创建一个能够从容器注册表中提取的 docker 就绪计算引擎 [英] Creating a docker ready compute engine capable of pulling from container-registry

问题描述

我们使用 terraform 设置 GCE 实例，然后使用 ansible-playbooks 来配置它们并将我们的服务放到机器上.

我在我们的组织中运行一个项目，需要从不同的项目中提取 docker 映像.图像托管在该其他项目的容器注册表中.

我理想的事件顺序是:

1. 使用 terraform 和正确配置的服务帐户在我的项目中创建 GCE.
2. 使用 ansible 在 GCE 上安装 docker.
3. 使用 ansible 模块 docker_container 从容器注册表中提取我想要的必要镜像.

这个看似简单的工作流程并不简单.起初，我发现只是运行 docker_container 会失败，因为 docker 需要先进行身份验证.鉴于我不想登录机器并使用凭证助手等进行设置，我唯一的方法是尝试运行命令docker login -u _json_key -phttp://gcr.io

如果我登录到有问题的机器，我可以让它直接在命令行上运行，但尝试使用 ansible docker-login 让它运行让我做噩梦 单独的问题 所以我想完全避免它.GCE 实例是使用创建期间预先配置的专用服务帐户创建的(使用 terraform).所有角色都已授予该帐户，因为如果我从命令行使用服务帐户密钥，我可以登录并提取图像.

我真正期望的是，在上面的第 1 步中，如果我使用具有所有正确凭据的 google 服务帐户，GCE 实例应该已经设置为与容器注册表通信.有没有办法使这项工作纯粹作为启动配置的一部分?我查看了 https://cloud.google.com/container-optimized-os/docs/ 但我还不想使用 chromeOS，此外我不知道即使它会开箱即用，尽管阅读文档感觉如此.

有没有办法预先设置一个 docker 就绪的 GCE 实例?如果没有，有没有人使用 docker login 尝试过基于 ansible 的工作流程并使其正常工作?

解决方案

您应该利用 GCE 原生 docker 功能(使用容器优化的操作系统！)，而不是手动安装 Docker 并对其进行配置.这允许在引导过程中拉取和启动映像.对于身份验证，您应该能够授权您的 Compute Engine 默认服务帐户 甚至从另一个项目访问 GCR 中的图像.或者创建并使用专用服务帐户，请参阅此文档 关于如何在实例中激活它.另请参阅此处，了解为服务帐户提供 IAM 角色.

要使用 Docker 映像创建 Compute Engine 实例，您可以使用此Gcloud 命令(不确定 Ansible 是否有等价物)

gcloud beta 计算实例 create-with-container

注意:考虑在 ServerFault 中发布此类问题，因为它将针对网络和系统管理员受众.StackOverflow 更适合开发者社区.

We set up GCE instances using terraform and then use ansible-playbooks in order to provision them and get our services onto the machines.

I'm running a project in our organisation which needs to pull a docker image from a different project. The images are hosted in a container registry in that other project.

My ideal sequence of events would be:

1. Create a GCE in my project using terraform with properly configured service-accounts.
2. Use ansible to install docker on the GCE.
3. Use ansible module docker_container to pull the necessary image I want from the container registry.

This seemingly simple workflow is not trivial. At first, I discovered that just running docker_container fails since docker needs to be authenticated first. Given that I don't want to login to the machine and set it up with the credential helper etc., the only way I have is to try and run the command docker login -u _json_key -p<jsonkeyfile> http://gcr.io

I can get this to run directly on the command line if i login to the machine in question but trying to get it to run using ansible docker-login is giving me nightmares separate question so I want to avoid it altogether. The GCE instance is created with a dedicated service account pre-configured during creation (with terraform). All the roles have been granted to the account as I can login and pull images if i use the service account key from the command line.

What I really expect is that in step 1 above, if I use a google service account with all the proper credentials, the GCE instance should already be set up to talk to the container registry. Is there a way to make this work purely as part of the startup configuration? I looked into https://cloud.google.com/container-optimized-os/docs/ but I don't want to go with chromeOS yet, besides I don't know even if that will be set up out of the box although it feels so from reading the documentation.

Is there a way to pre-setup a docker ready GCE instance? If not, has anyone tried out an ansible based workflow using docker login and got it to work?

解决方案

You should take advantage of GCE native docker capability (with container optimized OS!) instead of manually installing Docker and configuring it. This allows the image to be pulled and started as part of the booting process. For authentication you should be able to authorize your Compute Engine default service account to access the image in GCR even from another project. Alternatively create and use a dedicated service account, see this doc on how to activate it in an instance. Also see here about giving IAM roles to service accounts.

To create a Compute Engine instance with a Docker image you can use this Gcloud command (not sure if Ansible has an equivalent)

gcloud beta compute instances create-with-container

NB: Consider posting this type of question in ServerFault instead as it will be targeted to a network and system administrators audience. StackOverflow is more suited for developer community.

这篇关于创建一个能够从容器注册表中提取的 docker 就绪计算引擎的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！