GCP：无法从 ubuntu/debian VM 实例上的 GCP 私有容器注册表中提取 docker 镜像

Question

I am trying to pull a docker container from our private GCP container registry on a regular VM instance (ie ubuntu-1904 ) running on Google Cloud, but I am getting the following error:

user@test ~ $ sudo docker pull example.io/docker-dev/name:v01

Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I followed those instructions, ie, run the gcloud auth configure-docker command, which outputs a success message.

However, when running the docker pull command again, I get the exact same error.

A couple of extra tests that might help to provide feedback:

• If I pull from a different registry, it works (for example, docker run hello-world pulls and runs the hello-world image)
• I tested the same command ( docker pull example.io/docker-dev/name:v01 ) on my local computer (Mac) instead of the vm instance and works perfectly.
• I have also created vm instances and enable the option "Deploy a container image to this VM instance", providing the container address ( example.io/docker-dev/name:v01 ), and also works. However, I don't want to use this option because it selects automatically a "Container-Optimized" boot disk, which I prefer not to use due to the limitations

Question : Why I cannot pull docker images from my private container registry on a Ubuntu o Debian VM, even though docker seems to work very well pulling images from other repositories (docker hub)?

Answer 1

I did this yesterday. Just run gcloud auth configure-docker then run

VERSION=2.0.0
OS=linux  # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64  # or "386" for 32-bit OSs, "arm64" for ARM 64.

After that you can download the docker-credential-gcr

wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"

Then run

tar cvzf --to-stdout ./docker-credential-gcr_linux_amd64-2.0.0.tar.gz /usr/bin/docker-credential-gcloud && sudo chmod +x /usr/bin/docker-credential-gcloud

And finally run

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io

Now you will be able to pull you image :)

Answer 2

For me, on a container-os optimized instance, it helped to just run:

docker-credential-gcr configure-docker

https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config

Note thedefault policy for compute instances:

VM instances, including those in Google Kubernetes Engine clusters, must have the correct storage access scopes configured to push or pull images. By default, VMs can pull images when Container Registry is in the same project.

Answer 3

If you run gcloud auth configure-docker, the auth information is saved under your personal directory. When you then run sudo docker pull example.io/docker-dev/name:v01, it looks for auth info under root directory and doesn't find anything there.

You should run both with or without sudo.