Project access tokens rejected for container registry after upgrading to GitLab 13.7
Summary
All project access tokens have stopped working (401 denied) for pulling containers after updating to GitLab 13.7.1 from 13.6.3. Podman under Fedora CoreOS is used as client.
Steps to reproduce
For GitLab Core:
- Open any project with the container registry feature enabled.
- Open settings/access_tokens
- Check read_registry
- Attempt to log in with Podman using the selected name and generated password:
[root@foo ~]# podman login --authfile=/root/.docker/config.json gitdocker.example.com
Username: foo.bar.example.com
Password:
Error: error logging into "gitdocker.example.com": invalid username/password
Note: Using the bot account's name instead of the token name yields the same behaviour. Both worked with GitLab 13.6. Installations where the login has worked previously show the same issue.
Example Project
Unfortunately I cannot create a project to reproduce it on GitLab.com, because the feature requires a subscription.
What is the current bug behavior?
The PAT is rejected and registry read access is denied.
What is the expected correct behavior?
The PAT should be accepted for container registry access like in GitLab 13.6.
Relevant logs and/or screenshots
Podman debug log:
DEBU[0036] Looking for TLS certificates and private keys in /etc/docker/certs.d/gitdocker.example.com
DEBU[0036] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0036] GET https://gitdocker.example.com/v2/
DEBU[0036] Ping https://gitdocker.example.com/v2/ status 401
DEBU[0036] GET https://git.example.com/jwt/auth?account=foo.bar.example.com&service=container_registry
DEBU[0036] error logging into "gitdocker.example.com": unable to retrieve auth token: invalid username/password: unauthorized: HTTP Basic: Access denied
Error: error logging into "gitdocker.example.com": invalid username/password
In GitLab's logs I unfortunately only find an nginx entry where the /jwt/auth endpoint is shown with a 401 return value. No details seem to be logged as to why access was denied. I tried grepping by the token/bot name and timestamps.
Output of checks
N/A, gitlab:check output is included below.
Results of GitLab environment info
GitLab runs under Podman on Fedora CoreOS (latest).
[root@gitlab config]# podman exec -it gitlab gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version:2.1.4
Rake Version: 13.0.1
Redis Version: 5.0.9
Git Version: 2.29.0
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version: 13.7.1
Revision: c97c8073a0e
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.9
URL: https://git.example.com
HTTP Clone URL: https://git.example.com/some-group/some-project.git
SSH Clone URL: git@git.example.com:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 13.14.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
[root@gitlab config]# podman exec -it gitlab gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.14.0 ? ... OK (13.14.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 10 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 4.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.2)
Git version >= 2.29.0 ? ... yes (2.29.0)
Git user has default SSH configuration? ... yes
Active users: ... 16
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
N/A. I have looked over the changelog and there is a change (!47247 (merged)) related to PATs, but nothing stands out that would cause the issue I describe here.
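The two requests in the Podman debug log above can be replayed by hand to confirm which side refuses the credentials. The script below is an added example, not part of the original report and not GitLab or Podman code; the function names and the sample challenge header are constructed for illustration, with the realm and service taken from the logged token URL.

```shell
#!/bin/sh
# Added example: replay the registry ping and the token request from the debug log.

# Constructed sample challenge, matching the realm and service visible in the log.
SAMPLE_CHALLENGE='Bearer realm="https://git.example.com/jwt/auth",service="container_registry"'

# Pull one key="value" parameter out of a WWW-Authenticate Bearer challenge.
challenge_param() {  # $1 = header value, $2 = parameter name
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the token URL the client derives from the challenge (log: GET .../jwt/auth?...).
token_url() {  # $1 = header value, $2 = account (token name or bot user name)
    realm=$(challenge_param "$1" realm)
    service=$(challenge_param "$1" service)
    [ -n "$realm" ] && [ -n "$service" ] || return 1
    printf '%s?account=%s&service=%s\n' "$realm" "$2" "$service"
}

# Say which side refused, given the HTTP status of each step.
classify() {  # $1 = status of GET /v2/, $2 = status of the token request
    case "$1:$2" in
        401:200) echo "token-issued" ;;
        401:401) echo "rejected-by-token-endpoint" ;;
        401:?*)  echo "token-endpoint-error" ;;
        *)       echo "no-bearer-challenge" ;;
    esac
}

# Live check (needs network and curl); host and account are supplied by the caller.
probe() {  # $1 = registry host, $2 = account
    headers=$(curl -sS -o /dev/null -D - "https://$1/v2/" | tr -d '\r')
    ping=$(printf '%s\n' "$headers" | sed -n '1s/^[^ ]* \([0-9]*\).*/\1/p')
    challenge=$(printf '%s\n' "$headers" | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *//p')
    url=$(token_url "$challenge" "$2") || { echo "no-bearer-challenge"; return 1; }
    # -u without a password makes curl prompt, so the token stays out of shell history.
    status=$(curl -sS -o /dev/null -w '%{http_code}' -u "$2" "$url")
    classify "$ping" "$status"
}

if [ "$#" -eq 2 ]; then probe "$1" "$2"; fi
```

Run with the registry host and the account name as arguments; a result of `rejected-by-token-endpoint` corresponds to the 401 from `/jwt/auth` in the log, meaning the refusal comes from the GitLab token endpoint rather than from the registry itself.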