feat(bootstrap): fall back to anonymous pull when registry credentials are rejected#351
Closed
feat(bootstrap): fall back to anonymous pull when registry credentials are rejected#351
Conversation
…s are rejected When pulling container images from ghcr.io, credentials are always sent. If the token lacks access to a specific repo (e.g., a public repo the caller's PAT cannot read), the pull fails with a 401/403 even though an unauthenticated pull would succeed. Add fallback logic across all three pull paths: - ensure_image() (local Docker daemon): detect auth failure from the pull stream and retry with no credentials. - pull_remote_image() (remote SSH daemon): same pattern using the new consume_pull_stream() helper. - cluster-entrypoint.sh (k3s/containerd): validate credentials via the GHCR token endpoint before writing auth config to registries.yaml; skip auth block when credentials are rejected so containerd uses anonymous pulls. Also adds is_auth_failure() helper that matches 401/403 status codes and common Docker error messages (pull access denied, unauthorized, denied: access forbidden), curl to the cluster runtime image for the credential test, and updated error diagnosis messaging.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When pulling container images from ghcr.io, credentials are always sent. If the token lacks access to a specific repo (e.g., a public repo the caller's PAT cannot read), the pull fails with 401/403 even though an unauthenticated pull would succeed. This PR adds fallback-to-anonymous logic across all three image pull paths.
Changes
crates/openshell-bootstrap/src/image.rs: Addedis_auth_failure()helper that detects auth errors by HTTP status (401/403) and message patterns. Addedconsume_pull_stream()helper for reusable stream consumption. Modifiedpull_remote_image()to retry anonymously on auth failure. Added 6 unit tests.crates/openshell-bootstrap/src/docker.rs: Modifiedensure_image()to detect auth failure mid-stream, break out, and retry withNonecredentials.deploy/docker/cluster-entrypoint.sh: Addedtest_registry_credentials()shell function that validates credentials against the GHCR token endpoint via curl before writing auth config toregistries.yaml. Skips auth block when credentials are rejected so containerd falls back to anonymous pulls.deploy/docker/Dockerfile.cluster: Addedcurlto runtime stage dependencies for the credential validation test.crates/openshell-bootstrap/src/errors.rs: Updateddiagnose_image_pull_auth_failureto mention that anonymous fallback was also attempted.Testing
mise run pre-commitpassesis_auth_failuretests)Checklist