8

Can't get what I'm doing wrong...

I performed the following steps on a fresh Compute Engine instance based on Container-Optimized OS:

  • docker-credential-gcr configure-docker
  • sudo docker run --detach --name=echo --net=esp_net gcr.io/around-dev/firebase-service-image:latest

And got the following:

Unable to find image 'gcr.io/around-dev/firebase-service-image:latest' locally
Pulling repository gcr.io/around-dev/firebase-service-image
docker: unauthorized: authentication required.
See 'docker run --help'.

Then I actually tried to log in with docker-credential-gcr gcr-login and run, but still got the same error. After all that, my .docker/.config.json looks like:

{
        "auths": {},
        "credHelpers": {
                "asia.gcr.io": "gcr",
                "eu.gcr.io": "gcr",
                "gcr.io": "gcr",
                "staging-k8s.gcr.io": "gcr",
                "us.gcr.io": "gcr"
        }
}

Obviously no credentials stored. Can someone explain to me what I'm doing wrong? Thanks in advance.

Igor Ekishev
  • 83
  • 1
  • 3

5 Answers

15

Why you're seeing this

You're seeing this error because you ran docker-credential-gcr configure-docker without sudo and then sudo docker run .... When running sudo docker, it looks for the configuration file in /root/.docker/ and doesn't find anything, thus throwing the authentication required error.

Why running sudo docker-credential-gcr configure-docker won't fix it

When you're running COS, you don't have write access to all directories. Only a few directories are writable and /root isn't one of them. Because of that, running docker-credential-gcr as root fails since it can't write the docker config file inside the $HOME directory (that happens to be /root).

More details on writable directories: https://cloud.google.com/container-optimized-os/docs/concepts/security#filesystem

Fixing it

1 - Override $HOME

sudo HOME=/home/root /usr/bin/docker-credential-gcr configure-docker

sudo HOME=/home/root docker run --detach --name=echo --net=esp_net gcr.io/around-dev/firebase-service-image:latest

2 - Manually specify a config file location

You can also include the path to the docker config directory with each command. For example, if you know docker is configured with credentials in the /home/root/.docker directory, you could run the following command:

sudo docker --config /home/root/.docker pull gcr.io/my-project/alpine:3.2
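
A small diagnostic for the situation this answer describes, added here as an example and not part of the original answer: it works out which config directory the docker client will read (a --config argument, then $DOCKER_CONFIG, then $HOME/.docker) and whether that config.json maps the image's registry to the gcr credential helper. The function names are hypothetical, and the text match on config.json is a simplification that avoids needing a JSON parser.

```shell
#!/bin/sh
# Added example (hypothetical helper names): which Docker client config will a
# given invocation read, and does it name a credential helper for the registry?

# Registry host of an image reference; references without one go to docker.io.
registry_of() {
    first=${1%%/*}
    case $1 in
        */*) case $first in
                 *.*|*:*|localhost) printf '%s\n' "$first"; return 0 ;;
             esac ;;
    esac
    printf 'docker.io\n'
}

# Precedence used by the docker CLI: --config (passed here as $1, may be
# empty), then $DOCKER_CONFIG, then $HOME/.docker.
docker_config_dir() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$DOCKER_CONFIG" ]; then printf '%s\n' "$DOCKER_CONFIG"
    else printf '%s\n' "$HOME/.docker"
    fi
}

# check_pull_auth IMAGE [CONFIG_DIR]
# Returns 0 = helper configured, 1 = no config.json, 2 = no helper for registry.
check_pull_auth() {
    dir=$(docker_config_dir "$2")
    cfg="$dir/config.json"
    reg=$(registry_of "$1")
    if [ ! -f "$cfg" ]; then
        echo "HOME=$HOME: no $cfg, so the pull is sent without credentials"
        [ -w "$dir" ] || [ -w "$(dirname "$dir")" ] ||
            echo "  $dir is not writable; configure-docker cannot create it here"
        return 1
    fi
    # Crude text match for  "<registry>": "gcr"  with dots in the host escaped.
    esc=$(printf '%s' "$reg" | sed 's/\./\\./g')
    if grep -q "\"$esc\"[[:space:]]*:[[:space:]]*\"gcr\"" "$cfg"; then
        echo "$cfg maps $reg to docker-credential-gcr"
        return 0
    fi
    echo "$cfg has no gcr credential helper entry for $reg"
    return 2
}

# When run as a script: sh check.sh IMAGE [CONFIG_DIR]
if [ $# -gt 0 ]; then check_pull_auth "$@"; fi
```

Saved under a name of your choice (check.sh here is a placeholder) and run once as your own user and once under sudo with the same image name, it shows the two different config locations the answer describes.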

1

If you have a private VPC and an instance without an external IP, you can get a timeout error. A way to fix this is to enable private_ip_google_access on a subnet level. This lets you access Google resources, with a few exceptions, without needing an external IP address on your instance.

akaltar
  • 1,002
  • 1
  • 19
  • 25
0

I encountered the same problem when I wanted to push an image to GCR. I also ran docker with sudo. I solved my problem by adding my user to the docker usergroup, as found on the docker postinstall guide:

sudo groupadd docker
sudo usermod -aG docker $USER

Then log out and log in again.

Casper Gerritsen
  • 314
  • 3
  • 13
  • Make sure you log out and back in again rather than restarting the instance. In my case this was resetting the docker group – sam Jun 04 '20 at 20:08
0

Another option is to use the gcloud image in docker, which is itself a docker base image.

Assuming that you have a service account key file in $PWD/gcr-auth.json, you just need to pass down docker.sock and your service JSON key as volumes:

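# Mount the working directory (holding gcr-auth.json) and the host's Docker
# socket. The socket mount lets this container drive the host's Docker daemon.
docker run \
-v "$PWD:$PWD" \
-v /var/run/docker.sock:/var/run/docker.sock \
google/cloud-sdk \
sh -c \
 'gcloud auth activate-service-account --key-file=/somepath/gcr-auth.json && gcloud docker -- pull gcr.io/some-project/myimage:latest'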

After the pull is done, the image is available on the host.

MichaelC
  • 51
  • 4
-1

I'm on COS and also had similar problems. The documentation for COS makes it seem like it should be as simple as running 2 commands.

$ docker-credential-gcr configure-docker
$ docker run --rm gcr.io/<your-project>/<your-image>

The file gets created in ~/.docker/config.json. But I couldn't pull the private image to run it. I can successfully pull public images.

After bashing my head against the wall for most of the day I tried the login command docker-credential-gcr gcr-login. I have 2-factor auth set up on my account, and when I ran that command it gave me a URL that I had to visit to enter an auth token. After I followed those instructions I can now successfully pull images from the private registry.

I'm unsure if this is the correct workflow as it is not covered in the documentation.

Alex
  • 34,776
  • 10
  • 53
  • 68