Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
e
early-lunch-37616
11/30/2022, 6:48 PMHi everyone, I'm hoping someone can help me figure out a docker auth issue I'm having. Using Rancher Desktop with nerdctl I'm getting 403 auth errors when trying to pull images from GCR. I'm logged in with nerdctl and was able to pull images when using dockerCLI. Any ideas?
r
rapid-eye-50641
11/30/2022, 10:12 PMHi Josh, How do you login to GCR using nerdctl?
Also, do you need to be logged into pull from this registry?
e
early-lunch-37616
11/30/2022, 10:13 PMI didn't log in explicitly to GCR. I did
nerdctl logingcloud auth configure-docker <http://us-central1-docker.pkg.dev|us-central1-docker.pkg.dev>This works with the Docker CLI
r
rapid-eye-50641
11/30/2022, 10:16 PMis it possible for you to share the full
pulle
early-lunch-37616
11/30/2022, 10:17 PMOne sec, I switched back to docker cli earlier so I could unblock myself
nerdctl image pull <http://us-central1-docker.pkg.dev/[my-docker-image]|us-central1-docker.pkg.dev/[my-docker-image]> --debuglogs:
DEBU[0000] verification process skipped
DEBU[0000] Ignoring hosts dir "/etc/containerd/certs.d" error="stat /etc/containerd/certs.d: no such file or directory"
DEBU[0000] Ignoring hosts dir "/etc/docker/certs.d" error="stat /etc/docker/certs.d: no such file or directory"
DEBU[0000] The image will be unpacked for platform {"arm64" "linux" "" [] "v8"}, snapshotter "overlayfs".
DEBU[0000] fetching image="us-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10"
DEBU[0000] resolving host=us-central1-docker.pkg.dev
DEBU[0000] do request host=us-central1-docker.pkg.dev request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/1.6.0+unknown request.method=HEAD url="<https://us-central1-docker.pkg.dev/v2/activated-manage/ai/eve/manifests/base-v10>"
us-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10: resolving |--------------------------------------|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
DEBU[0000] fetch response received host=us-central1-docker.pkg.dev response.header.content-length=102 response.header.content-type=application/json response.header.date="Wed, 30 Nov 2022 22:20:43 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.www-authenticate="Bearer realm=\"<https://us-central1-docker.pkg.dev/v2/token>\",service=\"us-central1-docker.pkg.dev\",scope=\"repository:activated-manage/ai/eve:pull\"" response.header.x-content-type-options=nosniff response.header.x-frame-options=SAMEORIGIN response.header.x-xss-protection=0 response.status="401 Unauthorized" url="<https://us-central1-docker.pkg.dev/v2/activated-manage/ai/eve/manifests/base-v10>"
DEBU[0000] Unauthorized header="Bearer realm=\"<https://us-central1-docker.pkg.dev/v2/token>\",service=\"us-central1-docker.pkg.dev\",scope=\"repository:activated-manage/ai/eve:pull\"" host=us-central1-docker.pkg.dev
DEBU[0000] do request host=us-central1-docker.pkg.dev request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnus-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10: resolving |--------------------------------------|
elapsed: 0.2 s total: 0.0 B (0.0 B/s)
INFO[0000] trying next host error="failed to authorize: failed to fetch anonymous token: unexpected status from GET request to <https://us-central1-docker.pkg.dev/v2/token?scope=repository%3Aactivated-manage%2Fai%2Feve%3Apull&service=us-central1-docker.pkg.dev>: 403 Forbidden" host=us-central1-docker.pkg.dev
FATA[0000] failed to resolve reference "us-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to <https://us-central1-docker.pkg.dev/v2/token?scope=repository%3Aactivated-manage%2Fai%2Feve%3Apull&service=us-central1-docker.pkg.dev>: 403 Forbidden👍 1
r
rapid-eye-50641
11/30/2022, 10:24 PMlet me try few things from my end..
In general, if you have configured your
~/.docker/config.jsondocker loginnerdctl loginpushFor GCP, your
~/.docker/config.json{
"credsStore": "wincred",
"credHelpers": {
"us-central1-docker.pkg.dev": "gcloud"
}
}dockernerdctlgcloud auth login
gcloud auth activate-service-account <your-service-account-id>@<your-organization>.<http://iam.gserviceaccount.com|iam.gserviceaccount.com> --key-file=your-key-file.jsone
early-lunch-37616
11/30/2022, 10:32 PMThat makes sense in principle, but I'm not sure why it's not working for me. I assure you I'm authed into gcloud
And was able to pull the images just fine when using the dockercli
My config file looks like:
{
"auths": {
"<https://index.docker.io/v1/>": {}
},
"credsStore": "desktop",
"credHelpers": {
"us-central1-docker.pkg.dev": "gcloud"
}
}Any other ideas?
r
rapid-eye-50641
11/30/2022, 10:44 PMYour config file looks as expected to me.. I need to try few things myself before i can suggest something..
e
early-lunch-37616
11/30/2022, 10:46 PMOkay, I appreciate your help. I'm going to have to take off soon, will check in tomorrow.
👍 1
Hi there, I'm available if you have any other suggestions
r
rapid-eye-50641
12/01/2022, 7:11 PMHi, for some reason, my desktop environment is broke and couldn't investigate this.. Hopefully I get my env working again soon and I will continue the investigation.. Please hang in there.