Reputation: 15367
I am not able to figure out a way to get all three of these pieces of tech to work together.
I have Google Container Registry. In it, I have 2 private images, let's call them A and B. I want to create a single instance template that does the following:
That is all I need to do. I hoped to do it in a startup script, that way I could just use a plain image as my base and I could deploy it in prod.
I have tried all 3 versions of the Container Optimized OS, and all 3 versions of CoreOS. Each gives slightly different errors.
Some examples suggest using gcloud docker -- pull, but gcloud does not auth correctly in any of the 6 environments I have tried.
Other examples suggest using docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" https://gcr.io; this also fails.
The only other option I found was to do docker login -u _json_key -p "$(cat keyfile.json)" https://gcr.io, which DID allow me to then pull the GCE images. The downside to this approach is: how do I get that keyfile in the images? I guess I can make a custom image with the keyfile added, but I was trying to stick to a stock image that does my two docker run commands and no more. Is this impossible?
Upvotes: 2
Views: 387
Reputation: 595
What errors are you seeing, specifically?
docker-credential-gcr is able to pull access-tokens from GCE metadata. It can also pull the gcloud SDK's access token by executing gcloud config config-helper --format='value(credential.access_token)' under the scenes. gcloud auth print-access-token was used in the past, but is not officially supported.
Upvotes: 1
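The metadata-token route mentioned in the answer can also be done by hand in a startup script, which avoids placing a long-lived JSON key on the image. The following is an added example, not code from either poster; it assumes the VM has a service account with read access to the registry, and the image names, the `PROJECT_ID` placeholder and the `--run` guard are hypothetical.

```shell
#!/bin/sh
# Added example: log Docker in to gcr.io with the VM service account's
# short-lived token from the GCE metadata server (no key file on disk).

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

# Extract the access_token field from the metadata server's JSON reply.
# Uses sed so it works on images that ship without jq or python.
extract_access_token() {
  tr -d '\n' | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Fetch the token JSON; the server rejects requests without this header.
fetch_token_json() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL"
}

registry_login() {
  token=$(fetch_token_json | extract_access_token)
  if [ -z "$token" ]; then
    echo "no access token: is a service account attached to this VM?" >&2
    return 1
  fi
  # --password-stdin keeps the token out of the process list.
  printf '%s' "$token" | docker login -u oauth2accesstoken --password-stdin https://gcr.io
}

main() {
  # Assumption: root's home may be read-only on the stock image, so keep
  # Docker's config in a writable temporary directory.
  DOCKER_CONFIG=$(mktemp -d) && export DOCKER_CONFIG
  registry_login || return 1
  # Placeholder image names standing in for the question's images A and B.
  docker run -d gcr.io/PROJECT_ID/image-a
  docker run -d gcr.io/PROJECT_ID/image-b
}

# Hypothetical guard so the functions can be sourced and tested offline;
# in an actual startup script, replace it with a plain call to main.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The token expires after roughly an hour, so a later pull needs a fresh login.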