`docker pull` returns `denied: access forbidden` from private gitlab registry

Solution 1

If this is an authenticated registry, then you need to run docker login <registryurl> on the machine where you are building this.

This only needs to be done once per host. The command then caches the auth in a file

$ cat ~/.docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "......="
        }
    }
}

Solution 2

A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue

My comment on it:

Also experiencing this issue.

Dockerfile:

FROM <insert_private_registry>/test-image:latest

CLI

Both commands fail without a login to the private registry (expected)

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden

After logging in, a docker pull ... works while the docker-compose up fails to pull the image:

    $ docker login <insert_private_registry>
    Username: <insert>
    Password: <insert>
    Login Succeeded

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

Current Solution

Our current workaround is to explicitly pull the image prior to running the docker-compose containers:

    docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ...

Solution 3

I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.

Create or modify your daemon.json (required in one of the following locations):

Linux: /etc/docker/

Windows: C:\ProgramData\Docker\config\

With the contents:

{
    "insecure-registries" : [ "my.private.gitlab.registry:port" ]
}

Then restart Docker (not just the terminal session) and try again.

Once you've logged in with:

docker login my.private.gitlab.registry:port

As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull's etc.).

Author by

Zeinab Abbasimazar

Looking to attain a challenging and responsible position as a software engineer and software analyst in telecommunication and software industry which effectively utilizes my personal, professional and educational skills and experiences. I’m also looking forward to learn and experience more on big data concepts/solutions.

Updated on July 13, 2022