Jib-Maven-plugin with Jenkins scripted pipeline: how to log in to private docker registry?
Problem description
Regarding this problem, I updated my JHipster-Application with scripted Jenkins pipeline and have now in Jenkinsfile (partly following these hints):
[...]
def dockerImage
withEnv(["DOCKER_CREDS=credentials('myregistry-login')"]) {
    stage('publish docker') {
        sh "./mvnw -X -ntp jib:build"
    }
}
with Jenkins global credentials myregistry-login saved in my Jenkins-Server to my own docker registry v2 docker-container https://myregistry.mydomain.com (domain changed for security reasons). I can successfully do a $ docker login myregistry.mydomain.com (as well as docker login https://myregistry.mydomain.com as well as docker login myregistry.mydomain.com:443) from local bash with the user and password stored in myregistry-login.
In pom.xml (following these hints as well as this, this and this):
<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <configuration>
        <to>
            <image>myregistry.mydomain.com:443/username/imagename</image>
            <tags>
                <tag>${maven.build.timestamp}</tag>
                <tag>latest</tag>
            </tags>
            <auth>
                <username>${env.DOCKER_CREDS_USR}</username>
                <password>${env.DOCKER_CREDS_PSW}</password>
            </auth>
        </to>
        <container>
            <jvmFlags>
                <jvmFlag>-Xms512m</jvmFlag>
                <jvmFlag>-Xmx1G</jvmFlag>
                <jvmFlag>-Xdebug</jvmFlag>
            </jvmFlags>
            <mainClass>de.myproject_name.MyApp</mainClass>
        </container>
    </configuration>
</plugin>
where username, imagename and de.myproject_name.MyApp are placeholders here.
Unfortunately I get:
[DEBUG] TIMING Retrieving registry credentials for myregistry.mydomain.com:443
[DEBUG] No credentials could be retrieved for registry myregistry.mydomain.com:443
[...]
[ERROR] I/O error for image [myregistry.mydomain.com:443/username/imagename]:
[ERROR] Connect to myregistry.mydomain.com:443 [myregistry.mydomain.com/xxx.xxx.xxx.xxx] failed: Connection refused (Connection refused)
[DEBUG] TIMED Authenticating push to myregistry.mydomain.com:443 : 460.0 ms
[DEBUG] TIMED Building and pushing image : 514.0 ms
[ERROR] I/O error for image [registry-1.docker.io/library/adoptopenjdk]:
[ERROR] Socket closed
So the withEnv isn't forwarded to Maven and/or the jib-maven-plugin is not reading the <auth> tag, right? What am I still doing wrong? And why is there an I/O error to registry-1.docker.io?
Recommended answer
Finally I've got it working.
In Jenkinsfile I edit the JHipster generated code to:
def dockerImage
stage('publish docker') {
    withCredentials([usernamePassword(credentialsId: 'myregistry-login', passwordVariable: 'DOCKER_REGISTRY_PWD', usernameVariable: 'DOCKER_REGISTRY_USER')]) {
        sh "./mvnw -ntp jib:build"
    }
}
In pom.xml I put the jib-maven-plugin configuration:
<plugin>
    <groupId>com.google.cloud.tools</groupId>
    <artifactId>jib-maven-plugin</artifactId>
    <configuration>
        <from>
            <image>adoptopenjdk:11-jre-hotspot</image>
        </from>
        <to>
            <auth>
                <username>${DOCKER_REGISTRY_USER}</username>
                <password>${DOCKER_REGISTRY_PWD}</password>
            </auth>
            <image>myregistry.mydomain.com/myuser/my_image</image>
            <tags>
                <tag>${maven.build.timestamp}</tag>
                <tag>latest</tag>
            </tags>
        </to>
        <container>
            <jvmFlags>
                <jvmFlag>-Xms512m</jvmFlag>
                <jvmFlag>-Xmx1G</jvmFlag>
                <jvmFlag>-Xdebug</jvmFlag>
            </jvmFlags>
            <mainClass>com.mypackage.MyApp</mainClass>
            <entrypoint>
                <shell>bash</shell>
                <option>-c</option>
                <arg>chmod +x /entrypoint.sh &amp;&amp; sync &amp;&amp; /entrypoint.sh</arg>
            </entrypoint>
            <ports>
                <port>8080</port>
            </ports>
            <environment>
                <SPRING_OUTPUT_ANSI_ENABLED>ALWAYS</SPRING_OUTPUT_ANSI_ENABLED>
                <JHIPSTER_SLEEP>0</JHIPSTER_SLEEP>
            </environment>
            <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
        </container>
    </configuration>
</plugin>
In my remote server setup my own docker registry v2 is running as a docker-container published via nginx-proxy with letsencrypt-nginx-proxy-companion. On the same custom network bridge runs my own jenkins server as another docker-container.
Some tests showed me that the container-name of the docker registry cannot be named with the public DNS name of the registry (e.g. 'myregistry.mydomain.com' as container name). The jenkins docker-container gets the embedded docker dns server into resolv.conf, and docker will resolve the container-names of containers in the same network to the internal bridge-network IPs of these containers (only in case of custom docker networks).
I guess jib has to connect via ssl to push the docker image to the docker registry container and ssl has to be handled before the container with nginx-proxy, so the external address of the docker registry domain has to be used.
Also the docker host's firewall has to be configured (according to this link) to allow traffic from the docker container jenkins through to the docker host. At the host it then goes back again to docker registry via nginx-proxy with ssl, right? In my case, this comes down to:
$ sudo firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp6s0
sources:
[...]
rich rules:
rule family="ipv4" source address="172.26.0.13/32" accept
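A preflight check that separates the two failure modes seen in this thread (registry unreachable versus credentials rejected), as an added example that is not part of the original question or answer. It assumes curl is available on the Jenkins agent and that DOCKER_REGISTRY_USER and DOCKER_REGISTRY_PWD are bound by the withCredentials block above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes curl is installed and that
# DOCKER_REGISTRY_USER / DOCKER_REGISTRY_PWD are bound by withCredentials.

# Map curl's exit status and the HTTP status of GET /v2/ to a diagnosis.
classify_registry_probe() {
    curl_exit=$1
    http_code=$2
    case "$curl_exit" in
        0)     ;;                                      # transport worked, check HTTP
        6)     echo "dns-failure"; return 0 ;;         # name did not resolve
        7)     echo "connection-refused"; return 0 ;;  # wrong IP/port or firewall
        28)    echo "timeout"; return 0 ;;
        35|60) echo "tls-failure"; return 0 ;;         # handshake or certificate
        *)     echo "transport-error"; return 0 ;;
    esac
    case "$http_code" in
        200) echo "ok" ;;                              # credentials accepted
        401) echo "bad-or-missing-credentials" ;;
        403) echo "forbidden" ;;
        *)   echo "unexpected-http-$http_code" ;;
    esac
}

# Probe https://<registry>/v2/ (the registry v2 API base endpoint).
# Credentials reach curl through a config read from stdin (-K -), so they are
# not in the process list; xtrace is switched off so "sh -x" does not echo them.
# Assumption: the password contains no double quote or backslash.
probe_registry() {
    registry=$1
    curl_exit=0
    http_code=$(
        set +x
        printf 'user = "%s:%s"\n' "$DOCKER_REGISTRY_USER" "$DOCKER_REGISTRY_PWD" |
            curl -K - -s -o /dev/null -w '%{http_code}' --max-time 10 \
                "https://$registry/v2/"
    ) || curl_exit=$?
    classify_registry_probe "$curl_exit" "$http_code"
}
```

Calling `probe_registry myregistry.mydomain.com` inside the withCredentials block before `./mvnw -ntp jib:build` shows whether a failure comes from the network path (DNS, firewall, proxy) or from authentication.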