How to list the published container images in the Google Container Registry using gcloud or another CLI

Question

Is there a gcloud API or other command line interface (CLI) to access the list of published container images in the private Google Container Registry? (That is the container registry inside a Google Cloud Platform project)

gcloud container does not seem to help:

$ gcloud container
Usage: gcloud container [optional flags] <group | command>
  group may be           clusters | operations
  command may be         get-server-config

Deploy and manage clusters of machines for running containers.

flags:
  --zone ZONE, -z ZONE   The compute zone (e.g. us-central1-a) for the cluster

global flags:
  Run `gcloud -h` for a description of flags available to all commands.

command groups:
  clusters               Deploy and teardown Google Container Engine clusters.
  operations             Get and list operations for Google Container Engine
                         clusters.

commands:
  get-server-config      Get Container Engine server config.

I also don't want to use gcloud docker to list images because this wants to connect to a particular docker daemon that I don't have. Unless there is a way to tell gcloud docker to connect to a remote public docker daemon that can read the private containers pushed to the registry through my project.

Answer 1

We just released a new command to list the images in your repository! You can try it out with:

gcloud alpha container images list --repository=gcr.io/$MYREPOSITORY

If you want to see the specific tags for an image you can use:

gcloud alpha container images list-tags gcr.io/$MYREPOSITORY/$MYIMAGE

Answer 2

The answer given by Robert Bailey is good for certain tasks, but might be missing what you specifically want to do. Nonetheless, your comments in reply to his answer are not so much faults of his answer as of your own understanding of what the commands which "fail" actually mean to do.

As far as your second comment,

Using docker I get the following error (for the reasons mentioned above; I also edited the question): Cannot connect to the Docker daemon. Is the docker daemon running on this host?

This is a result of the docker daemon not running. Check if it's running via ps aux | grep docker. You can refer to the Docker documentation to determine how to properly install and run it.

As far as your first comment,

Using curl I get: {"errors":[{"code":"DENIED","message":"Failed to read tags for repository '<my_project>/<my_image>'"}]}. I have to authenticate somehow to access the images in a private registry. I don't want to use docker because that means I have to have a docker daemon available. I only want to see if a container image with a particular version is in the Container Registry. So what I need is an API to the Container Registry in the Google Developer Console.

You wouldn't be able to curl the image unless it was public, as mentioned in Robert's latest comment, or unless you somehow provided some great oauth headers during the curl's invocation.

You should use gcloud docker to attempt to list the images in the registry, as you would for other docker registries. The gcloud container command group is the wrong one for your desired task. You can see below an output from gcloud version 96.0.0 (latest as of this comment) for the docker command group:

$ gcloud docker
Usage: docker [OPTIONS] COMMAND [arg...]
       docker daemon [ --help | ... ]
       docker [ --help | -v | --version ]

A self-sufficient runtime for containers.

Options:

  --config=~/.docker                 Location of client config files
  -D, --debug=false                  Enable debug mode
  --disable-legacy-registry=false    Do not contact legacy registries
  -H, --host=[]                      Daemon socket(s) to connect to
  -h, --help=false                   Print usage
  -l, --log-level=info               Set the logging level
  --tls=false                        Use TLS; implied by --tlsverify
  --tlscacert=~/.docker/ca.pem       Trust certs signed only by this CA
  --tlscert=~/.docker/cert.pem       Path to TLS certificate file
  --tlskey=~/.docker/key.pem         Path to TLS key file
  --tlsverify=false                  Use TLS and verify the remote
  -v, --version=false                Print version information and quit

Commands:
    attach    Attach to a running container
    build     Build an image from a Dockerfile
    commit    Create a new image from a container's changes
    cp        Copy files/folders between a container and the local filesystem
    create    Create a new container
    diff      Inspect changes on a container's filesystem
    events    Get real time events from the server
    exec      Run a command in a running container
    export    Export a container's filesystem as a tar archive
    history   Show the history of an image
    images    List images
    import    Import the contents from a tarball to create a filesystem image
    info      Display system-wide information
    inspect   Return low-level information on a container or image
    kill      Kill a running container
    load      Load an image from a tar archive or STDIN
    login     Register or log in to a Docker registry
    logout    Log out from a Docker registry
    logs      Fetch the logs of a container
    network   Manage Docker networks
    pause     Pause all processes within a container
    port      List port mappings or a specific mapping for the CONTAINER
    ps        List containers
    pull      Pull an image or a repository from a registry
    push      Push an image or a repository to a registry
    rename    Rename a container
    restart   Restart a container
    rm        Remove one or more containers
    rmi       Remove one or more images
    run       Run a command in a new container
    save      Save an image(s) to a tar archive
    search    Search the Docker Hub for images
    start     Start one or more stopped containers
    stats     Display a live stream of container(s) resource usage statistics
    stop      Stop a running container
    tag       Tag an image into a repository
    top       Display the running processes of a container
    unpause   Unpause all processes within a container
    version   Show the Docker version information
    volume    Manage Docker volumes
    wait      Block until a container stops, then print its exit code

Run 'docker COMMAND --help' for more information on a command.

You should use gcloud docker search gcr.io/project-id to check which images are in the repository. gcloud has your credentials, so it can talk to the private registry as long as you're authenticated as an appropriate user on the project.

---

Finally, as an added resource: The Cloud Platform docs have a whole article about working with Google Container Registry.

Answer 3

If you know the project that is hosting the images (e.g. google-containers) you can list images with

gcloud docker search gcr.io/google_containers

For an individual image (e.g. the pause image in the google-containers project), you can check the versions with

curl https://gcr.io/v2/google-containers/pause/tags/list

Answer 4

I've just found a far simpler way to check for specific images. Once you have authenticated gcloud, use it to generate access tokens for reading from your private registry:

curl -u "oauth2accesstoken:$(gcloud auth print-access-token)" https://gcr.io/v2/<projectName>/<imageName>/tags/list

Answer 5

My best solution so far without having a local docker available and without being able to connect to a remote docker (this would still require at least the local docker client but not the local daemon running), is to SSH into a Container Cluster instance that runs docker and have my search done there and getting the result in my original script:

gcloud compute ssh <container_cluster_instance> -C "sudo gcloud docker search ..."

Of course, to avoid all verbose output (like SSH/Terminal welcome messages) I use some arguments to silent the execution a bit:

gcloud compute ssh --ssh-flag="-q" "$INSTANCE_NAME" -o LogLevel=quiet -C "sudo gcloud docker search ..."