I'm at my wits trying to get Docker images from Google Container Registry onto a Google Compute Engine instance. (The images I need have been successfully uploaded to GCR.)
I've logged in using gcloud auth login and then tried gcloud docker pull -- us.gcr.io/app-999/app which results in ERROR: (gcloud.docker) Docker is not installed..
I've tried to authenticate using oauth and pulling via a normal docker call. I see my credentials when I look at the file at .docker/config.json. Doing that, it looks like it's going to work, but ultimatly ends like this:
mbname#instance-1 ~ $ docker pull -- us.gcr.io/app-999/app
Using default tag: latest
latest: Pulling from app-999/app
b7f33cc0b48e: Pulling fs layer
43a564ae36a3: Pulling fs layer
b294f0e7874b: Pulling fs layer
eb34a236f836: Waiting
error pulling image configuration: unauthorized: authentication required
which looks like progress, because at least it attempted to download something.
I've tried both of these things on my local machine as well and both methods were successful.
Am I missing something?
Thanks for your help.
P.S. I've also tried loading a container from another registry (
Docker Hub) and that worked fine, but I need more than one container and want to keep expenses down.
After contacting Google support they informed me that there is a bug in the CoreOS gcloud alias. This bug is fixed by overwriting the alias in the shell as follows:
alias gcloud='(docker images google/cloud-sdk || docker pull google/cloud-sdk) > /dev/null;docker run -t -i --net=host -v $HOME/.config:/.config -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker google/cloud-sdk gcloud'
I've tried this and it works now.
docker should be included in the latest versions of gcloud. You can update to the latest version of gcloud by running gcloud components update
Related
I'm working on google container optimised OS (COS) trying to pull an image from Google Container Registry using docker-compose. I completed the the authentication using docker-credential-gcr.
Now
docker pull gcr.io/projectname/nextjs works
however
> docker-compose pull
Pulling nextjs ... error
ERROR: for nextjs unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials.
the problem was that the docker-compose alias did not support the gcr authentication.
The following steps fixed it.
Delete ~/.docker/config.json
change the alias in .bashrc to:
alias docker-compose='docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:$PWD" -w="$PWD" cryptopants/docker-compose-gcr'
docker pull cryptopants/docker-compose-gcr
docker-credential-gcr configure-docker
docker-compose pull works
I am trying to pull a docker container from our private GCP container registry on a regular VM instance (i.e. ubuntu-1904) running on Google Cloud, but I am getting the following error:
user#test ~ $ sudo docker pull example.io/docker-dev/name:v01
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I followed those instructions, i.e., run the gcloud auth configure-docker command, which outputs a success message.
However, when running the docker pull command again, I get the exact same error.
A couple of extra tests that might help to provide feedback:
If I pull from a different registry, it works (for example, docker run hello-world pulls and runs the hello-world image)
I tested the same command (docker pull example.io/docker-dev/name:v01) on my local computer (Mac) instead of the vm instance and works perfectly.
I have also created vm instances and enable the option "Deploy a container image to this VM instance", providing the container address (example.io/docker-dev/name:v01), and also works. However, I don't want to use this option because it selects automatically a "Container-Optimized" boot disk, which I prefer not to use due to the limitations
Question:
Why I cannot pull docker images from my private container registry on a Ubuntu o Debian VM, even though docker seems to work very well pulling images from other repositories (docker hub)?
I did this yesterday. Just run gcloud auth configure-docker then run
VERSION=2.0.0
OS=linux # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64 # or "386" for 32-bit OSs, "arm64" for ARM 64.
After that you can download the docker-credential-gcr
wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"
Then run
tar cvzf --to-stdout ./docker-credential-gcr_linux_amd64-2.0.0.tar.gz /usr/bin/docker-credential-gcloud && sudo chmod +x /usr/bin/docker-credential-gcloud
And finally run
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
Now you will be able to pull you image :)
For me, on a container-os optimized instance, it helped to just run:
docker-credential-gcr configure-docker
https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config
Note the default policy for compute instances:
VM instances, including those in Google Kubernetes Engine clusters,
must have the correct storage access scopes configured to push or pull
images. By default, VMs can pull images when Container Registry is in
the same project.
If you run gcloud auth configure-docker, the auth information is saved under your personal directory.
When you then run sudo docker pull example.io/docker-dev/name:v01, it looks for auth info under root directory and doesn't find anything there.
You should run both with or without sudo.
So I have my docker image uploaded to my projects registry. I can navigate to https://console.cloud.google.com/gcr/images/ and I see my Image listed there.
Now I want to run a VM on this project and on this one use docker to run this very image.
This is the command within my VM:
sudo /usr/bin/docker run eu.gcr.io/my-project-name/example001
The response is:
Unable to find image 'eu.gcr.io/.../example001:latest' locally
/usr/bin/docker: Error response from daemon: unauthorized: You don't have the needed permissions to perform this op
eration, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.goo
gle.com/container-registry/docs/advanced-authentication.
See '/usr/bin/docker run --help'.
Please see the image attached. I can list my images if I define "eu.gcr.io/..." as my project path. However the machine seems to run on ".gcr.io" so therefor not able to access my image? How would I fix this - and why is my image on "eu.gcr.io" and the machine on ".gcr.io", I cant find a method to change this (either move the image to gcr.io or move the machine to, eu.gcr.io). However I'm not sure if this is the issue.
Maybe it is an authentication issue with docker?
VM basically cannot be on ".gcr.io", it can run in non-European region/zone, but it shouldn't be a problem.
From GCP access control point of view registry is just a bucket.
So I believe first thing you need to check is that VM has access to Google Cloud Storage.
With gcloud:
gcloud compute instances describe <instance-name>
check if VM has scope to read from devstorage:
serviceAccounts:
- email: ...-compute#developer.gserviceaccount.com
scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- ...
This scope should be in place to read from registry:
https://www.googleapis.com/auth/devstorage.read_only
If you don't have such scope on VM, but have there gcloud configured, you can use gcloud as credential helper:
gcloud auth configure-docker
as stated in doc you referred: https://cloud.google.com/container-registry/docs/advanced-authentication#gcloud_as_a_docker_credential_helper
The answer is found here:
https://serverfault.com/questions/900026/gcp-no-access-to-container-registry-from-compute-engine
It is the docker command which needs the authorization. Not the hostname (eu.gcr.io) is the issue here. I used 'gcloud docker -- pull ...' command to get the image from the repository to use within my VM.
after you create linux VM on GCP, SSH to it, you have to install Google SDK 1 using Cloud SDK with scripts]1 or manually.
If you are running Ubuntu follow the documentation here if you are installing with Red Hat or CentOS follow the documentation here after finishing the Google SDK you have to Run gcloud init to initialize the SDK, just open a terminal and tape [gcloud init] you have to configure your profile. after that you have to install Docker
sudo apt-get -y install docker-ce
sudo systemctl start docker
You need to have access to the registries which you will be pushing to and pulling from.
Configured Docker to use gcloud as a credential helper. To use gcloud as the crediential helper, run the command:
gcloud auth configure-docker
After that you can pull or push images on your registry using the gcloud command with the docker as shown below:
Push: gcloud docker -- push gcr.io/google-containers/example-image:latest
pull: gcloud docker -- pull gcr.io/google-containers/example-image:latest
I am a newbie to Docker and getting hands on with Docker Toolbox in my PC which is behind a corporate proxy. After some SO answers I was able to solve X509 Unauth cert and Proxy issues. Then I was able to do docker search elastic which lists all the images in the dockerhub. But when I tried to pull the official image with docker pull elastic it throws below error. Tried a couple of solutions from google to do docker login and checked but nothing is working out so far. Any solution would be much apprecicated.
raj#localpc MINGW64 ~/DockerWS/app1
$ docker search elastic
NAME DESCRIPTION
STARS OFFICIAL AUTOMATED
elasticsearch Elasticsearch is a powerful open source se
... 2667 [OK]
kibana Kibana gives shape to any kind of data s.
.. 1081 [OK]
itzg/elasticsearch Provides an easily configurable Elasticsea
... 63 [OK]
nshou/elasticsearch-kibana Elasticsearch-6.1.2 Kibana-6.1.2
48 [OK]
kubernetes/fluentd-elasticsearch An image that ingests Docker container log
... 21
raj#localpc MINGW64 ~/DockerWS/app1
$ docker pull elastic
Using default tag: latest
Error response from daemon: unauthorized: authentication required
Thanks.
Raj
The reason is that there is no elastic image available with exactly that name. The search results show for instance elasticsearch or nshou/elasticsearch-kibana which have to be used in the docker pull command.
docker pull elasticsearch would be the solution to use the official ElasticSearch image.
Instead of searching in the terminal you could also use DockerHub directy and copy&paste the docker pull command shown in the right section, e.g. https://hub.docker.com/_/elasticsearch/
The Dockerhub elastic search image has beed deprecated. You can try to pull from the official images using:
docker pull docker.elastic.co/elasticsearch/elasticsearch:6.1.2
I am able to happily pull most images, except the following:
docker pull jwilder/nginx-proxy
The following is the error message:
Using default tag: latest
Pulling repository docker.io/jwilder/nginx-proxy
Network timed out while trying to connect to https://index.docker.io/v1/repositories/jwilder/nginx-proxy/images. You may want to check your internet connection or if you are behind a proxy.
Seems like pulling this particular image is affected due to many issues mentioned here - https://github.com/docker/docker/issues/15603
Docker 1.9 could potentially solve this.
I solved it by creating a new docker machine and pulling the image from there. Then did a docker save and docker load onto my original docker-machine.
This solved my issue as mentioned on https://github.com/docker/docker/issues/15603#issuecomment-133151849
$ docker-machine stop default
$ docker images -q | xargs docker rmi
$ docker-machine start default