Igor Ekishev

Reputation: 93

Unable to pull image from private GCR from Container Optimized Compute Engine

Can't get what I'm doing wrong...

Performed the following steps on a fresh Compute Engine instance based on Container-Optimized OS:

And got the following:

Unable to find image 'gcr.io/around-dev/firebase-service-image:latest' locally
Pulling repository gcr.io/around-dev/firebase-service-image
docker: unauthorized: authentication required.
See 'docker run --help'.

Then I actually tried to log in with docker-credential-gcr gcr-login and run, but still got the same error. After all that, my .docker/.config.json looks like:

{
        "auths": {},
        "credHelpers": {
                "asia.gcr.io": "gcr",
                "eu.gcr.io": "gcr",
                "gcr.io": "gcr",
                "staging-k8s.gcr.io": "gcr",
                "us.gcr.io": "gcr"
        }
}

Obviously no credentials stored. Can someone explain to me what I'm doing wrong? Thanks in advance.

Upvotes: 9

Views: 4450

Answers (5)

MichaelC

Reputation: 51

Another option is to use the gcloud image in Docker, which is itself a Docker base image.

Assuming that you have a service account key file in $PWD/gcr-auth.json, you just need to pass down the docker sock and your service JSON key in a volume:

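# Mount the working directory (which holds the key file) and the host's Docker
# socket, so the pull done inside the container lands in the host's image store.
docker run \
  -v "$PWD:$PWD" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  google/cloud-sdk \
  sh -c \
  'gcloud auth activate-service-account --key-file=/somepath/gcr-auth.json && gcloud docker -- pull gcr.io/some-project/myimage:latest'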

After the pull is done, the image is back on the host.

Upvotes: 0

Alex

Reputation: 36626

I'm on COS and also had similar problems. The documentation for COS makes it seem like it should be as simple as running 2 commands.

$ docker-credential-gcr configure-docker
$ docker run --rm gcr.io/<your-project>/<your-image>

The file gets created in ~/.docker/config.json. But I couldn't pull the private image to run it. I can successfully pull public images.

After bashing my head against the wall for most of the day I tried the login command docker-credential-gcr gcr-login. I have 2-factor auth set up on my account and when I ran that command it gave me a URL that I had to visit to enter an auth token. After I followed those instructions I can now successfully pull images from the private registry.

I'm unsure if this is the correct workflow as it is not covered in the documentation.

Upvotes: -1

akaltar

Reputation: 1107

If you have a private VPC and an instance without an external IP, you can get a timeout error. A way to fix this is to enable private_ip_google_access at the subnet level. This lets you access Google resources, with a few exceptions, without needing an external IP address on your instance.

Upvotes: 1

Casper Gerritsen

Reputation: 314

I encountered the same problem when I wanted to push an image to GCR. I also ran docker with sudo. I solved my problem by adding my user to the docker usergroup, as found on the docker postinstall guide:

sudo groupadd docker
sudo usermod -aG docker $USER

Then log out and log in again.

Upvotes: 0

Philippe Deslauriers

Reputation: 261

Why you're seeing this

You're seeing this error because you ran docker-credential-gcr configure-docker without sudo and then sudo docker run .... When running sudo docker, it looks for the configuration file in /root/.docker/ and doesn't find anything, thus throwing the authentication required error.

Why running sudo docker-credential-gcr configure-docker won't fix it

When you're running COS, you don't have write access to all directories. Only a few directories are writable and /root isn't one of them. Because of that, running docker-credential-gcr as root fails since it can't write the docker config file inside the $HOME directory (that happens to be /root).

More details on writable directories: https://cloud.google.com/container-optimized-os/docs/concepts/security#filesystem

Fixing it

1 - Override $HOME

sudo HOME=/home/root /usr/bin/docker-credential-gcr configure-docker

sudo HOME=/home/root docker run --detach --name=echo --net=esp_net gcr.io/around-dev/firebase-service-image:latest

2 - Manually specify a config file location

You can also include the path to the docker config directory with each command. For example, if you know docker is configured with credentials in the /home/root/.docker directory, you could run the following command:

sudo docker --config /home/root/.docker pull gcr.io/my-project/alpine:3.2

Upvotes: 16
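
An added example (not part of any answer above, and not Docker's or Google's code) that checks the point made in the answer above: the docker client reads config.json from the directory given by --config or the DOCKER_CONFIG environment variable, otherwise from $HOME/.docker, so a helper configured under one HOME is not seen under another. The function names and the temporary directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: which config dir does a docker invocation read, and does
# it name a credential helper for the registry?

# Config dir the docker CLI uses: $DOCKER_CONFIG / --config if given,
# otherwise $HOME/.docker. Args: <home> [config_dir_override]
docker_config_dir() {
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else printf '%s\n' "$1/.docker"; fi
}

# Print the credHelpers value for <registry> in <dir>/config.json; return 1
# if the file is unreadable or has no entry. Line-oriented match that assumes
# one entry per line, the layout shown in the question.
cred_helper_for() {
    cfg="$1/config.json"
    [ -r "$cfg" ] || return 1
    host=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    helper=$(sed -n "s/^[[:space:]]*\"$host\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$cfg" | head -n 1)
    [ -n "$helper" ] && printf '%s\n' "$helper"
}

# Args: <home> <registry> [config_dir_override]
check_registry_auth() {
    dir=$(docker_config_dir "$1" "${3:-}")
    if helper=$(cred_helper_for "$dir" "$2"); then
        echo "ok: $dir/config.json -> docker-credential-$helper"
    else
        echo "missing: no credHelpers entry for $2 in $dir/config.json"
        return 1
    fi
}

# Constructed demo: temp dirs stand in for the user's HOME and root's HOME.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/user/.docker" "$tmp/root"
    printf '{\n  "auths": {},\n  "credHelpers": {\n    "eu.gcr.io": "gcr",\n    "gcr.io": "gcr"\n  }\n}\n' \
        > "$tmp/user/.docker/config.json"
    check_registry_auth "$tmp/user" gcr.io                     # docker as the user
    check_registry_auth "$tmp/root" gcr.io || true             # sudo docker: other HOME
    check_registry_auth "$tmp/root" gcr.io "$tmp/user/.docker" # docker --config <dir>
    rm -rf "$tmp"
}
demo
```

On a real instance, call check_registry_auth with the HOME each invocation actually sees (for example /root for sudo docker and /home/root for the overridden case in the answer above).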
