Nexus docker registry is not working over IPV6 trying to login nor the docker image push from local machine

Sonatype Nexus Repository
, ,
1

"I’m having trouble connecting to my Sonatype Nexus Docker repository via IPv6. My environment is IPv6-only, and while IPv4 connectivity to Nexus works, IPv6 connections are failing. I’ve installed Sonatype Nexus on a Rocky Linux 8.10 server as a container.

When I attempt to log in using podman, I receive a “503 Service Unavailable” error:

podman login --tls-verify=false [ipv6address]:8085
Username:
Password:
Error: authenticating creds for “[IPV6_address]:8085”: pinging container registry [IPV6_address]:8085: received unexpected HTTP status: 503 Service Unavailable

Ipv4 success: podman login --tls-verify=false IPV4-address:8085 --username xxxxx --password xxxxx
Login Succeeded!

My Nexus configuration includes the following:

  1. I removed the line -Djava.net.preferIPv4Stack=true from $install_dir/bin/nexus.vmoptions.
  2. I added -Djava.net.preferIPv6Addresses=true to the Java arguments in $install_dir/bin/nexus.vmoptions to prefer IPv6 addresses.
  3. Enable the Docker Bearer Token Realm in Nexus Security Realms Tab.
  4. Not using LDAP for connectivity using local user credentials created on nexus.
  5. Nexus is listening on IPv6 for both ports 8081 (artifacts) and 8085 (Docker images), as shown by netstat:
    tcp6 35 0 :::8081 :::* LISTEN
    tcp6 2 0 :::8085 :::* LISTEN
    Port 8081 is used for artifacts, and port 8085 is used for Docker images. Any suggestions on how to troubleshoot this 503 error and get IPv6 connectivity working for my Docker repository?"
2

I think the first thing to figure out is whether Nexus is returning a 503 response, or whether a reverse proxy, load balancer, etc. is.

I’d suggest taking a look at the request log to see if it contains any 503 errors. If it does not, then the problem is external to Nexus.

3

Thanks for the suggestion! I’ve checked the logs, and here’s what I’ve found:
503 Service Unavailable error when trying to ping the Docker registry over IPv6.
There are Forbidden errors when attempting to ping via HTTPS, which indicates possible access control or authentication issues.
Podman is unable to find credentials for the repository over IPv6, and it also doesn’t seem to be able to communicate with the registry properly, as shown in the log:
I’ve checked the Nexus container logs and confirmed that Nexus is listening on IPv6 for both ports 8081 (artifacts) and 8085 (Docker images). I also verified that the Docker Bearer Token Realm is enabled in Nexus and that it should allow connections.

Logs:
INFO[0000] podman filtering at log level debug
DEBU[0000] Called login.PersistentPreRunE(podman login --log-level=debug --tls-verify=false [IPV6]:8085 --username xxx --password xxx)
DEBU[0000] Using conmon: “/usr/bin/conmon”
INFO[0000] Using sqlite as database backend
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /var/lib/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /var/lib/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver “overlay”
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true
DEBU[0000] Initializing event backend file
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime crun initialization failed: no valid executable found for OCI runtime crun: invalid argument
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument
DEBU[0000] Using OCI runtime “/usr/bin/runc”
INFO[0000] Setting parallel job count to 25
DEBU[0000] Loading registries configuration “/etc/containers/registries.conf”
DEBU[0000] Loading registries configuration “/etc/containers/registries.conf.d/000-shortnames.conf”
DEBU[0000] Loading registries configuration “/etc/containers/registries.conf.d/001-rhel-shortnames.conf”
DEBU[0000] Loading registries configuration “/etc/containers/registries.conf.d/002-rhel-shortnames-overrides.conf”
DEBU[0000] No credentials matching [IPV6]:8085 found in /run/user/0/containers/auth.json
DEBU[0000] No credentials matching [IPV6]:8085 found in /root/.config/containers/auth.json
DEBU[0000] No credentials matching [IPV6]:8085 found in /root/.docker/config.json
DEBU[0000] No credentials matching [IPV6]:8085 found in /root/.dockercfg
DEBU[0000] No credentials for [IPV6]:8085 found
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/[IPV6]:8085
DEBU[0000] GET https://[IPV6]:8085/v2/
DEBU[0000] Ping https://[IPV6]:8085/v2/ err Get “https://[IPV6/v2/”: Forbidden (&url.Error{Op:“Get”, URL:“https://[IPV6]:8085/v2/”, Err:(*errors.errorString)(0xc0002ae190)})
DEBU[0000] GET http://[IPV6]:8085/v2/
DEBU[0059] Ping http://[IPV6]:8085/v2/ status 503
DEBU[0059] GET https://[IPV6]:8085/v1/_ping
DEBU[0059] Ping https://[IPV6]:8085/v1/_ping err Get “https://[IPV6]:8085/v1/_ping”: Forbidden (&url.Error{Op:“Get”, URL:“https://[IPV6]:8085/v1/_ping”, Err:(*errors.errorString)(0xc0002aea60)})
DEBU[0059] GET http://[IPV6]:8085/v1/_ping
DEBU[0119] Ping http://[IPV6]:8085/v1/_ping status 503
Error: authenticating creds for “[IPV6]:8085”: pinging container registry [IPV6]:8085: received unexpected HTTP status: 503 Service Unavailable
DEBU[0119] Shutting down engines

4

Gentle reminder, Can anyone help here stuck due to this issue, any solution or updates?

5

Those aren’t logs from Nexus, you’d want to look at the logs from Nexus to determine whether Nexus is the source.

6

Can you please tell me which logs I should check? I have already reviewed the request logs, Nexus logs, and audit logs. I can see that in the audit logs IPv4 admin login request is appearing, but there is no record of any IPv6 requests for the Docker registry when I try to log in.

admin [03/Jun/2025:09:59:21 +0000] “GET /repository/virtual-5g-docker/v2/token?account=admin&service=http%3A%2F%2FIPV4%3A8085%2Fv2%2Ftoken HTTP/1.1” 200 - 60 7 “containers/5.29.5 (GitHub - containers/image: Work with containers’ images)” [qtp711871943-978]

Note: Currently using Nexus version OSS 3.76.0-03

7

If the request log of Nexus contains no entry while you’re using ipv6 than this suggests a networking issue as opposed to an issue with Nexus.

8

The curl command from local server to nexus is working on IPV6, only the docker (login, push or pull) commands for a docker hosted repository are not working on IPV6 tested on port 8082.
curl -6 -u XXXX:XXXX -v -g http://[IPV6]:8082/v2/

  • About to connect() to IPV6port 8082 (#0)

  • Trying IPV6…

  • Connected to IPV6 (IPV6) port 8082 (#0)

  • Server auth using Basic with user ‘test’

GET /v2/ HTTP/1.1

Authorization: Basic dGVzdDp0ZXN0

User-Agent: curl/7.29.0

Host: [IPV6]:8082

Accept: /

< HTTP/1.1 200 OK

< Date: Wed, 18 Jun 2025 09:31:16 GMT

< Server: Nexus/3.76.0-03 (OSS)

< X-Content-Type-Options: nosniff

< Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation

< X-XSS-Protection: 1; mode=block

< Docker-Distribution-Api-Version: registry/2.0

< Content-Length: 0

<

  • Connection #0 to host IPV6 left intact

docker login [ipv6]:8082 --username XXXX --password YYY

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Error response from daemon: Get “http://[ipv6]:8082/v2/”: context deadline exceeded (Client.Timeout exceeded while awaiting headers)

docker push [ipv6]:8082/DOCKER-REPO/DOCKER-IMAGE:tag

The push refers to repository [[ipv6]:8082/DOCKER-REPO/DOCKER-IMAGE:tag]

Get “http://[IPV6]:8082/v2/”: net/http: request canceled (Client.Timeout exceeded while awaiting headers)