`docker pull` returns `denied: access forbidden` from private gitlab registry

Question

I have a Dockerfile which is going to be implemented FROM a private registry's image. I build this file without any problem with Docker version 1.12.6, build 78d1802 and docker-compose version 1.8.0, build unknown, but in another machine which has Docker version 17.06.1-ce, build 874a737 and docker-compose version 1.16.1, build 6d1ac21, the docker-compose build returns:

FROM my.private.gitlab.registry:port/image:tag
http://my.private.gitlab.registry:port/v2/docker/image/manifests/tag: denied: access forbidden

docker pull my.private.gitlab.registry:port/image:tag returns the same.

Notice that I tried to get my.private.registry:port/image:tag and http://my.private.registry:port/v2/docker/image/manifests/tag has been catched.

Answer 1

If this is an authenticated registry, then you need to run docker login <registryurl> on the machine where you are building this.

This only needs to be done once per host. The command then caches the auth in a file

$ cat ~/.docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "......="
        }
    }
}

Answer 2

A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue

My comment on it:

Also experiencing this issue.

Dockerfile:

FROM <insert_private_registry>/test-image:latest

CLI

Both commands fail without a login to the private registry (expected)

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden

After logging in, a docker pull ... works while the docker-compose up fails to pull the image:

    $ docker login <insert_private_registry>
    Username: <insert>
    Password: <insert>
    Login Succeeded

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

Current Solution

Our current workaround is to explicitly pull the image prior to running the docker-compose containers:

    docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ...

Answer 3

I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.

Create or modify your daemon.json (required in one of the following locations):

Linux: /etc/docker/

Windows: C:\ProgramData\Docker\config\

With the contents:

{
    "insecure-registries" : [ "my.private.gitlab.registry:port" ]
}

Then restart Docker (not just the terminal session) and try again.

Once you've logged in with:

docker login my.private.gitlab.registry:port

As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull's etc.).

Answer 4

In my case on Linux I can fix this error by adding sudo to my docker-compose up command.