Reputation: 3528
Pulling from google container registry in Jenkins scripted pipeline on compute engine vm
I've setup Jenkins on a Google Cloud compute engine vm. Docker is installed, and I'm successfully using a scripted pipeline to pull and run public docker images. I can't seem to pull from Google Container registry though, and I can't find any examples of how to do this in a scripted pipeline. Here's my Jenkinsfile:
node {
checkout scm
docker.image('mysql:5.7').withRun('--env MYSQL_DATABASE=my_db --env MYSQL_ROOT_PASSWORD=password -p 3306:3306') { c ->
docker.image('mysql:5.7').inside("--link ${c.id}:db") {
/* Wait until mysql service is up */
sh 'while ! mysqladmin ping -hdb --silent; do sleep 1; done'
}
/* Fails here */
docker.image('gcr.io/my-project/my-image').withRun("--link ${c.id}:db --env MYSQL_HOST=localhost --env MYSQL_USER=root --env MYSQL_PWD=password --env MYSQL_DB=my_db --network=host")
}
}
It seems like since I'm on a compute engine vm, there shouldn't need to be any credential configuration for Jenkins (clearly I'm wrong). I've run gcloud auth configure-docker on the vm, and I can easily ssh in and pull the image I want from gcr.io with a simple docker pull. When jenkins tries to pull though, I get Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication.
Any ideas?
Edit:
I've discovered wrapping my pull step with docker.withRegistry() works, but this requires me to add my gcloud credentials via the Jenkins interface. It seems strange that I need to do this since Jenkins is already running on a compute engine vm that has the correct auth and docker correctly configured to be able to pull from gcr.io. Is there some special way Jenkins (or the docker pipeline plugin) is running docker that it somehow doesn't have the same authentication that docker has when run manually on the vm?
Upvotes: 1
Views: 1239
Answers (2)
Reputation: 3528
Cracked this, and it was a bit silly. While I did indeed setup auth correctly for my user on the vm, I did not do this for the jenkins user on the vm. After ssh-ing into the vm, I needed to do:
sudo su jenkins
gcloud auth configure-docker
This adds the gcloud config for docker to jenkins' home directory. Then you have no need for withRegistry or any additional jenkins credential configuration. Nice and clean if you are doing this on a vm.
Upvotes: 1
Reputation: 79
It looks like that you’re running into some auth issues with Jenkins & Docker on a GCE VM.
This document may help [1], and also, did you have the chance of looking into a helper [2]?
[1] https://googleapis.dev/python/google-api-core/latest/auth.html#using-google-compute-engine
[2] https://cloud.google.com/container-registry/docs/advanced-authentication#helpers
Upvotes: 0
Related Questions
- Push to google container registry fails: Retrying
- Unable to push image to GCR from Jenkins Pipeline
- Jenkins Pipeline Build with Docker, Google Registry, and Google Auth Plugin
- Google Container Registry and Jenkins
- How do I pull a Docker image from one private registry and push it to a second different private registry in Jenkins pipeline
- Failing to Push docker image from Jenkins on GCE instance to google container registry
- How to push a docker image to Google Container Registry using fabric8 maven plugin from Jenkins pipeline: unauthorized
- Connect Jenkins to GCP container registry
- Jenkins Declarative Pipeline Docker Registry
- How to do use Google Container Registry with the docker CLI