主页 / server / 问题 / 1053189
Accepted
Kokos Bot
Asked: 2021-02-11 18:47:20 +0800 CST

Kaniko(GitLab CI,K8s)无法推送到 Nexus Repository Manager:UNAUTHORIZED:未授权访问请求的资源

  • 772

我的 GitLab CI 作业使用 Kaniko 在 K8s 上使用 GitLab 运行器构建示例容器映像。所有服务都在我的 LAN 中,位于静态 IP 后面。构建过程从安全域 A 下的第一个 Nexus 注册表服务中提取 ArchLinux 映像。然后我尝试将其推送到同一个 Nexus 注册表到第二个域 B 下的第二个快照存储库中。因此我使用相同的 Nexus 用户。如果作业尝试推送,则会导致以下错误:

$ /kaniko/executor  --context $CI_PROJECT_DIR  --dockerfile $CI_PROJECT_DIR/Dockerfile  --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}

error checking push permissions -- make sure you entered the correct tag name, 
and that you are authenticated correctly, and try again: 
checking push permission for "B/example-app:dev-proto-kokosbot": 
POST https://B/v2/example-app/blobs/uploads/: 
UNAUTHORIZED: access to the requested resource is not authorized

即使我授予 cicd 用户管理员权限,我也无法超越 kaniko。使用 docker CLI 推送没有问题,我可以在浏览器中访问错误的 URL,它可以工作......

我的 CI 配置:

stages:
  - build

variables:
  COMMIT_SHORT_SHA: ${CI_COMMIT_SHA} at ${CI_COMMIT_BRANCH}
  IMAGE_NAME: example-app:${CI_COMMIT_BRANCH}
  
build-job:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - echo [INFO] Start building container ${IMAGE_NAME}
    - echo [INFO] Target container registry ${SNAPSHOT_CONTAINER_REGISTRY}
    - mkdir -p /kaniko/.docker
    - |
      echo "{\"auths\":{
        \"${CONTAINER_REGISTRY}\":{
          \"auth\":\"${AUTH_REGISTRY}\"
          }
        },
        \"${SNAPSHOT_CONTAINER_REGISTRY}\":{
          \"auth\":\"${AUTH_REGISTRY}\"
          }
        }        
      }" > /kaniko/.docker/config.json
    - less /kaniko/.docker/config.json
    - >
      /kaniko/executor 
      --context $CI_PROJECT_DIR 
      --dockerfile $CI_PROJECT_DIR/Dockerfile 
      --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}
      --no-push
    - >
      /kaniko/executor 
      --context $CI_PROJECT_DIR 
      --dockerfile $CI_PROJECT_DIR/Dockerfile 
      --destination ${SNAPSHOT_CONTAINER_REGISTRY}/${IMAGE_NAME}

我不知道从哪里开始理解这个问题,有没有人有线索?

问候, Kokos Bot。

  • GitLab CE
  • Nexus Repository Manager:免费版

编辑:我是否正确理解只是无法识别用户?用户被称为 CICD 而不是 *UNKOWN。

连结日志:

nexus_1  | 2021-02-11 06:48:20,719+0000 INFO  [qtp874955081-232] *UNKNOWN org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling session validation scheduler...
nexus_1  | 2021-02-11 06:48:20,739+0000 INFO  [qtp874955081-232] *UNKNOWN org.sonatype.nexus.internal.security.anonymous.AnonymousManagerImpl - Loaded configuration: OrientAnonymousConfiguration{enabled=false, userId='anonymous', realmName='NexusAuthorizingRealm'}
nexus_1  | 2021-02-11 06:48:20,741+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Servicing: GET /repository/dio-container-snapshot/v2/ (https://snapshot.container.ABC.ABC/repository/dio-container-snapshot/v2/)
nexus_1  | 2021-02-11 06:48:20,742+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Parsed path: RepositoryPath{repositoryName='dio-container-snapshot', remainingPath='/v2/'}
nexus_1  | 2021-02-11 06:48:20,742+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Looking for repository: dio-container-snapshot
nexus_1  | 2021-02-11 06:48:20,743+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Repository: RepositoryImpl$$EnhancerByGuice$$765e645e{type=hosted, format=docker, name='dio-container-snapshot'}
nexus_1  | 2021-02-11 06:48:20,743+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Dispatching to view facet: org.sonatype.nexus.repository.view.ConfigurableViewFacet$$EnhancerByGuice$$d744b4fe@6a0c93a4
nexus_1  | 2021-02-11 06:48:20,745+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.HttpResponseSenderSelector - Looking for HTTP response sender: docker
nexus_1  | 2021-02-11 06:48:20,747+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Request: Request{action='GET', path='/v2/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='null', size=-1}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,748+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258 AND LiteralMatcher{literal='/v2/', ignoreCase=true}
nexus_1  | 2021-02-11 06:48:20,748+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.LiteralMatcher - Matching: /v2/=/v2/ ignore-case: true
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Starting: Route{matcher=AndMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258, LiteralMatcher{literal='/v2/', ignoreCase=true}]}, handlers=[org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347, org.sonatype.nexus.repository.security.SecurityHandler@63226ff1, org.sonatype.nexus.repository.view.handlers.HandlerContributor@60e2348c, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure2@57297d]}
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d
nexus_1  | 2021-02-11 06:48:20,749+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9
nexus_1  | 2021-02-11 06:48:20,752+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347
nexus_1  | 2021-02-11 06:48:20,752+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.security.SecurityHandler@63226ff1
nexus_1  | 2021-02-11 06:48:20,800+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,801+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Request: Request{action='GET', path='/v2/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='null', size=-1}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,801+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.DefaultHttpResponseSender - Sending response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,806+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service completed
nexus_1  | 2021-02-11 06:48:20,820+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Servicing: POST /repository/dio-container-snapshot/v2/example-app/blobs/uploads/ (https://snapshot.container.ABC.ABC/repository/dio-container-snapshot/v2/example-app/blobs/uploads/)
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Parsed path: RepositoryPath{repositoryName='dio-container-snapshot', remainingPath='/v2/example-app/blobs/uploads/'}
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Looking for repository: dio-container-snapshot
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Repository: RepositoryImpl$$EnhancerByGuice$$765e645e{type=hosted, format=docker, name='dio-container-snapshot'}
nexus_1  | 2021-02-11 06:48:20,821+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Dispatching to view facet: org.sonatype.nexus.repository.view.ConfigurableViewFacet$$EnhancerByGuice$$d744b4fe@6a0c93a4
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.HttpResponseSenderSelector - Looking for HTTP response sender: docker
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Request: Request{action='POST', path='/v2/example-app/blobs/uploads/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='application/json', size=0}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,822+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2503258 AND LiteralMatcher{literal='/v2/', ignoreCase=true}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@2fb965f0 AND OrMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@6264781a, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@3679c546]}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@291c9924 AND OrMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@4deeef12, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@c0bea1d]}
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@74a04d2f AND org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@39b83f26
nexus_1  | 2021-02-11 06:48:20,823+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.logic.AndMatcher - Matching: org.sonatype.nexus.repository.view.matchers.ActionMatcher@314d17c AND org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@501c8801
nexus_1  | 2021-02-11 06:48:20,824+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.matchers.token.TokenMatcher - Matching: /v2/example-app/blobs/uploads/~=TokenParser{pattern=\Q/v2/\E(?<name>.+)\Q/blobs/uploads/\E, variables=[var(name,.+)]}
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Starting: Route{matcher=AndMatcher{matchers=[org.sonatype.nexus.repository.view.matchers.ActionMatcher@314d17c, org.sonatype.nexus.repository.view.matchers.token.TokenMatcher@501c8801]}, handlers=[org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347, org.sonatype.nexus.repository.security.SecurityHandler@63226ff1, org.sonatype.nexus.repository.view.handlers.HandlerContributor@60e2348c, org.sonatype.nexus.repository.storage.UnitOfWorkHandler@7ba0816b, org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure3@4f48429e]}
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.view.handlers.TimingHandler@38a76c9d
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure1@64b09cb9
nexus_1  | 2021-02-11 06:48:20,825+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure18@60e34347
nexus_1  | 2021-02-11 06:48:20,826+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Context - Proceeding: org.sonatype.nexus.repository.security.SecurityHandler@63226ff1
nexus_1  | 2021-02-11 06:48:20,827+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.view.Router - Response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,827+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Request: Request{action='POST', path='/v2/example-app/blobs/uploads/', parameters={}, payload=HttpRequestPayloadAdapter{contentType='application/json', size=0}, multipart=false}
nexus_1  | 2021-02-11 06:48:20,828+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.DefaultHttpResponseSender - Sending response: Response{status=Status{successful=false, code=401, message='null'}, payload=StringPayload{size=113, charset=UTF-8, contentType='application/json'}}
nexus_1  | 2021-02-11 06:48:20,828+0000 DEBUG [qtp874955081-232] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service completed
kubernetes gitlab containers nexus continuous-integration

1 个回答

  1. Best Answer

    我发现了问题。Docker 配置中有一个错误的支架。不幸的是,环境变量有很多括号。因此,这并不容易引起注意。

    更让人吃惊的是,鹿晗子,追根究底,竟然不吐槽……

    • 1

相关问题