0

I'm running a Container-Optimized OS VM on GCE (with Docker 17.03.2) and would like to use docker-compose to manage the containers. docker-compose isn't installed on COS, but it can be run from a container using the image docker/compose, as described in this tutorial:

docker run \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$PWD:/rootfs/$PWD" \
    -w="/rootfs/$PWD" \
    docker/compose:1.14.0 up

The images I want to access are in a private Google Container Registry, which requires a docker login for pull access. How can I run the docker/compose image to access the private registry?

The COS VM is already authorized to access the registry, and I have a service account JSON file on the VM, but can that be passed to the compose image to login before running the up command?

Todd M
  • 322
  • 2
  • 8

4 Answers

0

Using the _json_key authentication from GCR's advanced authentication docs, does the following script work?

docker run \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$PWD:/rootfs/$PWD" \
    -w="/rootfs/$PWD" \
    docker/compose:1.14.0 \
    /bin/bash -c "docker login -u _json_key -p $(cat keyfile.json) https://gcr.io; docker-compose up"

jsand
  • 595
  • 4
  • 8
  • I'm not able to get that to work. I believe the entrypoint for the image is `docker-compose`, so passing a shell command to that won't work. I think I'll have to create a new image from docker/compose, override the entrypoint, run `docker login`, and then `docker-compose up`. – Todd M Jul 14 '17 at 23:05
  • Ah sorry, the command sent to bash would be: `/bin/bash -c "docker login -u _json_key -p $(cat keyfile.json) https://gcr.io; docker-compose up"` Does the command fail with the bash invocation? – jsand Jul 17 '17 at 23:55
0

You want to use this method to authenticate.

mattmoor
  • 1,677
  • 14
  • 9
  • I understand you can pass a JSON file to `docker login`, but how do you run that command from the container before `docker-compose up` is run? – Todd M Jul 14 '17 at 23:07
0

The best solution I found was to authenticate on the Docker host and then mount the docker config into the docker-compose container:

docker login -u _json_key -p "$(cat keyfile.json)" https://gcr.io
docker run \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /root/.docker:/root/.docker \
    -v "$PWD:$PWD" \
    -w="$PWD" \
    docker/compose:1.14.0 \
    up
Todd M
  • 322
  • 2
  • 8
  • This gives an error saying `docker: Error response from daemon: error while creating mount source path '/root/.docker': mkdir /root/.docker: read-only file system.` – Debdut Goswami Jun 01 '21 at 18:55
0

An alternative to directly using the service account JSON credentials, given the COS VM is already authorized to access the registry (e.g. the attached service account has GCS view access to the project hosting the image), is to run the /usr/share/google/dockercfg_update.sh script shipped with COS:

#!/bin/sh
# Copyright 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

set -eu

AUTH_DATA="$(curl -s -f -m 10 "http://metadata/computeMetadata/v1/instance/service-accounts/default/token" \
  -H "Metadata-Flavor: Google")"
R=$?
if [ ${R} -ne 0 ]; then
  echo "curl for auth token exited with status ${R}" >&2
  exit ${R}
fi

AUTH="$(echo "${AUTH_DATA}" \
| tr -d '{}' \
| sed 's/,/\n/g' \
| awk -F ':' '/access_token/ { print "_token:" $2 }' \
| tr -d '"\n' \
| base64 -w 0)"

if [ -z "${AUTH}" ]; then
  echo "Auth token not found in AUTH_DATA ${AUTH_DATA}" >&2
  exit 1
fi

D="${HOME}/.docker"
mkdir -p "${D}"
cat > "${D}/config.json" <<EOF
{
 "auths":{
  "https://container.cloud.google.com":{"auth": "${AUTH}"},
  "https://gcr.io":{"auth": "${AUTH}"},
  "https://b.gcr.io":{"auth": "${AUTH}"},
  "https://us.gcr.io":{"auth": "${AUTH}"},
  "https://eu.gcr.io":{"auth": "${AUTH}"},
  "https://asia.gcr.io":{"auth": "${AUTH}"},
  "https://beta.gcr.io":{"auth": "${AUTH}"}
 }
}
EOF

This has the benefits of being maintained by Google and of avoiding the need to manage service account credentials.

MrAlias
  • 1,316
  • 15
  • 26
  • This method is now deprecated in 2019. You should use `docker-credential-gcr configure-docker`. – jmcd May 17 '19 at 06:11
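As an added example that is not part of the thread or of COS, the script below combines the fourth answer's mechanism (metadata access token, encoded as `_token:<token>` into the `auth` field of a Docker config.json) with the third answer's approach of mounting that config into the docker/compose container, but writes the config into a writable directory rather than the read-only `/root/.docker` that the comment on the third answer reports. The functions `fetch_token_json`, `extract_access_token`, `gcr_auth_value`, `write_docker_config` and `run_compose`, the `CONFIG_DIR` default and the `--rm` flag are this example's own choices, not COS or Docker APIs; the metadata URL, the registry hosts and the mount points are taken from the thread. The token in the metadata response is short-lived (the response carries `expires_in`), so `run_compose` regenerates the config on every invocation, and the file is kept mode 600 because it holds a bearer token. For current deployments the credential helper named in the comment above is the supported route; this block only illustrates what the older script does.

```shell
#!/bin/sh
# Added example, not code from the thread or from COS. Builds a Docker
# config.json for GCR from a GCE metadata access token, in a writable
# directory, and mounts it into the docker/compose container.
set -eu

COMPOSE_IMAGE="docker/compose:1.14.0"            # image used in the thread
CONFIG_DIR="${CONFIG_DIR:-/tmp/compose-docker}"  # writable on COS, unlike /root/.docker (example choice)

# Fetch the default service account token from the GCE metadata server.
# Only meaningful on a GCE VM; the worked example below never calls it.
fetch_token_json() {
  curl -s -f -m 10 -H "Metadata-Flavor: Google" \
    "http://metadata/computeMetadata/v1/instance/service-accounts/default/token"
}

# Pull the access_token value out of the flat metadata JSON, e.g.
# {"access_token":"ya29...","expires_in":3599,"token_type":"Bearer"}.
# Splitting on commas and colons is safe here: tokens contain neither.
extract_access_token() {
  printf '%s' "$1" \
    | tr -d '{} "' \
    | tr ',' '\n' \
    | awk -F ':' '$1 == "access_token" { print $2 }'
}

# Docker's "auth" field is base64(username:password). GCR accepts the
# username _token with an OAuth access token as the password. The newline
# that base64 emits is stripped so the value is a single JSON string.
gcr_auth_value() {
  printf '_token:%s' "$1" | base64 | tr -d '\n'
}

# Write config.json (same layout as the COS script) into $1 using auth $2,
# readable only by the owner since it contains a live bearer token.
# Prints the path of the written file.
write_docker_config() {
  dir="$1"; auth="$2"
  mkdir -p "$dir"
  chmod 700 "$dir"
  cat > "$dir/config.json" <<EOF
{
 "auths": {
  "https://gcr.io": {"auth": "${auth}"},
  "https://us.gcr.io": {"auth": "${auth}"},
  "https://eu.gcr.io": {"auth": "${auth}"},
  "https://asia.gcr.io": {"auth": "${auth}"}
 }
}
EOF
  chmod 600 "$dir/config.json"
  printf '%s/config.json' "$dir"
}

# Refresh the config, then run compose with the config mounted at the path
# the third answer uses (/root/.docker), read-only, alongside the socket and
# project directory mounts from the question. Arguments are passed to
# docker-compose, e.g.: run_compose up -d
run_compose() {
  token="$(extract_access_token "$(fetch_token_json)")"
  if [ -z "$token" ]; then
    echo "no access_token in metadata response" >&2
    return 1
  fi
  write_docker_config "$CONFIG_DIR" "$(gcr_auth_value "$token")" >/dev/null
  docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v "$CONFIG_DIR:/root/.docker:ro" \
    -v "$PWD:/rootfs/$PWD" \
    -w "/rootfs/$PWD" \
    "$COMPOSE_IMAGE" "$@"
}
```

On the VM you would source the file and call `run_compose up`; the mounted Docker socket still gives the compose container full control of the host daemon, exactly as in the question's original command, so the config directory is the only thing this changes.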