Enabling 2FA gives container repository authentication error on CI for other users
Summary
In our environment we have a self-hosted GitLab CE running on version 11.2.3 and a container registry on the same host. We also have a Docker-based GitLab Runner on a separate machine for our CI jobs. The runner is on 11.2 and Docker is on 18.06.1-ce.
I'm an admin and I made some projects in an internal group to be able to create and share Docker base images for CI builds amongst us, for example a base image for NodeJS, Maven, etc. Everything worked fine for months without any permission-related issue until I turned on 2FA for my account. Right after I made this change, my colleagues weren't able to use my images in their CI builds. They faced this issue:
Pulling docker image gitlab.xxx.hu:4567/devops/mssql-service-container:latest ...
ERROR: Preparation failed: Error response from daemon: Get https://gitlab.xxx.hu:4567/v2/devops/mssql-service-container/manifests/latest: unauthorized: HTTP Basic: Access denied
You must use a personal access token with 'api' scope for Git over HTTP.
You can generate one at https://gitlab.xxx.hu/profile/personal_access_tokens (executor_docker.go:168:0s)
Will be retried in 3s ...
I thought that this happened because I'm the owner of those projects, so I transferred my ownership to a technical user without 2FA. I also made the gitlab group public, just to check if that was the problem. I tried everything that came to mind, but nothing helped. The issue disappeared right after I disabled 2FA in my account and my co-workers were able to use those base CI images in their build jobs.
Do you have any clue what was going on? I can't understand how my 2FA setting can affect the visibility of a public - or internal - container repository.