
Gsutil Not working in Dockerfile on Google Compute Engine


I'm a bit new to Docker and I'm trying to copy resources from my cloud bucket to my instance created with a docker image. I use gsutil with the following in my Dockerfile

# Install Google Cloud tools - Debian https://cloud.google.com/storage/docs/gsutil_install#deb
ENV CLOUD_SDK_REPO="cloud-sdk-stretch"
RUN echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | \
    tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - && \
    apt-get update && apt-get install -y google-cloud-sdk

# Setup Google Service Account
COPY service-account.json /etc/
ENV GOOGLE_APPLICATION_CREDENTIALS="/etc/service-account.json"

RUN gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}

# Copy the last updated ssl config
RUN gsutil cp -r gs://my-project.appspot.com/docker/etc/letsencrypt /etc/ && \
    gsutil cp -r gs://my-project.appspot.com/docker/etc/apache2/sites-available /etc/apache2/

When I run this on my machine locally, the files get copied correctly with gsutil. (They exist when I run the docker image)

When I deploy to Google Container Registry and use the docker image on a GCE instance, the files don't exist on the running docker image.

I can see from the google build logs that the gsutil appears to be working correctly and is copying the files (during the build process).

What am I doing wrong? Is this a bug?

Any help appreciated!


Solution

  • I suspect the files are in /etc/ but it's not clear from the snippet what your image does when you run it.

    The RUN steps you show above are run only when the image is built. RUN is used to run steps needed to install and build the software that runs in the container. Run steps are not run when you create a container from the image.

    So, if the files are copied correctly during docker build, they'll be present when that image is run. Where are you building the image? Once the image is built, deploying anywhere (including to GCR) and then running the image won't affect the steps you show (because they were run during image creation).

    From what you show, it's not clear what happens when you run the image. If this is the entirety of your Dockerfile, then nothing will happen when you docker run.

    NB Your approach has security implications. Anyone who has the image can access your service account key. For data including keys (possibly also /letsencrypt/) and your config, it's good practice to reference these at docker run time and commonly using volumes|mounts.

    Do I assume that you're looking to run Apache with this image?
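The security note in the answer can be turned into a pre-build check. The following is an added example, not code from the original post: a small Dockerfile linter that flags the build steps from the question that leave a service account key or bucket data inside image layers. The function names and the `KEY_NAME` file-name heuristic are assumptions made for this sketch, and `SAMPLE` is constructed from the question's Dockerfile lines.

```python
import re
import shlex

# Constructed sample: the credential-related lines of the question's Dockerfile.
SAMPLE = """\
COPY service-account.json /etc/
ENV GOOGLE_APPLICATION_CREDENTIALS="/etc/service-account.json"
RUN gcloud auth activate-service-account \\
    --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
RUN gsutil cp -r gs://my-project.appspot.com/docker/etc/letsencrypt /etc/
"""

# Assumed heuristic for file names that usually hold key material.
KEY_NAME = re.compile(r"(service[-_]?account[^/]*\.json|\.pem|\.key|\.p12)$", re.I)

def instructions(text):
    """Yield (first_line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            keyword, _, args = " ".join(buf).partition(" ")
            yield start, keyword.upper(), args.strip()
            buf = []

def findings(text):
    """Return (line_no, message) for steps that leave secrets in image layers."""
    out, baked = [], set()
    for no, kw, args in instructions(text):
        if kw in ("COPY", "ADD"):
            *srcs, dest = [a for a in shlex.split(args) if not a.startswith("--")]
            for src in filter(KEY_NAME.search, srcs):
                baked.add(dest + src.rsplit("/", 1)[-1] if dest.endswith("/") else dest)
                out.append((no, f"{kw} stores key file {src} in an image layer"))
        elif kw == "ENV":
            for tok in shlex.split(args):
                if tok.partition("=")[2] in baked:
                    out.append((no, f"ENV {tok.partition('=')[0]} points at a key baked into the image"))
        elif kw == "RUN" and re.search(r"gcloud\s+auth\s+activate-service-account", args):
            out.append((no, "RUN activates the service account at build time; gcloud's credential store lands in the layer"))
        elif kw == "RUN" and re.search(r"\bgsutil\s+(-\S+\s+)*cp\b", args):
            out.append((no, "RUN gsutil cp fetches bucket data at build time and freezes it into the image"))
    return out

if __name__ == "__main__":
    print(*(f"line {n}: {m}" for n, m in findings(SAMPLE)), sep="\n")
```

An `ENV GOOGLE_APPLICATION_CREDENTIALS` that points at a path supplied by a mount at `docker run` time is not flagged, which matches the approach the answer recommends.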