从COS上运行的docker / compose容器访问私有的Google Container Registry

你想使用这个方法进行身份validation。

使用GCR的高级validation文档中的_json_key validation ，以下脚本是否工作？

docker run \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "$PWD:/rootfs/$PWD" \ -w="/rootfs/$PWD" \ docker/compose:1.14.0 \ /bin/bash -c "docker login -u _json_key -p $(cat keyfile.json) https://gcr.io; up"

我find的最佳解决scheme是在Docker主机上进行身份validation，然后将dockerconfiguration挂载到docker-compose容器中：

 docker login -u _json_key -p "$(cat keyfile.json)" https://gcr.io docker run \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /root/.docker:/root/.docker \ -v "$PWD:$PWD" \ -w="$PWD" \ docker/compose:1.14.0 \ up 

如果COS VM已被授权访问registry（例如，附加的服务帐户具有GCS视图访问托pipe映像的项目），则直接使用服务帐户JSON凭据的替代方法是运行/usr/share/google/dockercfg_update.sh COS附带的/usr/share/google/dockercfg_update.sh脚本：

 #!/bin/sh # Copyright 2015 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. set -eu AUTH_DATA="$(curl -s -f -m 10 "http://metadata/computeMetadata/v1/instance/service-accounts/default/token" \ -H "Metadata-Flavor: Google")" R=$? if [ ${R} -ne 0 ]; then echo "curl for auth token exited with status ${R}" >&2 exit ${R} fi AUTH="$(echo "${AUTH_DATA}" \ | tr -d '{}' \ | sed 's/,/\n/g' \ | awk -F ':' '/access_token/ { print "_token:" $2 }' \ | tr -d '"\n' \ | base64 -w 0)" if [ -z "${AUTH}" ]; then echo "Auth token not found in AUTH_DATA ${AUTH_DATA}" >&2 exit 1 fi D="${HOME}/.docker" mkdir -p "${D}" cat > "${D}/config.json" <<EOF { "auths":{ "https://container.cloud.google.com":{"auth": "${AUTH}"}, "https://gcr.io":{"auth": "${AUTH}"}, "https://b.gcr.io":{"auth": "${AUTH}"}, "https://us.gcr.io":{"auth": "${AUTH}"}, "https://eu.gcr.io":{"auth": "${AUTH}"}, "https://asia.gcr.io":{"auth": "${AUTH}"}, "https://beta.gcr.io":{"auth": "${AUTH}"} } } EOF 

这具有由Google维护的好处，并避免必须pipe理服务帐户凭证。