diff --git a/README.md b/README.md
index e7e8b4a..23b61bc 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ This will:
 * Create the `npm-group`, `npm-hosted` and `npmjs.org-proxy` repositories.
 * Create the `powershell-group`, `powershell-hosted` and `powershellgallery.com-proxy` repositories.
 * Create the `chocolatey-group`, `chocolatey-hosted` and `chocolatey.org-proxy` repositories.
+ * Create the `docker-group`, `docker-hosted` and `docker-hub-proxy` repositories.
 * Configure the NuGet `nuget-hosted` repository to accept pushing with an API key.
 * Configure Nexus through Groovy scripts.
 * Schedule a task to remove the old snapshots from the `maven-snapshots` repository.
diff --git a/provision/provision-nexus.sh b/provision/provision-nexus.sh
index 0baf97b..f16a8db 100644
--- a/provision/provision-nexus.sh
+++ b/provision/provision-nexus.sh
@@ -492,6 +492,113 @@ http \
 EOF
 
 
+# create the docker-hosted docker registry repository.
+# see https://help.sonatype.com/en/docker-registry.html
+http \
+ --check-status \
+ --auth "$api_auth" \
+ POST \
+ https://$nexus_domain/service/rest/v1/repositories/docker/hosted \
+ <<'EOF'
+{
+ "name": "docker-hosted",
+ "online": true,
+ "storage": {
+ "blobStoreName": "default",
+ "strictContentTypeValidation": true,
+ "writePolicy": "allow_once",
+ "latestPolicy": true
+ },
+ "component": {
+ "proprietaryComponents": true
+ },
+ "docker": {
+ "v1Enabled": false,
+ "forceBasicAuth": true,
+ "httpPort": 6003
+ }
+}
+EOF
+
+
+# create the docker hub registry proxy repository.
+# see https://help.sonatype.com/en/docker-registry.html
+# NB as-of docker 19.03.5, there is still no way to specify a registry mirror credentials...
+# as such, we cannot use our docker-group registry, instead we must use the docker-proxy
+# registry, enable the Docker Bearer Token Realm and allow anonymous access to it.
+# see https://github.com/moby/moby/issues/30880
+# NB this will make https://nexus.example.com:5002/v2/library/debian/manifests/buster-slim proxy
+# to https://registry-1.docker.io/v2/library/debian/manifests/buster-slim
+# https://registry-1.docker.io/v2/library/golang/tags/list
+http \
+ --check-status \
+ --auth "$api_auth" \
+ POST \
+ https://$nexus_domain/service/rest/v1/repositories/docker/proxy \
+ <<'EOF'
+{
+ "name": "docker-hub-proxy",
+ "online": true,
+ "storage": {
+ "blobStoreName": "default",
+ "strictContentTypeValidation": true
+ },
+ "proxy": {
+ "remoteUrl": "https://registry-1.docker.io",
+ "contentMaxAge": 1440,
+ "metadataMaxAge": 1440
+ },
+ "negativeCache": {
+ "enabled": true,
+ "timeToLive": 1440
+ },
+ "httpClient": {
+ "blocked": false,
+ "autoBlock": true
+ },
+ "docker": {
+ "v1Enabled": false,
+ "forceBasicAuth": true,
+ "httpPort": 6002
+ },
+ "dockerProxy": {
+ "indexType": "HUB",
+ "cacheForeignLayers": true
+ }
+}
+EOF
+
+
+# create the docker-group docker group repository.
+# see https://help.sonatype.com/en/docker-registry.html
+http \
+ --check-status \
+ --auth "$api_auth" \
+ POST \
+ https://$nexus_domain/service/rest/v1/repositories/docker/group \
+ <<'EOF'
+{
+ "name": "docker-group",
+ "online": true,
+ "storage": {
+ "blobStoreName": "default",
+ "strictContentTypeValidation": true
+ },
+ "group": {
+ "memberNames": [
+ "docker-hosted",
+ "docker-hub-proxy"
+ ]
+ },
+ "docker": {
+ "v1Enabled": false,
+ "forceBasicAuth": true,
+ "httpPort": 6001
+ }
+}
+EOF
+
+
 # configure nexus ldap with a groovy script.
 if [ "$config_authentication" = 'ldap' ]; then
 bash /vagrant/provision/execute-provision-ldap.groovy-script.sh
diff --git a/provision/provision-nexus/src/main/groovy/provision.groovy b/provision/provision-nexus/src/main/groovy/provision.groovy
index fe2f608..14c6673 100644
--- a/provision/provision-nexus/src/main/groovy/provision.groovy
+++ b/provision/provision-nexus/src/main/groovy/provision.groovy
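Review bot: `"forceBasicAuth": true` in the docker-hub-proxy payload contradicts the comment block directly above it, which says the proxy must be reachable anonymously through the Docker Bearer Token Realm for the registry-mirror use case; forcing basic auth disables that anonymous pull path, and if the trailing `false` of the removed createDockerProxy call was forceBasicAuth, as its position suggests, this also silently tightens the previous behaviour and will break the mirror setup the comment describes. Set `"forceBasicAuth": false` on the proxy only, keep it `true` on docker-hosted and docker-group so pushes and the aggregated group still require credentials, and record the asymmetry next to it, e.g. `# NB forceBasicAuth is false here (and only here) so the Docker Bearer Token Realm can serve anonymous pulls from the mirror; pushes still go through docker-hosted with credentials.` Note also that docker-hosted now carries `"writePolicy": "allow_once"` whereas the removed Groovy call passed WritePolicy.ALLOW; if immutable tags are intentional, a one-line comment saying so would save the next reader a surprise when a re-push of an existing tag is rejected.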
@@ -26,23 +26,6 @@ capabilityRegistry.all.findAll {it.context().type().toString().startsWith("Outre
 //])
 
 
-// create a docker registry repository backed by the default blob store.
-repository.createDockerHosted("docker-hosted", 6003, null, "default", true, true, WritePolicy.ALLOW, true)
-// create a docker proxy repository backed by the default blob store.
-// see https://help.sonatype.com/repomanager3/formats/docker-registry
-// TODO set Allow Nexus Repository Manager to download and cache foreign layers.
-// NB as-of docker 19.03.5, there is still no way to specify a registry mirror credentials...
-// as such, we cannot use our docker-group registry, instead we must use the docker-proxy
-// registry, enable the Docker Bearer Token Realm and allow anonymous access to it.
-// see https://github.com/moby/moby/issues/30880
-// NB this will make https://nexus.example.com:5002/v2/library/debian/manifests/buster-slim proxy
-// to https://registry-1.docker.io/v2/library/debian/manifests/buster-slim
-// https://registry-1.docker.io/v2/library/golang/tags/list
-repository.createDockerProxy("docker-hub-proxy", "https://registry-1.docker.io", "HUB", null, 6002, null, "default", true, true, false)
-// create a docker group repository that merges the docker-hosted and docker-hub-proxy together.
-repository.createDockerGroup("docker-group", 6001, null, ["docker-hosted", "docker-hub-proxy"], true, "default", true)
-
-
 // set the base url. this is used when sending emails.
 // see https://help.sonatype.com/display/NXRM3/Configuration#Configuration-BaseURLCreation
 core.baseUrl("https://" + java.net.InetAddress.localHost.canonicalHostName)