When I try to sign a docker image in GCR or GAR I use:
docker trust sign name:label
But I get this error: Error: error contacting notary server: unknown: Project 'project:XXX' not found or deleted
Anyone have found a way in order to work with signed docker images and Google Cloud?
Related
I have created some images in the Gitlab Container Registry. I am unable to pull them using docker on my local system. The login command succeeds but when I type the following command:
docker pull reg-gitlab-project.company.com/services/palimited/integrationservices/springbootproject/springbootproject:latest
I am getting the following error
Error response from daemon: Head "https://reg-gitlab-project.company.com/v2/services/palimited/integrationservices/springbootproject/springbootproject/manifests/latest": denied: access forbidden
I am unable to figure out why this error is occuring? Can anyone guide me.
You need to authenticate with the container registry at reg-gitlab-project.company.com before issuing a docker pull command.
See, GitLab Docs: Authenticate with the Container Registry.
I am using minikube to develop my Kubernetes application. I have a private azure registry where my images are saved. Whenever I start the app, k8s start to pull an image. It throws the following error
Failed to pull image "myregistry.azurecr.io/myapp:mytag": rpc error: code = Unknown desc = Error response from daemon: Get https://myregistry.azurecr.io/v2/myapp/manifests/mytag: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I am configuring my minikube using this documentation. where first, I log-in to acr using below command,
az acr login --name myregistry.azurecr.io --expose-token
And after using the token provided by the above command, I log-in to my private docker-registry by the below command in minikube ssh.
docker login myregistry.azurecr.io -u 00000000-0000-0000-0000-000000000000
After that as per mention in the document, I copy the .docker/config.json to /var/lib/kubelet/config.json in minikube ssh. Still I am facing above error.
If I manually pull the image using the docker pull command, it works. I tried with imagepullsecret also and it is working. But from the above method, getting an authentication error. Do I have missing any step here? Can you please help me?
Thanks...
It seems all the steps are right. Maybe you can check if you really copy the config file to all the minikube nodes. In default, the command minikube ssh connect the control plane. You can check if the nodes' IP addresses is right when you copy the config file to them.
But in my opinion, it's not a good way to use the way like this. It's better and more convenient to use the imagePullSecret and service account.
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
5b0f327be733: Pulling fs layer
C:\Program Files\Docker Toolbox\docker.exe: error pulling image configuration: G
et https://dseasb33srnrn.cloudfront.net/registry-v2/docker/registry/v2/blobs/sha
256/05/05a3bd381fc2470695a35f230afefd7bf978b566253199c4ae5cc96fafa29b37/data?Exp
ires=1505372640&Signature=LO9Nt0XkgRBYWohS5zpTJFLWKzikKcF0579euysBEXpTGOT8CsWO5p
JBRUxpp-0HtcNlB7bF4RjbGprTjcUUIgkFs8pE5uY9z6AoBADfE~XyFYOul9alK-uYulne52EnvLkNfh
NQO~xR4Y-whwop79R9tiWZuZl8ueTzas2GFYE_&Key-Pair-Id=APKAJECH5M7VWIS5YZ6Q: x509: c
ertificate signed by unknown authority.
See 'C:\Program Files\Docker Toolbox\docker.exe run --help'.
Any advice on how to proceed?
Your docker engine is trying to contact the registry and having some sort of CDN, firewall, or corporate proxy issue trying to have a proper "conversation" with the registry. It's pretty similar to being on hotel or public WiFi that has a "walled garden" that hasn't been processed through yet.
Unless you have a persistent network issue, it could be temporal, and as someone else suggested a docker pull hello-world:latest may work. If you have a corporate proxy, you may have to make sure the Docker toolbox/Docker for Windows configuration has this proxy configured properly to have network access.
I am trying to push a Docker image to Google Container Registry from a CircleCI build, as per their instructions. However, pushing to GCR fails due to an apparent authentication error:
Using 'push eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test' for DOCKER_ARGS.
The push refers to a repository [eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test] (len: 1)
Post https://eu.gcr.io/v2/realtimemusic-147914/realtimemusic-test/realtimemusic-test/blobs/uploads/: token auth attempt for registry: https://eu.gcr.io/v2/token?account=oauth2accesstoken&scope=repository%3Arealtimemusic-147914%2Frealtimemusic-test%2Frealtimemusic-test%3Apush%2Cpull&service=eu.gcr.io request failed with status: 403 Forbidden
I've prior to pushing the Docker image authenticated the service account against Google Cloud:
echo $GCLOUD_KEY | base64 --decode > ${HOME}/client-secret.json
gcloud auth activate-service-account --key-file ${HOME}/client-secret.json
gcloud config set project $GCLOUD_PROJECT_ID
Then I build the image and push it to GCR:
docker build -t $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test -f docker/test/Dockerfile .
gcloud docker push -- $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test
What am I doing wrong here?
Have you tried using the _json_key method for authenticating with Docker?
https://cloud.google.com/container-registry/docs/advanced-authentication
After that, please use naked 'docker' (without 'gcloud').
If you are pushing docker image using google cloud sdk. You can use temporary authorization with the following command:
gcloud docker --authorize-only
The above command gives you a temporary authorization for pushing and pulling images using docker.
You can refer this link for details Gcloud docker.
Hope it helps to solve your issue.
After many retries... I solved using access token:
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://[HOSTNAME]
The service account requires permission to write to the Cloud Storage bucket containing the container registry. Granting the service account either the project editor role or write access to the bucket (via ACL) solves the issue. The latter should be preferable since the account doesn't receive wider permissions than it needs.
I have my own docker registry secured with a selfsigned certificate.
On other servers, I'm able to login on the registry and pull/push images from it. So that seems to work fine.
But when I want to create an app from the image using OpenShift it does not seem te work:
oc new-app ec2-xxx:5000/test/image1
error: can't look up Docker image "ec2-xx/test/image1": Internal error occurred: Get https://ec2-xxx:5000/v2/: x509: certificate signed by unknown authority
error: no match for "ec2-xxx:5000/test/image1"
What could be the issue?
I'm able to login in the registry and pull the image manual.
Try adding "--insecure-registry" to new-app command
oc new-app ec2-xxx:5000/test/image1 --insecure-registry