使用gcloud和具有“所有者”权限的服务帐户推送泊坞窗图像时出现“500内部服务器错误”

时间:2016-02-03 12:47:20

标签: docker gcloud google-kubernetes-engine google-container-registry

我正在尝试将Docker容器图像推送到Google容器引擎注册表:

$ sudo gcloud docker push gcr.io/<my_project>/node
The push refers to a repository [gcr.io/<my_project>/node] (len: 1)
24c43271ae0b: Image already exists 
70a0868daa56: Image already exists 
1d86f57ee56d: Image already exists 
a46b473f6491: Image already exists 
a1ac8265769f: Image already exists 
290bb858e1c3: Image already exists 
d6fc4b5b4917: Image already exists 
3842411e5c4c: Image already exists 
7a01cc5f27b1: Image already exists 
dbacfa057b30: Image already exists 
latest: digest: sha256:02be2e66ad2fe022f433e228aa43f32d969433402820035ac8826880dbc325e4 size: 17236
Received unexpected HTTP status: 500 Internal Server Error

我无法使命令更详细。两者都没有:

$ sudo gcloud docker push gcr.io/<my_project>/node --verbosity info

也不应该使用这个命令:

$ sudo gcloud docker --log-level=info push gcr.io/sigma-cairn-99810/node
usage: gcloud docker  [EXTRA_ARGS ...] [optional flags]
ERROR: (gcloud.docker) unrecognized arguments: --log-level=info

根据文档(请参阅EXTRA_ARGS)和--log-level=info是有效的泊坞窗选项:

SYNOPSIS
    gcloud docker [EXTRA_ARGS ...] [--authorize-only, -a]
        [--docker-host DOCKER_HOST]
        [--server SERVER,[SERVER,...], -s SERVER,[SERVER,...]; default="gcr.io,us.gcr.io,eu.gcr.io,asia.gcr.io,b.gcr.io,bucket.gcr.io,appengine.gcr.io"]
        [GLOBAL-FLAG ...]
...    

POSITIONAL ARGUMENTS
     [EXTRA_ARGS ...]
        Arguments to pass to docker.

我正在使用GCP在我的container-vm计算机实例上安装的默认服务帐户。我已将{strong>所有者权限授予<my_project>中的所有资源。

更新:

正在运行sudo gsutil ls -bL gs://artifacts.<my_project>.appspot.com

gs://artifacts.<my_project>.appspot.com/ :
    Storage class:          STANDARD
    Location constraint:        US
    Versioning enabled:     None
    Logging configuration:      None
    Website configuration:      None
    CORS configuration:         None
    Lifecycle configuration:    None
    ACL:                []
    Default ACL:            []

如果我在使用我的非服务帐户进行身份验证后执行相同操作,则会同时获得ACLDefault ACL

ACL:                
  [
    {
      "entity": "project-owners-262451203973",
      "projectTeam": {
        "projectNumber": "262451203973",
        "team": "owners"
      },
      "role": "OWNER"
    },
    {
      "entity": "project-editors-262451203973",
      "projectTeam": {
        "projectNumber": "262451203973",
        "team": "editors"
      },
      "role": "OWNER"
    },
    {
      "entity": "project-viewers-262451203973",
      "projectTeam": {
        "projectNumber": "262451203973",
        "team": "viewers"
      },
      "role": "READER"
    }
  ]
Default ACL:            
  [
    {
      "entity": "project-owners-262451203973",
      "projectTeam": {
        "projectNumber": "262451203973",
        "team": "owners"
      },
      "role": "OWNER"
    },
    {
      "entity": "project-editors-262451203973",
      "projectTeam": {
        "projectNumber": "262451203973",
        "team": "editors"
      },
      "role": "OWNER"
    },
    {
      "entity": "project-viewers-262451203973",
      "projectTeam": {
        "projectNumber": "262451203973",
        "team": "viewers"
      },
      "role": "READER"
    }
  ]

1 个答案:

答案 0 :(得分:1)

您可以运行sudo gsutil ls -bL gs://artifacts.<my_project>.appspot.com并查看您是否可以访问GCS存储桶。这将验证docker镜像的存储权限。

虽然我认为您应该通过添加到所有者来获得许可,但这将验证您是否这样做。

对于EXTRA_ARGS,我认为--log-level="info"仅对命令docker daemon有效,docker push无法识别--log-level="info"

更新

通过再次查看日志,您正在推送一个主要存在的图像,因为&#34;图像已经存在&#34;日志条目表示。在第一个新写入步骤失败了。这表明问题似乎可能是您最初使用的实例只有只读范围。

可以请运行此命令并共享输出。 curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/service-accounts/default/scopes

我们正在寻找范围https://www.googleapis.com/auth/devstorage.read_write

可能发生的情况是该实例最初并非使用此范围创建,并且由于实例上的范围无法修改,因此只能保持读取。

如果是这种情况,解决方案可能会创建一个新实例。

我们将提交一个错误,以确保在此类情况下提供更好的消息传递。

相关问题
最新问题