rule it out as related.
@evanreichard I also have 2FA enabled but i was using the application token. For testing I disabled 2FA and re-logged in with the normal user passwort. Sadly same error message:
Error response from daemon: missing signature key
The strange thing (from begin of this issue) is that uploads seems to working (no errors) but the pull is failing.
I don’t think this is authentication related but rather a server-side problem.
Good clue. Because of that I tried now Gitea Packages with local storages instead of the currently setup with Minio.
[storage.packages]
STORAGE_TYPE = local
Pull is now working. :D :/
That said, I’ll play with the auth and see if I can at least rule it out as related.
I've tested with fresh admin-level credentials and I am pretty sure it is not auth related. Given local is working for Roger, I'd say that probably indicates something to do with #25543.
Edit: also no change for 1.21.1.
Further testing; after disabling SERVE_DIRECT
for packages I am now able to use the registry again as normal.
Further testing; after disabling
SERVE_DIRECT
for packages I am now able to use the registry again as normal.
Can confirm here the same. 🙌
Thanks for testing. Maybe a newer docker client version is more strict with the HTTP headers of the content. With SERVE_DIRECT
the content response looks like this
Docker-Header: xyx
Docker-Header2: xyx
Location: url-where-the-blob-is
But the response from url-where-the-blob-is
does not contain the docker headers.
May still be wrong because you can't add arbitrary headers to the response: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
Overriding Response Header Values
There are times when you want to override certain response header values in a GET response. For example, you might override the Content-Disposition response header value in your GET request.
You can override values for a set of response headers using the following query parameters. ...
response-content-type response-content-language response-expires response-cache-control response-content-disposition response-content-encoding
Looks like the error message is from here: https://github.com/docker/libtrust/blob/aabc10ec26b754e797f9028f4589c5b7bd90dc20/jsonsign.go#L23-L25
But that is unrelated to the serve direct setting...?
The code is only used in Docker schema1 manifests which were removed in 08/23: https://github.com/distribution/distribution/commit/0742b56677a04d00a97fd298663ab09f80b7583c#diff-f65d932ec1e10721d44ebd79b23a64cc70599bb6f24db45b48a9f275c9332147L146
What Docker version do you use? Does some setting enforces the usage of schema1 (which is not supported in Gitea)?
What Docker version do you use?
I'm running Docker CE 24.0.6
locally.
Does some setting enforces the usage of schema1 (which is not supported in Gitea)?
Not as far as I have explicitly configured or am aware of...
I've changed nothing other than the update to 1.21. I can push to packages but cannot pull. I tried to re login to docker and it's getting Error response from daemon: ............ connection refused
even though it's the same setup as before.
Tried to downgrade but the databases are not compatible. Any work arounds until a fix is out?
Note: out of curiosity I pulled down the nightly
docker build to see if the fix was on that, but alas it was not. Same issue and now with the database upgrade I'm stuck on the nightly
release haha
Maybe you need to check whether your ROOT_URL
is correct.
Maybe you need to check whether your
ROOT_URL
is correct.
I'll double-check it in the morning, but it was for the last several months with no configuration changes. Only the last update broke pulling from package registries for me.
Maybe you have a different problem as this one? If that, you can create a new issue with more description.
Maybe you have a different problem as this one? If that, you can create a new issue with more description.
It's possible, actually, although it seems like it's similar.
I'll produce the issue again tomorrow and post a more detailed bug in a separate issue.
@KN4CK3R I have just seen the needs feedback tag, looking for anything specific?
I had this problem, it turned out I had a rather old version of docker-ce running.
Sending build context to Docker daemon 5.632kB
Step 1/1 : FROM gitea/gitea:1.20
missing signature key
Docker version: Docker version 17.09.1-ce, build 19e2cf6
After upgrading to the latest version (Docker version 25.0.3, build 4debf41) I no longer had any problems pulling/building the image.
I'm seeing this using Amazon S3 with SERVE_DIRECT
enabled. Once SERVE_DIRECT
is disabled things work as normal. Gitea 1.22.0
.
Podman:
# podman version
Client: Podman Engine
Version: 5.1.1
API Version: 5.1.1
Go Version: go1.22.3
Git Commit: bda6eb03dcbcf12a5b7ae004c1240e38dd056d24-dirty
Built: Tue Jun 4 18:12:10 2024
OS/Arch: linux/amd64
# podman pull gitea/org/test:latest
Trying to pull gitea/org/test:latest...
Error: initializing image from source docker://gitea/org/test:latest: unsupported schema version 2
Docker:
# docker version
Client:
Version: 27.0.3
API version: 1.46
Go version: go1.22.4
Git commit: 7d4bcd863a
Built: Mon Jul 1 21:15:54 2024
OS/Arch: linux/amd64
Context: default
Server:
Engine:
Version: 27.0.3
API version: 1.46 (minimum version 1.24)
Go version: go1.22.4
Git commit: 662f78c0b1
Built: Mon Jul 1 21:15:54 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.7.18
GitCommit: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e.m
runc:
Version: 1.1.13
GitCommit:
docker-init:
Version: 0.19.0
GitCommit: de40ad0
# docker pull gitea/org/test:latest
Error response from daemon: missing signature key
same here, minio over blackblaze b2, SERVE_DIRECT=false fixes it
Description
Since the upgrade to 1.21.0 the docker image build succeed but the docker pull fails with
I suspect this is because of 1.21.0 because before the upgrade I din't have this problem. I can't
Test build locally with docker client
I builded the image now on three different ways
I deleted the :development image and rebuild it the same error happens. When using an unused tag example test1 same error.
When downloading a ready image like alpine:latest
Gitea Version
1.21.0
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
1.21.0
Operating System
Ubuntu 22.04 / K3s
How are you running Gitea?
Gitea with the official docker container running on K3S.
Database
PostgreSQL