Link Search Menu Expand Document

Docker Registry in Nexus

This article describes the steps to deploy the external Docker registry in the designated Nexus server.


  1. Download the Nexus repository.

     # wget -P /etc/yum.repos.d/ https://repo.sonatype.com/repository/community-hosted/rpm/sonatype-community.repo
    
  2. Install the following software packages.

     # yum install docker wget -y
    
  3. Deploy and start the Nexus software.

     # yum install nexus-repository-manager
        
     # systemctl start nexus-repository-manager 
    
  4. Create the SSL certificates on the server based on the description highlighted in this link. The following nexus.crt certificate will be used during CDP PvC Data Services installation.

     # keytool -genkeypair -keystore keystore.jks -storepass password -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -keypass password -dname 'CN=nexus.cdpkvm.cldr, OU=Sonatype, O=Sonatype, L=Unspecified, ST=Unspecified, C=SG' -ext 'SAN=DNS:nexus.cdpkvm.cldr' -ext "BC=ca:true"
    
     # keytool -exportcert -keystore keystore.jks -alias jetty -rfc > nexus.crt
    
     # keytool -importkeystore -srckeystore keystore.jks -destkeystore nexus.p12 -deststoretype PKCS12
    
     # openssl pkcs12 -nokeys -in nexus.p12 -out nexus.pem
    
     # openssl pkcs12 -nocerts -nodes -in nexus.p12 -out nexus.key
    
  5. Copy the JKS file to /opt/sonatype/sonatype-work/nexus3/etc/ssl/ directory.

     # cp keystore.jks /opt/sonatype/sonatype-work/nexus3/etc/ssl/
    
  6. Check that the hostname is correctly defined in the certificate.

     # openssl x509 -noout -text -in nexus.crt | grep -A1 X509v3
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:TRUE
             X509v3 Subject Alternative Name: 
                 DNS:nexus.cdpkvm.cldr
             X509v3 Subject Key Identifier: 
                 08:BF:E3:9F:53:50:0A:57:B5:BB:1E:E4:5A:D2:4E:0F:E1:10:5D:11
    
  7. Configure the /opt/sonatype/nexus3/etc/jetty/jetty-https.xml file. Sample is shown as follows.

     <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
         <Set name="certAlias">jetty</Set>
         <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
         <Set name="KeyStorePassword">password</Set>
         <Set name="KeyManagerPassword">password</Set>
         <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
         <Set name="TrustStorePassword">password</Set>
         <Set name="EndpointIdentificationAlgorithm"></Set>
         <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
         <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
         <Set name="IncludeProtocols">
             <Array type="java.lang.String">
                 <Item>TLSv1.2</Item>
             </Array>
         </Set>
     </New>
    
  8. Configure the /opt/sonatype/sonatype-work/nexus3/etc/nexus.properties file. Sample is shown below.

     # Jetty section
     # application-port=8081
     # application-host=0.0.0.0
     # nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml
     nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
        
     # nexus-context-path=/
     # Nexus section
     # nexus-edition=nexus-pro-edition
     # nexus-features=\
     #  nexus-pro-feature
     # nexus.hazelcast.discovery.isEnabled=true
     
     application-port-ssl=8443
     ssl.etc=${karaf.data}/etc/ssl
    
  9. Restart the Nexus service.

     # systemctl restart nexus-repository-manager 
    
  10. Log in to the Nexus portal https://nexus.cpdkvm.cldr:8443

    Setup the Docker repository with SSL port. In this demo, the SSL-enabled docker repository URL is https://nexus.cdpkvm.cldr:9999/cdppvc.

  11. Ensure that the port SSL port 9999 is up and running.

    # netstat -an | grep 999
    tcp        0      0 0.0.0.0:9998            0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN  
    
  12. Test the SSL Docker URL. Note that an error “SEC_ERROR_UNTRUSTED_ISSUER” has occured.

    # curl -v -u admin:admin "https://nexus.cdpkvm.cldr:9999/v2/_catalog"
        
    * About to connect() to nexus.cdpkvm.cldr port 9999 (#0)
    *   Trying 10.15.4.177...
    * Connected to nexus.cdpkvm.cldr (10.15.4.177) port 9999 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * Server certificate:
    * 	subject: CN=nexus.cdpkvm.cldr,OU=Sonatype,O=Sonatype,L=Unspecified,ST=Unspecified,C=SG
    * 	start date: Jun 25 12:33:15 2022 GMT
    * 	expire date: Mar 03 12:33:15 2036 GMT
    * 	common name: nexus.cdpkvm.cldr
    * 	issuer: CN=nexus.cdpkvm.cldr,OU=Sonatype,O=Sonatype,L=Unspecified,ST=Unspecified,C=SG
    * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
    * Peer's certificate issuer has been marked as not trusted by the user.
    * Closing connection 0
    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
    
    
  13. Update the CA cert (nexus.crt) in the truststore of the server.

    # cp nexus.crt /etc/pki/ca-trust/source/anchors/
    # update-ca-trust extract
    
  14. Check that the CA cert has succesfully been imported into the truststore of the server.

    # openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep subject | grep nexus
    subject=/C=SG/ST=Unspecified/L=Unspecified/O=Sonatype/OU=Sonatype/CN=nexus.cdpkvm.cldr
    
  15. You may now curl the SSL-enabled Docker URL successfully.

    #  curl -u admin:admin "https://nexus.cdpkvm.cldr:9999/v2/_catalog" | jq
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    Dload  Upload   Total   Spent    Left  Speed
    100  9711  100  9711    0     0  69165      0 --:--:-- --:--:-- --:--:-- 69364
    {
    "repositories": [
    
  16. Perform a test to ensure that you can login and pull the image from the Cloudera repository.

    # docker login https://nexus.cdpkvm.cldr:9999/cdppvc --username admin --password admin
    Login Succeeded
        
    # docker image ls
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    
    # docker pull nexus.cdpkvm.cldr:9999/cdppvc/cloudera_thirdparty/fluent-bit:v1.4.6-3896242
    Trying to pull repository nexus.cdpkvm.cldr:9999/cdppvc/cloudera_thirdparty/fluent-bit ... 
    v1.4.6-3896242: Pulling from nexus.cdpkvm.cldr:9999/cdppvc/cloudera_thirdparty/fluent-bit
    f4816e38b7e0: Pull complete 
    7c949fdfdbff: Pull complete 
    f949750d27a4: Pull complete 
    fe54547c530b: Pull complete 
    Digest: sha256:d3d7a16bc8f3eb5782efde9b79945eeb5c67119361e1d8daf31f7421d795ff5f
    Status: Downloaded newer image for nexus.cdpkvm.cldr:9999/cdppvc/cloudera_thirdparty/fluent-bit:v1.4.6-3896242
        
    # docker image ls
    REPOSITORY                                                     TAG                 IMAGE ID            CREATED             SIZE
    nexus.cdpkvm.cldr:9999/cdppvc/cloudera_thirdparty/fluent-bit   v1.4.6-3896242      a5d1d3a3a3ef        2 years ago         220 MB
    
  17. For CDP PvC Data Services on Openshift platform, import the CA certificate nexus.crt into the Openshift platform using this method. This step is needed to prevent “x509: certificate signed by unknown authority” issue when the system attempts to pull the docker images from the above Docker registry in the process of provisioning the CDP Data Services Control Plane pods.


Back to top

All trademarks, logos, service marks and company names appeared here are the property of their respective owners.

Linkedin