Dev - Nexus Repo: NEXUS-24496

anonymous docker pulls not working


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Out of scope
    • Affects Version/s: 3.24.0
    • Fix Version/s: None
    • Component/s: Docker
    • Labels: None

      Description

      I am unable to get anonymous docker pulls working. I am using the Docker container (latest, custom built 3.24.1-01, but the hub-hosted 3.24.0-02 also fails in the same way). I have nginx fronting the requests and doing SSL termination.

      $ docker pull host.example.com/nginx:latest
      Error response from daemon: unauthorized: access to the requested resource is not authorized

      Note I can "docker login" and then push/pull normally.

      It also seems that if I 'docker login', pull an image, 'docker logout', remove the local copy of the image, and pull again this works (and transfers data) – even fully removing the auth stanza for this host causes pull to still work, from that host – but not from other hosts on the same subnet.

      Also, direct access fails:

      docker pull 127.0.0.1:8083/nginx:latest
      Error response from daemon: unauthorized: access to the requested resource is not authorized

      I have verified a flow between nginx and nexus to look like: (host.example.com is replaced with the hostname nginx terminates)

      GET /v2/ HTTP/1.0
      Host: host.example.com
      X-Real-IP: 1.2.3.4
      X-Forwarded-For: 1.2.3.4
      X-Forwarded-Host: host.example.com
      X-Forwarded-Proto: https
      Connection: close
      User-Agent: docker/19.03.8 go/go1.12.17 git-commit/afacb8b kernel/4.19.76-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.8 \(darwin\))
      Accept-Encoding: gzip
      
      HTTP/1.1 401 Unauthorized
      Date: Wed, 08 Jul 2020 19:13:44 GMT
      Server: Nexus/3.24.1-01 (OSS)
      X-Content-Type-Options: nosniff
      Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      X-XSS-Protection: 1; mode=block
      WWW-Authenticate: Bearer realm="https://host.example.com/v2/token",service="https://host.example.com/v2/token"
      Docker-Distribution-Api-Version: registry/2.0
      Content-Type: application/json
      Content-Length: 113
      
      {"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

      GET /v2/token?scope=repository%3Anginx%3Apull&service=https%3A%2F%2Fhost.example.com%2Fv2%2Ftoken HTTP/1.0
      Host: host.example.com
      X-Real-IP: 1.2.3.4
      X-Forwarded-For: 1.2.3.4
      X-Forwarded-Host: host.example.com
      X-Forwarded-Proto: https
      Connection: close
      User-Agent: docker/19.03.8 go/go1.12.17 git-commit/afacb8b kernel/4.19.76-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.8 \(darwin\))
      Accept-Encoding: gzip
      
      HTTP/1.1 200 OK
      Date: Wed, 08 Jul 2020 19:13:44 GMT
      Server: Nexus/3.24.1-01 (OSS)
      X-Content-Type-Options: nosniff
      Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      X-XSS-Protection: 1; mode=block
      Content-Type: application/json
      Content-Length: 60
      
      {"token":"DockerToken.12345678-1234-1234-1234-123456789012"}

      GET /v2/nginx/manifests/latest HTTP/1.0
      Host: host.example.com
      X-Real-IP: 68.97.160.145
      X-Forwarded-For: 68.97.160.145
      X-Forwarded-Host: host.example.com
      X-Forwarded-Proto: https
      Connection: close
      User-Agent: docker/19.03.8 go/go1.12.17 git-commit/afacb8b kernel/4.19.76-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.8 \(darwin\))
      Accept: application/vnd.docker.distribution.manifest.v2+json
      Accept: application/vnd.docker.distribution.manifest.list.v2+json
      Accept: application/vnd.oci.image.index.v1+json
      Accept: application/vnd.oci.image.manifest.v1+json
      Accept: application/vnd.docker.distribution.manifest.v1+prettyjws
      Accept: application/json
      Authorization: Bearer DockerToken.12345678-1234-1234-1234-123456789012
      Accept-Encoding: gzip
      
      HTTP/1.1 401 Unauthorized
      Date: Wed, 08 Jul 2020 19:13:44 GMT
      Server: Nexus/3.24.1-01 (OSS)
      X-Content-Type-Options: nosniff
      Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      X-XSS-Protection: 1; mode=block
      WWW-Authenticate: Bearer realm="https://docker-host.example.com/v2/token",service="https://host.example.com/v2/token"
      Docker-Distribution-Api-Version: registry/2.0
      Content-Type: application/json
      Content-Length: 113
      
      {"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}

      nginx host config:

      server {
          server_name host.example.com;
          client_max_body_size 0;

          location / {
              proxy_pass http://127.0.0.1:8083/;
              proxy_redirect off;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Host $server_name;
              proxy_set_header X-Forwarded-Proto $scheme;
          }

      ... ssl config here
      }

      I have the realms set up properly, I believe (the docker bearer realm is listed; the order is in the attached screenshot).

      I have anonymous user enabled, anonymous access enabled on the repo, and anonymous in the system as a whole. I have tried various anonymous user permissions including full admin rights, no luck.
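The three exchanges quoted in the report, replayed through an added diagnostic script (this is example code, not part of the issue and not Nexus or Docker code): it parses each Bearer challenge, rebuilds the token URL an anonymous docker client requests, and flags the points at which the anonymous flow breaks. The `path`/`Host` keys in REPORTED_FLOW and the rule that realm and service should name the same host the client sent in Host are assumptions of this example, not something the report states.

```python
# Added diagnostic example; not from the issue reporter, Nexus or Docker.
import re
from urllib.parse import urlencode, urlsplit

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(header):
    """Turn 'Bearer realm="...",service="..."' into {'realm': ..., 'service': ...}."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: " + header)
    return dict(_PARAM_RE.findall(params))

def token_request_url(challenge, scope):
    """URL a docker client fetches (no credentials) after a 401 Bearer challenge."""
    return challenge["realm"] + "?" + urlencode({"scope": scope, "service": challenge["service"]})

def diagnose(exchanges):
    """exchanges: ordered (request_headers, status, response_headers) triples.
    Returns findings as strings; an empty list means the anonymous flow looks healthy."""
    findings, realms = [], set()
    for req, status, resp in exchanges:
        www = resp.get("WWW-Authenticate")
        if status != 401 or not www:
            continue
        ch = parse_bearer_challenge(www)
        realms.add(ch["realm"])
        if "Authorization" in req:  # a token was presented yet still rejected
            findings.append(f"{req['path']}: 401 although a bearer token was presented")
        for key in ("realm", "service"):  # assumption: both should name the proxied host
            host = urlsplit(ch[key]).hostname
            if host != req["Host"]:
                findings.append(f"{req['path']}: {key} points at {host}, request Host was {req['Host']}")
    if len(realms) > 1:  # client would be bounced between token endpoints
        findings.append("realm changed between challenges: " + ", ".join(sorted(realms)))
    return findings

# Constructed from the exchange quoted in the report (other headers trimmed).
CHALLENGE_V2 = 'Bearer realm="https://host.example.com/v2/token",service="https://host.example.com/v2/token"'
CHALLENGE_MANIFEST = 'Bearer realm="https://docker-host.example.com/v2/token",service="https://host.example.com/v2/token"'
REPORTED_FLOW = [
    ({"path": "/v2/", "Host": "host.example.com"}, 401, {"WWW-Authenticate": CHALLENGE_V2}),
    ({"path": "/v2/token", "Host": "host.example.com"}, 200, {}),
    ({"path": "/v2/nginx/manifests/latest", "Host": "host.example.com",
      "Authorization": "Bearer DockerToken.12345678-1234-1234-1234-123456789012"}, 401,
     {"WWW-Authenticate": CHALLENGE_MANIFEST}),
]

if __name__ == "__main__":
    print(token_request_url(parse_bearer_challenge(CHALLENGE_V2), "repository:nginx:pull"))
    print("\n".join(diagnose(REPORTED_FLOW)) or "no findings")
```

Run against the quoted flow it reports the rejected bearer token and the realm that differs between the two 401 challenges; the rebuilt token URL matches the GET /v2/token line in the report byte for byte.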

            People

            Assignee: Unassigned
            Reporter: skandragon Michael
            Last Updated By: Joe Tom
