I am running GitLab CI on an EC2. In one of my steps, I pull an image from my private nexus registry.
I am able to login to registry
podman login --tls-verify=false -u {user}
I am also able to pull an image from that registry
podman pull --tls-verify=false private/nexus/repo/image:1
If, however, I try to build a dockerfile with the same image, I get an error.
FROM private/nexus/repo/image:1
...
Trying to build the above image results in invalid status code from registry 404 not found.
I have no idea what the issue is.
Related
I've been given a Docker image stored in the gitlab container registry, registry.gitlab.com.
I have a gitlab acount, with a password, and I am able to do a docker login:
docker login registry.gitlab.com
After I do that, I no longer get an authentication error when I try to do a docker command against that registry.
And the documentation for using that registry seems clear:
Go to your project or group’s Packages and registries > Container Registry and find the image you want.
Next to the image name, select Copy.
Use docker run with the image link:
docker run [options] registry.example.com/group/project/image [arguments]
https://docs.gitlab.com/ee/user/packages/container_registry/
But when I run any kind of docker command with the group/project/image I just copied, I just get the "manifest unknown" docker error, which normally indicates that the image is missing or mis-spelled.
So, maybe gitlab is broken, or maybe the gitlab documentation is wrong, or maybe there is something wrong with that particular image, or maybe it doesn't work using docker on WSL through Docker Desktop on Win10, or maybe ... I just haven't set up something correctly.
FWIW, Docker Desktop is a Windows service/application that proxies 'docker' commands in Windows, sending them to a docker instance running on WSL. It's normally transparent. It maintains a local registry, and seems to have some way of connecting to docker hub, but I've never used it with any other registry.
I'd like to pull that image into my local registry. What should I do different?
How to pull images from a private repository using containerd?
I using the below containerd command to pull an image from a private repository, but it's failing with the below error message.
sudo crictl pull qtech/graphql:latest
FATA[0002] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/qtech/graphql:latest": failed to resolve reference "docker.io/qtech/graphql:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
I did log in using my docker credentials and pulled the same image with success.
azureuser#zk-master:~$ sudo docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: qtech
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
azureuser#zk-master:~$ sudo docker pull qtech/graphql:latest
latest: Pulling from qtech/graphql
40e059520d19: Pull complete
e640ca4424de: Pull complete
3ee146eff338: Pull complete
7a51ccd0399b: Pull complete
c49798e0169e: Pull complete
519f1a159b82: Pull complete
6200637fe07c: Pull complete
5789d71f6f43: Pull complete
Digest: sha256:186ba59f4d3ccb03fd84888fc33aa12a8854f23e566c6e5a870ef7a43c3fb1f1
Status: Downloaded newer image for qtech/graphql:latest
docker.io/qtech/graphql:latest
azureuser#zk-master:~$
But containerd seems to be not picking up those credentials during run time.
So how to pull images from a private repository using containerd?
This worked for me:
crictl pull --creds "UserName:Password" "image details from private registry#SHA details"
If I run the 'docker pull' command to pull an image directly from docker hub, it works fine.
But when I pull the image via Artifactory, i.e. with docker hub as the remote repository, then I got this error:
Error response from daemon: manifest for //image1:1.0.0 not found: manifest unknown: The named manifest is not known to the registry.
Another note is, if the image doesn't have the "image path", it works fine.
What is going wrong here? Thanks for your help!
Maybe repo is empty. Check on dockerhub
But it seems to get the following error. I have cloned the package and have access rights to it.
failed to load cache key: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
EDIT
This error seems to be due to docker on M1 chip and not because of any repo access. The error is same when I run getting-started guide. I can't build anything using Docker for Desktop on Mac.
EDIT 2
I tried building with sudo and it worked fine. The error seems to be with Repository builds as they don't use sudo and I have been updating DOCKER_BUILD_SUDO=sudo but the issue persists.
The problem is not the access to the repository, but to the image registry:
pull access denied ... insufficient_scope
If you have the credentials, prior to building issue a docker login command. If not, you'll need to either ask for them the maintainer or you're out of luck unless you find an alternative (public) image and replace it in the Dockerfile.
So, we have permissions setup on who can push to the docker registry in artifactory. Now, I created a dockercfg file in $HOME/.dockercfg on my mac and added the username and passing using the curl command:
curl -uaaaaa:bbbbbbb "https://docker.io/v2/auth" >> $HOME/.dockercfg
After that when I try to push an image to docker registry, it fails with the below error:
unauthorized: The client does not have permission to push to the repository.
When I look at the docker request.log in the registry, I see its trying to push as anonymous from my mac. This is very confusing. Even though I have the $HOME/.dockercfg which has a user.
I also tried the docker login docker.io way but that too isnt helping.
It seems that the artifactory docker registry isnt able to find the user info when I am pushing from my mac and shows as anonymous.
My artifactory server version is 4.5.0 and docker 1.12.0-rc2.
Can anybody please help.
To the best of my knowledge Docker 1.12 no longer supports configuration placed under ~/.dockercfg instead it should be placed under ~/.docker/config.json --> In any case the method you're using was relevant for the older docker clients, you should use docker login to authenticate your docker client with Artifactory.
As a side note, Your version of Artifactory is a bit old - newer versions have made significant changes to support the newer Docker versions so you should upgrade before trying again.
Also remember to configure your Reverse Proxy to work with Artifactory and that you also probably need to set up Docker (and your reverse proxy) to use self-signed certificates.