Running docker commands against Gitea registry results in a call against ROOT_URL #22033

Closed
scubbo opened this issue Dec 5, 2022 · 3 comments

Comments


scubbo commented Dec 5, 2022

Description

See this repo - when running docker commands (docker login, docker pull, etc.) against a registry, a call is made against the server's ROOT_URL. If there is no server available at the ROOT_URL, this will result in an error. This can result in issues when the ROOT_URL refers to the public domain name of the Gitea service, but an image provided by the registry that is a prerequisite for setting up the public domain name is referenced by an internal domain name.

Gitea Version

Gitea version 1.18.0+rc1 built with GNU Make 4.3, go1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Kubernetes in the original situation; docker-compose in the minimal reproduction.

Database

None

@scubbo scubbo added the type/bug label Dec 5, 2022
Member

KN4CK3R commented Dec 5, 2022

You set ROOT_URL to something non-existing. Why should that work?

In your Stack Overflow question you describe an "internal call" to the wrong domain. Gitea does not perform a request. The usual docker login flow is to query /v2. This will respond with Unauthorized and a URL to obtain the ticket from.

```go
func ReqContainerAccess(ctx *context.Context) {
	if ctx.Doer == nil {
		ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
		apiErrorDefined(ctx, errUnauthorized)
	}
}
```

Here you see the URL is built using setting.AppURL, which is influenced by your ROOT_URL setting. Your curl request succeeds because the basic auth handles the login, but that's not used by docker.
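A diagnostic for the behaviour described in the comment above, as an added example that is not part of the original thread or of Gitea's code: it parses the `WWW-Authenticate` challenge a registry returns from `/v2` and reports whether the token realm sits on a different host than the one the client connected to. The function names and the hosts `gitea.internal:3000` and `gitea.example.com` are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// paramRE matches key="value" pairs in a WWW-Authenticate challenge.
var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseBearerChallenge returns the parameters (realm, service, scope) of a Bearer challenge.
func ParseBearerChallenge(h string) (map[string]string, error) {
	h = strings.TrimSpace(h)
	if !strings.HasPrefix(h, "Bearer ") {
		return nil, fmt.Errorf("not a Bearer challenge: %q", h)
	}
	params := map[string]string{}
	for _, m := range paramRE.FindAllStringSubmatch(h, -1) {
		params[m[1]] = m[2]
	}
	if params["realm"] == "" {
		return nil, fmt.Errorf("challenge has no realm")
	}
	return params, nil
}

// RealmHostDiffers reports whether the token endpoint host (port included) differs from the registry host.
func RealmHostDiffers(registry, challenge string) (bool, string, error) {
	p, err := ParseBearerChallenge(challenge)
	if err != nil {
		return false, "", err
	}
	realm, err := url.Parse(p["realm"])
	if err != nil {
		return false, "", err
	}
	reg, err := url.Parse(registry)
	if err != nil {
		return false, "", err
	}
	return !strings.EqualFold(realm.Host, reg.Host), realm.Host, nil
}

func main() {
	// Constructed sample: registry reached by an internal name while ROOT_URL is the public one.
	fmt.Println(RealmHostDiffers("http://gitea.internal:3000",
		`Bearer realm="https://gitea.example.com/v2/token",service="container_registry",scope="*"`))
}
```

A `true` result means the docker client will be sent to fetch its token from the reported host, so that host must be resolvable and reachable from wherever the client runs.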

Author

scubbo commented Dec 5, 2022

> You set ROOT_URL to something non-existing. Why should that work?

Naïvely, for operations that do not require Gitea knowing its own URL (like generating a git clone link), there's no reason to think that it wouldn't. Sure, a non-existent ROOT_URL is clearly not correct - but it's surprising that it results in breakages of APIs that appear to have nothing to do with the ROOT_URL itself.

That said, your explanation of the authentication mechanism makes it clear why this behaviour happens, and why addressing it would not be desirable. Thanks for the explanation!

@scubbo scubbo closed this as completed Dec 5, 2022
Author

scubbo commented Jan 4, 2023

Basically I was looking for Multi-domain support - I want to be able to access my Gitea instance via an internal Domain Name (which resolves directly via my Router's DNS override) or via an external Domain Name (resolved by DNS servers out on the broader Internet), and moreover want to be able to access the former even if the latter is inaccessible.
