[JENKINS-75459] Setting Docker Workflow creds globally breaks agents using other registries

Overview

When setting Docker Credentials globally (i.e. Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials") with docker agent pipeline configuration it tries to pull the incorrect image.

Output

<pre>
[Pipeline] withDockerRegistry
$ docker login -u username -p ******** https://index.docker.io/v1/
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/jenkins/workspace/REDACTED/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[Pipeline] {
[Pipeline] isUnix
[Pipeline] withEnv
[Pipeline] {
[Pipeline] sh
+ docker inspect -f . public.ecr.aws/docker/library/ruby:3

Error: No such object: public.ecr.aws/docker/library/ruby:3
[Pipeline] sh
+ docker inspect -f . index.docker.io/public.ecr.aws/docker/library/ruby:3

Error: No such object: index.docker.io/public.ecr.aws/docker/library/ruby:3
[Pipeline] isUnix
[Pipeline] withEnv
[Pipeline]

{ [Pipeline] sh + docker pull index.docker.io/public.ecr.aws/docker/library/ruby:3 Error response from daemon: Head "https://public.ecr.aws/v2/docker/library/ruby/manifests/3": denied: Not Authorized [Pipeline] }
</pre>
 

Reproduction

I have been able to reproduce with the latest Jenkins version and plugins listed above.
<ol>
	<li>Setup a Jenkins instance with version and plugins as above</li>
	<li>Create a Pipeline with this content:

<pre>
pipeline {
  agent any
  stages {
    stage('AWS Public Mirror') {
      agent {
        docker {
          image 'public.ecr.aws/docker/library/ruby:3'
          reuseNode true
        }
      }
      steps {
        sh 'echo AWS Public Mirror'
      }
    }
  }
}</pre></li>
</ol>


<ol>
	<li>Run pipeline, it will succeed</li>
	<li>docker rmi the image it fetched</li>
	<li>Add some DockerHub Creds</li>
	<li>Configure Jenkins to use those credentials globally: Manage Jenkins -> System -> "Declarative Pipeline (Docker)" -> "Registry credentials"</li>
	<li>Re-Run the pipeline, it will fail with: denied: Not Authorized &#91;Pipeline&#93;</li>
</ol>


 

Final thoughts
<ul>
	<li>Looking into this issue brought me to this comparison of the specified image id and the generation of a fully qualified image id: <a href="https://github.com/jenkinsci/docker-workflow-plugin/blob/d3d06101cbc6e96e6d47c4c67517239e05dfafa5/src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy#L129" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/jenkinsci/docker-workflow-plugin/blob/d3d06101cbc6e96e6d47c4c67517239e05dfafa5/src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy#L129</a></li>
	<li>We ran into this issue trying to prevent DockerHub Rate limits.</li>
	<li>The working method so far is either to not use DockerHub anywhere to avoid triggering a ratelimit and not use the global setting, or to specifically set <tt>registryCredentialsId</tt> anywhere we use an image from DockerHub. I was hoping to solve this by having those authenticated by default.</li>
</ul>


---
<details><summary>Originally reported by <a href="https://issues.jenkins.io/secure/ViewProfile.jspa?name=seanhood">seanhood</a>, imported from: <a class="original-jira-link" href="https://issues.jenkins.io/browse/JENKINS-75459" target="_blank">Setting Docker Workflow creds globally breaks agents using other registries</a></summary>
<ul>
<li>status: Open
<li>priority: Minor
<li>component(s): docker-workflow-plugin
<li>resolution: Unresolved
<li>votes: 0
<li>watchers: 1
<li>imported: 2025-12-07
</ul>
<details><summary>Raw content of original issue</summary>

<pre>
Overview

When setting Docker Credentials globally (i.e. Manage Jenkins -&gt; System -&gt; "Declarative Pipeline (Docker)" -&gt; "Registry credentials") with docker agent pipeline configuration it tries to pull the incorrect image.

Output
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">[Pipeline] withDockerRegistry
$ docker login -u username -p ******** https://index.docker.io/v1/
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/jenkins/workspace/REDACTED/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[Pipeline] {
[Pipeline] isUnix
[Pipeline] withEnv
[Pipeline] {
[Pipeline] sh
+ docker inspect -f . public.ecr.aws/docker/library/ruby:3

Error: No such object: public.ecr.aws/docker/library/ruby:3
[Pipeline] sh
+ docker inspect -f . index.docker.io/public.ecr.aws/docker/library/ruby:3

Error: No such object: index.docker.io/public.ecr.aws/docker/library/ruby:3
[Pipeline] isUnix
[Pipeline] withEnv
[Pipeline]

{ [Pipeline] sh + docker pull index.docker.io/public.ecr.aws/docker/library/ruby:3 Error response from daemon: Head "https://public.ecr.aws/v2/docker/library/ruby/manifests/3": denied: Not Authorized [Pipeline] }
</pre>
</div></div>
 

Reproduction

I have been able to reproduce with the latest Jenkins version and plugins listed above.
<ol>
	<li>Setup a Jenkins instance with version and plugins as above</li>
	<li>Create a Pipeline with this content:
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">pipeline {
  agent any
  stages {
    stage('AWS Public Mirror') {
      agent {
        docker {
          image 'public.ecr.aws/docker/library/ruby:3'
          reuseNode true
        }
      }
      steps {
        sh 'echo AWS Public Mirror'
      }
    }
  }
}</pre>
</div></div></li>
</ol>


<ol>
	<li>Run pipeline, it will succeed</li>
	<li>docker rmi the image it fetched</li>
	<li>Add some DockerHub Creds</li>
	<li>Configure Jenkins to use those credentials globally: Manage Jenkins -&gt; System -&gt; "Declarative Pipeline (Docker)" -&gt; "Registry credentials"</li>
	<li>Re-Run the pipeline, it will fail with: denied: Not Authorized &#91;Pipeline&#93;</li>
</ol>


 

Final thoughts
<ul>
	<li>Looking into this issue brought me to this comparison of the specified image id and the generation of a fully qualified image id: <a href="https://github.com/jenkinsci/docker-workflow-plugin/blob/d3d06101cbc6e96e6d47c4c67517239e05dfafa5/src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy#L129" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/jenkinsci/docker-workflow-plugin/blob/d3d06101cbc6e96e6d47c4c67517239e05dfafa5/src/main/resources/org/jenkinsci/plugins/docker/workflow/Docker.groovy#L129</a></li>
	<li>We ran into this issue trying to prevent DockerHub Rate limits.</li>
	<li>The working method so far is either to not use DockerHub anywhere to avoid triggering a ratelimit and not use the global setting, or to specifically set <tt>registryCredentialsId</tt> anywhere we use an image from DockerHub. I was hoping to solve this by having those authenticated by default.</li>
</ul>
</pre>
</details>
</details>
<details><summary>environment</summary>

```
Jenkins: 2.492.2 
Docker Commons Plugin Version 451.vd12c371eeeb_3 
Docker Pipeline Version 611.v16e84da_6d3ff
```
</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[JENKINS-75459] Setting Docker Workflow creds globally breaks agents using other registries #729

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[JENKINS-75459] Setting Docker Workflow creds globally breaks agents using other registries #729

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions