After upgrading Concourse from 7.x to 8.0.x, pipelines that pull images directly from Docker Hub (registry-1.docker.io) fail during the image check phase with the following error:

image check failed
failed to fetch manifest: Head "https://registry-1.docker.io/v2/<image>/manifests/latest": 
denied: <!DOCTYPE html>...<title>Just a moment...</title>...

Expected to affect any public Docker Hub image pulled from a Concourse 8.0 worker.

Concourse 8.0.x and later

Concourse v8.0 changed the default worker runtime from Guardian to containerd. Prior to v8.0, Concourse workers used the Guardian runtime, which delegated image pulling to the Docker daemon. Starting in Concourse v8.0, the default runtime was changed to containerd. Containerd pulls images using its own native Go-based HTTP client. This is a breaking change in the Concourse 8.0.0 release notes (PR #9372).

Change the image_resource type in the pipeline task config from docker-image to registry-image. Registry-image is implemented in Go and handles the full Docker Registry v2 Bearer token auth flow natively without requiring the Docker daemon.

# BEFORE — fails on Concourse 8.0
task-config: &task-config
  platform: linux
  image_resource:
    type: docker-image
    source:
      repository: amazon/aws-cli
      tag: latest

# AFTER — resolved
task-config: &task-config
  platform: linux
  image_resource:
    type: registry-image
    source:
      repository: amazon/aws-cli
      tag: latest