docker login with root user on Container-VM Image

Question

This is question about Google Container VM Image(beta) https://cloud.google.com/compute/docs/containers/vm-image/

I logged in a instance made by Container VM image. And run:

sudo /usr/share/google/dockercfg_update.sh

That script above does docker login to private container registry.

It causes error:

/usr/share/google/dockercfg_update.sh: 27: cannot create /root/.dockercfg: Read-only file system

/root directory seems to be read-only in the container-vm. How can I docker login by root user?

Answer 1

Since /root is read-only, your credentials cannot be stored there. You can add a non-root user to 'docker' group and run /usr/share/google/dockercfg_update.sh and docker login as that user.

From https://cloud.google.com/compute/docs/containers/vm-image/#accessing_private_google_container_registry

$ sudo usermod -a -G docker ${USER}
$ exec sudo su ${USER}
$ /usr/share/google/dockercfg_update.sh
$ docker pull gcr.io/YOUR_PROJECT/YOUR_IMAGE

How can I 'docker login' by root user

If you must invoke docker login or /usr/share/google/dockercfg_update.sh as root user (not recommended), a hacky way is to prefix HOME=/home/chronos/ to your commands. Ex:

# as 'root' user
$ HOME=/home/chronos/ /usr/share/google/dockercfg_update.sh
$ HOME=/home/chronos/ docker pull gcr.io/YOUR_PROJECT/YOUR_IMAGE

Answer 2

/root is read-only, so you can't run docker commands because you are not able to store the docker config (or any other files) generated by any authentication methods.

The solution is to run the docker commands as another user in order to save docker config properly.

Below are the steps to follow:

1) authenticate to Container Registry on a system where Cloud SDK is not available:

With an existing user (MYUSER):

sudo -u MYUSER docker-credential-gcr configure-docker

With a new generated user (NEWUSER):

sudo useradd -m NEWUSER
sudo -u NEWUSER docker-credential-gcr configure-docker

The -u flag executes the command as the specified user.

docker-credential-gcr configure-docker stores your credentials in your user home directory (an alternative to docker login). This way, you can use Docker's command-line tool to interact directly with Container Registry.

2) Create the docker group (if not exists) and add your user (required with NEWUSER or MYUSER with no permission to run Docker's commands):

sudo groupadd docker
sudo usermod -aG docker NEWUSER

3) If needed, restart the docker daemon:

sudo systemctl restart docker

In the end, you can access the docker images placed in your private container registry as MYUSER or NEWUSER. If you would like to run dockers:

sudo -u MYUSER docker run ........

The commands reported here work fine also in a startup-script and without the requirement of passwords.