How to pull private image from GCR during startup script?


Brian Wawok

May 13, 2017, 6:04:40 PM5/13/17
to gce-discussion
Tried about 30 combinations of the following, not having much luck. My best guess is something like:

1) Set up a default service account for the VM with access to GCR

2) Put an instance startup script something like

#!/bin/bash
METADATA=http://metadata.google.internal/computeMetadata/v1
SVC_ACCT=$METADATA/instance/service-accounts/default

# Ask the metadata server for an OAuth2 access token for the VM's default
# service account; the fourth "-delimited field of the JSON reply is the token.
ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' "$SVC_ACCT/token" | cut -d'"' -f 4)

docker login -u _token -p "$ACCESS_TOKEN" https://gcr.io
docker run -d gcr.io/<project id>/<app name>:<hash>

3) Start the instance


On CoreOS, nothing happens from my startup script (side note: how do I see startup script logs on Container OS?). But if I log in as myself, I can run the commands either as my user or as root, and they work (I assume startup scripts run as root).

On Container OS, nothing happens from my startup script. Running as myself works, but running as root fails (a "/root/.config is read-only" error).

I have also investigated routes with the gcloud command or the cloud-sdk gcloud docker image without success either.


Any ideas? I would prefer to get it to work on Container-OS, but if not then I guess I will take a solution for CoreOS.




Kamran (Google Cloud Support)

May 14, 2017, 7:12:18 PM5/14/17
to gce-discussion

Hello Brian,

As described in this document, the Chromium OS rootfs is mounted read-only. As such, running the "docker login" command will fail to create and store encoded credentials in the /root/.docker/config.json file. As a workaround, you can run your startup script as another user or as a sudoer (if it needs superuser permissions). Another method of configuring your instance when it boots up is to use cloud-init by setting the user-data metadata key. This approach is described in this article. This method is applicable to both COS and CoreOS VMs.

For seeing startup script logs you can use the following command:

sudo journalctl -u google-startup-scripts.service


I hope this helps.

Kamran (Google Cloud Support)

May 14, 2017, 7:15:40 PM5/14/17
to gce-discussion

For more information about Docker Engine credential stores please visit this article.

Sincerely,
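The startup script below is an added example written for this page, not code posted by either participant. It follows Kamran's diagnosis: on Container-Optimized OS the root filesystem is read-only, so instead of letting "docker login" write under /root/.docker it points the Docker CLI at a writable config directory through the DOCKER_CONFIG environment variable. Assumptions that the thread does not state: /var/lib is writable on the VM (it is on COS), the Docker CLI is new enough to support --password-stdin (17.07 and later), curl is installed, and the image name keeps the post's placeholders. Two further changes from the original post: the access token is fed to "docker login" on stdin rather than as a -p argument, so it does not appear in the process list or in the startup-script journal, and it is extracted from the metadata reply by key name rather than by field position, so the script keeps working if the JSON field order changes.

```shell
#!/bin/bash
# Added example for this thread (not from the original posters): pull a
# private gcr.io image from a GCE startup script on Container-Optimized OS.
set -eu

METADATA=http://metadata.google.internal/computeMetadata/v1
SVC_ACCT=$METADATA/instance/service-accounts/default
# Assumption: a root-only, writable directory for Docker's config.json.
# The rootfs (and therefore /root/.docker) is read-only on COS; /var/lib is not.
DOCKER_CONFIG_DIR=/var/lib/gcr-startup/.docker
# Placeholders kept exactly as in the post.
IMAGE='gcr.io/<project id>/<app name>:<hash>'

# Extract the "access_token" value from the metadata server's JSON reply,
# keyed by name so the field order does not matter. Prints nothing if the
# key is absent (for example on an error reply).
extract_access_token() {
  printf '%s\n' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# True only when the GCE metadata server answers with the Google header,
# i.e. when this script is really running on a GCE VM.
on_gce() {
  command -v curl >/dev/null 2>&1 || return 1
  curl -sf -m 2 -H 'Metadata-Flavor: Google' "$METADATA/instance/id" >/dev/null 2>&1
}

# Fetch a short-lived OAuth2 access token for the VM's default service account.
fetch_access_token() {
  local reply
  reply=$(curl -sf -H 'Metadata-Flavor: Google' "$SVC_ACCT/token")
  extract_access_token "$reply"
}

main() {
  mkdir -p "$DOCKER_CONFIG_DIR"
  chmod 700 "$DOCKER_CONFIG_DIR"
  # Docker reads and writes config.json under $DOCKER_CONFIG instead of ~/.docker.
  export DOCKER_CONFIG=$DOCKER_CONFIG_DIR

  local token
  token=$(fetch_access_token)
  [ -n "$token" ] || { echo "no access token from the metadata server" >&2; exit 1; }

  # The token goes over stdin, not argv, so it is not visible in `ps` or in
  # the google-startup-scripts journal.
  printf '%s' "$token" | docker login -u oauth2accesstoken --password-stdin https://gcr.io
  docker run -d "$IMAGE"
}

if on_gce && command -v docker >/dev/null 2>&1; then
  main
else
  echo "not on a GCE VM with docker available; skipping GCR login" >&2
fi
```

Because of the on_gce guard the script is a no-op off the VM, which makes extract_access_token easy to exercise locally with a constructed metadata reply before deploying. The username `oauth2accesstoken` is the one GCR's documentation gives for logging in with an OAuth2 access token; the original post used `_token`. The token from the metadata server expires after roughly an hour, so the stored login is only good for the pulls done at boot, which is all a startup script needs; and the service account only needs read access to the registry's storage, so do not grant it more than that.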