`docker login` success false positive for Docker Hub registry
cavcrosby opened this issue · comments
Problem description
docker login registry-1.docker.io
returns success when using a username and personal access token for the Docker Hub registry (or registry-1.docker.io
). However, I am unable to pull any of my private images once successfully authenticated. For example, when I run docker pull cavcrosby/k8s101-hello-go
I receive the following error: Error response from daemon: pull access denied for cavcrosby/k8s101-hello-go, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
.
I don't appear to be the only one either who has run into this issue either, see #2285 (comment). However, said individual from the linked issue reported getting things to work with a user(name) and password but in 2023 MFA/2FA is a no-brainer and I can't see myself turning it off.
That said, I managed to work around this issue by modifying the registry portion of my image to explicitly mention the Docker Hub registry. So the command now was docker pull registry-1.docker.io/cavcrosby/k8s101-hello-go
. This worked, but it isn't something I would have expected to append considering I believe the Docker Hub registry is the default registry used for Docker images.
Perhaps I'm just missing something here.
docker info
output
Docker Info:
Client: Docker Engine - Community
Version: 24.0.5
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.11.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.20.2
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 41
Server Version: 24.0.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
runc version: v1.1.8-0-g82f18fe
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
Kernel Version: 6.4.6-76060406-generic
Operating System: Pop!_OS 22.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 62.71GiB
Name: Ron
ID: YNLD:RFIN:MX4C:4EK2:ZBZB:4MDY:7J77:RJUE:5HYE:2ALU:TTIM:6XQ4
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 22
Goroutines: 34
System Time: 2023-08-14T23:08:47.699611061-04:00
EventsListeners: 0
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Task List
- This is NOT a security issue
- I do NOT have a Docker subscription
- I have looked through other issues and they do NOT apply to me
When you run docker login registry-1.docker.io
the authentication details are put in your local credential store based on the key of the registry you are authenticating against. In this case, that is registry-1.docker.io
. Then, when you run docker pull cavcrosby/k8s101-hello-go
Docker engine looks up authentication details in the credential store based on the key http://index.docker.io
and there is nothing there, so it thinks you are not authenticated against Docker Hub.
I recommend that whatever registry you use in one docker
command should be used in all others.
e.g. docker login registry-1.docker.io
and docker pull registry-1.docker.io/cavcrosby/k8s101-hello-go
e.g. docker login
and docker pull cavcrosby/k8s101-hello-go
Either of these examples should work. As humans, we know those point to the same registry, Docker Hub Registry, but Docker engine doesn't understand that.
I appreciate the clarifications, this gives me a better idea of what's going then. I will now close this issue out because it seems this behavior is intended.