
I am trying to pull a Docker image from a Nexus repo without using the registry mirror in the command line, and it is throwing an error. If I use the registry mirror in the pull it succeeds, but the image name is not what I would like.

My docker version is:

Docker version 20.10.8, build 3967b7d

My nexus version is

Sonatype Nexus Repository Manager OSS 3.31.1-01

docker system info:

Insecure Registries:
  xxx.xxx.x.xxx:8083
  127.0.0.0/8

 Registry Mirrors:
  http://xxx.xxx.x.xxx:8083/

When I run: sudo docker pull xxx.xxx.x.xxx:8083/mongo:4.2.3, it succeeds and the debug info is:

DEBU[2021-08-17T10:37:19.364681226-04:00] Calling HEAD /_ping                          
DEBU[2021-08-17T10:37:19.365301100-04:00] Calling POST /v1.41/images/create?fromImage=192.168.9.175%3A8083%2Fmongo&tag=4.2.3 
DEBU[2021-08-17T10:37:19.367151579-04:00] Trying to pull xxx.xxx.x.xxx:8083/mongo from https://xxx.xxx.x.xxx:8083 v2 
WARN[2021-08-17T10:37:19.374915464-04:00] Error getting v2 registry: Get https://xxx.xxx.x.xxx:8083/v2/: http: server gave HTTP response to HTTPS client 
INFO[2021-08-17T10:37:19.374944418-04:00] Attempting next endpoint for pull after error: Get https://xxx.xxx.x.xxx:8083/v2/: http: server gave HTTP response to HTTPS client 
DEBU[2021-08-17T10:37:19.374964188-04:00] Trying to pull xxx.xxx.x.xxx:8083/mongo from http://xxx.xxx.x.xxx:8083 v2 
DEBU[2021-08-17T10:37:19.398630498-04:00] Fetching manifest from remote                 digest="sha256:92814bb60dc673bb68b6aca0b24bcb8738d7b2c267b97ce62fa92adc3746a0ea" error="<nil>" remote="192.168.9.175:8083/mongo:4.2.3"
DEBU[2021-08-17T10:37:19.429454057-04:00] Pulling ref from V2 registry: xxx.xxx.x.xxx:8083/mongo:4.2.3 

When I run: sudo docker pull mongo:4.2.3 it fails to pull the image from Nexus with an error and pulls from docker.io on the next try. Debug info as below:

DEBU[2021-08-17T10:26:25.078886904-04:00] Calling HEAD /_ping                          
DEBU[2021-08-17T10:26:25.079306196-04:00] Calling GET /v1.41/info                      
DEBU[2021-08-17T10:26:25.097994642-04:00] Calling POST /v1.41/images/create?fromImage=mongo&tag=4.2.3 
DEBU[2021-08-17T10:26:25.099642151-04:00] Trying to pull mongo from http://xxx.xxx.x.xxx:8083/ v2 
INFO[2021-08-17T10:26:25.116000813-04:00] **Attempting next endpoint for pull after error: manifest unknown: manifest unknown** 
DEBU[2021-08-17T10:26:25.116039299-04:00] Trying to pull mongo from https://registry-1.docker.io v2 
DEBU[2021-08-17T10:26:25.305043063-04:00] Fetching manifest from remote                 digest="sha256:58b25d51baa11a85b6aedf7c4e05710d12a27ddc2883e2692e7d58527d98bd73" error="<nil>" remote="docker.io/library/mongo:4.2.3"
DEBU[2021-08-17T10:26:25.360955030-04:00] Pulling ref from V2 registry: mongo:4.2.3    
DEBU[2021-08-17T10:26:25.361036645-04:00] docker.io/library/mongo:4.2.3 resolved to a manifestList object with 5 entries; looking for a unknown/amd64 match 

Issue with Image name:

REPOSITORY                 TAG       IMAGE ID       CREATED         SIZE
xxx.xxx.x.xxx:8083/mongo   4.2.3     97a9a3e85158   17 months ago   386MB

Any guidance on this would help.

Nexus Docker (xxx.xxx.x.xxx:8083) is set to the hosted type on port 8083, and mongo:4.2.3 is uploaded into this Docker repository. We ultimately want to use this in an air-gapped system where there is no internet connection.

Gopi
  • Can you confirm that http://xxx.xxx.x.xxx:8083/ is actually pointing to a nexus registry configured as a proxy of docker.io (and not a simple hosted registry only containing the images you would like to distribute locally....). Moreover, can you give details on how you configured this proxy, more specifically how the index is configured on this proxy (from registry, dockerhub or custom). Please don't reply in comments, edit your question. Thanks. – Zeitounator Aug 17 '21 at 16:48

2 Answers


There are three things going on here:

I am trying to pull a Docker image from a Nexus repo without using the registry mirror in the command line, and it is throwing an error. If I use the registry mirror in the pull it succeeds, but the image name is not what I would like.

I'm going to recommend changing your likes. :)

If you want to pull from a specific registry, then use that registry in the image name. Trying to refer to your local registry with short names is merging two different image registry namespaces, which means it's trivial to run an image from the wrong namespace and result in a security breach. This was a large issue for other package repositories (see "dependency confusion" attacks) that docker was not susceptible to because they require the registry name as part of the image name (the only exception being Docker Hub). Even RedHat who tried to get options like add-registry and block-registry into the upstream docker engine (and failed, these options only ever appeared in a RedHat specific fork) is now telling users that it was a very bad idea and now their users are exposed to security vulnerabilities they can't easily fix because removing the feature will break lots of user environments.


Next, why doesn't the pull go to your registry? Because your image name doesn't match that of Docker Hub. Official images without a username are actually under the library repository. This is typically hidden from view, but you can do things like docker pull library/alpine or even docker pull docker.io/library/alpine instead of docker pull alpine, and all 3 will be pulling from the same place.

The fix is to run

docker pull xxx.xxx.x.xxx:8083/mongo:4.2.3
docker tag xxx.xxx.x.xxx:8083/mongo:4.2.3 xxx.xxx.x.xxx:8083/library/mongo:4.2.3
docker push xxx.xxx.x.xxx:8083/library/mongo:4.2.3

The last issue I actually can't help you with, it comes from the error message you're seeing when pulling from Hub, which should work:

docker.io/library/mongo:4.2.3 resolved to a manifestList object with 5 entries; looking for a unknown/amd64 match

The unknown/amd64 is unexpected to me, typically that would be linux/amd64 so there is something unexpected with the platform you're running your commands on. If you want to get into debugging that, update your question with docker info. You can try working around that with:

docker pull --platform linux/amd64 mongo:4.2.3

to force the platform, but that still doesn't explain why it doesn't know your current platform.

BMitch
  • Thanks so much Mitch tagging it to the extra path with library did the trick. I was able to pull images without the URL in the air gapped environment. – Gopi Aug 26 '21 at 14:42
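The naming rule behind this answer (a short name like mongo is really docker.io/library/mongo, so a registry mirror is asked for library/mongo) can be made mechanical. The script below is an added example and is not code from the question or from either answer: normalize_ref applies the engine's normalization of image references, mirror_target derives the name an image must carry inside the private registry for a short-name pull through the mirror to hit it, and mirror_image runs the pull/tag/push sequence from the answer above (with DRY_RUN=1 it only prints the docker commands). The registry address 192.0.2.10:8083 and the file name mirror.sh are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Applies the Docker engine's
# image-name normalization to show why `docker pull mongo:4.2.3` asks a registry
# mirror for library/mongo, then retags images so a private registry holds them
# under that name. 192.0.2.10:8083 is a placeholder for the Nexus address.

# normalize_ref REF: print the fully qualified form of an image reference.
#   mongo:4.2.3            -> docker.io/library/mongo:4.2.3
#   bitnami/mongodb:4.4    -> docker.io/bitnami/mongodb:4.4
#   192.0.2.10:8083/mongo  -> 192.0.2.10:8083/mongo
normalize_ref() {
    nr_ref=$1
    case "$nr_ref" in
        */*)
            nr_first=${nr_ref%%/*}
            case "$nr_first" in
                # a dot, a port or "localhost" before the first slash marks a registry host
                *.*|*:*|localhost) nr_registry=$nr_first; nr_path=${nr_ref#*/} ;;
                *)                 nr_registry=docker.io; nr_path=$nr_ref ;;
            esac
            ;;
        *)  nr_registry=docker.io; nr_path=$nr_ref ;;
    esac
    if [ "$nr_registry" = docker.io ] || [ "$nr_registry" = index.docker.io ]; then
        nr_registry=docker.io
        # Hub "official" images without a user prefix live under library/
        case "$nr_path" in
            */*) ;;
            *)   nr_path=library/$nr_path ;;
        esac
    fi
    printf '%s/%s\n' "$nr_registry" "$nr_path"
}

# mirror_target REGISTRY REF: the name REF must have inside REGISTRY so that a
# client using REGISTRY as a mirror resolves the short name to it.
mirror_target() {
    mt_registry=$1
    mt_full=$(normalize_ref "$2")
    case "$mt_full" in
        docker.io/*)       printf '%s/%s\n' "$mt_registry" "${mt_full#docker.io/}" ;;
        "$mt_registry"/*)  printf '%s\n' "$mt_full" ;;                          # already there
        *)                 printf '%s/%s\n' "$mt_registry" "${mt_full#*/}" ;;   # other upstream: keep the path only (assumption of this script)
    esac
}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# mirror_image REGISTRY REF: pull REF, retag it under REGISTRY with the library/
# prefix preserved, and push it (the pull/tag/push sequence from the answer above).
mirror_image() {
    mi_src=$(normalize_ref "$2")
    mi_dst=$(mirror_target "$1" "$2")
    if [ "$mi_src" = "$mi_dst" ]; then
        echo "$mi_src is already a $1 reference; nothing to do" >&2
        return 0
    fi
    run docker pull "$mi_src" &&
    run docker tag "$mi_src" "$mi_dst" &&
    run docker push "$mi_dst"
}

# Usage: DRY_RUN=1 sh mirror.sh 192.0.2.10:8083 mongo:4.2.3 redis:6
if [ "$#" -ge 2 ]; then
    mr_registry=$1; shift
    for mr_img in "$@"; do
        mirror_image "$mr_registry" "$mr_img"
    done
fi
```

After the push, the check is the one visible in the question's own debug log: with the mirror configured, docker pull mongo:4.2.3 should show "Fetching manifest from remote" with the mirror's address rather than "Attempting next endpoint" followed by registry-1.docker.io. Because the mirror is listed as an insecure, plain-HTTP endpoint, the retag step is also the only place that decides which namespace other clients on the network will resolve a short name to, which is the confusion risk described in the answer.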

I guess you are trying to set your nexus docker repository to be the default one for the machine in the sealed network.

That needs changing because of the following from the Docker documentation:

Tag an image for a private repository

  • To push an image to a private registry and not the central Docker registry you must tag it with the registry hostname and port (if needed).

$ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0

With more upfront configuration and upkeep, but no changes required for the client machines:

If you have a DNS server in your network, you could point docker.io to your Nexus host IP address and put a proxy in place to intercept the communication and redirect and adapt the requests as they were to the Nexus Docker registry.

Hope this solves your pickle :)

Update 1:

It could be that you need to also change /etc/containers/registries.conf like specified here to only or also specify your nexus docker registry.

Update 2: Before letting Gopi give up entirely, I would suggest using Podman as an alternative to Docker. Podman is a daemon-less container engine that works by forking processes to handle each running container. It seamlessly works with docker images thanks to the OCI standard, and on top of that, the only change when using it is replacing the docker command prefix with podman since all the commands are exactly the same. Podman was created by RedHat so by default it searches RedHat repos and you can add your own too as shown in this article that I mentioned before.

Noam Yizraeli
  • Thanks Noam appreciate your response. The docker tag was already done. The image that I need to download from nexus is already pushed to Nexus and is available to pull. So mainly I am not able to pull that image from the client when I do not specify the host and port number, though they are present as Registry Mirrors in daemon.json on the client. I tried adding add-registry and block-registry but throwing errors ": the following directives don't match any configuration option: add-registry" [link](https://docs.docker.com/engine/reference/commandline/dockerd/#on-linux) – Gopi Aug 18 '21 at 15:25
  • Did you install docker with 1.XX versioning or docker-ce with 17/18/19/20 versioning? And what exact version do you have? I've used docker-ce 18 or 19. Also make sure the JSON is formatted correctly and restart the docker service for the config to take effect – Noam Yizraeli Aug 18 '21 at 19:09
  • My docker version is: Docker version 20.10.8, build 3967b7d. Like in the link https://docs.docker.com/engine/reference/commandline/dockerd/#on-linux add-registry does not seem to be a part of allowable configuration – Gopi Aug 19 '21 at 12:22
  • I've edited my answer, can you please check if that option works for you? – Noam Yizraeli Aug 19 '21 at 15:52
  • Thanks so much Noam for trying to help me out with different solutions. I also tried this but with no success. I guess there is no way to do this based on this link https://stackoverflow.com/questions/40455658/is-there-any-way-to-pull-an-image-from-private-registry-and-cut-u – Gopi Aug 20 '21 at 15:26
  • @Gopi I've updated my question again, hope this "last" option would do the trick ;) – Noam Yizraeli Aug 21 '21 at 16:20