`docker pull` returns `denied: access forbidden` from private gitlab registry

Question

I have a Dockerfile which is going to be implemented FROM a private registry's image. I build this file without any problem with Docker version 1.12.6, build 78d1802 and docker-compose version 1.8.0, build unknown, but in another machine which has Docker version 17.06.1-ce, build 874a737 and docker-compose version 1.16.1, build 6d1ac21, the docker-compose build returns:

FROM my.private.gitlab.registry:port/image:tag
http://my.private.gitlab.registry:port/v2/docker/image/manifests/tag: denied: access forbidden

docker pull my.private.gitlab.registry:port/image:tag returns the same.

Notice that I tried to get my.private.registry:port/image:tag and http://my.private.registry:port/v2/docker/image/manifests/tag has been catched.

If this is a authenticated registry then you need to run `docker login ` on the machine where you are building this. This only needs to be done once — Tarun Lalwani, Sep 26 '17 at 06:29
@TarunLalwani, it returned `Unauthorized: authentication required`. Maybe it's related to my permissions on gitlab. I'll check and let you know. — Zeinab Abbasimazar, Sep 26 '17 at 06:48
@TarunLalwani, you've pointed to the exact cause. Please post it as an answer, so I can approve. — Zeinab Abbasimazar, Sep 26 '17 at 09:03

score 53 · Accepted Answer · edited Oct 04 '21 at 10:40

53

If this is an authenticated registry, then you need to run docker login <registryurl> on the machine where you are building this.

This only needs to be done once per host. The command then caches the auth in a file

$ cat ~/.docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "......="
        }
    }
}

edited Oct 04 '21 at 10:40

Federico Zancan

4,778
4
43
60

answered Sep 26 '17 at 09:06

Tarun Lalwani

133,941
8
173
238

6

One note on this: make sure that `` is `my.private.registry:port/path/to/repo`. `docker login my.private.registry` did not give me sufficient permissions to pull the image. – Jacob Stern Apr 23 '20 at 17:26
3

As @JacobStern mentioned it's important to use the full path, but also: it's important to add the version! So it must be: `my.private.registry/path/to/repo:version` – enyo Aug 13 '20 at 11:51

Isaiah · Answer 2 · 2021-09-06T21:47:02.613

A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue

My comment on it:

Also experiencing this issue.

Dockerfile:

FROM <insert_private_registry>/test-image:latest

CLI

Both commands fail without a login to the private registry (expected)

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden

After logging in, a docker pull ... works while the docker-compose up fails to pull the image:

    $ docker login <insert_private_registry>
    Username: <insert>
    Password: <insert>
    Login Succeeded

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

Current Solution

Our current workaround is to explicitly pull the image prior to running the docker-compose containers:

    docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ...

Michael · Answer 3 · 2017-09-26T09:28:37.673

I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.

Create or modify your daemon.json (required in one of the following locations):

Linux: /etc/docker/

Windows: C:\ProgramData\Docker\config\

With the contents:

{
    "insecure-registries" : [ "my.private.gitlab.registry:port" ]
}

Then restart Docker (not just the terminal session) and try again.

Once you've logged in with:

docker login my.private.gitlab.registry:port

As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull's etc.).

score -1 · Answer 4 · answered Mar 13 '22 at 13:11

-1

In my case on Linux I can fix this error by adding sudo to my docker-compose up command.

answered Mar 13 '22 at 13:11

Coen000

39
4

1

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 13 '22 at 14:37

`docker pull` returns `denied: access forbidden` from private gitlab registry

4 Answers4

Dockerfile:

CLI

Current Solution

Linked