ACR Datasource unauthorized while fetching tags list. #14708
Comments
vlagorce
added
priority-5-triage
status:requirements
|
Is |
viceice
added
datasource:docker
priority-3-medium
|
Seems to be ACR specific. |
|
@rarkins This PR is only a workaround which can break any time soon. A better solution is to make a HEAD request to the real resource (like tags list) and use the auth header values to get a token, looks like this is the way other docker api clients work. WDYT? |
|
Sounds good |
I start to implement something but the amount of test to fix could be big |
|
|
In my case the token is valid 10min. I do not know if it is set by our admin or the default settings. There is an other option if we don't call first the resource with HEAD. |
This comment was marked as outdated.
This comment was marked as outdated.
|
@vlagorce What does |
|
@rarkins It seems the docker daemon does a |
|
Current issue is the need of getting the expected scope action to use the endpoint tag/list. docker daemon/cli only pull or push images/tags curl -iL --get https://123456.azurecr.io/v2/
HTTP/1.1 401 Unauthorized
Server: openresty
Date: Fri, 08 Apr 2022 12:12:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 149
Connection: keep-alive
Access-Control-Expose-Headers: Docker-Content-Digest
Access-Control-Expose-Headers: WWW-Authenticate
Access-Control-Expose-Headers: Link
Access-Control-Expose-Headers: X-Ms-Correlation-Request-Id
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Www-Authenticate: Bearer realm="https://123456.azurecr.io/oauth2/token",service="123456.azurecr.io"
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 12307f6a-249c-4c8d-bbc4-13409af3d711
Strict-Transport-Security: max-age=31536000; includeSubDomainsScope is missing. |
|
ok, so the daemon doesn't need |
It is a guess. I do not have a complete knowledge about what it could achieve. Looking at the doc and the code I don't see any other scope action than pull, push, mount, delete. It seems they are always requesting them both. some doc https://github.com/distribution/distribution/blob/main/docs/spec/auth/token.md (that the lib use by docker ) |
|
To summarize. Other container registry (CR) might not support HEAD. Other CR expect a Solution.
|
|
|
|
@viceice are you OK with this proposal? |
|
I'm ok with 2. that can also return a 200, so we should suppress further credential handling in that case , so that the following normal get call will use the already cached get result. |
|
🎉 This issue has been resolved in version 32.64.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
How are you running Renovate?
Self-hosted
If you're self-hosting Renovate, tell us what version of Renovate you run.
32.6.0
Please select which platform you are using if self-hosting.
GitLab self-hosted
If you're self-hosting Renovate, tell us what version of the platform you run.
14.8.2
Was this something which used to work for you, and then stopped?
I never saw this working
Describe the bug
Using ACR. Fetching new docker image tags is failing.
I tried to reproduced the call and authentication performed by renovate.
I'm facing the same authentication issue.
Renovate is requesting a token with the following scope.
repository:upstream/rust:pull.Scope should be either
repository:upstream/rust:pull,metadata_readorrepository:upstream/rust:*Relevant debug logs
Logs
Have you created a minimal reproduction repository?
No reproduction repository
The text was updated successfully, but these errors were encountered: