Jib-Maven-plugin with Jenkins scripted pipeline: how to log in to private docker registry?

家住魔仙堡 submitted on 2021-02-19 05:20:29

Question


Regarding this problem, I updated my JHipster-Application with scripted Jenkins pipeline and have now in Jenkinsfile (partly following these hints):

[...]

def dockerImage
withEnv(["DOCKER_CREDS=credentials('myregistry-login')"]) {
    stage('publish docker') {
        sh "./mvnw -X -ntp jib:build"
    }
}

with Jenkins global credentials myregistry-login saved in my Jenkins-Server to my own docker registry v2 docker-container https://myregistry.mydomain.com (domain changed for security reasons). I can successfully do a $ docker login myregistry.mydomain.com (as well as docker login https://myregistry.mydomain.com as well as docker login myregistry.mydomain.com:443) from local bash with the user and password stored in myregistry-login.

In pom.xml (following these hints as well as this, this and this):

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <configuration>
    <to>
      <image>myregistry.mydomain.com:443/username/imagename</image>
      <tags>
        <tag>${maven.build.timestamp}</tag>
        <tag>latest</tag>
      </tags>
      <auth>
        <username>${env.DOCKER_CREDS_USR}</username>
        <password>${env.DOCKER_CREDS_PSW}</password>
      </auth>
    </to>
    <container>
      <jvmFlags>
        <jvmFlag>-Xms512m</jvmFlag>
        <jvmFlag>-Xmx1G</jvmFlag>
        <jvmFlag>-Xdebug</jvmFlag>
      </jvmFlags>
      <mainClass>de.myproject_name.MyApp</mainClass>
    </container>
  </configuration>
</plugin>

where username, imagename and de.myproject_name.MyApp are placeholders here.

Unfortunately I get

[DEBUG] TIMING  Retrieving registry credentials for myregistry.mydomain.com:443
[DEBUG] No credentials could be retrieved for registry myregistry.mydomain.com:443
[...]
[ERROR] I/O error for image [myregistry.mydomain.com:443/username/imagename]:
[ERROR]     Connect to myregistry.mydomain.com:443 [myregistry.mydomain.com/xxx.xxx.xxx.xxx] failed: Connection refused (Connection refused)
[DEBUG] TIMED   Authenticating push to myregistry.mydomain.com:443 : 460.0 ms
[DEBUG] TIMED   Building and pushing image : 514.0 ms
[ERROR] I/O error for image [registry-1.docker.io/library/adoptopenjdk]:
[ERROR]     Socket closed

So the withEnv isn't forwarded to Maven and/or the jib-maven-plugin is not reading the <auth> tag, right? What am I still doing wrong? And why is there an I/O error to registry-1.docker.io?


Answer 1:


Finally I've got it working.

In Jenkinsfile I edit the JHipster generated code to:

def dockerImage
stage('publish docker') {
    withCredentials([usernamePassword(credentialsId: 'myregistry-login', passwordVariable: 'DOCKER_REGISTRY_PWD', usernameVariable: 'DOCKER_REGISTRY_USER')]) {
        sh "./mvnw -ntp jib:build"
    }
}

In pom.xml I put the jib-maven-plugin configuration:

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <configuration>
    <from>
      <image>adoptopenjdk:11-jre-hotspot</image>
    </from>
    <to>
      <auth>
        <username>${DOCKER_REGISTRY_USER}</username>
        <password>${DOCKER_REGISTRY_PWD}</password>
      </auth>
      <image>myregistry.mydomain.com/myuser/my_image</image>
      <tags>
        <tag>${maven.build.timestamp}</tag>
        <tag>latest</tag>
      </tags>
    </to>
    <container>
      <jvmFlags>
        <jvmFlag>-Xms512m</jvmFlag>
        <jvmFlag>-Xmx1G</jvmFlag>
        <jvmFlag>-Xdebug</jvmFlag>
      </jvmFlags>
      <mainClass>com.mypackage.MyApp</mainClass>
      <entrypoint>
        <shell>bash</shell>
        <option>-c</option>
        <arg>chmod +x /entrypoint.sh &amp;&amp; sync &amp;&amp; /entrypoint.sh</arg>
      </entrypoint>
      <ports>
        <port>8080</port>
      </ports>
      <environment>
        <SPRING_OUTPUT_ANSI_ENABLED>ALWAYS</SPRING_OUTPUT_ANSI_ENABLED>
        <JHIPSTER_SLEEP>0</JHIPSTER_SLEEP>
      </environment>
      <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
    </container>
  </configuration>
</plugin>

In my remote server setup my own docker registry v2 is running as a docker-container published via nginx-proxy with letsencrypt-nginx-proxy-companion. On the same custom network bridge runs my own jenkins server as another docker-container.

Some tests showed me that the container name of the docker registry cannot be the public DNS name of the registry (e.g. 'myregistry.mydomain.com' as container name). The jenkins docker container gets the embedded docker DNS server into resolv.conf, and docker will resolve the container names of containers in the same network to the internal bridge-network IPs of these containers (only in the case of custom docker networks).

I guess jib has to connect via ssl to push the docker image to the docker registry container and ssl has to be handled before the container with nginx-proxy, so the external address of the docker registry domain has to be used.

Also the docker hosts firewall has to be configured (according to this link) to allow traffic from the docker container jenkins through to the docker host. At the host it then goes back again to docker registry via nginx-proxy with ssl, right? In my case, this comes down to:

$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 
  [...] 
  rich rules: 
    rule family="ipv4" source address="172.26.0.13/32" accept
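Both failure modes in this thread, a credential variable that was never bound (the withEnv attempt in the question) and a registry name that resolves to a container's bridge address instead of the public endpoint (the "Connection refused" in the answer), can be caught before ./mvnw runs. The wrapper below is an added example and is not code from the question, the answer or the jib project. It assumes the variable names from the answer's withCredentials binding (DOCKER_REGISTRY_USER, DOCKER_REGISTRY_PWD) and the placeholder host myregistry.mydomain.com; the private-range check is a heuristic for the answer's setup, where the public name must not resolve to a docker bridge IP.

```shell
#!/bin/sh
# Added example (not from the question, the answer or jib): a pre-flight wrapper
# that a Jenkins `sh` step can call instead of invoking ./mvnw directly.
# Variable names follow the answer's withCredentials binding; the host name is
# the placeholder used in the thread.

REGISTRY_HOST="${REGISTRY_HOST:-myregistry.mydomain.com}"

# Returns 0 when both credential values look usable, 1 otherwise.
# Diagnostics go to stderr and never include the secret itself.
check_registry_creds() {
    user="$1"
    pass="$2"
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "registry credentials missing: bind them with withCredentials(usernamePassword(...))" >&2
        return 1
    fi
    # The question's withEnv(["DOCKER_CREDS=credentials('...')"]) sets the literal
    # string "credentials('...')"; withEnv does not resolve Jenkins credentials.
    case "$user$pass" in
        *"credentials("*)
            echo "credential variable holds a literal credentials(...) call; use withCredentials" >&2
            return 1 ;;
    esac
    return 0
}

# Prints only the length of a secret, for log lines.
mask() {
    printf '<%d chars>' "${#1}"
}

# Returns 0 for RFC 1918 addresses (10/8, 172.16/12, 192.168/16), 1 otherwise.
# On the answer's setup, docker's embedded DNS handing back a 172.x bridge
# address for the public registry name was the cause of "Connection refused".
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Resolves the registry name with getent (glibc) and fails if it lands on a
# private IPv4 address, i.e. a container name is shadowing the public DNS name.
check_registry_resolution() {
    host="$1"
    addr=$(getent hosts "$host" | awk '{ print $1; exit }')
    if [ -z "$addr" ]; then
        echo "cannot resolve $host" >&2
        return 1
    fi
    if is_private_ipv4 "$addr"; then
        echo "$host resolves to $addr (private range); a container may be named after the public DNS name" >&2
        return 1
    fi
    echo "$host resolves to $addr"
    return 0
}

# Pre-flight checks, then the same build command the answer uses. The credentials
# stay in the environment for the pom's <auth> block; nothing goes on the command line.
run_jib_build() {
    check_registry_creds "${DOCKER_REGISTRY_USER:-}" "${DOCKER_REGISTRY_PWD:-}" || return 1
    check_registry_resolution "$REGISTRY_HOST" || return 1
    echo "publishing as $DOCKER_REGISTRY_USER with password $(mask "$DOCKER_REGISTRY_PWD")"
    ./mvnw -ntp jib:build
}

# Only run the build when invoked as `sh jib-publish.sh --run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    run_jib_build
fi
```

Inside the answer's withCredentials block the `sh` step would call `sh jib-publish.sh --run`; a missing or literal-string credential then fails the stage with a readable message instead of jib's later "No credentials could be retrieved for registry" line, and the resolution check flags the container-name collision the answer describes before any push is attempted.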


Source: https://stackoverflow.com/questions/59661871/jib-maven-plugin-with-jenkins-scripted-pipeline-how-to-log-in-to-private-docker
