Private registry accessible from docker binary but not with docker-compose

General
1

I have a private registry using github.com/cesanta/docker_auth for authentication. Using docker pull on the command line (either directly or through swarm) works just fine. The image is pulled and all is well. But, when using docker-compose (and also Rancher) I get an error that the image is not found.

Looking at the logs of the registry show that when it works, first it hits the registry, gets a 401 response which will contain the authentication information, and then all requests from then on are 2XX and work fine. But when it doesn’t work, using docker-compose, it gets the expected initial 401 on the v2 API, but then falls back to the v1 API until it fails with a 404 trying to pull the image.

I’m assuming that there’s something wrong with my set up of the registry that is making it not work. It’s strange that it does work with the command line but not with other Docker API clients (compose, Rancher).

Here’s the logs from the registry when the pull fails:

$ docker logs --tail=0 -f dockerregistry_registry_1
time="2016-08-02T00:01:48.592133651Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.6.2 http.request.host=registry.izeni.net http.request.id=b8fe7954-e3ba-4100-b101-df4b9c1686df http.request.method=GET http.request.remoteaddr=66.219.247.102 http.request.uri="/v2/" http.request.useragent="docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.16-boot2docker os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=73e9371b-8f08-414c-8f9f-55cc7b81cf6a version=v2.4.1
172.18.0.4 - - [02/Aug/2016:00:01:48 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.16-boot2docker os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"
time="2016-08-02T00:01:48.969633465Z" level=warning msg="error authorizing context: insufficient scope" go.version=go1.6.2 http.request.host=registry.izeni.net http.request.id=64a657ee-8dd3-489c-9b10-36ea1c38d103 http.request.method=GET http.request.remoteaddr=66.219.247.102 http.request.uri="/v2/timey/backend/manifests/latest" http.request.useragent="docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.16-boot2docker os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" instance.id=73e9371b-8f08-414c-8f9f-55cc7b81cf6a vars.name="timey/backend" vars.reference=latest version=v2.4.1
172.18.0.4 - - [02/Aug/2016:00:01:48 +0000] "GET /v2/timey/backend/manifests/latest HTTP/1.1" 401 145 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.16-boot2docker os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"
172.18.0.4 - - [02/Aug/2016:00:01:49 +0000] "GET /v1/_ping HTTP/1.1" 404 19 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.16-boot2docker os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"
172.18.0.4 - - [02/Aug/2016:00:01:49 +0000] "GET /v1/repositories/timey/backend/images HTTP/1.1" 404 19 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.16-boot2docker os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)"

EDIT: I checked the logs of my authentication server and do not see any access to it when doing the pull docker-compose.