douzhi7451 2017-07-02 09:51
浏览 100

Google容器注册表Golang Moby身份验证

I'm using google container registry to host my docker images. I'm also using the moby client for golang to interact with it. I'm using the JSON service key approach which seems to work fine with RegistryLogin. The response text is Login Successful. However, I have no idea how to use the returned authentication key with ImagePull. Under the hood setting RegistryAuth appears to set whatever string passed as the X-Registry-Auth header, Google doesn't seem to mention this anywhere.

I've tried passing the returned key as RegistryAuth, I've tried running RegistryLogin and then just pulling without RegistryAuth. I've tried base64 encoding my auth config and sending that in RegistryAuth. No matter what I try I get "Error response from daemon: repository xxx not found: does not exist or no pull access". Running docker login and then docker pull with the same details works fine on cli. My code is:

authConfig := types.AuthConfig{
    Username:      "_json_key",
    Password:      string(decodedKey),
    ServerAddress: "https://gcr.io",
}

_, err = engine.Client.RegistryLogin(ctx, authConfig)
if err != nil {
    return err
}

responseBody, err := engine.Client.ImagePull(ctx, image, types.ImagePullOptions{
})
defer responseBody.Close()

if err != nil {
    return err
}

decodedKey is the JSON key file content. Any ideas how to get this to work?

  • 写回答

1条回答 默认 最新

  • duanjing7651 2018-12-31 03:53
    关注

    (I assume you've already figured it out or have figured out an alternative method, but I'll document it here for the next person)

    You need to marshal it to JSON, then base64 encode it. I haven't seen this documented anywhere except the code for the docker cli.

    Unfortunately, when I tried to include github.com/docker/cli/cli/command I got this error, due to the way the cli repo's vendor directory gets included in go's package source path:

    ./gcp.go:73:47: cannot use authc (type "github.com/docker/docker/api/types".AuthConfig)
as type "github.com/docker/cli/vendor/github.com/docker/docker/api/types".AuthConfig
in argument to command.EncodeAuthToBase64

    The Go compiler doesn't recognize that they are the same type, which is annoying. But it's simple enough to replicate the functionality:

    buf, _ = json.Marshal(authConfig)

regauth := base64.URLEncoding.EncodeToString(buf)

pullopts := types.ImagePullOptions{RegistryAuth:regauth}

responseBody, err := engine.Client.ImagePull(ctx, image, pullopts)

...

    *IMHO, a better implementation would be to have a types.RequestPrivilegeFunc in the pullopts that gets the access_token field from http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token on the fly. That way there's no app credentials to worry about securing. I haven't tried that yet, myself.

    Hopefully that helps, despite it being 18 months late. :)

    FWIW, Google support wasn't able to provide any information about this, and the gcr.io and docker documentation didn't provide much to go on, either. The solution was in getting the cli auth set up and then hacking a custom version of the docker cli tool so that I could see what was really going on.

    *EDIT: So I tried this but AFAICT the PrivilegeFunc function declared in PullOptions is never called. I have no idea why. Too bad, it seemed like a much cleaner solution. The procedural code above works for me, though.

    评论

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度