Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-30911

401 response from a remote docker registry will cause an already cached docker asset to be reported as 404 not found

    Details

    • Story Points:
      0
    • InvestmentLayer:
      support-escalated

      Description

      For a Docker proxy repo, when the component max age expires and Nexus makes a request to the remote registry for an already cached Docker asset e.g manifest, if the remote proxy returns a 401 response then the proxy repo will return to the client a 404 (not found) status code and "manifest unknown" message. This fails the download of a previously already cached asset still in the proxy repo.

      Similar to NEXUS-26642 and NEXUS-27623, issues between proxy and remote should not prevent already cached assets from being served.

      Reproduce

      1. Two Nexus instance. On one instance create a hosted docker repository, on the other create a proxy docker repository to the hosted repo.
      2. Configure the remote to require authentication and configure the proxy repo with a user that has read permissions to the remote repo.
      3. Upload an image to the hosted repo.
      4. Pull the image via the proxy repo.
      5. Edit the username/password settings on the proxy repo so that they are incorrect.
      6. Invalidate the cache on the proxy repo and also remove the image from the client side.
      7. Request the image again. 

      The pull will fail with the following response if this was a manifests request.

      not found: manifest unknown: manifest unknown

      Workaround

      Set proxy repo component max age to -1. Setting component max age to -1, will prevent any tags already cached from being updated if the tags are republished with different hashes at the remote - ie. latest

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              hardeepn Hardeep Nagra
              Last Updated By:
              Joe Tom Joe Tom
              Team:
              NXRM - IMMORTALS
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title