问题描述
我无法将docker映像推送到heroku注册表中。
我已根据docker成功登录:
❯ docker login registry.heroku.com
Authenticating with existing credentials...
Login Succeeded
此后,我运行mvn jib:build
并收到一些令人困惑的错误,说我正在尝试推送到不安全的存储库,而输出中的URL看起来是安全的(以https开头)。
我在做什么错了?
我正在使用以下臂架配置:
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>2.5.2</version>
<configuration>
<to>
<image>registry.heroku.com/my-app</image>
</to>
</configuration>
</plugin>
Caused by: org.apache.maven.plugin.MojoExecutionException: Build image Failed,perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries'
at com.google.cloud.tools.jib.maven.BuildImageMojo.execute (BuildImageMojo.java:169)
at org.apache.maven.plugin.DefaultBuildpluginManager.executeMojo (DefaultBuildpluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:566)
at org.apache.maven.wrapper.BootstrapMainStarter.start (BootstrapMainStarter.java:39)
at org.apache.maven.wrapper.WrapperExecutor.execute (WrapperExecutor.java:122)
at org.apache.maven.wrapper.MavenWrapperMain.main (MavenWrapperMain.java:61)
Caused by: com.google.cloud.tools.jib.api.InsecureRegistryException: Failed to verify the server at https://registry.heroku.com/v2/myapp/blobs/sha256:0fe85c64a011626a777c0662f83b2d819954d4148d96ca5fc626bf99f7c3644d because only secure connections are allowed.
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:180)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates (SSLSessionImpl.java:526)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname (SSLConnectionSocketFactory.java:504)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createlayeredSocket (SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket (SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionoperator.connect (DefaultHttpClientConnectionoperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect (PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute (MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:186)
at org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:56)
at com.google.api.client.http.apache.v2.ApacheHttpRequest.execute (ApacheHttpRequest.java:73)
at com.google.api.client.http.HttpRequest.execute (HttpRequest.java:1012)
at com.google.cloud.tools.jib.http.FailoverHttpClient.call (FailoverHttpClient.java:323)
at com.google.cloud.tools.jib.http.FailoverHttpClient.call (FailoverHttpClient.java:250)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:139)
at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call (RegistryEndpointCaller.java:115)
at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint (RegistryClient.java:592)
at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob (RegistryClient.java:444)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.lambda$makeListForSelectiveDownload$1 (ObtainBaseImageLayerStep.java:74)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:142)
at com.google.cloud.tools.jib.builder.steps.ObtainBaseImageLayerStep.call (ObtainBaseImageLayerStep.java:43)
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly (TrustedListenableFutureTask.java:125)
at com.google.common.util.concurrent.InterruptibleTask.run (InterruptibleTask.java:69)
at com.google.common.util.concurrent.TrustedListenableFutureTask.run (TrustedListenableFutureTask.java:78)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
at java.lang.Thread.run (Thread.java:834)
解决方法
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
该错误表明您的注册表registry.heroku.com
不安全,或者至少您的系统认为它不安全(除非整个TLS验证流程中的某个地方存在错误,否则registry.heroku.com
的配置错误服务器端或registry.heroku.com
被黑客入侵,这是罕见的)。使用https://
并不表示连接安全。仅当您可以验证服务器时,它才是安全的。在浏览不安全网站时浏览器警告您的情况也是如此:
这也可能是由于本地代理或防火墙所致(因为当我在浏览器上访问https://registry.heroku.com
时,我的浏览器可以验证服务器)。
一些选项:
-
接受风险,然后设置Jib的
<allowInsecureRegistries>true
。 (确保没有人在窃听您的连接,并且没有系统受到损害。) -
假定无法验证服务器的原因不是由于本地代理问题,而是因为服务器使用的是自签名证书(即,服务器证书未公开认可) :保护服务器(或使系统认为它是安全的)。最实用的解决方案是通过将自签名证书存储到JVM的信任库中,使JVM相信
registry.heroku.com
是安全的。有许多how-to文章和帖子。例如,- https://github.com/GoogleContainerTools/jib/blob/master/docs/self_sign_cert.md
- https://davidjb.com/blog/2012/02/java-http-request-fails-with-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated/
(但是,我不太确定
registry.heroku.com
是否正在使用自签名证书,正如我所说的,我的浏览器可以对其进行验证。干扰您的计算机以验证服务器的其他情况可能正在发生。值得找出根本原因。)