Pull private docker images from Google Container R

Posted 2019-02-03 16:20

I'm using shippable to push private docker images to the Google Container Registry that I then want to pull from either locally on a laptop, or inside an instance on the Google Compute Engine.

I know that the command gcloud preview docker pull gcr.io/projectID/image-name works, but I can't rely on gcloud being installed on every machine that someone may need to pull the image from.

If I run docker-compose up -d on my machine then I get the following error:

Pulling image gcr.io/projectID/image-name...
Pulling repository gcr.io/projectID/image-name
Traceback (most recent call last):
  File "<string>", line 3, in <module>
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 31, in main
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 21, in sys_dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 27, in dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 24, in dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 59, in perform_command
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 464, in up
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.project", line 208, in up
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 214, in recreate_containers
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 199, in create_container
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 37, in stream_output
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 50, in print_output_event
compose.progress_stream.StreamOutputError: Error: Status 403 trying to pull repository projectID/image-name: "Access denied."

Is there any way to authenticate or access the image with some form of OAuth or keys? I want to avoid having to install gcloud on every machine that will ever need to pull the image, and the images have to remain private.

I have tried gcloud preview docker -a but that is not the solution I'm looking for.

Thank you in advance for any help.

1 answer
Luminary・发光体
#2 · 2019-02-03 16:53

If you want to work with the Google Container Registry on a machine not in the Google Compute Engine (i.e. local) using vanilla docker you can follow Google's instructions.

The two main methods are using an access token or a JSON key file.

Note that _token and _json_key are the actual values you provide for the username (-u).

Access Token

$ docker login -e 1234@5678.com -u _token -p "$(gcloud auth print-access-token)" https://gcr.io

JSON Key File

$ docker login -e 1234@5678.com -u _json_key -p "$(cat keyfile.json)" https://gcr.io

To create a key file you can follow these instructions:

  1. Open the Credentials page.
  2. To set up a new service account, do the following:
    • Click Add credentials > Service account.
    • Choose whether to download the service account's public/private key as a standard P12 file, or as a JSON file that can be loaded by a Google API client library.
    • Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely.

You can view Google's documentation on generating a key file here.
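
A hardened variant of the JSON key file login above, as an added example that is not part of the original answer: it refuses a key file that group or other users can access, and passes the key on stdin with `--password-stdin` rather than `-p`, so the key does not land in the process list or shell history. The function names are hypothetical, and it assumes a Docker client recent enough to support `--password-stdin`.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# check_keyfile FILE: return 0 only if FILE looks like a service-account JSON
# key and is accessible to its owner alone.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f is accessible to group/other; run: chmod 600 $f" >&2
        return 2
    fi
    # A key downloaded as JSON carries "type": "service_account".
    grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" || {
        echo "$f is not a service-account JSON key" >&2
        return 3
    }
    return 0
}

# gcr_login FILE: log in with the _json_key username, feeding the key on
# stdin instead of expanding it into the docker command line.
gcr_login() {
    check_keyfile "$1" || return
    docker login -u _json_key --password-stdin https://gcr.io < "$1"
}

# Runs only when a key file is given, e.g. ./gcr-login.sh keyfile.json
if [ "$#" -ge 1 ]; then
    gcr_login "$1"
fi
```

Unless a credential helper is configured, the Docker client keeps the resulting login in its own config file, so that file needs the same owner-only protection as the key.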
