Dependency proxy error with non-ldap users
Summary
In a self-hosted GitLab with LDAP active, non-LDAP users receive unauthorized: authentication required when pulling docker from dependency_proxy. If an LDAP user retried the job, it pulls the docker successfully.
The error appeared after starting to use the dependency proxy. Everything was working in the merge request, but we have a user for renovatebot. After merging the branch with the dependency proxy, all the pipelines in MRs from renovate started failing with the error stated in this issue.
Steps to reproduce
- Create a user in admin (/admin/users/)
  - I've tested all the options, including Admin
- Trigger a job in a repo, where the user has developer permissions in the Group
  - I've tested with maintainer permissions as well
- The job fails with (complete log below):
  ERROR: Preparation failed: Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
- Use an LDAP user to retry the job. The pull is successful, and the job passes.
Example Project
I think the error is related to LDAP. I assume it makes no sense to try to replicate in gitlab.com. If you disagree, let me know.
What is the current bug behavior?
Docker pulls from dependency_proxy don't work when the user is non-LDAP.
What is the expected correct behavior?
Docker pulls from dependency_proxy should work for all users (permissions above guest in the group).
Relevant logs and/or screenshots
.gitlab-ci.yml (partial)
image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/python:3.6"
services:
  - name: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/postgres:latest"
    alias: "postgres"
Note: I have the same error in projects that only use one image from the dependency proxy.
Job log
Running with gitlab-runner 11.5.0 (3afdaba6)
on RUN01 12ccbb74
Using Docker executor with image gitlab.domain.com:443/group/dependency_proxy/containers/python:3.6 ...
Starting service gitlab.domain.com/group/dependency_proxy/containers/postgres:latest ...
Pulling docker image gitlab.domain.com:443/group/dependency_proxy/containers/postgres:latest ...
ERROR: Preparation failed: Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
Will be retried in 3s ...
Using Docker executor with image gitlab.domain.com:443/group/dependency_proxy/containers/python:3.6 ...
Starting service gitlab.domain.com/group/dependency_proxy/containers/postgres:latest ...
Pulling docker image gitlab.domain.com:443/group/dependency_proxy/containers/postgres:latest ...
ERROR: Preparation failed: Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
Will be retried in 3s ...
Using Docker executor with image gitlab.domain.com:443/group/dependency_proxy/containers/python:3.6 ...
Starting service gitlab.domain.com/group/dependency_proxy/containers/postgres:latest ...
Pulling docker image gitlab.domain.com:443/group/dependency_proxy/containers/postgres:latest ...
ERROR: Preparation failed: Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
Will be retried in 3s ...
ERROR: Job failed (system failure): Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
Output of checks
Results of GitLab environment info
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.6
Redis Version: 6.0.16
Git Version: 2.33.1.
Sidekiq Version: 6.2.2
Go Version: unknown

GitLab information
Version: 14.5.2-ee
Revision: 4511944420f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.7
URL: https://gitlab.
HTTP Clone URL: https://gitlab./some-group/some-project.git
SSH Clone URL: git@:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: gitlab
GitLab Shell Version: 13.22.1
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.22.1 ? ... OK (13.22.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ... 34/1 ... yes 13/5 ... yes 14/6 ... yes 6/8 ... yes 15/9 ... yes 18/10 ... yes 6/11 ... yes 6/12 ... yes 11/13 ... yes 14/14 ... yes 14/15 ... yes 11/16 ... yes 11/17 ... yes 6/18 ... yes 15/21 ... yes 26/22 ... yes 26/23 ... yes 60/24 ... yes 9/26 ... yes 9/27 ... yes 9/28 ... yes 9/29 ... yes 9/30 ... yes 9/31 ... yes 14/32 ... yes 14/33 ... yes 7/34 ... yes 34/35 ... yes 34/37 ... yes 34/38 ... yes 34/39 ... yes 7/40 ... yes 18/43 ... yes 51/44 ... yes 33/45 ... yes 7/46 ... yes 36/47 ... yes 6/48 ... yes 6/49 ... yes 60/51 ... yes 60/52 ... yes 60/53 ... yes 60/54 ... yes 60/55 ... yes 61/56 ... yes 11/57 ... yes 11/58 ... yes 65/60 ... yes 14/62 ... yes 61/63 ... yes 69/70 ... yes 89/71 ... yes 69/73 ... yes 69/74 ... yes 65/75 ... yes 18/76 ... yes 14/77 ... yes 75/78 ... yes 75/84 ... yes 34/85 ... yes 80/86 ... yes 80/87 ... yes 80/88 ... yes 80/89 ... yes 64/90 ... yes 14/91 ... yes 61/92 ... yes 6/94 ... yes 61/95 ... yes 61/96 ... yes 89/97 ... yes 61/99 ... yes 95/100 ... yes 9/101 ... yes 9/102 ... yes 9/103 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git version >= 2.33.0 ? ... yes (2.33.1)
Git user has default SSH configuration? ... yes
Active users: ... 63
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
The current fix is to ask the devs to trigger the failed job. If an LDAP user triggers the job, the pull works.
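Added example, not part of the original issue and not GitLab or gitlab-runner code: a small Python triage helper that scans a runner job log in the format shown under "Job log" and counts, per image, the dependency proxy pulls rejected with `unauthorized: authentication required`, so affected jobs can be found and re-triggered. The sample log is constructed from the lines in this issue (the `alpine` entry is invented as a negative case), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the job log in this issue.
SAMPLE_LOG = """\
Using Docker executor with image gitlab.domain.com:443/group/dependency_proxy/containers/python:3.6 ...
Pulling docker image gitlab.domain.com:443/group/dependency_proxy/containers/postgres:latest ...
ERROR: Preparation failed: Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
Will be retried in 3s ...
Pulling docker image gitlab.domain.com:443/group/dependency_proxy/containers/postgres:latest ...
ERROR: Preparation failed: Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
Will be retried in 3s ...
Pulling docker image docker.io/library/alpine:3 ...
ERROR: Preparation failed: Error response from daemon: manifest unknown (executor_docker.go:168:0s)
ERROR: Job failed (system failure): Error response from daemon: unauthorized: authentication required (executor_docker.go:168:0s)
"""

PULL_RE = re.compile(r"^Pulling docker image (\S+) \.\.\.")
AUTH_ERR = "unauthorized: authentication required"
PROXY_MARK = "/dependency_proxy/containers/"  # path segment seen in the log above


def proxy_auth_failures(log_text):
    """Count auth-rejected pulls per dependency proxy image reference."""
    failures = Counter()
    last_pull = None
    for line in log_text.splitlines():
        match = PULL_RE.match(line)
        if match:
            last_pull = match.group(1)
        elif line.startswith("ERROR: Preparation failed") and last_pull:
            # Attribute the error to the pull that immediately preceded it.
            if AUTH_ERR in line and PROXY_MARK in last_pull:
                failures[last_pull] += 1
            last_pull = None
    return failures


def summarize(log_text):
    """Return one record per failing image: registry host, group path, image, attempts."""
    records = []
    for ref, attempts in proxy_auth_failures(log_text).items():
        registry, _, rest = ref.partition("/")
        group, _, image = rest.partition(PROXY_MARK)
        records.append({"registry": registry, "group": group,
                        "image": image, "attempts": attempts})
    return records


if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG):
        print(record)
```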