Moby: Docker service update --image "could not accessed on a registry to record its digest"

In the same style, docker service has downloaded an image of 5 days ago but there is a new image every day in the registry.
${REGISTRY}:5000/${IMAGENAME} <none> c4dad25bfd4a 5 days ago 1.2GB
If i run docker pull i download the last version

When updating services that need credentials to pull the image, you need to pass --with-registry-auth. Images pulled for a service take a different path than a regular docker pull, because the actual pull is performed on each node in the swarm where an instance is deployed. To pull an image, the swarm cluster needs to have the credentials stored (so that the credentials can be passed on to the node it performs the pull on).

Even though the "node" in this case is your _local_ node, swarm takes the same approach (otherwise it would only be able to pull the image on the local node, but not on any of the other nodes).

Setting the --with-registry-auth option passes your locally stored credentials to the daemon, and stores them in the raft store. After that, the image digest is resolved (using those credentials), and the image is pulled on the node that the task is scheduled on (again, using the credentials that were stored in the service).

Can you confirm if passing --with-registry-auth makes the problem go away?

Ok i have not set --with-registry-auth in the command line but why the image downloaded by the service is not the last version ?

but why the image downloaded by the service is not the last version ?

If the service failed to connect to the registry, it didn't resolve the latest digest, so uses any image with the specified image:tag that was already present on the host. Based on your description, docker service update did not pull a new image at all.

Also be aware that when updating the image without changing image:tag, the service may not _update_ the definition (i.e., re-resolve the image), unless --force is set (but I'd have to double check).

Yes it's true i have already gone this scenarios but this time i have installed our application on a new virtual machine. We have a script which is in charge to deploy the application. It runs 4 docker stacks with the command line docker stack deploy --with-registry-auth.... I use this script on another environnement which deploy every night our application and for this environnement i have one manager and 2 workers. The manager does not host containers.
With this same script i have deployed the same application but this time the images was not the latest.
Docker service has downloaded images but not the latest version. I am sure that the image has
been downloaded by docker service because the version is defined to <none>.

I use docker stack deploy and the option --force is not present to this command. https://docs.docker.com/engine/reference/commandline/stack_deploy/
Do you have a solution to force the downloading of the latest version every time with docker stack deploy?

For docker stack deploy, there's a --resolve-image=always option, but IIRC, that's the default, so it should resolve the latest image (given that it has the right credentials);

With this same script i have deployed the same application but this time the images was not the latest. Docker service has downloaded images but not the latest version.

What user does the script run as, and is that use logged in? If the script runs as a different user, it will look in _that_ user's home directory for the credentials

I use the same user.

same bug here https://github.com/moby/moby/issues/34299

No #34299 is not the same. The problem I write there is not because of inaccessibility of private registry images.

I close this post i will open a new with more information if the problem occurs agin

I still get the same error, i.e.:

image dockersamples/visualiser:stable could not be accessed on a registry to record
its digest. Each node will access dockersamples/visualiser:stable independently,
possibly leading to different nodes running different
versions of the image.

Even when using --resolve-image=always and --with-registry-auth. I'm literally following the instructions from https://docs.docker.com/get-started/part5/#add-a-new-service-and-redeploy. Everything was working perfectly before. Does someone have any other idea on how to solve this?

@majstrooker I'm having the same issue.

@majstrooker @XLMBuildManager does it still deploy correctly even with that message? What I found was that it may be a timing issue with Sonatype nexus. I wonder if I can speed it up.

Actually something is really borky with Sonatype Nexus and docker there, I am not sure which part itself is broken, but I didn't have any issues with registry:2

@majstrooker I am using github registry and facing the same issue. Initial Deployment is successful but anything after that I get the error:

image <image_url> could not be accessed on a registry to record its digest. 

Each node will access <image_url> independently, possibly leading to different nodes running different versions of the image.

Did you find any solution?

@gurleensethi that's a known issue with GitHub's registry. The GitHub image registry currently isn't compliant with the registry specification and doesn't implement all options, see https://github.com/containerd/containerd/issues/3291#issuecomment-579804848

that's a known issue with GitHub's registry. The GitHub image registry currently isn't compliant with the registry specification and doesn't implement all options

FYI, for those that find this via search. The GitHub Container Registry https://ghcr.io/ is compliant with the spec and this should work correctly when connecting to ghcr.io but won't work when trying with docker.pkg.github.com.