Dear All,
We are trying to set up a GitLab private container registry as a Nexus Docker proxy repository. Nexus is running in an air-gapped environment and accessing GitLab via a proxy server. We have trusted all the required SSL certs (of GitLab and the proxy) in Nexus.
However, when we try to pull images stored in GitLab, we keep getting a "manifest unknown" error, as shown below. We also notice that Nexus automatically adds v2 in front of the registry name; not sure if there is any way to avoid this.
admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Is the remote url a valid docker endpoint? Remote host https://registry.gitlab.com/ with path /v2/<registry_name>/manifests/<version> did not return the expected response. Error message: manifest unknown
Kindly suggest whether we need to configure some properties differently, and how we can overcome this issue.
TIA.
I too have run into this and am hoping for a solution.
Just to share a quick update on this (the issue still persists):
- We further figured out that the proxy doesn't have any role (or concern) here
- If we allow all outbound internet traffic (from the Nexus server), this starts to work fine
- But if we only allow registry.gitlab.com traffic, this gives the error shared above
So now the question is: which additional URLs (outbound) do we need to allow/whitelist so this would work fine?
What was your config in Nexus to make it work? I can't seem to get it to work at all, and I don't have any outbound firewall rules.
@legoguy1000 As I mentioned above, it's still not fixed for us, as we are not allowed to make the server internet-facing to allow all outbound traffic.
Is your server air-gapped? If you have internet access, then the standard Nexus Docker proxy configuration should work.
Hi,
Having the same error.
My guess is that you also have to allow cdn.registry.gitlab-static.net for Nexus to be able to download the blobs (see GitLab.com Container Registry to use Google Cloud CDN | GitLab).
Hi @thinard Yes, it seems that is correct; for us it worked after whitelisting the 3 URLs below:
gitlab.com is indeed required for authentication reasons.
Error response from daemon: Head "https://registry.gitlab.com/v2/gitlab-org/cluster-integration/gitlab-agent/agentk/manifests/latest": Get "https://gitlab.com/jwt/auth?scope=repository%3Agitlab-org%2Fcluster-integration%2Fgitlab-agent%2Fagentk%3Apull&service=container_registry": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
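The replies above converge on the same point: a single image pull talks to more than one host, so allowing only registry.gitlab.com is not enough. The `/v2/` that Nexus prepends is simply the Docker Registry HTTP API v2 path prefix; every registry client uses it and it cannot be turned off. What can be done is to derive the outbound allowlist from the actual HTTP exchange: the registry host itself, the `realm` in the `Www-Authenticate: Bearer` challenge the registry returns for an unauthenticated manifest request (gitlab.com/jwt/auth in the error quoted above), and the redirect target the registry returns for a blob download (the CDN host named in the reply above). The script below is an added example written for this thread; it is not code from any of the posters, from Sonatype or from GitLab. Its offline mode runs on constructed header values modelled on the messages quoted in the thread (the blob path and query string are placeholders); its `--live` mode issues the real requests with curl and assumes an anonymously pullable, single-architecture image.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): derive the
# outbound hosts a Nexus Docker proxy needs from the HTTP exchange a pull
# produces. Sample values below are constructed; the blob path is a placeholder.

# Print the hostname of a URL of the form scheme://host[:port]/path...
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/:?]+).*#\1#'
}

# Extract the realm URL from a "Bearer realm=..." challenge header value.
# Prints nothing if the challenge is not a quoted Bearer realm.
bearer_realm() {
    printf '%s\n' "$1" | sed -nE 's/.*realm="([^"]+)".*/\1/p'
}

# Collect every host a pull touches: the registry, the token realm taken
# from the Www-Authenticate challenge, and the target of the blob redirect
# (Location). Output: sorted, unique hostnames, one per line.
pull_allowlist() {
    registry_url=$1; challenge=$2; blob_location=$3
    {
        url_host "$registry_url"
        realm=$(bearer_realm "$challenge")
        if [ -n "$realm" ]; then url_host "$realm"; fi
        if [ -n "$blob_location" ]; then url_host "$blob_location"; fi
    } | sort -u
}

# Live variant (needs network): replay the pull flow against a real registry
# and feed the observed headers to pull_allowlist. Assumes the repo allows
# anonymous pulls and the tag is a single-arch image manifest, not a manifest
# list (for a list the first "digest" is a manifest, not a blob, and no
# redirect is observed).
live_allowlist() {
    registry=$1; repo=$2; ref=${3:-latest}
    manifest_url="https://${registry}/v2/${repo}/manifests/${ref}"
    # 1. An unauthenticated HEAD returns 401 plus the Bearer challenge.
    challenge=$(curl -sSI "$manifest_url" | tr -d '\r' \
        | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p' | head -n 1)
    realm=$(bearer_realm "$challenge")
    service=$(printf '%s\n' "$challenge" | sed -nE 's/.*service="([^"]+)".*/\1/p')
    # 2. Fetch an anonymous pull token from the realm (this is the gitlab.com
    #    round trip that the last reply above reports as required).
    token=$(curl -sS -G --data-urlencode "service=${service}" \
        --data-urlencode "scope=repository:${repo}:pull" "$realm" \
        | sed -nE 's/.*"token":"([^"]+)".*/\1/p')
    # 3. Fetch the manifest and take one blob digest it references.
    digest=$(curl -sS -H "Authorization: Bearer ${token}" \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "$manifest_url" | sed -nE 's/.*"digest":"(sha256:[0-9a-f]+)".*/\1/p' | head -n 1)
    # 4. HEAD the blob without following redirects; curl's %{redirect_url}
    #    exposes the Location the registry hands out (the CDN host).
    location=$(curl -sS -o /dev/null -w '%{redirect_url}' \
        -H "Authorization: Bearer ${token}" "https://${registry}/v2/${repo}/blobs/${digest}")
    pull_allowlist "https://${registry}/" "$challenge" "$location"
}

# Constructed sample values (registry and realm as they appear in this
# thread; the CDN host as named above; the blob path is a placeholder).
SAMPLE_REGISTRY='https://registry.gitlab.com/'
SAMPLE_CHALLENGE='Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:gitlab-org/cluster-integration/gitlab-agent/agentk:pull"'
SAMPLE_BLOB_REDIRECT='https://cdn.registry.gitlab-static.net/docker/registry/v2/blobs/sha256/ab/abcd/data?Expires=1'

# Usage: sh allowlist.sh                                   (offline sample)
#        sh allowlist.sh --live registry.gitlab.com gitlab-org/cluster-integration/gitlab-agent/agentk latest
case "$1" in
    --live) live_allowlist "$2" "$3" "$4" ;;
    *)      pull_allowlist "$SAMPLE_REGISTRY" "$SAMPLE_CHALLENGE" "$SAMPLE_BLOB_REDIRECT" ;;
esac
```

Run the offline mode to see the three hosts the thread ends up with (the CDN host, gitlab.com for the token realm, and registry.gitlab.com); run `--live` from the Nexus server itself to confirm the same set for your own image before writing firewall rules, since the realm and redirect host are whatever the registry returns at that moment and are not configurable on the Nexus side.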