6

I have a Docker image pushed to Google Container Registry at gcr.io/my-project/my-image:latest. In the same project, I created a Google Compute Engine instance based on COS (Container-Optimized OS) with a read access to Google Storage (enabled by default). I also gave a read access to Google Storage to its service account.

However, I can't pull the image from the GCE instance:

$docker pull gcr.io/my-project/my-image:latest
Error response from daemon: repository gcr.io/my-project/my-image not found: does not exist or no pull access

The doc says:

To pull private Docker images from a Compute Engine instance, ensure that your instance has read permission for the image's bucket. This is configured correctly by default if your instance and the image bucket are in the same Google Cloud Platform project.

GalloCedrone
  • 371
  • 1
  • 9
Sony
  • 221
  • 2
  • 8
  • Since some of the answers are now deprecated, you can find multiple up-to-date ways to authenticate a GCE instance to Container Registry on [this documentation page](https://cloud.google.com/container-registry/docs/advanced-authentication). – kennysong Jul 21 '21 at 11:46

3 Answers3

6

This command automatically logs the Docker client in GCR:

docker-credential-gcr configure-docker

Sony
  • 221
  • 2
  • 8
1

In order to pull images from the Google Cloud Registry you need to use the relative gcloud command.

Note that if you use the standard Docker command line tool you will have to set up manually authorisation since it is not aware of Google permissions or what is a service account.

gcloud docker -- pull gcr.io/my-project/my-image

You can check the relative documentation here.

If your application can't use the gcloud command-line tool to authenticate to Google Container Registry, you can use docker login directly to authenticate. This allows the use of third-party continuous integration solutions and cluster management technology with Container Registry. You can check more info here.

GalloCedrone
  • 371
  • 1
  • 9
  • I think it is not needed, please see the quote from the doc. – Sony Mar 05 '18 at 14:55
  • I will try to replicate and check if it is possible, but I think that if you do not configure the instance you cannot simply run `docker` and having the authentication to the Google Registry working, as https://cloud.google.com/container-registry/docs/advanced-authentication shows – GalloCedrone Mar 05 '18 at 15:12
  • To use `gcloud` command it is the way the official documentation advise to follow: "We strongly recommend that you use the gcloud docker command to log in to Container Registry when possible. This provides secure, short-lived access to your project resources. These alternatives should only be used when required, and when the security implications are understood." – GalloCedrone Mar 05 '18 at 15:13
0

If you want to push an image to Container-Optimized OS you have just to check the [Deploy a container image to this VM instance] and put the path of your registry image {gcr.io/my-project/my-image} on the shown field when creating the COS instance. you can find more info here

Alioua
  • 381
  • 1
  • 8