Docker Swarm创建服务无法从远程存储库中提取
我已经在谷歌计算引擎上创建了一个双实例docker swarm Docker版本18.06.1-ce,在Ubuntu 18.04.1 LTS上构建e68fc7a 我创建了一个服务帐户:Docker Swarm创建服务无法从远程存储库中提取,docker,google-cloud-platform,docker-swarm,google-container-registry,Docker,Google Cloud Platform,Docker Swarm,Google Container Registry,我已经在谷歌计算引擎上创建了一个双实例docker swarm Docker版本18.06.1-ce,在Ubuntu 18.04.1 LTS上构建e68fc7a 我创建了一个服务帐户: gcloud iam service-accounts create ${KEY_NAME} --display-name "${KEY_DISPLAY_NAME}" gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$
gcloud iam service-accounts create ${KEY_NAME} --display-name "${KEY_DISPLAY_NAME}"
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com --role roles/storage.admin
gcloud iam service-accounts keys create --iam-account ${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com key.json
将key.json传输到我的docker swarm master:
然后我运行了以下命令:
gcloud auth configure-docker
cat key.json | tr '\n' ' ' | docker login -u _json_key --password-stdin \
https://eu.gcr.io
docker login registry.gitlab.com -u $USERNAME -p $PASSWORD
我可以成功地从我的私有eu.gcr.io存储库中提取映像:
docker pull eu.gcr.io/$PROJECT/$IMAGE
因此,登录似乎可以正常工作,gcloud助手似乎安装正确
但在我的swarm中创建服务失败:
docker service create --replicas 2 --network overlay --name $NAME eu.gcr.io/$PROJECT/$IMAGE --with-registry-auth
image eu.gcr.io/$PROJECT/$IMAGE:latest could not be accessed on a registry to record
its digest. Each node will access eu.gcr.io/$PROJECT/$IMAGE:latest independently,
possibly leading to different nodes running different versions of the image.
qwdm524vggn50j4lzoe5paknj
overall progress: 0 out of 2 tasks
1/2: No such image: eu.gcr.io/$PROJECT/$IMAGE:latest
2/2: No such image: eu.gcr.io/$PROJECT/$IMAGE:latest
查看syslog可显示以下内容:
Aug 25 13:37:15 mgr-1 dockerd[1368]: time="2018-08-25T13:37:15.299064551Z" level=info msg="Attempting next endpoint for pull after error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"
Aug 25 13:37:15 mgr-1 dockerd[1368]: time="2018-08-25T13:37:15.299168218Z" level=error msg="pulling image failed" error="unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication" module=node/agent/taskmanager node.id=xgozmc8iyjls7ulh4k3tvions service.id=qwdm524vggn50j4lzoe5paknj task.id=qrktpo34iuhiyl1rmbi71y4wg
AFAICS,我使用正确的服务帐户JSON登录到Google容器存储库(因为docker pull
works),我在docker create service
中添加了标志--with registry auth
,这是对docker create service
的回答,但仍然不起作用。docker-create-service
的工作方式是否类似于docker-pull
有没有办法解决这个问题
更新
我也尝试了Gitlab注册表,而不是Google容器注册表。在Gitlab站点上创建了注册表部署令牌,并输入了以下命令:
gcloud auth configure-docker
cat key.json | tr '\n' ' ' | docker login -u _json_key --password-stdin \
https://eu.gcr.io
docker login registry.gitlab.com -u $USERNAME -p $PASSWORD
那么这就行了:
docker pull registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE
但此命令失败,并出现类似错误:
docker service create --replicas 2 --network overlay --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE --with-registry-auth
image registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE:latest could not be accessed on a registry to record
its digest. Each node will access registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE:latest independently,
possibly leading to different nodes running different
versions of the image.
r5fqg94jrvt587le0fu779zaw
overall progress: 0 out of 2 tasks
1/2: No such image: $ORGANISATION/$PROJECT/$IMAGE:latest
2/2: No such image: $ORGANISATION/$PROJECT/$IMAGE:latest
并且/var/log/syslog
包含
Aug 25 21:56:14 mgr-1 dockerd[1368]: time="2018-08-25T21:56:14.615895063Z" level=error msg="pulling image failed" error="Get https://registry.gitlab.com/v2/$ORGANISATION/$PROJECT/$IMAGE/manifests/latest: denied: access forbidden" module=node/agent/taskmanager node.id=xgozmc8iyjls7ulh4k3tvions service.id=r5fqg94jrvt587le0fu779zaw task.id=huwpjtu1wujk527t84y7yvbvd
因此,docker create service似乎没有使用提供的凭据,而且问题与Google容器注册表或Gitlab注册表都没有关系?好的,我发现了问题。我必须使用:
docker service create --with-registry-auth --replicas 2 --network overlay --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE
而不是
docker service create --replicas 2 --network overlay --name $NAME registry.gitlab.com/$ORGANISATION/$PROJECT/$IMAGE --with-registry-auth
在后一种情况下,--with registry auth
被视为my image的参数,而不是docker service create
调用的参数,因此没有使用身份验证从任一私有存储库中提取图像