Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/google-cloud-platform/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Docker Swarm创建服务无法从远程存储库中提取_Docker_Google Cloud Platform_Docker Swarm_Google Container Registry - Fatal编程技术网
Fatal编程技术网
  • docker/
  • Docker Swarm创建服务无法从远程存储库中提取

Docker Swarm创建服务无法从远程存储库中提取

docker google-cloud-platform

Docker Swarm创建服务无法从远程存储库中提取,docker,google-cloud-platform,docker-swarm,google-container-registry,Docker,Google Cloud Platform,Docker Swarm,Google Container Registry,我已经在谷歌计算引擎上创建了一个双实例docker swarm Docker版本18.06.1-ce,在Ubuntu 18.04.1 LTS上构建e68fc7a 我创建了一个服务帐户: gcloud iam service-accounts create ${KEY_NAME} --display-name "${KEY_DISPLAY_NAME}" gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$

我已经在谷歌计算引擎上创建了一个双实例docker swarm

Docker版本18.06.1-ce,在Ubuntu 18.04.1 LTS上构建e68fc7a

我创建了一个服务帐户:

gcloud iam service-accounts create ${KEY_NAME} --display-name "${KEY_DISPLAY_NAME}"
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com --role roles/storage.admin
gcloud iam service-accounts keys create --iam-account ${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com key.json
将key.json传输到我的docker swarm master:

然后我运行了以下命令:

gcloud auth configure-docker
cat key.json | tr '\n' ' ' | docker login -u _json_key --password-stdin \
    https://eu.gcr.io

docker login registry.gitlab.com -u $USERNAME -p $PASSWORD
我可以成功地从我的私有eu.gcr.io存储库中提取映像:

docker pull eu.gcr.io/$PROJECT/$IMAGE
因此,登录似乎可以正常工作,gcloud助手似乎安装正确

但在我的swarm中创建服务失败:

docker service create --replicas 2 --network overlay --name $NAME eu.gcr.io/$PROJECT/$IMAGE --with-registry-auth
image eu.gcr.io/$PROJECT/$IMAGE:latest could not be accessed on a registry to record
its digest. Each node will access eu.gcr.io/$PROJECT/$IMAGE:latest independently,
possibly leading to different nodes running different versions of the image.
qwdm524vggn50j4lzoe5paknj
overall progress: 0 out of 2 tasks 
1/2: No such image: eu.gcr.io/$PROJECT/$IMAGE:latest 
2/2: No such image: eu.gcr.io/$PROJECT/$IMAGE:latest
查看syslog可显示以下内容:

Aug 25 13:37:15 mgr-1 dockerd[1368]: time="2018-08-25T13:37:15.299064551Z" level=info msg="Attempting next endpoint for pull after error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"
Aug 25 13:37:15 mgr-1 dockerd[1368]: time="2018-08-25T13:37:15.299168218Z" level=error msg="pulling image failed" error="unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication" module=node/agent/taskmanager node.id=xgozmc8iyjls7ulh4k3tvions service.id=qwdm524vggn50j4lzoe5paknj task.id=qrktpo34iuhiyl1rmbi71y4wg
AFAICS,我使用正确的服务帐户JSON登录到Google容器存储库(因为
docker pull
works),我在
docker create service
中添加了标志
--with registry auth
,这是对
docker create service
的回答,但仍然不起作用。
docker-create-service
的工作方式是否类似于
docker-pull

有没有办法解决这个问题

更新

我也尝试了Gitlab注册表,而不是Google容器注册表。在Gitlab站点上创建了注册表部署令牌,并输入了以下命令:

gcloud auth configure-docker
cat key.json | tr '\n' ' ' | docker login -u _json_key --password-stdin \
    https://eu.gcr.io

docker login registry.gitlab.com -u $USERNAME -p $PASSWORD
那么这就行了:

docker pull registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE
但此命令失败,并出现类似错误:

docker service create --replicas 2 --network overlay  --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE --with-registry-auth

image registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE:latest could not be accessed on a registry to record
its digest. Each node will access registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE:latest independently,
possibly leading to different nodes running different
versions of the image.
r5fqg94jrvt587le0fu779zaw
overall progress: 0 out of 2 tasks 
1/2: No such image: $ORGANISATION/$PROJECT/$IMAGE:latest
2/2: No such image: $ORGANISATION/$PROJECT/$IMAGE:latest
并且
/var/log/syslog
包含

Aug 25 21:56:14 mgr-1 dockerd[1368]: time="2018-08-25T21:56:14.615895063Z" level=error msg="pulling image failed" error="Get https://registry.gitlab.com/v2/$ORGANISATION/$PROJECT/$IMAGE/manifests/latest: denied: access forbidden" module=node/agent/taskmanager node.id=xgozmc8iyjls7ulh4k3tvions service.id=r5fqg94jrvt587le0fu779zaw task.id=huwpjtu1wujk527t84y7yvbvd
因此,docker create service似乎没有使用提供的凭据,而且问题与Google容器注册表或Gitlab注册表都没有关系?

好的,我发现了问题。我必须使用:

docker service create --with-registry-auth --replicas 2 --network overlay  --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE
而不是

docker service create --replicas 2 --network overlay  --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE --with-registry-auth
在后一种情况下,
--with registry auth
被视为my image的参数,而不是
docker service create
调用的参数,因此没有使用身份验证从任一私有存储库中提取图像