Details
- Bug
- Resolution: Unresolved
- Major
- 3.37.3
Description
ISSUE:
When deploying Nexus in container / cloud environments, we recommend that customers use -Dnexus.datastore.nexus arguments for external database details. New / changed values passed via these arguments are ignored by Nexus on startup, causing failure.
CAUSE:
Nexus persists the external DB values in $karaf-data/etc/fabric/nexus-store.properties file on first startup.
On subsequent startups, this file takes precedence and any updated values (password change / db username change etc) passed via arguments are ignored.
This behavior defeats the purpose of using -Dnexus.datastore.nexus arguments.
REPRODUCE STEPS:
(To make it simple, we can try the below on a non-container env)
1. Provision a nexus instance with external DB and use nexus.vmoptions for passing -Dnexus.datastore.nexus arguments
[nexus@centos79 bin]$ pwd
/opt/nexus-psql/nexus-3.37.3-02/bin
[nexus@centos79 bin]$ tail -5 nexus.vmoptions
-Dnexus.datastore.enabled=true
-Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://centos79.avsrini.net:5432/nexusdb
-Dnexus.datastore.nexus.username=nexus
-Dnexus.datastore.nexus.password=nexus123
2. Change postgresql user password at database side and update nexus.vmoptions file with new password
[nexus@centos79 bin]$ tail -5 nexus.vmoptions
-Dnexus.datastore.enabled=true
-Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://centos79.avsrini.net:5432/nexusdb
-Dnexus.datastore.nexus.username=nexus
#-Dnexus.datastore.nexus.password=nexus123
-Dnexus.datastore.nexus.password=nexus345
3. Start nexus and it would fail with wrong credentials as below
2022-02-18 12:15:00,546+1100 ERROR [FelixStartLevel] *SYSTEM com.zaxxer.hikari.pool.HikariPool - nexus - Exception during pool initialization.
org.postgresql.util.PSQLException: FATAL: password authentication failed for user "nexus"
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:613)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:161)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:213)
4. Datastore properties file still has old value
[root@centos79 fabric]# pwd
/opt/nexus-psql/sonatype-work/nexus3/etc/fabric
[root@centos79 fabric]# more nexus-store.properties
#2022-02-18 12:14:59,225+1100
#Fri Feb 18 12:14:59 AEDT 2022
password=nexus123
jdbcUrl=jdbc\:postgresql\://centos79.avsrini.net\:5432/nexusdb
username=nexus
EXPECTED RESULT:
Values passed via -Dnexus.datastore.nexus.* arguments should take precedence and update the nexus-store.properties file.
Not sure if we need a new JIRA, but can we encrypt the password written to the nexus-store.properties file, as it's plain text now and not secured?
At minimum, the document should mention clearly that nexus-store.properties won't be removed by recreating container/pod even if the system properties -Dnexus.datastore.nexus.* are used.
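An added example, not part of the original report and not Nexus code: a pre-start check that compares the -Dnexus.datastore.nexus.* values in nexus.vmoptions with those persisted in nexus-store.properties, reports drifted keys by name only (never the values), and flags a credential file accessible to group or others. The sample inputs are constructed from steps 2 and 4 above; the function names and the rule that a later duplicate argument wins are assumptions.

```python
import os
import re
import stat

PREFIX = "-Dnexus.datastore.nexus."

# Constructed samples mirroring steps 2 and 4 of the report.
SAMPLE_VMOPTIONS = """\
-Dnexus.datastore.enabled=true
-Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://centos79.avsrini.net:5432/nexusdb
-Dnexus.datastore.nexus.username=nexus
#-Dnexus.datastore.nexus.password=nexus123
-Dnexus.datastore.nexus.password=nexus345
"""
SAMPLE_STORE = r"""#Fri Feb 18 12:14:59 AEDT 2022
password=nexus123
jdbcUrl=jdbc\:postgresql\://centos79.avsrini.net\:5432/nexusdb
username=nexus
"""

def parse_vmoptions(text):
    """Datastore values from nexus.vmoptions; '#' lines skipped, later duplicates win (assumed)."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(PREFIX) and "=" in line:
            key, value = line[len(PREFIX):].split("=", 1)
            opts[key] = value
    return opts

def parse_store_properties(text):
    """Minimal .properties reader: skips comments, undoes escapes such as '\\:'."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def find_drift(vmoptions_text, store_text):
    """Names (never values) of keys whose persisted value differs from the argument."""
    wanted, stored = parse_vmoptions(vmoptions_text), parse_store_properties(store_text)
    return sorted(k for k, v in wanted.items() if k in stored and stored[k] != v)

def too_permissive(path):
    """True if group or others have any access to the plaintext credential file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    print("drift in constructed sample:", find_drift(SAMPLE_VMOPTIONS, SAMPLE_STORE))
```

To run it against a real install, pass the contents of nexus.vmoptions and of etc/fabric/nexus-store.properties to find_drift, and the path of the latter to too_permissive.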