Why am I unable to push docker image in gce (gcr.io)?
Problem
I created a new VM instance on my GCE compute engine (I have Owner permissions). On that instance, I installed git, docker, and gcloud - everything is done under sudo su. I was hoping I can use that VM instance to deploy images to GCR, but whatever I do - I cannot seem to have sufficient permissions to push the images from that instance.
- I granted "Storage Admin" along with the "Editor" permissions to the VM Instance (autogenerated) IAM service-account.
- When I run docker login eu.gcr.io I receive Login Succeeded with no problems.
- I copied both a p12 key and a .json key to the .ssh folder (I generated them on the IAM console) - but that had no use too.
- To tag and push the docker image, I use this:
docker tag [SOURCE_IMAGE] [HOSTNAME]/[PROJECT-ID]/[IMAGE]
and
docker push [HOSTNAME]/[PROJECT-ID]/[IMAGE]
Notice: It seems that at this stage (2018) gcloud docker -- push is obsolete (and it didn't work for me as well...)
Notice: The bucket is NOT created yet, so setting permissions on the Storage console is out of the question at this point.
What could be the reason for the Permission Denied problem?
Solution
From the Before you begin section of the instructions you referenced:
Make sure that you:
- Have access to the registries which you will be pushing to and pulling from
This is specified in more details in Using Container Registry with Google Cloud Platform:
To push private Docker images from a Compute Engine instance, your
instance must have
read-write or full-control permission to the image's bucket.
So the GCS bucket corresponding to gcr.io (or whichever GCR domain you want to use) and the desired cloud project must already be created and your GCE instance's service account must have the necessary role/permissions for push operations.
It's true, the instructions you referenced mention in Push the tagged image to Container Registry:
When you push an image to a registry with a new hostname, Container
Registry creates a storage bucket in the specified multi-regional
location.
So I believe you'd have to:
- first create the bucket by executing a push to the desired GCR domain and project, but:
- from your own computer (or some machine which is not a GCE instance, but YMMV)
- using the credentials of an acceptable identity, not the GCE instance service account's ones. I'd try with a real user credentials, I'm not sure if a service account's ones would cut it.
- after the bucket is created add to its access control the GCE instance service account's role/permissions for push operations
- then perform pushes from the GCE instance
Context
StackExchange DevOps Q#5215, answer score: 1
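The last steps of the procedure above, as an added shell example that is not part of the original answer: it derives the bucket behind a registry hostname, builds the gsutil grant for the instance's service account, and checks whether the instance's access scopes allow storage writes. The project ID, the service-account e-mail and the objectAdmin role are assumptions, as is reading the quoted read-write or full-control requirement as the instance's storage access scopes.

```shell
#!/bin/sh
# Added example (not from the original post). The project ID and the
# service-account e-mail used below are constructed placeholders.

# Registry hostname -> name of the backing GCS bucket.
gcr_bucket() {
    case "$1" in
        gcr.io) prefix="" ;;
        us.gcr.io|eu.gcr.io|asia.gcr.io) prefix="${1%.gcr.io}." ;;
        *) echo "unknown registry host: $1" >&2; return 1 ;;
    esac
    printf '%sartifacts.%s.appspot.com\n' "$prefix" "$2"
}

# Build (do not run) the bucket-level grant for the instance service account.
# The role defaults to objectAdmin, an assumption; pass another as argument 4.
grant_push_cmd() {
    bucket=$(gcr_bucket "$1" "$2") || return 1
    printf 'gsutil iam ch serviceAccount:%s:%s gs://%s\n' \
        "$3" "${4:-objectAdmin}" "$bucket"
}

# Read the instance's OAuth scopes (one URL per line) on stdin and succeed
# only if one of them allows writing to Cloud Storage.
has_storage_write_scope() {
    grep -Eq '/auth/(devstorage\.(read_write|full_control)|cloud-platform)$'
}

# On the instance itself, the scopes come from the metadata server.
instance_scopes() {
    curl -s -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Dry run with constructed values: print the command a project owner would
# run once the first push has created the bucket.
grant_push_cmd eu.gcr.io my-project \
    123456789-compute@developer.gserviceaccount.com
```

On the VM, `instance_scopes | has_storage_write_scope` reports whether the instance can write to storage at all; a read-only storage scope blocks the push even when the service account holds the role.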