Docker使用ansible';Docker登录';和_json_键
我正在尝试编写一个ansible角色,该角色在从容器注册表中提取图像之前,首先向GCE实例执行Docker使用ansible';Docker登录';和_json_键,docker,ansible,google-compute-engine,Docker,Ansible,Google Compute Engine,我正在尝试编写一个ansible角色,该角色在从容器注册表中提取图像之前,首先向GCE实例执行docker登录。因为上面提到的问题,我需要这样做 首先,我尝试了下面的代码块 - name: Docker Login docker_login: registry: https://eu.gcr.io username: _json_key debug: true password: "{{ lookup('file', 'pulse-psg-863d9955d8
docker登录。因为上面提到的问题,我需要这样做
首先,我尝试了下面的代码块
- name: Docker Login
docker_login:
registry: https://eu.gcr.io
username: _json_key
debug: true
password: "{{ lookup('file', 'pulse-psg-863d9955d8a1.json')}}"
我得到的错误是(私钥已修改)
我一生都无法让它解析私钥。我怀疑它与星号字符(我不知道这是否只是在调试输出中屏蔽它,或者这是否是向前发送的内容)或\n字符有关
因此,我尝试登录到GCE机器,并尝试从命令行执行命令,如第二个答案所示。因此,首先我将密钥文件scp到机器上,然后:
JSON\u KEY=$(cat-keyfile.JSON)
sudo docker login-u_json_key-p“$json_key”https://gcr.io
虽然有一些警告,但我还是能够登录并从中提取图像。我得出的结论是,docker登录
ansible模块存在问题,因此决定尝试使用shell命令。因此:
- name: Docker Login using shell
shell: docker login -u _json_key -p "{{ lookup('file', 'keyfile.json') | replace('\n', '')}}" http://eu.gcr.io
这也不会成功
snip
"module_args": {
"_raw_params": "docker login -u _json_key -p \"{\n \"type\": \"service_account\",\n \"project_id\": \"id\",\n \"private_key_id\": \"863d9955d8a1e5e04a15b36ef80a787bc2\",\n \"private_key\": \"-----BEGIN PRIVATE KEY-----MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2Z7c33lnCQDXFssGvg0t9xi9Aqk6x4cazQPUJ8j0Y+qWDBPL+ShHNSZwVykmAugC51KKInm5ik4IWTA5ict3VBRnWiutdxQK++icZ2yCuFlPMDFp2g2GQ4wl8bH1X3AtWgHO/nSWD3Rle7M/p9CUJq3K1EA07H9GKBJZmfGaoc4HA+OG8/j2Q7i8KmG9pFjKOAlQsHPdKKZqn4YeHPOTmARJgxw6PXbchAp+nPA7f7hpbmaK3XRNRxuB7cRIOU6EYaqBaHT73gmw8ulCHYSUWw+/P9ZquFjsnF8p7hzZ8pCOMSUwaLCQaDfqZvfcEoMqIaz9cOJdyjsZjOb1DLd2YtLCUNWldu5Nmh621L51bNh+clYpiSwOnD+ZhN5jrkIK9leeCdUVeg71+h2gzKJGHJBU=-----END PRIVATE KEY-----\",\n \"client_email\": \"duh-compute@developer.gserviceaccount.com\",\n \"client_id\": \"1115155168041\",\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/879255832886-compute%40developer.gserviceaccount.com\"\n}\" http://eu.gcr.io",
"_uses_shell": true,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"warn": true
}
msg": "non-zero return code",
"rc": 1,
"start": "2019-07-29 18:31:55.246592",
"stderr": "\"docker login\" requires at most 1 argument.\nSee 'docker login --help'.\n\nUsage: docker login [OPTIONS] [SERVER]\n\nLog in to a Docker registry",
"stderr_lines": [
"\"docker login\" requires at most 1 argument.",
"See 'docker login --help'.",
"",
"Usage: docker login [OPTIONS] [SERVER]",
"",
"Log in to a Docker registry"
],
SNIP
我再次怀疑这是因为它不喜欢密钥的格式,但这一次是docker login
命令,而不是远程服务器(如前一种情况),它至少传输了密钥。在这两种情况下,挑战似乎都是在传输的文件中获取JSON格式的密钥,而无需任何额外字符,就像直接在命令行上运行命令时引用环境变量一样
我已经花了三天的大部分时间尝试自动创建一个GCE实例,并使它与docker一起工作—这应该是相当简单的事情 lookup
对json的解释很糟糕
解决方案是在密码字符串的开头插入空格password:{{lookup('file','pulse-psg-863d9955d8a1.json')}”
Bingo。这就是魔法。你介意解释一下这个空间的实际功能吗?如果你能链接到一些文档来解释它的话?还有一点需要注意的是,尝试使用shell模块shell:docker login-u_json_key-p{{lookup('file','pulse-psg-863d9955d8a1.json')}使用相同的方法(添加空间)http://eu.gcr.io
不起作用。所以这就更神秘了。可能空格对docker登录名有意义module@DevuAnsible团队的某个家伙解释说:嗯……事实上,我的JSON是类似对象的,以“{”开头角色。我读过这篇文章和其他类似的文章,但在3天的GCE和其他问题的冲击之后,我太累了,没法理解。你简洁的一行代码效果更好。我不确定他们是否已经修复了它。我更愿意去掉有空间的习惯。在<代码>“{lookup”中提到了一些东西('template','./bucket public.json.j2',convert_data=False)| string}”docker\u login:registry:https://eu.gcr.io 用户名:_json_密钥密码:{{lookup('password','pulse-psg-863d9955d8a1.json')}“snip
"module_args": {
"_raw_params": "docker login -u _json_key -p \"{\n \"type\": \"service_account\",\n \"project_id\": \"id\",\n \"private_key_id\": \"863d9955d8a1e5e04a15b36ef80a787bc2\",\n \"private_key\": \"-----BEGIN PRIVATE KEY-----MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2Z7c33lnCQDXFssGvg0t9xi9Aqk6x4cazQPUJ8j0Y+qWDBPL+ShHNSZwVykmAugC51KKInm5ik4IWTA5ict3VBRnWiutdxQK++icZ2yCuFlPMDFp2g2GQ4wl8bH1X3AtWgHO/nSWD3Rle7M/p9CUJq3K1EA07H9GKBJZmfGaoc4HA+OG8/j2Q7i8KmG9pFjKOAlQsHPdKKZqn4YeHPOTmARJgxw6PXbchAp+nPA7f7hpbmaK3XRNRxuB7cRIOU6EYaqBaHT73gmw8ulCHYSUWw+/P9ZquFjsnF8p7hzZ8pCOMSUwaLCQaDfqZvfcEoMqIaz9cOJdyjsZjOb1DLd2YtLCUNWldu5Nmh621L51bNh+clYpiSwOnD+ZhN5jrkIK9leeCdUVeg71+h2gzKJGHJBU=-----END PRIVATE KEY-----\",\n \"client_email\": \"duh-compute@developer.gserviceaccount.com\",\n \"client_id\": \"1115155168041\",\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/879255832886-compute%40developer.gserviceaccount.com\"\n}\" http://eu.gcr.io",
"_uses_shell": true,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"warn": true
}
msg": "non-zero return code",
"rc": 1,
"start": "2019-07-29 18:31:55.246592",
"stderr": "\"docker login\" requires at most 1 argument.\nSee 'docker login --help'.\n\nUsage: docker login [OPTIONS] [SERVER]\n\nLog in to a Docker registry",
"stderr_lines": [
"\"docker login\" requires at most 1 argument.",
"See 'docker login --help'.",
"",
"Usage: docker login [OPTIONS] [SERVER]",
"",
"Log in to a Docker registry"
],
SNIP