  1. Dev - Nexus Repo
  2. NEXUS-17548

Docker proxy repositories auto-block for images that don't exist

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.12.1
    • Fix Version/s: 3.14.0
    • Component/s: Docker, Transport
    • Story Points: 3

      Description

      Create a proxy repository to docker hub.  Put this in a group repository.

      Then request a manifest through the group repository that doesn't exist on docker hub:

      http://localhost:8081/repository/docker-group/v2/fff/ggg/manifests/4.0.8r0

      The remote will return an authorization error, causing the repository to auto-block:

       

      2018-07-06 14:40:20,433-0500 WARN  [qtp335821775-248] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/fff/ggg/manifests/4.0.8r0: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
      2018-07-06 14:40:41,441-0500 INFO  [elasticsearch[441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][management]T#2] *SYSTEM org.elasticsearch.cluster.routing.allocation.decider - [441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F] low disk watermark [85%] exceeded on [ggbWczR0QgqEeYJBh3TOpg][441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][/Users/rseddon/temp/foo/sonatype-work/nexus3/elasticsearch/nexus/nodes/0] free: 67.8gb[14.5%], replicas will not be assigned to this node
      2018-07-06 14:41:00,609-0500 INFO  [Check Status https://registry-1.docker.io] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AUTO_BLOCKED_UNAVAILABLE to AVAILABLE - reason n/a for n/a
      2018-07-06 14:41:11,451-0500 INFO  [elasticsearch[441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][management]T#3] *SYSTEM org.elasticsearch.cluster.routing.allocation.decider - [441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F] low disk watermark [85%] exceeded on [ggbWczR0QgqEeYJBh3TOpg][441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][/Users/rseddon/temp/foo/sonatype-work/nexus3/elasticsearch/nexus/nodes/0] free: 67.8gb[14.5%], replicas will not be assigned to this node

       

      I'm not entirely sure why the remote returns unauthorized when it should return 404.  It seems to be some sort of misguided attempt at security?

      But the current behavior of auto-blocking potentially makes them unavailable for subsequent requests.

      This behavior might be OK for a direct request to a docker proxy repository (maybe). But it causes a real problem for group repositories. They can contain many docker proxy repositories, so it is expected that requests coming into them will frequently be for images that don't exist on at least some of the remotes of their contained proxy repositories.
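
A log-triage sketch for the behaviour reported above, added here as an example and not part of the original report or of Nexus itself: it pairs auto-block transitions in the Nexus log with manifest requests that failed with 401 close to them, and reports how long the proxy stayed blocked. The AVAILABLE to AUTO_BLOCKED_UNAVAILABLE line in the sample is constructed by analogy with the recovery line quoted in the report, and the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Lines 1 and 3 follow the excerpt in the report; line 2
# (the transition INTO the blocked state) is an assumed counterpart of line 3.
SAMPLE_LOG = """\
2018-07-06 14:40:20,433-0500 WARN  [qtp335821775-248] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/fff/ggg/manifests/4.0.8r0: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
2018-07-06 14:40:20,440-0500 INFO  [qtp335821775-248] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AVAILABLE to AUTO_BLOCKED_UNAVAILABLE - reason (constructed)
2018-07-06 14:41:00,609-0500 INFO  [Check Status https://registry-1.docker.io] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AUTO_BLOCKED_UNAVAILABLE to AVAILABLE - reason n/a for n/a
"""

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3})")
ERR_401 = re.compile(r"V2Handlers - Error: GET (/v2/\S+/manifests/\S+): 401\b")
STATUS = re.compile(r"Repository status for (\S+) changed from (\S+) to (\S+)")

def parse_ts(line):
    """Timestamp of a log line, or None for continuation lines (stack traces)."""
    m = TS.match(line)
    if not m:
        return None
    base = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return base + timedelta(milliseconds=int(m.group(2)))

def correlate(log_text, window_s=5.0):
    """One record per auto-block: repo, nearby manifest 401s, outage length."""
    errors, blocks = [], []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        err, status = ERR_401.search(line), STATUS.search(line)
        if err:
            errors.append((ts, err.group(1)))
        elif status:
            repo, old, new = status.groups()
            if new.startswith("AUTO_BLOCKED"):
                blocks.append({"repo": repo, "blocked_at": ts,
                               "outage_s": None, "manifest_401s": []})
            elif old.startswith("AUTO_BLOCKED"):
                # Close the most recent still-open block for this repository.
                for b in reversed(blocks):
                    if b["repo"] == repo and b["outage_s"] is None:
                        b["outage_s"] = (ts - b["blocked_at"]).total_seconds()
                        break
    for b in blocks:
        # The relative order of the 401 and the block line is not assumed.
        b["manifest_401s"] = [p for t, p in errors
                              if abs((t - b["blocked_at"]).total_seconds()) <= window_s]
    return blocks

if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec)
```

A block record with a non-empty `manifest_401s` list is a candidate for the case in this issue: a request for a missing image, rather than a real remote outage, took the proxy offline.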

       

              People

              Assignee:
              jstephens Joseph Stephens
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Peter Lynch
              Team:
              NXRM - Cypher