I'm using Sonatype Nexus as a Private Docker Registry.
While it works with authenticated users, trying to use the anonymous user to pull images doesn't work. This happens only on a docker client.
Using the Nexus UI (not logged in) I'm able to browse images on my repo. But trying to pull the images I get an 'Unauthorized' error.
The following is a capture stream of communication between the Docker Client and the Nexus repository:
(image: Wireshark packet capture)
This is strange, as anonymous access is enabled, and according to the docs, I may have a Docker Hosted Registry (with RW access through the HTTPS port) and a Docker Group Registry, pointing to a Docker Hosted Registry, with RO/Anonymous access.
This feature was added in Nexus 3.6. According to the documentation:
1. Under Security > Realms, enable the "Docker Bearer Token Realm"
2. Uncheck "Force basic authentication" in the repository configuration
Nexus caused me quite some headache until I found a rather obscure Sonatype post that states not to change the anonymous realm.
So the steps I followed to get this working (tested in Nexus 3.19.1 to 3.38.1):
1. Same as the answer by @andrewdotn (enable the Docker Bearer Token Realm in the Security > Realms section).
2. Enable anonymous access FOR the Local Authorizing Realm (as stated in the above-mentioned link).
3. Create the docker (proxy) repository (in this example to proxy hub.docker.com):
3.1. Enable the HTTP / HTTPS endpoint (depending on whether you SSL to Nexus or use a reverse proxy).
3.2. Enable "Allow anonymous docker pull (Docker Bearer Token Realm required)".
3.3. Enter "https://registry-1.docker.io" as "Location of the remote repository" (for Docker Hub).
3.4. Set the "Docker Index" to use the Docker Hub index (aka "Use Docker Hub").
3.5. Save.
4. Make sure your anonymous user has the right to read the new repository (the default anonymous role will allow read access to quite a bit more, but should already allow anonymous pull).
4.1. (OPTIONAL) If you want to restrict the anonymous user as much as possible (i.e. to only allow docker pull), create a role "nx-docker_read" (or similar) and give it the "nx-repository-view-docker-*-read" privilege. (This will allow any user in the group to pull images from any docker repository that allows anonymous pull, but not see anything on the web UI.)
4.2. (If you did 4.1) Now all that's left is to change the group of the anonymous user to your new role (in my example "nx-docker_read") and remove it from "nx-anonymous" => anonymous users can no longer browse Nexus on the web UI but can still pull images.
The Docker Registry API requires authentication for registry access, even for pull operations, and so does Nexus 3.
Docker Hub always requires an access token, even for pulls.
But the reason why you can pull anonymously from Docker Hub is that it uses a token server which automatically gives out access tokens to anonymous users.
This mechanism is not available for the moment with Nexus 3.0.1.
Perhaps it will be implemented (https://issues.sonatype.org/browse/NEXUS-10813).
So for the moment with Nexus 3, it will always require you to be logged in before pulling an image (possibly with the anonymous user, if your rights are set that way).
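As an added example (not code from the question or from any of the answers), here is the bearer-token handshake that the step-by-step answer above configures on the Nexus side and that the answer just above describes for Docker Hub, replayed from the client side the way the docker client does it on pull: GET /v2/ with no credentials, read the WWW-Authenticate challenge from the 401, fetch a token from the realm it names, then request the manifest with that token. Seeing where this chain stops is what the Wireshark capture in the question would show. The host nexus.example.com, the realm/service URLs, and the sample challenge header are assumptions constructed to match the standard Docker Registry v2 challenge format, not values taken from a real Nexus instance.

```python
"""Replay the Docker Registry v2 bearer-token handshake a docker client does on pull.

Added example, not code from the question or the answers. The host
nexus.example.com, the realm/service values and the sample challenge below are
assumptions, constructed to match the standard challenge format.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: what GET /v2/ answers with (HTTP 401) once the Docker
# Bearer Token Realm is enabled and "Force basic authentication" is off.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://nexus.example.com/v2/token",'
    'service="https://nexus.example.com/v2/token",'
    'scope="repository:library/alpine:pull"'
)
MANIFEST_TYPES = (
    "application/vnd.docker.distribution.manifest.v2+json, "
    "application/vnd.docker.distribution.manifest.list.v2+json, "
    "application/vnd.oci.image.index.v1+json, "
    "application/vnd.oci.image.manifest.v1+json"
)
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Return the realm/service/scope of a WWW-Authenticate Bearer challenge.

    Returns None for any other scheme: a Basic challenge means the registry
    still forces basic auth, so an anonymous client has no token endpoint to call.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(_PARAM_RE.findall(params))


def build_token_url(challenge, scope=None):
    """URL the client GETs (unauthenticated, for an anonymous pull) to obtain a token."""
    query = {"service": challenge["service"]}
    scope = scope or challenge.get("scope")
    if scope:
        query["scope"] = scope
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def _get(url, headers=None, timeout=10):
    req = urllib.request.Request(url, headers=headers or {})
    return urllib.request.urlopen(req, timeout=timeout)


def anonymous_pull_check(registry, repository, tag="latest"):
    """Walk /v2/ -> token -> manifest with no credentials; report where it stops.

    Needs network access to a real registry; the parsing helpers above are the
    part that can be exercised offline.
    """
    base = "https://" + registry
    try:
        _get(base + "/v2/")
        return {"stage": "v2", "status": 200, "note": "registry needs no auth"}
    except urllib.error.HTTPError as err:
        if err.code != 401:
            return {"stage": "v2", "status": err.code}
        challenge = parse_bearer_challenge(err.headers.get("WWW-Authenticate", ""))
    if challenge is None:
        return {"stage": "v2", "status": 401, "note": "Basic challenge, no bearer realm"}
    try:
        with _get(build_token_url(challenge, "repository:%s:pull" % repository)) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        return {"stage": "token", "status": err.code}
    token = body.get("token") or body.get("access_token")
    if not token:
        return {"stage": "token", "status": 200, "note": "no token in response"}
    try:
        with _get(base + "/v2/%s/manifests/%s" % (repository, tag),
                  {"Authorization": "Bearer " + token, "Accept": MANIFEST_TYPES}) as resp:
            return {"stage": "manifest", "status": resp.status}
    except urllib.error.HTTPError as err:
        # 401 here means a token was issued but carries no pull grant for this
        # repository, i.e. the anonymous user lacks read on it (step 4 above).
        return {"stage": "manifest", "status": err.code}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: python pullcheck.py <registry-host> <repository> [tag]")
    print(anonymous_pull_check(*sys.argv[1:4]))
```

Run it as `python pullcheck.py nexus.example.com library/alpine` against your own host. A Basic challenge at the first step means the bearer realm is not in play for that repository; a 401 on the token step or on the manifest step narrows the problem to the token endpoint or to the anonymous user's read privilege respectively, which is the distinction the answers above are drawing.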