Kaniko (GitLab CI, K8s) cannot push to Nexus Repository Manager: UNAUTHORIZED: access to the requested resource is not authorized

My GitLab CI job builds an example container image with Kaniko using a GitLab runner on K8s. All services are on my local network behind a static IP. The build process pulls an ArchLinux image from my first Nexus registry service in secured domain A. Then I try to push it to the same Nexus registry, into a second snapshot repository under a second domain B. So I use the same Nexus user. When I try to push, I get the following error:

$ /kaniko/executor  --context $CI_PROJECT_DIR  --dockerfile $CI_PROJECT_DIR/Dockerfile  --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}

error checking push permissions -- make sure you entered the correct tag name, 
and that you are authenticated correctly, and try again: 
checking push permission for "B/example-app:dev-proto-kokosbot": 
POST https://B/v2/example-app/blobs/uploads/: 
UNAUTHORIZED: access to the requested resource is not authorized

Even if I give the cicd user administrator rights, I cannot push via kaniko. With the docker CLI the push works without problems, and I can open the URL from the error in a browser and it works...

My CI config:

stages:
  - build

variables:
  COMMIT_SHORT_SHA: ${CI_COMMIT_SHA} at ${CI_COMMIT_BRANCH}
  IMAGE_NAME: example-app:${CI_COMMIT_BRANCH}
  
build-job:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - echo [INFO] Start building container ${IMAGE_NAME}
    - echo [INFO] Target container registry ${SNAPSHOT_CONTAINER_REGISTRY}
    - mkdir -p /kaniko/.docker
    - |
      echo "{\"auths\":{
        \"${CONTAINER_REGISTRY}\":{
          \"auth\":\"${AUTH_REGISTRY}\"
          }
        },
        \"${SNAPSHOT_CONTAINER_REGISTRY}\":{
          \"auth\":\"${AUTH_REGISTRY}\"
          }
        }        
      }" > /kaniko/.docker/config.json
    - less /kaniko/.docker/config.json
    - >
      /kaniko/executor 
      --context $CI_PROJECT_DIR 
      --dockerfile $CI_PROJECT_DIR/Dockerfile 
      --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}
      --no-push
    - >
      /kaniko/executor 
      --context $CI_PROJECT_DIR 
      --dockerfile $CI_PROJECT_DIR/Dockerfile 
      --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME} 

I have no idea where to start to understand the problem; does anyone have a hint?

Greetings, Kokos Bot.

  • GitLab CE
  • Nexus Repository Manager: Free edition

EDIT: Do I understand correctly that the user is simply not recognized? The user is called CICD, not *UNKNOWN.

Nexus log:

nexus_1  | 2021-02-11 06:48:20,719+0000 INFO  [qtp874955081-232] *UNKNOWN org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling session validation scheduler...
nexus_1  | 2021-02-11 06:48:20,739+0000 INFO  [qtp874955081-232] *UNKNOWN org.sonatype.nexus.internal.security.anonymous.AnonymousManagerImpl - Loaded configuration: OrientAnonymousConfiguration{enabled=false, userId='anonymous', realmName='NexusAuthorizingRealm'}
nexus_1  | 2021-02-11 06:48:20,741+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Servicing: GET /repository/dio-container-snapshot/v2/ (https://snapshot.container.ABC.ABC/repository/dio-container-snapshot/v2/)
nexus_1  | 2021-02-11 06:48:20,742+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Parsed path: RepositoryPath{repositoryName='dio-container-snapshot', remainingPath='/v2/'}
nexus_1  | 2021-02-11 06:48:20,742+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Looking for repository: dio-container-snapshot
nexus_1  | 2021-02-11 06:48:20,743+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Repository: RepositoryImpl$$EnhancerByGuice$$765e645e{type=hosted, format=docker, name='dio-container-snapshot'}
nexus_1  | 2021-02-11 06:48:20,743+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Dispatching to view facet: org.sonatype.nexus.repository.view.ConfigurableViewFacet$$EnhancerByGuice$$d744b4fe@6a0c93a4
nexus_1  | 2021-02-11 06:48:20,745+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.HttpResponseSenderSelector - Looking for HTTP response sender: docker
nexus_1  | 2021-02-11 06:48:20,747+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Request: Request{action='GET', path='/v2/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='null', size=-1}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,748+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258 AND LiteralMatcher{literal='/v2/', ignoreCase=true}
nexus_1  | 2021-02-11 06:48:20,748+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.LiteralMatcher - Matching: /v2/=/v2/ ignore-case: true
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Starting: Route{matcher=AndMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258, LiteralMatcher{literal='/v2/', ignoreCase=true}]}, handlers=[org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347, org.sonatype.nexus.repository.security.SecurityHandler@63226ff1, org.sonatype.nexus.repository.view.handlers.HandlerContributor@60e2348c, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure2@57297d]}
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9
nexus_1  | 2021-02-11 06:48:20,752+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347
nexus_1  | 2021-02-11 06:48:20,752+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.security.SecurityHandler@63226ff1
nexus_1  | 2021-02-11 06:48:20,800+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,801+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Request: Request{action='GET', path='/v2/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='null', size=-1}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,801+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.DefaultHttpResponseSender - Sending response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,806+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service completed
nexus_1  | 2021-02-11 06:48:20,820+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Servicing: POST /repository/dio-container-snapshot/v2/example-app/blobs/uploads/ (https://snapshot.container.ABC.ABC/repository/dio-container-snapshot/v2/example-app/blobs/uploads/)
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Parsed path: RepositoryPath{repositoryName='dio-container-snapshot', remainingPath='/v2/example-app/blobs/uploads/'}
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Looking for repository: dio-container-snapshot
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Repository: RepositoryImpl$$EnhancerByGuice$$765e645e{type=hosted, format=docker, name='dio-container-snapshot'}
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Dispatching to view facet: org.sonatype.nexus.repository.view.ConfigurableViewFacet$$EnhancerByGuice$$d744b4fe@6a0c93a4
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.HttpResponseSenderSelector - Looking for HTTP response sender: docker
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Request: Request{action='POST', path='/v2/example-app/blobs/uploads/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='application/json', size=0}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258 AND LiteralMatcher{literal='/v2/', ignoreCase=true}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2fb965f0 AND OrMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@6264781a, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@3679c546]}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@291c9924 AND OrMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@4deeef12, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@c0bea1d]}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@74a04d2f AND org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@39b83f26
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@314d17c AND org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@501c8801
nexus_1  | 2021-02-11 06:48:20,824+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.token.TokenMatcher - Matching: /v2/example-app/blobs/uploads/~=TokenParser{pattern=\Q/v2/\E(?<name>.+)\Q/blobs/uploads/\E, variables=[var(name,.+)]}
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Starting: Route{matcher=AndMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.ActionMatcher@314d17c, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@501c8801]}, handlers=[org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347, org.sonatype.nexus.repository.security.SecurityHandler@63226ff1, org.sonatype.nexus.repository.view.handlers.HandlerContributor@60e2348c, org.sonatype.nexus.repository.storage.UnitOfWorkHandler@7ba0816b, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure3@4f48429e]}
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347
nexus_1  | 2021-02-11 06:48:20,826+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.security.SecurityHandler@63226ff1
nexus_1  | 2021-02-11 06:48:20,827+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,827+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Request: Request{action='POST', path='/v2/example-app/blobs/uploads/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='application/json', size=0}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,828+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.DefaultHttpResponseSender - Sending response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,828+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service completed
0
asked 11 February 2021 at 08:52
1 answer

I found the problem. There is one wrong bracket in the Docker config. Unfortunately, there are a lot of brackets in the environment variables. So it is not easy to spot.

All the more surprising that Kaniko, for all its trace verbosity, does not spit out an error...

1
answered 24 April 2021 at 01:41
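
A pre-flight check for the failure this answer describes, as an added example that is not part of the original post: it parses a config.json written with the same brace layout as the question's echo template, reports the stray bracket, and shows generating the file with a JSON serializer instead of hand-nested braces. The registry hosts and the credential are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

def build_docker_config(registries, auth_b64):
    """Serialize the config with json.dumps so braces cannot be mismatched."""
    return json.dumps({"auths": {r: {"auth": auth_b64} for r in registries}})

def check_docker_config(text, required_registries):
    """Return a list of problems; an empty list means the file is usable."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict):
        return ['top-level "auths" object is missing']
    problems = []
    for registry in required_registries:
        entry = auths.get(registry)
        if not isinstance(entry, dict) or "auth" not in entry:
            problems.append(f'no "auth" entry for {registry} under "auths"')
            continue
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (ValueError, TypeError):
            problems.append(f"auth for {registry} is not valid base64")
            continue
        if ":" not in decoded:
            problems.append(f"auth for {registry} does not decode to user:password")
    return problems

# Constructed sample values (not from the page): placeholder hosts and credential.
REGISTRIES = ["registry-a.example", "registry-b.example"]
AUTH = base64.b64encode(b"cicd:constructed-password").decode()
# Same brace layout as the echo template in the question's CI job.
BROKEN = """{"auths":{
  "registry-a.example":{
    "auth":"%s"
    }
  },
  "registry-b.example":{
    "auth":"%s"
    }
  }
}""" % (AUTH, AUTH)

if __name__ == "__main__":
    print(check_docker_config(BROKEN, REGISTRIES))
    print(check_docker_config(build_docker_config(REGISTRIES, AUTH), REGISTRIES))
```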
