go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

docker push fails #31802

Closed avber closed 2 months ago

avber commented 2 months ago

Description

Hello,

gitea is run on a custom port and subpath behind a separate firewall with NAT https://domain.com:8443/gitea

Self-check page shows no problems

docker push from external machine works fine.

docker login succeeds in the VM that hosts gitea. Push fails from the VM that hosts gitea.

Some gitea logs are below;

2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 172.18.0.1:0, 401 Unauthorized in 0.3ms @ container/container.go:126(container.ReqContainerAccess)
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?scope=repository%3A---------%2F---------%3Apush%2Cpull&service=container_registry for 172.18.0.1:0, 200 OK in 0.2ms @ container/container.go>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/---------/blobs/sha256:2fe3f9fcc07ad363a19d33bb9f38f3540c724121f112de29713ae8cd98ab6343 for 172.18.0.1:0, 404 Not Found in 1.1ms @ cont>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/---------/blobs/sha256:46401f65b78c42a666f8b63e8beab24b33558f5eee661d8e7ba7efe7cfa56b35 for 172.18.0.1:0, 404 Not Found in 1.5ms @ cont>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/---------/blobs/sha256:75cceec2ae3fd04477c61b35783c4a727362703003063f084100448d6b72ed75 for 172.18.0.1:0, 404 Not Found in 0.7ms @ cont>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/---------/blobs/sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 for 172.18.0.1:0, 404 Not Found in 0.6ms @ cont>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/---------/blobs/uploads/ for 172.18.0.1:0, 401 Unauthorized in 0.4ms @ packages/api.go:42(packages.ContainerRoutes.func2.1.reqPackageAc>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/---------/blobs/sha256:e15b63474834ed288774bd3d34953acb26783b0ffe61715eb039ab4a8f270fa7 for 172.18.0.1:0, 404 Not Found in 1.3ms @ cont>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/---------/blobs/uploads/ for 172.18.0.1:0, 401 Unauthorized in 0.4ms @ packages/api.go:42(packages.ContainerRoutes.func2.1.reqPackageAc>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/---------/blobs/uploads/ for 172.18.0.1:0, 401 Unauthorized in 0.4ms @ packages/api.go:42(packages.ContainerRoutes.func2.1.reqPackageAc>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/---------/blobs/uploads/ for 172.18.0.1:0, 401 Unauthorized in 0.4ms @ packages/api.go:42(packages.ContainerRoutes.func2.1.reqPackageAc>
2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/---------/blobs/uploads/ for 172.18.0.1:0, 401 Unauthorized in 0.4ms @ packages/api.go:42(packages.ContainerRoutes.func2.1.reqPackageAc

Gitea Version

1.22 1.22.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

docker https://domain.com:8443/gitea

Database

None

lunny commented 2 months ago

What's your configuration for the ROOT_URL?

avber commented 2 months ago

https://domain.com:8443/gitea

Logs show that docker registry GET/HEAD auth is fine. The POST request is failing.

KN4CK3R commented 2 months ago

Maybe the docker user has no permission to push to the target scope.

avber commented 2 months ago

@KN4CK3R Could you clarify?

The same gitea (admin) user is used to push images from external machine (where push is working)

If it helps, here is a part of docker compose:

services:
  server:
    image: gitea/gitea:1.22.1
    container_name: gitea
    environment:

avber commented 2 months ago

FYI

push failed when the image name was domain.com:8443/adminusername/image-name

push worked when adminusername was replaced with an organization name

KN4CK3R commented 2 months ago

That sounds like what I said earlier, the docker user has no permission to push to adminusername. Only that user or another admin has permission to do so.
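
A triage sketch for the log pattern in this thread, as an added example that is not part of the issue or of Gitea's code: it groups router log lines by repository and separates reads from writes, so a namespace permission problem (reads answered, uploads refused with 401) stands apart from credentials being rejected outright. The sample lines are constructed, and `exampleowner/app`, `triage` and the verdict labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the router log format quoted in the issue.
# "exampleowner/app" and the digest "sha256:aaaa" are placeholders.
PREFIX = "2024/08/08 03:11:22 ...eb/routing/logger.go:102:func1() [I] router: completed "
SAMPLE_LOG = "\n".join(PREFIX + rest for rest in [
    "GET /v2/ for 172.18.0.1:0, 401 Unauthorized in 0.3ms @ container/container.go:126(container.ReqContainerAccess)",
    "GET /v2/token?scope=repository%3Aexampleowner%2Fapp%3Apush%2Cpull&service=container_registry for 172.18.0.1:0, 200 OK in 0.2ms @ container/container.go>",
    "HEAD /v2/exampleowner/app/blobs/sha256:aaaa for 172.18.0.1:0, 404 Not Found in 1.1ms @ cont>",
    "POST /v2/exampleowner/app/blobs/uploads/ for 172.18.0.1:0, 401 Unauthorized in 0.4ms @ packages/api.go:42(packages.ContainerRoutes.func2.1.reqPackageAc>",
])

LINE_RE = re.compile(r"router: completed (?P<method>[A-Z]+) (?P<path>\S+) for \S+, (?P<status>\d{3}) ")
REPO_RE = re.compile(r"^/v2/(?P<repo>.+?)/(?:blobs|manifests)/")
READ_METHODS = {"GET", "HEAD"}
DENIED = {401, 403}


def triage(log_text):
    """Return {repository: verdict} from Gitea router log lines."""
    seen = defaultdict(lambda: {"read": set(), "write": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        repo = REPO_RE.match(m["path"])
        if not repo:
            # The bare /v2/ challenge and the /v2/token request carry no
            # repository path, so they are skipped here.
            continue
        kind = "read" if m["method"] in READ_METHODS else "write"
        seen[repo["repo"]][kind].add(int(m["status"]))

    verdicts = {}
    for repo, s in seen.items():
        read_denied = bool(s["read"]) and s["read"] <= DENIED
        write_denied = bool(s["write"] & DENIED)
        if write_denied and not read_denied:
            verdicts[repo] = "write-denied"  # uploads refused while reads are not
        elif write_denied or read_denied:
            verdicts[repo] = "auth-failing"  # every read seen was rejected too
        else:
            verdicts[repo] = "ok"
    return verdicts


if __name__ == "__main__":
    for repo, verdict in triage(SAMPLE_LOG).items():
        print(f"{repo}: {verdict}")
```

A `write-denied` verdict points at the permissions of the logged-in user on the owner namespace in the image name, which is where this thread ended up.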