英文:
Unable to push docker image to heroku registry
问题
以下是您要求的翻译内容:
无法将Docker镜像推送到Heroku注册表。
根据Docker的说法,我已成功登录:
❯ docker login registry.heroku.com
使用现有凭据进行身份验证...
登录成功
之后,我运行mvn jib:build
,但出现了一些令人困惑的错误,指出我正在尝试推送到不安全的存储库,而输出中的URL看起来是安全的(以https开头)。
我做错了什么?
我正在使用以下的Jib配置:
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>2.5.2</version>
<configuration>
<to>
<image>registry.heroku.com/my-app</image>
</to>
</configuration>
</plugin>
带有-X选项的Maven的jib:build输出:
Caused by: org.apache.maven.plugin.MojoExecutionException: 构建镜像失败,也许您应该使用支持HTTPS的注册表,或设置配置参数'allowInsecureRegistries'
at com.google.cloud.tools.jib.maven.BuildImageMojo.execute (BuildImageMojo.java:169)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.apache.maven.wrapper.BootstrapMainStarter.start (BootstrapMainStarter.java:39)
at org.apache.maven.wrapper.WrapperExecutor.execute (WrapperExecutor.java:122)
at org.apache.maven.wrapper.MavenWrapperMain.main (MavenWrapperMain.java:61)
Caused by: com.google.cloud.tools.jib.api.InsecureRegistryException: 无法验证 https://registry.heroku.com/v2/myapp/blobs/sha256:0fe85c64a011626a777c0662f83b2d819954d4148d96ca5fc626bf99f7c3644d 处的服务器,因为只允许安全连接。
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:180)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: 对等方未经身份验证
at sun.security.ssl.SSLSessionImpl.getPeerCertificates (SSLSessionImpl.java:526)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname (SSLConnectionSocketFactory.java:504)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket (SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket (SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect (DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect (PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute (MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:186)
at org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient
英文:
I'm unable to push a docker image to the heroku registry.
I'm successfully logged in according to docker:
❯ docker login registry.heroku.com
Authenticating with existing credentials...
Login Succeeded
After that I run mvn jib:build
and I get some confusing error saying I'm trying to push to an unsecure repo while the url in de output looks secure ( starts with https ).
What am I doing wrong ?
I'm using the following jib config:
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>2.5.2</version>
<configuration>
<to>
<image>registry.heroku.com/my-app</image>
</to>
</configuration>
</plugin>
Maven output of jib:build wiht -X:
Caused by: org.apache.maven.plugin.MojoExecutionException: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries'
at com.google.cloud.tools.jib.maven.BuildImageMojo.execute (BuildImageMojo.java:169)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.apache.maven.wrapper.BootstrapMainStarter.start (BootstrapMainStarter.java:39)
at org.apache.maven.wrapper.WrapperExecutor.execute (WrapperExecutor.java:122)
at org.apache.maven.wrapper.MavenWrapperMain.main (MavenWrapperMain.java:61)
Caused by: com.google.cloud.tools.jib.api.InsecureRegistryException: Failed to verify the server at https://registry.heroku.com/v2/myapp/blobs/sha256:0fe85c64a011626a777c0662f83b2d819954d4148d96ca5fc626bf99f7c3644d because only secure connections are allowed.
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:180)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates (SSLSessionImpl.java:526)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname (SSLConnectionSocketFactory.java:504)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket (SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket (SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect (DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect (PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute (MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:186)
at org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:56)
at com.google.api.client.http.apache.v2.ApacheHttpRequest.execute (ApacheHttpRequest.java:73)
at com.google.api.client.http.HttpRequest.execute (HttpRequest.java:1012)
at com.google.cloud.tools.jib.http.FailoverHttpClient.call (FailoverHttpClient.java:323)
at com.google.cloud.tools.jib.http.FailoverHttpClient.call (FailoverHttpClient.java:250)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:139)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
答案1
得分: 2
由于: javax.net.ssl.SSLPeerUnverifiedException: 对等体未经身份验证
该错误表明您的注册表 `registry.heroku.com` 是不安全的,或者至少您的系统认为它是不安全的(除非整个 TLS 验证流程中的某个地方存在错误,`registry.heroku.com` 在服务器端配置不正确,或者 `registry.heroku.com` 被黑客攻击,这是不常见的)。使用 `https://` 并不意味着连接是安全的;只有在您能够验证服务器时,它才是安全的。这就是当您访问不安全的网站时浏览器会发出警告的情况:
[![不安全网站][1]][1]
这也可能是由于本地代理或防火墙造成的(因为当我在浏览器中访问 `https://registry.heroku.com` 时,浏览器可以验证服务器)。
一些选项:
1. 接受风险并继续,通过设置 Jib 的 [`<allowInsecureRegistries>true`][2]。(确保没有人在窃听您的连接,也没有系统被入侵。)
2. _假设无法验证服务器的原因不是因为本地代理问题,而是因为服务器使用了自签名证书(即,服务器证书没有公开认可)_:通过将自签名证书存储到您的 JVM 的信任存储中,使您的服务器变得安全(或使您的系统认为它是安全的)。最实际的解决方案是使您的 JVM 相信 `registry.heroku.com` 是安全的。有许多如何文章和帖子。例如,
- https://github.com/GoogleContainerTools/jib/blob/master/docs/self_sign_cert.md
- https://davidjb.com/blog/2012/02/java-http-request-fails-with-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated/
(但是,我不太确定 `registry.heroku.com` 是否在使用自签名证书,正如我所说,我的浏览器可以验证它。可能是其他原因导致您的机器无法验证服务器。值得追踪根本原因。)
[1]: https://i.stack.imgur.com/xUkAw.png
[2]: https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage
英文:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
The error indicates that your registry registry.heroku.com
is insecure, or at least your system believes that it's insecure (unless there is a bug somewhere in the whole TLS verification flow, registry.heroku.com
is mis-configured on the server side, or registry.heroku.com
is hacked, which is uncommon). Using https://
doesn't mean the connection is secure; it's secure only when you can verify the server. It's the same situation where the browser warns you when you visit an insecure site:
This could also be due to a local proxy or firewall (because when I access https://registry.heroku.com
on the browser, my browser can verify the server).
Some options:
-
Accept the risk and proceed by setting Jib's
<allowInsecureRegistries>true
. (Make sure no one is eavesdropping your connection and no system is compromised.) -
Assuming that the reason for being unable to verify the server is not because of a local proxy issue but because the server is using a self-signed certificate (i.e., the server certificate is not publicly endorsed): Secure your server (or make your system believe it's secure). The most practical solution would be to make your JVM believe that
registry.heroku.com
is secure by storing the self-signed certificate into your JVM's truststore. There are many how-to articles and posts. For example,- https://github.com/GoogleContainerTools/jib/blob/master/docs/self_sign_cert.md
- https://davidjb.com/blog/2012/02/java-http-request-fails-with-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated/
(However, I am not too sure if
registry.heroku.com
is using a self-signed certificate, as I said my browser can verify it. Something else may be going on with interfering your machine to verify the server. It's worth tracking down the root cause.)
答案2
得分: 0
使用 Jib 插件部署到 Heroku 需要使用以下属性:
-Djib.to.auth.username=_
-Djib.to.auth.password=$YOUR_HEROKU_API_TOKEN
-Djib.to.image=registry.heroku.com/$YOUR_HEROKU_APP_NAME/web
英文:
To deploy to Heroku with Jib plugin you need to use the following properties:
-Djib.to.auth.username=_
-Djib.to.auth.password=$YOUR_HEROKU_API_TOKEN
-Djib.to.image=registry.heroku.com/$YOUR_HEROKU_APP_NAME/web
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论