问题描述
我正在尝试使用 Google JIB maven插件将docker映像构建并部署到私有注册表.但是,它由于访问私有注册表的问题而失败.
我已在 Windows 10 计算机上安装了 Docker Desktop v19.03.1 .接下来,我尝试使用Google JIB Maven插件构建我的Spring Boot应用程序,然后推送构建在私有注册表上的映像.
我已将CERT添加到"example.registry.com"到Windows受信任的CERTS.我能够使用docker命令验证这一点,如下所示登录私有注册表:-
docker登录example.registry.com
此命令返回成功的身份验证,这意味着我添加的CERT已被接受.
然后登录到私有注册表后,我可以使用docker命令行 Pull 和 PUSH 图像成功地将其成功"example.registry.com"./p>
下面是我的 POM.xml 文件.
< plugin>< groupId> org.springframework.boot</groupId>< artifactId> spring-boot-maven-plugin</artifactId></plugin>< plugin>< groupId> com.google.cloud.tools</groupId>< artifactId> jib-maven-plugin</artifactId>< version> 1.5.1</version><配置><至>< image> example.registry.com/inventory-service-docker:1.0</image>< auth><用户名>纯文本用户名forRegistry</用户名>< password>普通的注册表密码</password></auth></to><来自>< image> openjdk:8</image></from><容器><端口><端口> 8089</端口></ports></容器>< allowInsecureRegistries> true</allowInsecureRegistries><!-在第一次运行时进行评论.--></configuration></plugin> 当我从带有pom.xml文件的目录的控制台中运行"mvn compile jib:build"命令时,它确实开始处理,但是在稍后阶段失败,并出现以下错误:-
[错误]无法在项目清单服务上执行目标com.google.cloud.tools:jib-maven-plugin:1.5.1:build(default-cli)泊坞窗:构建映像失败,也许您应该使用支持HTTPS的注册表或设置配置参数'allowInsecureRegistries':无法在 https://example.registry.com/v2/inventory-service-docker/blobs/sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e 因为只有安全连接是允许的.
当按照上述错误的建议设置配置参数"allowInsecureRegistries"后运行相同的命令时,出现如下不同的错误:-
[错误]无法在项目清单服务上执行目标com.google.cloud.tools:jib-maven-plugin:1.5.1:build(default-cli)docker:构建映像失败:无法通过注册表example.registry.com/inventory-service-docker进行身份验证,原因是:sun.security.validator.ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:找不到到所请求目标的有效认证路径
看起来有些配置在使用无法安全连接到example.registry.com的JIB时丢失.
(在开始之前,请不要使用Jib 1.5.x,因为那些版本存在网络性能问题.)
JVM不使用Windows证书存储. doc 说
我在另一个答案中找到的Windows的一个潜在选择是使用 -Djavax.net.ssl.trustStoreType来启动Java.= WINDOWS-ROOT .但是我还没有验证自己是否行得通.
另一种方法是将证书添加到默认Java证书存储(信任库)文件( cacerts ).它通常位于< JDK>/lib/sercurity/或< JRE>/jre/lib/security/下.
有多种添加证书的方法(例如,使用各种GUI工具).例如,
- 在命令行上
keytool.exe -import -storepass"changeit" -keystore"C:\ Program Files(x86)\ Java \ jre1.8.0_144 \ lib \ security \ cacerts" -alias certificate.cer -file"C:\ certificate.cer"-noprompt 最后,对于那些想获得更多有关解决此类Java证书问题的想法的人,请查看此评论.
I'm trying to build and deploy my docker image to a private registry using Google JIB maven plugin. However, it fails with issues accessing the private registry.
I have installed Docker Desktop v19.03.1 on my Windows 10 machine. Next I'm trying to using Google JIB Maven plugin to build my Spring Boot application and then push the image built on the private registry.
I have added the CERT to 'example.registry.com' to the Windows trusted CERTS. I was able to verify this using the docker command to login to private registry as below :-
docker login example.registry.com
This command returns success for authentication which means the CERT I added was accepted.
And Following the logon to the private registry, I'm able to PULL and PUSH images using docker command line to 'example.registry.com' successfully .
Below is my POM.xml file.
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>1.5.1</version>
<configuration>
<to>
<image>example.registry.com/inventory-service-docker:1.0</image>
<auth>
<username>plaintextusernameforRegistry</username>
<password>plaintestpasswordforRegistry</password>
</auth>
</to>
<from>
<image>openjdk:8</image>
</from>
<container>
<ports>
<port>8089</port>
</ports>
</container>
<allowInsecureRegistries>true</allowInsecureRegistries> <!-- this is commented on the first run.-->
</configuration>
</plugin>
When I run 'mvn compile jib:build' command from the console from the directory with pom.xml file, it does start the processing, however fails at a later stage with below error :-
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries': Failed to verify the server at https://example.registry.com/v2/inventory-service-docker/blobs/sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e because only secure connections are allowed.
When I run the same command after setting the configuration parameter 'allowInsecureRegistries' as suggested from above error, I get a different error as below :-
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed: Failed to authenticate with registry example.registry.com/inventory-service-docker because: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Looks like some config that I'm missing when using JIB that does not connect to 'example.registry.com' securely.
(Before I start, please don't use Jib 1.5.x, as the those versions have a network performance issue.)
JVM doesn't make use of the Windows certificate stores. This doc says
One potential option for Windows I just found in another answer is to start Java with -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT. But I haven't verified myself if this works.
Another way is to add your certificates to the default Java certificate store (truststore) file (cacerts). It is often located under <JDK>/lib/sercurity/ or <JRE>/jre/lib/security/.
There are multiple ways to add certificates (e.g., using various GUI tools). For example,
- on the command line
keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt
- using a GUI tool called KeyStore Explorer
Lastly, for those who want to get some more ideas for troubleshooting this kind of Java cert issues, check out this comment.
这篇关于使用'mvn compile jib:build'推送到Docker Registry失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!