Nexus 3.6.0 as Docker registry and anonymous read


Diego Najar

Oct 11, 2017, 4:09:12 AM
to Nexus Users
Hi,
I'm working with Nexus 3.6.0-02, and I would like to enable the anonymous read feature for a Docker repository on Nexus, but when I enable it I get the following message:

$ docker login
Username: docker
Password:

Error response from daemon: Get https://example.com/v2/: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n<title>Error 400 </title>\n</head>\n<body>\n<h2>HTTP ERROR: 400</h2>\n<p>Problem accessing /nexus/v2/token. Reason:\n<pre>    Not a Docker request</pre></p>\n<hr /><a href=\"http://eclipse.org/jetty\">Powered by Jetty:// 9.3.20.v20170531</a><hr/>\n</body>\n</html>\n"


When I check the feature on the repository (Disable to allow anonymous pull), it is possible to log in.

$ docker login example.com
Username: docker
Password: 
Login Succeeded



How I enable the Anonymous read on the repository:
- Repositories->Docker hosted->un-check the checkbox (Disable to allow anonymous pull) from the repository
- Anonymous->checked Allow anonymous users to access the server
- Realms->Docker Bearer Token Realm

What am I missing?

I can get, for example, the catalog in both cases, with anonymous access to the repository enabled and disabled.
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying xxx...
* TCP_NODELAY set
* Connected to example.com (xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* ALPN/NPN, server did not agree to a protocol
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.xxxx.
* start date: Oct 03 00:00:00 2016 GMT
* expire date: Nov 03 12:00:00 2017 GMT
* common name: *.xxxx.
* issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
> GET /v2/_catalog HTTP/1.1
> Host: example.com
> User-Agent: curl/7.51.0
> Accept: */*
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Tue, 10 Oct 2017 13:55:05 GMT
< Docker-Distribution-Api-Version: registry/2.0
< Server: Nexus/3.6.0-02 (OSS)
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Length: 27
< Connection: keep-alive
* Curl_http_done: called premature == 0
* Connection #0 to host example.com left intact

{"repositories":["alpine"]}



Thanks!

Peter Lynch

Oct 12, 2017, 4:34:59 PM
to Diego Najar, Nexus Users
On Wed, Oct 11, 2017 at 5:09 AM, Diego Najar <dign...@gmail.com> wrote:
Hi,
I'm working with Nexus 3.6.0-02, and I would like to enable the anonymous read feature for a Docker repository on Nexus, but when I enable it I get the following message:

$ docker login
Username: docker
Password:

Error response from daemon: Get https://example.com/v2/: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"/>\n<title>Error 400 </title>\n</head>\n<body>\n<h2>HTTP ERROR: 400</h2>\n<p>Problem accessing /nexus/v2/token. Reason:\n<pre>     Not a Docker request</pre></p>\n<hr /><a href=\"http://eclipse.org/jetty\">Powered by Jetty:// 9.3.20.v20170531</a><hr/>\n</body>\n</html>\n"

The error message indicates a "Problem accessing /nexus/v2/token". That is not a valid endpoint for a docker repository. Docker expects to access a host and port at the root only. For example https://example.com/v2/token. It looks like you may have a reverse proxy trying to map the Nexus webapp context / to /nexus.

All docker requests reaching Nexus must not be remapped onto a /nexus context path. All requests must arrive at the root (i.e. slash only). Then Nexus will use the port being used to determine which repository to map this to.

When I check the feature on the repository (Disable to allow anonymous pull), it is possible to log in.

$ docker login example.com
Username: docker
Password:  
Login Succeeded


This works only as a confusing side-effect of authenticating being allowed when the regular server port is used.


Diego Najar

Oct 12, 2017, 6:28:23 PM
to Nexus Users
The reverse proxy you mention is done by Nexus, to keep compatibility with Nexus 2, https://help.sonatype.com/display/NXRM3/Installation#Installation-ChangingtheContextPath

Anyway, I received a message from Joseph and he mentions there is a bug when we use this context /nexus.

Rich Seddon

Oct 12, 2017, 6:57:58 PM
to Nexus Users
Anyway, I received a message from Joseph and he mentions there is a bug when we use this context /nexus.

Not sure what you mean by this?

You cannot use context "/nexus" with a docker repository, you must use context path "/". This isn't due to a bug, it's the way the docker protocol works.

Regards,

Rich 
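
Added example, not part of any post in this thread: a small Python check for the symptom discussed above, a Docker token endpoint that shows up under a context path such as /nexus instead of at the root. The Bearer challenge header is a constructed sample (the thread does not show one), the error excerpt is taken from the first post, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the thread does not show the 401 challenge header.
SAMPLE_CHALLENGE = 'Bearer realm="https://example.com/nexus/v2/token",service="example.com"'
# Excerpt of the daemon error quoted in the first post.
SAMPLE_ERROR = (r'error parsing HTTP 400 response body: ... <p>Problem accessing '
                r'/nexus/v2/token. Reason:\n<pre>    Not a Docker request</pre></p>')


def context_prefix(path):
    """Return what precedes the first /v2 segment ('' = API at the root, None = no /v2)."""
    m = re.match(r"^(.*?)/v2(?:/|$)", path)
    return m.group(1) if m else None


def parse_bearer_challenge(header):
    """Split a 'Bearer k="v",k2="v2"' WWW-Authenticate value into a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def realm_context_prefix(header):
    """Context prefix of the token realm URL advertised in a Bearer challenge."""
    realm = parse_bearer_challenge(header).get("realm")
    if realm is None:
        raise ValueError("challenge carries no realm")
    return context_prefix(urlsplit(realm).path)


def error_context_prefix(message):
    """Context prefix of the path named in a Jetty 'Problem accessing ...' error."""
    m = re.search(r"Problem accessing (\S+?)\. Reason:", message)
    return context_prefix(m.group(1)) if m else None


if __name__ == "__main__":
    for label, prefix in (("challenge realm", realm_context_prefix(SAMPLE_CHALLENGE)),
                          ("daemon error", error_context_prefix(SAMPLE_ERROR))):
        if prefix:
            print(f"{label}: token endpoint sits under context path {prefix!r}, not the root")
        elif prefix == "":
            print(f"{label}: token endpoint is at the root")
        else:
            print(f"{label}: no /v2 path found")
```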

Peter Lynch

Oct 13, 2017, 2:50:42 PM
to Diego Najar, Nexus Users
On Thu, Oct 12, 2017 at 7:28 PM, Diego Najar <dign...@gmail.com> wrote:
The reverse proxy you mention is done by Nexus, to keep compatibility with Nexus 2, https://help.sonatype.com/display/NXRM3/Installation#Installation-ChangingtheContextPath

Anyway, I received a message from Joseph and he mentions there is a bug when we use this context /nexus.

I see the bug now which will be fixed in an upcoming version: https://issues.sonatype.org/browse/NEXUS-14488
 