rapid-exabyte-76685
04/28/2022, 5:03 AM
gcloud auth activate-service-account
with environment variables containing the service account key.
2. Runs gcloud auth configure-docker europe-docker.pkg.dev so that we get Docker configured to use the appropriate credential helper... after running this we have ~/.docker/config.json with the following content...
{
  "credHelpers": {
    "europe-docker.pkg.dev": "gcloud"
  }
}
where gcloud is actually a suffix that gets translated into docker-credential-gcloud
./pants package :: to build the Docker container images... if I ran docker images ls at this point I would see the new container images with the expected tags.
./pants publish :: step is failing due to a permissions error...
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/<gcp-project>/locations/europe/repositories/<repository>"
where <gcp-project> is the name of my GCP project and <repository> is the name of my repository (located in the GCP europe region, hence europe-docker.pkg.dev as the registry in the credHelpers key). Let's say <gcp-project> is banana and <repository> is dev from here on...
docker push europe-docker.pkg.dev/banana/dev/my-docker-image:my-tag
this works just fine
docker login https://europe-docker.pkg.dev
...Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /home/circleci/.docker/config.json.
Configure a credential helper to remove this warning. See
<https://docs.docker.com/engine/reference/commandline/login/#credentials-store>
./pants publish :: works just fine
[docker]
build_args = ["GCP_ARTIFACTS_REGISTRY"]
tools = ["gcloud"] # docker-credential-gcloud and gcloud are in the same directory
[docker.registries.banana]
address = "europe-docker.pkg.dev/banana"
default = true
docker_image targets have repository="{build_args.GCP_ARTIFACTS_REGISTRY}" where GCP_ARTIFACTS_REGISTRY has the same value as <repository> (basically dev) and [docker] build_args contains GCP_ARTIFACTS_REGISTRY
fast-nail-55400
04/28/2022, 5:38 AM
[subprocess-environment].env_vars to set the PATH to include the location of docker-credential-gcloud?
rapid-exabyte-76685
04/28/2022, 5:38 AM
docker-credential-gcloud
fast-nail-55400
04/28/2022, 5:40 AM
[docker].env_vars option which may only apply to Docker invocations. https://www.pantsbuild.org/docs/docker#docker-configuration
curved-television-6568
04/28/2022, 5:45 AM
rapid-exabyte-76685
04/28/2022, 5:50 AM
gcloud and docker-credential-gcloud are shell scripts. Both located in ~/google-cloud-sdk/bin and I get the same result from having pants.toml say tools = ["gcloud"] and tools = ["docker-credential-gcloud"] - not sure what other binaries I might have to reference... should I be expecting some sort of 'could not find x' message in that case though?
-ldebug
I observe...
[Warning] One or more build-args [BRANCH GCP_ARTIFACTS_REGISTRY SHORT_GIT_HASH] were not consumed
Successfully built b3b3a866dce5
Successfully tagged europe-docker.pkg.dev/banana/dev/my-image:my-branch
Successfully tagged europe-docker.pkg.dev/banana/dev/my-image:a-git-hash
but I have in a BUILD
...
  image_tags=[
    "{build_args.BRANCH}",
    "{build_args.SHORT_GIT_HASH}",
  ],
  repository="{build_args.GCP_ARTIFACTS_REGISTRY}/my-image",
curved-television-6568
04/28/2022, 5:56 AM
rapid-exabyte-76685
04/28/2022, 6:02 AM
"It doesn't help that you have multiple scripts in the same folder,"
Not sure I understand here, unfortunately that's how the GCP SDK installs itself. At any rate, I have just a single entry in tools and it doesn't appear to matter if it is "gcloud" or "docker-credential-gcloud"
[docker] tools = ["gcloud"] entry still required, or is [docker] env_vars = ["PATH"] sufficient
[docker] env_vars = [ ..., "PATH", ]
curved-television-6568
04/28/2022, 7:08 AM
[docker] tools section of your config instead.
"It doesn’t help that you have multiple scripts in the same folder, pants will single the ones you point out so doesn’t use the residing dir as path right off."
What I was trying to say was this: If you list gcloud in the tools list, the Pants execution sandbox will be set up so that PATH has gcloud on it, but any other files from the same directory as gcloud will not be on the PATH.
This is to keep the sandbox as hermetically small as possible, and not leak unspecified tools.
--no-process-cleanup and then execute the __run.sh script from the sandbox invoking docker, as you may see output about missing binaries that way, that you otherwise don’t.
rapid-exabyte-76685
04/29/2022, 1:50 AM
Preserving local process execution dir /tmp/process-execution<hash> for ... log line for the publish step... I see ones immediately prior to the log output tied to building the Docker images, and if I change into that directory and run __run.sh then I get the image built again but doesn't attempt to publish.
curved-television-6568
04/29/2022, 5:53 AM
witty-crayon-22786
04/29/2022, 8:53 PM
run goal has something custom for this: https://www.pantsbuild.org/docs/reference-run#section-cleanup … but other consumers don’t currently.