Docker Manifest creation fails: unsupported registry version - docker

I just built two images and pushed them to my registry (docker registry v2), one of them tagged with hub.domain.com/image:tag-amd64 and the other hub.domain.com/image:tag-arm64. Now I want to create hub.domain.com/image:tag as a manifest list of both so I can pull the image independently of the platform.
First I tried to just create the manifest like this:
$ docker manifest create hub.domain.com/image:tag hub.domain.com/image:tag-amd64 hub.domain.com/image:tag-arm64
failed to configure transport: unsupported registry version
Then I pulled both images to my local machine and then repeated the manifest creation with the same result.
Finally I tried tagging the images with local tags image:tag-a(rm|md)64 respectively and retried the creation:
$ docker tag hub.domain.com/image:tag-arm64 image:tag-arm64
$ docker tag hub.domain.com/image:tag-amd64 image:tag-amd64
$ docker manifest create hub.domain.com/image:tag image:tag-amd64 image:tag-arm64
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
$ # I also logged in with:
$ docker login -u user hub.domain.com
Password: ....
Login Succeeded
What am I doing wrong?
I know that I can create multi-platform images with docker buildx, but in this case my Dockerfile differs for each platform and I don't know how to merge these into one manifest.

Related

GCP: Unable to pull docker images from our GCP private container registry on ubuntu/debian VM instances

I am trying to pull a docker container from our private GCP container registry on a regular VM instance (i.e. ubuntu-1904) running on Google Cloud, but I am getting the following error:
user@test ~ $ sudo docker pull example.io/docker-dev/name:v01
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I followed those instructions, i.e., run the gcloud auth configure-docker command, which outputs a success message.
However, when running the docker pull command again, I get the exact same error.
A couple of extra tests that might help to provide feedback:
If I pull from a different registry, it works (for example, docker run hello-world pulls and runs the hello-world image)
I tested the same command (docker pull example.io/docker-dev/name:v01) on my local computer (Mac) instead of the vm instance and works perfectly.
I have also created VM instances and enabled the option "Deploy a container image to this VM instance", providing the container address (example.io/docker-dev/name:v01), and that also works. However, I don't want to use this option because it automatically selects a "Container-Optimized" boot disk, which I prefer not to use due to the limitations.
Question:
Why can't I pull docker images from my private container registry on an Ubuntu or Debian VM, even though docker seems to work very well pulling images from other repositories (Docker Hub)?
I did this yesterday. Just run gcloud auth configure-docker then run
VERSION=2.0.0
OS=linux # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64 # or "386" for 32-bit OSs, "arm64" for ARM 64.
After that you can download the docker-credential-gcr
wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"
Then run
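# Extract the helper binary from the downloaded archive and install it as /usr/bin/docker-credential-gcloud
tar xzf ./docker-credential-gcr_linux_amd64-2.0.0.tar.gz --to-stdout --wildcards '*docker-credential-gcr' | sudo tee /usr/bin/docker-credential-gcloud > /dev/null && sudo chmod +x /usr/bin/docker-credential-gcloud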
And finally run
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
Now you will be able to pull your image :)
For me, on a container-os optimized instance, it helped to just run:
docker-credential-gcr configure-docker
https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config
Note the default policy for compute instances:
VM instances, including those in Google Kubernetes Engine clusters,
must have the correct storage access scopes configured to push or pull
images. By default, VMs can pull images when Container Registry is in
the same project.
If you run gcloud auth configure-docker, the auth information is saved under your personal directory.
When you then run sudo docker pull example.io/docker-dev/name:v01, it looks for auth info under root directory and doesn't find anything there.
You should run both with or without sudo.

Access denied when pulling Docker image from a repository I own

I built a Docker image that I pushed to Docker Hub under my account and removed locally after. But when I try to pull it, it throws the following error:
Error response from daemon: pull access denied for mightyspaj/dockerfile-assignment-1, repository does not exist or may require 'docker login'
I'm logged into the same account that owns the repository for this image and can perform other tasks (such as pushing) perfectly fine. The repository also definitely exists on Docker Hub, yet it fails when I try to pull it.
I've tried the following things:
Logging out of my account and back in again
Renaming config.json and regenerating it
Running an isolated Docker container with docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock:ro docker sh, then logging into my account and attempting to pull the image
Deleting and recreating the repository
All of these things still produce the same error. I'm baffled.
To note, both my client and engine versions are 17.12.0-ce. My OS is Ubuntu 17.10 (64-bit).
Console output
docker login
-> % docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: mightyspaj
Password:
Login Succeeded
docker tag
-> % docker tag dockerfile-assignment-1:latest mightyspaj/dockerfile-assignment-1
docker push
-> % docker push mightyspaj/dockerfile-assignment-1
The push refers to repository [docker.io/mightyspaj/dockerfile-assignment-1]
8427a8e6a29f: Pushed
655a921743e8: Pushed
8aa44edb7524: Pushed
60f1a2dc4cd8: Mounted from library/node
9185fe936b87: Mounted from library/node
e53f74215d12: Mounted from library/node
latest: digest: sha256:6c68220ba84f13d0229ef4458f22369410bb98764b908a75be0849c3003de160 size: 1582
docker image rm
-> % docker image rm mightyspaj/dockerfile-assignment-1
Untagged: mightyspaj/dockerfile-assignment-1:latest
Untagged: mightyspaj/dockerfile-assignment-1@sha256:6c68220ba84f13d0229ef4458f22369410bb98764b908a75be0849c3003de160
docker image pull
-> % docker image pull mightyspaj/dockerfile-assignment-1
Using default tag: latest
Error response from daemon: pull access denied for mightyspaj/dockerfile-assignment-1, repository does not exist or may require 'docker login'
I could fix the same issue only when I made the repository public. Make sure the repository is public then this is the set of instructions I followed in command line:
Log out of Docker Hub once and log in again.
1- docker logout
2- docker login --username=YOURUSERNAME
Enter password when asked
3- docker pull repositoryName"/"imageName[:tag]
If "tag" is not included, the default value will be "latest".
Then check the images with the docker images command to see whether it has been pulled.
After pulling is done I made the repository private again.
This solution is only valid on private docker repositories!!
First try to login on your private repo e.g:
docker login dockerrepo.example.com
Then
If you build a new image with a Dockerfile based on an image in your private repository, then you must prefix your base image with the private repository URL:
FROM PRIVATE_REPO_URL + IMAGE_INFO
sample:
PRIVATE_REPO_URL --> dockerrepo.example.com
BASE_IMAGE --> samples/java/jdk:1.6
Your Dockerfile looks like this:
FROM dockerrepo.example.com/samples/java/jdk:1.6

`docker pull` returns `denied: access forbidden` from private gitlab registry

I have a Dockerfile which is going to be implemented FROM a private registry's image. I build this file without any problem with Docker version 1.12.6, build 78d1802 and docker-compose version 1.8.0, build unknown, but in another machine which has Docker version 17.06.1-ce, build 874a737 and docker-compose version 1.16.1, build 6d1ac21, the docker-compose build returns:
FROM my.private.gitlab.registry:port/image:tag
http://my.private.gitlab.registry:port/v2/docker/image/manifests/tag: denied: access forbidden
docker pull my.private.gitlab.registry:port/image:tag returns the same.
Notice that I tried to get my.private.registry:port/image:tag and http://my.private.registry:port/v2/docker/image/manifests/tag has been caught.
If this is an authenticated registry, then you need to run docker login <registryurl> on the machine where you are building this.
This only needs to be done once per host. The command then caches the auth in a file
$ cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "......="
}
}
}
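Added example, not part of any answer on this page: a small Python audit of a Docker client config.json. It shows that the cached "auth" value is only base64 of user:password, and that root's config (the one read under sudo) can lack an entry that the user's config has. The sample configs, port 5000 and the function names are constructed for illustration.

```python
import base64
import json

# Constructed sample configs (not from the page): ~/.docker/config.json for a
# user who ran `docker login` and `gcloud auth configure-docker` without sudo,
# and root's config, which received neither.
USER_CONFIG = json.dumps({
    "auths": {"my.private.gitlab.registry:5000": {
        "auth": base64.b64encode(b"alice:example-password").decode()}},
    "credHelpers": {"gcr.io": "gcloud"},
})
ROOT_CONFIG = json.dumps({"auths": {}})


def normalize(key):
    """Reduce an auths key such as https://index.docker.io/v1/ to its host."""
    key = key.split("://", 1)[-1]
    return key.split("/", 1)[0].lower()


def audit(config_text, registry):
    """Report how (or whether) this config supplies credentials for registry."""
    cfg = json.loads(config_text)
    registry = registry.lower()
    finding = {"registry": registry, "source": None, "username": None,
               "secret_on_disk": False}
    helpers = cfg.get("credHelpers", {})
    if registry in helpers:
        # A per-registry helper takes precedence; no secret is kept in the file.
        finding["source"] = "credHelpers:" + helpers[registry]
        return finding
    for key, entry in cfg.get("auths", {}).items():
        if normalize(key) != registry:
            continue
        blob = entry.get("auth")
        if blob:
            # "auth" is base64("user:password"): encoded, not encrypted.
            user, _, _password = base64.b64decode(blob).decode().partition(":")
            finding.update(source="auths", username=user, secret_on_disk=True)
        elif cfg.get("credsStore"):
            # Empty entry plus credsStore: the secret lives in the OS store.
            finding["source"] = "credsStore:" + cfg["credsStore"]
        return finding
    return finding


if __name__ == "__main__":
    for name, text in (("user", USER_CONFIG), ("root", ROOT_CONFIG)):
        for reg in ("my.private.gitlab.registry:5000", "gcr.io"):
            print(name, audit(text, reg))
```

A finding with secret_on_disk set means anyone who can read that file can recover the password; a source of None for root's config is the state in which sudo docker pull fails while the same pull succeeds without sudo.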
A login did not fix the problem for me. This may be specific to Mac, but just in case here is the Git issue
My comment on it:
Also experiencing this issue.
Dockerfile:
FROM <insert_private_registry>/test-image:latest
CLI
Both commands fail without a login to the private registry (expected)
$ docker-compose up
Building app
Step 1/2 : FROM <insert_private_registry>/test-image:latest
ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden
$ docker pull <insert_private_registry>/test-image:latest
Error response from daemon: Get https://<insert_private_registry>/test-image/manifests/latest: denied: access forbidden
After logging in, a docker pull ... works while the docker-compose up fails to pull the image:
$ docker login <insert_private_registry>
Username: <insert>
Password: <insert>
Login Succeeded
$ docker-compose up
Building app
Step 1/2 : FROM <insert_private_registry>/test-image:latest
ERROR: Service 'app' failed to build: Get https://<insert_private_registry>/v2/test-image/manifests/latest: denied: access forbidden
$ docker pull <insert_private_registry>/test-image:latest
latest: Pulling from <insert_private_image_path>/test-image
...
Status: Downloaded newer image for <insert_private_registry>/test-image:latest
Current Solution
Our current workaround is to explicitly pull the image prior to running the docker-compose containers:
docker pull <insert_private_registry>/test-image:latest
latest: Pulling from <insert_private_image_path>/test-image
...
Status: Downloaded newer image for <insert_private_registry>/test-image:latest
$ docker-compose up
Building app
Step 1/2 : FROM <insert_private_registry>/test-image:latest
...
I notice your URL scheme uses the http protocol - Docker needs to be configured to allow insecure registries.
Create or modify your daemon.json (required in one of the following locations):
Linux: /etc/docker/
Windows: C:\ProgramData\Docker\config\
With the contents:
{
"insecure-registries" : [ "my.private.gitlab.registry:port" ]
}
Then restart Docker (not just the terminal session) and try again.
Once you've logged in with:
docker login my.private.gitlab.registry:port
As per tarun-lalwani's answer, this should then add the auth into the config, for future use (docker pull's etc.).
In my case on Linux I can fix this error by adding sudo to my docker-compose up command.

Permission message while copying container images from one Bluemix registry to another

I am trying to copy an image from one Bluemix registry, registry.ng.bluemix.net/XXXX/rhel:v5, to another, i.e. registry.ng.bluemix.net/YYYY/rhel:v5,
by using the following command after logging into the Bluemix account & space associated with XXXX:
cf ic cpi registry.ng.bluemix.net/XXXX/rhel:v5 registry.ng.bluemix.net/YYYY/rhel:v5
Note, I have access to both the org, spaces.
Bluemix shows the following message:
Sending build context to Docker daemon 2.048kB
Error response from daemon: Build aborted with error: User does not have access to namespace 'YYYY' Build ID: 268-1502886177.269-12875
FAILED
Command failed
Please suggest what could be going wrong, and is there a way to proceed?
The build service currently only supports building from and to the oldest namespace owned by the targeted organization. This includes copying images using cf ic cpi.
To achieve what you want, you'll need to pull the image to your workstation, tag it, then push it back to the registry with the new name:
bx login <account with access to both namespaces>
bx cr login
docker pull registry.ng.bluemix.net/XXXX/rhel:v5
docker tag registry.ng.bluemix.net/XXXX/rhel:v5 registry.ng.bluemix.net/YYYY/rhel:v5
docker push registry.ng.bluemix.net/YYYY/rhel:v5
# Optional: remove the images from your machine:
docker rmi registry.ng.bluemix.net/XXXX/rhel:v5 registry.ng.bluemix.net/YYYY/rhel:v5

Docker cloud repository push: access to the requested resource is not authorized on Fedora 23

I've just come over from tutum and am trying to deploy to a docker cloud repository. I've created the repository and have tagged an existing image:
docker tag deploy foo/rtb
When I attempt to push my tagged image up like so:
docker push foo/rtb
I get this:
The push refers to a repository [docker.io/foo/rtb] (len: 0)
18118bb6b8ef: Preparing
unauthorized: access to the requested resource is not authorized
The repository exists and I've logged in to docker. Is there something I'm missing?
Interestingly enough, if I try to delete the image I get an error like this:
Error response from daemon: conflict: unable to delete 18118bb6b8ef
(must be forced) - image is referenced in one or more repositories
Error: failed to remove images: [18118bb6b8ef]
I had been using docker 1.9.1. That's the version in the Fedora 23 repo.
The kind folks at docker tech support recommended I upgrade to the latest 1.10.3.
Upgrading then doing
docker logout
followed by
docker login
fixed everything up.
Did you tag your image?
docker build --tag docker.io/<yourdockerhubname>/<appname> .
docker build --tag docker.io/moskalr/rtb .
docker push docker.io/<yourdockerhubname>/<appname>
docker push docker.io/moskalr/rtb
The push should respond with something which mentions the Docker Hub image name.
