问题描述
我正在使用 shippable 将私有 docker 映像推送到 Google Container Registry,然后我想从本地笔记本电脑上或 Google Compute Engine 上的实例中提取该映像.
I'm using shippable to push private docker images to the Google Container Registry that I then want to pull from either locally on a laptop, or inside an instance on the Google Compute Engine.
我知道命令 gcloud preview docker pull gcr.io/projectID/image-name 有效,但我不能依赖 gcloud 安装在有人可能需要提取的每台机器上图片来自.
I know that the command gcloud preview docker pull gcr.io/projectID/image-name works, but I can't rely on gcloud being installed on every machine that someone may need to pull the image from.
如果我在我的机器上运行 docker-compose up -d 然后我得到以下错误:
If I run docker-compose up -d on my machine then I get the following error:
Pulling image gcr.io/projectID/image-name...
Pulling repository gcr.io/projectID/image-name
Traceback (most recent call last):
File "<string>", line 3, in <module>
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 31, in main
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 21, in sys_dispatch
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 27, in dispatch
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 24, in dispatch
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 59, in perform_command
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 464, in up
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.project", line 208, in up
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 214, in recreate_containers
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 199, in create_container
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 37, in stream_output
File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 50, in print_output_event
compose.progress_stream.StreamOutputError: Error: Status 403 trying to pull repository projectID/image-name: "Access denied."
有没有办法使用某种形式的 OAuth 或密钥来验证或访问图像?我想避免在需要拉取映像的每台机器上安装 gcloud,并且映像必须保持私有.
Is there any way to authenticate or access the image with some form of OAuth or keys? I want to avoid having to install gcloud on every machine that will ever need to pull the image, and the images have to remain private.
我已经尝试过 gcloud preview docker -a 但这不是我正在寻找的解决方案.
I have tried gcloud preview docker -a but that is not the solution I'm looking for.
在此先感谢您的帮助.
推荐答案
如果您想使用 vanilla docker 在不在 Google Compute Engine(即本地)中的机器上使用 Google Container Registry,您可以按照 Google 的说明进行操作.
If you want to work with the Google Container Registry on a machine not in the Google Compute Engine (i.e. local) using vanilla docker you can follow Google's instructions.
两种主要方法是使用访问令牌或 JSON 密钥文件.
The two main methods are using an access token or a JSON key file.
请注意,_token 和 _json_key 是您为用户名 (-u) 提供的实际值
Note that _token and _json_key are the actual values you provide for the username (-u)
访问令牌
$ docker login -e [email protected] -u _token -p "$(gcloud auth print-access-token)" https://gcr.io
JSON 密钥文件
$ docker login -e [email protected] -u _json_key -p "$(cat keyfile.json)" https://gcr.io
要创建密钥文件,您可以按照以下说明操作:
To create a key file you can follow these instructions:
- 打开凭据页面.
- 要设置新的服务帐户,请执行以下操作:
- 点击添加凭据 > 服务帐户.
- 选择是将服务帐号的公钥/私钥下载为标准 P12 文件还是可由 Google API 客户端库加载的 JSON 文件.
- 您的新公钥/私钥对已生成并下载到您的机器上;它是此密钥的唯一副本.您有责任安全地存储它.
这篇关于从没有 gcloud 的 Google Container Registry 中拉取私有 docker 镜像的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!