docker-credential-gcr: Unable to access Container Registry images despite running `docker-credential-gcr configure-docker` using docker-compose in Container Optimized OS

I am running Google’s container optimized OS, with the docker-compose tool as documented by https://cloud.google.com/community/tutorials/docker-compose-on-container-optimized-os (docker-compose runs in a container, accessed by an alias)

I am getting the issue referenced here: https://github.com/docker/compose/issues/4885, that is supposedly resolved.

I have already run the initialization command: docker-credential-gcr configure-docker

However, as per my comment there (https://github.com/docker/compose/issues/4885#issuecomment-337176639), I am unable to pull in container registry’s images via the aforementioned docker-compose alias. docker pull gcr.io/PROJECT_ID/IMAGE works though.

Any help would be greatly appreciated.

About this issue

  • State: open
  • Created 7 years ago
  • Reactions: 7
  • Comments: 19 (3 by maintainers)

Most upvoted comments

This might have to do with the difference between running it as your user, or having root run it. The Google Container Optimized OS has /root/ locked down as read only, but your /home/<your_user> is writable, so running commands as your user would put .docker/config.json into /home/<your_user>/.docker/config.json, whereas having some boot script run as root would try and write that into /root/.docker. I’m not sure this is your exact problem, but see if it is. I’m having an issue around this with Google’s Datalab using custom Docker images.

I managed to crack the case! I needed to use the devstorage.read_only scope for the service account. I’m using terraform so it was as simple as:

  # The resource name "cos_host" is a placeholder for whatever your instance is called
  resource "google_compute_instance" "cos_host" {
    # ...
    service_account {
      scopes = [
        "https://www.googleapis.com/auth/compute.readonly",
        # The next line was all I needed to add: read access to the GCS bucket
        # that backs gcr.io, which is what the instance's default credentials use
        "https://www.googleapis.com/auth/devstorage.read_only"
      ]
    }
  }

You can use a docker-compose container with docker-credential-gcr added to it, à la https://hub.docker.com/r/cryptopants/docker-compose-gcr

It’s a drop-in replacement for the containerized docker-compose suggested by COS docs, and can pull from private gcr.io seamlessly.

alias docker-compose='docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:$PWD" -w="$PWD" cryptopants/docker-compose-gcr'

I had the same issue as OP, I ended up with:

# jq -r prints the raw token; without -r the value keeps its surrounding quotes
# and the login silently uses the wrong password
SECRET="$(echo "https://gcr.io" | docker-credential-gcr get | jq -r '.Secret')"
# --password-stdin (Docker 17.07+) keeps the token out of `ps` and shell history
printf '%s' "${SECRET}" | docker login -u _token --password-stdin https://gcr.io
function docker-compose()
{
    docker run \
        -i --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v ~/.docker:/root/.docker \
        -v "$PWD:$PWD" -w "$PWD" \
        docker/compose:1.16.1 \
        "${@}"
}

Make sure the machine has access to jq. I’m not sure if this is a recommended or secure practice, but it’s working for me.

The problem is that Python 3 is not supported by the Google Cloud SDK. We need to use Python 2: install python2 and run the command below, then run the compose file. It worked for me.

export CLOUDSDK_PYTHON=python2

Did anyone try gcloud auth login?

Worked for me, I feel my kubectl setup deleted the creds.

I’ve been doing a docker pull for each file in the docker compose as suggested by ernsheong.

The following script will automate that:

PATH_TO_DOCKER_COMPOSE='./docker/docker-compose.yaml'

# Pull every image referenced in the compose file on the host, where the
# credential helper works, so the containerized docker-compose finds them locally.
# Matches "image:" at any indentation; build-only services have no image line.
grep -E '^[[:space:]]*image:' "$PATH_TO_DOCKER_COMPOSE" | while read -r line ; do
    IMAGE_NAME="${line#image:}"
    IMAGE_NAME="${IMAGE_NAME# }"
    docker pull "$IMAGE_NAME"
done

I’m on COS and also had similar problems. The documentation for COS makes it seem like it should be as simple as running 2 commands.

$ docker-credential-gcr configure-docker
$ docker run --rm gcr.io/<your-project>/<your-image>

The file gets created in ~/.docker/config.json. But I couldn’t pull the private image to run it. I can successfully pull public images.

After bashing my head against the wall for most of the day I tried the login command docker-credential-gcr gcr-login. After I followed those instructions I can now successfully pull images from the private registry. This doesn’t seem scriptable so I’m unsure how I should proceed with my infrastructure setup via Terraform. Any insight would be greatly appreciated.
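The two reports above (docker login plus mounting ~/.docker working, and configure-docker alone leaving a config.json that still cannot pull) differ in what that file contains. `docker-credential-gcr configure-docker` writes a credHelpers entry, which only works where the docker-credential-gcr binary is on PATH, and the docker/compose image does not ship it; `docker login` writes a static auths entry that travels with the mounted file. The following added example is not code from this thread or from either project: the function names and the sample config.json files are constructed here, and the auth value is a placeholder (base64 of `_token:placeholder`), not a real token.

```shell
#!/bin/sh
# Added example: classify how a Docker config.json authenticates to a registry.
# Output is one of: helper:<name>  (credHelpers entry, needs the helper binary
#                                   wherever the Docker client actually runs)
#                   auths          (static entry written by `docker login`)
#                   none           (no credentials for that registry)
registry_auth_mode() {
    config="$1"
    registry="${2:-gcr.io}"
    [ -f "$config" ] || { echo none; return 0; }
    # Flatten whitespace so the two top-level keys can be matched with sed/grep.
    # This is a heuristic for these keys, not a JSON parser.
    flat=$(tr -d ' \n\t' < "$config")
    helper=$(printf '%s' "$flat" \
        | sed -n 's/.*"credHelpers":{\([^}]*\)}.*/\1/p' \
        | tr ',' '\n' \
        | sed -n "s/^\"$registry\":\"\([^\"]*\)\".*/\1/p")
    if [ -n "$helper" ]; then
        # Docker consults credHelpers before auths for the same registry
        echo "helper:$helper"
    elif printf '%s' "$flat" | grep -qE "\"(https://)?$registry\":\{\"auth\":\""; then
        echo auths
    else
        echo none
    fi
}

# True when docker-credential-<name> can be executed from this shell.
# Run this inside the docker/compose container to see why configure-docker
# alone is not enough there.
helper_runnable() {
    command -v "docker-credential-$1" >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: what `docker-credential-gcr configure-docker` leaves behind
cat > "$SAMPLE_DIR/helper.json" <<'EOF'
{
  "credHelpers": {
    "gcr.io": "gcr",
    "us.gcr.io": "gcr"
  }
}
EOF

# Constructed sample: what `docker login -u _token ... https://gcr.io` leaves behind
# (placeholder auth value, base64 of "_token:placeholder")
cat > "$SAMPLE_DIR/login.json" <<'EOF'
{
  "auths": {
    "https://gcr.io": {
      "auth": "X3Rva2VuOnBsYWNlaG9sZGVy"
    }
  }
}
EOF

for f in helper login; do
    printf '%s: %s\n' "$f.json" "$(registry_auth_mode "$SAMPLE_DIR/$f.json")"
done
```

Run it against a real ~/.docker/config.json to see which case you are in. A helper entry means the helper must exist in the image that runs compose (what the cryptopants image mentioned earlier provides); an auths entry only needs ~/.docker mounted, but it is a bearer credential stored as base64 on disk, so keep the file 0600, and since the token docker-credential-gcr hands out is a short-lived OAuth access token, the login has to be repeated once it expires.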