This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

The 'docker-credential-gcr' binary in Container-Optimized OS should be portable

Posted on 09-29-2022 01:44 PM
pndurette
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi,

Couldn't find another place to ask about this, apologies if this isn't the right spot.

Is it possible to have a statically-linked 'docker-credential-gcr' binary Container-Optimized OS images? The ones build on GitHub are, but the ones included in COS images are dynamically-linked, hence not portable.

Use-case:

We are doing 'Docker-in-Docker' on Container-Optimized OS. The images that need to be pulled from inside our container are on Artifact Registry, hence we are using ‘docker-credential-gcr’, which we volume mount to our container to pull Artifact Registry credentials from the metadata server without having to store them. Sadly the ‘docker-credential-gcr’ binary on the COS image is dynamically linked so it most likely won't work in another environment/container because it won’t necessarily have the right libraries (glibc etc).

We could install it ourselves, but we would rather depend solely on the COS image that is regularly updated and patched.

Thanks!

0 3 674
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
cristianrm
Staff
Reply posted on --/--/---- --:-- AM

As shown in the limitations section of the Container-Optimized OS:

  • Container-Optimized OS is not supported outside of the Google Cloud Platform environment.

Therefore, they are not meant to be portable.

This is shown remarked in the Use cases for Container-Optimized OS section:

Container-Optimized OS may not be the right choice for you in the following cases:

  • You want your image and OS application to be fully supported outside Google Cloud Platform.
0 Likes

Posted on --/--/---- --:-- AM
pndurette
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Thanks a lot for the quick answer!

Appreciate the answer and I understand. By portable, I meant the way this 'docker-credential-gcr' (/usr/bin/docker-credential-gcr) Go executable is compiled (statically-linked vs dynamically-linked), so it can be mounted and used within our container from within COS. We are still using COS as its meant to be used.

I tried to find the place where COS is built, but it might not be public.

We can always fallback to downloading it ourselves from GitHub (https://github.com/GoogleCloudPlatform/docker-credential-gcr), which is what we'll have to do. But my goal here was just to see if there was a way to tell the COS team to build that executable statically so it can be used as-is to get GCR and GAR credentials from within a container itself. 

Thanks!

0 Likes

Posted on --/--/---- --:-- AM
cristianrm
Staff
In response to pndurette
Reply posted on --/--/---- --:-- AM

In this case, you could make your request through the Feature requests, using the following issue tracker:

Please note that:

You can also request and vote for new Google Cloud features. Unlike issue reports, we don't immediately triage new feature requests. Instead, we wait for a feature to have a handful of stars and, hopefully, comments from several users about how the feature would be useful.
0 Likes
Top Labels in this Space
Top Solution Authors
View all