Overview

When setting Docker Credentials globally (i.e. Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials") with docker agent pipeline configuration it tries to pull the incorrect image.

Output

[Pipeline] withDockerRegistry
$ docker login -u username -p ******** https://index.docker.io/v1/
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/jenkins/workspace/REDACTED/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[Pipeline] {
[Pipeline] isUnix
[Pipeline] withEnv
[Pipeline] {
[Pipeline] sh
+ docker inspect -f . public.ecr.aws/docker/library/ruby:3

Error: No such object: public.ecr.aws/docker/library/ruby:3
[Pipeline] sh
+ docker inspect -f . index.docker.io/public.ecr.aws/docker/library/ruby:3

Error: No such object: index.docker.io/public.ecr.aws/docker/library/ruby:3
[Pipeline] isUnix
[Pipeline] withEnv
[Pipeline]

{ [Pipeline] sh + docker pull index.docker.io/public.ecr.aws/docker/library/ruby:3 Error response from daemon: Head "https://public.ecr.aws/v2/docker/library/ruby/manifests/3": denied: Not Authorized [Pipeline] }

Reproduction

I have been able to reproduce with the latest Jenkins version and plugins listed above.

1. Setup a Jenkins instance with version and plugins as above
2. Create a Pipeline with this content:

   pipeline {
     agent any
     stages {
       stage('AWS Public Mirror') {
         agent {
           docker {
             image 'public.ecr.aws/docker/library/ruby:3'
             reuseNode true
           }
         }
         steps {
           sh 'echo AWS Public Mirror'
         }
       }
     }
   }

1. Run pipeline, it will succeed
2. docker rmi the image it fetched
3. Add some DockerHub Creds
4. Configure Jenkins to use those credentials globally: Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials"
5. Re-Run the pipeline, it will fail with: denied: Not Authorized [Pipeline]

Final thoughts

• Looking into this issue brought me to this comparison of the specified image id and the generation of a fully qualified image id: https://github.com/jenkinsci/docker-workflow-plugin/blob/d3d06101cbc6e96e6d47c4c67517239e05dfafa5/src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy#L129
• We ran into this issue trying to prevent DockerHub Rate limits.
• The working method so far is either to not use DockerHub anywhere to avoid triggering a ratelimit and not use the global setting, or to specifically set registryCredentialsId anywhere we use an image from DockerHub. I was hoping to solve this by having those authenticated by default.