sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0
1.96k stars 578 forks

Nexus 3.73.0 can't proxy quay.io docker repository #493

Open becryptrichard opened 1 month ago

becryptrichard commented 1 month ago

Hi Everyone,

I'm currently running Nexus 3.73.0 in a Docker container on a Linux host. I have set up a proxy for the Docker registry quay.io. When I pull an image it starts downloading and then errors out on a layer. Nexus logs errors fetching the data from quay.io.

Has anyone else seen this? It works if I bypass Nexus and go direct.

Log output as follows:

2024-10-15 11:00:05,404+0000 DEBUG [qtp1127354808-680]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.recipe.DockerProxyFacetImpl - Fetching: GET https://quay.io/v2/jetstack/cert-manager-controller/blobs/sha256:2df365faf0e3007f983fadd7a65ba51d41b488eb2ed8fc70f4bf97043cfea560 HTTP/1.1
2024-10-15 11:00:05,404+0000 DEBUG [qtp1127354808-680]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.recipe.DockerProxyFacetImpl - Fetching Request Headers: []
2024-10-15 11:00:05,404+0000 DEBUG [qtp1127354808-680]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.store.DockerForeignLayersDAO.getForeignLayerUrls - ==>  Preparing: SELECT * FROM docker_foreign_layers WHERE digest = ?;
2024-10-15 11:00:05,404+0000 DEBUG [qtp1127354808-683]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.store.DockerForeignLayersDAO.getForeignLayerUrls - ==> Parameters: sha256:5dc732ec4d6374629da47c3dbcbdc609048ce09a114bbc9dd54f5a61de3236f1(String)
2024-10-15 11:00:05,408+0000 DEBUG [qtp1127354808-683]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.store.DockerForeignLayersDAO.getForeignLayerUrls - <==      Total: 0
2024-10-15 11:00:05,408+0000 DEBUG [qtp1127354808-680]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.store.DockerForeignLayersDAO.getForeignLayerUrls - ==> Parameters: sha256:2df365faf0e3007f983fadd7a65ba51d41b488eb2ed8fc70f4bf97043cfea560(String)
2024-10-15 11:00:05,409+0000 DEBUG [qtp1127354808-680]  anonymous org.sonatype.nexus.repository.docker.internal.datastore.store.DockerForeignLayersDAO.getForeignLayerUrls - <==      Total: 0
2024-10-15 11:00:05,410+0000 DEBUG [qtp1127354808-683]  anonymous org.sonatype.nexus.repository.docker.internal.httpclient.DockerRedirectStrategy - Redirect requested to location 'https://cdn03.quay.io/quayio-production-s3/sha256/5d/5dc732ec4d6374629da47c3dbcbdc609048ce09a114bbc9dd54f5a61de3236f1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI5LUAQGPZRPNKSJA%2F20241014%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241014T130256Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=4aa3d0165dd7c8c968451ccd91a809607cb38ac6ea362864a19a2da6b0059d4e&cf_sign=AzrJvEPiMPl2tLhE5uHjxerdqK4fNvgYNz53jaNvnmkl4Mwos3kdlVn%2FZ6kHQCmPY07qR2rb7dysAAN0ZmdB%2FfVKOKynLfdls6MGdNaA3EiBqew6N6QPHZdkPnJ2472lTnoxnigEoo7a1vtasBECLvzxE%2BrKGuwmQa1IDhA5byqB4oiKLwmJVC%2B49HEznSIZJY8hrtsd0vbAVJ21GCdMqRQr5IO6u%2Bw5c8qn4ZN1RKB834CC%2Bzl0703%2F413kEM1KjCqgPtBZ6qeEXBhkmtEpDt9%2FLeNpHdOqvuClM04VxrVLI0NyMB3ayHnxrUs5RNZRhBRvVzUBWLRb7Hy91TBPMQ%3D%3D&cf_expiry=1728911576&region=us-east-1&namespace=jetstack&repo_name=cert-manager-controller'
2024-10-15 11:00:05,410+0000 DEBUG [qtp1127354808-680]  anonymous org.sonatype.nexus.repository.docker.internal.httpclient.DockerRedirectStrategy - Redirect requested to location 'https://cdn03.quay.io/quayio-production-s3/sha256/2d/2df365faf0e3007f983fadd7a65ba51d41b488eb2ed8fc70f4bf97043cfea560?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI5LUAQGPZRPNKSJA%2F20241014%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241014T130256Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=224e5582e8d53cd7bfddd18b34a68583f39603ec8467b401940e05a0cf061d6e&cf_sign=cAtFCJEIhZDCbX07ahiQHUZUcWU7HV%2BcXOSI1geUvrCv5SNzspY7ExExJJ4qKaZgpB6rfxTNF7c6wLp1PAREa%2FNYP33LRF%2BGC%2FXYBGvDDYkeTGKdMLAoUtGdqw7kMWMgmj2XcyZZFUMI%2BhlyvSxkILapH3ju%2BFRvwecxaWd7Sn3w4Pi%2FZz9%2FYTodPPSSHJ2YcTmQJ9880KOzUMpkdqNf0z7mQJZAGvSHmrs%2BCbbfVKdBeXuujtmTGrGQxt8t7tpObdIU27fL1KVB8%2FeA%2BR3HIPx3oWQ8uVS%2Ff82VXMNZIQFMvfJAsgtDPl0vrwEnKK%2Bf0%2F8sRkAA9OCSrQb0O4xhpA%3D%3D&cf_expiry=1728911576&region=us-east-1&namespace=jetstack&repo_name=cert-manager-controller'
2024-10-15 11:00:05,417+0000 WARN  [qtp1127354808-648]  anonymous org.sonatype.nexus.repository.docker.internal.DockerFacetUtils - Could not parse error response Unrecognized token 'URL': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')

Thanks,

BenjaminSchweizer commented 1 month ago

Wild guess, but I think you need to activate Foreign Layer Caching in the settings of your quay.io proxy repo, and then add the quay CDNs to the allowed URLs.

The same for Docker Hub; there are also some images where some layers are referenced to another registry URL, for example:

ElCoyote27 commented 3 weeks ago

You could probably do with a single regexp: https?://cdn([0-9]{0,2})?\.quay\.io (Trying that now...)

ElCoyote27 commented 3 weeks ago

Also, Foreign Layer Caching defaults to '.*' so that should cover -everything-.
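
Added example, not part of the thread or of Nexus itself: a Python check that pulls redirect targets out of `DockerRedirectStrategy` debug lines (signed query strings dropped) and tests them against the regexp proposed above, the `.*` default, and a host-anchored variant. The log lines are constructed, `ANCHORED_PATTERN` is a hypothetical tightening, and since the page does not say whether Nexus applies the pattern as a full or a prefix match, both are shown.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the shape of the DockerRedirectStrategy DEBUG
# entries in the issue; digests and query strings are shortened placeholders.
SAMPLE_LOG = """\
2024-10-15 11:00:05,410+0000 DEBUG [qtp-1]  anonymous org.sonatype.nexus.repository.docker.internal.httpclient.DockerRedirectStrategy - Redirect requested to location 'https://cdn03.quay.io/quayio-production-s3/sha256/5d/EXAMPLE1?X-Amz-Expires=600&region=us-east-1'
2024-10-15 11:00:05,411+0000 DEBUG [qtp-2]  anonymous org.sonatype.nexus.repository.docker.internal.httpclient.DockerRedirectStrategy - Redirect requested to location 'https://cdn.quay.io/quayio-production-s3/sha256/2d/EXAMPLE2?X-Amz-Expires=600'
2024-10-15 11:00:05,412+0000 DEBUG [qtp-3]  anonymous org.sonatype.nexus.repository.docker.internal.httpclient.DockerRedirectStrategy - Redirect requested to location 'https://cdn03.quay.io.mirror.example/sha256/ab/EXAMPLE3'
"""

REDIRECT_RE = re.compile(r"DockerRedirectStrategy - Redirect requested to location '([^']+)'")

# Pattern as posted in the thread, and a hypothetical variant anchored at the host boundary.
THREAD_PATTERN = r"https?://cdn([0-9]{0,2})?\.quay\.io"
ANCHORED_PATTERN = r"https?://cdn[0-9]{0,2}\.quay\.io(:[0-9]+)?/.*"

def redirect_targets(log_text):
    """Return scheme://host/path of each redirect, query string dropped."""
    out = []
    for m in REDIRECT_RE.finditer(log_text):
        u = urlsplit(m.group(1))
        out.append(f"{u.scheme}://{u.netloc}{u.path}")
    return out

def classify(urls, pattern, full=True):
    """Map each URL to whether the allowlist pattern accepts it."""
    rx = re.compile(pattern)
    test = rx.fullmatch if full else rx.match  # full match vs. prefix match
    return {u: test(u) is not None for u in urls}

def hosts(verdicts, accepted=True):
    """Sorted host names whose verdict equals `accepted`."""
    return sorted({urlsplit(u).netloc for u, ok in verdicts.items() if ok is accepted})

if __name__ == "__main__":
    urls = redirect_targets(SAMPLE_LOG)
    for label, pat, full in [("thread, prefix match", THREAD_PATTERN, False),
                             ("thread, full match", THREAD_PATTERN, True),
                             ("default '.*'", r".*", True),
                             ("anchored, full match", ANCHORED_PATTERN, True)]:
        v = classify(urls, pat, full)
        print(f"{label}: accepted={hosts(v)} rejected={hosts(v, False)}")
```

Under full-match semantics the thread's pattern would need a trailing `/.*` to accept any blob URL, and under prefix-match semantics it also accepts the look-alike host, which the anchored variant rejects.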