[英]GCP: Unable to pull docker images from our GCP private container registry on ubuntu/debian VM instances
I am trying to pull a docker container from our private GCP container registry on a regular VM instance (ie ubuntu-1904
) running on Google Cloud, but I am getting the following error:我正在尝试从 Google Cloud 上运行的常规 VM 实例(即
ubuntu-1904
)上的私有 GCP 容器注册表中提取 docker 容器,但出现以下错误:
user@test ~ $ sudo docker pull example.io/docker-dev/name:v01
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I followed those instructions, ie, run the gcloud auth configure-docker
command, which outputs a success message.我按照这些说明进行操作,即运行
gcloud auth configure-docker
命令,该命令会输出一条成功消息。
However, when running the docker pull
command again, I get the exact same error.但是,再次运行
docker pull
命令时,我得到完全相同的错误。
A couple of extra tests that might help to provide feedback:一些可能有助于提供反馈的额外测试:
docker run hello-world
pulls and runs the hello-world
image)docker run hello-world
拉取并运行hello-world
映像)docker pull example.io/docker-dev/name:v01
) on my local computer (Mac) instead of the vm instance and works perfectly.docker pull example.io/docker-dev/name:v01
)并且运行良好。example.io/docker-dev/name:v01
), and also works.example.io/docker-dev/name:v01
),并且也有效。 However, I don't want to use this option because it selects automatically a "Container-Optimized" boot disk, which I prefer not to use due to the limitationsQuestion : Why I cannot pull docker images from my private container registry on a Ubuntu o Debian VM, even though docker seems to work very well pulling images from other repositories (docker hub)?问题:为什么我无法从 Ubuntu o Debian VM 上的私有容器注册表中提取 docker 映像,即使 docker 似乎可以很好地从其他存储库(docker hub)提取映像?
I did this yesterday.我昨天做了这个。 Just run
gcloud auth configure-docker
then run只需运行
gcloud auth configure-docker
然后运行
VERSION=2.0.0
OS=linux # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64 # or "386" for 32-bit OSs, "arm64" for ARM 64.
After that you can download the docker-credential-gcr之后,您可以下载 docker-credential-gcr
wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"
Then run然后运行
tar cvzf --to-stdout ./docker-credential-gcr_linux_amd64-2.0.0.tar.gz /usr/bin/docker-credential-gcloud && sudo chmod +x /usr/bin/docker-credential-gcloud
And finally run最后运行
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
Now you will be able to pull you image :)现在你将能够拉你的形象:)
For me, on a container-os optimized instance, it helped to just run:对我来说,在容器操作系统优化的实例上,它有助于运行:
docker-credential-gcr configure-docker
https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config
Note thedefault policy for compute instances:请注意计算实例的默认策略:
VM instances, including those in Google Kubernetes Engine clusters, must have the correct storage access scopes configured to push or pull images.
虚拟机实例(包括 Google Kubernetes Engine 集群中的实例)必须具有配置为推送或拉取映像的正确存储访问范围。 By default, VMs can pull images when Container Registry is in the same project.
默认情况下,当 Container Registry 在同一个项目中时,VM 可以拉取镜像。
If you run gcloud auth configure-docker, the auth information is saved under your personal directory.如果您运行 gcloud auth configure-docker,认证信息将保存在您的个人目录下。 When you then run sudo docker pull example.io/docker-dev/name:v01, it looks for auth info under root directory and doesn't find anything there.
然后,当您运行 sudo docker pull example.io/docker-dev/name:v01 时,它会在根目录下查找身份验证信息,但在那里找不到任何内容。
You should run both with or without sudo.您应该在有或没有 sudo 的情况下运行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.