compose: Docker Compose fails to pull from private registry when using credential helper
Docker seems to authenticate and pull images fine, but docker-compose fails. The docker container URLs below have been redacted. This issue seems to be present in versions 1.13.0 and 1.14.0rc1.
$ docker pull us.gcr.io//mysql:latest
latest: Pulling from /mysql
10a267c67f42: Already exists
c2dcc7bb2a88: Pull complete
17e7a0445698: Pull complete
9a61839a176f: Pull complete
a1033d2f1825: Pull complete
0d6792140dcc: Pull complete
cd3adf03d6e6: Pull complete
d79d216fd92b: Pull complete
b3c25bdeb4f4: Pull complete
02556e8f331f: Pull complete
4bed508a9e77: Pull complete
47cc4a3f7009: Pull complete
Digest: sha256:b899cae2e17184411adde639bd61ba808ada6d01514213c5569862c88a8d5649
Status: Downloaded newer image for us.gcr.io//mysql:latest
$ docker-compose pull
Pulling mysql (us.gcr.io//mysql:latest)...
ERROR: repository us.gcr.io//mysql not found: does not exist or no pull access
$ docker-compose --verbose pull
...
compose.cli.verbose_proxy.proxy_callable: docker inspect_image <- ('us.gcr.io//mysql:latest')
compose.service.pull: Pulling mysql (us.gcr.io//mysql:latest)...
compose.cli.verbose_proxy.proxy_callable: docker pull <- ('us.gcr.io//mysql', tag='latest', stream=True)
docker.auth.get_config_header: Looking for auth config
docker.auth.resolve_authconfig: Looking for auth entry for 'us.gcr.io'
docker.auth.resolve_authconfig: No entry found
docker.auth.get_config_header: No auth config found
ERROR: compose.cli.errors.log_api_error: repository us.gcr.io//mysql not found: does not exist or no pull access
$ cat ~/.docker/config.json
{
  "auths": {},
  "credHelpers": {
    "appengine.gcr.io": "gcr",
    "asia.gcr.io": "gcr",
    "b.gcr.io": "gcr",
    "beta.gcr.io": "gcr",
    "bucket.gcr.io": "gcr",
    "eu.gcr.io": "gcr",
    "gcr.io": "gcr",
    "gcr.kubernetes.io": "gcr",
    "us.gcr.io": "gcr",
    "mirror.gcr.io": "gcr"
  }
}
About this issue
- State: closed
- Created 7 years ago
- Reactions: 2
- Comments: 22
will create short-lived access for ['gcr.io', 'us.gcr.io', 'eu.gcr.io', 'asia.gcr.io', 'staging-k8s.gcr.io', 'k8s.gcr.io'] and will make your docker-compose work.

It’s quite funny, because this command is run if you try to pull a docker image through gcloud docker -- pull, and makes your docker-compose work magically 😄 Spent some time on figuring this out…

Thanks! We do have an implementation for credential helpers support, but it seems it is outdated. Can you follow the instructions at the end of the README and check that it works?

I’ve run docker-credential-gcr configure-docker with docker version 17.03.2-ce but I am still getting the error after running docker-compose 1.16.1:

Running docker pull gcr.io/$PROJECT_ID/$IMAGE_NAME works just fine.

Contents of ~/.docker/config.json (default, not edited):

I have to add that this docker-compose runs as an alias with the following command as found in https://cloud.google.com/community/tutorials/docker-compose-on-container-optimized-os:

Any idea what is missing here would be greatly appreciated.

works for me on docker-compose 1.16.1 after running

I’ve been using docker compose with GCR pulls for a while in CI nodes. What I had to do to get it working was:

- At image creation ensure docker-credential-gcr is installed and the project is set.
- Activate a service account and perform a docker-credential-gcr configure-docker

I needed to use a generated service account json because I was not able to complete the procedure with the default credentials.

Once all configured I had to do a docker login and then docker-compose was able to pull from a private GCR repo.

The last step must be repeated before attempting any interaction with GCR; once logged in, it will work until the server is restarted.

This worked for me, not sure if it is the best option.

@shin- @ilyaBV was this fixed in the 1.15 release? I can confirm that it’s still broken in 1.16 (and has to be fixed using the hack @ilyaBV mentioned above). Would like to re-open this.

I’ve updated my config file to resemble the old style:

After doing that docker-compose pull and docker pull work, so this functions as a workaround and confirms that only the old credential helper method is supported.
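
Added example, not part of the thread and not Compose's or docker-py's code: a small checker that reports which key of ~/.docker/config.json would supply credentials for a registry, and which registries fall through to "No entry found" (as in the verbose log above) for a client that does not read credHelpers. The function names, the `understood` parameter and the trimmed sample config are assumptions, and the lookup order is a simplified model of the Docker CLI's.

```python
import json

# Constructed sample mirroring the config.json in the report (trimmed to two hosts).
SAMPLE_CONFIG = json.loads("""
{
  "auths": {},
  "credHelpers": {"us.gcr.io": "gcr", "gcr.io": "gcr"}
}
""")

ALL_KEYS = ("credHelpers", "credsStore", "auths")


def resolve(config, registry, understood=ALL_KEYS):
    """Return (source, detail) describing where credentials for `registry`
    would come from, for a client that only reads the keys in `understood`.

    Simplified model: a per-registry credHelpers entry wins, then the
    global credsStore, then a static entry under auths.
    """
    if "credHelpers" in understood:
        helper = config.get("credHelpers", {}).get(registry)
        if helper:
            # Helper binaries are named docker-credential-<name>.
            return ("credHelpers", "docker-credential-" + helper)
    if "credsStore" in understood and config.get("credsStore"):
        return ("credsStore", "docker-credential-" + config["credsStore"])
    if "auths" in understood and registry in config.get("auths", {}):
        return ("auths", registry)
    return ("none", None)


def ignored_helpers(config, understood):
    """Registries that resolve for a full client but not for this one."""
    return sorted(
        reg for reg in config.get("credHelpers", {})
        if resolve(config, reg, ALL_KEYS)[0] != "none"
        and resolve(config, reg, understood)[0] == "none"
    )


if __name__ == "__main__":
    legacy = ("credsStore", "auths")  # hypothetical client without credHelpers support
    print(resolve(SAMPLE_CONFIG, "us.gcr.io"))
    print(resolve(SAMPLE_CONFIG, "us.gcr.io", legacy))
    print(ignored_helpers(SAMPLE_CONFIG, legacy))
```

Running it against a real config file (load it with `json.load`) before a CI pull shows whether the failure is a missing credential or a client that ignores the key the credential is registered under.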