Unable to push to harbor image with http
See original GitHub issueEnvironment:
- Jib version: 1.5.0
- Build tool: Gradle
- OS: Mac OSX
- Repository: Harbor
Description of the issue:
I have insecure harbor registry for now and trying to push it and pushing it with property sendCredentialsOverHttp=true but push always times out
Expected behavior:
Should be able to push
Steps to reproduce:
/gradlew jib -DsendCredentialsOverHttp=true -Djib.to.image=dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample -Djib.console=plain
jib-gradle-plugin
Configuration:
jib {
to {
allowInsecureRegistries = true
tags = ['latest', '1.0.0-SNAPSHOT']
auth {
username = 'xyz'
password = 'xyz'
}
}
container {
ports = ['8080']
mainClass = "$mainClassName"
args = ["run", mainVerticleName, "-conf staging.json"]
jvmFlags = ['-Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.Log4j2LogDelegateFactory']
}
}
Log output:
➜ ./gradlew jib -DsendCredentialsOverHttp=true -Djib.to.image=dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample -Djib.console=plain
Starting a Gradle Daemon, 1 busy and 1 incompatible Daemons could not be reused, use --status for details
> Task :jib
Authentication over HTTP is enabled. It is strongly recommended that you do not enable this on a public network!
Containerizing application to dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample, dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample, dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample:1.0.0-SNAPSHOT...
Retrieving registry credentials for dockerhub-1003850024.ap-south-1.elb.amazonaws.com...
Getting base image gcr.io/distroless/java:8...
Building dependencies layer...
Building project dependencies layer...
Building resources layer...
Building classes layer...
> Task :jib FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':jib'.
> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Connect to dockerhub-1003850024.ap-south-1.elb.amazonaws.com:443 [dockerhub-1003850024.ap-south-1.elb.amazonaws.com/35.154.123.120, dockerhub-1003850024.ap-south-1.elb.amazonaws.com/13.234.102.169] failed: Operation timed out (Connection timed out)
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
* Get more help at https://help.gradle.org
Deprecated Gradle features were used in this build, making it incompatible with Gradle 6.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/5.5.1/userguide/command_line_interface.html#sec:command_line_warnings
BUILD FAILED in 2m 40s
8 actionable tasks: 1 executed, 7 up-to-date
Additional Information:
Push works fine with docker command-line
docker tag xyz:1.0.0-SNAPSHOT dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample/xyz:1.0.0-SNAPSHOT
docker push dockerhub-1003850024.ap-south-1.elb.amazonaws.com/sample/xyz:1.0.0-SNAPSHOT
Issue Analytics
- State:
- Created 4 years ago
- Comments:26 (15 by maintainers)
Top Results From Across the Web
Cannot push image v1.10.2 #11673 - goharbor/harbor - GitHub
I can't share the image, but i can tell you its 700MB. I setup Harbor with the Helm chart and using the filesystem...
Read more >Pulling and Pushing Images in the Docker Client - Harbor docs
In your Docker client is not configured for insecure registries, you will see the following error when you attempt to pull or push...
Read more >Pushing image to Harbor registry results in error "received ...
When trying to push image to Harbor registry We get the error "received unexpected HTTP status: 500 Internal Server Error"
Read more >Pushing a Docker image - Amazon ECR - AWS Documentation
You can push your container images to an Amazon ECR repository with the docker push command. Amazon ECR also supports creating and pushing...
Read more >HTTP API V2 - Docker Documentation
Resumable Push. Company X's build servers lose connectivity to docker registry before completing an image layer transfer. After connectivity returns, the build ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I did an investigation, and I think it is the bug in recent Google HTTP Client versions that does not honor the given connection timeout. (Haven’t tested read timeout yet.) Jib 1.5.0 is affected, and I am positive that the timeout will work correctly on 1.4.0.
@riyaz looked at your last log. No wonder it takes > 20 minutes (with 1.5.0). At least it is indeed working but very inefficient because Jib first tries HTTPS (port 443) before trying HTTP (port 80) for every access to your registry. And this HTTPS-to-HTTP failover can happen only when the HTTPS attempt times out. The log shows that the timeout is about 75 seconds. That is, for every HTTP request Jib makes to your registry, it first has to wait for ~75 seconds. But I do see that the plain
http://
is very fast.That said, if you specify the port
:80
in your image reference (e.g.,...elb.amazonaws.com:80/sample/...
), I bet it will be very fast, as it will attempt the plain HTTP directly. Later you could add an additional tag using whatever means to have the correct name without the port part (:80
). Another dirty hack would be to somehow configure your firewall or network so that any connection attempt toamazonaws.com:443
drops immediately as @briandealwis said.But, I strongly recommend you make the port 443 work as a registry and close the insecure registry at port 80. I’m emphasizing again that by sending credentials over HTTP, anyone in the wild can capture and steal your username and password easily.
Given that you don’t have a secure registry, ECR seems rather the right choice. I would continue using it, at least until you set up SSL.
Thanks for the info. It’s good to know. We are baffled too.