5

I am trying to pull a docker container from our private GCP container registry on a regular VM instance (i.e. ubuntu-1904) running on Google Cloud, but I am getting the following error:

user@test ~ $ sudo docker pull example.io/docker-dev/name:v01

Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I followed those instructions, i.e., I ran the gcloud auth configure-docker command, which outputs a success message.

However, when running the docker pull command again, I get the exact same error.

A couple of extra tests that might help to provide feedback:

  • If I pull from a different registry, it works (for example, docker run hello-world pulls and runs the hello-world image).
  • I tested the same command (docker pull example.io/docker-dev/name:v01) on my local computer (Mac) instead of the VM instance and it works perfectly.
  • I have also created VM instances and enabled the option "Deploy a container image to this VM instance", providing the container address (example.io/docker-dev/name:v01), and that also works. However, I don't want to use this option because it automatically selects a "Container-Optimized" boot disk, which I prefer not to use due to the limitations.

Question: Why can't I pull docker images from my private container registry on an Ubuntu or Debian VM, even though docker seems to work very well pulling images from other repositories (docker hub)?

leopal
David JM

3 Answers

8

I did this yesterday. Just run gcloud auth configure-docker then run

VERSION=2.0.0
OS=linux  # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64  # or "386" for 32-bit OSs, "arm64" for ARM 64.

After that you can download the docker-credential-gcr

wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"

Then run

tar -xzf "./docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz" --to-stdout ./docker-credential-gcr | sudo tee /usr/bin/docker-credential-gcloud > /dev/null && sudo chmod +x /usr/bin/docker-credential-gcloud

And finally run

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io

Now you will be able to pull your image :)

Toni
  • This should be the accepted answer and is required when you aren't running container-os which already has it installed. NOTE: `tar` yells at you about how you're using the slash for the path for some reason. `tar: Removing leading '/' from member names tar: /usr/bin/docker-credential-gcloud: Cannot stat: No such file or directory tar: Exiting with failure status due to previous errors` – Kevin Danikowski Aug 26 '21 at 23:18
7

For me, on a container-os optimized instance, it helped to just run:

docker-credential-gcr configure-docker

https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config

Note the default policy for compute instances:

VM instances, including those in Google Kubernetes Engine clusters, must have the correct storage access scopes configured to push or pull images. By default, VMs can pull images when Container Registry is in the same project.

rantoniuk
  • Interesting, we selected the container option while creating the instance; thought they would have run this automatically. – Oliver Dixon Aug 12 '22 at 10:39
0

If you run gcloud auth configure-docker, the auth information is saved under your personal directory. When you then run sudo docker pull example.io/docker-dev/name:v01, it looks for auth info under root directory and doesn't find anything there.

You should run both with or without sudo.

Lukasz
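
The mismatch described in the last answer (configuration written for one user, docker run as another) and the missing helper binary from the first answer can both be checked directly. The script below is an added example, not part of any answer; its function names and status labels are made up here, and it assumes the registry appears as a string-valued key only under credHelpers in .docker/config.json.

```shell
#!/bin/sh
# Added example: shows, per home directory, whether Docker's config maps a
# registry to a credential helper and whether that helper is on PATH.
# Status strings (no-config, ok:..., etc.) are this script's own labels.

# helper_for CONFIG REGISTRY: print the credHelpers entry for REGISTRY, if any.
helper_for() {
    [ -r "$1" ] || return 1
    host=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    found=$(sed -n "s/.*\"$host\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# check_home HOME_DIR REGISTRY [SEARCH_PATH]: print one status word.
check_home() {
    cfg="$1/.docker/config.json"
    if [ ! -r "$cfg" ]; then
        echo "no-config"              # e.g. root never ran configure-docker
    elif helper=$(helper_for "$cfg" "$2"); then
        # docker runs the helper as docker-credential-<name>, found via PATH
        if (PATH=${3:-$PATH}; command -v "docker-credential-$helper" >/dev/null 2>&1); then
            echo "ok:$helper"
        else
            echo "helper-missing:$helper"
        fi
    else
        echo "no-helper-entry"
    fi
}

# Usage: sudo sh check.sh [REGISTRY] [HOME_DIR...]
reg=${1:-gcr.io}
if [ "$#" -gt 0 ]; then shift; fi
if [ "$#" -eq 0 ]; then set -- "${HOME:-/root}" /root; fi
for h in "$@"; do
    printf '%s\t%s\t%s\n' "$reg" "$h" "$(check_home "$h" "$reg")"
done
```

Run it with sudo so that root's config file is readable, passing the registry host and the home directories to compare; a "no-config" line for /root next to an "ok" line for your own home matches the situation in the last answer.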