`docker pull` returns `denied: access forbidden` from private gitlab registry
Solution 1
If this is an authenticated registry, then you need to run docker login <registryurl>
on the machine where you are building this.
This only needs to be done once per host. The command then caches the auth in a file
$ cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "......="
}
}
}
Solution 2
A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue
My comment on it:
Also experiencing this issue.
Dockerfile:
FROM <insert_private_registry>/test-image:latest
CLI
Both commands fail without a login to the private registry (expected)
$ docker-compose up
Building app
Step 1/2 : FROM <insert_private_registry>/test-image:latest
ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden
$ docker pull <insert_private_registry>/test-image:latest
Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden
After logging in, a docker pull ...
works while the docker-compose up
fails to pull the image:
$ docker login <insert_private_registry>
Username: <insert>
Password: <insert>
Login Succeeded
$ docker-compose up
Building app
Step 1/2 : FROM <insert_private_registry>/test-image:latest
ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden
$ docker pull <insert_private_registry>/test-image:latest
latest: Pulling from <insert_private_image_path>/test-image
...
Status: Downloaded newer image for <insert_private_registry>/test-image:latest
Current Solution
Our current workaround is to explicitly pull the image prior to running the docker-compose containers:
docker pull <insert_private_registry>/test-image:latest
latest: Pulling from <insert_private_image_path>/test-image
...
Status: Downloaded newer image for <insert_private_registry>/test-image:latest
$ docker-compose up
Building app
Step 1/2 : FROM <insert_private_registry>/test-image:latest
...
Solution 3
I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.
Create or modify your daemon.json
(required in one of the following locations):
Linux: /etc/docker/
Windows: C:\ProgramData\Docker\config\
With the contents:
{
"insecure-registries" : [ "my.private.gitlab.registry:port" ]
}
Then restart Docker (not just the terminal session) and try again.
Once you've logged in with:
docker login my.private.gitlab.registry:port
As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull
's etc.).
Zeinab Abbasimazar
Looking to attain a challenging and responsible position as a software engineer and software analyst in telecommunication and software industry which effectively utilizes my personal, professional and educational skills and experiences. I’m also looking forward to learn and experience more on big data concepts/solutions.
Updated on July 13, 2022Comments
-
Zeinab Abbasimazar almost 2 years
I have a
Dockerfile
which is going to be implementedFROM
a private registry's image. I build this file without any problem withDocker version 1.12.6, build 78d1802
anddocker-compose version 1.8.0, build unknown
, but in another machine which hasDocker version 17.06.1-ce, build 874a737
anddocker-compose version 1.16.1, build 6d1ac21
, thedocker-compose build
returns:FROM my.private.gitlab.registry:port/image:tag http://my.private.gitlab.registry:port/v2/docker/image/manifests/tag: denied: access forbidden
docker pull my.private.gitlab.registry:port/image:tag
returns the same.Notice that I tried to get
my.private.registry:port/image:tag
andhttp://my.private.registry:port/v2/docker/image/manifests/tag
has been catched. -
Jacob Stern about 4 yearsOne note on this: make sure that
<registryurl>
ismy.private.registry:port/path/to/repo
.docker login my.private.registry
did not give me sufficient permissions to pull the image. -
enyo over 3 yearsAs @JacobStern mentioned it's important to use the full path, but also: it's important to add the version! So it must be:
my.private.registry/path/to/repo:version