使用'mvn compile jib:build'推送到Docker Registry失败 [英] Failure on Push to Docker Registry using 'mvn compile jib:build '

问题描述

我正在尝试使用 Google JIB maven插件将docker映像构建并部署到私有注册表.但是，它由于访问私有注册表的问题而失败.

我已在 Windows 10 计算机上安装了 Docker Desktop v19.03.1 .接下来，我尝试使用Google JIB Maven插件构建我的Spring Boot应用程序，然后推送构建在私有注册表上的映像.

我已将CERT添加到"example.registry.com"到Windows受信任的CERTS.我能够使用docker命令验证这一点，如下所示登录私有注册表:-

docker登录example.registry.com

此命令返回成功的身份验证，这意味着我添加的CERT已被接受.

然后登录到私有注册表后，我可以使用docker命令行 Pull 和 PUSH 图像成功地将其成功"example.registry.com"./p>

下面是我的 POM.xml 文件.

 < plugin>< groupId> org.springframework.boot</groupId>< artifactId> spring-boot-maven-plugin</artifactId></plugin>< plugin>< groupId> com.google.cloud.tools</groupId>< artifactId> jib-maven-plugin</artifactId>< version> 1.5.1</version><配置><至>< image> example.registry.com/inventory-service-docker:1.0</image>< auth><用户名>纯文本用户名forRegistry</用户名>< password>普通的注册表密码</password></auth></to><来自>< image> openjdk:8</image></from><容器><端口><端口> 8089</端口></ports></容器>< allowInsecureRegistries> true</allowInsecureRegistries><！-在第一次运行时进行评论.--></configuration></plugin> 

当我从带有pom.xml文件的目录的控制台中运行"mvn compile jib:build"命令时，它确实开始处理，但是在稍后阶段失败，并出现以下错误:-

[错误]无法在项目清单服务上执行目标com.google.cloud.tools:jib-maven-plugin:1.5.1:build(default-cli)泊坞窗:构建映像失败，也许您应该使用支持HTTPS的注册表或设置配置参数'allowInsecureRegistries':无法在 https://example.registry.com/v2/inventory-service-docker/blobs/sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e 因为只有安全连接是允许的.

当按照上述错误的建议设置配置参数"allowInsecureRegistries"后运行相同的命令时，出现如下不同的错误:-

[错误]无法在项目清单服务上执行目标com.google.cloud.tools:jib-maven-plugin:1.5.1:build(default-cli)docker:构建映像失败:无法通过注册表example.registry.com/inventory-service-docker进行身份验证，原因是:sun.security.validator.ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:找不到到所请求目标的有效认证路径

看起来有些配置在使用无法安全连接到example.registry.com的JIB时丢失.

解决方案

(在开始之前，请不要使用Jib 1.5.x，因为那些版本存在网络性能问题.)

JVM不使用Windows证书存储. doc 说

JRE的一个大问题是它完全忽略了Windows证书存储.与其使用Windows证书存储，不如使用其自己的实现

我在另一个答案中找到的Windows的一个潜在选择是使用 -Djavax.net.ssl.trustStoreType来启动Java.= WINDOWS-ROOT .但是我还没有验证自己是否行得通.

另一种方法是将证书添加到默认Java证书存储(信任库)文件( cacerts ).它通常位于< JDK>/lib/sercurity/或< JRE>/jre/lib/security/下.

有多种添加证书的方法(例如，使用各种GUI工具).例如，

• 在命令行上

  keytool.exe -import -storepass"changeit" -keystore"C:\ Program Files(x86)\ Java \ jre1.8.0_144 \ lib \ security \ cacerts" -alias certificate.cer -file"C:\ certificate.cer"-noprompt 

• 使用GUI KeyStore Explorer
的工具

最后，对于那些想获得更多有关解决此类Java证书问题的想法的人，请查看此https://example.registry.com/v2/inventory-service-docker/blobs/sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e because only secure connections are allowed.

When I run the same command after setting the configuration parameter 'allowInsecureRegistries' as suggested from above error, I get a different error as below :-

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed: Failed to authenticate with registry example.registry.com/inventory-service-docker because: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Looks like some config that I'm missing when using JIB that does not connect to 'example.registry.com' securely.

解决方案

(Before I start, please don't use Jib 1.5.x, as the those versions have a network performance issue.)

JVM doesn't make use of the Windows certificate stores. This doc says

One big problem of the JRE is that it completely ignores the Windows certificate stores. Instead of using the windows certificate store it uses its own implementation

One potential option for Windows I just found in another answer is to start Java with -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT. But I haven't verified myself if this works.

Another way is to add your certificates to the default Java certificate store (truststore) file (cacerts). It is often located under <JDK>/lib/sercurity/ or <JRE>/jre/lib/security/.

There are multiple ways to add certificates (e.g., using various GUI tools). For example,

• on the command line

keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt

• using a GUI tool called KeyStore Explorer

Lastly, for those who want to get some more ideas for troubleshooting this kind of Java cert issues, check out this comment.

这篇关于使用'mvn compile jib:build'推送到Docker Registry失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！