Problem to solve
I’m unable to pull my docker images from registry.gitlab.com on my production server (Ubuntu 24.04). The images are built and pushed through GitLab CI/CD pipelines and stored in the GitLab container registry.
I’m using a Deploy Token to authenticate, and the project is private and belongs to a group, not an individual account.
Here are the errors I’m seeing:
Error 1:
error pulling image configuration: download failed after attempts=1: denied: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message></Error>
Error 2:
error pulling image configuration: download failed after attempts=1: denied:
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/gitlab/docker/registry/v2/blobs/sha256/.../data</code> from this server.</h2>
<h2></h2>
</body></html>
This works perfectly on my local machine, but I can’t figure out what could be missing on the production server.
Steps to reproduce
1. I built the Docker images through a GitLab pipeline. Building it locally should do it too.
2. Push to the GitLab container registry locally or through the pipeline.
3. Generate a Deploy Token or an Access token with the read_registry right (on group level or on project level).
4. Log in with docker login registry.gitlab.com by using the token generated at step 3.
5. When I run docker pull registry.gitlab.com/<group>/<project>:<tag> only on my production machine, I get the errors above.
6. Using the same token when logging in, I can pull the image on my local machine without any issue.
I’ve followed the steps in the GitLab documentation for creating and using a Deploy Token for Docker Registry access.
I also tried to use an Access Token on both the group which owns the project and my own individual user account. The project is private, and I’ve made sure the Deploy Token has the correct read_registry permission.
Configuration
I’m using GitLab SaaS, and the project is a private repository belonging to a group.
Versions
GitLab.com SaaS
Production server: Ubuntu 24.04
Docker version on production server: Docker version 27.3.0
Helpful resources
I’ve consulted the following documentation, but the issue persists:
Using GitLab Container Registry
Has anyone faced similar issues, or is there something specific to production environments or Deploy Token setups that could cause this? Any guidance would be appreciated.
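
Added diagnostic example (not part of the original post, and not GitLab's own code): it inspects the bearer token that the registry auth endpoint issues for a deploy token and checks whether `pull` is granted on the repository, which separates a token-scope problem from a denial at the later blob download step. It assumes the token follows the Docker registry token format with an `access` claim; `mygroup/myproject` and the sample tokens are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

JWT_AUTH_URL = "https://gitlab.com/jwt/auth"  # GitLab.com registry token endpoint


def fetch_registry_token(username, token, repo_path):
    """Request a pull-scoped bearer token, as the Docker client does (needs network)."""
    query = urllib.parse.urlencode(
        {"service": "container_registry", "scope": f"repository:{repo_path}:pull"}
    )
    req = urllib.request.Request(f"{JWT_AUTH_URL}?{query}")
    basic = base64.b64encode(f"{username}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {basic}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


def granted_actions(bearer_jwt, repo_path):
    """Return the actions the JWT grants on repo_path (signature NOT verified)."""
    parts = bearer_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    actions = set()
    for entry in claims.get("access") or []:
        if entry.get("type") == "repository" and entry.get("name") == repo_path:
            actions.update(entry.get("actions", []))
    return actions


def can_pull(bearer_jwt, repo_path):
    return "pull" in granted_actions(bearer_jwt, repo_path)


def _constructed_jwt(access):
    """Build an unsigned sample token for offline use (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"access": access}), "sig"])


# Constructed samples: one token granting pull, one granting nothing.
SAMPLE_OK = _constructed_jwt(
    [{"type": "repository", "name": "mygroup/myproject", "actions": ["pull"]}]
)
SAMPLE_EMPTY = _constructed_jwt([])
```

On the affected server, pass the deploy token's username and value to `fetch_registry_token` and feed the result to `can_pull`; keep the token out of shell history and logs.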