Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Problem using Nexus to proxy docker hub

See original GitHub issue

Describe the bug I am trying to setup nexus in the AzureTRE environment to proxy docker hub. I believe I have nexus setup correctly and appropriate docker hosts added the the firewall rules. When I try to run docker login from a VM running in a workspace shared service subnet I see error similar to what is described here. According to Sonatype docs docker needs to be exposed on a different port than the standard ssl port nexus is already running on. However nexus is running in an Azure App Service and I don’t see a way to expose custom ports. Steps to reproduce

setup Nexus to proxy docker hub
add *.docker.io and *.docker.com to firewall rules to allow nexus to access them
create workspace and start vm in shared services subnet
connect to vm using bastion and run docker login nexus-[tre_id].azurewebsites.net:[port]
see timeout error

Acceptance criteria

#1479
#1480
#1481
Configure Docker Hub proxy in Nexus using a standalone port

Issue Analytics

State:
Created 2 years ago
Comments:16 (8 by maintainers)

Top GitHub Comments

1reaction

marrobicommented, Mar 9, 2022

Scrap the multiple web app idea. The SSL certificate needs to be loaded into nexus - can’t do that with web apps as we don’t have access to the cert.

Could not configure HTTPS connector on port 5000 for docker repository dockerhub

Searching got me: “Docker registries are required to use HTTPS. This message means that you have not configured Jetty with a keystore from which it can load a TLS certificate for the Docker HTTPS connectors”

I see no option that to use a trusted SSL certificate, and in that case would run in docker on a VM/VMSS.

To get a trusted SSL, either

Need to procure a wildcard cert that can be used throughout the TRE (in the past has been a requirement for many production use cases).
Expose an endpoint publicly, get a lets encrypt cert, then make private - messy.
Use self signed certs and configure VMs to trust these certs… also not great.

1reaction

jjgriff93commented, Mar 9, 2022

Have set up a meeting to discuss further after tomorrow’s stand-up - @tamirkamara have invited you if you’re able to attend as your input would be valued. If not feel free to post your thoughts on this ticket. Summary of the planned meeting discussion:

How best to enable two exposed ports (limited to one for app service) so we can proxy docker hub on a separate port to the general nexus port (as per https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/docker-registry/ssl-and-repository-connector-configuration)
If we choose to host Nexus on container registry / VM to get around port issues, how we then plan to set up SSL certs in lieu of the app service provided one