I have a GitLab project gitlab.com/my-group/my-project which has a CI pipeline that builds an image and pushes it to the project's GitLab registry registry.gitlab.com/my-group/my-project:tag. I want to deploy this image to Google Compute Engine, where I have a VM running docker.
Easy enough to do it manually by ssh'ing into the VM, then docker login registry.gitlab.com and docker run ... registry.gitlab.com/my-group/my-project:tag. Except the docker login command is interactive, which is a no-go for CI. It can accept a username and password on the command line, but that hardly feels like the right thing to do, even if my login info is in a secret variable (storing my GitLab login credentials in a GitLab secret variable?...)
This is the intended workflow on the Deploy stage of the pipeline:
Either install the gcloud tool or use an image with it preinstalled
gcloud compute ssh my-gce-vm-name --quiet --command \
"docker login registry.gitlab.com && docker run registry.gitlab.com/my-group/my-project:tag"
Since the gcloud command would be running within the GitLab CI Runner, it could have access to secret variables, but is that really the best way to log in to the GitLab Registry over ssh from GitLab?
I'll answer my own question in case anyone else stumbles upon it. GitLab creates ephemeral access tokens for each build of the pipeline that give the user gitlab-ci-token access to the GitLab Registry. The solution was to log in as the gitlab-ci-token user in the build.
.gitlab-ci.yml (excerpt):
deploy:
stage: deploy
before_script:
- gcloud compute ssh my-instance-name --command "docker login registry.gitlab.com/my-group/my-project -u gitlab-ci-token -p $CI_BUILD_TOKEN"
The docker login command creates a local configuration file in which your credentials are stored at $HOME/.docker/config.json that looks like this (also see the documentation on this):
{
"auths": {
"<registry-url>": {
"auth": "<credentials>"
}
}
}
As long as the config.json file is present on your host and your credentials (in this case simply being stored as base64("<username>:<password>")) do not change, there is no need to run docker login on every build or to store your credentials as variables for your CI job.
My suggestion would be to simply ensure that the config.json file is present on your target machine (either by running docker login once manually or by deploying the file using whatever configuration management tool you like). This saves you from handling the login and managing credentials within your build pipeline.
Regarding the SSH login per se; this should work just fine. If you really want to eliminate the SSH login, you could setup the Docker engine on your target machine to listen on an external socket, configure authentication and encryption using TLS client certificates as described in the official documentation and directly talk to the remote server's Docker API from within the build job:
variables:
DOCKER_HOST: "tcp://<target-server>:2376"
DOCKER_TLS_VERIFY: "1"
script:
- docker run registry.gitlab.com/my-group/my-project:tag
We had the same "problem" on other hosting providers. Our solution is to use some kind of custom script which runs on the target machine and can be called via a Rest-Api Endpoint (secured by Basic-Auth or what ever).
So you could just trigger the remote host to do the docker login and upgrade your service without granting SSH Access via gitlab-ci.
While pushing the docker image (after successful login) from my host I am getting "unauthorized: authentication required".
Details below.
-bash-4.2# docker login --username=asamba --email=anand.sambamoorthy#gmail.com
WARNING: login credentials saved in /root/.docker/config.json
*Login Succeeded*
-bash-4.2#
-bash-4.2# docker push asamba/docker-whale
Do you really want to push to public registry? [y/n]: y
The push refers to a repository [docker.io/asamba/docker-whale] (len: 0)
faa2fa357a0e: Preparing
unauthorized: authentication required
Docker version: 1.9.1 (both client and server)
http://hub.docker.com has the repo created as well (asamba/docker-whale).
The /var/log/messages shows 403, I dont know if this docker. See below.
Apr 16 11:39:03 localhost journal: time="2016-04-16T11:39:03.884872524Z" level=info msg="{Action=push, Username=asamba, LoginUID=1001, PID=2125}"
Apr 16 11:39:03 localhost journal: time="2016-04-16T11:39:03.884988574Z" level=error msg="Handler for POST /v1.21/images/asamba/docker-whale/push returned error: Error: Status 403 trying to push repository asamba/docker-whale to official registry: needs to be forced"
Apr 16 11:39:03 localhost journal: time="2016-04-16T11:39:03.885013241Z" level=error msg="HTTP Error" err="Error: Status 403 trying to push repository asamba/docker-whale to official registry: needs to be forced" statusCode=403
Apr 16 11:39:05 localhost journal: time="2016-04-16T11:39:05.420188969Z" level=info msg="{Action=push, Username=asamba, LoginUID=1001, PID=2125}"
Apr 16 11:39:06 localhost kernel: XFS (dm-4): Mounting V4 Filesystem
Apr 16 11:39:06 localhost kernel: XFS (dm-4): Ending clean mount
Apr 16 11:39:07 localhost kernel: XFS (dm-4): Unmounting Filesystem
Any help is appreciated, please let me know if you need further info. I did the push with -f as well. No luck!
You'll need to log in to Docker.
Step 1: log in to docker hub
Based on #KaraPirinc's comment, in Docker version 17 in order to log in:
docker login -u username --password-stdin
Then enter your password when asked.
Step 2: create a repository in the docker hub.
Let's say "mysqlserver:sql".
docker push <user username>/mysqlserver:sql
OK! never mind; I found the solution. with 403 Suspected that the HTTP is not going to the right URL.
Change the file which has the login credentials stored the ~/.docker/config.json from the default generated of
{
"auths": {
"docker.io": {
"auth": "XXXXXXXXXXXXX",
"email": "x.y#gmail.com"
}
}
}
to - Note the change from docker.io -> index.docker.io/v1. That is the change.
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "XXXXXXXXXXXXX",
"email": "x.y#gmail.com"
}
}
}
Hope that helps.
Note that the auth field should be 'username:password" base64 encoded.
for example: "username:password" base64 encoded is "dXNlcm5hbWU6cGFzc3dvcmQ="
so your file would contain:
"auth": "dXNlcm5hbWU6cGFzc3dvcmQ="
The solution you posted is not working for me...
This is what works for me:
Create the repository with the desired name.
When committing the image, name the image like the repository, including the username <dockerusername>/desired-name. For example, radu/desired-name.
if you are using heroku, be sure you did not forget to "heroku container:login" before pushing.
The problem newbies face is that we tend to treat docker hub repository just like a maven repository and think that it might contain many a different files, folders and other contents.
A docker repository on the other hand is just a single image, it does not contain anything else. It can hold different versions of the same image, but its going to contain just one image.
So, name your repository on docker hub the same name as the image you want to push into it, and use your dockerhub username as prefix. For eg, if your username is myusername and your image name is docker-whale , make sure to name your dockerhub repository as docker-whale and use the below commands to tag and push your image to repository:
docker logout # to make sure you're logged out and not cause any clashes
docker tag <imageId> myusername/docker-whale # use :1.0.0 for specific version, default is 'latest'
docker login --username=myusername # use the username/pwd to login to docker hub
docker push myusername/docker-whale # use :1.0.0 for pushing specific version, default is 'latest'
I had the same problem but i fixed it with push with specified url.
as: docker login -u https://index.docker.io/v1/
console output:
The push refers to a repository [docker.io/<username>/richcity]
adc9144127c1: Preparing
4db5654f7a64: Preparing
ce71ae73bc60: Preparing
e8e980243ee4: Preparing
d773e991f7d2: Preparing
bae23f4bbe95: Waiting
5f70bf18a086: Waiting
3d3e4e34386e: Waiting
e72d5d9d5d30: Waiting
8d1d75696199: Waiting
bdf5b19f60a4: Waiting
c8bd8922fbb7: Waiting
unauthorized: authentication required
1010deiMac:dockerspace whoami$ docker login -u <username> https://index.docker.io/v1/
Password:
Login Succeeded
1010deiMac:dockerspace whoami$ docker push <username>/richcity
The push refers to a repository [docker.io/<username>/richcity]
adc9144127c1: Pushed
4db5654f7a64: Pushed
ce71ae73bc60: Pushed
e8e980243ee4: Pushed
d773e991f7d2: Pushed
bae23f4bbe95: Pushed
5f70bf18a086: Pushed
3d3e4e34386e: Pushing [=============> ] 45.07 MB/165.4 MB
e72d5d9d5d30: Pushed
8d1d75696199: Pushing [> ] 1.641 MB/118.1 MB
bdf5b19f60a4: Pushing [============> ] 142 MB/568.4 MB
c8bd8922fbb7: Pushing [========================> ] 59.44 MB/121.8 MB
I was running into a similar issue with a similarly unhelpful error message, but it turned out to be because I was trying to push an image that I had built against a docker-machine managed instance.
When I logged into the instance itself, did docker login and docker push everything worked fine.
In case it helps anyone, I managed to resolve this with the following command at the prompt:
az acr login -n MyContainerName
After this, I could run docker push successfully.
Though the standard process is to login and then push to docker registry, trick to get over this particular problem is to login by providing username and password in same line.
So :
docker login -u xxx -p yyy sampledockerregistry.com/myapp
docker push sampledockerregistry.com/myapp
Works
whereas
docker login sampledockerregistry.com
username : xxx
password : yyy
Login Succeeded
docker push sampledockerregistry.com/myapp
Fails
Even I logged in and checked all the configuration, it still does not work !!!
It turned out that when I build my docker, I forget to put my username before the repo name
docker build docker-meteor-build
(build successfully)
And then when I pushed to my repository, I used
docker push myname/docker-meteor-build
It will show the unauthorized authentication required
So, solution is then name of build and the push should be exactly the same
docker build myname/docker-meteor-build
docker push myname/docker-meteor-build
Here the solution for my case ( private repos, free account plan)
https://success.docker.com/Datacenter/Solve/Getting_%22unauthorized%3A_authentication_required%22_when_trying_to_push_image_to_DTR
The image build name to push has to have the same name of the repos.
Example:
repos on docker hub is: accountName/resposName
image build name "accountName/resposName" -> docker build -t accountName/resposName
then type
docker push accountName/resposName:latest
That's all.
My problem was an invalid Authorization token after 5 minutes.
The push took more than 5 minutes because of the image size.
I've fixed it by increasing the "Authorization token duration" to 10 minutes.
If you are pushing a new private image for the first time, make sure your subscription supports this extra image.
Docker allows you to have 6 private images named, even if you only pay for 5, but not to push that 6th image. The lack of an informative message is confusing and irritating.
What worked for me was to create a new repository and rename the image with
$ docker tag image_id myname/server:latest
Make sure you have more slots for private images.
In my case I converted a user into an organization and it lost it's one free private image, so previous pushes that worked, no longer worked.
Same problem here, during pushing image:
unauthorized: authentication required
What I did:
docker login --username=yourhubusername --email=youremail#company.com
Which it printed:
--email is deprecated (but login succeeded still)
Solution: use the latest login syntax.
docker login
It will ask for both username and password interactively. Then the image push just works.
Even after using the new syntax, my ~/.docker/config.json looks like this after logged in:
{
"auths": {
"https://index.docker.io/v1/": {}
},
"credsStore": "osxkeychain"
}
So the credential is in macOS' keychain.
Try docker logout first, then relogin with docker login
You can mv the xxx/.docker/config.json file somewhere for handle it.
Then try to login again for create new config.json file.
#mv xx/.docker/config.json xx/.docker/config_old.json
#docker login https://index.docker.io/v1/
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: YOUR USERNAME
Password: YOUR PASSWORD
WARNING! Your password will be stored unencrypted in /xxx/.docker/config.json.
Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
I had a similar problem.
Error response from daemon: Get https://registry-1.docker.io/v2/hadolint/hadolint/manifests/latest: unauthorized: incorrect username or password
I found out out that even if I login successfully with the docker login command, any pull failed.
I tried to clean up the ~/.docker/config.json but nothing improved.
Looking in the config file I've seen that the credentials were not saved there but in a "credsStore": "secretservice".
In Linux this happen to be the seahorse or Passwords and Keys tool.
I checked there and I cleanup all the docker hub login.
After this a new docker login worked as expected.
in your configuration file ~/.docker/config.json add
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "XXXXXXXXXXXXX",
"email": "my_email#gmail.com"
}
}
}
where XXXXX is base64 encoding of your username:password (the : is included) of https://hub.docker.com
in my case i had the same error with a pull. the problem (under windows) was provoked by double docker running process, so a kill them all and restart one service and it works .
I have received similar error for sudo docker push /sudo docker pull on ecr repository.This is because aws cli installed in my user(abc) and docker installed in root user.I have tried to run sudo docker push on my user(abc)
Fixed this by installed aws cli in root , configured aws using aws configure in root and run sudo docker push to ecr on root user
If you running windows 7 docker Registry
Start **Docker Quick Start terminal** run (this terminal enables connection ) Until you pushed images , that will keep token alive .
Login
docker login
Make sure you tag the image with username
docker build -f Dockerfile -t 'username'/imagename
push image
docker image push username/imagename
Note: image name all lowercase
I tried all the methods I can find online and failed. Then I read this post and get some ideas from #Alex answer. Then I search about ""credsStore": "osxkeychain"" which is used in my config.json. The I follow this link https://docs.docker.com/engine/reference/commandline/login/ to logout and then login again. Finally, I can push my image successfully.
I had the same problem and I can fix it.
change the ~/.docker/config.json file as below
{
"auths": {
"XxX": {
"auth": "XxX"
}
}
}
and do not forget to restart docker service.
service docker restart
enjoy
i was facing the same problem with Heroku and Docker, the solution was
docker login
docker build . -t <project_name>
heroku container:login
heroku container:push web -a <project_name>
I had the same problem but I fixed it with push with a specified URL:
docker login -u https://index.docker.io/v1/
Just curious to know what could be the cause for this issue?
Old post but had same issue and couldn't find the answer.
NOTE: the Docker tag is case sensitive to Azure loginserver name.
I was uploading to Azure container. Container was named "LearnContainer81"
Loginserver was "learncontainer81.azurecr.io"
When I did the tag in Docker, I did it with "LearnContainer81.azurecr.io/X" and it gives unauthorised. Did tag again in lowercase as per Loginserver for Azure. This then uploaded fine.
Its the problem with the proxy.
Turn off the VPN if you are working on any.
https://forums.docker.com/t/failed-with-status-401-unauthorized/11023/3
I'm using my self-hosted docker registry, where I terminate HTTPS/SSL first on another server (such as nginx or trafficserver), and then pass the traffic to registry over non-encrypted HTTP. After a lot of research, I managed to get it to work.
i) the problem is caused by not having X-Forwarded-Proto -header set in PATCH -requests, resulting in 401 error. See https://github.com/distribution/distribution/issues/1177#issuecomment-155718420
ii) nginx version 18 (and lower such as Ubuntu Bionic and Focal) seems not to pass the
proxy_set_header X-Forwarded-Proto https;
for PATCH (POST works ok), but nginx version 21 works ok.
Also Apache Trafficserver seems to pass the headers properly, once enabled.
Make sure your docker repositry name matches your local docker repo name.
e.g lets say if you local repo name "kavashgar/nodjsapp"
then your should also have a repo names "kavashgar" in docker hub