英文:
Google Container Registry: Permission issue while trying to pull/push images with authenticated credentials
问题
在Ubuntu-22中,google-cloud
已通过snap
商店安装:
> whereis gcloud
gcloud:/snap/bin/gcloud
> snap list | grep google
google-cloud-sdk 432.0.0 346 latest/stable google-cloud-sdk** classic
Docker也通过snap
安装了:
> snap list | grep docker
docker 20.10.24 2893 latest/stable canonical**
我已经通过以下方式对我的帐户进行了私有GCR的身份验证:
> gcloud auth login
您的浏览器已打开以访问:
https://accounts.google.com/o/oauth2/auth?...<long_url>
您现在已登录为 [<my_email@address.com>]。
您当前的项目是 [<desired_project_name>]。您可以通过运行以下命令更改此设置:
$ gcloud config set project PROJECT_ID
请再次检查登录过程:
> gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* <my_email@address.com>
要设置活动帐户,请运行:
$ gcloud config set account `ACCOUNT`
但是,当我尝试拉取或推送任何映像时,我遇到了以下权限问题:
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
我能够在浏览器中访问我尝试从私有GCR中拉取的映像,这让我认为这是与在终端中执行docker pull
时的凭据相关的问题。
我在这里错过了什么?
PS:这个问题中的解决方案对我不起作用 https://stackoverflow.com/questions/59599316/unable-to-push-to-google-container-registry-permission-issue
编辑:
如评论中所要求,在auth login
之前,我还执行了一步,即gcloud auth configure-docker
,如下所示:
> gcloud auth configure-docker
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file located at
[/home/<user>/.docker/config.json]:
{
"credHelpers": {
"gcr.io": "gcloud",
"us.gcr.io": "gcloud",
...
}
}
Do you want to continue (Y/n)?
Docker configuration file updated.
英文:
In Ubuntu-22, google-cloud
has been installed through snap
store;
> whereis gcloud
gcloud: /snap/bin/gcloud
> snap list | grep google
google-cloud-sdk 432.0.0 346 latest/stable google-cloud-sdk** classic
Docker has been installed via snap
too;
> snap list | grep docker
docker 20.10.24 2893 latest/stable canonical**
And I have authenticated my account to a private GCR as below;
> gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?...<long_url>
You are now logged in as [<my_email@address.com>].
Your current project is [<desired_project_name>]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
Double-checked the login process;
> gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* <my_email@address.com>
To set the active account, run:
$ gcloud config set account `ACCOUNT`
But, when I try to pull or push any image, I hit the following permission issue;
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I am able to access to the image which I try to pull from the private GCR in my browser, this makes me think that it is an issue related to creds while performing docker pull
in my terminal.
What am I missing here?
PS: The solution in this question did not work for me https://stackoverflow.com/questions/59599316/unable-to-push-to-google-container-registry-permission-issue
EDIT:
As it is asked in the comments, I need to mention that I have performed one more step before auth login
which is gcloud auth configure-docker
as below;
> gcloud auth configure-docker
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file located at
[/home/<user>/.docker/config.json]:
{
"credHelpers": {
"gcr.io": "gcloud",
"us.gcr.io": "gcloud",
...
}
}
Do you want to continue (Y/n)?
Docker configuration file updated.
答案1
得分: 1
发布此内容作为社区wiki,以供所有人查看。
解决docker的权限问题是通过使用APT软件包管理器重新安装docker来解决的。正如John Hanley所说,该问题似乎是通过snap安装Docker时出现的错误。建议使用APT来安装Docker,Docker自己也建议这样做。
还值得注意的是,您应该始终删除/卸载先前的安装。根据这篇帖子,也建议始终使用snap或apt,因为它们不能共存。
英文:
Posting this as a community wiki for everyone's visibility.
The permission issue with the docker was resolve by re-installing the docker with APT package manager. As said by John Hanley, the issue appears to be a bug with how the Docker was installed via snap. Using APT to install Docker is recommended by Docker themselves.
Its also important to note that you should always remove/uninstall previous installations. According to this post, its also recommended to use either snap or apt all the way, as they can't co-exist.
答案2
得分: 1
卸载 snap
安装并使用包管理器 apt
安装 docker
已经解决了我的问题。
我观察到两种安装方式之间的差异如下:
- 使用
snap
,一旦执行gcloud auth login
并将我重定向到浏览器,身份验证只需选择 Google 帐号(请查看我问题中的第3个代码块,不会要求输入authorization code
)。 - 使用
apt
,在选择所需的 Google 帐号后,我会被重定向到另一页,需要提供authorization code
,然后在终端中输入;
> gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?...<长网址>
Enter authorization code: <从浏览器复制的代码> // 这就是区别!!
You are now logged in as [<我的邮箱地址>].
Your current project is [<期望的项目名称>]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
感谢 @JohnHanley 指出 docker
推荐使用 apt
安装。
英文:
Removing snap
installation and installing docker
with package manager apt
has fixed my issue.
The difference I have observed between two installations;
- With
snap
, oncegcloud auth login
directs me to browser, authentication was completed by choosing google account only (Please see the 3rd code block in my question, noauthorization code
was asked). - With
apt
, after choosing the desired google account, I was directed to another page where theauthorization code
was provided which needed to be entered in the terminal;
> gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth?...<long_url>
Enter authorization code: <Code_from_browser> // This is the difference!!
You are now logged in as [<my_email@address.com>].
Your current project is [<desired_project_name>]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
Thank you @JohnHanley pointed out that docker
recommends apt
installation.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论