Unable to access private container registry from gcloud compute VM - docker

I'm trying to pull a container from a private gcloud registry from a gcloud VM using service account for authentication. The VM and registry are in the same project. No matter what I do I always get Error response from daemon: unauthorized.
XXX#sandbox:~$ gcloud auth configure-docker gcr.io
WARNING: Your config file at [/home/XXX/.docker/config.json] contains these credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud"
}
}
Adding credentials for: gcr.io
gcloud credential helpers already registered correctly.
XXX#sandbox:~$ sudo docker pull gcr.io/MY-PROJECT-ID/MY-IMAGE:latest
Error response from daemon: unauthorized: You don't have the needed permissions to perform
this operation, and you may have invalid credentials. To authenticate your request, follow
the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
The service account has Storage Admin role for the gcr.io storage bucket:
The VM has storage access enabled as Read-Write:
The VM was stopped, restarted multiple times. Docker is up to date:
XXX#sandbox:~$ which docker
/usr/bin/docker
XXX#sandbox:~$ sudo docker version
Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:26:02 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:24:36 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
I can get it to work using a JSON keyfile but not with the recommended gcloud auth configure-docker. I guess there is yet another undocumented switch or permission that I need to flip but I just can't see it.

You can pass the account or the impersonate-service-account to the command:
gcloud auth configure-docker --account
gcloud auth configure-docker --impersonate-service-account
When you run with sudo you change the environment, so it will not authenticate to gcr.io, hence the unauthorized error.
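The environment change described in the answer above can be checked directly. The following is an added example, not code from the original post: it resolves which config.json and which credential helper binary the docker client would use for gcr.io under a given HOME and PATH. The file tree, the stub helper and the three environments are constructed for the demonstration, and the helper name lookup (credHelpers, then credsStore, then auths) follows Docker's documented client configuration.

```python
import json
import os
import shutil
import tempfile


def docker_config_dir(env):
    """Directory the docker CLI reads: $DOCKER_CONFIG, else $HOME/.docker."""
    return env.get("DOCKER_CONFIG") or os.path.join(env.get("HOME", "/"), ".docker")


def credential_source(env, registry):
    """Return (kind, detail): where credentials for `registry` come from in `env`."""
    path = os.path.join(docker_config_dir(env), "config.json")
    if not os.path.isfile(path):
        return ("anonymous", "no " + path)
    with open(path) as fh:
        cfg = json.load(fh)
    # A per-registry credHelpers entry wins over the default credsStore.
    helper = cfg.get("credHelpers", {}).get(registry) or cfg.get("credsStore")
    if helper:
        binary = "docker-credential-" + helper
        if shutil.which(binary, path=env.get("PATH", "")):
            return ("helper", binary)
        return ("broken-helper", binary + " not on PATH")
    if registry in cfg.get("auths", {}):
        return ("static", "auths entry in " + path)
    return ("anonymous", "no entry for " + registry)


def demo():
    """Constructed tree: a user with the gcloud helper, and a bare root account."""
    top = tempfile.mkdtemp()
    user_home, root_home = os.path.join(top, "home/user"), os.path.join(top, "root")
    sdk_bin, sys_bin = os.path.join(top, "sdk/bin"), os.path.join(top, "usr/bin")
    for d in (os.path.join(user_home, ".docker"), root_home, sdk_bin, sys_bin):
        os.makedirs(d)
    with open(os.path.join(user_home, ".docker", "config.json"), "w") as fh:
        json.dump({"credHelpers": {"gcr.io": "gcloud"}}, fh)
    stub = os.path.join(sdk_bin, "docker-credential-gcloud")  # stand-in helper binary
    with open(stub, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(stub, 0o755)
    envs = {
        "user": {"HOME": user_home, "PATH": sdk_bin + os.pathsep + sys_bin},
        "sudo, HOME reset": {"HOME": root_home, "PATH": sys_bin},
        "sudo, HOME kept": {"HOME": user_home, "PATH": sys_bin},
    }
    return {name: credential_source(env, "gcr.io") for name, env in envs.items()}
```

Calling `demo()` returns one result per environment; on a real VM, pass `dict(os.environ)` to `credential_source` once as the normal user and once under sudo to compare.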

Related

Create ECS Context with Docker without Docker Desktop

I'm trying to create an ECS context using Docker so that I can deploy to AWS using the Docker Compose CLI
docker context create ecs <my context name>
But am receiving the following error:
"docker context create" requires exactly 1 argument.
See 'docker context create --help'.
Usage: docker context create [OPTIONS] CONTEXT
Create a context
I've edited my /etc/docker/daemon.json to include
{
"experimental": true
}
My Docker Compose CLI is version 2.14.2 and both the Client and Server show experimental as true
Client:
Version: 20.10.22
API version: 1.41
Go version: go1.19.4
Git commit: 3a2c30b63a
Built: Tue Dec 20 20:43:40 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.22
API version: 1.41 (minimum version 1.12)
Go version: go1.19.4
Git commit: 42c8b31499
Built: Tue Dec 20 20:42:46 2022
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: v1.6.14
GitCommit: 9ba4b250366a5ddde94bb7c9d1def331423aa323.m
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d1
docker-init:
Version: 0.19.0
GitCommit: de40ad0
This should be available in Docker since 19.03
https://docs.docker.com/cloud/ecs-integration/#install-the-docker-compose-cli-on-linux
So far I've only been able to create an ECS context by installing Docker with the experimental Arch package for Docker Desktop instead of Docker Compose Standalone. The weird thing is, Docker Desktop's Docker Compose version is only 2.13.
This also might be related to this question:
docker context create ecs myecs - requires exactly one argument

Unable to login to docker via Ubuntu 18.04.5 LTS

I am having an issue on login to docker from my Ubuntu 18.04.5 LTS
This is the command I run to login docker
sudo docker login -u myname -p mypass
This is the error I've got
Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
I searched on Google and it seems this is not a common issue.
This is my docker version
Client: Docker Engine - Community
Version: 19.03.12
API version: 1.40
Go version: go1.13.10
Git commit: 48a66213fe
Built: Mon Jun 22 15:45:36 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.12
API version: 1.40 (minimum version 1.12)
Go version: go1.13.10
Git commit: 48a66213fe
Built: Mon Jun 22 15:44:07 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
Basically, this is what I have done so far:
run sudo docker run hello-world to verify that my docker is running properly
Hello from Docker!
This message shows that your installation appears to be working correctly.
...
run sudo vi ~/.docker/config.json to add "HttpHeaders"
{
"auths": {},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.12 (linux)"
}
}
run sudo vi /etc/docker/daemon.json to add dns, then reload the daemon and restart docker
{
"dns": ["8.8.8.8","8.8.4.4" ]
}
run curl https://registry-1.docker.io/v2/ and sure enough I've got this
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
As people were talking about proxy servers, I also did a test run of curl https://google.com and got a response; does that mean my server does not reside behind a proxy?
Unfortunately, after trying several combinations of the above solutions, I'm still not able to log in to docker.
Does anyone have any advice?

gcr.io registry, docker buildx multi-platform --push 401: authorization failed

I'm facing an unauthorized issue when using docker buildx build --platform linux/amd64 -f Dockerfile -t gcr.io/<bucket>/<image>:1.0.0 --push . when pushing to gcr.io/<bucket>. I listed one platform here, but the problem is the same with multiple platforms.
However, it works when doing a --load action followed by a manual docker push:
docker buildx build --platform linux/amd64 -f Dockerfile -t gcr.io/<bucket>/<image>:1.0.0 --load .
docker push gcr.io/<bucket>/<image>:1.0.0
What is the proper configuration I need to be able to use docker buildx build with --push directly to push to a GCR registry? I'm authenticated to GCP with gcloud auth login and did gcloud auth configure-docker. The standard docker push works so I assume the configuration is good for this use case.
If you don't know the answer but know where I could get support from the GCR team about this, please post the link in a comment and I'll follow up there to see what's wrong.
Some information about my setup:
$ gcloud --version
Google Cloud SDK 377.0.0
alpha 2022.03.10
bigtable
bq 2.0.74
cbt 0.11.0
core 2022.03.10
gsutil 5.8
kubectl 1.21.9
minikube 1.25.2
$ docker version
Client:
Cloud integration: v1.0.22
Version: 20.10.12
API version: 1.41
Go version: go1.16.12
Git commit: e91ed57
Built: Mon Dec 13 11:46:56 2021
OS/Arch: darwin/arm64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.12
API version: 1.41 (minimum version 1.12)
Go version: go1.16.12
Git commit: 459d0df
Built: Mon Dec 13 11:43:07 2021
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.4.12
GitCommit: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc:
Version: 1.0.2
GitCommit: v1.0.2-0-g52b36a2
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Docker not logging into local repository

I have just set up a local VM running Nexus. I have configured a Docker repository on port 5000. I have a separate VM running Docker. I have configured the repository in /etc/docker/daemon.json as so:
{
"insecure-registries": ["192.168.0.5:5000", "nexus:5000"]
}
I then restarted the Docker service, and I have run the command:
docker login 192.168.0.5:5000
I am prompted for a username and password, and when I enter them it returns with:
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password
I have checked the Docker documentation, and other online resources on how to login to a local docker repository, but I have exactly the same configuration and it just always throws this error.
If I try to push my image, it attempts to contact the local repository, but it complains there are no credentials (as well it should):
[root#docker repo]$ docker tag repo 192.168.0.5:5000/repo
[root#docker repo]$ docker image push 192.168.0.5:5000/repo
Using default tag: latest
The push refers to repository [192.168.0.5:5000/repo]
7d5760c4aa8d: Preparing
3102e53269f4: Preparing
2f140462f3bc: Preparing
63c99163f472: Preparing
ccdbb80308cc: Preparing
no basic auth credentials
Am I missing something?
I am experiencing the same but only with MacOS "Docker Desktop" installations. On Windows it's working as expected.
Client:
Cloud integration: 1.0.17
Version: 20.10.8
API version: 1.41
Go version: go1.16.6
Git commit: 3967b7d
Built: Fri Jul 30 19:55:20 2021
OS/Arch: darwin/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.8
API version: 1.41 (minimum version 1.12)
Go version: go1.16.6
Git commit: 75249d8
Built: Fri Jul 30 19:52:31 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.9
GitCommit: e25210fe30a0a703442421b0f60afac609f950a3
runc:
Version: 1.0.1
GitCommit: v1.0.1-0-g4144b63
docker-init:
Version: 0.19.0
GitCommit: de40ad0
As I am trying to login to a local registry (using Artifactory) I've checked the reverse proxy's logs. The MacOS client doesn't even try to reach the local registry.

Getting docker error, daemon is missing signature key on docker pull

I have been trying to pull a docker image which has been pushed successfully to the private jfrog repository using the same terminal and in the same session. There are no issues while pushing the image; however, the pull fails with the following error.
[xxxx#xxxx~]$ sudo docker pull docker-repo/xxxx-xxxx-xxx/xx/tomcat-xx:latest
Error response from daemon: missing signature key
Can anyone help with what could be the reason for this? The difference I can see between the image I pushed through this terminal and the images which are already present in the jfrog repo is that the manifest has certain properties associated with them. However, there are no properties present in the jfrog repo for the image I pushed from this terminal.
Following are the details for reference:
$ sudo docker version
Client: Docker Engine - Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:25:41 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:24:18 2019
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
runc:
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
docker-init:
Version: 0.18.0
GitCommit: fec3683
Is there anything I am missing at the configuration end? Kindly help.
Thanks.
I had the same problem with JFrog Artifactory. For me, it helped to give annotate permissions to the user pushing the image, as suggested here.
