Proxied Docker Repository fails to pull images

sverre.moe · March 9, 2021, 4:08pm

I have set up 2 Docker Registry proxies

SUSE: https://registry.suse.com
HTTPS Connector 38382
Allow anonymous docker pull
Docker Index: Use proxy registry

Docker Hub: https://registry-1.docker.io
HTTPS Connector 38383
Allow anonymous docker pull
Docker Index: Use Docker Hub

I got the Docker Hub registry URL from this documentation:
https://help.sonatype.com/repomanager3/formats/docker-registry/proxy-repository-for-docker

All these are combined within a Docker Group along with our own internal hosted Docker registry. This group has HTTPS Connector on port 38380.

Pulling from the internal hosted registry works fine through the docker group.
Pulling from SUSE images through the group:
docker pull nexus.company.com:38380/suse/sle15:15.2
15.2: Pulling from suse/sle15
f3d2df4815db: Pulling fs layer
error pulling image configuration: unknown blob
Pulling from Docker Hub images through the group:
docker pull nexus.company.com:38380/opensuse/leap:15.2
Error response from daemon: manifest for nexus.company.com:38380/opensuse/leap:15.2 not found: manifest unknown: manifest unknown

When I try to pull from the proxied registries directly.

Pulling directly from SUSE proxy
docker pull nexus.company.com:38382/suse/sle15:15.2
15.2: Pulling from suse/sle15
f3d2df4815db: Pulling fs layer
error pulling image configuration: unauthorized: access to the requested resource is not authorized

Pulling from Docker Hub proxy
docker pull nexus.company.com:38383/opensuse/leap:15.2
Error response from daemon: unauthorized: access to the requested resource is not authorized

What does this mean?
Is it our Nexus or the proxy registry who says it is not authorized?
Anonymous pull is toggled, and I have the Docker Bearer Token Realm in Realms.

I have even tried docker login, but that does not help.

So, three problems:

Why doesn’t Nexus search the proxied registries when using the Group?
Why is it saying Unauthorized when using the proxied registries directly through their connector port?
What was the problem I got with the blobstore for the one proxy repository?

sverre.moe · March 11, 2021, 6:32pm

It seems so easy how to configure Nexus to proxy Docker Hub, but I cannot fathom why it does not work.
I have tried every configuration I can think of.

On the Nexus server, I am able to pull directly from Docker Hub using docker.

Why is it saying I am not authorized? It will not work with docker login either.

sverre.moe · March 17, 2021, 5:26pm

I am not sure what the problem was.
We have fixed it.

We moved our Nexus server to a different network segment.
Disabled HTTP and HTTPS Proxy in Nexus settings.
Firewall opening have been made to the external registries.
Now the group pull retrieves from the external registries.

Perhaps some problem with HTTPS Proxy was the cause.

blackclaws.kearal · April 14, 2021, 7:31pm

For me this solved the problem:

Basically add a default role to every authenticated user as nx-anonymous:
nexus configuration → system → capabilities → create capability → default role