Container registry (docker) ask credential for pull #19583

PavelMXFox opened this issue May 2, 2022 · 12 comments · Fixed by #19735 or #19742
Labels
skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. type/bug
@PavelMXFox

Description

Hello! I have a public organization with a public repo. In this org I have a docker (container) package. If I do docker login, I can pull it; if I don't, I get Error response from daemon: Head "XXXXXXXX": no basic auth credentials. But I can see this package's page in Gitea without any auth.

Gitea Version

1.17.0+dev-511-g71bafa026

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Using docker image: gitea/gitea:dev

Database

MySQL

@UnlimitedCookies

UnlimitedCookies commented May 16, 2022

I am experiencing the same issue. It might be worth pinging @KN4CK3R as he's the author.
The following endpoint requires being signed in, while the package should be public:
Head "https://gitea.example.com/v2/{owner}/{package}/manifests/{tag}": no basic auth credentials

Currently, I would expect all packages to be public (as they're visible in the GUI), but the addition of private packages in the future would be useful nevertheless.

@KN4CK3R
Member

KN4CK3R commented May 17, 2022

That's normal behaviour even for public packages. The spec says:

> If a 401 Unauthorized response is returned, the client should take action based on the contents of the “WWW-Authenticate” header and try the endpoint again.

It works like this if you use the official docker registry too:

HEAD https://registry.docker.com/v2/gitea/gitea/manifests/latest

content-type: application/json
docker-distribution-api-version: registry/2.0
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:gitea/gitea:pull"
date: Tue, 17 May 2022 05:20:03 GMT
content-length: 154
strict-transport-security: max-age=31536000

GET https://auth.docker.io/token?service=registry.docker.io&scope=repository:gitea/gitea:pull

content-type: application/json; charset=utf-8
date: Tue, 17 May 2022 05:24:26 GMT
transfer-encoding: chunked
strict-transport-security: max-age=31536000
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXV...",
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6W...",
  "expires_in": 300,
  "issued_at": "2022-05-17T05:24:26.283390798Z"
}

HEAD https://registry.docker.com/v2/gitea/gitea/manifests/latest
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXV...

content-length: 12647
content-type: application/vnd.docker.distribution.manifest.v1+prettyjws
docker-content-digest: sha256:64393d1820234a2117156b0703a32f5ba685c283797350046e071673304e9c18
docker-distribution-api-version: registry/2.0
etag: "sha256:64393d1820234a2117156b0703a32f5ba685c283797350046e071673304e9c18"
date: Tue, 17 May 2022 05:28:01 GMT
strict-transport-security: max-age=31536000
ratelimit-limit: 100;w=21600
ratelimit-remaining: 100;w=21600

If you really log in, you need to pass BasicAuth to the GET .../token request.

@KN4CK3R KN4CK3R added issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea and removed type/bug labels May 17, 2022
@PavelMXFox
Author

It's not quite like that. When I do docker pull gitea/gitea without docker login, I can pull this public image from the official Docker Hub without any additional actions. If I need to pull a protected image, I need to exec docker login.

When I pull a public image from my own Gitea, it says no basic auth credentials and I need to log in.
When I pull an image without auth from another registry of my own (deployed from Docker's official registry image), no additional auth is needed.

@KN4CK3R
Member

KN4CK3R commented May 17, 2022

Thank you for the clarification. Looks like the official Docker client does not like multiple WWW-Authenticate headers.
Fix is in #19735.
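
The challenge-and-token flow quoted earlier in the thread, together with the multiple-header case mentioned in this comment, as an added Go example (not Gitea's or Docker's code). The function names `BearerChallenge` and `TokenURL` are hypothetical, and the response in `main` is constructed; a client written this way finds the Bearer challenge even when another `WWW-Authenticate` line precedes it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

var paramRe = regexp.MustCompile(`([A-Za-z_]+)="([^"]*)"`) // key="value" pairs

// BearerChallenge checks every WWW-Authenticate line (one challenge per line assumed).
func BearerChallenge(h http.Header) (map[string]string, bool) {
	for _, v := range h.Values("WWW-Authenticate") {
		scheme, rest, _ := strings.Cut(strings.TrimSpace(v), " ")
		if !strings.EqualFold(scheme, "Bearer") {
			continue // e.g. a Basic challenge sent alongside the Bearer one
		}
		params := map[string]string{}
		for _, m := range paramRe.FindAllStringSubmatch(rest, -1) {
			params[strings.ToLower(m[1])] = m[2]
		}
		return params, true
	}
	return nil, false
}

// TokenURL builds the anonymous token request from the challenge parameters.
func TokenURL(p map[string]string) (string, error) {
	u, err := url.Parse(p["realm"])
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("unusable realm %q", p["realm"])
	}
	q := url.Values{}
	for _, k := range []string{"service", "scope"} {
		if p[k] != "" {
			q.Set(k, p[k])
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed response: a Basic line followed by the Bearer line.
	h := http.Header{"Www-Authenticate": {"Basic", `Bearer realm="https://gitea.example.com/v2/token",scope="repository:mxfox/fox-web-basic:pull"`}}
	p, _ := BearerChallenge(h)
	fmt.Println(TokenURL(p))
}
```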

@lunny lunny added type/bug skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. and removed issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea labels May 17, 2022
@lunny lunny added this to the 1.17.0 milestone May 17, 2022
@PavelMXFox
Author

Hi! I have now updated my Gitea to 1.17.0+dev-587-g9ea920640, and when I try docker pull from public repos, I receive Error response from daemon: unauthorized: authentication required.
I can see this public image's page in the Gitea UI without any auth and can pull it after docker login.

@wxiaoguang wxiaoguang reopened this May 17, 2022
@UnlimitedCookies

> If a 401 Unauthorized response is returned, the client should take action based on the contents of the “WWW-Authenticate” header and try the endpoint again.

Why is the server returning a 401 for a public container image though? A 401 should only be returned when trying to access a private container image, though in that case a 404 might be better to avoid leaking private repos through enumeration.

@KN4CK3R
Member

KN4CK3R commented May 17, 2022

I can't reproduce the problem:

$> docker push host.docker.internal:3000/kn4ck3r/test:alpine
The push refers to repository [host.docker.internal:3000/kn4ck3r/test]
1ad27bdd166b: Preparing
unauthorized: authentication required
$> docker login host.docker.internal:3000
Username: KN4CK3R
Password:
Login Succeeded
$> docker push host.docker.internal:3000/kn4ck3r/test:alpine
The push refers to repository [host.docker.internal:3000/kn4ck3r/test]
1ad27bdd166b: Pushed
alpine: digest: sha256:cb64bbe7fa613666c234e1090e91427314ee18ec6420e9426cf4e7f314056813 size: 528
$> docker logout host.docker.internal:3000
Removing login credentials for host.docker.internal:3000
$> docker push host.docker.internal:3000/kn4ck3r/test:alpine
The push refers to repository [host.docker.internal:3000/kn4ck3r/test]
1ad27bdd166b: Layer already exists
unauthorized: authentication required
$> docker image rm host.docker.internal:3000/kn4ck3r/test:alpine
Untagged: host.docker.internal:3000/kn4ck3r/test:alpine
Untagged: host.docker.internal:3000/kn4ck3r/test@sha256:cb64bbe7fa613666c234e1090e91427314ee18ec6420e9426cf4e7f314056813
$> docker pull host.docker.internal:3000/kn4ck3r/test:alpine
alpine: Pulling from kn4ck3r/test
Digest: sha256:cb64bbe7fa613666c234e1090e91427314ee18ec6420e9426cf4e7f314056813
Status: Downloaded newer image for host.docker.internal:3000/kn4ck3r/test:alpine
host.docker.internal:3000/kn4ck3r/test:alpine
$> docker push host.docker.internal:3000/kn4ck3r/test:alpine
The push refers to repository [host.docker.internal:3000/kn4ck3r/test]
1ad27bdd166b: Layer already exists
unauthorized: authentication required

> Why is the server returning a 401 for a public container image though?

You access the packages within a session. The docker client automatically creates this session. May be used for billing, rate limiting and so on.

@PavelMXFox
Author

You can try it on this image https://mxfox.ru/MXFOX/-/packages/container/fox-web-basic/php-7.4

root@pavel-Vostro-5468:~# docker pull mxfox.ru/mxfox/fox-web-basic:php-7.4
php-7.4: Pulling from mxfox/fox-web-basic
Digest: sha256:84142ff36d1b8c0b427d2457213a7beb26f5013aad29ff314390121369e75f76
Status: Image is up to date for mxfox.ru/mxfox/fox-web-basic:php-7.4
mxfox.ru/mxfox/fox-web-basic:php-7.4
root@pavel-Vostro-5468:~# docker logout mxfox.ru
Removing login credentials for mxfox.ru
root@pavel-Vostro-5468:~# docker pull mxfox.ru/mxfox/fox-web-basic:php-7.4
Error response from daemon: unauthorized: authentication required
root@pavel-Vostro-5468:~# 

@KN4CK3R
Member

KN4CK3R commented May 17, 2022

Can you show the logged requests?

@PavelMXFox
Author

# docker pull mxfox.ru/mxfox/fox-web-basic:php-7.4
Error response from daemon: unauthorized: authentication required

2022/05/17 23:28:26 [6284056a] router: completed GET /v2/ for 37.145.210.127:0, 401 Unauthorized in 0.3ms @ container/container.go:113(container.ReqContainerAccess)
2022/05/17 23:28:26 [6284056a-2] router: completed GET /v2/token?scope=repository%3Amxfox%2Ffox-web-basic%3Apull for 37.145.210.127:0, 200 OK in 0.4ms @ container/container.go:137(container.Authenticate)
2022/05/17 23:28:27 [6284056b] router: completed HEAD /v2/mxfox/fox-web-basic/manifests/php-7.4 for 37.145.210.127:0, 401 Unauthorized in 11.2ms @ packages/api.go:31(packages.reqPackageAccess)
2022/05/17 23:28:27 [6284056b-2] router: completed GET /v2/mxfox/fox-web-basic/manifests/php-7.4 for 37.145.210.127:0, 401 Unauthorized in 10.1ms @ packages/api.go:31(packages.reqPackageAccess)

@KN4CK3R
Member

KN4CK3R commented May 18, 2022

The problem occurs with packages in organizations. Please test with #19742.

@PavelMXFox
Author

Checked on [1.17.0+dev-594-gce5251476] - it seems to be OK.
