My spring-boot project builds its docker image on bitbucket.org using the spring-boot-maven-plugin with its build-image goal. On pipelines we always get the following maven error:
Docker API call to 'localhost:2375/v1.24/containers/create' failed with status code 403 "Forbidden"
In the docker log I found the following
time="2021-03-25T11:30:59Z" level=info msg="Container create request." ArgsEscaped=false AttachStderr=false AttachStdin=false AttachStdout=false ExposedPorts="map[]" Healthcheck="<nil>" Labels="map[author:spring-boot]" MacAddress= NetworkDisabled=false OnBuild="[]" OpenStdin=false StdinOnce=false StopSignal= StopTimeout="<nil>" Tty=false plugin=pipelines
time="2021-03-25T11:30:59Z" level=info msg="Container create request." AutoRemove=false BlkioDeviceReadBps="[]" BlkioDeviceReadIOps="[]" BlkioDeviceWriteBps="[]" BlkioDeviceWriteIOps="[]" BlkioWeight=0 BlkioWeightDevice="[]" CPUCount=0 CPUPercent=0 CPUPeriod=0 CPUQuota=0 CPURealtimePeriod=0 CPURealtimeRuntime=0 CPUShares=0 CapAdd="[]" CapDrop="[]" Capabilities="[]" Cgroup= CgroupParent= ConsoleSize="[0 0]" ContainerIDFile= CpusetCpus= CpusetMems= DNS="[]" DNSOptions="[]" DNSSearch="[]" DeviceCgroupRules="[]" Devices="[]" ExtraHosts="[]" GroupAdd="[]" IOMaximumBandwidth=0 IOMaximumIOps=0 Init="<nil>" IpcMode= Isolations= KernelMemory=0 Links="[]" LogConfig="{ map[]}" MaskedPaths="[]" Memory=0 MemoryReservation=0 MemorySwap=0 MemorySwappiness="<nil>" Mounts="[]" NanoCPUs=0 NetworkMode=default OomKillDisable="<nil>" OomScoreAdj=0 PidMode= PidsLimit="<nil>" PortBindings="map[]" Privileged=false PublishAllPorts=false ReadOnlyPaths="[]" RestartPolicy="{ 0}" Runtime= SecurityOpt="[]" ShmSize=0 StorageOpt="map[]" Sysctls="map[]" Ulimits="[]" UsernsMode= VolumeDriver= VolumesFrom="[]" plugin=pipelines
time="2021-03-25T11:30:59Z" level=info msg="Pipelines plugin request authorization." allowed=false method=POST plugin=pipelines uri=/v1.24/containers/create
time="2021-03-25T11:30:59.233599182Z" level=error msg="AuthZRequest for POST /v1.24/containers/create returned error: authorization denied by plugin pipelines: -v only supports $BITBUCKET_CLONE_DIR and its subdirectories"
I found a few posts with similar problems but no real explanation of what is going wrong or whether there is anything I can do about it.
There is an Atlassian ticket where someone references this log: https://jira.atlassian.com/browse/BCLOUD-17592
I know that on my local machine there are lots of named volumes on the creator container.
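A triage helper for the daemon log above, added here as an example and not part of the original post: it parses the logfmt lines and returns the requests an authorization plugin denied, together with the plugin's stated reason. The sample log is constructed from the lines quoted in the post (the third line is invented for contrast), and the function names are this example's own.

```python
import re

# Constructed sample in the dockerd logfmt style quoted in the post.
SAMPLE_LOG = '''\
time="2021-03-25T11:30:59Z" level=info msg="Pipelines plugin request authorization." allowed=false method=POST plugin=pipelines uri=/v1.24/containers/create
time="2021-03-25T11:30:59.233599182Z" level=error msg="AuthZRequest for POST /v1.24/containers/create returned error: authorization denied by plugin pipelines: -v only supports $BITBUCKET_CLONE_DIR and its subdirectories"
time="2021-03-25T11:31:02Z" level=info msg="Pipelines plugin request authorization." allowed=true method=GET plugin=pipelines uri=/v1.24/images/json
'''

# key=value or key="quoted value" pairs; a quoted value is consumed whole,
# so '=' signs inside a message are never mistaken for new keys.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
DENIED = re.compile(
    r'AuthZRequest for (\S+) (\S+) returned error: '
    r'authorization denied by plugin ([^:]+): (.*)')

def parse_line(line):
    """Split one logfmt line into a dict of fields."""
    fields = {}
    for key, val in PAIR.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields

def authz_denials(log_text):
    """Return one record per request rejected by an authorization plugin."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        m = DENIED.match(f.get("msg", ""))
        if f.get("level") == "error" and m:
            method, uri, plugin, reason = m.groups()
            out.append({"time": f.get("time"), "method": method,
                        "uri": uri, "plugin": plugin, "reason": reason})
    return out

if __name__ == "__main__":
    for d in authz_denials(SAMPLE_LOG):
        print(d["time"], d["method"], d["uri"], "->", d["plugin"], ":", d["reason"])
```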
Related
I am trying to install cloudflow version 2.0.25 in the EKS cluster using helm, but the pod goes into CrashLoopBackOff status with the error below:
ERROR [ActorSystemImpl] - Unexpected error starting cloudflow operator, terminating.
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://172.20.0.1/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions. Message: the server could not find the requested resource. Received status: Status(apiVersion=v1, code=404, details=StatusDetails(causes=[], group=null, kind=null, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=the server could not find the requested resource, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=NotFound, status=Failure, additionalProperties={}).
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:570)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:509)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:474)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:435)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:250)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:871)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:366)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:85)
at cloudflow.operator.Main$.checkCRD(Main.scala:140)
at cloudflow.operator.Main$.main(Main.scala:61)
at cloudflow.operator.Main.main(Main.scala)
Please help me resolve this issue.
I tried creating crd and then also created custom_roles and rolebindings but it didn't work.
I use containerd to launch docker images inside my K8S. I can't put a proxy on my env and have no internet access on the node VM.
I've installed a JCR to be able to get docker images and provide it as a mirror.
This JCR has internet access.
When I look inside K8S I always see that it is not able to pull the sandbox image "k8s.gcr.io/pause:3.1"; it always fails with an i/o timeout.
I put several docker remote repositories inside my JCR:
docker-remote https://registry-1.docker.io/
k8s.gcr.io https://k8s.gcr.io/
and a virtual named docker
I put inside my containerd.toml
...
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."*"]
endpoint = ["https://docker.jcr.mydomain"]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://docker.jcr.mydomain"]
[plugins.cri.registry.mirrors."k8s.gcr.io"]
endpoint = ["https://docker.jcr.mydomain"]
And then it's able to pull the image, but I really don't understand why it isn't able to pull this image with the "*" wildcard.
I cannot do this for every docker registry; I need to find a solution to make the "*" work.
Another problem occurred with quay.io.
For the docker registry quay.io I never managed to mirror it.
Even if I put
...
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."*"]
endpoint = ["https://docker.jcr.mydomain"]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://docker.jcr.mydomain"]
[plugins.cri.registry.mirrors."quai.io"]
endpoint = ["https://docker.jcr.mydomain"]
and for this image quay.io/coreos/flannel:v0.11.0-amd64
this is the result:
Pulling image "quay.io/coreos/flannel:v0.11.0-amd64"
Warning Failed 13s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Failed to pull image "quay.io/coreos/flannel:v0.11.0-amd64": rpc error: code = Unknown desc = failed to pull and unpack image "quay.io/coreos/flannel:v0.11.0-amd64": failed to resolve reference "quay.io/coreos/flannel:v0.11.0-amd64": unexpected status code [manifests v0.11.0-amd64]: 403 Forbidden
Warning Failed 13s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Error: ErrImagePull
Normal BackOff 1s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Back-off pulling image "quay.io/coreos/flannel:v0.11.0-amd64"
Warning Failed 1s (x3 over 54s) kubelet, 121a9964-9914-4548-b576-69d6ac1f88d8.k8s Error: ImagePullBackOff
I found the reason why "quay.io/coreos/flannel:v0.11.0-amd64" failed.
It's because this image has a severe CVE inside it, so the Artifactory repository forbids the download.
see https://quay.io/repository/coreos/flannel?tab=tags
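The lookup the post is struggling with, as an added example that is not from the original post or from containerd's code: it assumes a mirror is chosen by exact registry host first and by the "*" entry only when the containerd release honours it (`wildcard_supported` is a hypothetical switch for that), and it flags mirror keys that match no image host. The config is constructed from the table quoted in the post; all function names are this example's own.

```python
import re

# Constructed sample: the mirrors table as posted, including its "quai.io" key.
CONFIG = '''\
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."*"]
endpoint = ["https://docker.jcr.mydomain"]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://docker.jcr.mydomain"]
[plugins.cri.registry.mirrors."quai.io"]
endpoint = ["https://docker.jcr.mydomain"]
'''

SECTION = re.compile(
    r'\[plugins\.cri\.registry\.mirrors\."([^"]+)"\]\s*'
    r'endpoint\s*=\s*\[([^\]]*)\]')

def load_mirrors(toml_text):
    """Map each mirrors."<host>" key to its endpoint list."""
    return {host: re.findall(r'"([^"]+)"', eps)
            for host, eps in SECTION.findall(toml_text)}

def registry_host(image):
    """Registry host of an image reference; bare names default to docker.io."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def resolve(image, mirrors, wildcard_supported=True):
    """Return (matched_key, endpoints); (None, []) means a direct upstream pull."""
    # Assumption: exact host match wins, "*" is only a fallback.
    host = registry_host(image)
    if host in mirrors:
        return host, mirrors[host]
    if wildcard_supported and "*" in mirrors:
        return "*", mirrors["*"]
    return None, []

def unused_keys(images, mirrors):
    """Mirror keys that no image in the list matches by exact host."""
    hosts = {registry_host(i) for i in images}
    return sorted(k for k in mirrors if k != "*" and k not in hosts)
```

An image that resolves to `(None, [])` is fetched directly from its upstream registry: on a node without internet access that is the i/o timeout, and on a connected node it is a pull that never passes through the JCR and whatever it blocks.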
When I run my maven build pointing to the JFrog Artifactory setup I see the following error in the log:
2020-05-14T04:41:01.640Z [jfrt ] [ERROR] [dcb2a29d3c46472e] [o.a.r.RemoteRepoBase:806 ] [http-nio-8081-exec-1] - IO error while trying to download resource 'jcenter:org/springframework/security/spring-security-web/4.2.2.RELEASE/spring-security-web-4.2.2.RELEASE.jar': javax.net.ssl.SSLException: Connection reset
2020-05-14T04:41:01.641Z [jfrt ] [WARN ] [dcb2a29d3c46472e] [o.a.e.DownloadServiceImpl:266 ] [http-nio-8081-exec-1] - Sending HTTP error code 404: Connection reset
I have checked the connectivity to the jcenter repo from within the Artifactory admin console, and it says that it's able to connect.
Require your assistance.
Regards
Please check the URL you are using for JCenter and make sure it is using secure HTTP - https://jcenter.bintray.com.
Starting in January 2020, JCenter is only serving requests made with HTTPS. From that point on, all requests made with HTTP are denied and any builds that use a JCenter URL with the non-secure HTTP protocol will fail.
For more info see the following blog post.
I'm working with GitLab (free edition) pipelines and started receiving the error below on a pipeline that was working.
This is a minimal example from my .gitlab-ci.yml that reproduces the error (although I don't think it is related to my code):
default:
  image: node:10-alpine
stages:
  - build
build:
  stage: build
  script:
    - npm install
  artifacts:
    paths:
      - node_modules/
  only:
    - Staging
.
.
.
Error's log:
64 packages are looking for funding
run `npm fund` for details
Running after_script
Saving cache
Uploading artifacts for successful job
Uploading artifacts...
node_modules/: found 62788 matching files
WARNING: Uploading artifacts to coordinator... failed id=512111 responseStatus=400 Bad Request status=400 Bad Request token=4Dwaaa
WARNING: Retrying... context=artifacts-uploader error=invalid argument
WARNING: Uploading artifacts to coordinator... failed id=512111 responseStatus=400 Bad Request status=400 Bad Request token=4Dwaaa
WARNING: Retrying... context=artifacts-uploader error=invalid argument
WARNING: Uploading artifacts to coordinator... failed id=512111 responseStatus=400 Bad Request status=400 Bad Request token=4Dwaaa
FATAL: invalid argument
ERROR: Job failed: exit code 1
Found this thread on Stack Overflow but it is related to a different status error.
There are multiple threads (1, 2, 3) on this issue on the GitLab forum but it is hard to understand the cause of the problem and how to resolve it.
Any help will be highly appreciated.
I've deployed Nexus OSS 3.6 and it's being served on http://server:8082/nexus
I have configured a docker-hub proxy using the instructions in http://www.sonatype.org/nexus/2017/02/16/using-nexus-3-as-your-repository-part-3-docker-images/ and have configured the docker-group to serve under port 18000
I can perform the following:
docker login server:18000
docker search server:18000/jenkins
but when I run:
docker pull server:18000/jenkins
I get the following error:
Error response from daemon: Get http://10.105.139.17:18000/v2/jenkins/manifests/latest:
error parsing HTTP 400 response body: invalid character '<'
looking for beginning of value:
"<html>\n<head>\n<meta http-equiv=\"Content-Type\"
content=\"text/html;charset=ISO-8859-1\"/>\n<title>
Error 400 </title>\n</head>\n<body>\n<h2>HTTP ERROR: 400</h2>\n
<p>Problem accessing /nexus/v2/token.
Reason:\n<pre> Not a Docker request</pre></p>\n<hr />
Powered by Jetty:// 9.3.20.v20170531<hr/>\n
</body>\n</html>\n"
My jetty nexus.properties config file is:
# Jetty section
application-port=8082
application-host=0.0.0.0
# nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/nexus
# Nexus section
# nexus-edition=nexus-pro-edition
# nexus-features=\
# nexus-pro-feature
Could anyone offer any suggestions on how to fix this please?
I had the same problem when I enabled the anonymous read on some docker repository.
Repositories->Docker hosted->Check the checkbox (Disable to allow anonymous pull) from the repository.
Seems you need to upgrade Nexus to 3.6.1 according to:
https://issues.sonatype.org/browse/NEXUS-14488
in order to allow anonymous read again