48

I have a Dockerfile which is going to be implemented FROM a private registry's image. I build this file without any problem with Docker version 1.12.6, build 78d1802 and docker-compose version 1.8.0, build unknown, but in another machine which has Docker version 17.06.1-ce, build 874a737 and docker-compose version 1.16.1, build 6d1ac21, the docker-compose build returns:

FROM my.private.gitlab.registry:port/image:tag
http://my.private.gitlab.registry:port/v2/docker/image/manifests/tag: denied: access forbidden

docker pull my.private.gitlab.registry:port/image:tag returns the same.

Notice that I tried to get my.private.registry:port/image:tag and http://my.private.registry:port/v2/docker/image/manifests/tag has been catched.

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
Zeinab Abbasimazar
  • 9,835
  • 23
  • 82
  • 131

5 Answers5

75

If this is an authenticated registry, then you need to run docker login <registryurl> on the machine where you are building this.

This only needs to be done once per host. The command then caches the auth in a file

$ cat ~/.docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "......="
        }
    }
}
Federico Zancan
  • 4,846
  • 4
  • 44
  • 60
Tarun Lalwani
  • 142,312
  • 9
  • 204
  • 265
  • 11
    One note on this: make sure that `` is `my.private.registry:port/path/to/repo`. `docker login my.private.registry` did not give me sufficient permissions to pull the image. – Jacob Stern Apr 23 '20 at 17:26
  • 6
    As @JacobStern mentioned it's important to use the full path, but also: it's important to add the version! So it must be: `my.private.registry/path/to/repo:version` – enyo Aug 13 '20 at 11:51
  • 2
    what to put in auth .... ? – Chanrithisak Phok Nov 11 '22 at 14:34
  • readers pay attention to the port, it really matters if docker image name contains the port you must specify the port while login too `docker login :` and if no port is in docker image name then only `docker login ` – Seyed Hussein Mirzaki May 16 '23 at 15:29
9

A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue

My comment on it:

Also experiencing this issue.

Dockerfile:

FROM <insert_private_registry>/test-image:latest

CLI

Both commands fail without a login to the private registry (expected)

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden

After logging in, a docker pull ... works while the docker-compose up fails to pull the image:

    $ docker login <insert_private_registry>
    Username: <insert>
    Password: <insert>
    Login Succeeded

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden

    $ docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

Current Solution

Our current workaround is to explicitly pull the image prior to running the docker-compose containers:

    docker pull <insert_private_registry>/test-image:latest
    latest: Pulling from <insert_private_image_path>/test-image
    ...
    Status: Downloaded newer image for <insert_private_registry>/test-image:latest

    $ docker-compose up
    Building app
    Step 1/2 : FROM <insert_private_registry>/test-image:latest
    ...
Isaiah
  • 484
  • 5
  • 16
6

I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.

Create or modify your daemon.json (required in one of the following locations):

Linux: /etc/docker/

Windows: C:\ProgramData\Docker\config\

With the contents:

{
    "insecure-registries" : [ "my.private.gitlab.registry:port" ]
}

Then restart Docker (not just the terminal session) and try again.

Once you've logged in with:

docker login my.private.gitlab.registry:port

As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull's etc.).

Michael
  • 7,348
  • 10
  • 49
  • 86
2

In my case on Linux I can fix this error by adding sudo to my docker-compose up command.

Coen000
  • 79
  • 5
  • 1
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 13 '22 at 14:37
1

In my case docker image name contains port reg.mygitlab.com:443/internal/ci-docker-base:python3 so that i need to to do was docker login reg.mygitlab.com:443 you see the 433 there that is important it sims like later on when docker is trying to pull images it will use the exact name which contains port too

Seyed Hussein Mirzaki
  • 321
  • 3
  • 7