https://rancher.com/ logo
#rancher-desktop
Title
# rancher-desktop
e

early-lunch-37616

11/30/2022, 6:48 PM
Hi everyone, I'm hoping someone can help me figure out a docker auth issue I'm having. Using Rancher Desktop with nerdctl I'm getting 403 auth errors when trying to pull images from GCR. I'm logged in with nerdctl and was able to pull images when using dockerCLI. Any ideas?
r

rapid-eye-50641

11/30/2022, 10:12 PM
Hi Josh, How do you login to GCR using nerdctl?
Also, do you need to be logged into pull from this registry?
e

early-lunch-37616

11/30/2022, 10:13 PM
I didn't log in explicitly to GCR. I did
nerdctl login
and then
gcloud auth configure-docker <http://us-central1-docker.pkg.dev|us-central1-docker.pkg.dev>
This works with the Docker CLI
r

rapid-eye-50641

11/30/2022, 10:16 PM
is it possible for you to share the full
pull
command?
e

early-lunch-37616

11/30/2022, 10:17 PM
One sec, I switched back to docker cli earlier so I could unblock myself
nerdctl image pull <http://us-central1-docker.pkg.dev/[my-docker-image]|us-central1-docker.pkg.dev/[my-docker-image]> --debug
logs:
Copy code
DEBU[0000] verification process skipped                 
DEBU[0000] Ignoring hosts dir "/etc/containerd/certs.d"  error="stat /etc/containerd/certs.d: no such file or directory"
DEBU[0000] Ignoring hosts dir "/etc/docker/certs.d"      error="stat /etc/docker/certs.d: no such file or directory"
DEBU[0000] The image will be unpacked for platform {"arm64" "linux" "" [] "v8"}, snapshotter "overlayfs". 
DEBU[0000] fetching                                      image="us-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10"
DEBU[0000] resolving                                     host=us-central1-docker.pkg.dev
DEBU[0000] do request                                    host=us-central1-docker.pkg.dev request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/1.6.0+unknown request.method=HEAD url="<https://us-central1-docker.pkg.dev/v2/activated-manage/ai/eve/manifests/base-v10>"
us-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10: resolving      |--------------------------------------| 
elapsed: 0.1 s                                               total:   0.0 B (0.0 B/s)                                         
DEBU[0000] fetch response received                       host=us-central1-docker.pkg.dev response.header.content-length=102 response.header.content-type=application/json response.header.date="Wed, 30 Nov 2022 22:20:43 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.www-authenticate="Bearer realm=\"<https://us-central1-docker.pkg.dev/v2/token>\",service=\"us-central1-docker.pkg.dev\",scope=\"repository:activated-manage/ai/eve:pull\"" response.header.x-content-type-options=nosniff response.header.x-frame-options=SAMEORIGIN response.header.x-xss-protection=0 response.status="401 Unauthorized" url="<https://us-central1-docker.pkg.dev/v2/activated-manage/ai/eve/manifests/base-v10>"
DEBU[0000] Unauthorized                                  header="Bearer realm=\"<https://us-central1-docker.pkg.dev/v2/token>\",service=\"us-central1-docker.pkg.dev\",scope=\"repository:activated-manage/ai/eve:pull\"" host=us-central1-docker.pkg.dev
DEBU[0000] do request                                    host=us-central1-docker.pkg.dev request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnus-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10: resolving      |--------------------------------------| 
elapsed: 0.2 s                                               total:   0.0 B (0.0 B/s)                                         
INFO[0000] trying next host                              error="failed to authorize: failed to fetch anonymous token: unexpected status from GET request to <https://us-central1-docker.pkg.dev/v2/token?scope=repository%3Aactivated-manage%2Fai%2Feve%3Apull&service=us-central1-docker.pkg.dev>: 403 Forbidden" host=us-central1-docker.pkg.dev
FATA[0000] failed to resolve reference "us-central1-docker.pkg.dev/activated-manage/ai/eve:base-v10": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to <https://us-central1-docker.pkg.dev/v2/token?scope=repository%3Aactivated-manage%2Fai%2Feve%3Apull&service=us-central1-docker.pkg.dev>: 403 Forbidden
👍 1
r

rapid-eye-50641

11/30/2022, 10:24 PM
let me try few things from my end..
In general, if you have configured your
~/.docker/config.json
to use credential helpers then there's no need to explicitly login using
docker login
or
nerdctl login
.. You can directly execute commands such as
push
that need authentication .. and the CLI in the background makes use of the credential helpers to get the login token and perform the operations..
For GCP, your
~/.docker/config.json
could look something like..
Copy code
{
  "credsStore": "wincred",
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud"
  }
}
... and you can then authenticate with GCP using below commands before running any
docker
or
nerdctl
commands that need authentication..
Copy code
gcloud auth login
gcloud auth activate-service-account  <your-service-account-id>@<your-organization>.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>  --key-file=your-key-file.json
e

early-lunch-37616

11/30/2022, 10:32 PM
That makes sense in principle, but I'm not sure why it's not working for me. I assure you I'm authed into gcloud
And was able to pull the images just fine when using the dockercli
My config file looks like:
Copy code
{
  "auths": {
    "<https://index.docker.io/v1/>": {}
  },
  "credsStore": "desktop",
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud"
  }
}
Any other ideas?
r

rapid-eye-50641

11/30/2022, 10:44 PM
Your config file looks as expected to me.. I need to try few things myself before i can suggest something..
e

early-lunch-37616

11/30/2022, 10:46 PM
Okay, I appreciate your help. I'm going to have to take off soon, will check in tomorrow.
👍 1
Hi there, I'm available if you have any other suggestions
r

rapid-eye-50641

12/01/2022, 7:11 PM
Hi, for some reason, my desktop environment is broke and couldn't investigate this.. Hopefully I get my env working again soon and I will continue the investigation.. Please hang in there.
30 Views