AzureTRE: Problem using Nexus to proxy docker hub

Describe the bug

I am trying to set up Nexus in the AzureTRE environment to proxy Docker Hub. I believe I have Nexus set up correctly and the appropriate Docker hosts added to the firewall rules. When I try to run docker login from a VM running in a workspace shared service subnet I see an error similar to what is described here. According to the Sonatype docs, Docker needs to be exposed on a different port than the standard SSL port Nexus is already running on. However, Nexus is running in an Azure App Service and I don’t see a way to expose custom ports.

Steps to reproduce

  1. set up Nexus to proxy Docker Hub
  2. add *.docker.io and *.docker.com to the firewall rules to allow Nexus to access them
  3. create a workspace and start a VM in the shared services subnet
  4. connect to the VM using Bastion and run docker login nexus-[tre_id].azurewebsites.net:[port]
  5. see a timeout error

Acceptance criteria

  • #1479
  • #1480
  • #1481
  • Configure Docker Hub proxy in Nexus using a standalone port

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Scrap the multiple web app idea. The SSL certificate needs to be loaded into nexus - can’t do that with web apps as we don’t have access to the cert.

Could not configure HTTPS connector on port 5000 for docker repository dockerhub

Searching got me: “Docker registries are required to use HTTPS. This message means that you have not configured Jetty with a keystore from which it can load a TLS certificate for the Docker HTTPS connectors”

I see no option but to use a trusted SSL certificate, and in that case it would run in Docker on a VM/VMSS.

To get a trusted SSL certificate, either:

  1. Procure a wildcard cert that can be used throughout the TRE (in the past this has been a requirement for many production use cases).
  2. Expose an endpoint publicly, get a Let’s Encrypt cert, then make it private - messy.
  3. Use self-signed certs and configure the VMs to trust these certs… also not great.
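Option 3 is the one whose trust relationship can be checked end to end offline, so here it is carried through as an added example; this is not code from the issue or from the AzureTRE project. The program builds a private CA and a server certificate for a placeholder registry name (nexus-tre-id-placeholder.example.internal and port 5000 are assumed, standing in for the nexus-[tre_id].azurewebsites.net:[port] endpoint in the report), performs the chain and hostname check a Docker client makes at docker login, first without and then with the CA in the trust store, and writes the CA into the per-registry location the Docker daemon reads, /etc/docker/certs.d/<host>:<port>/ca.crt, under a scratch root rather than the real filesystem. The server key and certificate would still have to be loaded into the Jetty keystore Nexus uses for its Docker HTTPS connector; that conversion step is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Assumed placeholders standing in for nexus-[tre_id].azurewebsites.net:[port];
// the real host and Docker connector port are deployment-specific.
const (
	registryHost = "nexus-tre-id-placeholder.example.internal"
	registryPort = "5000"
)

// newCert signs tmpl with parentKey. When parent is nil the certificate is
// self-signed, which is how the private CA root is produced.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildRegistryPKI creates a private CA and a server certificate for host.
// The server certificate is what the registry's HTTPS connector would serve;
// the CA is what every Docker client in the TRE must trust.
func BuildRegistryPKI(host string) (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "TRE private registry CA (example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf's private key would go into the registry keystore; the trust
	// check below only needs the certificates, so it is dropped here.
	leaf, _, err = newCert(leafTmpl, ca, caKey)
	return ca, leaf, err
}

// VerifyRegistryCert performs the check a Docker client makes at login: the
// chain must end in a trusted root and the name must match. A nil ca models a
// client whose trust store does not contain the private CA.
func VerifyRegistryCert(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if ca != nil {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// WriteDockerTrust writes the CA as PEM to <root>/etc/docker/certs.d/<host>:<port>/ca.crt,
// the per-registry path the Docker daemon consults. root is "/" on a real VM.
func WriteDockerTrust(root, host, port string, ca *x509.Certificate) (string, error) {
	dir := filepath.Join(root, "etc", "docker", "certs.d", host+":"+port)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "ca.crt")
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return path, os.WriteFile(path, pemBytes, 0o644)
}

func main() {
	ca, leaf, err := BuildRegistryPKI(registryHost)
	if err != nil {
		panic(err)
	}
	fmt.Println("without CA in trust store:", VerifyRegistryCert(leaf, nil, registryHost))
	fmt.Println("with CA in trust store:   ", VerifyRegistryCert(leaf, ca, registryHost))
	root, _ := os.MkdirTemp("", "docker-trust")
	path, err := WriteDockerTrust(root, registryHost, registryPort, ca)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrote", path)
}
```

Run it with go run; the first verification fails with an unknown-authority error, the second succeeds, which is the difference between a VM that has and has not been configured to trust the TRE's private CA. Distributing that ca.crt to every VM image (and rotating it) is the operational cost the comment refers to.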

I have set up a meeting to discuss this further after tomorrow’s stand-up - @tamirkamara, I have invited you, if you’re able to attend, as your input would be valued. If not, feel free to post your thoughts on this ticket. Summary of the planned meeting discussion:

Container Instances could work, but would still need an SSL certificate. A VM is potentially a better option - easier to mount disks, back up, etc.

Either way I don’t think we can avoid generating SSL certificates with ACI or a VM.

Sounds good. Can you please share more details on the plan once you have it? IIRC, I was the one who added this to begin with, so let me know if there’s something I can help with…

Can this be assigned to me?