Creating a docker ready compute engine capable of pulling from container-registry
Question
We set up GCE instances using terraform and then use ansible-playbooks in order to provision them and get our services onto the machines.
I'm running a project in our organisation which needs to pull a docker image from a different project. The images are hosted in a container registry in that other project.
My ideal sequence of events would be:
- Create a GCE in my project using terraform with properly configured service-accounts.
- Use ansible to install docker on the GCE.
- Use the ansible module docker_container to pull the necessary image I want from the container registry.
This seemingly simple workflow is not trivial. At first, I discovered that just running docker_container fails since docker needs to be authenticated first. Given that I don't want to log in to the machine and set it up with the credential helper etc., the only way I have is to try and run the command
docker login -u _json_key -p "$(cat <jsonkeyfile>)" https://gcr.io
I can get this to run directly on the command line if I log in to the machine in question, but trying to get it to run using the ansible docker_login module is giving me nightmares (separate question), so I want to avoid it altogether.
The GCE instance is created with a dedicated service account pre-configured during creation (with terraform). All the roles have been granted to the account, as I can log in and pull images if I use the service account key from the command line.
What I really expect is that in step 1 above, if I use a google service account with all the proper credentials, the GCE instance should already be set up to talk to the container registry. Is there a way to make this work purely as part of the startup configuration? I looked into https://cloud.google.com/container-optimized-os/docs/ but I don't want to go with chromeOS yet; besides, I don't even know if that will be set up out of the box, although it feels so from reading the documentation.
Is there a way to pre-setup a docker ready GCE instance? If not, has anyone tried out an ansible based workflow using docker login and got it to work?
Answer
You should take advantage of GCE native docker capability (with container optimized OS!) instead of manually installing Docker and configuring it. This allows the image to be pulled and started as part of the booting process. For authentication you should be able to authorize your Compute Engine default service account to access the image in GCR even from another project. Alternatively, create and use a dedicated service account; see this doc on how to activate it in an instance. Also see here about giving IAM roles to service accounts.
To create a Compute Engine instance with a Docker image you can use this gcloud command (not sure if Ansible has an equivalent):
gcloud beta compute instances create-with-container
NB: Consider posting this type of question in ServerFault instead, as it will be targeted to a network and system administrators audience. StackOverflow is more suited for the developer community.
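As an added example (not part of the original question or answer), the following POSIX shell script shows how a VM created with a dedicated service account can log Docker in to gcr.io using the short-lived token that the instance metadata server issues for that account, so no JSON key file is ever copied onto the machine or passed on a command line; it also assembles the create-with-container command the answer mentions, with a dedicated service account attached. The service-account e-mail, image name, zone, OAuth scope and IAM role that appear in the comments are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions (not stated on the page):
#   - the VM was created with a service account whose scopes include
#     https://www.googleapis.com/auth/devstorage.read_only (or cloud-platform),
#   - that service account has roles/storage.objectViewer in the project that
#     hosts the registry (GCR images are stored in a Cloud Storage bucket there),
#   - docker and curl are installed on the VM.

METADATA_TOKEN_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

# Pull the access_token value out of the metadata server's JSON reply.
# Uses only sed so it works on a minimal image without jq.
extract_access_token() {
    printf '%s\n' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Ask the metadata server for an OAuth2 token for the instance's service
# account. The Metadata-Flavor header is mandatory; the server refuses
# requests without it, which blocks naive SSRF-style token theft.
fetch_instance_token() {
    raw=$(curl -sS -H 'Metadata-Flavor: Google' "$METADATA_TOKEN_URL") || return 1
    token=$(extract_access_token "$raw")
    [ -n "$token" ] || { echo "no access_token in metadata reply" >&2; return 1; }
    printf '%s' "$token"
}

# Log in to a GCR host with that token. The username "oauth2accesstoken" is
# the documented GCR convention; --password-stdin keeps the token out of
# `ps` output and shell history, unlike `docker login -p <token>`.
gcr_login_with_instance_sa() {
    registry="${1:-https://gcr.io}"
    fetch_instance_token | docker login -u oauth2accesstoken --password-stdin "$registry"
}

# Assemble the gcloud command that creates a Container-Optimized OS VM which
# pulls and starts the image at boot, attached to a dedicated service account
# rather than the project default. The command is returned as a string so it
# can be reviewed first; run it with: eval "$(build_create_cmd ...)"
build_create_cmd() {
    name="$1"; zone="$2"; image="$3"; sa_email="$4"
    printf 'gcloud beta compute instances create-with-container %s --zone %s --container-image %s --service-account %s --scopes https://www.googleapis.com/auth/devstorage.read_only' \
        "$name" "$zone" "$image" "$sa_email"
}

# Usage on a GCE VM (image name and registry are placeholders):
#   gcr_login_with_instance_sa https://gcr.io
#   docker pull gcr.io/other-project/my-service:1.0
```

The metadata token expires after roughly an hour, so the login step belongs in a startup script or a timer that re-runs it, not in a one-off provisioning step that stores credentials on disk. Granting the VM's service account read-only access to the registry project's storage bucket is what lets a VM in one project pull images hosted in another.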