401 Unauthorized

[Elisabetta Ronchieri]

Hi,

I am using jib to create an image and push it in the gitlab registry or docker hub registry.  I would like to share with you my problem.

I have specified my URL project https://gitlab.com/joda70/demojib

In the CI, I have the following settings:

build:
  stage: build
  image: maven:latest
  variables:
    DOCKER_CONFIG: $PWD/.docker/config.json
    MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Djava.awt.headless=true"
    MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"

  script:
    - env | sort
    - id
    - mvn ${MAVEN_CLI_OPTS} -Djib.id=${CI_REGISTRY} -Djib.auth.user=gitlab-ci-token -Djib.auth.password=${CI_TOKEN_PASSWORD} -e -X clean package jib:build

Inside the project I have the file settings.xml:

<settings>
  <servers>
    <server>
	<id>${env.CI_REGISTRY}</id>
        <username>gitlab-ci-token</username>
	<password>${env.CI_TOKEN_PASSWORD}</password>
    </server>
  </servers>
</settings>


Inside the project I also have .docker/config.json with the following settings:

{
	"auths": {
                "registry.gitlab.com": {
                        "auth": ${CI_TOKEN_PASSWORD}

        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.3 (linux)"
        }
}

In the pom.xml file I have:

                        <plugin>
		            <groupId>com.google.cloud.tools</groupId>
                            <artifactId>jib-maven-plugin</artifactId>
                            <version>${jib-maven-plugin.version}</version>		
                            <configuration>
			       <to>
				  <image>joda70/${project.artifactId}:${project.version}</image>
			       </to>
		            </configuration>
		        </plugin>

 In my local working directory, I am able to create and push image with jib:build on docker.hub. 
The main difference with this setup is that on my local machine I have docker client installed.

Do I have to install docker client on the maven image?

Best regards
Elisabetta

[Chanseok Oh]

Hi Elisabetta,

No, you don't need Docker (whether daemon or client).

Since you are pass -Djib.auth.user=gitlab-ci-token -Djib.auth.password=${CI_TOKEN_PASSWORD} on the command-line, all the other auth sources (Maven settings.xml or Docker config.json) are completely irrelevant. (The others have no chance to be considered at all.) Therefore, Jib will use gitlab-ci-token and ${CI_TOKEN_PASSWORD} as the username and the password. You'll see a log message like

Using credentials from to.auth for joda70/...

BTW, Jib doesn't have a config param jib.id, so -Djib.id=${CI_REGISTRY} has no effect on Jib. That said, I think the problem is that you thought you are pushing to a gitlab registry. However, it looks like you are pushing to Docker Hub. The image reference yoda70/... seems to point to Docker Hub. And yet, the username you are using is not yoda70 but gitlab-ci-token. If you haven't realized, the image reference determines the URL of the registry. (It embeds the server URL unless it is Docker Hub.) For example, localhost:5000/... or my.private.registry.com/...

[Chanseok Oh]

Oh, and another problem is that it is -Djib.to.auth.username instead of -Djib.auth.user. And -Djib.to.auth.password instead of -Djib.auth.password.