Docker private registry, docker push is forbidden

I set up a private registry, which runs fine. Docker 1.10. I chose to change the host and recreate the certificate. All runs fine on my server, but on my customer's server I can't push an image to the registry:

unable to ping registry endpoint https://my.customer.private.hostname:5000/v0/
 v2 ping attempt failed with error: Get https://my.customer.private.hostname:5000/v2/: Forbidden
 v1 ping attempt failed with error: Get https://my.customer.private.hostname:5000/v1/_ping: Forbidden

I can't find anybody else talking about a 'forbidden' answer on Google. Where can I search to understand? I already deleted the container, the image, uninstalled docker, reinstalled docker, but still get the same error. The only thing I did not delete is the thinpool used to store docker data (devicemapper).

There is a systemd conf file for docker:

/etc/systemd/system/docker.service.d/http-proxy.conf

with

[Service]
Environment="HTTP_PROXY=http://proxy:3128"
Environment="NO_PROXY=localhost,127.0.0.0/8"

The registry IP was not localhost, so I needed to add the host to the NO_PROXY variable. I still do not understand why the first host worked. Restarting the registry container without https (http only) and using tcpdump helped us to resolve this issue.
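The check behind this fix, as an added example that is not part of the original thread: it reads NO_PROXY from a Docker systemd drop-in and reports whether a given registry host would bypass the proxy. The function names and the two sample files are constructed for illustration, and the matching is a simplification (exact host or domain suffix only; hostnames and IPv4, no CIDR evaluation).

```shell
#!/bin/sh
# Added example (not from the thread). Matching is simplified to exact host or
# domain suffix; CIDR entries such as 127.0.0.0/8 are not evaluated.

# Print the last NO_PROXY value set in a systemd drop-in, ignoring comments.
no_proxy_from_dropin() {
    grep -v '^[[:space:]]*#' "$1" | grep -o 'NO_PROXY=[^" ]*' | tail -n 1 | cut -d= -f2-
}

# Return 0 if registry $1 (host or host:port) matches an entry of list $2.
host_bypasses_proxy() {
    host=${1%%:*}                             # drop the port (hostnames/IPv4 only)
    old_ifs=$IFS; IFS=,; set -f               # split on commas, no globbing
    for entry in $2; do
        entry=${entry#.}                      # ".corp.example" == "corp.example"
        [ -n "$entry" ] || continue
        case $host in
            "$entry"|*."$entry") IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Report how the daemon configured by drop-in $1 would reach registry $2.
check_registry() {
    list=$(no_proxy_from_dropin "$1")
    if host_bypasses_proxy "$2" "$list"; then
        echo "$2: direct (NO_PROXY=$list)"
    else
        echo "$2: sent through the proxy (NO_PROXY=$list)"; return 1
    fi
}

# Constructed sample drop-ins: the one from the thread, then the corrected one.
tmp=$(mktemp -d)
printf '%s\n' '[Service]' 'Environment="HTTP_PROXY=http://proxy:3128"' \
    'Environment="NO_PROXY=localhost,127.0.0.0/8"' > "$tmp/before.conf"
printf '%s\n' '[Service]' 'Environment="HTTP_PROXY=http://proxy:3128"' \
    'Environment="NO_PROXY=localhost,127.0.0.0/8,my.customer.private.hostname"' > "$tmp/after.conf"

check_registry "$tmp/before.conf" my.customer.private.hostname:5000 || true
check_registry "$tmp/after.conf"  my.customer.private.hostname:5000
```

After editing the real drop-in, the daemon only picks up the change after `systemctl daemon-reload` and `systemctl restart docker`.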

For me it is very strange that docker is trying to reach port 5000 via https and then you made a curl with http to the same port and it worked.

Probably you are doing: docker pull my.customer.private.hostname:5000 xxx/yyy instead of docker pull my.customer.private.hostname xxx/yyy

Regards

My docker registry has a certificate built for it, and the CA certificate is given to each Docker installation in /etc/docker/certs.d/myregistry.domain.tld:5000/ca.crt, so my registry is not insecure. But I will try to be sure.

You changed the host; did you update the DNS records?

Yes, and curl -k https://my.customer.private.hostname:5000/v2/_catalog gives me a JSON record with my docker images.

First of all we need to know if it's a certificate issue. Try the --insecure-registry myregistry:5000 option.

Have you done a docker login my.customer.private.hostname:5000? I’d preface that with a docker logout my.customer.private.hostname:5000 to make sure an old login isn’t sitting around.

No, but there is no login on my private registry. I will try it.