Sometimes “Access denied” when pulling Docker image from public project
I have a public Docker project on GitLab: Bitosis / docker-dita-ot · GitLab
The project has a CI pipeline that builds the Docker image and pushes it to the GitLab registry. The project visibility is “public” and the Container registry is set to “Everyone with access”. According to the documentation that means that everyone on the internet has access, which is my intention.
Now when I log in to a server (silver) and try to pull this image it works as expected:
serrano@silver:~$ docker run registry.gitlab.com/bitosis/docker-dita-ot:latest bash
Unable to find image 'registry.gitlab.com/bitosis/docker-dita-ot:latest' locally
latest: Pulling from bitosis/docker-dita-ot
f45c08f0facb: Pull complete
Digest: sha256:0687792a7356b982f54be9bbff9bf951badaaf7f02eaede69a29789f0fcd835d
Status: Downloaded newer image for registry.gitlab.com/bitosis/docker-dita-ot:latest
DITA-OT init process complete.
Now when I try to do the same thing on another server (gold), which is configured exactly the same way as silver:
serrano@gold:~$ docker run registry.gitlab.com/bitosis/docker-dita-ot:latest bash
Unable to find image 'registry.gitlab.com/bitosis/docker-dita-ot:latest' locally
docker: Error response from daemon: Head "https://registry.gitlab.com/v2/bitosis/docker-dita-ot/manifests/latest": unauthorized: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/user/profile/account/two_factor_authentication#troubleshooting.
See 'docker run --help'.
But trying to pull any other Docker image works fine:
serrano@gold:~$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete
Digest: sha256:d000bc569937abbe195e20322a0bde6b2922d805332fd6d8a68b19f524b7d21d
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
Now this is where it gets really weird. If I try to pull the image as root, it works:
serrano@gold:~$ sudo docker run registry.gitlab.com/bitosis/docker-dita-ot:latest bash
Unable to find image 'registry.gitlab.com/bitosis/docker-dita-ot:latest' locally
latest: Pulling from bitosis/docker-dita-ot
f45c08f0facb: Pull complete
Digest: sha256:0687792a7356b982f54be9bbff9bf951badaaf7f02eaede69a29789f0fcd835d
Status: Downloaded newer image for registry.gitlab.com/bitosis/docker-dita-ot:latest
/usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-init.d/*
DITA-OT init process complete.
Can anyone tell me why it doesn’t work as expected on gold? Both servers are running Debian 11 and are configured the same way with Ansible.