无法将 Docker 镜像推送到 Heroku 镜像仓库。

huangapple go评论87阅读模式
英文:

Unable to push docker image to heroku registry

问题

以下是您要求的翻译内容:

无法将Docker镜像推送到Heroku注册表。

根据Docker的说法,我已成功登录:

❯ docker login registry.heroku.com
使用现有凭据进行身份验证...
登录成功

之后,我运行mvn jib:build,但出现了一些令人困惑的错误,指出我正在尝试推送到不安全的存储库,而输出中的URL看起来是安全的(以https开头)。
我做错了什么?

我正在使用以下的Jib配置:

  <plugin>
            <groupId>com.google.cloud.tools</groupId>
            <artifactId>jib-maven-plugin</artifactId>
            <version>2.5.2</version>
            <configuration>
                <to>
                    <image>registry.heroku.com/my-app</image>
                </to>
            </configuration>
  </plugin>

带有-X选项的Maven的jib:build输出:

    Caused by: org.apache.maven.plugin.MojoExecutionException: 构建镜像失败,也许您应该使用支持HTTPS的注册表,或设置配置参数'allowInsecureRegistries'
    at com.google.cloud.tools.jib.maven.BuildImageMojo.execute (BuildImageMojo.java:169)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.apache.maven.wrapper.BootstrapMainStarter.start (BootstrapMainStarter.java:39)
    at org.apache.maven.wrapper.WrapperExecutor.execute (WrapperExecutor.java:122)
    at org.apache.maven.wrapper.MavenWrapperMain.main (MavenWrapperMain.java:61)
Caused by: com.google.cloud.tools.jib.api.InsecureRegistryException: 无法验证 https://registry.heroku.com/v2/myapp/blobs/sha256:0fe85c64a011626a777c0662f83b2d819954d4148d96ca5fc626bf99f7c3644d 处的服务器,因为只允许安全连接。
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:180)
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
    at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
    at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
    at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: 对等方未经身份验证
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates (SSLSessionImpl.java:526)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname (SSLConnectionSocketFactory.java:504)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket (SSLConnectionSocketFactory.java:437)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket (SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect (DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect (PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute (MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:186)
    at org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient
英文:

I'm unable to push a docker image to the heroku registry.

I'm successfully logged in according to docker:

❯ docker login registry.heroku.com
Authenticating with existing credentials...
Login Succeeded

After that I run mvn jib:build and I get some confusing error saying I'm trying to push to an unsecure repo while the url in de output looks secure ( starts with https ).
What am I doing wrong ?

I'm using the following jib config:

  &lt;plugin&gt;
            &lt;groupId&gt;com.google.cloud.tools&lt;/groupId&gt;
            &lt;artifactId&gt;jib-maven-plugin&lt;/artifactId&gt;
            &lt;version&gt;2.5.2&lt;/version&gt;
            &lt;configuration&gt;
                &lt;to&gt;
                    &lt;image&gt;registry.heroku.com/my-app&lt;/image&gt;
                &lt;/to&gt;
            &lt;/configuration&gt;
  &lt;/plugin&gt;

Maven output of jib:build wiht -X:

    Caused by: org.apache.maven.plugin.MojoExecutionException: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter &#39;allowInsecureRegistries&#39;
    at com.google.cloud.tools.jib.maven.BuildImageMojo.execute (BuildImageMojo.java:169)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.apache.maven.wrapper.BootstrapMainStarter.start (BootstrapMainStarter.java:39)
    at org.apache.maven.wrapper.WrapperExecutor.execute (WrapperExecutor.java:122)
    at org.apache.maven.wrapper.MavenWrapperMain.main (MavenWrapperMain.java:61)
Caused by: com.google.cloud.tools.jib.api.InsecureRegistryException: Failed to verify the server at https://registry.heroku.com/v2/myapp/blobs/sha256:0fe85c64a011626a777c0662f83b2d819954d4148d96ca5fc626bf99f7c3644d because only secure connections are allowed.
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:180)
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
    at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
    at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
    at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates (SSLSessionImpl.java:526)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname (SSLConnectionSocketFactory.java:504)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket (SSLConnectionSocketFactory.java:437)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket (SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect (DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect (PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute (MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:186)
    at org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:56)
    at com.google.api.client.http.apache.v2.ApacheHttpRequest.execute (ApacheHttpRequest.java:73)
    at com.google.api.client.http.HttpRequest.execute (HttpRequest.java:1012)
    at com.google.cloud.tools.jib.http.FailoverHttpClient.call (FailoverHttpClient.java:323)
    at com.google.cloud.tools.jib.http.FailoverHttpClient.call (FailoverHttpClient.java:250)
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:139)
    at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
    at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
    at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
    at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
    at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:834)

答案1

得分: 2

由于: javax.net.ssl.SSLPeerUnverifiedException: 对等体未经身份验证
该错误表明您的注册表 `registry.heroku.com` 是不安全的,或者至少您的系统认为它是不安全的(除非整个 TLS 验证流程中的某个地方存在错误,`registry.heroku.com` 在服务器端配置不正确,或者 `registry.heroku.com` 被黑客攻击,这是不常见的)。使用 `https://` 并不意味着连接是安全的;只有在您能够验证服务器时,它才是安全的。这就是当您访问不安全的网站时浏览器会发出警告的情况:

[![不安全网站][1]][1]

这也可能是由于本地代理或防火墙造成的(因为当我在浏览器中访问 `https://registry.heroku.com` 时,浏览器可以验证服务器)。

一些选项:

1. 接受风险并继续,通过设置 Jib 的 [`<allowInsecureRegistries>true`][2]。(确保没有人在窃听您的连接,也没有系统被入侵。)

2. _假设无法验证服务器的原因不是因为本地代理问题,而是因为服务器使用了自签名证书(即,服务器证书没有公开认可)_:通过将自签名证书存储到您的 JVM 的信任存储中,使您的服务器变得安全(或使您的系统认为它是安全的)。最实际的解决方案是使您的 JVM 相信 `registry.heroku.com` 是安全的。有许多如何文章和帖子。例如,
   - https://github.com/GoogleContainerTools/jib/blob/master/docs/self_sign_cert.md
   - https://davidjb.com/blog/2012/02/java-http-request-fails-with-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated/

    (但是,我不太确定 `registry.heroku.com` 是否在使用自签名证书,正如我所说,我的浏览器可以验证它。可能是其他原因导致您的机器无法验证服务器。值得追踪根本原因。)

  [1]: https://i.stack.imgur.com/xUkAw.png
  [2]: https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage
英文:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

The error indicates that your registry registry.heroku.com is insecure, or at least your system believes that it's insecure (unless there is a bug somewhere in the whole TLS verification flow, registry.heroku.com is mis-configured on the server side, or registry.heroku.com is hacked, which is uncommon). Using https:// doesn't mean the connection is secure; it's secure only when you can verify the server. It's the same situation where the browser warns you when you visit an insecure site:

无法将 Docker 镜像推送到 Heroku 镜像仓库。

This could also be due to a local proxy or firewall (because when I access https://registry.heroku.com on the browser, my browser can verify the server).

Some options:

  1. Accept the risk and proceed by setting Jib's &lt;allowInsecureRegistries&gt;true. (Make sure no one is eavesdropping your connection and no system is compromised.)

  2. Assuming that the reason for being unable to verify the server is not because of a local proxy issue but because the server is using a self-signed certificate (i.e., the server certificate is not publicly endorsed): Secure your server (or make your system believe it's secure). The most practical solution would be to make your JVM believe that registry.heroku.com is secure by storing the self-signed certificate into your JVM's truststore. There are many how-to articles and posts. For example,

    (However, I am not too sure if registry.heroku.com is using a self-signed certificate, as I said my browser can verify it. Something else may be going on with interfering your machine to verify the server. It's worth tracking down the root cause.)

答案2

得分: 0

使用 Jib 插件部署到 Heroku 需要使用以下属性:

    -Djib.to.auth.username=_
    -Djib.to.auth.password=$YOUR_HEROKU_API_TOKEN
    -Djib.to.image=registry.heroku.com/$YOUR_HEROKU_APP_NAME/web
英文:

To deploy to Heroku with Jib plugin you need to use the following properties:

    -Djib.to.auth.username=_
    -Djib.to.auth.password=$YOUR_HEROKU_API_TOKEN
    -Djib.to.image=registry.heroku.com/$YOUR_HEROKU_APP_NAME/web

huangapple
  • 本文由 发表于 2020年8月31日 19:36:38
  • 转载请务必保留本文链接:https://go.coder-hub.com/63670029.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定