Jib-Maven-plugin with Jenkins scripted pipeline: how to log in to private docker registry?

Problem description

Regarding this problem, I updated my JHipster-Application with scripted Jenkins pipeline and have now in Jenkinsfile (partly following these hints):

[...]

    def dockerImage
    withEnv(["DOCKER_CREDS=credentials('myregistry-login')"]) {
        stage('publish docker') {
            sh "./mvnw -X -ntp jib:build"
        }
    }

with Jenkins global credentials myregistry-login saved in my Jenkins-Server to my own docker registry v2 docker-container https://myregistry.mydomain.com (domain changed for security reasons). I can successfully do a $ docker login myregistry.mydomain.com (as well as docker login https://myregistry.mydomain.com as well as docker login myregistry.mydomain.com:443) from local bash with the user and password stored in myregistry-login.

In pom.xml (following these hints as well as this, this and this):

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <configuration>
    <to>
      <image>myregistry.mydomain.com:443/username/imagename</image>
      <tags>
        <tag>${maven.build.timestamp}</tag>
        <tag>latest</tag>
      </tags>
      <auth>
        <username>${env.DOCKER_CREDS_USR}</username>
        <password>${env.DOCKER_CREDS_PSW}</password>
      </auth>
    </to>
    <container>
      <jvmFlags>
        <jvmFlag>-Xms512m</jvmFlag>
        <jvmFlag>-Xmx1G</jvmFlag>
        <jvmFlag>-Xdebug</jvmFlag>
      </jvmFlags>
      <mainClass>de.myproject_name.MyApp</mainClass>
    </container>
  </configuration>
</plugin>

where username, imagename and de.myproject_name.MyApp are placeholders here.

Unfortunately I get:

[DEBUG] TIMING  Retrieving registry credentials for myregistry.mydomain.com:443
[DEBUG] No credentials could be retrieved for registry myregistry.mydomain.com:443
[...]
[ERROR] I/O error for image [myregistry.mydomain.com:443/username/imagename]:
[ERROR]     Connect to myregistry.mydomain.com:443 [myregistry.mydomain.com/xxx.xxx.xxx.xxx] failed: Connection refused (Connection refused)
[DEBUG] TIMED   Authenticating push to myregistry.mydomain.com:443 : 460.0 ms
[DEBUG] TIMED   Building and pushing image : 514.0 ms
[ERROR] I/O error for image [registry-1.docker.io/library/adoptopenjdk]:
[ERROR]     Socket closed

So the withEnv isn't forwarded to Maven and/or the jib-maven-plugin is not reading the <auth>-Tag, right? What am I still doing wrong? And why is there an I/O error to registry-1.docker.io?

Recommended answer

Finally I've got it working.

In Jenkinsfile I edit the JHipster generated code to:

    def dockerImage
    stage('publish docker') {
        withCredentials([usernamePassword(credentialsId: 'myregistry-login', passwordVariable: 'DOCKER_REGISTRY_PWD', usernameVariable: 'DOCKER_REGISTRY_USER')]) {
            sh "./mvnw -ntp jib:build"
        }
    }

In pom.xml I put the jib-maven-plugin configuration:

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <configuration>
    <from>
      <image>adoptopenjdk:11-jre-hotspot</image>
    </from>
    <to>
      <auth>
        <username>${DOCKER_REGISTRY_USER}</username>
        <password>${DOCKER_REGISTRY_PWD}</password>
      </auth>
      <image>myregistry.mydomain.com/myuser/my_image</image>
      <tags>
        <tag>${maven.build.timestamp}</tag>
        <tag>latest</tag>
      </tags>
    </to>
    <container>
      <jvmFlags>
        <jvmFlag>-Xms512m</jvmFlag>
        <jvmFlag>-Xmx1G</jvmFlag>
        <jvmFlag>-Xdebug</jvmFlag>
      </jvmFlags>
      <mainClass>com.mypackage.MyApp</mainClass>
      <entrypoint>
        <shell>bash</shell>
        <option>-c</option>
        <arg>chmod +x /entrypoint.sh &amp;&amp; sync &amp;&amp; /entrypoint.sh</arg>
      </entrypoint>
      <ports>
        <port>8080</port>
      </ports>
      <environment>
        <SPRING_OUTPUT_ANSI_ENABLED>ALWAYS</SPRING_OUTPUT_ANSI_ENABLED>
        <JHIPSTER_SLEEP>0</JHIPSTER_SLEEP>
      </environment>
      <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
    </container>
  </configuration>
</plugin>

In my remote server setup my own docker registry v2 is running as a docker-container published via nginx-proxy with letsencrypt-nginx-proxy-companion. On the same custom network bridge runs my own jenkins server as another docker-container.

Some tests showed me that the container-name of the docker registry can not be named with the public DNS name of the registry (e.g. 'myregistry.mydomain.com' as container name). The jenkins docker-container gets the embedded docker dns server into resolv.conf, and docker will resolve the container-names of containers in the same network to the internal bridge-network IPs of these containers (only in case of custom docker networks).

I guess jib has to connect via ssl to push the docker image to the docker registry container and ssl has to be handled before the container with nginx-proxy, so the external address of the docker registry domain has to be used.

Also the docker host's firewall has to be configured (according to this link) to allow traffic from the docker container jenkins through to the docker host. At the host it then goes back again to docker registry via nginx-proxy with ssl, right? In my case, this comes down to:

$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 
  [...] 
  rich rules: 
    rule family="ipv4" source address="172.26.0.13/32" accept
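
A pre-flight check for the 'publish docker' stage, added here as an example and not part of the original question or answer: it confirms that the bound credential variables reach the `sh` step without printing them, and flags a registry name that resolves to a private bridge address instead of the external one behind nginx-proxy. The function names and `REGISTRY_HOST` are assumptions, `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_PWD` are the names bound in the answer's Jenkinsfile, and `getent` is assumed to exist in the Jenkins container.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the variable names follow the answer's withCredentials binding.

# Return 0 only if the named variable is exported and non-empty.
# Never prints the value. Return 2 if it still holds a literal
# "credentials(...)" string, which is what withEnv passes through.
require_secret() {
    name=$1
    value=$(printenv "$name" || true)
    if [ -z "$value" ]; then
        echo "missing: $name is not set for this step" >&2
        return 1
    fi
    case $value in
        "credentials("*)
            echo "unbound: $name is a literal credentials(...) string" >&2
            return 2 ;;
    esac
    return 0
}

# Classify the address the registry name resolves to. A private (RFC 1918)
# address means the name was answered inside the Docker network, so the
# push would not go through the TLS-terminating proxy.
classify_route() {
    case $1 in
        "") echo unresolved ;;
        10.*|192.168.*) echo internal ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
                echo internal
            else
                echo external
            fi ;;
        *) echo external ;;
    esac
}

# Run both checks for a registry host; non-zero means do not start the push.
preflight() {
    require_secret DOCKER_REGISTRY_USER || return 1
    require_secret DOCKER_REGISTRY_PWD || return 1
    ip=$(getent ahostsv4 "$1" | awk '{print $1; exit}')
    route=$(classify_route "$ip")
    echo "registry $1 resolves to ${ip:-nothing} ($route)"
    [ "$route" = external ]
}

# Only runs when REGISTRY_HOST is exported, e.g. from the Jenkins sh step.
if [ -n "${REGISTRY_HOST:-}" ]; then preflight "$REGISTRY_HOST"; fi
```

Run it inside the `withCredentials` block before `./mvnw -ntp jib:build`, with `REGISTRY_HOST` exported to the registry's public name.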
