Details
Description
For a Docker proxy repo, when the component max age expires and Nexus makes a request to the remote registry for an already cached Docker asset e.g manifest, if the remote proxy returns a 401 response then the proxy repo will return to the client a 404 (not found) status code and "manifest unknown" message. This fails the download of a previously already cached asset still in the proxy repo.
Similar to NEXUS-26642 and NEXUS-27623, issues between proxy and remote should not prevent already cached assets from being served.
Reproduce
- Two Nexus instance. On one instance create a hosted docker repository, on the other create a proxy docker repository to the hosted repo.
- Configure the remote to require authentication and configure the proxy repo with a user that has read permissions to the remote repo.
- Upload an image to the hosted repo.
- Pull the image via the proxy repo.
- Edit the username/password settings on the proxy repo so that they are incorrect.
- Invalidate the cache on the proxy repo and also remove the image from the client side.
- Request the image again.
The pull will fail with the following response if this was a manifests request.
not found: manifest unknown: manifest unknown
Workaround
Set proxy repo component max age to -1. Setting component max age to -1, will prevent any tags already cached from being updated if the tags are republished with different hashes at the remote - ie. latest
Attachments
Issue Links
- is related to
-
NEXUS-26642 a removed docker asset at a remote will cause an already cached docker asset to be removed from a proxy repository when component age expires
-
- Closed
-
-
NEXUS-27623 403 response from a remote will cause an already cached docker asset to also return a 403 from a proxy repository when component age expires
-
- Closed
-