Description
Info: I am using Linux, Docker Engine-only, and no credential helper; I haven't tried any other use cases (I imagine a credential helper makes this trickier).
It appears that the docker-model-runner container takes its config.json from the local system on startup. However, this file is not synced from the system while the model-runner is running, meaning any docker login actions will not be reflected into the model runner, and any docker model push that requires the new auth will fail with a standard "insufficient scope". This is confusing as it suggests that some additional configuration on the registry side is required (regular pushes succeed).
Restarting the model-runner container syncs the updated config.json and credentials can be successfully resolved, so it's not a real issue, but there's no indication in the CLI that a restart is required or that credentials are not synced; I had to dig around to figure this out.
Reproducing
# Stop runner and logout
docker model stop-runner
docker logout
# Start runner and login
docker model start-runner
docker login -u [username]
# Attempt to push a model
docker model push ... # fails, even though you just logged in
# Check config.json inside model runner
docker exec docker-model-runner cat /home/modelrunner/.docker/config.json # does not contain new entry
# Restart model-runner and retry
docker model restart-runner
docker model push ... # succeeds
docker exec docker-model-runner cat /home/modelrunner/.docker/config.json # contains new entry
Version
docker model version:
Client:
Version: v1.2.1
OS/Arch: linux/amd64
Server:
Version: v1.2.1
Engine: Docker Engine
docker version:
Client: Docker Engine - Community
Version: 29.5.2
API version: 1.54
Go version: go1.26.3
Git commit: 79eb04c
Built: Wed May 20 14:42:04 2026
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.5.2
API version: 1.54 (minimum version 1.40)
Go version: go1.26.3
Git commit: 568f755
Built: Wed May 20 14:38:16 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.2.4
GitCommit: 193637f7ee8ae5f5aa5248f49e7baa3e6164966e
runc:
Version: 1.3.5
GitCommit: v1.3.5-0-g488fc13e
docker-init:
Version: 0.19.0
GitCommit: de40ad0
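A drift check for the condition described in this report, as an added example (not part of the original issue and not Docker's own code): it compares the registry entries in the host's config.json with the copy inside the docker-model-runner container and reports what is out of sync, printing only registry names and never the credentials. The host path ~/.docker/config.json is an assumed default; the container name and in-container path are the ones used in the reproduction steps.

```python
import hashlib
import json
import subprocess
from pathlib import Path

# Container name and in-container path are the ones shown in the report above.
RUNNER = "docker-model-runner"
RUNNER_CONFIG = "/home/modelrunner/.docker/config.json"


def auth_fingerprints(config_text):
    """Map registry -> SHA-256 of its auth entry, so secrets are never printed."""
    auths = json.loads(config_text or "{}").get("auths", {})
    return {
        reg: hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        for reg, entry in auths.items()
    }


def credential_drift(host_text, runner_text):
    """Compare host and runner config.json contents; return what is out of sync."""
    host, runner = auth_fingerprints(host_text), auth_fingerprints(runner_text)
    return {
        "missing_in_runner": sorted(set(host) - set(runner)),
        "only_in_runner": sorted(set(runner) - set(host)),
        "changed": sorted(r for r in set(host) & set(runner) if host[r] != runner[r]),
        # With a credential helper the auths values are empty placeholders,
        # so only the registry names can be compared.
        "host_uses_helper": "credsStore" in json.loads(host_text or "{}"),
    }


def read_runner_config():
    """Read the runner's copy with the same docker exec used in the report."""
    out = subprocess.run(
        ["docker", "exec", RUNNER, "cat", RUNNER_CONFIG],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Assumption: the host config lives at the default ~/.docker/config.json.
    host_text = (Path.home() / ".docker" / "config.json").read_text()
    drift = credential_drift(host_text, read_runner_config())
    print(json.dumps(drift, indent=2))
    stale = drift["missing_in_runner"] or drift["only_in_runner"] or drift["changed"]
    raise SystemExit(1 if stale else 0)
```

A non-zero exit status means the runner's copy differs from the host's, which is the state in which the report's push failed until the runner was restarted.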