Problem using Nexus to proxy docker hub #1089
Comments
Can this be assigned to me
@oliver7598 do you have an idea on how to address this?
@tamirkamara myself and @jjgriff93 are going to pair on this as a priority over the next sprint
Sounds good. Can you please share more details on the plan once you have it?
This doc will be useful - might be we add a second app service just for docker?
Current challenge is exposing a second port in App Service to allow docker hub connections, which is prevented by this limitation: https://docs.microsoft.com/en-us/archive/blogs/waws/things-you-should-know-web-apps-and-linux#you-can-only-expose-one-port-to-the-outside-worldapplies-to-web-app-for-containers
Potential solution is moving nexus to container instances which does support multiple ports, Oliver and I will do some investigation into this
Container instances could work, still need an SSL certificate. VM is potentially a better option - easier to mount disks, backup etc. Either way I don't think we can avoid generating SSL certificates with ACI or a VM.
@jjgriff93 do you think this would work... Create a new web app - that shares the same config and data store. The second web app exposes the docker proxy port. The first (existing web app) is used for the user interface. Not sure if that would work.
We had this thought also, will require some testing as to whether Nexus would support that - I don't think we'd be able to configure anything because we couldn't post configuration to the Nexus API to set up the docker proxy if we've exposed a different port for that instance
Have set up a meeting to discuss further after tomorrow's stand-up - @tamirkamara have invited you if you're able to attend as your input would be valued. If not feel free to post your thoughts on this ticket. Summary of the planned meeting discussion:
Scrap the multiple web app idea. The SSL certificate needs to be loaded into nexus - can't do that with web apps as we don't have access to the cert.
Searching got me: I see no option that to use a trusted SSL certificate, and in that case would run in docker on a VM/VMSS. To get a trusted SSL, either
Possible approach for working with private VM endpoint proposed by @marrobi in a discussion on this (in terms of supporting dev environments)
Have added two new issues (see above) to start tracking the work on this
The three tasks associated with this bug are closed, and the PR #1584 is merged, so closing this one out. Thanks all!
Re-opening as #1584 was a dependency to get this one closed, but now that the dependency is in main we can configure docker hub as a repository in nexus as per this story to resolve the original issue
Describe the bug
I am trying to set up nexus in the AzureTRE environment to proxy docker hub. I believe I have nexus set up correctly and appropriate docker hosts added to the firewall rules. When I try to run docker login from a VM running in a workspace shared service subnet I see an error similar to what is described here. According to Sonatype docs docker needs to be exposed on a different port than the standard ssl port nexus is already running on. However nexus is running in an Azure App Service and I don't see a way to expose custom ports.
Steps to reproduce
*.docker.io and *.docker.com to firewall rules to allow nexus to access them
docker login nexus-[tre_id].azurewebsites.net:[port]
Acceptance criteria