Description
On a single Docker host managed by Komodo, pulling from a private Docker registry works with one registry account but consistently fails with a second account for the same registry domain. The failing account works correctly with another management tool (Portainer) on the same host, so the problem appears specific to how Komodo handles this account.
Environment
-
Komodo version: 1.19.5
-
Docker Engine: 29.0.2 (build 8108357)
-
Host OS: Debian GNU/Linux 11 (bullseye)
-
Setup: single Docker host, no Swarm
-
Network: outbound internet via HTTP/HTTPS proxy
-
Private registry: Harbor-based registry at a custom domain (called here my.private-registry.example.com) using robot/service accounts for authentication.
Registry accounts in Komodo
Two registry accounts are configured under Settings → Providers → Registry Accounts:
- Account A
- Account B
Both are robot/service accounts created in the Harbor registry. The tokens are alphanumeric only (no special characters).
What works
-
In Portainer on this host, configured with Account A (app1-robot), stacks that pull
my.private-registry.example.com/app1/app1:1.0.0 work without issues (images are pulled from the registry when needed).
-
In Portainer on this host, configured with Account B (app2-robot), the following service works and can be fully re-pulled:
services:
app2:
image: "my.private-registry.example.com/app2/app2:0.14.0"
container_name: "app2"
restart: "unless-stopped"
ports:
- "9080:8080"
After removing the image from the host and redeploying the stack in Portainer with “pull image” enabled, the image is fetched from the registry without errors.
- In Komodo, when Account A is selected for stacks that use
my.private-registry.example.com/app1/app1:1.0.0, Komodo can pull and redeploy these stacks correctly. Authentication with the registry works for Account A.
What fails in Komodo
Whenever Account B (app2-robot) is selected in Komodo for a stack that uses the App2 image, Komodo fails to log in to the registry.
Minimal compose used for testing in Komodo:
services:
app2-test:
image: my.private-registry.example.com/app2/app2:0.14.0
Komodo stack configuration (Advanced):
Resulting error in the Komodo UI:
ERROR: Failed to login to image registry
TRACE:
1: Domain: 'my.private-registry.example.com' | Account: 'app2-robot'
2: Registry my.private-registry.example.com login error
3: Error response from daemon: Get "https://my.private-registry.example.com/v2/": unauthorized:
4: End of trace
So Komodo successfully reaches the registry (no timeout), but the login attempt using Account B is rejected as unauthorized. Using the same credentials in Portainer on the same host works as expected for the same image and tag.
Additional observations
-
Both registry accounts use the same domain and are configured in the same way in Komodo (each with its own username and token).
-
Both robot accounts and their tokens are stored in a password manager and copied into Portainer and Komodo; Portainer can authenticate and pull with Account B, Komodo cannot.
-
Other images and registries managed by Komodo on this host (including the App1 image via Account A) work fine through the same Docker daemon and proxy configuration.
-
Network/proxy configuration appears correct because:
- Komodo can successfully pull from the same registry with Account A.
- Portainer can pull the App2 image with Account B on the same host and Docker Engine.
Expected behavior
Komodo should authenticate against my.private-registry.example.com using Account B (app2-robot) and pull my.private-registry.example.com/app2/app2:0.14.0, just like Portainer does on the same host with the same credentials.
Actual behavior
All attempts by Komodo to authenticate with the registry using Account B fail with:
Error response from daemon: Get "https://my.private-registry.example.com/v2/": unauthorized:
while Account A works in Komodo, and Account B works in Portainer on the same Docker host.
Questions
Is there a known issue in Komodo when using multiple accounts for the same registry domain?
Could Komodo be mixing up or mis-mapping registry accounts internally when they share the same Domain value?
Is there a way to enable more verbose logging (e.g. seeing the docker login arguments without secrets) to help diagnose why Account B is rejected as unauthorized while the same credentials work in other tools?
Thank you for your help and any hints on how to debug or work around this problem.
Xyrus
Description
On a single Docker host managed by Komodo, pulling from a private Docker registry works with one registry account but consistently fails with a second account for the same registry domain. The failing account works correctly with another management tool (Portainer) on the same host, so the problem appears specific to how Komodo handles this account.
Environment
Komodo version: 1.19.5
Docker Engine: 29.0.2 (build 8108357)
Host OS: Debian GNU/Linux 11 (bullseye)
Setup: single Docker host, no Swarm
Network: outbound internet via HTTP/HTTPS proxy
Private registry: Harbor-based registry at a custom domain (called here my.private-registry.example.com) using robot/service accounts for authentication.
Registry accounts in Komodo
Two registry accounts are configured under Settings → Providers → Registry Accounts:
Domain: my.private-registry.example.com
Username: app1-robot
Token:
Domain: my.private-registry.example.com
Username: app2-robot
Token:
Both are robot/service accounts created in the Harbor registry. The tokens are alphanumeric only (no special characters).
What works
In Portainer on this host, configured with Account A (app1-robot), stacks that pull
my.private-registry.example.com/app1/app1:1.0.0 work without issues (images are pulled from the registry when needed).
In Portainer on this host, configured with Account B (app2-robot), the following service works and can be fully re-pulled:
After removing the image from the host and redeploying the stack in Portainer with “pull image” enabled, the image is fetched from the registry without errors.
my.private-registry.example.com/app1/app1:1.0.0, Komodo can pull and redeploy these stacks correctly. Authentication with the registry works for Account A.
What fails in Komodo
Whenever Account B (app2-robot) is selected in Komodo for a stack that uses the App2 image, Komodo fails to log in to the registry.
Minimal compose used for testing in Komodo:
Komodo stack configuration (Advanced):
Image Registry: my.private-registry.example.com
Account: app2-robot
Pre Pull Images: enabled
Resulting error in the Komodo UI:
So Komodo successfully reaches the registry (no timeout), but the login attempt using Account B is rejected as unauthorized. Using the same credentials in Portainer on the same host works as expected for the same image and tag.
Additional observations
Both registry accounts use the same domain and are configured in the same way in Komodo (each with its own username and token).
Both robot accounts and their tokens are stored in a password manager and copied into Portainer and Komodo; Portainer can authenticate and pull with Account B, Komodo cannot.
Other images and registries managed by Komodo on this host (including the App1 image via Account A) work fine through the same Docker daemon and proxy configuration.
Network/proxy configuration appears correct because:
Expected behavior
Komodo should authenticate against my.private-registry.example.com using Account B (app2-robot) and pull my.private-registry.example.com/app2/app2:0.14.0, just like Portainer does on the same host with the same credentials.
Actual behavior
All attempts by Komodo to authenticate with the registry using Account B fail with:
Error response from daemon: Get "https://my.private-registry.example.com/v2/": unauthorized:while Account A works in Komodo, and Account B works in Portainer on the same Docker host.
Questions
Is there a known issue in Komodo when using multiple accounts for the same registry domain?
Could Komodo be mixing up or mis-mapping registry accounts internally when they share the same Domain value?
Is there a way to enable more verbose logging (e.g. seeing the docker login arguments without secrets) to help diagnose why Account B is rejected as unauthorized while the same credentials work in other tools?
Thank you for your help and any hints on how to debug or work around this problem.
Xyrus