Access google container registry without the gcloud client


Question

I have a CoreOS docker host that I want to start running containers on, but when trying to use the docker command to fetch the image from the google container private registry (https://cloud.google.com/tools/container-registry/), I get a 403. I did some searching, but I'm not sure how to attach authentication (or where to generate the user+pass bundle to use with the docker login command).

Has anybody had any luck pulling from the google private containers? I can't install the gcloud command because coreos doesn't come with python, which is a requirement.

docker run -p 80:80 gcr.io/prj_name/image_name
Unable to find image 'gcr.io/prj_name/image_name:latest' locally
Pulling repository gcr.io/prj_name/image_name
FATA[0000] HTTP code: 403

Update: after getting answers from @mattmoor and @Jesse:

The machine that I'm pulling from does have devaccess

curl -H 'Metadata-Flavor: Google' http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/scopes
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/datastore
----> https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.admin
https://www.googleapis.com/auth/sqlservice.admin
https://www.googleapis.com/auth/taskqueue
https://www.googleapis.com/auth/userinfo.email

Additionally, I tried using the _token login method

jenkins@riskjenkins:/home/andre$ ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' 'http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/token' | cut -d'"' -f 4)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   142  100   142    0     0  14686      0 --:--:-- --:--:-- --:--:-- 15777
jenkins@riskjenkins:/home/andre$ echo $ACCESS_TOKEN
**************(redacted, but looks valid)
jenkins@riskjenkins:/home/andre$ docker login -e not@val.id -u _token -p $ACCESS_TOKEN http://gcr.io
Login Succeeded
jenkins@riskjenkins:/home/andre$ docker run gcr.io/prj_name/image_name
Unable to find image 'gcr.io/prj_name/image_name:latest' locally
Pulling repository gcr.io/prj_name/image_name
FATA[0000] HTTP code: 403

Accepted answer

The Google Container Registry authentication scheme is to simply use:

username: '_token'
password: {oauth access token}

On Google Compute Engine you can login without gcloud with:

$ METADATA=http://metadata.google.internal./computeMetadata/v1
$ SVC_ACCT=$METADATA/instance/service-accounts/default
$ ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' $SVC_ACCT/token \
    | cut -d'"' -f 4)
$ docker login -e not@val.id -u '_token' -p $ACCESS_TOKEN https://gcr.io

Update on {asia,eu,us,b}.gcr.io

To access a repository hosted in a localized repository, you should login to the appropriate hostname in the above docker login command.

Update regarding quoting of _token

As of docker version 1.8, docker login requires the -u option to be in quotes or start with a letter.

Some diagnostic tips...

Check that you have the Cloud Storage scope via:

$ curl -H 'Metadata-Flavor: Google' $SVC_ACCT/scopes
...
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.read_only
...

NOTE: "docker pull" requires "read_only", but "docker push" requires "read_write".

To give this robot access to a bucket in another project, there are a few steps.

First, find out the VM service account (aka robot)'s identity via:

$ curl -H 'Metadata-Flavor: Google' $SVC_ACCT/email
1234567890@developer.gserviceaccount.com

Next, there are three important ACLs to update:

1) Bucket ACL (needed to list objects, etc)

PROJECT_ID=correct-answer-42
ROBOT=1234567890@developer.gserviceaccount.com
gsutil acl ch -u $ROBOT:R gs://artifacts.$PROJECT_ID.appspot.com

2) Bucket Default ACL (template for future #3)

gsutil defacl ch -u $ROBOT:R gs://artifacts.$PROJECT_ID.appspot.com

3) Object ACLs (only needed when the bucket is non-empty)

gsutil -m acl ch -R -u $ROBOT:R gs://artifacts.$PROJECT_ID.appspot.com

Part of why this isn't in our official documentation yet is that we want a better high-level story for it, but tl;dr we respect GCS ACLs.
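An added example, not part of the answer above and not Google's own tooling: one POSIX sh script (no Python, so it runs on CoreOS) that first checks the VM service account's scopes against the pull/push rule from the answer and only then does the `_token` login. The helper names `extract_token`, `has_scope_for` and `gcr_login`, and the sample metadata replies, are my own constructions.

```shell
#!/bin/sh
# Added example: scope check plus _token login against a GCR hostname,
# using only the GCE metadata server, curl, sed and grep.
METADATA=http://metadata.google.internal./computeMetadata/v1
SVC_ACCT=$METADATA/instance/service-accounts/default

# Constructed sample replies in the metadata server's format, so the
# helpers can be exercised offline (not real values).
SAMPLE_TOKEN_JSON='{"access_token":"ya29.CONSTRUCTED","expires_in":3599,"token_type":"Bearer"}'
SAMPLE_SCOPES='https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/userinfo.email'

# Pull the access_token field out of the JSON reply (no jq on CoreOS).
extract_token() {
    printf '%s' "$1" | tr -d '\n' \
        | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Return 0 if the scope list in $1 is sufficient for operation $2.
# Per the answer: pull needs read_only or better, push needs read_write
# or full_control.
has_scope_for() {
    case $2 in
        pull) pattern='devstorage\.(read_only|read_write|full_control)$' ;;
        push) pattern='devstorage\.(read_write|full_control)$' ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$1" | grep -Eq "$pattern"
}

# Log in to one registry host (gcr.io, us.gcr.io, eu.gcr.io, ...) for
# the given operation. Fails early, with a clear message, when the
# service account's scopes cannot satisfy it (the asker's 403 case).
gcr_login() {
    host=${1:-gcr.io}
    op=${2:-pull}
    scopes=$(curl -sf -H 'Metadata-Flavor: Google' "$SVC_ACCT/scopes") || return 1
    if ! has_scope_for "$scopes" "$op"; then
        echo "service account lacks a devstorage scope sufficient for $op" >&2
        return 1
    fi
    token=$(extract_token "$(curl -sf -H 'Metadata-Flavor: Google' "$SVC_ACCT/token")")
    [ -n "$token" ] || return 1
    # -u is quoted as required since docker 1.8; the token expires in
    # about an hour, so re-run this before each pull rather than storing it.
    # (-e was dropped from docker login in later client versions.)
    docker login -e not@val.id -u '_token' -p "$token" "https://$host"
}
```

Run `gcr_login us.gcr.io pull` on the VM; nothing talks to the network until that call.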
