2

I set up a private registry, which runs fine. Docker 1.10. I chose to change the host and recreate the certificate. Everything runs fine on my server, but on my customer's server I can't push an image to the registry:

```
unable to ping registry endpoint https://my.customer.private.hostname:5000/v0/
 v2 ping attempt failed with error: Get https://my.customer.private.hostname:5000/v2/: Forbidden
 v1 ping attempt failed with error: Get https://my.customer.private.hostname:5000/v1/_ping: Forbidden
```

I can't find anybody else talking about a 'forbidden' answer on Google. Where can I search to understand? I already deleted the container and the image, uninstalled Docker, and reinstalled Docker, but I still get the same error. The only thing I did not delete is the thinpool used to store Docker data (devicemapper).

Cédric Girard
  • You changed the host, did you update DNS records? – Farhad Farahi Sep 15 '16 at 18:55
  • Yes, and `curl -k https://my.customer.private.hostname:5000/v2/_catalog` gives me a JSON record with my Docker images. – Cédric Girard Sep 16 '16 at 14:42
  • First of all we need to know if it's a certificate issue. Try the `--insecure-registry myregistry:5000` option. – Farhad Farahi Sep 16 '16 at 16:07
  • My Docker registry has a certificate built for it, and the CA certificate is given to each Docker installation in `/etc/docker/certs.d/myregistry.domain.tld:5000/ca.crt`, so my registry is not insecure. But I will try, to be sure. – Cédric Girard Sep 19 '16 at 12:29
  • Have you done a `docker login my.customer.private.hostname:5000`? I'd preface that with a `docker logout my.customer.private.hostname:5000` to make sure an old login isn't sitting around. – BMitch Sep 19 '16 at 14:36
  • No, but there is no login on my private registry. I will try it. – Cédric Girard Sep 20 '16 at 10:53

2 Answers

2

There is a systemd conf file for Docker:

`/etc/systemd/system/docker.service.d/http-proxy.conf`

with

```
[Service]
Environment="HTTP_PROXY=http://proxy:3128"
Environment="NO_PROXY=localhost,127.0.0.0/8"
```

The registry IP was not localhost, so I needed to add the host to the `NO_PROXY` variable. I still do not understand why the first host worked. Restarting the registry container without HTTPS (HTTP only) and using tcpdump helped us resolve this issue.

Cédric Girard
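A check for the misconfiguration described in the answer above, as an added example that is not part of the original answer: it reads the drop-in text, tests whether the registry host is excluded from the proxy, and prints the `NO_PROXY` line to use if it is not. The function names are hypothetical, the drop-in is a constructed copy of the one quoted, and matching is simplified to exact names and domain suffixes (CIDR entries are not evaluated).

```shell
#!/bin/sh
# Added example (hypothetical helper names): does a registry host bypass
# the proxy configured for the Docker daemon?

# Constructed sample mirroring the drop-in quoted in the answer.
SAMPLE_DROPIN='[Service]
Environment="HTTP_PROXY=http://proxy:3128"
Environment="NO_PROXY=localhost,127.0.0.0/8"'

# Print the value of Environment="<name>=..." from drop-in text on stdin.
# The last assignment wins, as it does in systemd.
dropin_var() {
    sed -n "s/^Environment=\"$1=\(.*\)\"\$/\1/p" | tail -n 1
}

# Exit 0 if host $1 matches an entry of the comma-separated list $2.
# Simplified: exact name or domain suffix; hostnames and IPv4 only.
no_proxy_covers() (
    host=${1%%:*}            # drop any :port
    set -f; IFS=','          # split on commas, no globbing (subshell only)
    for entry in $2; do
        entry=${entry# }; entry=${entry%%:*}; entry=${entry#.}
        [ -n "$entry" ] || continue
        [ "$entry" = "*" ] && exit 0
        case "$host" in
            "$entry" | *".$entry") exit 0 ;;
        esac
    done
    exit 1
)

# Print "direct" if registry $1 bypasses the proxy given drop-in text $2,
# otherwise print the Environment line that would exclude it.
check_registry() (
    np=$(printf '%s\n' "$2" | dropin_var NO_PROXY)
    proxy=$(printf '%s\n' "$2" | dropin_var HTTP_PROXY)
    if [ -z "$proxy" ] || no_proxy_covers "$1" "$np"; then
        echo "direct"
    else
        echo "Environment=\"NO_PROXY=${np:+$np,}${1%%:*}\""
    fi
)

check_registry "my.customer.private.hostname:5000" "$SAMPLE_DROPIN"
```

After changing the drop-in, run `systemctl daemon-reload` and restart the Docker service so the daemon picks up the new environment.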
0

For me it is very strange that Docker is trying to reach port 5000 via https, and then you made a curl with http to the same port and it worked.

Probably you are doing: `docker pull my.customer.private.hostname:5000 xxx/yyy` instead of `docker pull my.customer.private.hostname xxx/yyy`

Regards

Carlos Rafael Ramirez