我在 Google Compute Engine 上创建了一个两个实例的 docker swarm。
Docker 版本 18.06.1-ce,在 Ubuntu 18.04.1 LTS 上构建 e68fc7a
我创建了一个服务帐户:
gcloud iam service-accounts create ${KEY_NAME} --display-name "${KEY_DISPLAY_NAME}"
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com --role roles/storage.admin
gcloud iam service-accounts keys create --iam-account ${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com key.json
将 key.json 转移到我的 docker swarm master:
然后我运行了以下命令:
gcloud auth configure-docker
cat key.json | tr '\n' ' ' | docker login -u _json_key --password-stdin \
https://eu.gcr.io
我可以成功地从我的私有(private) eu.gcr.io 存储库中提取图像:
docker pull eu.gcr.io/$PROJECT/$IMAGE
因此,登录似乎可以正常工作,并且 gcloud 帮助程序似乎已正确安装。
但是在我的 swarm 中创建服务失败了:
docker service create --replicas 2 --network overlay --name $NAME eu.gcr.io/$PROJECT/$IMAGE --with-registry-auth
image eu.gcr.io/$PROJECT/$IMAGE:latest could not be accessed on a registry to record
its digest. Each node will access eu.gcr.io/$PROJECT/$IMAGE:latest independently,
possibly leading to different nodes running different versions of the image.
qwdm524vggn50j4lzoe5paknj
overall progress: 0 out of 2 tasks
1/2: No such image: eu.gcr.io/$PROJECT/$IMAGE:latest
2/2: No such image: eu.gcr.io/$PROJECT/$IMAGE:latest
查看 syslog 显示以下内容:
Aug 25 13:37:15 mgr-1 dockerd[1368]: time="2018-08-25T13:37:15.299064551Z" level=info msg="Attempting next endpoint for pull after error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"
Aug 25 13:37:15 mgr-1 dockerd[1368]: time="2018-08-25T13:37:15.299168218Z" level=error msg="pulling image failed" error="unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication" module=node/agent/taskmanager node.id=xgozmc8iyjls7ulh4k3tvions service.id=qwdm524vggn50j4lzoe5paknj task.id=qrktpo34iuhiyl1rmbi71y4wg
AFAICS,我使用正确的服务帐户 JSON 登录到 Google 容器存储库(如
docker pull 有效),我添加了标志 --with-registry-auth至docker create service这是 similar questions 的答案,但它仍然不起作用。是 docker create service工作类似于 docker pull ?有什么想法可以解决这个问题吗?
更新
我也尝试了 Gitlab Registry 而不是 Google Container Registry。在 Gitlab 站点上创建了一个注册表部署 token ,并输入了以下命令:
docker login registry.gitlab.com -u $USERNAME -p $PASSWORD
然后这只是工作:
docker pull registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE
但是此命令失败并出现类似错误:
docker service create --replicas 2 --network overlay --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE --with-registry-auth
image registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE:latest could not be accessed on a registry to record
its digest. Each node will access registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE:latest independently,
possibly leading to different nodes running different
versions of the image.
r5fqg94jrvt587le0fu779zaw
overall progress: 0 out of 2 tasks
1/2: No such image: $ORGANISATION/$PROJECT/$IMAGE:latest
2/2: No such image: $ORGANISATION/$PROJECT/$IMAGE:latest
和
/var/log/syslog包含Aug 25 21:56:14 mgr-1 dockerd[1368]: time="2018-08-25T21:56:14.615895063Z" level=error msg="pulling image failed" error="Get https://registry.gitlab.com/v2/$ORGANISATION/$PROJECT/$IMAGE/manifests/latest: denied: access forbidden" module=node/agent/taskmanager node.id=xgozmc8iyjls7ulh4k3tvions service.id=r5fqg94jrvt587le0fu779zaw task.id=huwpjtu1wujk527t84y7yvbvd
看来
docker create service不使用提供的凭据,并且该问题与 Google Container Registry 或 Gitlab Registry 无关?
最佳答案
好的,我发现了问题。我不得不使用:
docker service create --with-registry-auth --replicas 2 --network overlay --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE
而不是
docker service create --replicas 2 --network overlay --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE --with-registry-auth
在后一种情况下,
--with-registry-auth被认为是我的形象的一个论据,而不是 docker service create调用,因此没有使用身份验证从任一私有(private)存储库中提取图像。
关于Docker Swarm 创建服务无法从远程存储库中提取,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52017900/