moby: Cannot provide multiple logins for the same docker registry

Description

There’s no chance to log into the same registry using different credentials to access to different images within.

Steps to reproduce the issue:

  1. docker login https://registry.example.com/team1 - provide user & password.
  2. docker image pull registry.example.com/team1/image1 - OK.
  3. docker login https://registry.example.com/team2

Describe the results you received:

Authenticating with existing credentials...
Login Succeeded

But, of course, I won’t be able to pull registry.example.com/team2/image2.

Describe the results you expected:

I expected to be able to provide different logins for different namespaces.

Additional information you deem important (e.g. issue happens only occasionally):

The use case I have at hand for this bug is deploying with a Gitlab registry. See their bug report in https://gitlab.com/gitlab-org/gitlab-ce/issues/47767.

Gitlab provides a different namespace per project, under the same registry server. It also allows you to define a deploy token per project. Thus, if you need to deploy 2 projects into the same docker server, it’s not possible to use both tokens at the same time.

However, it is easy to imagine that the same problem can happen on any other registry.

Output of docker version:

Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:11:19 2017
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:09:53 2017
  OS/Arch:      linux/amd64
  Experimental: false

Output of docker info:

Containers: 51
 Running: 51
 Paused: 0
 Stopped: 0
Images: 250
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-29-generic
Operating System: Ubuntu 16.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 62.91GiB
Name: ****
ID: CJB5:Q2UM:YQDG:NATW:Z6LW:HZW2:3ZHX:N2KF:TGGI:4ZPC:TMBX:6YJW
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
 os=Ubuntu 16.04.3 LTS
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical, although it doesn’t matter for this issue AFAICS.

About this issue

  • Original URL
  • State: open
  • Created 6 years ago
  • Reactions: 86
  • Comments: 18 (1 by maintainers)

Most upvoted comments

I wonder if anybody cares about this besides Gordon… 🙄

+47
yajo on Oct 8, 2018

Interesting, that there seem to be not that much people facing this issue… I have had to work around this limitation quite often. So I wonder how we can get this rolling?

+27
mindrunner on Oct 8, 2019

The whole “login” paradigm is… well… typical docker.

It should be possible to pass credentials to registry operations. With command line switches and/or environment variables.

+7
bluikko on Jul 6, 2021

Same problem here on GitLab. The only workaround is to create a service user with the exact set of permissions for each use case. It is very difficult to keep track of this service users and their permissions and since GitLab is pay-per-seat, this can get quite costly.

+6
TheKangaroo on Nov 9, 2020

Same issue here, I am using Gitlab’s auto-build-image to build my project which use an image (as FROM) from another user container registry. the build.sh always overwrites the login to its own registry, so we can’t use images from another users as FROM. If we change CI_REGISTRY_USER CI_REGISTRY_PASSWORD, it’ll not push compiled image to its own registry. It’s frustrating.

+6
david9991 on Mar 5, 2020

Any news here?

+6
fishhead108 on Dec 2, 2019

Any news here?

+4
ZelphirKaltstahl on Jun 5, 2023

I believe the fundamental problem is that docker ~/.docker/config.json "auths" is hostname+port based, not hostname+port+path based. so each login just overwrites the previous login to the same hostname+port.

+4
glensc on Feb 2, 2020

It gets even worse with buildx.

E.g.: you have images in two repositories/namespaces of the same registry:

Without buildx I got around it like this:

docker login registry.example.com <with credentials for registryA>
docker pull registry.example.com/registryA/my-image
docker logout registry.example.com
docker login registry.example.com <with credentials for registryB>
docker tag registry.example.com/registryA/my-image registry.example.com/registryB/my-image
docker push registry.example.com/registryB/my-image

But if I try this with buildx imagetools, I get either ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed or ERROR: server message: insufficient_scope: authorization failed, because I cannot switch authentication between pull and push.

docker buildx imagetools create -t registry.example.com/registryB/my-image registry.example.com/registryA/my-image

One thing you can do is to create multiple configs and point docker to use the appropriate one for your commands. Was new to me as well, but docker supports a CLI argument to point it to the correct config dir:

docker --config $YOUR_SPECIALIZED_CONFIG_DIR <your actual docker command>
+1
ZelphirKaltstahl on Sep 22, 2023

Hi, this ticket has a long time opened. Is it something that is not solved yet or simply someone forgot to close it?

I found two workarounds:

And, I did not try it, but maybe it is also possible to use an alias in the host file (or DNS server) to have a different hostname for each registry.

My question is, is still necessary to use one of these workarounds, or has it been solved in any way?

+1
andresmoschini on Dec 7, 2020
Read more comments on GitHub
← moby: Cannot overwrite file through volume - rpc error: code = 2 desc = "oci runtime error: could not synchronise with container process: not a directory"
moby: Cannot pull image →