'Nexus Docker Registry - Failling anonymous pull

I'm using Sonatype Nexus as a Private Docker Registry.

While it works with authenticated users, trying to use anonymous user to pull images doesn't work. This happens only on a docker client.

Using the Nexus UI (not logged in) I'm able to browse images on my repo. But trying to pull the images I get an 'Unauthorized' error.

The following is a capture stream of communication between the Docker Client and the Nexus repository:

Wireshark packet capture

This is strange, as the anonymous access is enabled, and according to the docs, I may have a Docker Hosted Registry (with RW access through HTTPs port) and a Docker Group Registry, pointing to a Docker Hosted Registry, with RO/Anonymous access.



Solution 1:[1]

This feature was added in Nexus 3.6. According to the documentation:

  1. Under Security > Realms, enable the “Docker Bearer Token Realm”
  2. Uncheck “Force basic authentication” in the repository configuration

Solution 2:[2]

Nexus caused me quite some headache until i found a rather obscure sonatype post that states not to change the anonymous realm.

So the steps I followed to get this working: (tested in Nexus 3.19.1 to 3.38.1)

  1. Same as the Answer by @andrewdotn (Enable the Docker Bearer Token Realm in the Security > Realms section)

  2. Enable the anonymous access FOR the Local Authorizing Realm (as stated in the above mentioned link)

  3. Create the docker(proxy) Repository (in this example to proxy hub.docker.com)

3.1. enable the HTTP / HTTPS endpoint (depending if you ssl to nexus or use a reverse proxy)

3.2. enable "Allow anonymous docker pull (Docker Bearer Token Realm required)"

3.3. enter "https://registry-1.docker.io" as "Location of the remote repository" (for the docker-hub)

3.4. set the "Docker Index" to use the docker hub index (aka.: "Use Docker Hub")

3.5. save

  1. make sure your anonymous user has the right to read the new repository (the default anon-role will allow read access to quite a bit more, but should already allow anon pull)

4.1. (OPTIONAL) If you want to restrict the anonymous user as much as possible (i.e.: to only allow docker pull) crate a role "nx-docker_read" (or similar) and give it the "nx-repository-view-docker--read"*. (this will allow the any user in the group to pull images from any docker repository, that allows anon pull, but not see anything on the web-ui)

4.2. (if u did 4.1) now all that's left is to change the group of the anon user to ur new role (in my example "nx-docker_read") and remove it from "nx-anonymous" => anon-users can no longer brows nexus on the web-ui but can still pull images

Solution 3:[3]

Docker Registry API requires authentication for registry access, even for the pull operations so does Nexus 3. Dockerhub always requires an access token, even for pulls. But the reason why you can pull anonymously from dockerhub is that it uses a token server which automatically gives out access tokens to anonymous users. This mecanism is not available for the moment with Nexus 3.0.1. Perhaps it will be implemented (https://issues.sonatype.org/browse/NEXUS-10813).

So for the moment with Nexus 3, it will always require to be logged in before to pull an image (eventually with the anonymous user is your rights are setted this way).

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2
Solution 3 vbe