How to use Google Container Registry

7/5/2015

I tried to use Google Container Registry, but it did not work for me.

I wrote the following containers.yaml.

$ cat containers.yaml
version: v1
kind: Pod
spec:
  containers:
    - name: amazonssh
      image: asia.gcr.io/<project-id>/amazonssh
      imagePullPolicy: Always
  restartPolicy: Always
  dnsPolicy: Default

I ran the instance with the following command.

$ gcloud compute instances create containervm-amazonssh --image container-vm --network product-network --metadata-from-file google-container-manifest=containers.yaml --zone asia-east1-a --machine-type f1-micro

I set the following acl permission.

# gsutil acl ch -r -u <project-number>@developer.gserviceaccount.com:R gs://asia.artifacts.<project-id>.appspot.com

But "Access denied" occurs when I docker pull the image from Google Container Registry.

#  docker pull asia.gcr.io/<project-id>.a/amazonssh
Pulling repository asia.gcr.io/<project-id>.a/amazonssh
FATA[0000] Error: Status 403 trying to pull repository <project-id>/amazonssh: "Access denied."
--
docker-registry
google-cloud-platform
google-container-registry
google-kubernetes-engine

2 Answers

8/27/2015

You have an extra .a after project-id here, not sure if you ran the command that way?

docker pull asia.gcr.io/<project-id>.a/amazonssh

The container-vm has a cron job running gcloud docker -a as root, so you should be able to docker pull as root.

The kubelet, which launches the container-vm Docker containers, also understands how to natively authenticate with GCR, so it should just work.

Feel free to reach out to us at gcr-contact@google.com. It would be useful if you could include your project-id, and possibly the /var/log/kubelet.log from your container-vm.

-- mattmoor
Source: StackOverflow

7/8/2015

Can you verify from your instance that you can read data from your Google Cloud Storage bucket? This can be verified by:

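$ METADATA=http://metadata.google.internal./computeMetadata/v1
$ SVC_ACCT=$METADATA/instance/service-accounts/default
$ curl -H 'Metadata-Flavor: Google' $SVC_ACCT/scopes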
...
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/devstorage.read_only
...

If so, then try:

On Google Compute Engine you can log in without gcloud with:

$ METADATA=http://metadata.google.internal./computeMetadata/v1
$ SVC_ACCT=$METADATA/instance/service-accounts/default
$ ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' $SVC_ACCT/token \
    | cut -d'"' -f 4)
$ docker login -e not@val.id -u _token -p $ACCESS_TOKEN https://gcr.io

Then try your docker pull command again.

-- TimK
Source: StackOverflow
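
The checks from both answers in a form that can be run offline, as an added example that is not part of either answer or of Google's tooling: it tests a scope list for Cloud Storage read access, extracts `access_token` from the metadata JSON by key name, and confirms an image reference sits under the expected project. The project id `my-project`, the function names and the sample references are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the two 403 causes discussed in this thread.
# "my-project" is a placeholder project id; sample references are constructed.

# Succeeds if the scope list on stdin (one URL per line, as returned by
# $SVC_ACCT/scopes) contains a scope that allows reading Cloud Storage.
has_gcs_read_scope() {
    grep -Eqx 'https://www\.googleapis\.com/auth/(devstorage\.(read_only|read_write|full_control)|cloud-platform)'
}

# Prints the access_token field of the JSON on stdin, matched by key name
# (cut -d'"' -f 4 only works while access_token is the first key).
token_from_json() {
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeeds if image reference $1 is gcr.io/<project>/<name> or
# <region>.gcr.io/<project>/<name> and <project> is exactly $2.
image_matches_project() {
    case "$1" in
        gcr.io/*/*|*.gcr.io/*/*) ;;
        *) return 1 ;;
    esac
    rest=${1#*/}                 # drop the registry host
    [ "${rest%%/*}" = "$2" ]     # first path segment must equal the project id
}

# Live check, only meaningful on a Compute Engine instance:
#   sh check.sh --live <image-ref> <project-id>
live_check() {
    svc=http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default
    curl -sf -H 'Metadata-Flavor: Google' "$svc/scopes" | has_gcs_read_scope \
        || { echo "service account has no Cloud Storage read scope" >&2; return 1; }
    image_matches_project "$1" "$2" \
        || { echo "image $1 is not under project $2" >&2; return 1; }
    echo "scopes and image reference look consistent"
}

# Offline demo on constructed references: the second carries a stray ".a".
demo() {
    for ref in asia.gcr.io/my-project/amazonssh asia.gcr.io/my-project.a/amazonssh; do
        if image_matches_project "$ref" my-project; then echo "ok   $ref"; else echo "BAD  $ref"; fi
    done
}

if [ "${1:-}" = "--live" ]; then live_check "$2" "$3"; else demo; fi
```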