Skip to content

Only the user name root can push to docker, other accounts, even admin, cannot #34217

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
0xWilliamWang opened this issue Apr 16, 2025 · 1 comment
Open

Only the user name root can push to docker, other accounts, even admin, cannot #34217

0xWilliamWang opened this issue Apr 16, 2025 · 1 comment
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail type/bug

Comments

@0xWilliamWang
Copy link

Description

  1. I roughly browsed the issues of this repository and did not find the same problem

  2. No CDN/proxy

  3. Deploy on k3s

  4. Latest relase

    b760-13600kf ~ kubectl get all -o wide -n code
NAME          READY   STATUS    RESTARTS   AGE   IP            NODE           NOMINATED NODE   READINESS GATES
pod/gitea-0   1/1     Running   0          50m   10.42.0.106   b760-13600kf   <none>           <none>

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE   SELECTOR
service/gitea-http   ClusterIP   10.43.202.140   <none>        80/TCP            50m   app=gitea
service/gitea-ssh    NodePort    10.43.220.187   <none>        30003:30003/TCP   50m   app=gitea

NAME                     READY   AGE   CONTAINERS   IMAGES
statefulset.apps/gitea   1/1     50m   gitea        docker.gitea.com/gitea:latest

b760-13600kf ~ k exec -it pod/gitea-0 -n code -- gitea --version
Gitea version 1.23.7 built with GNU Make 4.4.1, go1.23.8 : bindata, timetzdata, sqlite, sqlite_unlock_notify

b760-13600kf ~ k exec -it pod/gitea-0 -n code -- git --version
git version 2.47.2

  5. Operator log: 3abdd8a5e7a8: Retrying in 1 second .... unknown: Not found.

    b76docker login gitea.wangkaixuan.com --username william


i Info → A Personal Access Token (PAT) can be used instead.
        To create a PAT, visit https://app.docker.com/settings


Password:

WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

Login Succeeded
b760-13600kf ~
b76docker push gitea.wangkaixuan.com/william/ubuntu:24.04                                                                                   The push refers to repository [gitea.wangkaixuan.com/william/ubuntu]
3abdd8a5e7a8: Retrying in 1 second
unknown: Not found.

b76docker logout gitea.wangkaixuan.com
Removing login credentials for gitea.wangkaixuan.com
b76docker login gitea.wangkaixuan.com --username root


i Info → A Personal Access Token (PAT) can be used instead.
        To create a PAT, visit https://app.docker.com/settings


Password:

WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

Login Succeeded
b760-13600kf ~
b76docker push gitea.wangkaixuan.com/root/ubuntu:24.04

The push refers to repository [gitea.wangkaixuan.com/root/ubuntu]
3abdd8a5e7a8: Pushed
24.04: digest: sha256:0b9e751164f0f576086bb03062186c5643fe6dc56223b6bfef0be2a9d4828c67 size: 529
b760-13600kf ~

  6. Server log:

    2025/04/16 02:33:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 10.42.6.29:39202, 401 Unauthorized in 0.2ms @ container/container.go:128(container.ReqContainerAccess)
2025/04/16 02:33:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?account=william&client_id=docker&offline_token=true&service=container_registry for 10.42.6.29:39202, 200 OK in 28.3ms @ container/container.go:151(container.Authenticate)
2025/04/16 02:33:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 10.42.6.29:39202, 200 OK in 2.1ms @ container/container.go:143(container.DetermineSupport)
2025/04/16 02:33:53 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 10.42.6.29:39202, 401 Unauthorized in 0.2ms @ container/container.go:128(container.ReqContainerAccess)
2025/04/16 02:33:53 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?account=william&scope=repository%3Awilliam%2Fubuntu%3Apush%2Cpull&service=container_registry for 10.42.6.29:39202, 200 OK in 20.2ms @ container/container.go:151(container.Authenticate)
2025/04/16 02:33:53 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/william/ubuntu/blobs/sha256:ac0c285abb482df6684de5a61b4577fc5cc5fafe8cd1280ebf52d8909d121599 for 10.42.6.29:39202, 404 Not Found in 3.0ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:33:53 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/william/ubuntu/blobs/sha256:2726e237d1a374379e783053d93d0345c8a3bf3c57b5d35b099de1ad777486ee for 10.42.6.29:39202, 404 Not Found in 2.2ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:33:53 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/william/ubuntu/blobs/uploads/ for 10.42.6.29:39202, 404 Not Found in 2.4ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:33:58 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/william/ubuntu/blobs/uploads/ for 10.42.6.29:39202, 404 Not Found in 5.0ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:34:08 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/william/ubuntu/blobs/uploads/ for 10.42.6.29:39202, 404 Not Found in 4.5ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:34:23 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/william/ubuntu/blobs/uploads/ for 10.42.6.29:39202, 404 Not Found in 5.1ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:34:40 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/logout for 10.42.6.29:39202, 200 OK in 16.3ms @ auth/auth.go:400(auth.SignOut)
2025/04/16 02:34:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for 10.42.6.29:60362, 200 OK in 55215.2ms @ events/events.go:18(events.Events)
2025/04/16 02:34:40 ...eb/routing/logger.go:102:func1() [I] router: completed POST /-/fetch-redirect for 10.42.6.29:60362, 303 See Other in 1.6ms @ common/redirect.go:13(common.FetchRedirectDelegate)
2025/04/16 02:34:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for 10.42.6.29:60362, 200 OK in 1.6ms @ web/home.go:32(web.Home)
2025/04/16 02:34:43 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/sign_up for 10.42.6.29:60362, 200 OK in 4.4ms @ auth/auth.go:412(auth.SignUp)
2025/04/16 02:34:43 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/william/ubuntu/blobs/uploads/ for 10.42.6.29:60362, 404 Not Found in 4.6ms @ context/user.go:16(packages.ContainerRoutes.UserAssignmentWeb)
2025/04/16 02:34:49 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/sign_up for 10.42.6.29:60362, 303 See Other in 105.1ms @ auth/auth.go:440(auth.SignUpPost)
2025/04/16 02:34:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for 10.42.6.29:60362, 200 OK in 100.8ms @ web/home.go:32(web.Home)
2025/04/16 02:34:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET /avatars/e52a883c131a43b65e1a9a5b7abeaf72?size=48 for 10.42.6.29:60362, 200 OK in 2.1ms @ web/base.go:22(avatars)
2025/04/16 02:34:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET /repo/search?count_only=1&uid=2&team_id=undefined&q=&page=1&mode= for 10.42.6.29:60362, 200 OK in 32.6ms @ repo/repo.go:573(repo.SearchRepo)
2025/04/16 02:34:49 ...eb/routing/logger.go:102:func1() [I] router: completed GET /repo/search?sort=updated&order=desc&uid=2&team_id=undefined&q=&page=1&limit=15&mode=&archived=false for 10.42.6.29:60362, 200 OK in 24.8ms @ repo/repo.go:573(repo.SearchRepo)
2025/04/16 02:34:52 ...eb/routing/logger.go:68:func1() [I] router: polling   GET /user/events for 10.42.6.29:60362, elapsed 3096.0ms @ events/events.go:18(events.Events)
2025/04/16 02:34:53 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for 10.42.6.29:60362, 200 OK in 3606.7ms @ events/events.go:18(events.Events)
2025/04/16 02:34:53 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/settings for 10.42.6.29:39202, 200 OK in 31.7ms @ setting/profile.go:45(setting.Profile)
2025/04/16 02:34:54 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for 10.42.6.29:39202, 200 OK in 1274.5ms @ events/events.go:18(events.Events)
2025/04/16 02:34:54 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/settings/applications for 10.42.6.29:36914, 200 OK in 58.7ms @ setting/applications.go:25(setting.Applications)
2025/04/16 02:34:58 ...eb/routing/logger.go:68:func1() [I] router: polling   GET /user/events for 10.42.6.29:36914, elapsed 3712.6ms @ events/events.go:18(events.Events)
2025/04/16 02:35:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for 10.42.6.29:36914, 200 OK in 8138.2ms @ events/events.go:18(events.Events)
2025/04/16 02:35:03 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/settings/applications for 10.42.6.29:56386, 303 See Other in 51.1ms @ setting/applications.go:36(setting.ApplicationsPost)
2025/04/16 02:35:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/settings/applications for 10.42.6.29:56386, 200 OK in 29.3ms @ setting/applications.go:25(setting.Applications)
2025/04/16 02:35:06 ...eb/routing/logger.go:68:func1() [I] router: polling   GET /user/events for 10.42.6.29:56386, elapsed 3082.3ms @ events/events.go:18(events.Events)
2025/04/16 02:35:24 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 10.42.6.29:35496, 401 Unauthorized in 0.1ms @ container/container.go:128(container.ReqContainerAccess)
2025/04/16 02:35:24 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?account=root&client_id=docker&offline_token=true&service=container_registry for 10.42.6.29:35496, 200 OK in 11.5ms @ container/container.go:151(container.Authenticate)
2025/04/16 02:35:24 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 10.42.6.29:35496, 200 OK in 1.1ms @ container/container.go:143(container.DetermineSupport)
2025/04/16 02:35:31 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/ for 10.42.6.29:35496, 401 Unauthorized in 0.2ms @ container/container.go:128(container.ReqContainerAccess)
2025/04/16 02:35:31 ...eb/routing/logger.go:102:func1() [I] router: completed GET /v2/token?account=root&scope=repository%3Aroot%2Fubuntu%3Apush%2Cpull&service=container_registry for 10.42.6.29:35496, 200 OK in 27.0ms @ container/container.go:151(container.Authenticate)
2025/04/16 02:35:31 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/root/ubuntu/blobs/sha256:ac0c285abb482df6684de5a61b4577fc5cc5fafe8cd1280ebf52d8909d121599 for 10.42.6.29:35496, 404 Not Found in 4.6ms @ container/container.go:501(container.HeadBlob)
2025/04/16 02:35:31 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/root/ubuntu/blobs/sha256:2726e237d1a374379e783053d93d0345c8a3bf3c57b5d35b099de1ad777486ee for 10.42.6.29:35496, 404 Not Found in 4.0ms @ container/container.go:501(container.HeadBlob)
2025/04/16 02:35:31 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/root/ubuntu/blobs/uploads/ for 10.42.6.29:35496, 202 Accepted in 8.0ms @ container/container.go:233(container.InitiateUploadBlob)
2025/04/16 02:35:35 ...eb/routing/logger.go:68:func1() [W] router: slow      PATCH /v2/root/ubuntu/blobs/uploads/q6f9kddq286kt4rywmvg8kwi7 for 10.42.6.29:35496, elapsed 3933.0ms @ container/container.go:343(container.UploadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed PATCH /v2/root/ubuntu/blobs/uploads/q6f9kddq286kt4rywmvg8kwi7 for 10.42.6.29:35496, 202 Accepted in 5175.1ms @ container/container.go:343(container.UploadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed PUT /v2/root/ubuntu/blobs/uploads/q6f9kddq286kt4rywmvg8kwi7?digest=sha256%3Aac0c285abb482df6684de5a61b4577fc5cc5fafe8cd1280ebf52d8909d121599 for 10.42.6.29:35496, 201 Created in 666.0ms @ container/container.go:388(container.EndUploadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/root/ubuntu/blobs/sha256:ac0c285abb482df6684de5a61b4577fc5cc5fafe8cd1280ebf52d8909d121599 for 10.42.6.29:35496, 200 OK in 7.0ms @ container/container.go:501(container.HeadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/root/ubuntu/blobs/sha256:602eb6fb314b5fafad376a32ab55194e535e533dec6552f82b70d7ac0e554b1c for 10.42.6.29:35496, 404 Not Found in 3.6ms @ container/container.go:501(container.HeadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed POST /v2/root/ubuntu/blobs/uploads/ for 10.42.6.29:35496, 202 Accepted in 11.1ms @ container/container.go:233(container.InitiateUploadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed PATCH /v2/root/ubuntu/blobs/uploads/5g0js4diryecyav5qv9huwhn4 for 10.42.6.29:35496, 202 Accepted in 15.4ms @ container/container.go:343(container.UploadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed PUT /v2/root/ubuntu/blobs/uploads/5g0js4diryecyav5qv9huwhn4?digest=sha256%3A602eb6fb314b5fafad376a32ab55194e535e533dec6552f82b70d7ac0e554b1c for 10.42.6.29:35496, 201 Created in 65.3ms @ container/container.go:388(container.EndUploadBlob)
2025/04/16 02:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed HEAD /v2/root/ubuntu/blobs/sha256:602eb6fb314b5fafad376a32ab55194e535e533dec6552f82b70d7ac0e554b1c for 10.42.6.29:35496, 200 OK in 6.0ms @ container/container.go:501(container.HeadBlob)
2025/04/16 02:35:38 ...eb/routing/logger.go:102:func1() [I] router: completed PUT /v2/root/ubuntu/manifests/24.04 for 10.42.6.29:35496, 201 Created in 101.4ms @ container/container.go:554(container.UploadManifest)

  7. If more configuration information is needed please let me know

  8. Any tips are much appreciated, thanks

Gitea Version

Gitea version 1.23.7 built with GNU Make 4.4.1, go1.23.8 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

2.47.2

Operating System

No response

How are you running Gitea?

k3s

Database

PostgreSQL
@KN4CK3R
Copy link
Member

KN4CK3R commented Apr 16, 2025

If you want to push to the user root, you must use the user root or an admin account. If you want to push to an org, you must be member in that org with package write permissions.

@lunny lunny added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Apr 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lunny @KN4CK3R @0xWilliamWang