Skip to content

Unauthorized authentication required when pushing large docker container in Gitlab SaaS

Summary

Manually pushing a large docker container (2.06GB) from my machine to a private repository fails after a few minutes with the following error:

unauthorized: authentication required

However, pushing a smaller docker container (920MB) (the official python image from docker) to the same private repository succeeds. Note that previously I have been able to push a larger version of this exact same image in the past. So I am not sure what has changed in Gitlab SAAS since then that is now causing this issue.

Steps to reproduce

  1. Create a personal access token with the scopes: api, read_api, read_repository, write_repository, read_registry, write_registry. Probably only the last 2 are really needed.
  2. Login to the docker registry by issuing the command cat ~/my_password.txt | docker login --username <username> --password-stdin where my_password.txt contains the token you just created. You should receive feedback that it was successful and can even inspect that it was added to your credentials manager (I am using wincred). Note you may want to update the documentation as it warns that passing the token on the command line is not safe and you should instead use the way I have described that is in the docker documentation.
  3. Pull a small image, e.g. the official python image from docker and tag it with the name of your private repo.
  4. Push the image and you should see that it is successful.
  5. Pull or build a large image, e.g. over 2GB and tag it with the name of your private repo.
  6. Push the image and you should see that it fails after a few minutes with the error unauthorized: authentication required.

Example Project

Not sure how difficult this is to do. I have a few ideas. Let me know if you absolutely need this. Looking back at some issues in the past I see this problem has popped up a few times before.

What is the current bug behavior?

The small images is pushed to the container registry successfully but the large image fails with the authentication error described.

Possible Solutions

Now the documentation already says that Gitlab has a default token expiration of 5 minutes and that you should expect this error when pushing large images.

Either the large image should be pushed to the container registry with the current configuration. Or if that is not possible, then there should be access to be able to extend the default token expiration above 5 minutes for the registry when using Gitlab.com. I presume that the Admin area > Settings > CI/CD > Container Registry > Authorization token duration (minutes) only exists on self-managed Gitlab instances and not on Gitlab SAAS because I do not see it anywhere.

Output of checks

This bug happens on GitLab.com.

Status Updates

2022-07-01

See #361279 (comment 1012697106)

Edited by Manuel Grabowski