I have a service account and key json file contents in my process. Trying to spawn "docker gcr.io/my-project/my-image" to upload images to container registry.
I tried docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME] from Advanced Authentication tutorial, which returns success during login, but still docker push returns error:
You do not currently have an active account selected.
Please run:
$ gcloud auth login
Ideally, I would like to trigger docker push without configuring gcloud SDK. Also would not want to store key json contents to a file. I'd like to keep it in process memory.
The correct command to run for docker clients 18.03 and newer is gcloud auth configure-docker.
If you read the fine print for your command docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME] it mentions for older Docker clients e.g. several years old. This is not the correct command to run today.
With the constant improvements, new features, Kubernetes, etc. you do not want to be running old commands or configurations.
gcloud auth configure-docker
Related
I'm trying to set-up a Cloud SQL Auth proxy with a Cloud SQL for MySQL instance.
I'm following this guide but without success.
so I'm creating a new VM instance. Once it has been created I'm running the following command in the cloud shell
gcloud beta compute ssh --zone "europe-west2-c" "nameinstance" --tunnel-through-iap --project "my_project"
From what I understand this allow me to connect to my instance. Then I'm running the following command:
docker pull gcr.io/cloudsql-docker/gce-proxy:1.19.1
all good. then I'm kind of lost as when entering gcloud sql instances describe Cloud_SQL_instance_name I got the following error gcloud: command not found
and when entering docker run -d \\ -p 127.0.0.1:3306:3306 \\ gcr.io/cloudsql-docker/gce-proxy:1.19.1 /cloud_sql_proxy \\ -instances=sql_connection_name=tcp:0.0.0.0:3306 I have the following error docker: invalid reference format.
Ultimately, and if I'm right, I should be able to execute successfully the following command mysql -u USERNAME -p --host 127.0.0.1
Container Optimized OS (or COS) target is simple: run containers. That's all. All the other capacity of linux have been deactivated, to keep the kernel small, to reduce the attack surface, and to limit the point of failure (with third party binaries, like gcloud).
Thus, run container with docker (or docker-containerd).
# interactive mode
docker run -ti google/cloud-sdk:latest gcloud version
# Script mode
docker run --entrypoint gcloud google/cloud-sdk:latest version
It works as is in startup script. If you log into the VM and want to run these commands, add a sudo before to have the permission to run the binaries.
So, you will be able to run Cloud SQL proxy in a container, Gcloud in a container, and also MySQL client in a container. Forget the fact to run something without container (and docker run command). And think also to redirect the port correct when you run your containers.
In OpenShift, I want to deploy application by using docker image which its location is on the private docker registry. To do this I have written the following command from terminal by using OpenShift Container Platform Command Line Interface (oc CLI)
oc new-app --docker-image=myregistry.com/mycompany/myimage --name=private --insecure-registry=true
I received an error which type is 407 proxy authentication when I run the above command. Because, To pull the image from my private registry need to authentication. I have a secret for this authentication, too, but I don't know how can add the secret to above command.
Could you help me, please? or another way ...
Finally, I could have solved. The problem is lack of steps while creating secret for private docker registry. The all steps are:
1) If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:
$ oc create secret docker-registry <pull_secret_name> \
--docker-server=<registry_server> \
--docker-username=<user_name> \
--docker-password=<password> \
--docker-email=<email>
2) To use a secret for pulling images for Pods, you must add the secret to your service account:
$ oc secrets link default <pull_secret_name> --for=pull
3) To use a secret for pushing and pulling build images, the secret must be mountable inside of a Pod. You can do this by running:
$ oc secrets link builder <pull_secret_name>
https://docs.openshift.com/container-platform/4.1/openshift_images/managing-images/using-image-pull-secrets.html
As per the documentation, monitoring is shipped with OKD.
OKD ships with a pre-configured and self-updating monitoring stack that is based on the Prometheus open source project and its wider eco-system. It provides monitoring of cluster components and ships with a set of alerts to immediately notify the cluster administrator about any occurring problems and a set of Grafana dashboards.
Further, as per the documentation, this command should show links for various monitoring tools. oc -n openshift-monitoring get routes
When I run the oc command with system user, I get a message as: No resources found.
The installation does not go through.
git clone https://github.com/openshift/cluster-monitoring-operator
cd cluster-monitoring-operator
oc apply -f manifests/
Error messages:
namespace "openshift-monitoring" created
serviceaccount "cluster-monitoring-operator" created
unable to decode "manifests/0000_50_cluster_monitoring_operator_02-role.yaml": no kind "ClusterRole" is registered for version "rbac.authorization.k8s.io/v1beta1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_03-role-binding.yaml": no kind "ClusterRoleBinding" is registered for version "rbac.authorization.k8s.io/v1beta1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_04-deployment.yaml": no kind "Deployment" is registered for version "apps/v1"
unable to decode "manifests/0000_50_cluster_monitoring_operator_05-clusteroperator.yaml": no kind "ClusterOperator" is registered for version "config.openshift.io/v1"
unable to decode "manifests/0000_90_cluster_monitoring_operator_00-operatorgroup.yaml": no kind "OperatorGroup" is registered for version "operators.coreos.com/v1"
So, how do we enable monitoring with minishift?
You can follow this to install prometheus in minishift:
https://github.com/minishift/minishift-addons/tree/master/add-ons/prometheus
Be sure that you login as admin. If you encounter problem to login as admin, you can follow these steps:
minishift ssh
[docker#example ~]$ sudo su
[root#example ~]# export KUBECONFIG=/var/lib/minishift/base/openshift-apiserver/admin.kubeconfig PATH="$PATH:/var/lib/minishift/bin"
[root#example ~]# oc adm policy add-cluster-role-to-user cluster-admin admin
[root#example ~]# exit
[docker#example ~]$ exit
oc login -u admin -p admin
oc whoami
You will see you login as admin.
When I enter the command to apply the prometheus, I encountered this problem:
minishift addons apply prometheus --addon-env namespace=kube-system
-- Applying addon 'prometheus':.Error applying the add-on: Error executing command 'oc new-app -f prometheus.yaml -p NAMESPACE=#{namespace} -n #{namespace}'.
Solution:
login Minishift as admin using "oc login -u admin -p admin".
go to the namespace "kube-system" by "oc project kube-system".
click on "Add to project" -> "import YAML/JSON".
clone the prometheus addon in your local machine from https://github.com/minishift/minishift-addons.git
import the ../minishift-addons/add-ons/prometheus/prometheus.yml into the "kube-system" namespace.
Afterwards, the prometheus will be deployed.
You can access the prometheus graph UI: https://prometheus-kube-system.$minishift-host-ip-address.nip.io.
When I push Docker image into OpenShift registry, is it private? Looking into About page in my OpenShift console, it says I can push to registry.rh-us-east-1.openshift.com registry. When I log in, I can nicely push:
oc whoami -t # to get token
docker login -u <username> -p <token> registry.rh-us-east-1.openshift.com
docker tag xyz registry.rh-us-east-1.openshift.com/xyz/xyz
docker push registry.rh-us-east-1.openshift.com/xyz/xyz
And the question is: if I do not share mine username/token with anybody, is the image in that registry private (i.e. can not be accessed by anybody else except for my OpenShift Online account)?
Correct, it will only be visible to you as a user when you log into the image registry using docker login and to the service accounts in your OpenShift project which need to be able to pull the image from the image registry to deploy it.
I am using the Openshift Online platform. I am trying to build a custom docker image locally (on my mac) and push it to the registry of my project on Openshift online.
I am unable to do that. Can someone please advise what the registry URL should be?
I have tried using the following:
registry.starter-us-east-1.openshift.com
registry.access.redhat.com
The full command I am trying to use to login is below however I am not getting a response. The screen just waits.
docker login -u username -e any_email_address -p token_value registry_service_host:port
My intent, after completing above, is to then try and push the image that I have built locally.
Any advice on the above or else alternate approaches would be appreciated. Thank you.
For to discover Openshift Online URL registry, use the following steps bellow:
After you clicked "Copy Login Command" buttom, you copy oc login command;
Run oc login command in the terminal;
Afterwards login, run oc registry info in the terminal.
The registry is at --> registry.<cluster-id>.openshift.com.
For starter tier US East region, the cluster id is --> starter-us-east-1.
So, the registry can be found at --> registry.starter-us-east-1.openshift.com.
Once you know the docker registry endpoint, you can follow the instructions at:
https://docs.openshift.com/online/dev_guide/managing_images.html#accessing-the-internal-registry
to login and pull/push images from/to the registry.
In short, use:
docker login -u `oc whoami` -e `oc whoami` -p `oc whoami -t` \
https://registry.starter-us-east-1.openshift.com
For future reference, the details for accessing the registry will appear in the About page from the help drop down menu, albeit right now for Online that change hasn't managed to propogate into production, although already visible in newer versions of OpenShift.
The OpenShift internal registry is used internally by default to import images from external repositories. If you need to use it as a repository to pull and push images from your machine, you have to run the following command to allow the default route.
oc patch config.imageregistry cluster -n openshift-image-registry --type merge -p '{"spec": {"defaultRoute": true}}'
Then run
oc get route -n openshift-image-registry
to find the registry URL.
When pushing an image, use the following way to push it to the required project.
[URL]/[project]/[image]:[tag]
To login using docker or podman.
TOKEN = $(oc whoami -t)
podman login -u anything -p ${TOKEN} [URL]