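Problem description
Has anyone figured out how to pull from a private GCR repository in the containrrr watchtower image in docker compose?
For context, I ran gcloud auth configure-docker on the host, and added these volumes to watchtower: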
version: "3.4"
services:
  app:
    image: gcr.io/<proj>/<img>:latest
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/config.json
      - /root/.config/gcloud:/.config/gcloud
      - /usr/lib/google-cloud-sdk:/usr/lib/google-cloud-sdk
    command: --interval 10
    environment:
      - PATH=$PATH:/usr/lib/google-cloud-sdk/bin
      - HOME=/
    labels:
      - com.centurylinklabs.watchtower.enable=false
It keeps saying
watchtower_1 | time="2021-06-03T22:36:13Z" level=info msg="Unable to update container \"/gce_app_1\": Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation,and you may have invalid credentials. To authenticate your request,follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication. Proceeding to next."
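Solution
I'm not familiar with Watchtower, but I am familiar with GCR.
If you want to authenticate to GCR and then interact with it only through clients of the Docker Registry API (i.e. docker [push|pull] etc.), you may want to consider creating a suitable IAM service account and a key, and mounting the key into Watchtower via a volume mount. You would then be able to authenticate using docker login ... without installing|using the Google Cloud SDK (gcloud).
See: https://cloud.google.com/container-registry/docs/advanced-authentication#json-key

I found a solution. Note that the gcloud helper needs python installed in order to work. So even if you add all the configuration and binaries to the watchtower container, it still won't run properly.
As a solution, I came up with a minimal docker image that has both watchtower and python3 installed. It is yspreen/watchtower. You can find the full README on github, but here is a summary: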
version: "3.4"
services:
  app:
    image: gcr.io/<project>/<image>:latest
  watchtower:
    image: yspreen/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/config.json
      - /root/.config/gcloud:/.config/gcloud
      - /usr/lib/google-cloud-sdk:/usr/lib/google-cloud-sdk
    command: --cleanup --interval 10
    environment:
      - PATH=$PATH:/usr/lib/google-cloud-sdk/bin
      - HOME=/
    labels:
      - com.centurylinklabs.watchtower.enable=false
Configuration file:
{
  "credsStore": "gcloud",
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud"
  }
}
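
An added example, not part of either answer above: it ties the two together by listing which entries of a Docker config.json depend on an external credential helper (the gcloud/python dependency described in the second answer) and by building a helper-free config.json from a service-account JSON key (the approach suggested in the first answer). The function names and sample values are constructed for illustration, and it assumes Watchtower honours the auths section of the mounted /config.json.

```python
import base64
import json

# Registry hosts taken from the credHelpers map shown on this page.
GCR_HOSTS = ["gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io"]


def helper_dependencies(config: dict) -> dict:
    """Return {registry: helper} for every entry that needs an external
    docker-credential-<helper> binary at pull time ('*' means credsStore)."""
    deps = dict(config.get("credHelpers", {}))
    if config.get("credsStore"):
        deps["*"] = config["credsStore"]
    return deps


def static_config(key_json: str, hosts=GCR_HOSTS) -> dict:
    """Build a config.json that authenticates with a service-account JSON key.
    GCR accepts the literal username _json_key with the key file as password."""
    key = json.loads(key_json)  # fail early on a truncated or malformed file
    if key.get("type") != "service_account" or "private_key" not in key:
        raise ValueError("not a service-account JSON key")
    token = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    return {"auths": {host: {"auth": token} for host in hosts}}


# Constructed sample inputs, not real credentials.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "watchtower-pull@example-project.iam.gserviceaccount.com",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
})
PAGE_CONFIG = {"credsStore": "gcloud", "credHelpers": {"gcr.io": "gcloud"}}

if __name__ == "__main__":
    # The helper-based config needs gcloud (and python) inside the container.
    print("helpers required:", helper_dependencies(PAGE_CONFIG))
    cfg = static_config(SAMPLE_KEY)
    # The static config needs nothing beyond the file itself.
    print("helpers required:", helper_dependencies(cfg))
    print("registries configured:", sorted(cfg["auths"]))
```

The generated file embeds a long-lived key, so keep it at mode 0600, mount it read-only, and give the service account only the Storage Object Viewer role.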