Issue Description
Getting "requested access to the resource is denied" when running podman-compose up and podman pull.
Ran podman login for both container-registry.oracle.com and docker.io, with the login being successful, yet we get the same error.
Steps to reproduce the issue
Steps to reproduce the issue (done from a directory with docker-compose.yml present)
- podman-compose up -d
- select image between:
  2.1 container-registry.oracle.com/osixia/openldap:1.5.0
  2.2 docker.io/osixia/openldap:1.5.0

alternatively:
- podman pull osixia/openldap:1.5.0
  2.1 container-registry.oracle.com/osixia/openldap:1.5.0
  2.2 docker.io/osixia/openldap:1.5.0
Describe the results you received
Get error message (with either podman-compose up or podman pull):
Error: unable to copy from source docker://container-registry.oracle.com/osixia/openldap:1.5.0: initializing source docker://container-registry.oracle.com/osixia/openldap:1.5.0: reading manifest 1.5.0 in container-registry.oracle.com/osixia/openldap: requested access to the resource is denied
Describe the results you expected
Expect image to download
podman info output
host:
  arch: amd64
  buildahVersion: 1.41.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: b3f4044f63d830049366c05304a1d5d558571e85'
  cpuUtilization:
    idlePercent: 97.28
    systemPercent: 1.67
    userPercent: 1.05
  cpus: 6
  databaseBackend: sqlite
  distribution:
    distribution: ol
    variant: server
    version: "9.6"
  eventLogger: journald
  freeLocks: 2043
  hostname: [redacted]
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-611.16.1.el9_7.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 5671399424
  memTotal: 7818354688
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.el9.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.1-1.el9_6.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: crun-1.23.1-2.el9_6.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.23.1
      commit: d20b23dba05e822b93b82f2f34fd5dada433e0c2
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250217.ga1e48a0-13.el9_6.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.2-1.el9.x86_64
    version: |-
      slirp4netns version 1.3.2
      commit: 0f13345bcef588d2bb70d662d41e92ee8a816d85
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 1073737728
  swapTotal: 1073737728
  uptime: 0h 44m 26.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - container-registry.oracle.com
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 10401873920
  graphRootUsed: 919556096
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.6.0
  Built: 1766095902
  BuiltTime: Thu Dec 18 19:11:42 2025
  GitCommit: ""
  GoVersion: go1.25.3 (Red Hat 1.25.3-1.el9_7)
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.0
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
Yes
Additional environment details
podman pull with --log-level=debug
INFO[0000] podman filtering at log level debug
DEBU[0000] Called pull.PersistentPreRunE(podman pull --log-level=debug osixia/openldap:1.5.0)
INFO[0000] Setting parallel job count to 19
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using sqlite as database backend
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /var/lib/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /var/lib/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
DEBU[0000] Pulling image osixia/openldap:1.5.0 (policy: always)
DEBU[0000] Looking up image "osixia/openldap:1.5.0" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000] Trying "localhost/osixia/openldap:1.5.0" ...
DEBU[0000] reference "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]localhost/osixia/openldap:1.5.0" does not resolve to an image ID
DEBU[0000] Trying "container-registry.oracle.com/osixia/openldap:1.5.0" ...
DEBU[0000] reference "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]container-registry.oracle.com/osixia/openldap:1.5.0" does not resolve to an image ID
DEBU[0000] Trying "docker.io/osixia/openldap:1.5.0" ...
DEBU[0000] reference "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]docker.io/osixia/openldap:1.5.0" does not resolve to an image ID
DEBU[0000] Trying "docker.io/osixia/openldap:1.5.0" ...
DEBU[0000] reference "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]docker.io/osixia/openldap:1.5.0" does not resolve to an image ID
DEBU[0000] Trying "osixia/openldap:1.5.0" ...
✔ container-registry.oracle.com/osixia/openldap:1.5.0
DEBU[0003] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0003] Attempting to pull candidate container-registry.oracle.com/osixia/openldap:1.5.0 for osixia/openldap:1.5.0
DEBU[0003] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]container-registry.oracle.com/osixia/openldap:1.5.0"
Trying to pull container-registry.oracle.com/osixia/openldap:1.5.0...
DEBU[0003] Copying source image //container-registry.oracle.com/osixia/openldap:1.5.0 to destination image [overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]container-registry.oracle.com/osixia/openldap:1.5.0
DEBU[0003] Using registries.d directory /etc/containers/registries.d
DEBU[0003] Trying to access "container-registry.oracle.com/osixia/openldap:1.5.0"
DEBU[0003] Found credentials for container-registry.oracle.com/osixia/openldap in credential helper containers-auth.json in file /run/containers/0/auth.json
DEBU[0003] No signature storage configuration found for container-registry.oracle.com/osixia/openldap:1.5.0, using built-in default file:///var/lib/containers/sigstore
DEBU[0003] Looking for TLS certificates and private keys in /etc/docker/certs.d/container-registry.oracle.com
DEBU[0003] GET https://container-registry.oracle.com/v2/
DEBU[0004] Ping https://container-registry.oracle.com/v2/ status 401
DEBU[0004] GET https://container-registry.oracle.com/auth?account=mateus.cavanholi%40bb.com.br&scope=repository%3Aosixia%2Fopenldap%3Apull&service=Oracle+Registry
DEBU[0004] Increasing token expiration to: 60 seconds
DEBU[0004] GET https://container-registry.oracle.com/v2/osixia/openldap/manifests/1.5.0
DEBU[0005] Detected insufficient_scope error, will retry request with updated scope
DEBU[0005] GET https://container-registry.oracle.com/auth?account[redacted]&scope=repository%3Aosixia%2Fopenldap%3Apull&scope=repository%3Aosixia%2Fopenldap%3Apull&service=Oracle+Registry
DEBU[0005] Increasing token expiration to: 60 seconds
DEBU[0005] GET https://container-registry.oracle.com/v2/osixia/openldap/manifests/1.5.0
DEBU[0005] Content-Type from manifest GET is "application/json; charset=utf-8"
DEBU[0005] Discarding non-primary errors:
DEBU[0005] unauthorized: authentication required
DEBU[0005] Accessing "container-registry.oracle.com/osixia/openldap:1.5.0" failed: reading manifest 1.5.0 in container-registry.oracle.com/osixia/openldap: requested access to the resource is denied
DEBU[0005] Error pulling candidate container-registry.oracle.com/osixia/openldap:1.5.0: unable to copy from source docker://container-registry.oracle.com/osixia/openldap:1.5.0: initializing source docker://container-registry.oracle.com/osixia/openldap:1.5.0: reading manifest 1.5.0 in container-registry.oracle.com/osixia/openldap: requested access to the resource is denied
Error: unable to copy from source docker://container-registry.oracle.com/osixia/openldap:1.5.0: initializing source docker://container-registry.oracle.com/osixia/openldap:1.5.0: reading manifest 1.5.0 in container-registry.oracle.com/osixia/openldap: requested access to the resource is denied
DEBU[0005] Shutting down engines
Additional information
Already checked with our firewall and proxy department and there is no blocking on our side.
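
An added triage sketch, not part of the original report and not podman code: it reads `podman pull --log-level=debug` lines like those above and separates a failed login from a pull where credentials were found and a token was requested, but the registry still refused the repository scope. The sample lines are taken from the log with the account parameter replaced by a placeholder; the field names and stage labels are this example's own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: lines from the debug log above, account value replaced by a placeholder.
SAMPLE_LOG = """\
DEBU[0003] Attempting to pull candidate container-registry.oracle.com/osixia/openldap:1.5.0 for osixia/openldap:1.5.0
DEBU[0003] Found credentials for container-registry.oracle.com/osixia/openldap in credential helper containers-auth.json in file /run/containers/0/auth.json
DEBU[0004] Ping https://container-registry.oracle.com/v2/ status 401
DEBU[0004] GET https://container-registry.oracle.com/auth?account=USER_PLACEHOLDER&scope=repository%3Aosixia%2Fopenldap%3Apull&service=Oracle+Registry
DEBU[0004] GET https://container-registry.oracle.com/v2/osixia/openldap/manifests/1.5.0
DEBU[0005] Detected insufficient_scope error, will retry request with updated scope
DEBU[0005] GET https://container-registry.oracle.com/auth?account=USER_PLACEHOLDER&scope=repository%3Aosixia%2Fopenldap%3Apull&scope=repository%3Aosixia%2Fopenldap%3Apull&service=Oracle+Registry
DEBU[0005] GET https://container-registry.oracle.com/v2/osixia/openldap/manifests/1.5.0
DEBU[0005] unauthorized: authentication required
"""

def triage(log: str) -> dict:
    """Summarise one pull attempt from podman debug output (hypothetical helper)."""
    r = {"candidate": None, "short_name": None, "credentials_found": False,
         "ping_status": None, "token_scopes": [], "manifest_gets": 0,
         "insufficient_scope": False}
    for line in log.splitlines():
        msg = re.sub(r"^[A-Z]{4}\[\d+\]\s+", "", line.strip())  # drop "DEBU[0003] "
        if m := re.match(r"Attempting to pull candidate (\S+) for (\S+)", msg):
            r["candidate"], r["short_name"] = m.groups()
        elif msg.startswith("Found credentials for "):
            r["credentials_found"] = True
        elif m := re.match(r"Ping \S+ status (\d+)", msg):
            r["ping_status"] = int(m.group(1))
        elif m := re.match(r"GET (\S+)", msg):
            url = urlparse(m.group(1))
            if "/manifests/" in url.path:
                r["manifest_gets"] += 1
            elif "scope" in (q := parse_qs(url.query)):
                r["token_scopes"].append(q["scope"])  # decoded scopes of one token request
        elif "insufficient_scope" in msg:
            r["insufficient_scope"] = True
    # Separate "no login on file" from "logged in, but this repository was refused".
    if not r["credentials_found"]:
        r["stage"] = "no-credentials"
    elif r["insufficient_scope"]:
        r["stage"] = "repository-authorization"
    else:
        r["stage"] = "undetermined"
    r["short_name_used"] = bool(r["candidate"]) and r["candidate"] != r["short_name"]
    return r
```

A `repository-authorization` stage together with `short_name_used` being true directs the investigation to which search registry the short name was resolved against and whether the account may pull that repository there, rather than to `podman login`.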
