Details
- Bug
- Resolution: Fixed
- Major
- 3.12.1
- 3
Description
Create a proxy repository to docker hub. Put this in a group repository.
Then request a manifest through the group repository that doesn't exist on docker hub:
http://localhost:8081/repository/docker-group/v2/fff/ggg/manifests/4.0.8r0
The remote will return an authorization error, causing the repository to auto-block:
2018-07-06 14:40:20,433-0500 WARN [qtp335821775-248] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/fff/ggg/manifests/4.0.8r0: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
2018-07-06 14:40:41,441-0500 INFO [elasticsearch[441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][management]T#2] *SYSTEM org.elasticsearch.cluster.routing.allocation.decider - [441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F] low disk watermark [85%] exceeded on [ggbWczR0QgqEeYJBh3TOpg][441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][/Users/rseddon/temp/foo/sonatype-work/nexus3/elasticsearch/nexus/nodes/0] free: 67.8gb[14.5%], replicas will not be assigned to this node
2018-07-06 14:41:00,609-0500 INFO [Check Status https://registry-1.docker.io] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AUTO_BLOCKED_UNAVAILABLE to AVAILABLE - reason n/a for n/a
2018-07-06 14:41:11,451-0500 INFO [elasticsearch[441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][management]T#3] *SYSTEM org.elasticsearch.cluster.routing.allocation.decider - [441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F] low disk watermark [85%] exceeded on [ggbWczR0QgqEeYJBh3TOpg][441A7C2A-D43F4D99-9C18AFA3-F4D24CC1-BA03CB4F][/Users/rseddon/temp/foo/sonatype-work/nexus3/elasticsearch/nexus/nodes/0] free: 67.8gb[14.5%], replicas will not be assigned to this node
I'm not entirely sure why the remote returns unauthorized when it should return 404. It seems to be some sort of misguided attempt at security?
But the current behavior of auto-blocking potentially makes them unavailable for subsequent requests.
This behavior might be OK for a direct request to a docker proxy repository (maybe). But it causes a real problem for group repositories. They can contain many docker proxy repositories, so it is expected that requests will be coming into them frequently for images that don't exist on at least some of the remotes of their contained proxy repositories.
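The log pattern in this report can be checked for mechanically. The Python below is an added example, not part of the original issue or Sonatype's code: it pairs a 401 manifest error with an auto-block transition logged shortly after it and reports how long the proxy stayed blocked. The `AVAILABLE to AUTO_BLOCKED_UNAVAILABLE` sample line, the 30-second window and the function names are assumptions; the other two sample lines are copied from the excerpt above.

```python
import re
from datetime import datetime, timedelta

SAMPLE_LOG = "\n".join([
    # Copied from the issue's log excerpt:
    "2018-07-06 14:40:20,433-0500 WARN [qtp335821775-248] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/fff/ggg/manifests/4.0.8r0: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required",
    # Constructed line (assumed format, mirroring the unblock line on the page):
    "2018-07-06 14:40:20,440-0500 INFO [qtp335821775-248] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AVAILABLE to AUTO_BLOCKED_UNAVAILABLE - reason constructed for constructed",
    # Copied from the issue's log excerpt:
    "2018-07-06 14:41:00,609-0500 INFO [Check Status https://registry-1.docker.io] admin org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for docker-io changed from AUTO_BLOCKED_UNAVAILABLE to AVAILABLE - reason n/a for n/a",
])

TS = r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d{4}) "
ERR = re.compile(TS + r".*V2Handlers - Error: GET (\S+/manifests/\S+): 401 ")
STATUS = re.compile(TS + r".*Repository status for (\S+) changed from (\w+) to (\w+)")

def parse_ts(text):
    """Parse a nexus.log timestamp such as 2018-07-06 14:40:20,433-0500."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f%z")

def find_401_autoblocks(log_text, window=timedelta(seconds=30)):
    """Return one finding per auto-block logged within `window` after a 401 manifest error."""
    errors, findings, open_blocks = [], [], {}
    for line in log_text.splitlines():
        if m := ERR.match(line):
            errors.append((parse_ts(m[1]), m[2]))
        elif m := STATUS.match(line):
            ts, repo, new_state = parse_ts(m[1]), m[2], m[4]
            if new_state.startswith("AUTO_BLOCKED"):
                # The 401 line does not name the proxy, so correlation is by time only.
                causes = [p for t, p in errors if timedelta(0) <= ts - t <= window]
                if causes:
                    finding = {"repo": repo, "path": causes[-1],
                               "blocked_at": ts, "blocked_for": None}
                    findings.append(finding)
                    open_blocks[repo] = finding
            elif new_state == "AVAILABLE" and repo in open_blocks:
                finding = open_blocks.pop(repo)
                finding["blocked_for"] = ts - finding["blocked_at"]
    return findings

if __name__ == "__main__":
    for f in find_401_autoblocks(SAMPLE_LOG):
        print(f"{f['repo']} auto-blocked after 401 on {f['path']}; blocked for {f['blocked_for']}")
```

Because the match is time-based, a busy instance with several Docker proxies may need a tighter window or manual review of each finding.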
Issue Links
- is caused by
  - NEXUS-16539 Nexus 3 does not auto-block on 401 responses from https://maven.oracle.com (Closed)
- relates
  - NEXUS-9508 Nexus auto-blocks repositories too aggressively (Closed)
  - NEXUS-26970 Docker proxy repository returns 502 when remote returns 401 (Closed)
- supercedes
  - NEXUS-17086 Docker proxy auto-blocks when image not found on container-registry.oracle.com (Closed)