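I am trying to write an ansible role that first does a docker login before pulling an image from the container registry onto a GCE instance. I need to do this because of the issue mentioned here (https://stackoverflow.com/questions/57259054/creating-a-docker-ready-compute-engine-capable-of-pulling-from-container-registr).
First I tried the code block below: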
- name: Docker Login
  docker_login:
    registry: https://eu.gcr.io
    username: _json_key
    debug: true
    password: "{{ lookup('file', 'pulse-psg-863d9955d8a1.json')}}"
The error I get is (private key modified):
fatal: [en1-a-sftp-delivery-0]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_version": null,
"cacert_path": null,
"cert_path": null,
"config_path": "~/.docker/config.json",
"debug": true,
"docker_host": null,
"email": null,
"filter_logger": false,
"key_path": null,
"password": "{'private_key': '-----BEGIN PRIVATE KEY-----\\vU5K1MuTpTQGEzg\\nuywOlHw7ZLEj4u65vxrnzpiCOw6Pu7IVZq9R2JPhAoGAFnpxIA4RxuB7cRIOU6EY\\naqBaHT73gmw8ulCHYSUWw+/P9ZquFjsnF8p7hzZ8pCOMSUwaLCQaDfqZvfcEoMqI\\naz9cOJdyjsZjOb1DLd2YtLCUNWldu5Nmh621L51bNh+clYpiSwOnD+ZhN5jrkIK9\\nleeCdUVeg71+h2gzKJGHJBU=\\n-----END PRIVATE KEY-----\\n', 'private_key_id': '********', 'token_uri': '********', 'auth_provider_x509_cert_url': '********', 'auth_uri': '********', 'client_email': '********', 'client_id': '********', 'project_id': '********', 'type': '********', 'client_x509_cert_url': '********'}",
"reauthorize": false,
"registry": "https://eu.gcr.io",
"registry_url": "https://eu.gcr.io",
"ssl_version": null,
"state": "present",
"timeout": null,
"tls": null,
"tls_hostname": null,
"tls_verify": null,
"username": "_json_key"
}
},
"msg": "Logging into https://eu.gcr.io for user _json_key failed - 500 Server Error: Internal Server Error (\"{\"message\":\"Get https://eu.gcr.io/v2/: unknown: Unable to parse json key.\"}\")"
}
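I can't for the life of me get it to parse the private key. I suspect it has something to do with the asterisk characters (I don't know whether that is just masking in the debug output or whether those are the characters that are then sent) or the \n characters.
So I tried logging into the GCE machine and running the command from the command line, as shown in the second answer here (https://stackoverflow.com/questions/29291576/access-google-container-registry-without-the-gcloud-client). So first I scp'd the key file onto the machine and then: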
JSON_KEY=$(cat keyfile.json)
sudo docker login -u _json_key -p "$JSON_KEY" https://gcr.io
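This gave some warnings, but I was able to log in and pull the image after this. My conclusion was that it was a problem with the docker login ansible module, so I decided to try using a shell command instead. So: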
- name: Docker Login using shell
  shell: docker login -u _json_key -p "{{ lookup('file', 'keyfile.json') | replace('\n', '')}}" http://eu.gcr.io
This was also unsuccessful:
snip
"module_args": {
"_raw_params": "docker login -u _json_key -p \"{\n \"type\": \"service_account\",\n \"project_id\": \"id\",\n \"private_key_id\": \"863d9955d8a1e5e04a15b36ef80a787bc2\",\n \"private_key\": \"-----BEGIN PRIVATE KEY-----MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2Z7c33lnCQDXFssGvg0t9xi9Aqk6x4cazQPUJ8j0Y+qWDBPL+ShHNSZwVykmAugC51KKInm5ik4IWTA5ict3VBRnWiutdxQK++icZ2yCuFlPMDFp2g2GQ4wl8bH1X3AtWgHO/nSWD3Rle7M/p9CUJq3K1EA07H9GKBJZmfGaoc4HA+OG8/j2Q7i8KmG9pFjKOAlQsHPdKKZqn4YeHPOTmARJgxw6PXbchAp+nPA7f7hpbmaK3XRNRxuB7cRIOU6EYaqBaHT73gmw8ulCHYSUWw+/P9ZquFjsnF8p7hzZ8pCOMSUwaLCQaDfqZvfcEoMqIaz9cOJdyjsZjOb1DLd2YtLCUNWldu5Nmh621L51bNh+clYpiSwOnD+ZhN5jrkIK9leeCdUVeg71+h2gzKJGHJBU=-----END PRIVATE KEY-----\",\n \"client_email\": \"[email protected]\",\n \"client_id\": \"1115155168041\",\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/879255832886-compute%40developer.gserviceaccount.com\"\n}\" http://eu.gcr.io",
"_uses_shell": true,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"warn": true
}
msg": "non-zero return code",
"rc": 1,
"start": "2019-07-29 18:31:55.246592",
"stderr": "\"docker login\" requires at most 1 argument.\nSee 'docker login --help'.\n\nUsage: docker login [OPTIONS] [SERVER]\n\nLog in to a Docker registry",
"stderr_lines": [
"\"docker login\" requires at most 1 argument.",
"See 'docker login --help'.",
"",
"Usage: docker login [OPTIONS] [SERVER]",
"",
"Log in to a Docker registry"
],
SNIP
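Again I suspect this is because it doesn't like the format of the key, but this time it is the docker login command rather than the remote server, which at least gets sent the key (as in the previous case). In both cases the challenge seems to be getting the key, as stored in JSON format in the file, transmitted without any extra characters, as happens when referencing the environment variable when running the command directly on the command line.
I've spent the best part of 3 days trying to automate having a GCE instance up and working with docker, which should be a fairly simple thing to do.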
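
The two failures described in the post, reproduced offline as an added example (not part of the original post and not Ansible's or Docker's code): the debug output shows the password in single-quoted Python dict syntax, which is not JSON, and the unescaped double quotes inside the key end the shell's -p string early so that extra words reach docker login. The key text, the function names and the stdin variant are constructed for illustration.

```python
import json
import shlex

# Constructed stand-in for a service-account key file (not a real key).
KEY_TEXT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
}, indent=2)


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def as_python_repr(text):
    """Key parsed into a dict and rendered with str(): the single-quoted
    form seen in the docker_login debug output, which is not JSON."""
    return str(json.loads(text))


def shell_argv(password, quote=False):
    """Splice the key into the command as the shell task did, then split it
    the way a POSIX shell would. quote=True applies shlex.quote instead."""
    arg = shlex.quote(password) if quote else '"%s"' % password
    return shlex.split("docker login -u _json_key -p %s http://eu.gcr.io" % arg)


def positional_args(argv):
    """Words left over as [SERVER] once -u/-p and their values are removed."""
    rest, out = argv[2:], []
    while rest:
        if rest[0] in ("-u", "-p"):
            rest = rest[2:]
        else:
            out.append(rest[0])
            rest = rest[1:]
    return out


def stdin_login(key_text, server="https://eu.gcr.io"):
    """Quoting-free form: fixed argv, key delivered on stdin."""
    return ["docker", "login", "-u", "_json_key", "--password-stdin", server], key_text.encode()
```

With --password-stdin the key never passes through shell quoting or the process argument list; in a playbook, no_log: true on the task keeps it out of the task output as well.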