user5082007

How to use Google Container Registry

I tried to use Google Container Registry, but it did not work for me.

I wrote the following containers.yaml.

$ cat containers.yaml
version: v1
kind: Pod
spec:
  containers:
    - name: amazonssh
      image: asia.gcr.io/<project-id>/amazonssh
      imagePullPolicy: Always
  restartPolicy: Always
  dnsPolicy: Default

I ran the instance with the following command.

$ gcloud compute instances create containervm-amazonssh --image container-vm --network product-network --metadata-from-file google-container-manifest=containers.yaml --zone asia-east1-a --machine-type f1-micro

I set the following ACL permission.

# gsutil acl ch -r -u <project-number>@developer.gserviceaccount.com:R gs://asia.artifacts.<project-id>.appspot.com

But "Access denied" occurs when I docker pull the image from Google Container Registry.

#  docker pull asia.gcr.io/<project-id>.a/amazonssh
Pulling repository asia.gcr.io/<project-id>.a/amazonssh
FATA[0000] Error: Status 403 trying to pull repository <project-id>/amazonssh: "Access denied."

Upvotes: 1

Views: 1003

Answers (2)

mattmoor

Reputation: 1707

You have an extra .a after project-id here, not sure if you ran the command that way?

docker pull asia.gcr.io/<project-id>.a/amazonssh

The container-vm has a cron job running gcloud docker -a as root, so you should be able to docker pull as root.

The kubelet, which launches the container-vm Docker containers, also understands how to natively authenticate with GCR, so it should just work.

Feel free to reach out to us at [email protected]. It would be useful if you could include your project-id, and possibly the /var/log/kubelet.log from your container-vm.

Upvotes: 0

TimK

Reputation: 829

Can you verify from your instance that you can read data from your Google Cloud Storage bucket? This can be verified by:

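$ METADATA=http://metadata.google.internal./computeMetadata/v1
$ SVC_ACCT=$METADATA/instance/service-accounts/default
$ curl -H 'Metadata-Flavor: Google' $SVC_ACCT/scopes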
...
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.read_only
...

If so then try:

On Google Compute Engine you can log in without gcloud with:

$ METADATA=http://metadata.google.internal./computeMetadata/v1
$ SVC_ACCT=$METADATA/instance/service-accounts/default
$ ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' $SVC_ACCT/token \
    | cut -d'"' -f 4)
$ docker login -e [email protected] -u _token -p $ACCESS_TOKEN https://gcr.io

Then try your docker pull command again.

Upvotes: 4
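
Added example, not part of either answer: an offline triage of the two causes raised above, a missing storage scope on the instance's service account and an image path (the extra .a) that maps to a different bucket than the one the ACL was set on. The function names, the my-project project id and the sample scope lists are constructed; the bucket naming is generalised from the pairing in the question, and the un-prefixed gcr.io case and the cloud-platform scope go beyond what the page shows.

```shell
#!/bin/sh
# Added example; all sample values are constructed.

# Succeeds if the scope list on stdin (one URL per line, as returned by
# $SVC_ACCT/scopes) includes a scope that permits reading Cloud Storage.
# cloud-platform is not listed on the page but also covers storage.
has_storage_read_scope() {
    grep -Eq '^https://www\.googleapis\.com/auth/(devstorage\.(read_only|read_write|full_control)|cloud-platform)$'
}

# Print the bucket an image reference maps to, following the question:
# asia.gcr.io/<project-id>/... <-> gs://asia.artifacts.<project-id>.appspot.com
bucket_for_image() {
    host=${1%%/*}          # e.g. asia.gcr.io
    rest=${1#*/}           # e.g. <project-id>/amazonssh
    project=${rest%%/*}    # e.g. <project-id>
    case $host in
        gcr.io)   prefix= ;;                  # no regional prefix (assumed same pattern)
        *.gcr.io) prefix=${host%gcr.io} ;;    # "asia."
        *)        return 1 ;;
    esac
    printf 'gs://%sartifacts.%s.appspot.com\n' "$prefix" "$project"
}

# Report the first likely cause of a 403 on pull.
# $1 = image given to docker pull, $2 = bucket the ACL was set on,
# stdin = scope list from the metadata server.
triage_pull() {
    if ! has_storage_read_scope; then
        echo "no-storage-scope"; return
    fi
    expected=$(bucket_for_image "$1") || { echo "not-a-gcr-image"; return; }
    if [ "$expected" != "$2" ]; then
        echo "bucket-mismatch"; return
    fi
    echo "ok"
}

# Constructed sample: scopes are fine, but the pull used "<project-id>.a".
printf '%s\n' 'https://www.googleapis.com/auth/devstorage.read_only' |
    triage_pull asia.gcr.io/my-project.a/amazonssh \
                gs://asia.artifacts.my-project.appspot.com
```

On a real instance, pipe the output of the scopes request from the answer above into triage_pull instead of the constructed list.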
