2
votes

I am not able to figure out a way to get all three of these pieces of tech to work together.

I have Google Container Registry. In it, I have 2 private images, let's call them A and B. I want to create a single instance template that does the following:

  1. docker run -d gcr.io/project_id/A:latest
  2. docker run -d gcr.io/project_id/B:latest

That is all I need to do. I hoped to do it in a startup script, that way I could just use a plain image as my base and I could deploy it in prod.

I have tried all 3 versions of the Container Optimized OS, and all 3 versions of CoreOS. Each gives slightly different errors.

Some examples suggest using gcloud docker -- pull, but gcloud does not auth correctly in any of the 6 environments I have tried.

Other examples suggest using docker login -u oauth2accesstoken -p "$(gcloud auth application-default print-access-token)" https://gcr.io; this also fails.

The only other option I found was to do docker login -u _json_key -p "$(cat keyfile.json)" https://gcr.io, which DID allow me to then pull the GCE images. The downside to this approach is: how do I get that keyfile in the images? I guess I can make a custom image with the keyfile added, but I was trying to stick to a stock image that does my two docker run commands and no more. Is this impossible?

1
Perhaps a dumb question, but gcloud is not included as part of the container optimized OS images. Are you installing it as part of the startup script? How is this accomplished when these images have the partitions mounted noexec? - dk.

1 Answer

1
votes

What errors are you seeing, specifically?

docker-credential-gcr is able to pull access-tokens from GCE metadata. It can also pull the gcloud SDK's access token by executing gcloud config config-helper --format='value(credential.access_token)' under the scenes. gcloud auth print-access-token was used in the past, but is not officially supported.
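The metadata-server token flow the answer mentions, done by hand in a startup script so that no keyfile has to be baked into the image. This is an added example, not code from the original post or from docker-credential-gcr. It assumes the instance's service account can read the storage behind the registry and that curl and docker exist on the image; the image names are the question's placeholders.

```shell
#!/bin/bash
# Added example: startup-script sketch, not code from the original post.
# Assumption: the VM's service account may read the registry's storage.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
IMAGES="gcr.io/project_id/A:latest gcr.io/project_id/B:latest"  # placeholders from the question

# Read the metadata server's JSON reply on stdin and print its access_token.
# sed is used because stock container hosts often ship without jq or python.
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The registry host is everything before the first slash of an image reference.
registry_host() {
  printf '%s\n' "${1%%/*}"
}

# Ask the metadata server for a short-lived token for the default service account.
fetch_token() {
  curl -sf --max-time 5 -H 'Metadata-Flavor: Google' "$METADATA_URL" | extract_access_token
}

main() {
  # Keep credentials in a private, writable directory; root's home may be read-only.
  DOCKER_CONFIG="$(mktemp -d)" || return 1
  export DOCKER_CONFIG
  token="$(fetch_token)"
  [ -n "$token" ] || { echo "startup: no token from metadata server" >&2; return 1; }
  for image in $IMAGES; do
    # --password-stdin keeps the token out of the process list.
    printf '%s' "$token" |
      docker login -u oauth2accesstoken --password-stdin "https://$(registry_host "$image")" || return 1
    docker run -d "$image" || return 1
  done
}

# Skip on machines without docker, so the helper functions stay testable offline.
if command -v docker >/dev/null 2>&1; then
  main || echo "startup: registry login or container start failed" >&2
fi
```

The token is short-lived, so nothing long-lived is stored on the instance, unlike the _json_key approach, which leaves a service-account key on disk.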