Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docker hub credentials 401 Unauthorized #1256

Closed
mhamdisemah opened this issue Nov 17, 2018 · 22 comments
Closed

docker hub credentials 401 Unauthorized #1256

mhamdisemah opened this issue Nov 17, 2018 · 22 comments

Comments

@mhamdisemah
Copy link

jib-maven-plugin Configuration: 

<plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>jib-maven-plugin</artifactId>
                <version>0.10.0</version>
                <configuration>
                    <to>
                        <image>registry.hub.docker.com/mhamdisemah/demo-jib</image>
                        <auth>
                            <username>mhamdisemah</username>
                            <password>mypass</password>
                        </auth>
                    </to>
                </configuration>
            </plugin>

Log output:
Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.10.0:build (default-cli) on project demo_jib_docker: Build image failed, perhaps you should make sure your credentials for 'registry.hub.docker.com' are set up correctly: Unauthorized for registry.hub.docker.com/mhamdisemah/demo-jib: 401 Unauthorized
[ERROR] {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"mhamdisemah/demo-jib","Action":"pull"},{"Type":"repository","Class":"","Name":"mhamdisemah/demo-jib","Action":"push"}]}]}
@coollog
Copy link
Contributor

coollog commented Nov 19, 2018

Hi @mhamdisemah , do the same credentials work if you used docker to push an image to mhamdisemah/demo-jib? (after logging in with docker login)

@mhamdisemah
Copy link
Author

docker login work well with my credentials but jib give me this error it seems credentials problems, can you explain more

@rschlick
Copy link

rschlick commented Nov 27, 2018
edited by chanseokoh
Loading

Hello,

I have similar problem when Jib is pushing the image.
When I use docker push. There is no problem.

GRAVE: Got more than one input Future failure. Logging failures after the first
com.google.cloud.tools.jib.registry.RegistryUnauthorizedException: Unauthorized for MY_URL:1026/image_name
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:262)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.fallBackToHttp(RegistryEndpointCaller.java:191)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.handleUnverifiableServerException(RegistryEndpointCaller.java:180)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.callWithAllowInsecureRegistryHandling(RegistryEndpointCaller.java:155)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:142)
        at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint(RegistryClient.java:339)
        at com.google.cloud.tools.jib.registry.RegistryClient.pushBlob(RegistryClient.java:288)
        at com.google.cloud.tools.jib.builder.steps.PushBlobStep.call(PushBlobStep.java:88)
        at com.google.cloud.tools.jib.builder.steps.PushBlobStep.call(PushBlobStep.java:36)
        at com.google.common.util.concurrent.CombinedFuture$CallableInterruptibleTask.runInterruptibly(CombinedFuture.java:181)
        at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:57)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.google.api.client.http.HttpResponseException: 403 Forbidden
{"errors":[{"code":"UNAUTHORIZED","message":"The client does not have permission to push to the repository.","detail":{}}]}
        at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1070)
        at com.google.cloud.tools.jib.http.Connection.send(Connection.java:168)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:232)
        ... 13 more

I have configured the plugin like this:

                  <plugin>
                    <groupId>com.google.cloud.tools</groupId>
                    <artifactId>jib-maven-plugin</artifactId>
                    <version>0.10.0</version>
                    <configuration>
                        <from>
                            <image>xxxx:1026/xxx/openjdk-8-alpine</image>
                            <auth>
                                <username>XXXX</username>
                                <password>XXXXX</password>
                            </auth>
                        </from>

                        <to>
                            <image>xxxxxx:1026/xxxx/${project.artifactId}</image>
                            <auth>
                                <username>xxxxxx</username>
                                <password>xxxxx</password>
                            </auth>
                        </to>
                        <allowInsecureRegistries>true</allowInsecureRegistries>
                    </configuration>
                    <executions>
                        <execution>
                            <phase>package</phase>
                            <goals>
                                <goal>build</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>

@chanseokoh
Copy link
Member

@rschlick the exception shows that you are communicating with your registry over HTTP instead of HTTPS. Jib does not send credentials over HTTP, unless you set the system property sendCredentialsOverHttp. However, using sendCredentialsOverHttp is discouraged.

@rschlick
Copy link

rschlick commented Nov 27, 2018
edited
Loading

@rschlick the exception shows that you are communicating with your registry over HTTP instead of HTTPS. Jib does not send credentials over HTTP, unless you set the system property sendCredentialsOverHttp. However, using sendCredentialsOverHttp is discouraged.

Thanks for the info. It's working now :)

@briandealwis
Copy link
Member

@mhamdisemah is it possible that your password has some values that need to be encoded to be placed in XML?

Jib will use your Docker credentials (~/.docker/config.json) so if you're able to push using docker push then you can remove your <auth> section.

@yanhongwang
Copy link

yanhongwang commented Feb 25, 2019
edited
Loading

Hello all,

I execute 'docker pull' and 'docker push' in command line without error.
My private docker registry doesn't have limitation of authorization.

In my pom.xml

        <plugin>
          <groupId>com.google.cloud.tools</groupId>
          <artifactId>jib-maven-plugin</artifactId>
          <version>1.0.0</version>
          <configuration>
            <from><image>gcr.io/distroless/java:debug</image></from>
            <to><image>privateDockerRegistry:5000/myimage:jib</image></to>
            <allowInsecureRegistries>true</allowInsecureRegistries>
            <container><useCurrentTimestamp>true</useCurrentTimestamp></container>
          </configuration>
        </plugin>

When I execute the command:
$ mvn compile jib:build
And I have also similar error....

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.0.0:build (default-cli) on project myimage: Build image failed, perhaps you should make sure you have permissions for privateDockerRegistry:5000/myimage: Unauthorized for privateDockerRegistry:5000/myimage: 403 Forbidden

Thanks very much.

@yanhongwang
Copy link

In my environment, I also need to go out pass through proxy server.
I refer to this article,
#525 (comment)

I had tried with -Dhttps.proxyHost=... -Dhttps.proxyPort-... -Dhttp.proxyHost=... -Dhttp.proxyPort=
It didn't work...

@chanseokoh
Copy link
Member

chanseokoh commented Feb 25, 2019
edited
Loading

@yanhongwang

When I execute the command:
$ mvn compile jib:build

I think your private registry at port 5000 is HTTP (not HTTPS). Did you set the system property sendCredentialsOverHttp somewhere? (#1256 (comment))

And we don't recommend using an insecure or HTTP registry.

@yanhongwang
Copy link

Hello @chanseokoh

No, I didn't set sendCredentialsOverHttp this property.
Because this privateDockerRegistry:5000 is isolated in intranet by firewall,
So we don't have credential on that.

@chanseokoh
Copy link
Member

Hmm... that's interesting. If the registry has no password at all, it's puzzling that it's returning 403 Forbidden.

@chanseokoh
Copy link
Member

It'd be worth trying the system property sendCredentialsOverHttp anyway to see if it works. But as I said, we discourage its usage in general.

@yanhongwang
Copy link

yanhongwang commented Feb 25, 2019
edited by chanseokoh
Loading

@chanseokoh

I try with sendCredentialsOverHttp and execute the command:

mvn -Dhttp.proxyHost=myproxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=myproxy -Dhttps.proxyPort=3128 -Djib.httpTimeout=0 -DsendCredentialsOverHttp=true --file ./pom-jib.xml compile jib:build

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.0.0:build (default-cli) on project my-project: Build image failed, perhaps you should make sure you have permissions for privateDockerRegistry:5000/dockerimage: Unauthorized for privateDockerRegistry:5000/dockerimage: 403 Forbidden
[ERROR] 
[ERROR] <html><head>
[ERROR] <meta type="copyright" content="Copyright (C) 1996-2018 The Squid Software Foundation and contributors">
[ERROR] <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
[ERROR] <title>ERROR: The requested URL could not be retrieved</title>
[ERROR] <style type="text/css"><!--
[ERROR]  /*
[ERROR]  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
[ERROR]  *
[ERROR]  * Squid software is distributed under GPLv2+ license and includes
[ERROR]  * contributions from numerous individuals and organizations.
[ERROR]  * Please see the COPYING and CONTRIBUTORS files for details.
[ERROR]  */
....
....

@briandealwis
Copy link
Member

@yanhongwang are you sure your HTTP and HTTPS proxy is on the same port? That 403 error looks like it's being reported by your proxy rather than the registry. Can you check your proxy logs?

@briandealwis
Copy link
Member

And could you please try to obtain a network trace?

@yanhongwang
Copy link

yanhongwang commented Feb 26, 2019
edited by chanseokoh
Loading

Hello @briandealwis

Yes, in my case, HTTP and HTTPS are the same URL and port.

bash-4.4# mvn -Djava.util.logging.config.file=./mylogging.properties -DjibSerialize=true -Dhttp.proxyHost=myproxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=myproxy -Dhttps.proxyPort=3128 -DsendCredentialsOverHttp=true --file ./pom-jib.xml compile jib:build
[INFO] Scanning for projects...
[INFO] 
[INFO] -------< de.mycompany.myproduct.myservice:my-image >--------
[INFO] Building my-image 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- jacoco-maven-plugin:0.7.2.201409121644:prepare-agent (default) @ my-image ---
[INFO] argLine set to -javaagent:/root/.m2/repository/org/jacoco/org.jacoco.agent/0.7.2.201409121644/org.jacoco.agent-0.7.2.201409121644-runtime.jar=destfile=/home/jenkins/workspace/myservice/myservice/./target/jacoco.exec,append=true
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ my-image ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1 resource
[INFO] Copying 1 resource
[INFO] 
[INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ my-image ---
[INFO] Nothing to compile - all classes are up to date
[INFO] 
[INFO] --- jib-maven-plugin:1.0.0:build (default-cli) @ my-image ---
[WARNING] Authentication over HTTP is enabled. It is strongly recommended that you do not enable this on a public network!
[WARNING] Setting image creation time to current time; your image may not be reproducible.
[INFO] 
[INFO] Containerizing application to myregistry:5000/myimage:jib...
[INFO] Executing tasks:
[INFO] [===                           ] 10.0% complete
[INFO] > authenticating push to myregistry:5000
Feb 26, 2019 10:46:54 AM com.google.api.client.http.HttpRequest execute
CONFIG: -------------- REQUEST  --------------
GET https://myregistry:5000/v2/
Accept: 
Accept-Encoding: gzip
User-Agent: jib 1.0.0 Google-HTTP-Java-Client/1.23.0 (gzip)

Feb 26, 2019 10:46:54 AM com.google.api.client.http.HttpRequest execute
CONFIG: curl -v --compressed -H 'Accept: ' -H 'Accept-Encoding: gzip' -H 'User-Agent: jib 1.0.0 Google-HTTP-Java-Client/1.23.0 (gzip)' -- 'https://myregistry:5000/v2/'
Feb 26, 2019 10:46:54 AM com.google.api.client.http.HttpResponse <init>
CONFIG: -------------- RESPONSE --------------
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Tue, 26 Feb 2019 09:52:45 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3414
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from synnefo-proxy
X-Cache-Lookup: NONE from synnefo-proxy:3128
Connection: keep-alive

Feb 26, 2019 10:46:54 AM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: Total: 3,414 bytes
Feb 26, 2019 10:46:54 AM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: 
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2018 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--
 /*
 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/

/* Page basics */
* {
 font-family: verdana, sans-serif;
}

html body {
 margin: 0;
 padding: 0;
 background: #efefef;
 font-size: 12px;
 color: #1e1e1e;
}

/* Page displayed title area */
#titles {
 margin-left: 15px;
 padding: 10px;
 padding-left: 100px;
 background: url('/squid-internal-static/icons/SN.png') no-repeat left;
}

/* initial title */
#titles h1 {
 color: #000000;
}
#titles h2 {
 color: #000000;
}

/* special event: FTP success page titles */
#titles ftpsuccess {
 background-color:#00ff00;
 width:100%;
}

/* Page displayed body content area */
#content {
 padding: 10px;
 background: #ffffff;
}

/* General text */
p {
}

/* error brief description */
#error p {
}

/* some data which may have caused the problem */
#data {
}

/* the error message received from the system or other software */
#sysmsg {
}

pre {
    font-family:sans-serif;
}

/* special event: FTP / Gopher directory listing */
#dirmsg {
    font-family: courier;
    color: black;
    font-size: 10pt;
}
#dirlisting {
    margin-left: 2%;
    margin-right: 2%;
}
#dirlisting tr.entry td.icon,td.filename,td.size,td.date {
    border-bottom: groove;
}
#dirlisting td.size {
    width: 50px;
    text-align: right;
    padding-right: 5px;
}

/* horizontal lines */
hr {
 margin: 0;
}

/* page displayed footer area */
#footer {
 font-size: 9px;
 padding-left: 10px;
}


body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
 --></style>
</head><body id="ERR_ACCESS_DENIED">
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="myregistry:5000">myregistry:5000</a></p>

<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>

<p>Your cache administrator is <a href="mailto:[email protected]?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&amp;body=CacheHost%3A%20synnefo-proxy%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2026%20Feb%202019%2009%3A52%3A45%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.244.61%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20myregistry%3A5000%0D%0A%0D%0A%0D%0A">[email protected]</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Tue, 26 Feb 2019 09:52:45 GMT by synnefo-proxy (squid)</p>
<!-- ERR_ACCESS_DENIED -->
</div> Executing tasks:
[INFO] [======                        ] 20.0% complete
[INFO] > pulling base image manifest
Feb 26, 2019 10:46:54 AM com.google.api.client.http.HttpRequest execute
CONFIG: -------------- REQUEST  --------------
GET https://gcr.io/v2/distroless/java/manifests/debug
Accept: application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json
Accept-Encoding: gzip
User-Agent: jib 1.0.0 jib-maven-plugin Google-HTTP-Java-Client/1.23.0 (gzip)

Feb 26, 2019 10:46:54 AM com.google.api.client.http.HttpRequest execute
CONFIG: curl -v --compressed -H 'Accept: application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json' -H 'Accept-Encoding: gzip' -H 'User-Agent: jib 1.0.0 jib-maven-plugin Google-HTTP-Java-Client/1.23.0 (gzip)' -- 'https://gcr.io/v2/distroless/java/manifests/debug'
Feb 26, 2019 10:46:55 AM com.google.api.client.http.HttpResponse <init>
CONFIG: -------------- RESPONSE --------------
HTTP/1.1 200 OK
Docker-Distribution-API-Version: registry/2.0
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Content-Length: 1370
Docker-Content-Digest: sha256:212b252e5ff6f47ded6143ebfd924bc7ba45ca627e7a2c20149049c01dc57f86
Date: Tue, 26 Feb 2019 09:46:55 GMT
Server: Docker Registry
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39"

Feb 26, 2019 10:46:55 AM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: Total: 1,370 bytes
Feb 26, 2019 10:46:55 AM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: {
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 1258,
      "digest": "sha256:908d338d162ebaaaf16c0fca82010f05d0b283438686a6f22e706707b5ef8323"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 653647,
         "digest": "sha256:b94e0ff719209f5b24e42cae8fc22942852e78e967e212c8b32e8a0fc4637e6c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 7326227,
         "digest": "sha256:5f5edd681dcbc3a4a9df93e200e59e1708031e65b2299970eabdc91a78cc8234"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 598661,
         "digest": "sha256:f012627546b6c39ead9fbdad0612610c021cf0e31b1e49a2afb0f52f2b3ba248"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 643663,
         "digest": "sha256:3e010093287c245d72a774033b4cddd6451a820bfbb1948c97798e1838858dd2"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 39049528,
         "digest": "sha256:a7d4171a9938a270086e73d7d95ea3f196cf1951a81c7a153fc55290607022a6"
      }
   ]
}
Feb 26, 2019 10:46:55 AM com.google.api.client.http.HttpRequest execute
CONFIG: -------------- REQUEST  --------------
GET https://gcr.io/v2/distroless/java/blobs/sha256:908d338d162ebaaaf16c0fca82010f05d0b283438686a6f22e706707b5ef8323
Accept: 
Accept-Encoding: gzip
User-Agent: jib 1.0.0 jib-maven-plugin Google-HTTP-Java-Client/1.23.0 (gzip)

Feb 26, 2019 10:46:55 AM com.google.api.client.http.HttpRequest execute
CONFIG: curl -v --compressed -H 'Accept: ' -H 'Accept-Encoding: gzip' -H 'User-Agent: jib 1.0.0 jib-maven-plugin Google-HTTP-Java-Client/1.23.0 (gzip)' -- 'https://gcr.io/v2/distroless/java/blobs/sha256:908d338d162ebaaaf16c0fca82010f05d0b283438686a6f22e706707b5ef8323'
Feb 26, 2019 10:46:55 AM com.google.api.client.http.HttpResponse <init>
CONFIG: -------------- RESPONSE --------------
HTTP/1.1 302 Found
Docker-Distribution-API-Version: registry/2.0
Location: https://storage.googleapis.com/artifacts.distroless.appspot.com/containers/images/sha256:908d338d162ebaaaf16c0fca82010f05d0b283438686a6f22e706707b5ef8323
Content-Type: application/json
Content-Encoding: gzip
Date: Tue, 26 Feb 2019 09:46:55 GMT
Server: Docker Registry
Cache-Control: private
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39"
Transfer-Encoding: chunked

Feb 26, 2019 10:46:55 AM com.google.api.client.http.HttpRequest execute
CONFIG: -------------- REQUEST  --------------
GET https://storage.googleapis.com/artifacts.distroless.appspot.com/containers/images/sha256:908d338d162ebaaaf16c0fca82010f05d0b283438686a6f22e706707b5ef8323
Accept: 
Accept-Encoding: gzip
User-Agent: jib 1.0.0 jib-maven-plugin Google-HTTP-Java-Client/1.23.0 (gzip)

Feb 26, 2019 10:46:55 AM com.google.api.client.http.HttpRequest execute
CONFIG: curl -v --compressed -H 'Accept: ' -H 'Accept-Encoding: gzip' -H 'User-Agent: jib 1.0.0 jib-maven-plugin Google-HTTP-Java-Client/1.23.0 (gzip)' -- 'https://storage.googleapis.com/artifacts.distroless.appspot.com/containers/images/sha256:908d338d162ebaaaf16c0fca82010f05d0b283438686a6f22e706707b5ef8323'
Feb 26, 2019 10:46:56 AM com.google.api.client.http.HttpResponse <init>
CONFIG: -------------- RESPONSE --------------
HTTP/1.1 200 OK
X-GUploader-UploadID: AEnB2UpV7gtEM7vtX1ruFJCzMvqo2qToRqiMpbwvVVxb6zVMyFUaF90rH5TkQFDCKIAkhIgUj-L4lppz9J8b4-lIZ1BsexKsvw
Expires: Tue, 26 Feb 2019 10:15:25 GMT
Date: Tue, 26 Feb 2019 09:15:25 GMT
Last-Modified: Mon, 25 Feb 2019 21:09:47 GMT
ETag: "bb1dbdeaf92082cbe01085604d34bc48"
x-goog-generation: 1551128987334220
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1258
Content-Type: application/octet-stream
x-goog-hash: crc32c=5ELQ3A==
x-goog-hash: md5=ux296vkggsvgEIVgTTS8SA==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 1258
Server: UploadServer
Cache-Control: public, max-age=3600
Age: 18Executing tasks:
[INFO] [========                      ] 25.0% complete
[INFO] > pulling base image manifest
Feb 26, 2019 10:46:56 AM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: Total: 1,258 bytes
Feb 26, 2019 10:46:56 AM com.google.api.client.util.LoggingByteArrayOutputStream close
CONFIG: {"architecture": "amd64", "author": "Bazel", "config": {"Entrypoint": ["/usr/bin/java", "-XX:+UnlockExperimentalVMOptions", "-XX:+UseCGroupMemoryLimitForHeap", "-jar"], "Env": ["JAVA_VERSION=8u181", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/busybox", "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"]}, "created": "1970-01-01T00:00:00Z", "history": [{"author": "Bazel", "created": "1970-01-01T00:00:00Z", "created_by": "bazel build ..."}, {"author": "Bazel", "created": "1970-01-01T00:00:00Z", "created_by": "bazel build ..."}, {"author": "Bazel", "created": "1970-01-01T00:00:00Z", "created_by": "bazel build ..."}, {"author": "Bazel", "created": "1970-01-01T00:00:00Z", "created_by": "bazel build ..."}, {"author": "Bazel", "created": "1970-01-01T00:00:00Z", "created_by": "bazel build ..."}], "os": "linux", "rootfs": {"diff_ids": ["sha256:d99570028c52961737dc516fe610562e38b7bcb3e1b4b213e4d0c08bb963d725", "sha256:87c74
[INFO] Container entrypoint set to [java, -cp, /app/resources:/app/classes:/app/libs/*, de.mycompany.myproduct.myservice.myserviceApplication]
[INFO] Executing tasks:
[INFO] [==================            ] 60.0% complete
[INFO] > setting up to push layers
[INFO] > setting up to push layers
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.075 s
[INFO] Finished at: 2019-02-26T10:46:56+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.0.0:build (default-cli) on project my-image: Build image failed, perhaps you should make sure you have permissions for myregistry:5000/myimage: Unauthorized for myregistry:5000/myimage: 403 Forbidden
[ERROR] 
[ERROR] <html><head>
[ERROR] <meta type="copyright" content="Copyright (C) 1996-2018 The Squid Software Foundation and contributors">
[ERROR] <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
[ERROR] <title>ERROR: The requested URL could not be retrieved</title>
[ERROR] <style type="text/css"><!--
[ERROR]  /*
[ERROR]  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
[ERROR]  *
[ERROR]  * Squid software is distributed under GPLv2+ license and includes
[ERROR]  * contributions from numerous individuals and organizations.
[ERROR]  * Please see the COPYING and CONTRIBUTORS files for details.
[ERROR]  */
[ERROR] 
[ERROR] /*
[ERROR]  Stylesheet for Squid Error pages
[ERROR]  Adapted from design by Free CSS Templates
[ERROR]  http://www.freecsstemplates.org
[ERROR]  Released for free under a Creative Commons Attribution 2.5 License
[ERROR] */
[ERROR] 
[ERROR] /* Page basics */
[ERROR] * {
[ERROR] 	font-family: verdana, sans-serif;
[ERROR] }
[ERROR] 
[ERROR] html body {
[ERROR] 	margin: 0;
[ERROR] 	padding: 0;
[ERROR] 	background: #efefef;
[ERROR] 	font-size: 12px;
[ERROR] 	color: #1e1e1e;
[ERROR] }
[ERROR] 
[ERROR] /* Page displayed title area */
[ERROR] #titles {
[ERROR] 	margin-left: 15px;
[ERROR] 	padding: 10px;
[ERROR] 	padding-left: 100px;
[ERROR] 	background: url('/squid-internal-static/icons/SN.png') no-repeat left;
[ERROR] }
[ERROR] 
[ERROR] /* initial title */
[ERROR] #titles h1 {
[ERROR] 	color: #000000;
[ERROR] }
[ERROR] #titles h2 {
[ERROR] 	color: #000000;
[ERROR] }
[ERROR] 
[ERROR] /* special event: FTP success page titles */
[ERROR] #titles ftpsuccess {
[ERROR] 	background-color:#00ff00;
[ERROR] 	width:100%;
[ERROR] }
[ERROR] 
[ERROR] /* Page displayed body content area */
[ERROR] #content {
[ERROR] 	padding: 10px;
[ERROR] 	background: #ffffff;
[ERROR] }
[ERROR] 
[ERROR] /* General text */
[ERROR] p {
[ERROR] }
[ERROR] 
[ERROR] /* error brief description */
[ERROR] #error p {
[ERROR] }
[ERROR] 
[ERROR] /* some data which may have caused the problem */
[ERROR] #data {
[ERROR] }
[ERROR] 
[ERROR] /* the error message received from the system or other software */
[ERROR] #sysmsg {
[ERROR] }
[ERROR] 
[ERROR] pre {
[ERROR]     font-family:sans-serif;
[ERROR] }
[ERROR] 
[ERROR] /* special event: FTP / Gopher directory listing */
[ERROR] #dirmsg {
[ERROR]     font-family: courier;
[ERROR]     color: black;
[ERROR]     font-size: 10pt;
[ERROR] }
[ERROR] #dirlisting {
[ERROR]     margin-left: 2%;
[ERROR]     margin-right: 2%;
[ERROR] }
[ERROR] #dirlisting tr.entry td.icon,td.filename,td.size,td.date {
[ERROR]     border-bottom: groove;
[ERROR] }
[ERROR] #dirlisting td.size {
[ERROR]     width: 50px;
[ERROR]     text-align: right;
[ERROR]     padding-right: 5px;
[ERROR] }
[ERROR] 
[ERROR] /* horizontal lines */
[ERROR] hr {
[ERROR] 	margin: 0;
[ERROR] }
[ERROR] 
[ERROR] /* page displayed footer area */
[ERROR] #footer {
[ERROR] 	font-size: 9px;
[ERROR] 	padding-left: 10px;
[ERROR] }
[ERROR] 
[ERROR] 
[ERROR] body
[ERROR] :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
[ERROR] :lang(he) { direction: rtl; }
[ERROR]  --></style>
[ERROR] </head><body id="ERR_ACCESS_DENIED">
[ERROR] <div id="titles">
[ERROR] <h1>ERROR</h1>
[ERROR] <h2>The requested URL could not be retrieved</h2>
[ERROR] </div>
[ERROR] <hr>
[ERROR] 
[ERROR] <div id="content">
[ERROR] <p>The following error was encountered while trying to retrieve the URL: <a href="myregistry:5000">myregistry:5000</a></p>
[ERROR] 
[ERROR] <blockquote id="error">
[ERROR] <p><b>Access Denied.</b></p>
[ERROR] </blockquote>
[ERROR] 
[ERROR] <p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
[ERROR] 
[ERROR] <p>Your cache administrator is <a href="mailto:[email protected]?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&amp;body=CacheHost%3A%20synnefo-proxy%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2026%20Feb%202019%2009%3A52%3A45%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.244.61%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20myregistry%3A5000%0D%0A%0D%0A%0D%0A">[email protected]</a>.</p>
[ERROR] <br>
[ERROR] </div>
[ERROR] 
[ERROR] <hr>
[ERROR] <div id="footer">
[ERROR] <p>Generated Tue, 26 Feb 2019 09:52:45 GMT by synnefo-proxy (squid)</p>
[ERROR] <!-- ERR_ACCESS_DENIED -->
[ERROR] </div>
[ERROR] </body></html>
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

@chanseokoh
Copy link
Member

@yanhongwang I think it's the Squid proxy server that's denying the proxy request, and the error has nothing to do with the registry authentication. (sendCredentialsOverHttp probably not needed.)

HTTP/1.1 403 Forbidden
Server: squid
...
X-Squid-Error: ERR_ACCESS_DENIED 0

Seems like it's the Squid output that says its access control configuration prevents your proxy request.

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>

<p>Your cache administrator is <a href="mailto:[email protected]?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&amp;body=CacheHost%3A%20synnefo-proxy%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2026%20Feb%202019%2009%3A52%3A45%20GMT%0D%0A%0D%0AClientIP%3A%2010.0.244.61%0D%0A%0D%0AHTTP%20Request%3A%0D%0ACONNECT%20%2F%20HTTP%2F1.1%0AProxy-Connection%3A%20Keep-Alive%0D%0AHost%3A%20myregistry%3A5000%0D%0A%0D%0A%0D%0A">[email protected]</a>.</p>

And I think this happens only for internal access, for example. The proxy works when requesting gcr.io or googleapis.com. Maybe for internal network access, you need a password?

I suggest you consult your network administrator to figure out what's going on. I believe they will be able to help you out after looking at the log.

@briandealwis
Copy link
Member

The call to fetch https://myregistry:5000/v2/ is failing with a 403 due to a proxy configuration clamp. But the fetch to gcr.io/distroless/java succeeds.

So I suspect that you shouldn't be accessing your registry through the proxy. You should be be able to set http.nonProxyHosts to pass-through calls directly to your registry. There are examples on the Java guide for proxies.

@yanhongwang
Copy link

yanhongwang commented Feb 27, 2019
edited
Loading

@chanseokoh
You are right, sendCredentialsOverHttp is not needed.

@briandealwis
Thansk for this hint of http.nonProxyHosts. It works now!!!

Before doing that. I always set proxy by environment variable in shell (http_proxy, https_proxy and no_proxy),
But, in this case proxy seem must be indicated within command line, right?

Now I try to set up proxy (http, https and no_proxy) in /root/.m2/settings.xml and only with command
mvn --file ./pom-jib.xml compile jib:build

/root/.m2/settings.xml

<proxies>
  <proxy>
    <active>true</active>
    <protocol>http</protocol>
    <port>3128</port>
    <host>myproxy</host>
    <nonProxyHosts>myregistry</nonProxyHosts>
  </proxy>
  <proxy>
    <active>true</active>
    <protocol>https</protocol>
    <port>3128</port>
    <host>myproxy</host>
    <nonProxyHosts>myregistry</nonProxyHosts>
  </proxy>
</proxies>

And why does that show error?

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.0.0:build (default-cli) on project myservice: Build image failed, perhaps you should make sure that the registry you configured exists/is spelled properly: Unknown host gcr.io -> [Help 1]

@chanseokoh
Copy link
Member

Before doing that. I always set proxy by environment variable in shell (http_proxy, https_proxy and no_proxy),
But, in this case proxy seem must be indicated within command line, right?

The implementation reads proxy info from the system properties you've been using. It doesn't pick up any particular environment variables for proxy info (unless you provide the system properties through a JVM-wide environment variables by, e.g., setting JAVA_TOOLS_OPTIONS+= -Dhttp.nonProxyHosts`.) So, you've been doing right with setting the system properties.

I don't find anything particularly wrong with settings.xml besides that you are not giving different <id>s to them. Check this example. Make sure you provide different id strings. However, I'm not sure if that's the cause. Run $ mvn help:effective-settings at the root of your project to see if it picks up the proxy settings. If it still doesn't work, please upload the full stack trace.

@yanhongwang
Copy link

@chanseokoh

You are right.
I missed <id> in settings.xml.

It works now. Thanks very much.

@chanseokoh chanseokoh mentioned this issue Feb 28, 2019
Closed
@chanseokoh
Copy link
Member

chanseokoh commented Jun 6, 2019
edited
Loading

Closing a stale issue. For those who encounter 401 (Unauthorized) or 403 (Forbidden, DEFINED), check out these FAQs:

https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-forbidden-or-denied

https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@briandealwis @rschlick @coollog @yanhongwang @chanseokoh @mhamdisemah