Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-30911

401 response from a remote docker registry will cause an already cached docker asset to be reported as 404 not found


    • 0
    • 2
    • support-escalated
    • non-concept


      For a Docker proxy repo, when the component max age expires and Nexus makes a request to the remote registry for an already cached Docker asset e.g manifest, if the remote proxy returns a 401 response then the proxy repo will return to the client a 404 (not found) status code and "manifest unknown" message. This fails the download of a previously already cached asset still in the proxy repo.

      Similar to NEXUS-26642 and NEXUS-27623, issues between proxy and remote should not prevent already cached assets from being served.


      1. Two Nexus instance. On one instance create a hosted docker repository, on the other create a proxy docker repository to the hosted repo.
      2. Configure the remote to require authentication and configure the proxy repo with a user that has read permissions to the remote repo.
      3. Upload an image to the hosted repo.
      4. Pull the image via the proxy repo.
      5. Edit the username/password settings on the proxy repo so that they are incorrect.
      6. Invalidate the cache on the proxy repo and also remove the image from the client side.
      7. Request the image again. 

      The pull will fail with the following response if this was a manifests request.

      not found: manifest unknown: manifest unknown


      Set proxy repo component max age to -1. Setting component max age to -1, will prevent any tags already cached from being updated if the tags are republished with different hashes at the remote - ie. latest


        Issue Links



              Unassigned Unassigned
              hardeepn Hardeep Nagra
              Rich Seddon Rich Seddon
              NXRM - Optimus
              1 Vote for this issue
              9 Start watching this issue