Pulling Docker image from GitLab Container Registry stopped working, only for one project

I use the GitLab.com free plan to host certain projects for my clients in separate namespaces.

I have some base Docker images hosted in a private repository’s container registry in GitLab. I reference this image from other projects in other namespaces. Furthermore, I’m the sole developer in those namespaces, so It’s clear I have access rights to these docker images on that other repository.

Now, for some reason, I see an error in one project when it tries to pull the docker image:

Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.gitlab.com/<url-to-image>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:203:0s)

This didn’t happen 10 days ago, but happens now. For no particular reason. There was no change regarding the CI setup. And it only seems to happen in that one project. I use it exactly in the same way as 10 days ago, when it worked.

I already tried switching to a different Docker image published in the same container registry as the one failing. But this fails too.

So, the main questions now are

  • Were there any significant GitLab CI changes since May 23 that might cause this?
  • Is there any limitation how often a project can pull images from the container registry in GitLab?
  • Are there any other limitations I might need to know of that could cause the issue?

I have the same user permissions in all projects, in the ones where it still works and the single one, where it doesn’t. I can also pull the image locally.

Any inputs what to look for?

Hi @renestalder did you fix this in the end? I’ve had the same problem with images pulled from Docker Hub.

The only workaround I found was to set the project to public, while restricting all access to the features except the container registry to members only. I found no real solution.

Oh, that’s interesting, thanks. It hadn’t occurred to me that project visibility might be relevant here.

Facing the same problem without the possibility to make the project public, I took the following approach:

  1. Create a deploy key with “read registry” permission in the repo for the “source” image

  2. Pull this image in the pipeline of your target repo (docker login/docker pull/docker logout) using the deploy key created above

  3. Now you have this image available locally in your build environment and can access it.

In my case I needed the Docker image located in source repo’s registry as the base image for my Dockerfile in the target repo. The code in the target repo’s pipeline looks basically like this:

  script:
    - docker login -u "$BASE_IMAGE_TOKEN_USER" -p "$BASE_IMAGE_TOKEN_PASSWORD" "$CI_REGISTRY"
    - docker pull "$CI_REGISTRY/my_source_repo:my_source_image_tag"
    - docker logout

BASE_IMAGE_TOKEN_USER and BASE_IMAGE_TOKEN_PASSWORD contain the deploy key created in the source repo stored in CI/CD variables.

I opened a new issue as I also stumpled upon this: "docker pull" with deploy token fails on registry.gitlab.com - but only on public repos which have restricted docker registry to project members (#370039) · Issues · GitLab.org / GitLab · GitLab