docker amazon-ec2 amazon-elb docker-registry nexus3

Docker pull from Nexus proxy Error response from daemon : unknown: unknown


After configuring a Nexus docker registry and proxy "dockerhub-proxy" as described here :

I'm able to push images to the Nexus registry after docker login, but it is impossible to pull an image from Docker Hub via the Nexus proxy "dockerhub-proxy", and the error gives no details:

Error response from daemon: unknown: unknown

This is for a docker daemon client running on Docker Desktop for Windows:

Version 2.0.0.3 (31259) Channel: stable Build: 8858db3 Engine: 18.09.2

I already tried from a Linux EC2 instance via the docker client, and it works well:

    [root@ip-host-daemon docker]# docker pull ip_nexus_host:port_http_connector_nexus_proxy/mongo
    Using default tag: latest
    latest: Pulling from mongo
    Digest: sha256:29d7ca01f9b7e3812a831ff143620e93ddf5e34bb9ac672d91140e064158a0fc
    Status: Downloaded newer image for ip_nexus_host:port_http_connector_nexus_proxy/mongo:latest

I have no idea why it does not work on Windows:

    PS C:\Dev\workspace> docker push my_dns/nexus/repository/dockerhub-proxy/image-name:1.0.1
    The push refers to repository [my_dns/nexus/repository/dockerhub-proxy/image-name]
    0bca66726bc2: Pushed
    1.0.1: digest: sha256:0736228548d13e8d39fba5a0ed5cd8a7719074318fe9f8ddfc395fd454afc01f size: 528
    PS C:\Dev\workspace> docker pull my_dns/nexus/repository/dockerhub-proxy/mysql:latest
    Error response from daemon: unknown: unknown

I'm looking for the ability to pull, via the Docker Windows client daemon, an official Docker image from Docker Hub (mongo, for instance) through a Nexus proxy configured on a Nexus OSS and exposed via an HTTP connector in a Nexus group (which contains both host and proxy). Nexus OSS is hosted on an AWS EC2 Linux instance in a VPC private subnet, without any public hostname/EIP, but behind an ELB/ALB.

Thanks for your help


Solution

  • According to this article:

    https://support.sonatype.com/hc/en-us/articles/115013153887-Docker-Repository-Configuration-and-Client-Connection

    Your Nexus exposes HTTP(S) connectors that are accessible to the docker CLI via this syntax:

    docker pull <nexus-hostname>:<port_nexus_docker_group>/<dockerHubImage>:<officialTag>
    docker push <nexus-hostname>:<port_nexus_docker_host>/<yourImage>:<yourTag>
    

    If your Nexus has a public DNS name in your VPC, it's straightforward: just open each port in the security group of the EC2 instance hosting and running the Nexus server to allow inbound network traffic from your IP range/CIDR source.

    If your Nexus has a private IP in a private subnet in your VPC, just put an AWS ELB Network Load Balancer in front of it, in the same VPC on a public subnet, with two TCP listeners, one for each HTTP(S) port exposed (nexus-group and nexus-hosted), which redirect to two TCP target groups with instance target type on the EC2 instance ID hosting your Nexus server. This will redirect network traffic from your public DNS to your ELB and then to your Nexus EC2 instance.

    Please note that we are not using an AWS ELB Application Load Balancer because it works only with HTTP listeners, and Docker does not support the use of a context to specify the path to the repository when you launch the docker CLI; by default it's HTTP(S), and there is an intermediate call with the URL path pattern /v2/* for all of them.

    After correct setup and configuration, you will be able to docker login, pull and push images to your internal Nexus repository, as in this sample PowerShell session:

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    PS D:\> docker login <host_redirect_to_NLB>:<port_nexus_docker_group>
    Username: tarik
    Password:
    Login Succeeded
    PS D:\> docker login <host_redirect_to_NLB>:<port_nexus_docker_host>
    Username: tarik
    Password:
    Login Succeeded
    PS D:\> docker pull <host_redirect_to_NLB>:<port_nexus_docker_group>/amazonlinux
    Using default tag: latest
    latest: Pulling from amazonlinux
    72d97abdfae3: Pull complete
    Digest: sha256:04f5ea9fec3f1f514451ea7c1a1a77a7c023787cb6cc066cc6d0413b56cd0eac
    Status: Downloaded newer image for <host_redirect_to_NLB>:<port_nexus_docker_group>/amazonlinux:latest
    PS D:\> docker tag <host_redirect_to_NLB>:<port_nexus_docker_group>/amazonlinux <host_redirect_to_NLB>:<port_nexus_docker_host>/tarik-awslinux:1.0
    PS D:\> docker push <host_redirect_to_NLB>:<port_nexus_docker_host>/tarik-awslinux:1.0
    The push refers to repository [<host_redirect_to_NLB>:<port_nexus_docker_host>/tarik-awslinux]
    f387c8b346c8: Pushed
    1.0: digest: sha256:04f5ea9fec3f1f514451ea7c1a1a77a7c023787cb6cc066cc6d0413b56cd0eac size: 529
    PS D:\> more C:\Users\Tarik\.docker\config.json
    {
            "auths": {
                    "<host_redirect_to_NLB>:<port_nexus_docker_host>": {},
                    "<host_redirect_to_NLB>:<port_nexus_docker_group>": {}
            },
            "HttpHeaders": {
                    "User-Agent": "Docker-Client/18.09.2 (windows)"
            },
            "credsStore": "wincred",
            "stackOrchestrator": "swarm"
    }
    
    PS D:\> more C:\Users\Tarik\.docker\daemon.json
    {
      "registry-mirrors": [
        "https://<host_redirect_to_NLB>:<port_nexus_docker_group>"
      ],
      "insecure-registries": [
        "<host_redirect_to_NLB>:<port_nexus_docker_host>",
        "<host_redirect_to_NLB>:<port_nexus_docker_group>"
      ],
      "disable-legacy-registry": true,
      "debug": true,
      "experimental": false
    }
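
The point above about Docker not supporting a context path, as an added example that is not part of the original answer: a simplified Python model of how the docker CLI splits an image reference and where the resulting `/v2/` call is sent. The hostname `nexus.example.internal` and port `8082` are constructed placeholders, and digest (`@sha256:`) references are not handled.

```python
"""Added example: where the docker CLI sends its /v2/ call for a given image reference."""

DEFAULT_REGISTRY = "docker.io"
DOCKER_HUB_API_HOST = "registry-1.docker.io"  # API endpoint behind docker.io


def split_reference(ref):
    """Split an image reference into (registry, repository, tag).

    Rule used by the docker CLI: the part before the first "/" is a registry
    host only if it contains "." or ":" or equals "localhost"; otherwise the
    whole name is treated as a Docker Hub repository.
    """
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    else:
        registry, name = DEFAULT_REGISTRY, ref
    # A ":" after the last "/" introduces the tag; the default tag is "latest".
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    else:
        tag = "latest"
    if registry == DEFAULT_REGISTRY and "/" not in name:
        name = "library/" + name  # official images live under library/
    return registry, name, tag


def manifest_url(ref, scheme="https"):
    """Return the manifest URL requested for ref.

    The /v2/ prefix always sits at the root of the registry host, so any path
    in the reference becomes part of the repository name, not a URL context.
    """
    registry, name, tag = split_reference(ref)
    host = DOCKER_HUB_API_HOST if registry == DEFAULT_REGISTRY else registry
    return f"{scheme}://{host}/v2/{name}/manifests/{tag}"


if __name__ == "__main__":
    # Constructed references: path-style (as in the question) vs. connector port.
    for ref in (
        "nexus.example.internal/nexus/repository/dockerhub-proxy/mysql:latest",
        "nexus.example.internal:8082/mongo",
        "mongo",
    ):
        print(f"{ref}\n  -> {manifest_url(ref)}")
```

The path-style reference produces a request to `/v2/nexus/repository/dockerhub-proxy/...` at the host root, which is why each Nexus repository needs its own connector port rather than a URL path.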