
Project access tokens rejected for container registry after upgrading to GitLab 13.7

Summary

All project access tokens have stopped working (401 denied) for pulling containers after updating to GitLab 13.7.1 from 13.6.3. Podman under Fedora CoreOS is used as client.

Steps to reproduce

For GitLab Core:

  1. Open any project with the container registry feature enabled.
  2. Open settings/access_tokens
  3. Check read_registry
  4. Attempt to log in with Podman using the selected name and generated password:
[root@foo ~]# podman login --authfile=/root/.docker/config.json gitdocker.example.com
Username: foo.bar.example.com
Password: 
Error: error logging into "gitdocker.example.com": invalid username/password

Note: Using the bot account's name instead of the token name yields the same behaviour. Both worked with GitLab 13.6. Installations where the login has worked previously show the same issue.

Example Project

Unfortunately I cannot create a project to reproduce it on GitLab.com, because the feature requires a subscription.

What is the current bug behavior?

The PAT is rejected and registry read access is denied.

What is the expected correct behavior?

The PAT should be accepted for container registry access like in GitLab 13.6.

Relevant logs and/or screenshots

Podman debug log:

DEBU[0036] Looking for TLS certificates and private keys in /etc/docker/certs.d/gitdocker.example.com 
DEBU[0036] Loading registries configuration "/etc/containers/registries.conf" 
DEBU[0036] GET https://gitdocker.example.com/v2/           
DEBU[0036] Ping https://gitdocker.example.com/v2/ status 401 
DEBU[0036] GET https://git.example.com/jwt/auth?account=foo.bar.example.com&service=container_registry 
DEBU[0036] error logging into "gitdocker.example.com": unable to retrieve auth token: invalid username/password: unauthorized: HTTP Basic: Access denied 
Error: error logging into "gitdocker.example.com": invalid username/password

In GitLab's logs I unfortunately only find an nginx entry where the /jwt/auth endpoint is shown with a 401 return value. No details seem to be logged as to why access was denied. I tried grepping by the token/bot name and timestamps.

Output of checks

N/A, gitlab:check output is included below.

Results of GitLab environment info

GitLab runs under Podman on Fedora CoreOS (latest).

[root@gitlab config]# podman exec -it gitlab gitlab-rake gitlab:env:info

System information
System:		
Current User:	git
Using RVM:	no
Ruby Version:	2.7.2p137
Gem Version:	3.1.4
Bundler Version:2.1.4
Rake Version:	13.0.1
Redis Version:	5.0.9
Git Version:	2.29.0
Sidekiq Version:5.2.9
Go Version:	unknown

GitLab information
Version:	13.7.1
Revision:	c97c8073a0e
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	11.9
URL:		https://git.example.com
HTTP Clone URL:	https://git.example.com/some-group/some-project.git
SSH Clone URL:	git@git.example.com:some-group/some-project.git
Using LDAP:	yes
Using Omniauth:	no

GitLab Shell
Version:	13.14.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell
Git:		/opt/gitlab/embedded/bin/git

Results of GitLab application Check

[root@gitlab config]# podman exec -it gitlab gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 13.14.0 ? ... OK (13.14.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 10 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 4.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.2)
Git version >= 2.29.0 ? ... yes (2.29.0)
Git user has default SSH configuration? ... yes
Active users: ... 16
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

N/A. I have looked over the changelog and there is a change (!47247 (merged)) related to PATs, but nothing stands out that would cause the issue I describe here.
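
Added example (not part of the original issue and not GitLab's or Podman's code): the token request shown in the Podman debug log, rebuilt by hand so the `/jwt/auth` step can be tested separately from the client. The challenge header is a constructed sample based on the URL and service name in the log; `PLACEHOLDER_TOKEN` and the `send` helper are assumptions.

```python
import base64
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: WWW-Authenticate header sent with the 401 on GET /v2/.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://git.example.com/jwt/auth",service="container_registry"'
)


def parse_bearer_challenge(header):
    """Split a Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def build_token_request(challenge, username, token, scope=None):
    """Build the GET request a client sends to the realm after the 401."""
    query = {"account": username, "service": challenge["service"]}
    if scope:  # e.g. "repository:some-group/some-project:pull"; login sends none
        query["scope"] = scope
    url = challenge["realm"] + "?" + urllib.parse.urlencode(query)
    basic = base64.b64encode(("%s:%s" % (username, token)).encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + basic})


def send(request):
    """Send the request; return (status, body) so a 401 body can be read."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


if __name__ == "__main__":
    req = build_token_request(
        parse_bearer_challenge(SAMPLE_CHALLENGE),
        "foo.bar.example.com",   # token name used as the login name in the report
        "PLACEHOLDER_TOKEN",     # placeholder, never a real token
    )
    print(req.full_url)  # call send(req) only against your own instance
```

Comparing the status and body returned by `send` for the token name, the bot account name and a personal access token shows which credential type the auth endpoint rejects.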