I am trying to pull a docker container from our private GCP container registry on a regular VM instance (i.e. ubuntu-1904) running on Google Cloud, but I am getting the following error:
user@test ~ $ sudo docker pull example.io/docker-dev/name:v01
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I followed those instructions, i.e., run the gcloud auth configure-docker command, which outputs a success message.
However, when running the docker pull command again, I get the exact same error.
A couple of extra tests that might help to provide feedback:
docker run hello-world pulls and runs the hello-world image)
docker pull example.io/docker-dev/name:v01) on my local computer (Mac) instead of the vm instance and works perfectly.
example.io/docker-dev/name:v01), and also works. However, I don't want to use this option because it selects automatically a "Container-Optimized" boot disk, which I prefer not to use due to the limitations
Question: Why can't I pull docker images from my private container registry on an Ubuntu or Debian VM, even though docker seems to work very well pulling images from other repositories (docker hub)?
Google Cloud Platform has many tools for working with and running containerized apps using Docker, including managed Kubernetes and serverless container execution. We'll discuss how to get a container service running on GCP.
Using Google’s Private Container Registry with Docker
Google’s Container Registry provides a managed and private repository for storing your Docker images. With a simple gcloud command you can push and pull to your private google project repository.
Note: Container Registry does not support Docker chunked uploads. Some container image tools support uploading large container images with either chunked uploads or a single monolithic upload. You must use monolithic uploads when you push container images to Container Registry.
To push any local image to Container Registry using Docker or another third-party tool, you need to first tag it with the registry name and then push the image. The following factors might impact uploads for large images: Any request sent to Container Registry has a 2 hour timeout limit.
Pulling public images from Docker Hub
You can pull official Docker images, Docker-certified images, and custom images stored in Docker Hub in your build step by specifying the name of the image in the name field. Cloud Build will first pull the specified image from Docker Hub and then use the image to run the build step.
I did this yesterday. Just run gcloud auth configure-docker then run
VERSION=2.0.0
OS=linux # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64 # or "386" for 32-bit OSs, "arm64" for ARM 64.
After that you can download the docker-credential-gcr
wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"
Then run
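# Extract the helper binary from the downloaded archive (the pattern matches it with or without a leading ./) and install it as /usr/bin/docker-credential-gcloud
tar xzf ./docker-credential-gcr_linux_amd64-2.0.0.tar.gz --to-stdout --wildcards '*docker-credential-gcr' | sudo tee /usr/bin/docker-credential-gcloud > /dev/null && sudo chmod +x /usr/bin/docker-credential-gcloud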
And finally run
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
Now you will be able to pull your image :)
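A check for which credential source Docker would use for gcr.io from a given config.json, useful for comparing the login user's ~/.docker/config.json with the one seen by the account that actually runs docker. This is an added example, not part of the answer above; the diagnose function, its result strings and the config written in the demo are constructed for illustration.

```python
import json
import os
import shutil


def _host(key):
    """Normalize 'https://gcr.io/' and 'gcr.io' to the same lookup key."""
    return key.split("://")[-1].rstrip("/")


def diagnose(config_path, registry, search_path=None):
    """Report how Docker would authenticate to `registry` given one config.json."""
    if not os.path.isfile(config_path):
        return "missing-config"
    with open(config_path) as fh:
        config = json.load(fh)
    helpers = {_host(k): v for k, v in config.get("credHelpers", {}).items()}
    # A per-registry helper takes precedence over the global credsStore.
    helper = helpers.get(_host(registry)) or config.get("credsStore")
    if helper:
        binary = "docker-credential-" + helper
        # Docker executes the helper by name, so it has to be on PATH.
        if shutil.which(binary, path=search_path) is None:
            return "helper-not-on-path:" + binary
        return "helper-ok:" + binary
    # Without a helper, docker login stores a base64 token under "auths".
    auths = {_host(k): v for k, v in config.get("auths", {}).items()}
    if auths.get(_host(registry), {}).get("auth"):
        return "static-auth-ok"
    return "no-credentials"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "config.json")
        with open(cfg, "w") as fh:
            # Constructed sample: the credHelpers entry for gcr.io with helper "gcloud".
            json.dump({"credHelpers": {"gcr.io": "gcloud"}}, fh)
        # The helper binary is absent from the search path used here.
        print(diagnose(cfg, "gcr.io", search_path=tmp))
        # An account that never had a Docker config written for it.
        print(diagnose(os.path.join(tmp, "absent.json"), "gcr.io"))
```

Run it once per account against that account's config.json; a "helper-not-on-path" result corresponds to the case the answer addresses by installing the credential helper binary.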
For me, on a container-os optimized instance, it helped to just run:
docker-credential-gcr configure-docker
https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config
Note the default policy for compute instances:
VM instances, including those in Google Kubernetes Engine clusters, must have the correct storage access scopes configured to push or pull images. By default, VMs can pull images when Container Registry is in the same project.