Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-18705

repository-changelog requests from Nexus 3 upgrade can trigger Nexus 2 outbound requests even though proxy repository is blocked

    Details

      Description

      Problem

      The Nexus 2 -> Nexus 3 Upgrade process involves Nexus 3 sending changelog requests to Nexus 2. The changelog requests can force Nexus 2 to resolve sha1 files for artifacts from proxy repository remotes, even if the Nexus 2 proxy repository is manually or automatically blocked.

      Evidence

      Nexus 2 nexus.log showing a repo called sunjava is automatically blocked
      2018-12-17 19:46:49 INFO  [Checker-sunjava] - org.sonatype.nexus.proxy.maven.maven2.M2Repository-sunjava - Next attempt to auto-unblock the "Sun Java Repo" (id=sunjava) repository by checking its remote peer health will occur in 5 minutes.
      
      2018-12-17 19:46:49 INFO  [roxy-3-thread-7] - org.sonatype.nexus.proxy.storage.remote.httpclient.HttpClientRemoteStorage - Initializing remote transport for proxy repository "Sun Java Repo" [id=sunjava]...
      
      2018-12-17 19:46:55 INFO  [Checker-sunjava] - org.sonatype.nexus.proxy.maven.maven2.M2Repository-sunjava - Next attempt to auto-unblock the "Sun Java Repo" (id=sunjava) repository by checking its remote peer health will occur in 2 minutes.
      
      ....
      
      2018-12-17 20:50:55 INFO  [Checker-sunjava] - org.sonatype.nexus.proxy.maven.maven2.M2Repository-sunjava - Next attempt to auto-unblock the "Sun Java Repo" (id=sunjava) repository by checking its remote peer health will occur in 42 minutes.
      
      Nexus 2 request.log showing a changelog request was being handled
      10.21.97.45 - - [17/Dec/2018:20:27:12 -0500] "GET /service/siesta/migrationagent/repository-changelog?after=000a0000000000019f3b&limit=100 HTTP/1.1" 500 46906 37754
      
      Nexus 2 nexus.log showing that outbound sha1 requests were being made despite the blocked status of the sunjava repo
      2018-12-17 20:27:12 DEBUG [p1301339208-390] - remote.storage.outbound - [sunjava] GET http://download.java.net/maven/2/com/sun/faces/jsf-api/2.0.3/jsf-api-2.0.3.pom.sha1 -> HTTP/1.1 404 Not Found; 1.957 s
      2018-12-17 20:27:12 ERROR [p1301339208-390] - org.sonatype.nexus.web.internal.ErrorPageFilter - Internal error
      org.eclipse.jetty.io.EofException: null
      
      Nexus 2 thread proving an inbound changelog request triggers sha1 resolution from remotes
      qtp16864241-317 id=317 state=RUNNABLE (running in native)
          at java.net.SocketInputStream.socketRead0(Native Method)
          at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
          at java.net.SocketInputStream.read(SocketInputStream.java:171)
          at java.net.SocketInputStream.read(SocketInputStream.java:141)
          at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:136)
          at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:152)
          at org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:270)
          at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
          at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
          at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:260)
          at org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:161)
          at org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:153)
          at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:271)
          at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
          at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:254)
          at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
          at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
          at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
          at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
          at org.sonatype.nexus.proxy.storage.remote.httpclient.HttpClientRemoteStorage.doExecuteRequest(HttpClientRemoteStorage.java:569)
          at org.sonatype.nexus.proxy.storage.remote.httpclient.HttpClientRemoteStorage.executeRequest(HttpClientRemoteStorage.java:521)
          at org.sonatype.nexus.proxy.storage.remote.httpclient.HttpClientRemoteStorage.retrieveItem(HttpClientRemoteStorage.java:216)
          at org.sonatype.nexus.proxy.maven.ChecksumContentValidator.doRetrieveChecksumItem(ChecksumContentValidator.java:191)
          at org.sonatype.nexus.proxy.maven.ChecksumContentValidator.doRetrieveSHA1(ChecksumContentValidator.java:162)
          at org.sonatype.nexus.proxy.maven.AbstractMavenRepository.doRetrieveItem(AbstractMavenRepository.java:390)
          at org.sonatype.nexus.proxy.maven.maven2.M2Repository.doRetrieveItem(M2Repository.java:398)
          at org.sonatype.nexus.proxy.repository.AbstractRepository.retrieveItem(AbstractRepository.java:760)
          at com.sonatype.nexus.migrationagent.repository.RepositoryMigratorSupport.resolveItem(RepositoryMigratorSupport.java:310)
          at com.sonatype.nexus.migrationagent.repository.RepositoryMigratorSupport.extract(RepositoryMigratorSupport.java:264)
          at com.sonatype.nexus.migrationagent.repository.RepositoryMigrator$extract.call(Unknown Source)
          at com.sonatype.nexus.migrationagent.rest.RepositoryChangelogResource$_get_closure1$_closure2.doCall(RepositoryChangelogResource.groovy:117)
      

      Consequences

      This behaviour can make upgrade to Nexus 3 impossible for repositories which have local content that are still depended on. Requests from Nexus 3 will timeout waiting for Nexus 2 to resolve the entire changelog artifacts sha1 files from remotes which don't respond.

      Expected

      When a Nexus 2 repository is Blocked, no outbound requests to its configured remote URL should be made at all, even as a consequence of inbound Nexus 3 upgrade related requests. Thus changelog requests from Nexus 3 should perform very quickly and timeouts can be avoided.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              dbradicich Damian Bradicich
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Joe Tom Joe Tom
              Team:
              NXRM - Tron
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title