Dev - Nexus Repo / NEXUS-19097

Log spam when remote docker repository returns 400 or 401 and no credentials are configured or remote requires bearer token

    Details

    • Story Points:
      1

      Description

      Configure a docker proxy repository with a remote URL of "https://gcr.io". Then request a manifest that does not exist on the remote through the proxy repository:

      https://localhost:8081/repository/docker-gcr-proxy/v2/abcd/efgh/manifests/1472

      This will result in a warning in the log along with a stack trace because the bearer token can't be retrieved. "https://gcr.io" allows anonymous access, but it will return 401 rather than 404 for images that don't exist on it. I believe the official docker registry also behaves this way. The result of this is that you get extremely noisy logs if you are requesting docker images through a group repository, since inevitably some of them won't exist on the remote.

      Expected: A 401 should be logged as it currently is, with no stack trace.

      2019-02-11 00:04:50,847-0700 WARN [qtp-952548213-606] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/abcd/efgh/manifests/1472: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
      2019-02-11 00:04:51,117-0700 WARN [qtp-952548213-513] admin org.sonatype.nexus.repository.docker.internal.auth.BearerScheme - Failed to retrieve docker bearer token
      org.apache.http.auth.AuthenticationException: Could not retrieve token from https://gcr.io/v2/token. Status code: 401
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.executeOK(DockerProxyFacetImpl.java:514)
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.retrieveBearerToken(DockerProxyFacetImpl.java:457)
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.access$3(DockerProxyFacetImpl.java:442)
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl$2.retrieveBearerToken(DockerProxyFacetImpl.java:841)
      at org.sonatype.nexus.repository.docker.internal.auth.DockerAuthHttpClientContext$2.getToken(DockerAuthHttpClientContext.java:76)
      at org.sonatype.nexus.repository.docker.internal.auth.BearerScheme.authenticate(BearerScheme.java:105)
      at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
      at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:263)
      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
      at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.lambda$0(FilteredHttpClientSupport.java:56)
      at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport$$Lambda$377.00000000042A7760.call(Unknown Source)
      at org.sonatype.nexus.repository.httpclient.internal.BlockingHttpClient.filter(BlockingHttpClient.java:123)
      at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.doExecute(FilteredHttpClientSupport.java:56)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.execute(DockerProxyFacetImpl.java:325)
      at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:405)
      at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:375)
      at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.doGet(ProxyFacetSupport.java:245)
      at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.doGet(DockerProxyFacetImpl.java:859)
      at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.lambda$1(ProxyFacetSupport.java:234)
      at org.sonatype.nexus.repository.proxy.ProxyFacetSupport$$Lambda$376.00000000042A6A20.call(Unknown Source)
      at org.sonatype.nexus.common.io.CooperatingFuture.performCall(CooperatingFuture.java:122)
      at com.sonatype.nexus.hazelcast.internal.io.DistributedCooperatingFuture.performCall(DistributedCooperatingFuture.java:50)
      at org.sonatype.nexus.common.io.CooperatingFuture.call(CooperatingFuture.java:64)
      at org.sonatype.nexus.common.io.ScopedCooperationFactorySupport$ScopedCooperation.cooperate(ScopedCooperationFactorySupport.java:99)
      at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:225)
      at org.sonatype.nexus.repository.proxy.ProxyHandler.handle(ProxyHandler.java:50)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.view.handlers.LastDownloadedHandler.handle(LastDownloadedHandler.java:54)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
      at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
      at org.sonatype.nexus.repository.view.Context$proceed.call(Unknown Source)
      at org.sonatype.nexus.repository.docker.internal.V2Handlers$_closure16.doCall(V2Handlers.groovy:269)
      at sun.reflect.GeneratedMethodAccessor245.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
      at java.lang.reflect.Method.invoke(Method.java:508)
      at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
      at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:264)
      at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
      at groovy.lang.Closure.call(Closure.java:418)

      A 400 response may also be logged with a similar large stack trace at WARN level:

      2019-02-25 08:16:19,886-0700 WARN  [qtp62377353-128296]  example org.sonatype.nexus.repository.docker.internal.auth.BearerScheme - Failed to retrieve docker bearer token
      org.apache.http.auth.AuthenticationException: Could not retrieve token from https://gcr.io/v2/token. Status code: 400
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.executeOK(DockerProxyFacetImpl.java:507)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.retrieveBearerToken(DockerProxyFacetImpl.java:450)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.access$3(DockerProxyFacetImpl.java:435)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl$2.retrieveBearerToken(DockerProxyFacetImpl.java:833)
      	at org.sonatype.nexus.repository.docker.internal.auth.DockerAuthHttpClientContext$2.getToken(DockerAuthHttpClientContext.java:76)
      	at org.sonatype.nexus.repository.docker.internal.auth.BearerScheme.authenticate(BearerScheme.java:105)
      	at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
      	at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
      	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:263)
      	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
      	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
      	at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.lambda$0(FilteredHttpClientSupport.java:56)
      	at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.dt_access$112(FilteredHttpClientSupport.java)
      	at org.sonatype.nexus.repository.httpclient.internal.BlockingHttpClient.filter(BlockingHttpClient.java:123)
      	at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.doExecute(FilteredHttpClientSupport.java:56)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.execute(DockerProxyFacetImpl.java:318)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:405)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:375)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.doGet(ProxyFacetSupport.java:245)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.doGet(DockerProxyFacetImpl.java:851)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.lambda$1(ProxyFacetSupport.java:234)
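
Added example (not part of the original report and not Nexus code): a log triage script that folds each multi-line BearerScheme warning into one record and counts token-retrieval failures per token URL and status code, so the 400/401 noise described above can be measured without the stack frames. The sample log is constructed from the lines quoted in this issue with the stack traces truncated; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: log lines quoted in this issue, stack traces cut to a few frames.
SAMPLE_LOG = """\
2019-02-11 00:04:50,847-0700 WARN [qtp-952548213-606] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/abcd/efgh/manifests/1472: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
2019-02-11 00:04:51,117-0700 WARN [qtp-952548213-513] admin org.sonatype.nexus.repository.docker.internal.auth.BearerScheme - Failed to retrieve docker bearer token
org.apache.http.auth.AuthenticationException: Could not retrieve token from https://gcr.io/v2/token. Status code: 401
\tat org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.executeOK(DockerProxyFacetImpl.java:514)
\tat org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
2019-02-25 08:16:19,886-0700 WARN  [qtp62377353-128296]  example org.sonatype.nexus.repository.docker.internal.auth.BearerScheme - Failed to retrieve docker bearer token
org.apache.http.auth.AuthenticationException: Could not retrieve token from https://gcr.io/v2/token. Status code: 400
\tat org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.executeOK(DockerProxyFacetImpl.java:507)
"""

# A record starts with a timestamp; the exception message and frames are continuation lines.
RECORD_START = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d{4})\s+(\w+)\s+"
    r"\[[^\]]+\]\s+\S+\s+(\S+) - (.*)$")
TOKEN_FAIL = re.compile(r"Could not retrieve token from (\S+?)\. Status code: (\d{3})")
FRAME = re.compile(r"^\s*at\s")

def parse_records(text):
    """Group continuation lines under the log record they belong to."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            ts, level, logger, msg = m.groups()
            records.append({"ts": ts, "level": level, "logger": logger,
                            "msg": msg, "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line)
    return records

def summarize_token_failures(text):
    """Count bearer token failures per (token URL, status) and tally dropped frames."""
    counts, frames_dropped = Counter(), 0
    for rec in parse_records(text):
        if not rec["logger"].endswith(".BearerScheme"):
            continue
        frames_dropped += sum(1 for line in rec["extra"] if FRAME.match(line))
        for line in rec["extra"]:
            m = TOKEN_FAIL.search(line)
            if m:
                counts[(m.group(1), int(m.group(2)))] += 1
    return counts, frames_dropped
```
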
      
      

              People

              Assignee:
              moncef Moncef Ben-Soula
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Peter Lynch
              Team:
              NXRM - Cypher
              Votes:
              2
              Watchers:
              8