We have a local GitLab registry with two peculiarities: #1 is that it's behind a TLS client authentication proxy, and #2 is that this proxy also munges the host name of the service, as the same GitLab registry is deployed in a private network under a different name.
Pulling images from docker CLI works, and it also works while pulling individual images from Portainer - either individually for images, or for an already existing container, but it fails with a 403 Forbidden when pulling the same images as a part of a stack (docker-compose file referencing the images).
Expected Behavior
(Re)deploying a stack works, including pulling required images.
Actual Behavior
failed to pull images of the stack: image1 Pulling image2 Pulling image3 Pulling image4 Pulling image5 Error image2 Error image1 Error image3 Error Error response from daemon: Head "https://fqdn/v2/path/manifests/on-prod-v4": denied: access forbidden
The fqdn is the proxy address and it's indeed accessible publicly (as we can pull docker images from it with the docker CLI and individual images with Portainer).
Steps to Reproduce
Not sure. You'd have to have an nginx proxy which does TLS client auth for incoming requests, and rewrites the host name to the internal one.
Portainer logs or screenshots
failed to pull images of the stack: image1 Pulling image2 Pulling image3 Pulling image4 Pulling image5 Error image2 Error image1 Error image3 Error Error response from daemon: Head "https://fqdn/v2/path/manifests/on-prod-v4": denied: access forbidden
If the last registry I added/updated was accountB, only the second stack will be able to be re-deployed, but the first stack will fail because of authentication permission.
If I go to the "Images Section" I am able to re-pull accountA/projectA:main and accountB/projectB:main images by selecting the appropriate registry.
I have the exact problem and it's really frustrating. Any updates on this?
Portainer version
2.19.0
Portainer Edition
Community Edition (CE)
Platform and Version
Docker 24.0.6
OS and Architecture
Ubuntu 22.04
Browser
Chrome
What command did you use to deploy Portainer?