log_off (10). Tags: python, python-keyring, gcloud, python-poetry, google-artifact-registry
I have a Python library hosted in Google Cloud Platform Artifact Registry. I also have a Python project using Poetry that depends on that library.

This is my project file pyproject.toml:

```toml
[tool.poetry]
name = "Test"
version = "0.0.1"
description = "Test project."
authors = [
    "Me <me@mycompany.com>"
]

[tool.poetry.dependencies]
python = ">=3.8,<4.0"
mylib = "0.1.1"

[tool.poetry.dev-dependencies]
"keyrings.google-artifactregistry-auth" = "^1.1.0"
keyring = "^23.9.0"

[build-system]
requires = ["poetry-core>=1.1.0"]
build-backend = "poetry.core.masonry.api"

[[tool.poetry.source]]
name = "my-lib"
url = "https://us-east4-python.pkg.dev/my-gcp-project/my-lib/simple/"
secondary = true
```

To enable my private repository, I installed the gcloud CLI and authenticated with my credentials. So when I run this command I see the correct result, like this:

```
$ gcloud auth list
ACTIVE ACCOUNT
...
* <my-account>@appspot.gserviceaccount.com
...
```

I also use the Python keyring together with keyrings.google-artifactregistry-auth, as you can see in the project file.

So, with this setup, I can run `poetry install` and the dependency is downloaded from my private Artifact Registry using the GCP authentication.

The problem appears when I try to apply the same principle inside a Docker container.

I created a Dockerfile like this:

```dockerfile
# syntax = docker/dockerfile:1.3
FROM python:3.9

# Install Poetry
RUN curl -sSL https://install.python-poetry.org | python3 -
ENV PATH "${PATH}:/root/.local/bin"

# Install Google Cloud SDK CLI
ARG GCLOUD_VERSION="401.0.0-linux-x86_64"
RUN wget -q https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}.tar.gz && \
    tar -xf google-cloud-cli-*.tar.gz && \
    ./google-cloud-sdk/install.sh --quiet && \
    rm google-cloud-cli-*.tar.gz
ENV PATH "${PATH}:/google-cloud-sdk/bin"

# install Google Artifact Registry keyring integration
RUN pip install keyrings.google-artifactregistry-auth
RUN --mount=type=secret,id=GOOGLE_APPLICATION_CREDENTIALS gcloud auth activate-service-account --key-file=/run/secrets/GOOGLE_APPLICATION_CREDENTIALS
RUN gcloud auth list
RUN keyring --list-backends

WORKDIR /app

# copy Poetry project files and install dependencies
COPY ./.env* ./
COPY ./pyproject.toml ./poetry.lock* ./
RUN poetry install

# copy source files
COPY ./app /app/app

# run the program
CMD poetry run python -m app.main
```

As you can see, I inject the Google credentials file following this documentation. That works. I used Docker BuildKit secrets as shown here (security concerns are not the issue in this question). So, when I try to build the image, I get an authentication error (GOOGLE_APPLICATION_CREDENTIALS is correctly set to point to a valid key file):

```
$ DOCKER_BUILDKIT=1 docker image build --secret id=GOOGLE_APPLICATION_CREDENTIALS,src=${GOOGLE_APPLICATION_CREDENTIALS} -t app-test .

...
#19 66.68 <c1>Source (my-lib):</c1> Authorization error accessing https://us-east4-python.pkg.dev/my-gcp-project/my-lib/simple/mylib/
#19 68.21
#19 68.21 RuntimeError
#19 68.21
#19 68.22 Unable to find installation candidates for mylib (0.1.1)
...
```

If I execute all the commands in the Dockerfile line by line outside Docker, with the same Google credentials key file, it works.

I even tried debugging inside the image, without executing the `poetry install` or `poetry run ...` commands, and I see this, in case it helps:

```
# gcloud auth list
    Credentialed Accounts
ACTIVE ACCOUNT
* <my-account>@appspot.gserviceaccount.com
```

Finally, I even tried the following: Using Keyring on headless Linux systems in a Docker container, with the same result:

```
# keyring --list-backends
keyrings.gauth.GooglePythonAuth (priority: 9)
keyring.backends.chainer.ChainerBackend (priority: -1)
keyring.backends.fail.Keyring (priority: 0)
```

I even tried following the suggestion from another question. No success.

The gcloud CLI works inside the container, tested with other commands. My guess is that the integration with Keyring is not working properly, but I don't know how to debug it.

How can I resolve my dependencies inside the Docker container?
\n最后,我找到了一个适合我的用例的解决方案。
主要有两个部分:
poetry self add keyrings.google-artifactregistry-auth
Run Code Online (Sandbox Code Playgroud)
gcloud auth activate-service-account --key-file=key.json
Run Code Online (Sandbox Code Playgroud)
就我而言,我使用BuildKit 秘密来处理它。
例如,Dockerfile 会是这样的:
FROM python:3.9
# Install Poetry
RUN curl -sSL https://install.python-poetry.org | python3 -
ENV PATH "${PATH}:/root/.local/bin"
# install Google Artifact Registry tools for Python as a Poetry plugin
RUN poetry self add keyrings.google-artifactregistry-auth
# Install Google Cloud SDK CLI
ARG GCLOUD_VERSION="413.0.0-linux-x86_64"
RUN wget -q https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}.tar.gz && \
tar -xf google-cloud-cli-*.tar.gz && \
./google-cloud-sdk/install.sh --quiet && \
rm google-cloud-cli-*.tar.gz
ENV PATH "${PATH}:/google-cloud-sdk/bin"
# authenticate with gcloud using a BuildKit secret
RUN --mount=type=secret,id=gac.json \
gcloud auth activate-service-account --key-file=/run/secrets/gac.json
COPY ./pyproject.toml ./poetry.lock* /
RUN poetry install
# deauthenticate with gcloud once the dependencies are already installed to clean the image
RUN gcloud auth revoke --all
COPY ./app /app
WORKDIR /app
CMD ["whatever", "command", "you", "use"]
Run Code Online (Sandbox Code Playgroud)
Docker 构建命令提供了秘密:
poetry self add keyrings.google-artifactregistry-auth
Run Code Online (Sandbox Code Playgroud)
对于 Docker Compose,也有类似的方法:
gcloud auth activate-service-account --key-file=key.json
Run Code Online (Sandbox Code Playgroud)
COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 docker compose up --build
Run Code Online (Sandbox Code Playgroud)
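An added example, not part of the question or the answer above: a small Python reviewer for Dockerfiles that flags the ways a service-account key can end up persisted in an image (a COPY of the key file or a .env file, an ENV/ARG whose name looks like a credential, a RUN that reads a key file outside a BuildKit secret mount, and activating gcloud without revoking afterwards) and returns no findings for the pattern the answer uses (secret mount plus `gcloud auth revoke --all` after `poetry install`). The two Dockerfile texts, the regex names and the functions `parse_dockerfile` and `review` are this example's own constructions, modeled on the answer's Dockerfile.

```python
"""Heuristic Dockerfile review for credential leakage into image layers.

Added example; the inputs below are constructed for the demonstration and
the detection patterns are this example's own choices, not a published tool.
"""
import re

# Instruction-level heuristics (example's own names).
SECRET_MOUNT = re.compile(r"--mount=type=secret\b")
KEY_FILE_ARG = re.compile(r"--key-file=(\S+)")
SENSITIVE_NAME = re.compile(r"(CREDENTIAL|SECRET|TOKEN|PASSWORD|KEY)", re.I)
SENSITIVE_PATH = re.compile(r"(\.env\b|(key|cred|secret|token)[^\s]*\.(json|pem|p12)$)", re.I)

# Constructed: the shape of the answer's Dockerfile (secret mount + revoke).
GOOD_DOCKERFILE = r"""
FROM python:3.9
RUN curl -sSL https://install.python-poetry.org | python3 -
ENV PATH "${PATH}:/root/.local/bin"
RUN poetry self add keyrings.google-artifactregistry-auth
ARG GCLOUD_VERSION="413.0.0-linux-x86_64"
RUN wget -q https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}.tar.gz && \
    tar -xf google-cloud-cli-*.tar.gz && \
    ./google-cloud-sdk/install.sh --quiet && \
    rm google-cloud-cli-*.tar.gz
ENV PATH "${PATH}:/google-cloud-sdk/bin"
RUN --mount=type=secret,id=gac.json \
    gcloud auth activate-service-account --key-file=/run/secrets/gac.json
COPY ./pyproject.toml ./poetry.lock* /
RUN poetry install
RUN gcloud auth revoke --all
COPY ./app /app
WORKDIR /app
"""

# Constructed: the same goal done by baking the key into the image.
BAD_DOCKERFILE = r"""
FROM python:3.9
ENV GOOGLE_APPLICATION_CREDENTIALS=/key.json
COPY key.json /key.json
RUN gcloud auth activate-service-account --key-file=/key.json
RUN poetry install
"""


def parse_dockerfile(text):
    """Join backslash-continued lines; return (INSTRUCTION, args) tuples."""
    instructions = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.partition(" ")
        instructions.append((instr.upper(), args.strip()))
        buf = ""
    return instructions


def review(text):
    """Return a list of human-readable findings for one Dockerfile."""
    findings = []
    activated = revoked = False
    for instr, args in parse_dockerfile(text):
        if instr in ("COPY", "ADD"):
            # every token but the last is a source path (flags simply won't match)
            for src in args.split()[:-1]:
                if SENSITIVE_PATH.search(src):
                    findings.append(f"{instr} bakes credential file {src} into a layer")
        elif instr in ("ENV", "ARG"):
            name = re.split(r"[ =]", args, maxsplit=1)[0]
            if SENSITIVE_NAME.search(name):
                findings.append(f"{instr} {name} persists in image config/history")
        elif instr == "RUN":
            m = KEY_FILE_ARG.search(args)
            if m:
                path = m.group(1)
                # a key file is only transient if it comes from /run/secrets via a secret mount
                if not (SECRET_MOUNT.search(args) and path.startswith("/run/secrets/")):
                    findings.append(f"RUN uses key file {path} without a BuildKit secret mount")
            if "gcloud auth activate-service-account" in args:
                activated = True
            if "gcloud auth revoke" in args:
                revoked = True
    if activated and not revoked:
        findings.append("gcloud credentials activated but never revoked; the token cache stays in the image")
    return findings


if __name__ == "__main__":
    for label, text in (("answer-style", GOOD_DOCKERFILE), ("baked-key", BAD_DOCKERFILE)):
        print(f"{label}: {review(text) or 'no findings'}")
```

`review()` returns plain strings so it can be dropped into a CI step that fails the build when the list is non-empty. The patterns are heuristics on names and paths that look like credentials; a key stored under an innocuous name, or a token cache written by some other tool, will not be caught, which is why the answer's explicit `gcloud auth revoke --all` after the install step is worth keeping regardless of any checker.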
Views: 3907