
I am trying to pull a docker container from our private GCP container registry on a regular VM instance (i.e. ubuntu-1904) running on Google Cloud, but I am getting the following error:

    user@test ~ $ sudo docker pull example.io/docker-dev/name:v01
    Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I followed those instructions, i.e., ran the gcloud auth configure-docker command, which outputs a success message.

However, when running the docker pull command again, I get the exact same error.

A couple of extra tests that might help to provide feedback:

  • If I pull from a different registry, it works (for example, docker run hello-world pulls and runs the hello-world image).
  • I tested the same command (docker pull example.io/docker-dev/name:v01) on my local computer (Mac) instead of the VM instance and it works perfectly.
  • I have also created VM instances and enabled the option “Deploy a container image to this VM instance”, providing the container address (example.io/docker-dev/name:v01), and that also works. However, I don’t want to use this option because it automatically selects a “Container-Optimized” boot disk, which I prefer not to use due to the limitations.

Question:
Why can't I pull docker images from my private container registry on an Ubuntu or Debian VM, even though docker seems to work very well pulling images from other repositories (docker hub)?

3 Answers


  1. I did this yesterday. Just run gcloud auth configure-docker then run

    VERSION=2.0.0
    OS=linux  # or "darwin" for OSX, "windows" for Windows.
    ARCH=amd64  # or "386" for 32-bit OSs, "arm64" for ARM 64.
    

    After that you can download the docker-credential-gcr

    wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz"
    

    Then run

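    # Extract the helper binary from the archive and install it as docker-credential-gcloud
    tar xzf ./docker-credential-gcr_linux_amd64-2.0.0.tar.gz --to-stdout --wildcards '*docker-credential-gcr' | sudo tee /usr/bin/docker-credential-gcloud > /dev/null && sudo chmod +x /usr/bin/docker-credential-gcloud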
    

    And finally run

    gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
    

    Now you will be able to pull your image 🙂

  2. If you run gcloud auth configure-docker, the auth information is saved under your personal directory.
    When you then run sudo docker pull example.io/docker-dev/name:v01, it looks for auth info under root directory and doesn’t find anything there.

    You should run both with or without sudo.

  3. For me, on a container-os optimized instance, it helped to just run:

    docker-credential-gcr configure-docker
    

    https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#starting_a_docker_container_via_cloud-config

    Note the default policy for compute instances:

    VM instances, including those in Google Kubernetes Engine clusters,
    must have the correct storage access scopes configured to push or pull
    images. By default, VMs can pull images when Container Registry is in
    the same project.

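The second answer's point, that `gcloud auth configure-docker` registers a credential helper in one user's Docker config which a `sudo docker` run may not see, can be checked directly. The following is an added example, not part of the original thread: it reports which credential source a Docker `config.json` selects for a registry and whether the helper binary is on the search path. The directory layout, the `gcr.io` key and the stub helper file are constructed sample data.

```python
import json
import os
import shutil
import tempfile

def resolve_credentials(config_dir, registry, search_path=None):
    """Return (source, helper_path) for `registry` from config_dir/config.json.
    The docker CLI reads this file from $DOCKER_CONFIG, else from ~/.docker."""
    try:
        with open(os.path.join(config_dir, "config.json"), encoding="utf-8") as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        return ("no-config", None)
    # A per-registry credHelpers entry takes precedence over the global credsStore.
    helper = cfg.get("credHelpers", {}).get(registry)
    if helper:
        name = "docker-credential-" + helper
        return ("credHelper:" + name, shutil.which(name, path=search_path))
    if cfg.get("credsStore"):
        name = "docker-credential-" + cfg["credsStore"]
        return ("credsStore:" + name, shutil.which(name, path=search_path))
    auths = cfg.get("auths", {})
    if registry in auths or "https://" + registry in auths:
        return ("auths", None)
    return ("anonymous", None)

def demo():
    """Constructed sample: one config dir with a gcloud helper entry, one empty."""
    base = tempfile.mkdtemp()
    user_cfg = os.path.join(base, "home", "user", ".docker")
    root_cfg = os.path.join(base, "root", ".docker")
    bindir = os.path.join(base, "bin")
    for d in (user_cfg, root_cfg, bindir):
        os.makedirs(d)
    with open(os.path.join(user_cfg, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"credHelpers": {"gcr.io": "gcloud"}}, fh)
    stub = os.path.join(bindir, "docker-credential-gcloud")  # stand-in helper binary
    with open(stub, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(stub, 0o755)
    return (resolve_credentials(user_cfg, "gcr.io", bindir),    # helper configured and found
            resolve_credentials(root_cfg, "gcr.io", bindir),    # no config.json at all
            resolve_credentials(user_cfg, "gcr.io", root_cfg))  # configured, helper not on PATH

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `resolve_credentials` once as the normal user and once under `sudo`, each against that account's own config directory and `PATH`, shows whether both invocations resolve to the same helper.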