Develop Reference

Docker run results in error: layer does not exist

I'm trying to setup redmine (with postgres) on my raspberry pi 3 using docker-compose. It already worked once, but then I tried to install plugins and somehow managed to bork my system.
Now it won't let me start my database container anymore. Even creating a new postgres:12.8 container, yields the error layer does not exist:
$ docker run --rm -it postgres:12.8 bash
docker: Error response from daemon: layer does not exist.
I've already restarted the system twice, which sadly didn't change anything.
How can I get this to work again?
Additional info:
$ docker info
Client:
Debug Mode: false
Server:
Containers: 5
Running: 4
Paused: 0
Stopped: 1
Images: 65
Server Version: 19.03.13
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.19.66-v7+
Operating System: Raspbian GNU/Linux 9 (stretch)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 926.1MiB
Name: raspberrypi
ID: <redacted>
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Update 1:
Removing the image (via docker rmi) doesn't stop the error.
$ docker run --rm -it postgres:12.8 bash
Unable to find image 'postgres:12.8' locally
12.8: Pulling from library/postgres
Digest: sha256:e10cd754296c1b3e93a121bcc64550d183df56f20bab47e08cacb123fb969b5e
Status: Downloaded newer image for postgres:12.8
docker: Error response from daemon: layer does not exist.
See 'docker run --help'.
Other images can be run as usual:
$ docker run --rm -it alpine bash
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
4ee0caa23b36: Pull complete
Digest: sha256:eb3e4e175ba6d212ba1d6e04fc0782916c08e1c9d7b45892e9796141b1d379ae
Status: Downloaded newer image for alpine:latest
/ # whoami
root
/ #

Nuking /var/lib/docker seems to get the system working again - this removes all images and lots of other docker-related data.
This doesn't feel like a great solution, but it'll have to do for now.
$ sudo service docker stop
$ docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
$ sudo rm -rf /var/lib/docker
$ sudo service docker start
$ docker run --rm -it postgres:12.8 bash
Unable to find image 'postgres:12.8' locally
12.8: Pulling from library/postgres
607f77084e8a: Pull complete
ce89a6184ac9: Pull complete
2a4e6e7ac863: Pull complete
f3b6f439172b: Pull complete
2e803a3461b4: Pull complete
467430f26cab: Pull complete
1a81afc37621: Pull complete
4ceea61b7b5c: Pull complete
1f5bfa96a004: Pull complete
b40859b8e537: Pull complete
c7b3bf3cab26: Pull complete
653c63793cd5: Pull complete
aad7328542d8: Pull complete
Digest: sha256:e10cd754296c1b3e93a121bcc64550d183df56f20bab47e08cacb123fb969b5e
Status: Downloaded newer image for postgres:12.8
root#8ba418515688:/#
References:
https://github.com/coreos/bugs/issues/1808
https://github.com/coreos/bugs/issues/1313

I have the error below and a restart of docker daemon seems to fix it. Still wondering what causes it in the first place.
level=error msg="Handler for POST /v1.41/containers/create returned error: layer does not exist"

Docker for windows hcsshim::PrepareLayer - failed failed in Win32: Access is denied. (0x5)

I am trying to build a docker image on docker for windows, always got this error
Docker info:
$ docker info
Client:
Debug Mode: false
Plugins:
buildx: Build with BuildKit (Docker Inc., v0.3.1-tp-docker)
app: Docker Application (Docker Inc., v0.8.0)
Server:
Containers: 8
Running: 0
Paused: 0
Stopped: 8
Images: 13
Server Version: 19.03.8
Storage Driver: windowsfilter (windows) lcow (linux)
Windows:
LCOW:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics internal l2bridge l2tunnel nat null overlay private transparent
Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
Swarm: inactive
Default Isolation: hyperv
Kernel Version: 10.0 18363 (18362.1.amd64fre.19h1_release.190318-1202)
Operating System: Windows 10 Pro Version 1909 (OS Build 18363.476)
OSType: windows
Architecture: x86_64
CPUs: 12
Total Memory: 31.92GiB
Name: G6CR726W911E
ID: 363S:P6KR:6TPB:INAE:DGT6:HRT3:QPAK:HZDE:6L5G:4IA3:XNUL:IZST
Docker Root Dir: D:\ProgramData\Docker
Debug Mode: true
File Descriptors: -1
Goroutines: 27
System Time: 2020-04-19T21:49:57.0907864+08:00
EventsListeners: 1
HTTP Proxy: company proxy placeholder
HTTPS Proxy: company proxy placeholder
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
Dockerfile:
FROM mcr.microsoft.com/dotnet/core/sdk:2.2 AS build
WORKDIR /src
COPY ["OktaMvcLogin.csproj", "./"]
RUN dotnet restore "./OktaMvcLogin.csproj"
COPY . .
RUN dotnet build "OktaMvcLogin.csproj" -c Release -o /app
Output Error:
$ docker build --target build -t oktamvclogin .
Sending build context to Docker daemon 6.451MB
Step 1/6 : FROM mcr.microsoft.com/dotnet/core/sdk:2.2 AS build
---> 7411befde57e
Step 2/6 : WORKDIR /src
---> Running in c727ea8e1662
hcsshim::PrepareLayer - failed failed in Win32: Access is denied. (0x5)
And this will trigger the company DLP exveption warning which thinks I am transfering data to external driver like USB driver. To do this I have to request an exception to change the group policy. However, the exception only lasts a short time. I have to request an exception again when I build a new image. This is not practical for development.
Can anyone explain why it thinks I am transfer data to external driver when I build docker image? Is there a workaround to bypass this?

I was also facing the similar issue. But solved it.
Please go to services in the machine where docker is running and change the LogOn account user from Local Service to your domain user account.
One challenge here, if you restart the docker desktop again, it will set the credential back to Local Service account for docker engine service.
I trying to find the solution for that. Mostly we can set in Docker JSON configuration file.

Failed to pull container images via short reference format

I have a problem downloading container images from a private docker registry.
The registry need no authentication credentials and is only available over the
internal network.
I have configured the registries in /etc/docker/daemon.json like the example
below. I have replaced the FQDN.
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": [
"https://customer-registry.example.com",
"https://location-a.dev.example.com:17519",
"https://location-b.dev.example.com:17519"
]
}
When I use the short reference format to download the container image
apvxw/build-env-go:4.2.1 I get the following error:
$ docker pull apvxw/build-env-go:4.2.1
Unable to find image 'apvxw/build-env-go:4.2.1' locally
/usr/bin/docker: Error response from daemon: pull access denied for
orbis-u/build-env-go, repository does not exist or may require 'docker login':
denied: requested access to the resource is denied.
When I use the long reference format docker can pull the image
$ docker pull customer-registry.example.com/apvxw/build-env-go:4.2.1
4.2.1: Pulling from apvxw/build-env-go:4.2.1
ac9208207ada: Already exists
5cf798ece9e5: Already exists
510bf5361e28: Already exists
b2f42d2b54d9: Pull complete
4b8be0bf5345: Pull complete
311322fb5cb6: Pull complete
Digest: sha256:f522ce0974ee41dfc7f16fc44682fee77e57bc056e37b27a4bf4885af3f5c375
Status: Downloaded newer image for customer-registry.example.com/apvxw/build-env-go:4.2.1
customer-registry.example.com/apvxw/build-env-go:4.2.1
The same behavior applies to the other configured docker registries.
I have also tested downloading container images via the registries with podman.
There the download via the short reference works fine.
Does anyone have an idea what the problem is because I can't download container
images under Arch using the short notation?
System and docker informations:
$ uname -a
Linux markus-pc 5.5.9-arch1-2 #1 SMP PREEMPT Thu, 12 Mar 2020 23:01:33 +0000 x86_64 GNU/Lin
$
$ docker info
Client:
Debug Mode: false
Server:
Containers: 10
Running: 0
Paused: 0
Stopped: 10
Images: 71
Server Version: 19.03.7-ce
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.5.9-arch1-2
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.54GiB
Name: markus-pc
ID: DKFK:PHVZ:LDGJ:54OG:5VJ5:5XYK:YDZR:DJFR:HZ7B:4HDT:LBEK:7JQ4
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: volkerraschek
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://customer-registry.example.com/
https://location-a.dev.example.com:17519/
https://location-b.dev.example.com:17519/
Live Restore Enabled: false

In Docker
The default registry is configured to search images on docker hub which is docker.io. When you pull any image without domain name it will try to pull from docker.io, not from any other registry.
If you want to pull an image from a private registry, then you need to use long reference which is
docker pull <YOUR-DOMAIN>/apvxw/build-env-go:4.2.1
In Podman
You can configure multiple registries and podman searches in all registries whichever configured in the config file.
Location of podman configuration file is /etc/containers/registries.conf. and you can add the following lines in that which you might have already done.
[registries.search]
registries = ['docker.io', 'customer-registry.example.com', 'location-a.dev.example.com:17519', 'location-b.dev.example.com:17519']

'docker: invalid reference format' when docker repository is not explicitly specified

I'm running a Docker in Docker container in kubernetes through the Gitlab CI (there is a main image and dind is as a service). In the pod I can build docker images and push them, however any further manipulation or a simple docker run triggers an error of invalid reference format.
There are two additional insecure private repositories specified in the dind service specification. If I try to run docker images without a repo prefix specified, it fails. (note that the images are there, it's just their tag which doesn't have the repo specified)
bash-4.2# docker run hello-world
docker: invalid reference format.
See 'docker run --help'.
bash-4.2# docker run docker.io/hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
bash-4.2#
I would expect the basic docker pull/run commands to pass and to use the images cached in the daemon even when their current tag doesn't contain a repository specified.
Added docker info
Containers: 3
Running: 1
Paused: 0
Stopped: 2
Images: 21
Server Version: 18.09.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.14.35-1844.3.2.el7uek.x86_64
Operating System: Alpine Linux v3.9 (containerized)
OSType: linux
Architecture: x86_64
CPUs: 20
Total Memory: 125.5GiB
Name: runner-vppr4q7s-project-14503-concurrent-08qxbj
ID: HQ3U:HATA:TZUT:OLVS:MHRZ:F4DY:ENBD:Z5WH:FQBC:SGI3:BUUY:QIME
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
HTTP Proxy: xxxxxxxx
HTTPS Proxy: xxxxxxx
No Proxy: localhost,127.0.0.1,.xxxxxxxxxx
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
xxxxxxxxxxxx:5000
yyyyyyyyyyyy:5000
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Registries:
Additionally:
bash-4.2# docker tag docker.io/hello-world:latest hello-world:v1
Error parsing reference: "hello-world:v1" is not a valid repository/tag: invalid reference format
bash-4.2# docker tag docker.io/hello-world:latest some:2000/hello-world:v1
bash-4.2# docker tag docker.io/hello-world:latest docker.io/hello-world:v1
(ok)
And docker images doesn't show the docker.io/hello-world:latest and docker.io/hello-world:v1 but shows some:2000/hello-world:v1

Can't pull image from docker, ProcessUtilityVMImage cannot find the path specified

I have made a .net core app and it is uploaded to docker hub
When I try to pull it to my own machine, (win 10) it just works
When I try to pull it to the server (server 2016) I get an error:
docker pull arrivaflg/flg:20180618104928
....
failed to register layer: re-exec error: exit status 1: output: ProcessUtilityVMImage \\?\C:\ProgramData\docker\windowsfilter\cf1f49a6508aaa657768d667c58779e571392a80be0ba7519fe0835ac2476402\UtilityVM: The system cannot find the path specified.
But the really interesting part is when I try to pull a specific microsoft image, I get the SAME error message. (this is the version 1709 visual studio uses in the docker file on my machine)
c:\tmp>docker pull microsoft/nanoserver:1709
1709: Pulling from microsoft/nanoserver
407ada6e90de: Extracting [==================================================>] 81.04MB/81.04MB
85710d780d68: Download complete
failed to register layer: re-exec error: exit status 1: output: ProcessUtilityVMImage \\?\C:\ProgramData\docker\windowsfilter\cf1f49a6508aaa657768d667c58779e571392a80be0ba7519fe0835ac2476402\UtilityVM: The system cannot find the path specified.
If I don't specify the version number (and it just defaults to latest) there is no problem with getting the nano server on the server
But still a problem with getting mine image to the server.
So I'm guessing I should use a specific version of the nano server.
I have tried with these in my dockerfile:
FROM microsoft/aspnetcore:2.0-nanoserver-1709 AS base
and
FROM microsoft/aspnetcore:2.0-nanoserver-1803 AS base
My server information:
C:\Windows\system32>docker info
Containers: 3
Running: 0
Paused: 0
Stopped: 3
Images: 3
Server Version: 17.06.2-ee-11
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: l2bridge l2tunnel nat null overlay transparent
Log: awslogs etwlogs fluentd json-file logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 14393 (14393.2312.amd64fre.rs1_release.180607-1919)
Operating System: Windows Server 2016 Datacenter
OSType: windows
Architecture: x86_64
CPUs: 2
Total Memory: 4GiB
Name: AWS1twAROS001
ID: IVVQ:GK2Q:DNJ7:PW6W:GYZ7:WYQM:65VV:Q4JM:6BEL:5CGQ:ISXY:AWEF
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

This error message typically indicates that the host system is running an older kernel version than that of the Docker image. As you can see in the table on the Windows Container Version Compatibility page, Windows Server 2016 doesn't support containers based on Windows Server version 1709 or Windows Server version 1803. However, Windows 10 version 1803 does support them through Hyper-V isolation mode, which is why the images were able to work correctly on your own machine.
Your attempts at using different base image versions are almost correct, you simply need the right tag for Windows Server 2016, as listed under the "Windows Server 2016 amd64 tags" section of the aspnetcore image page on Docker Hub:
FROM microsoft/aspnetcore:2.0-nanoserver-sac2016 AS base
This will use the build of the ASP.NET Core image that was built against the Windows Server 2016 version of the Nano Server image, which can then be used under a Windows Server 2016 host system.