[JENKINS-75459] Setting Docker Workflow creds globally breaks agents using other registries #729
Description
Overview
When setting Docker Credentials globally (i.e. Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials") with docker agent pipeline configuration it tries to pull the incorrect image.
Output
[Pipeline] withDockerRegistry $ docker login -u username -p ******** https://index.docker.io/v1/ WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /home/jenkins/workspace/REDACTED/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [Pipeline] { [Pipeline] isUnix [Pipeline] withEnv [Pipeline] { [Pipeline] sh + docker inspect -f . public.ecr.aws/docker/library/ruby:3 Error: No such object: public.ecr.aws/docker/library/ruby:3 [Pipeline] sh + docker inspect -f . index.docker.io/public.ecr.aws/docker/library/ruby:3 Error: No such object: index.docker.io/public.ecr.aws/docker/library/ruby:3 [Pipeline] isUnix [Pipeline] withEnv [Pipeline] { [Pipeline] sh + docker pull index.docker.io/public.ecr.aws/docker/library/ruby:3 Error response from daemon: Head "https://public.ecr.aws/v2/docker/library/ruby/manifests/3": denied: Not Authorized [Pipeline] }
Reproduction
I have been able to reproduce with the latest Jenkins version and plugins listed above.
- Setup a Jenkins instance with version and plugins as above
- Create a Pipeline with this content:
pipeline { agent any stages { stage('AWS Public Mirror') { agent { docker { image 'public.ecr.aws/docker/library/ruby:3' reuseNode true } } steps { sh 'echo AWS Public Mirror' } } } }
- Run pipeline, it will succeed
- docker rmi the image it fetched
- Add some DockerHub Creds
- Configure Jenkins to use those credentials globally: Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials"
- Re-Run the pipeline, it will fail with: denied: Not Authorized [Pipeline]
Final thoughts
- Looking into this issue brought me to this comparison of the specified image id and the generation of a fully qualified image id:
- We ran into this issue trying to prevent DockerHub Rate limits.
- The working method so far is either to not use DockerHub anywhere to avoid triggering a ratelimit and not use the global setting, or to specifically set registryCredentialsId anywhere we use an image from DockerHub. I was hoping to solve this by having those authenticated by default.
Originally reported by seanhood, imported from: Setting Docker Workflow creds globally breaks agents using other registries
- status: Open
- priority: Minor
- component(s): docker-workflow-plugin
- resolution: Unresolved
- votes: 0
- watchers: 1
- imported: 2025-12-07
Raw content of original issue
Overview
When setting Docker Credentials globally (i.e. Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials") with docker agent pipeline configuration it tries to pull the incorrect image.
Output
[Pipeline] withDockerRegistry $ docker login -u username -p ******** https://index.docker.io/v1/ WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /home/jenkins/workspace/REDACTED/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [Pipeline] { [Pipeline] isUnix [Pipeline] withEnv [Pipeline] { [Pipeline] sh + docker inspect -f . public.ecr.aws/docker/library/ruby:3 Error: No such object: public.ecr.aws/docker/library/ruby:3 [Pipeline] sh + docker inspect -f . index.docker.io/public.ecr.aws/docker/library/ruby:3 Error: No such object: index.docker.io/public.ecr.aws/docker/library/ruby:3 [Pipeline] isUnix [Pipeline] withEnv [Pipeline] { [Pipeline] sh + docker pull index.docker.io/public.ecr.aws/docker/library/ruby:3 Error response from daemon: Head "https://public.ecr.aws/v2/docker/library/ruby/manifests/3": denied: Not Authorized [Pipeline] }
Reproduction
I have been able to reproduce with the latest Jenkins version and plugins listed above.
- Setup a Jenkins instance with version and plugins as above
- Create a Pipeline with this content:
pipeline { agent any stages { stage('AWS Public Mirror') { agent { docker { image 'public.ecr.aws/docker/library/ruby:3' reuseNode true } } steps { sh 'echo AWS Public Mirror' } } } }
- Run pipeline, it will succeed
- docker rmi the image it fetched
- Add some DockerHub Creds
- Configure Jenkins to use those credentials globally: Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials"
- Re-Run the pipeline, it will fail with: denied: Not Authorized [Pipeline]
Final thoughts
- Looking into this issue brought me to this comparison of the specified image id and the generation of a fully qualified image id:
- We ran into this issue trying to prevent DockerHub Rate limits.
- The working method so far is either to not use DockerHub anywhere to avoid triggering a ratelimit and not use the global setting, or to specifically set registryCredentialsId anywhere we use an image from DockerHub. I was hoping to solve this by having those authenticated by default.
environment
Jenkins: 2.492.2<br/>
Docker Commons Plugin Version 451.vd12c371eeeb_3 <br/>
Docker Pipeline Version 611.v16e84da_6d3ff