publish specific images in google container registry

Marat Komarov

unread,

Jan 26, 2017, 10:59:05 AM1/26/17

to gce-discussion

Hello everyone,

I need to publish several images in my container registry, while leave the rest as private. Previously I used custom registry bucket fo this. But they are officially deprecated, and starting from February 15th, 2017 no more supported by Google https://cloud.google.com/container-registry/docs/support/deprecation-notices

New access control guide only defines a way to publish the entire Docker registry https://cloud.google.com/container-registry/docs/access-control

Any thoughts, how to share individual image within a Docker registry?

Thanks,

Marat

Carlos (Cloud Platform Support)

unread,

Jan 26, 2017, 3:39:12 PM1/26/17

to gce-discussion

Hi Marat,

From what I read in the documentation what you are trying to achieve is possible. You will need to use the Cloud Storage commands to setup specific ACLs over the individual objects (images). Additional information can be found here.

Marat Komarov

unread,

Jan 31, 2017, 4:27:02 AM1/31/17

to gce-discussion

I've figured out how to do it.

The solution is not quite simple and requires reading image manifest file from GS and setting permissions for specific images.

Also you need to re-publish repository each time you "gcloud docker -- push" the new image.

For those, who need it:

Assuming $project is your GCE project name, and $repository is a single repository you want to share

1) Publish repository metadata

$ hash=$(gsutil cat gs://artifacts.$project.appspot.com/containers/repositories/library/$repository/tag_latest)

$ gsutil acl ch -u AllUsers:R gs://artifacts.$project.appspot.com/containers/repositories/library/$repository/tag_latest

$ gsutil acl ch -u AllUsers:R gs://artifacts.$project.appspot.com/containers/repositories/library/$repository/manifest_$hash

2) Publish image layers

$ gsutil cat gs://artifacts.$project.appspot.com/containers/repositories/library/$repository/manifest_$hash > manifest.json

$ hash=$(jq -r '.config.digest' manifest.json) && gsutil acl ch -u AllUsers:R gs://artifacts.$project.appspot.com/containers/images/$hash

$ for hash in $(jq -r '.layers[].digest' manifest.json); do gsutil acl ch -u AllUsers:R gs://artifacts.$project.appspot.com/containers/images/$hash; done

$ rm -f manifest.json

Regards,

Marat

Marat Komarov

unread,

Feb 13, 2017, 2:46:17 PM2/13/17

to gce-discussion

Now I need to list tags (using registry v2 api https://docs.docker.com/registry/spec/api/#/listing-image-tags)

And `GET /v2/$repository/tags/list` doesn't work with 403 even when I publish everything under gs://artifacts.$project.appspot.com/containers/repositories/library/$repository

curl https://gcr.io/v2/$project/$repository/tags/list

{"errors":[{"code":"DENIED","message":"Failed to read tags for host 'gcr.io', repository '/v2/$project/$repository/tags/list'"}]}

Any thoughts?

Reply all

Reply to author

Forward