This section explains how to troubleshoot common Container Registry and Docker issues.
Domain-scoped projects
If you receive the error invalid reference format
, one problem may be that
you have a domain-scoped project.
If your project is scoped to your domain, then the project ID includes the
domain and a colon, for example: example.com:my-project
. See
Domain-scoped projects
for how to work with projects IDs that include a domain.
Error: Status 405: v1 Registry API is disabled.
If you continuously encounter an error such as "v1 Registry API is disabled" when pulling or pushing images, ensure that your hostname, project ID, image name, and tag or digest are spelled correctly.
To see your image's tags and digest, run the following command:
gcloud container images list-tags [HOSTNAME]/[PROJECT-ID]/[IMAGE]
For example:
gcloud container images list-tags gcr.io/my-project/my-image
For more information about listing image tags and digests, see Managing Images.
Permission issues
The following sections describe solutions for specific permissions issues. Always make sure that you have the required permissions to push or pull. See Permissions and roles.
Permission issues related to uniform bucket-level access
If you have enabled uniform bucket-level access on a storage bucket that is used by Container Registry, then you might have access issues pushing and pulling to Container Registry.
To fix access issues, ensure that you have the required permissions to push or pull. These permissions are listed in Permissions and roles.
Permission issues related to Docker setup on your local machine
If you encounter a permission denied
error, such as the following example:
FATA[0000] Post http://var/run/docker.sock/v1.17/images/gcr.io/container-engine-docs/example/push?tag=: dial unix /var/run/docker.sock: permission denied
ERROR: (gcloud.docker) A Docker command did not run successfully.
Tried to run: 'docker push gcr.io/container-engine-docs/example'
Exit code: 1
You may need to add yourself to the docker
user group.
Run the following command in your shell or terminal window:
sudo usermod -a -G docker ${USER}
Restart your system after adding yourself to the docker
user group.
Permission issues when communicating with Container Registry
If you encounter a permission error like the following:
Permission denied: Unable to create the repository, please check that you have access to do so
Verify that billing is enabled for your project.
Verify your access:
Ensure that you are authenticated for
gcloud
by running the following command:gcloud init
Ensure that Docker is configured to use
gcloud
as a Container Registry credential helper by running the following command:gcloud auth configure-docker
Verify that
docker-credential-gcloud
can be executed:docker-credential-gcloud list
You should see a JSON object with your target registry as one of its keys. For example:
{ "https://asia.gcr.io": "oauth2accesstoken", "https://eu.gcr.io": "oauth2accesstoken", "https://gcr.io": "oauth2accesstoken", "https://us.gcr.io": "oauth2accesstoken" }
Next, check that you have permission to write to Cloud Storage in the project you are pushing to. If not, ask an admin to grant access to your user and try again.
If the problem persists after you have the correct permission, it may be that your access token is obtained without one of these scopes:
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.full_control
To verify this, first obtain the access token yourself. This varies from application to application, for example if you are using an access token from a Compute Engine default service account, you can follow instruction here to get it.
Once you have obtained the access token yourself, you can use this command to look at the scopes used in obtaining the access token:
curl -H "Authorization: Bearer <your access token>" https://www.googleapis.com/oauth2/v1/tokeninfo
In case the mentioned scopes aren't included, fix the problem to make sure to include them when obtaining the access token in your code. For an example, for tokens generated specifically for the default service account on your Compute Engine virtual machine, you will need to fix the scope setting for that virtual machine and recreate it.
Permission issues pushing and pulling images
The VM instance that pushes or pulls images must be correctly configured with the required IAM permissions and access scopes to access the Container Registry storage bucket. For information about the required settings, see Using Container Registry with Google Cloud.
ImagePullBackoff error from Google Kubernetes Engine
GKE returns an ImagePullBackoff
error when it is unable to pull
an image from a registry. The error might occur because the image cannot be
found or because your nodes do not have permissions
to pull from the registry. By default GKE nodes have permissions
to pull images from Container Registry when the registry is in the same
Google Cloud project as your nodes.
The GKE documentation includes steps to identify the root cause and resolve the issue.
Organization policy enforcement
Organization policy constraints can affect usage of Container Registry when they apply to services that Container Registry uses, including constraints that require use of customer-managed encryption keys (CMEK).
Bad Request error when pushing an image
When the Cloud Storage API is in the Deny
policy list for the
constraint constraints/gcp.restrictNonCmekServices
, you cannot push images
to Container Registry if the underlying storage buckets aren't encrypted
with CMEK. The following message is returned:
unknown: Bad Request
When constraints/gcp.restrictCmekCryptoKeyProjects
is configured,
storage buckets must be encrypted with a CryptoKey from an allowed project,
folder, or organization. Existing buckets that are not compliant must be
configured to use the required key by default.
To encrypt your storage buckets, refer to the Cloud Storage instructions. The bucket name for a registry host has one of the following formats:
artifacts.PROJECT-ID.appspot.com
for images stored on the hostgcr.io
STORAGE-REGION.artifacts.PROJECT-ID.appspot.com
for images stored onasia.gcr.io
,eu.gcr.io
, orus.gcr.io
.
The gcr Pub/Sub topic was not automatically created
When you activate the Container Registry API in a
Google Cloud project, Container Registry tries to automatically create a
Pub/Sub topic with the topic ID gcr
using Google-managed
encryption keys.
When the Pub/Sub API is in the Deny
policy list for the
constraint constraints/gcp.restrictNonCmekServices
, topics must be encrypted
with CMEK. Requests to create a topic without CMEK encryption will fail.
To create the gcr
topic with CMEK encryption, see the Pub/Sub
instructions for encrypting topics.
Quota Limits
If you exceed Container Registry's quota limit, you may see an error messages like this:
Error: Status 429 trying to pull repository [...] "Quota Exceeded."
To avoid exceeding the fixed quota limit, you can:
- Increase the number of IP addresses talking to Container Registry. Quotas are per IP address.
- Add retries that introduce a delay. For example, you could use exponential backoff.
Invalid registry endpoint with boot2docker
If you're having trouble reaching the Container Registry from a boot2docker environment:
docker push gcr.io/example/sample
Error response from daemon: invalid registry endpoint https://gcr.io/v0/:
unable to ping registry endpoint https://gcr.io/v0/
v2 ping attempt failed with error: Get https://gcr.io/v2/:
x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://gcr.io/v1/_ping:
x509: certificate has expired or is not yet valid.
If this private registry supports only HTTP or HTTPS with an unknown CA
certificate, please add `--insecure-registry gcr.io` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate at
/etc/docker/certs.d/gcr.io/ca.crt
You may need to restart boot2docker:
boot2docker stop
boot2docker start
Error about pushing a root-level image
When you try to push a container image, the push fails with a message that includes:
Pushing to root-level images is disabled
This message indicates that you tagged the image with the hostname and image, but did not include the project ID.
Tag the image using the correct image path format:
HOSTNAME/PROJECT-ID/IMAGE:TAG
For example: gcr.io/web-project/web-app:1.0
.
Docker on Mac
If you encounter any issues with Docker on Mac, you might need to try a workaround. Errors can include unresponsive Docker push/pull operations, or a network error similar to the following:
Post https://us.gcr.io/v2/[repo name]/blobs/uploads/: dial tcp xx.xxx.xx.xx:xxx: i/o timeout
If you encounter these errors, try these steps:
Run the
docker-machine restart default
command in the Mac terminal to restart the Docker daemon.Ensure that "Securely store docker logins in macOS keychain" is not enabled in Docker's Preferences menu.
Ensure that you're running the most recent Docker version.