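CICD tip: TLS error when a Jenkins pipeline accesses a private Harbor registry

This post is an excerpt from this longer article, split out so that beginners can follow it step by step.

Problem description

When the Jenkins pipeline runs, the docker build step fails with an error saying the image could not be pulled: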

+ . /home/jenkins/agent/env.txt
+ GIT_COMMIT=6ff45b2
+ docker build -t harbor.halfcoffee.com/ruoyi-gateway/ruoyi-gateway:6ff45b2-11 .
#0 building with "default" instance using docker driver

#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 259B done
#2 DONE 0.0s

#3 [internal] load metadata for harbor.halfcoffee.com/ruoyi/openjdk:8-jre
#3 ERROR: failed to do request: Head "https://harbor.halfcoffee.com/v2/ruoyi/openjdk/manifests/8-jre": tls: failed to verify certificate: x509: certificate signed by unknown authority
------
 > [internal] load metadata for harbor.halfcoffee.com/ruoyi/openjdk:8-jre:
------
WARNING: buildx: git was not found in the system. Current commit information was not captured by the build
Dockerfile:1
--------------------
   1 | >>> FROM  harbor.halfcoffee.com/ruoyi/openjdk:8-jre
   2 |     WORKDIR /usr/local/src/
   3 |     ADD ./ruoyi-gateway/target/ruoyi-gateway.jar /usr/local/src/ruoyi-gateway.jar
--------------------
ERROR: failed to solve: harbor.halfcoffee.com/ruoyi/openjdk:8-jre: failed to do request: Head "https://harbor.halfcoffee.com/v2/ruoyi/openjdk/manifests/8-jre": tls: failed to verify certificate: x509: certificate signed by unknown authority
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // node
[Pipeline] }
[Pipeline] // podTemplate
[Pipeline] End of Pipeline
ERROR: script returned exit code 1
Finished: FAILURE

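Environment

I deployed a private Harbor on my internal network and used certbot to issue a publicly trusted certificate for it. However, possibly because certbot uses an intermediate CA, clients that access Harbor still need the CA added to the system's certificate trust list. (Accessing Harbor in a browser with the certbot-issued certificate works without problems...)

For details on certbot and the Harbor certificate, see: https://blog.halfcoffee.com/docs/cloudnative/harbor/harborhttps

How to make the Jenkins pipeline Pod trust Harbor

In my environment, Jenkins uses podTemplate to create Pods automatically for deployment. The Pod uses the docker:24.0.6-dind image, which is based on Alpine Linux.

Making this Pod trust Harbor is simple: place Harbor's CA root certificate and intermediate certificate in the Pod's /etc/ssl/certs directory.

In my environment the Workers run CentOS 7.9, and I have already set up certificate trust on the host by following this article, so the host's certificates can be mounted into the Pod. A PodTemplate example follows: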

podTemplate(yaml: '''
              apiVersion: v1
              kind: Pod
              spec:
                volumes:
                - name: docker-socket
                  emptyDir: {}
                - name: hostcerts
                  hostPath:
                    path: /etc/pki/ca-trust/extracted/pem
                containers:
                - name: docker
                  image: docker:24.0.6
                  readinessProbe:
                    exec:
                      command: [sh, -c, "ls -S /var/run/docker.sock"]
                  command:
                  - sleep
                  args:
                  - 99d
                  env:
                  - name: AppName
                    value: "$AppName"
                  - name: harbor_url
                    value: "$harbor_url"
                  - name: JAVA_OPTS
                    value: "$JAVA_OPTS"
                  - name: NacosServer
                    value: "$NacosServer"
                  volumeMounts:
                  - name: docker-socket
                    mountPath: /var/run
                  - name: hostcerts
                    mountPath: /etc/ssl/certs
                - name: docker-daemon
                  image: docker:24.0.6-dind
                  securityContext:
                    privileged: true
                  volumeMounts:
                  - name: docker-socket
                    mountPath: /var/run
                  - name: hostcerts
                    mountPath: /etc/ssl/certs

''')

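The important parts are:

  • A volume named hostcerts is created from the hostPath /etc/pki/ca-trust/extracted/pem (the directory where CentOS stores CA certificates by default)
  • The hostcerts volume is mounted at /etc/ssl/certs in the containers

With these settings in place, running the pipeline again no longer reports Harbor certificate errors.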

+ . /home/jenkins/agent/env.txt
+ GIT_COMMIT=fc351c6
+ docker build -t harbor.halfcoffee.com/ruoyi/ruoyi-gateway:fc351c6-26 .
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 259B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for harbor.halfcoffee.com/ruoyi/openjdk:8-jre
#3 DONE 0.1s

#4 [1/5] FROM harbor.halfcoffee.com/ruoyi/openjdk:8-jre@sha256:c9c3dcdb05062980d369c2126535266ada3120d4af35cfc50ff1ecbb63eb25c1
#4 resolve harbor.halfcoffee.com/ruoyi/openjdk:8-jre@sha256:c9c3dcdb05062980d369c2126535266ada3120d4af35cfc50ff1ecbb63eb25c1 done
#4 sha256:cb5b7ae361722f070eca53f35823ed21baa85d61d5d95cd5a95ab53d740cdd56 3.15MB / 10.87MB 0.1s
#4 sha256:c9c3dcdb05062980d369c2126535266ada3120d4af35cfc50ff1ecbb63eb25c1 1.58kB / 1.58kB done
#4 sha256:26ac3f63d29f23ef46e82e424b14a60cdc2e52b8de2b85e9acf109af1dd9dd2f 7.43kB / 7.43kB done
#4 sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3 6.31MB / 54.92MB 0.1s
#4 sha256:9b829c73b52b92b97d5c07a54fb0f3e921995a296c714b53a32ae67d19231fcd 4.19MB / 5.15MB 0.1s
#4 sha256:cb5b7ae361722f070eca53f35823ed21baa85d61d5d95cd5a95ab53d740cdd56 10.87MB / 10.87MB 0.2s
#4 sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3 15.70MB / 54.92MB 0.2s
#4 sha256:9b829c73b52b92b97d5c07a54fb0f3e921995a296c714b53a32ae67d19231fcd 5.15MB / 5.15MB 0.1s done
#4 sha256:99ce012bef046180a22ef3146fac08398ed1fec48c7b1609b9aed1801e42dfce 4.19MB / 5.65MB 0.2s
#4 sha256:cb5b7ae361722f070eca53f35823ed21baa85d61d5d95cd5a95ab53d740cdd56 10.87MB / 10.87MB 0.2s done
#4 sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3 26.87MB / 54.92MB 0.3s
#4 sha256:99ce012bef046180a22ef3146fac08398ed1fec48c7b1609b9aed1801e42dfce 5.65MB / 5.65MB 0.2s done
#4 sha256:22dc2a72d098601f2b48898ff5e748c316037366c46e554b830cb90ad15519ba 213B / 213B 0.2s done
#4 sha256:9c69a57e10d955041a2cb3ad37236bedbd7ad473dc42d5fa3d88f648affa3a12 3.49MB / 41.37MB 0.3s
#4 sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3 50.33MB / 54.92MB 0.5s
#4 sha256:9c69a57e10d955041a2cb3ad37236bedbd7ad473dc42d5fa3d88f648affa3a12 20.97MB / 41.37MB 0.5s
#4 sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3 54.92MB / 54.92MB 0.6s done
#4 sha256:9c69a57e10d955041a2cb3ad37236bedbd7ad473dc42d5fa3d88f648affa3a12 41.37MB / 41.37MB 0.7s done
#4 extracting sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3
#4 ...

#5 [internal] load build context
#5 transferring context: 88.65MB 0.8s done
#5 DONE 0.8s

#4 [1/5] FROM harbor.halfcoffee.com/ruoyi/openjdk:8-jre@sha256:c9c3dcdb05062980d369c2126535266ada3120d4af35cfc50ff1ecbb63eb25c1
#4 extracting sha256:0e29546d541cdbd309281d21a73a9d1db78665c1b95b74f32b009e0b77a6e1e3 1.8s done
#4 extracting sha256:9b829c73b52b92b97d5c07a54fb0f3e921995a296c714b53a32ae67d19231fcd
#4 extracting sha256:9b829c73b52b92b97d5c07a54fb0f3e921995a296c714b53a32ae67d19231fcd 0.2s done
#4 extracting sha256:cb5b7ae361722f070eca53f35823ed21baa85d61d5d95cd5a95ab53d740cdd56
#4 extracting sha256:cb5b7ae361722f070eca53f35823ed21baa85d61d5d95cd5a95ab53d740cdd56 0.2s done
#4 extracting sha256:99ce012bef046180a22ef3146fac08398ed1fec48c7b1609b9aed1801e42dfce
#4 extracting sha256:99ce012bef046180a22ef3146fac08398ed1fec48c7b1609b9aed1801e42dfce 0.2s done
#4 extracting sha256:22dc2a72d098601f2b48898ff5e748c316037366c46e554b830cb90ad15519ba done
#4 extracting sha256:9c69a57e10d955041a2cb3ad37236bedbd7ad473dc42d5fa3d88f648affa3a12
#4 extracting sha256:9c69a57e10d955041a2cb3ad37236bedbd7ad473dc42d5fa3d88f648affa3a12 0.7s done
#4 DONE 3.8s

#6 [2/5] WORKDIR /usr/local/src/
#6 DONE 0.1s

#7 [3/5] ADD ./ruoyi-gateway/target/ruoyi-gateway.jar /usr/local/src/ruoyi-gateway.jar
#7 DONE 0.1s

#8 [4/5] ADD app.yml .
#8 DONE 0.0s

#9 [5/5] ADD entrypoint.sh .
#9 DONE 0.0s

#10 exporting to image
#10 exporting layers
#10 exporting layers 0.3s done
#10 writing image sha256:aa967f78f39d9907acc1ac4fec2fa39895e86faedfce6ce378d75047ee9ebc4f done
#10 naming to harbor.halfcoffee.com/ruoyi/ruoyi-gateway:fc351c6-26 done
#10 DONE 0.3s
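
To check before a pipeline run whether the CA bundle mounted from the host validates the certificate chain Harbor actually serves, the sketch below fetches the served chain and verifies it against that bundle alone. It is an added example, not part of the original post; the function names are illustrative, and it assumes OpenSSL 1.1.0 or newer (needed for -no-CApath).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.0 or newer.

# Keep only the PEM certificate blocks of a stream (drops s_client chatter).
pem_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print how many certificates a PEM file holds (0 if missing or empty).
count_certs() {
    c=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${c:-0}"
}

# Save the chain the registry sends during the TLS handshake.
# $1 = registry host, $2 = output file, $3 = port (default 443)
fetch_chain() {
    openssl s_client -connect "$1:${3:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | pem_only >"$2"
}

# Verify the served leaf against one bundle only ($1 = served chain, $2 = bundle).
# The served certificates act as untrusted helpers; -partial_chain lets any
# certificate in the bundle anchor the chain, as Go's verifier (Docker) does.
verify_chain() {
    openssl verify -no-CApath -partial_chain -CAfile "$2" \
        -untrusted "$1" "$1" >/dev/null 2>&1
}

# Verdict for a served chain and a bundle. Status: 0 trusted, 1 untrusted, 2 no input.
diagnose() {
    served=$(count_certs "$1")
    if [ "$served" -eq 0 ]; then
        echo "no-certificate"; return 2
    fi
    if verify_chain "$1" "$2"; then
        echo "trusted"; return 0
    fi
    if [ "$served" -eq 1 ]; then
        echo "untrusted-leaf-only"   # server sent no intermediate certificate
    else
        echo "untrusted-chain"       # no served certificate chains to the bundle
    fi
    return 1
}

# With a copy of the bundle from the hostPath used in the PodTemplate:
#   fetch_chain harbor.halfcoffee.com /tmp/served.pem
#   diagnose /tmp/served.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
```

A result of untrusted-leaf-only means the registry sent only its own certificate, so the bundle must contain the issuing intermediate itself for the client to build a chain.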
