[NEXUS-17548] Docker proxy repositories auto-block for images that don't exist - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.12.1
Fix Version/s: 3.14.0
Component/s: Docker, Transport
Labels:
- supportant

Story Points:
3

Description

Create a proxy repository to docker hub. Put this in a group repository.

Then request a manifest from through the group repository that doesn't exist on docker hub:

http://localhost:8081/repository/docker-group/v2/fff/ggg/manifests/4.0.8r0

The remote will return an authorization error, causing the repository to auto-block:

2018-07-06 14:40:20,433-0500 WARN [qtp335821775-248] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/fff/ggg/manifests/4.0.8r0: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
2018-07-06 14:40:41,441-0500 INFO [elasticsearch[441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][management]T#2] *SYSTEM org.elasticsearch.cluster.routing.allocation.decider - [441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F] low disk watermark [85%] exceeded on [ggbWczR0QgqEeYJBh3TOpg][441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][/Users/rseddon/temp/foo/sonatype-work/nexus3/elasticsearch/nexus/nodes/0] free: 67.8gb[14.5%], replicas will not be assigned to this node
2018-07-06 14:41:00,609-0500 INFO [Check Status https://registry-1.docker.io] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AUTO_BLOCKED_UNAVAILABLE to AVAILABLE - reason n/a for n/a
2018-07-06 14:41:11,451-0500 INFO [elasticsearch[441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][management]T#3] *SYSTEM org.elasticsearch.cluster.routing.allocation.decider - [441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F] low disk watermark [85%] exceeded on [ggbWczR0QgqEeYJBh3TOpg][441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][/Users/rseddon/temp/foo/sonatype-work/nexus3/elasticsearch/nexus/nodes/0] free: 67.8gb[14.5%], replicas will not be assigned to this node

I'm not entirely sure why the remote returns unauthorized when it should return 404. It seems to be some sort of misguided attempt at security?

But the current behavior of auto-blocking potentially makes them unavailable for subsequent requests.

This behavior might be OK for a direct request to to a docker proxy repository (maybe). But it causes a real problem for group repositories. They can contain many docker proxy repositories, so it is expected that requests will be coming into them frequently be for images that don't exist on at least some of the remotes of their contained proxy repositories.

Attachments

Issue Links

is caused by

NEXUS-16539 Nexus 3 does not auto-block on 401 responses from https://maven.oracle.com

Closed

relates

NEXUS-9508 Nexus auto-blocks repositories too aggressively

Closed

NEXUS-26970 Docker proxy repository returns 502 when remote returns 401

Closed

supercedes

NEXUS-17086 Docker proxy auto-blocks when image not found on container-registry.oracle.com

Closed

Activity

People

Assignee:: Joseph Stephens

Reporter:: Rich Seddon

Last Updated By:: Maksym Lukaretkyi

Team:: NXRM - Cypher

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 07/06/18 07:40 PM

Updated:: 11/10/21 01:40 PM

Resolved:: 09/12/18 10:25 AM

Date of First Response:: 09/Jul/18 11:18 AM