ACR Datasource unauthorized while fetching tags list. #14708
Comments
Is |
Seems to be ACR specific. |
@rarkins This PR is only a workaround which can break any time soon. A better solution is to make a HEAD request to the real resource (like tags list) and use the auth header values to get a token, looks like this is the way other docker api clients work. WDYT? |
Sounds good |
I started to implement something, but the number of tests to fix could be big |
|
In my case the token is valid for 10 min. I do not know if it is set by our admin or the default settings. There is another option if we don't first call the resource with HEAD.
|
@vlagorce What does |
@rarkins It seems the docker daemon does a |
Current issue is the need of getting the expected scope action to use the endpoint tag/list. docker daemon/cli only pull or push images/tags

curl -iL --get https://123456.azurecr.io/v2/

HTTP/1.1 401 Unauthorized
Server: openresty
Date: Fri, 08 Apr 2022 12:12:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 149
Connection: keep-alive
Access-Control-Expose-Headers: Docker-Content-Digest
Access-Control-Expose-Headers: WWW-Authenticate
Access-Control-Expose-Headers: Link
Access-Control-Expose-Headers: X-Ms-Correlation-Request-Id
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Www-Authenticate: Bearer realm="https://123456.azurecr.io/oauth2/token",service="123456.azurecr.io"
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 12307f6a-249c-4c8d-bbc4-13409af3d711
Strict-Transport-Security: max-age=31536000; includeSubDomains

Scope is missing. |
ok, so the daemon doesn't need |
It is a guess. I do not have complete knowledge about what it could achieve. Looking at the doc and the code, I don't see any other scope action than pull, push, mount, delete. It seems they are always requesting them both. Some docs: https://github.com/distribution/distribution/blob/main/docs/spec/auth/token.md (that is the lib used by docker) |
To summarize.
Other container registries (CR) might not support HEAD. Other CRs expect a
Solution.
|
|
|
@viceice are you OK with this proposal? |
I'm OK with 2. That can also return a 200, so we should suppress further credential handling in that case, so that the following normal get call will use the already cached get result. |
🎉 This issue has been resolved in version 32.64.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
How are you running Renovate?
Self-hosted
If you're self-hosting Renovate, tell us what version of Renovate you run.
32.6.0
Please select which platform you are using if self-hosting.
GitLab self-hosted
If you're self-hosting Renovate, tell us what version of the platform you run.
14.8.2
Was this something which used to work for you, and then stopped?
I never saw this working
Describe the bug
Using ACR. Fetching new docker image tags is failing.
I tried to reproduce the call and authentication performed by renovate.
I'm facing the same authentication issue.
Renovate is requesting a token with the following scope.
repository:upstream/rust:pull
Scope should be either
repository:upstream/rust:pull,metadata_read
or
repository:upstream/rust:*
Relevant debug logs
Logs
Have you created a minimal reproduction repository?
No reproduction repository
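
Added example (not from the thread or from Renovate's code base): parsing the `Www-Authenticate` challenge returned by a probe request and building the token URL from its `realm`, `service` and `scope`, guessing a scope only when the challenge carries none, and skipping token handling when the probe returns 200. The type and function names and the scope-bearing sample header are assumptions; the first header is the one from the curl output in the comments.

```typescript
// Added example, not Renovate's code; all names here are hypothetical.
interface BearerChallenge { realm: string; service?: string; scope?: string }

type AuthPlan =
  | { kind: "anonymous" } // probe returned 200, no token needed
  | { kind: "token"; url: string; scopeSource: "challenge" | "fallback" }
  | { kind: "unsupported" };

// Header value from the `curl -iL --get https://123456.azurecr.io/v2/` output on this page.
const V2_CHALLENGE =
  'Bearer realm="https://123456.azurecr.io/oauth2/token",service="123456.azurecr.io"';
// Constructed sample: a challenge that does carry a scope, as a probe of the real resource might.
const RESOURCE_CHALLENGE = V2_CHALLENGE + ',scope="repository:upstream/rust:pull,metadata_read"';

// Parse `Bearer key="value",...`. Quoted values may contain commas, so the
// header cannot simply be split on ",".
function parseBearerChallenge(header: string): BearerChallenge | null {
  const m = /^\s*Bearer\s+(.*)$/i.exec(header);
  if (!m) return null;
  const params: Record<string, string> = {};
  const re = /([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/g;
  let kv: RegExpExecArray | null;
  while ((kv = re.exec(m[1])) !== null) {
    params[kv[1].toLowerCase()] = kv[2] !== undefined ? kv[2] : kv[3];
  }
  return params.realm
    ? { realm: params.realm, service: params.service, scope: params.scope }
    : null;
}

// Decide what to do after probing a registry URL with the given status and header.
function planAuth(status: number, wwwAuth: string | undefined, fallbackScope: string): AuthPlan {
  if (status === 200) return { kind: "anonymous" };
  const c = status === 401 && wwwAuth ? parseBearerChallenge(wwwAuth) : null;
  if (!c) return { kind: "unsupported" };
  // Prefer the scope the registry asked for; guess only when it gave none.
  const scope = c.scope || fallbackScope;
  const parts = c.service ? [`service=${encodeURIComponent(c.service)}`] : [];
  parts.push(`scope=${encodeURIComponent(scope)}`);
  return {
    kind: "token",
    url: `${c.realm}?${parts.join("&")}`,
    scopeSource: c.scope ? "challenge" : "fallback",
  };
}
```

With the `/v2/` challenge the scope has to be guessed, which is where the `repository:upstream/rust:pull` request in this report comes from; with a scope-bearing challenge the guess is never used.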