`docker pull` returns `denied: access forbidden` from private gitlab registry

Question

I have a Dockerfile which is going to be implemented FROM a private registry's image. I build this file without any problem with Docker version 1.12.6, build 78d1802 and docker-compose version 1.8.0, build unknown, but in another machine which has Docker version 17.06.1-ce, build 874a737 and docker-compose version 1.16.1, build 6d1ac21, the docker-compose build returns:

FROM my.private.gitlab.registry:port/image:tag
http://my.private.gitlab.registry:port/v2/docker/image/manifests/tag: denied: access forbidden

docker pull my.private.gitlab.registry:port/image:tag returns the same.

Notice that I tried to get my.private.registry:port/image:tag and http://my.private.registry:port/v2/docker/image/manifests/tag has been catched.

Answer 1

In my case docker image name contains port reg.mygitlab.com:443/internal/ci-docker-base:python3 so that i need to to do was docker login reg.mygitlab.com:443 you see the 433 there that is important it sims like later on when docker is trying to pull images it will use the exact name which contains port too

Answer 2

In my case on Linux I can fix this error by adding sudo to my docker-compose up command.

Answer 3

If this is an authenticated registry, then you need to run docker login <registryurl> on the machine where you are building this.

This only needs to be done once per host. The command then caches the auth in a file

$ cat ~/.docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "......="
        }
    }
}

Answer 4

A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue

My comment on it:

Also experiencing this issue.

Dockerfile:

FROM <insert_private_registry>/test-image:latest

CLI

Both commands fail without a login to the private registry (expected)

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden

After logging in, a docker pull ... works while the docker-compose up fails to pull the image:

    $ docker login <insert_private_registry>
    Username: <insert>
    Password: <insert>
    Login Succeeded

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

Current Solution

Our current workaround is to explicitly pull the image prior to running the docker-compose containers:

    docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ...

Answer 5

I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.

Create or modify your daemon.json (required in one of the following locations):

Linux: /etc/docker/

Windows: C:\ProgramData\Docker\config\

With the contents:

{
    "insecure-registries" : [ "my.private.gitlab.registry:port" ]
}

Then restart Docker (not just the terminal session) and try again.

Once you've logged in with:

docker login my.private.gitlab.registry:port

As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull's etc.).