Yandex project
© 2025 Yandex.Cloud LLC
Yandex Container Registry

FAQ about Container Registry

Written by
Yandex Cloud
Improved by
amatol
Updated at April 15, 2025

Why is the latest tag missing or applied to a Docker image that is not the last one pushed?

The reason is that you specified a different tag when pushing the Docker image.

The Docker client assigns the latest tag automatically if the Docker image is created and pushed without a tag. You can also specify the latest tag explicitly.

Warning

The tag latest doesn't mean that the Docker image was the latest one pushed.

We don't recommend overwriting tags. Use a unique tag for each Docker image version. This way you can use the same Docker image version on all your VMs with identical specifications and more easily identify causes of problems.

How do I make a registry public?

You can grant the container-registry.images.puller role for your registry to the All users public group.

Alert

This makes all Docker images in the registry available without authentication.

Do not assign the container-registry.images.pusher, editor, or admin roles for the registry to the public group. This will enable anyone with your registry ID to use the registry.

I encountered an error. What should I do?

See Troubleshooting in Container Registry. It lists common errors and ways to solve them.

Can I get the logs of what I do when I work with Yandex Cloud?

Yes, you can request information about operations with your resources from Yandex Cloud. For more information, see Data requests.

What does the "Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock" error mean?

You are not running commands as a root user.

You can use sudo or configure non-root access.

How do I diagnose Credential Helper performance?

  • Check which OS user runs the CLI commands and on which host. This must be the user that the Credential Helper is configured for and on whose behalf the yc container registry configure-docker command was run. The corresponding line must appear in the file /home/<user>/.docker/config.json. If you are working on a virtual machine, make sure you have the Credential Helper configured there as well.

  • Check whether the Credential Helper is available in PATH when commands are run. During authentication in Container Registry using the Credential Helper, Docker calls the docker-credential-yc binary. Make sure this binary is available in PATH for the user working with Docker. For example, if Docker is used with sudo, then configure-docker must be run with sudo, too. To check this, run echo cr.yandex | docker-credential-yc get or, if you run commands with sudo, echo cr.yandex | sudo docker-credential-yc get. If everything works fine, you will get a response in {"Username":"iam","Secret":"***<IAM token>***"} format.

  • If the commands run in interactive mode but fail in non-interactive mode, check the .bashrc file. The yc and docker-credential-yc programs are installed in a directory that is not usually available in the default PATH. In this case, the following lines are added to the .bashrc file:

    # The next line updates PATH for Yandex Cloud CLI
    if [ -f '/home/<user>/yandex-cloud/path.bash.inc' ]; then source '/home/<user>/yandex-cloud/path.bash.inc'; fi
    

    The top section of the .bashrc file contains a condition preventing its commands from running non-interactively. That is why the commands can run when connecting to the VM manually, but fail to run when doing so via SSH.
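
The three checks above as a script, added here as an example and not part of the Yandex Cloud documentation or tooling. The function names and output strings are illustrative; the credHelpers entry format ("cr.yandex": "yc") and the early-return patterns searched for in .bashrc are assumptions.

```bash
#!/usr/bin/env bash
# Added example: local checks for the three Credential Helper diagnosis steps.
# Function names and output strings are illustrative, not part of yc or Docker.

# Step 1: is the yc helper registered for cr.yandex in this user's Docker config?
# Assumption: the entry is a credHelpers mapping of the form "cr.yandex": "yc".
helper_configured() {
  cfg="${1:-$HOME/.docker/config.json}"
  [ -f "$cfg" ] && grep -Eq '"cr\.yandex"[[:space:]]*:[[:space:]]*"yc"' "$cfg"
}

# Step 2: can the user running Docker resolve the helper binary through PATH?
helper_in_path() {
  command -v docker-credential-yc >/dev/null 2>&1
}

# Step 3 (heuristic): does .bashrc return early for non-interactive shells
# before the line that sources path.bash.inc?
# Prints "guarded", "ok" or "no-path-line".
bashrc_path_status() {
  rc="${1:-$HOME/.bashrc}"
  [ -f "$rc" ] || { echo "no-path-line"; return 0; }
  # First uncommented early exit, e.g. "*) return;;" or "[ -z "$PS1" ] && return".
  grd=$(grep -nE '^[^#]*(\*\)|&&)[[:space:]]*return' "$rc" | head -n1 | cut -d: -f1)
  pth=$(grep -n 'yandex-cloud/path\.bash\.inc' "$rc" | head -n1 | cut -d: -f1)
  if [ -z "$pth" ]; then echo "no-path-line"
  elif [ -n "$grd" ] && [ "$grd" -lt "$pth" ]; then echo "guarded"
  else echo "ok"; fi
}

# Run as the same OS user (or under sudo) that runs the docker commands.
diagnose() {
  helper_configured && echo "config.json: cr.yandex -> yc" \
    || echo "config.json: helper not configured for $(id -un)"
  helper_in_path && echo "PATH: docker-credential-yc found" \
    || echo "PATH: docker-credential-yc not found"
  echo ".bashrc: $(bashrc_path_status)"
  # Only the shape of the reply is checked; the IAM token is never printed.
  if helper_in_path && echo cr.yandex | docker-credential-yc get 2>/dev/null \
      | grep -q '"Username":"iam"'; then
    echo "helper: returned credentials for cr.yandex"
  else
    echo "helper: no credentials returned"
  fi
}

if [ "${1:-}" = "run" ]; then diagnose; fi
```

A "guarded" result means the PATH line sits below the early return, so non-interactive sessions never see yc or docker-credential-yc unless PATH is set some other way.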

What does "Error response from daemon: pull access denied for <cr.yandex/registry_ID/Docker_image_name>, repository does not exist or may require 'docker login': denied: Permission denied ; requestId = <request_ID>" mean?

The IP address from which the Docker image pull request was received has no PULL permission.

In the registry settings, add rules that allow pulling images for this IP address, or delete all rules and try again.
