Reputation: 102237
Can I use cloud run with self-hosted/private docker image registry?
When I deployed with my self-hosted(private) Docker image registry, got this error:
This service will require authentication to be invoked.
Deploying container to Cloud Run service [serverless-functions-go] in project [PROJECT_ID] region [us-central1]
X Deploying new service...
. Creating Revision...
. Routing traffic...
Deployment failed
ERROR: (gcloud.beta.run.deploy) Invalid image provided in the revision template. Expected [region.]gcr.io/repo-path[:tag or @digest], obtained dtr.artifacts.xxx.com/xxxxx/xxxx/serverless-functions-go:latest
Before pulling the image from my private docker image registry, I need to use the command like:
docker login [options]
How can I solve this issue?
Upvotes: 3
Views: 3596
Answers (3)
Reputation: 1686
Neither the question nor the multiple answers hit the heart of the problem (for the latest state of products in Aug 2024).
The heart of the problem is not whether the image is private (i.e., an image that requires a credential/password for docker pull). That problem alone can be solved (at least in 2024) by setting up a Google Artifactory Registry (GAR) in remote repo mode -- GAR allows us to supply the backend repo's credential. So, for example, Cloud Run can -- via GAR -- docker pull a private image from https://hub.docker.com with your Docker Hub credential.
The heart of the problem is that the backend repo (e.g., a JFrog Artifactory) must listen on a public IP address (or having a proxy which listens on a public IP). In other words, consider this command:
gcloud run jobs create ... --image=us-docker.pkg.dev/.../my-image:latest
The --image must point to a public IP (or a DNS hostname that resolves to a public IP.) So, if we install a JFrog Artifactory on a VM on our VPC and listens on a private IP only (without a public IP), then Cloud Run's docker pull will have no network connectivity to that private IP.
- Note 1: Cloud Run's VPC connectivity feature is for runtime (during
docker run), not for deployment time (duringdocker pull). So, it won't solve this problem. - Note 2: GAR in
remotemode requires that a backend repo (such as JFrog) must listen on a public IP also. So, using GAR as a proxy to JFrog (if JFrog listens on a private IP) won't solve our problem, either.
My conclusion: If our backend repo (e.g., JFrog) doesn't listen on a public IP -- either directly or via a proxy (and regardless of whether it requires credential) -- then Cloud Run won't work. There's no solution to provide network connectivity for the docker pull stage of Cloud Run.
Upvotes: 0
Reputation: 6822
2024 Update:
Yes, you can.
GCR.io is deprecated, see: https://cloud.google.com/container-registry/docs/deprecations/container-registry-deprecation
According to the updated CloudRun documentation:
You can directly use container images stored in Artifact Registry, or Docker Hub. Google recommends the use of Artifact Registry.
You can use container images from other public or private registries (like JFrog Artifactory, Nexus, or GitHub Container Registry), by setting up an Artifact Registry remote repository.
Upvotes: 1
Reputation: 81346
Can I use cloud run with private docker container registry?
No, not at this time. See "Images you can deploy" in the Cloud Run documentation.
Upvotes: 6
Related Questions
- Deploy a container to Cloud Run after pushing to Artifact Registry automaticlly
- Pushing an image to Google Container Registry from inside a Docker container
- Deploy multiple Cloudrun service with same dockerimage
- Google Cloud Code's Cloud Run extension stores the Docker image in Cloud Storage instead of Artifact Registry
- Moving images from Docker registry to GCR
- Cloud Run deployment using image from last revision
- Is it possible to use Google Cloud Run to Docker Pull?
- How do I run private docker images on Google Container Engine
- Can I use docker image registry from google cloud build?
- Docker image registry/repository on private cloudfoundry