spring-boot:build-image fails in BitBucket Pipelines: authorization denied by plugin pipelines

uidvcgyl  posted 7 months ago  in Spring
Follow (0) | Answers (2) | Views (88)

Trying to build a Spring Boot 3.1.5 container image with mvn spring-boot:build-image in a BitBucket pipeline fails with the error:
authorization denied by plugin pipelines: -v only supports $BITBUCKET_CLONE_DIR and its subdirectories
It seems to be related to this old issue.
Is there a way to control the folders the buildpack uses during the build? I would like to configure it so that everything is stored under the workspace.
Here are the Docker logs:

time="2023-11-03T19:12:56.885434830Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
time="2023-11-03T19:12:56.885648523Z" level=warning msg="Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network." host="tcp://0.0.0.0:2375"
time="2023-11-03T19:12:56.885666219Z" level=warning msg="Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there!" host="tcp://0.0.0.0:2375"
time="2023-11-03T19:12:57.885961215Z" level=warning msg="Binding to an IP address without --tlsverify is deprecated. Startup is intentionally being slowed down to show this message" host="tcp://0.0.0.0:2375"
time="2023-11-03T19:12:57.885989373Z" level=warning msg="Please consider generating tls certificates with client validation to prevent exposing unauthenticated root access to your network" host="tcp://0.0.0.0:2375"
time="2023-11-03T19:12:57.886017149Z" level=warning msg="You can override this by explicitly specifying '--tls=false' or '--tlsverify=false'" host="tcp://0.0.0.0:2375"
time="2023-11-03T19:12:57.886028707Z" level=warning msg="Support for listening on TCP without authentication or explicit intent to run without authentication will be removed in the next release" host="tcp://0.0.0.0:2375"
time="2023-11-03T19:13:12Z" level=warning msg="containerd config version `1` has been deprecated and will be removed in containerd v2.0, please switch to version `2`, see https://github.com/containerd/containerd/blob/main/docs/PLUGINS.md#version-header"
time="2023-11-03T19:13:12.926730931Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.devmapper" error="devmapper not configured"
time="2023-11-03T19:13:12.927374579Z" level=warning msg="could not use snapshotter devmapper in metadata plugin" error="devmapper not configured"
time="2023-11-03T19:13:12.929579015Z" level=warning msg="failed to load plugin io.containerd.internal.v1.opt" error="mkdir /opt/containerd: read-only file system"
time="2023-11-03T19:13:12.929903334Z" level=error msg="failed to initialize a tracing processor \"otlp\"" error="no OpenTelemetry endpoint: skip plugin"
time="2023-11-03T19:13:12.997037717Z" level=warning msg="Your kernel does not support CPU realtime scheduler"
time="2023-11-03T19:13:12.997063850Z" level=warning msg="Your kernel does not support cgroup blkio weight"
time="2023-11-03T19:13:12.997071625Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
time="2023-11-03T19:13:48Z" level=info msg="Pipelines plugin request authorization." allowed=true method=POST plugin=pipelines uri="/v1.24/images/create?fromImage=docker.io%2Fpaketobuildpacks%2Fbuilder-jammy-base%3Alatest"
time="2023-11-03T19:14:15Z" level=info msg="Pipelines plugin request authorization." allowed=true method=GET plugin=pipelines uri="/v1.24/images/docker.io/paketobuildpacks/builder-jammy-base:latest/json"
time="2023-11-03T19:14:15Z" level=info msg="Pipelines plugin request authorization." allowed=true method=POST plugin=pipelines uri="/v1.24/images/create?fromImage=docker.io%2Fpaketobuildpacks%2Frun-jammy-base%3Alatest"
time="2023-11-03T19:14:17Z" level=info msg="Pipelines plugin request authorization." allowed=true method=GET plugin=pipelines uri="/v1.24/images/docker.io/paketobuildpacks/run-jammy-base:latest/json"
time="2023-11-03T19:14:17Z" level=info msg="Pipelines plugin request authorization." allowed=true method=POST plugin=pipelines uri=/v1.24/images/load
time="2023-11-03T19:14:17Z" level=info msg="Container create request." ArgsEscaped=false AttachStderr=false AttachStdin=false AttachStdout=false ExposedPorts="map[]" Healthcheck="<nil>" Labels="map[author:spring-boot]" MacAddress= NetworkDisabled=false OnBuild="[]" OpenStdin=false StdinOnce=false StopSignal= StopTimeout="<nil>" Tty=false plugin=pipelines
time="2023-11-03T19:14:17Z" level=info msg="Container create request." AutoRemove=false BlkioDeviceReadBps="[]" BlkioDeviceReadIOps="[]" BlkioDeviceWriteBps="[]" BlkioDeviceWriteIOps="[]" BlkioWeight=0 BlkioWeightDevice="[]" CPUCount=0 CPUPercent=0 CPUPeriod=0 CPUQuota=0 CPURealtimePeriod=0 CPURealtimeRuntime=0 CPUShares=0 CapAdd="[]" CapDrop="[]" Cgroup= CgroupParent= ConsoleSize="[0 0]" ContainerIDFile= CpusetCpus= CpusetMems= DNS="[]" DNSOptions="[]" DNSSearch="[]" DeviceCgroupRules="[]" Devices="[]" ExtraHosts="[]" GroupAdd="[]" IOMaximumBandwidth=0 IOMaximumIOps=0 Init="<nil>" IpcMode= Isolations= KernelMemory=0 Links="[]" LogConfig="{ map[]}" MaskedPaths="[]" Memory=0 MemoryReservation=0 MemorySwap=0 MemorySwappiness="<nil>" Mounts="[]" NanoCPUs=0 NetworkMode=default OomKillDisable="<nil>" OomScoreAdj=0 PidMode= PidsLimit="<nil>" PortBindings="map[]" Privileged=false PublishAllPorts=false ReadOnlyPaths="[]" RestartPolicy="{ 0}" Runtime= SecurityOpt="[label=disable]" ShmSize=0 StorageOpt="map[]" Sysctls="map[]" Ulimits="[]" UsernsMode= VolumeDriver= VolumesFrom="[]" plugin=pipelines
time="2023-11-03T19:14:17Z" level=info msg="Pipelines plugin request authorization." allowed=false method=POST plugin=pipelines uri=/v1.24/containers/create
time="2023-11-03T19:14:17.669873437Z" level=error msg="AuthZRequest for POST /v1.24/containers/create returned error: authorization denied by plugin pipelines: -v only supports $BITBUCKET_CLONE_DIR and its subdirectories"
time="2023-11-03T19:14:17Z" level=info msg="Pipelines plugin request authorization." allowed=true method=DELETE plugin=pipelines uri="/v1.24/volumes/pack-layers-cnovyjjtrm?force=1"
time="2023-11-03T19:14:17Z" level=info msg="Pipelines plugin request authorization." allowed=true method=DELETE plugin=pipelines uri="/v1.24/volumes/pack-app-bedsbabobb?force=1"
time="2023-11-03T19:14:17Z" level=info msg="Pipelines plugin request authorization." allowed=true method=DELETE plugin=pipelines uri="/v1.24/images/pack.local/builder/tfgunegkrx:latest?force=1"


ct2axkht (answer 1)

Spring Boot 3.2 (scheduled for release in late November 2023) has some enhancements to better support building images with buildpacks on BitBucket CI. You can try them now with the 3.2 release candidate.
With a version that includes these enhancements, and assuming BitBucket has set the environment variable DOCKER_HOST=tcp://172.17.0.1:2375, you can configure a Maven build like this:

<configuration>
  <docker>
    <host>tcp://172.17.0.1:2375</host>
    <bindHostToBuilder>true</bindHostToBuilder>
  </docker>
  <image>
    <securityOptions></securityOptions>
    <buildWorkspace>
      <bind>
        <source>/opt/atlassian/bitbucketci/agent/build/cache-${project.artifactId}.work</source>
      </bind>
    </buildWorkspace>
    <buildCache>
      <bind>
        <source>/opt/atlassian/bitbucketci/agent/build/cache-${project.artifactId}.build</source>
      </bind>
    </buildCache>
    <launchCache>
      <bind>
        <source>/opt/atlassian/bitbucketci/agent/build/cache-${project.artifactId}.launch</source>
      </bind>
    </launchCache>
  </image>
</configuration>

You can configure a Gradle build like this:

tasks.named('bootBuildImage') {
    docker {
        host = "tcp://172.17.0.1:2375"
        bindHostToBuilder = true
        buildWorkspace {
            bind {
                source = "/opt/atlassian/bitbucketci/agent/build/cache-${project.name}.work"
            }
        }
        buildCache {
            bind {
                source = "/opt/atlassian/bitbucketci/agent/build/cache-${project.name}.build"
            }
        }
        launchCache {
            bind {
                source = "/opt/atlassian/bitbucketci/agent/build/cache-${project.name}.launch"
            }
        }
    }
}


For some background, see these GitHub issues:

j5fpnvbx (answer 2)

@Scott's answer works, but I decided to share my own here, since I removed one line from the plugin configuration that I found is not required. I have also added some more colour to help others understand what is going on here.
You need **Spring Boot 3.2+** for this to work. Below is the Maven plugin configuration in use as of the time of writing. The same configuration is available in Gradle.
The buildpack builder needs a location to store temporary files during the image build. By default buildpacks use Docker volumes, but Bitbucket only allows them under /opt/atlassian/bitbucketci/agent/build/ or /opt/atlassian/pipelines/agent/build/.*, as specified here. So we need to configure the plugin, through the new configuration options described here, to store everything under one of those folders.
We also need to:
1. Instruct the builder container not to pass security options when calling the Docker API, by setting the plugin's <securityOptions></securityOptions> configuration to empty (see here).
2. Tell the builder image (and all processes running in it) how to connect to the Docker daemon provided by BitBucket. This is achieved by:
  • setting the DOCKER_HOST environment variable in the pipeline step rather than in the plugin configuration (I tried both options)
  • setting the plugin's docker.bindHostToBuilder option to true, to instruct the builder container to use the Docker configuration from the host (see here)

Here is my entire plugin configuration:

<plugin>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-maven-plugin</artifactId>
  <configuration>
    <excludes>
      <exclude>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
      </exclude>
    </excludes>
    <docker>
      <!-- builder container reuses the host's Docker configuration; DOCKER_HOST is set in the pipeline step -->
      <bindHostToBuilder>true</bindHostToBuilder>
    </docker>
    <image>
      <env>
        <BP_JVM_VERSION>${java.version}</BP_JVM_VERSION>
      </env>
      <!-- empty: send no security options with the container create request -->
      <securityOptions></securityOptions>
      <!-- all three caches are bind mounts under a directory Bitbucket permits for -v -->
      <buildWorkspace>
        <bind>
          <source>/opt/atlassian/bitbucketci/agent/build/cache-${project.artifactId}.work</source>
        </bind>
      </buildWorkspace>
      <buildCache>
        <bind>
          <source>/opt/atlassian/bitbucketci/agent/build/cache-${project.artifactId}.build</source>
        </bind>
      </buildCache>
      <launchCache>
        <bind>
          <source>/opt/atlassian/bitbucketci/agent/build/cache-${project.artifactId}.launch</source>
        </bind>
      </launchCache>
    </image>
  </configuration>
</plugin>

Here is my BitBucket step configuration:

- step: &build-container-image   # YAML anchor form assumed; the posted text had the name without "&", which is not valid YAML
    name: Build container image
    caches:
      - maven
      - docker
    script:
      # set in the step, not in the plugin configuration
      - export DOCKER_HOST=tcp://172.17.0.1:2375
      - mvn spring-boot:build-image
    services:
      - docker


Note: this solution is built on the hard work of @Scott Frederick (from the Spring team) and insights from @Andrej Urvantsev (see here).
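A pre-flight check to run in the step before `mvn spring-boot:build-image`, added here as an example for both answers above (it is not code from either answer, from the Spring Boot plugin, or from Atlassian): it verifies that every bind source the plugin will hand to the Docker daemon sits under a directory the Pipelines authorization plugin accepts, so a misconfigured `buildWorkspace`/`buildCache`/`launchCache` path fails with a readable message instead of the opaque `authorization denied by plugin pipelines` error in the question. The rule it enforces is reconstructed from the error text (`-v only supports $BITBUCKET_CLONE_DIR and its subdirectories`) and from the two roots named in the second answer; that reconstruction, the artifact name `myapp`, and the function names are assumptions. Path normalisation is done as pure string processing so the check works before the cache directories exist and so a `..` in a source cannot escape the allowed root. It does nothing about the daemon's own warnings in the log above: `tcp://172.17.0.1:2375` is an unauthenticated TCP endpoint, which is tolerable only if nothing but the step's own containers can reach it.

```shell
#!/bin/sh
# Pre-flight check for the Bitbucket Pipelines bind-mount rule, added as an
# example for this page (not the Spring Boot plugin's or Atlassian's code).
# Assumption: the Pipelines plugin allows a -v source only if it equals one
# of the permitted roots or lies strictly below one of them.

# normalize_path PATH
# Collapse "//" and "." segments and resolve ".." by pure string processing,
# so a path that does not exist yet can still be checked and "a/../../etc"
# cannot be used to escape a root. Always called in a $(...) subshell, so
# set -f (no globbing of segments such as "cache-*.work") does not leak out.
normalize_path() {
    set -f
    _out=""
    _old_ifs=$IFS
    IFS='/'
    for _seg in $1; do
        case $_seg in
            '' | '.') ;;                  # empty (from "//" or a leading "/") or "."
            '..')     _out=${_out%/*} ;;  # pop one segment; stays "" at the root
            *)        _out="$_out/$_seg" ;;
        esac
    done
    IFS=$_old_ifs
    if [ -n "$_out" ]; then printf '%s\n' "$_out"; else printf '/\n'; fi
}

# bind_source_allowed SOURCE ROOT...
# Exit 0 if SOURCE is one of the ROOTs or a subdirectory of one, else 1.
bind_source_allowed() {
    _src=$(normalize_path "$1")
    shift
    for _root in "$@"; do
        _root=$(normalize_path "$_root")
        [ "$_src" = "$_root" ] && return 0
        case $_src in
            "$_root"/*) return 0 ;;       # quoted root is literal, /* is the glob
        esac
    done
    return 1
}

# check_bind_sources "ROOT ROOT..." SOURCE...
# Report every SOURCE; exit 1 if any of them would be rejected.
check_bind_sources() {
    _roots=$1
    shift
    _rc=0
    for _src in "$@"; do
        # shellcheck disable=SC2086  # _roots is deliberately word-split
        if bind_source_allowed "$_src" $_roots; then
            printf 'ok       %s\n' "$_src"
        else
            printf 'REJECTED %s (must be under one of: %s)\n' "$_src" "$_roots" >&2
            _rc=1
        fi
    done
    return $_rc
}

# In the pipeline step, run this before `mvn spring-boot:build-image`.
# The three sources mirror the buildWorkspace/buildCache/launchCache binds in
# the answers above with ${project.artifactId} = myapp (a constructed name);
# the roots are the two directories the second answer says Bitbucket permits,
# plus $BITBUCKET_CLONE_DIR, which Pipelines exports in every step. Outside
# Pipelines (variable unset) the functions are only defined, nothing runs.
if [ -n "${BITBUCKET_CLONE_DIR:-}" ]; then
    check_bind_sources \
        "/opt/atlassian/bitbucketci/agent/build /opt/atlassian/pipelines/agent/build $BITBUCKET_CLONE_DIR" \
        /opt/atlassian/bitbucketci/agent/build/cache-myapp.work \
        /opt/atlassian/bitbucketci/agent/build/cache-myapp.build \
        /opt/atlassian/bitbucketci/agent/build/cache-myapp.launch ||
        { echo "fix the bind sources in the spring-boot-maven-plugin configuration" >&2; exit 1; }
fi
```

Because the script only looks at the path strings, it also catches the case the daemon's rule is really about: a source such as `/opt/atlassian/pipelines/agent/build/../../../../var/run/docker.sock` normalises to something outside the root and is rejected, rather than being accepted on a naive prefix match.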
