When working in a corporate environment, whether it is a commercial or non-commercial party, you’ll find restrictions apply to accessing the internet.
Very often, the servers hosted in such an environment are very tightly controlled and do not have internet access at all to keep things secure.
When you are working with publicly available Docker containers this sometimes becomes cumbersome, as you’ll have to revert to the age-old practice of sneakernetting to get the Docker images to your host.
In my case, things were even harder, as I also needed access to a (restricted) private repository by a third party. So what now?
Luckily, there are multiple products which can act like a proxy or ‘pull-through cache’ for Docker Registries, which is exactly what we need here. The machine hosting this proxy or cache needs internet access, and only that machine needs it. All other hosts in need of access to Docker Images can access the internet through this machine, which conveniently also caches the data so it only needs to be retrieved once to be distributed internally at a much faster pace.
Products like Sonatype Nexus, JFrog Artifactory and even Docker Registry can provide this exact functionality, and then some.
Here, I’ll use Sonatype Nexus to set this all up, mainly as this functionality is available in the OSS version (where Artifactory only provides it as part of their Pro-offering).
This post will show how to configure Nexus OSS to act as a pull-through cache for either the Docker Hub or a private repository, or a combination of them. It will also show how to configure the Docker clients to use your own cache when retrieving images.
- Sonatype Nexus OSS 3.13.0
- Docker 17.09 (and higher)
My setup consists of two Ubuntu LTS based VMs, one running a Docker container of Sonatype Nexus 3.13.0 (this machine is called docker-host), the other is running just Docker (and is called docker-client).
Please note that some networking-configuration might differ from your setup (e.g. IPs) but the method is the same. Also, please note that only the machine running Nexus OSS (docker-host) has access to the internet.
Configuring Nexus OSS
We are going to configure at least three things in Nexus: the proxy repositories themselves and some security settings that allow Docker clients to use them.
Please note that this method should not be followed to the letter in a corporate environment, as some performance considerations may apply (for instance, altering the Blobstore configuration).
Add Docker Proxy Repository for Docker Hub
Log on to your Nexus instance with administrative rights, and navigate to the Admin pages. Click on Repository -> Repositories, and click on ‘Create repository’.
Select the ‘docker (proxy)’ recipe and start the configuration.
Give this proxy a unique name, and make sure it is ‘Online’.
Since we are living our lives on the danger side, we’re not going to offer the legacy V1 API on this repository (uncheck ‘Enable Docker V1 API’; the Docker versions listed above speak V2 only), but we will allow anonymous access.
This is actually quite important, so here it is again:
Uncheck ‘Force Basic Authentication’.
This allows our Docker clients to connect to the repository without providing credentials, which is the easiest option for an internal read-only cache. Bear in mind that anonymous access applies to everything the proxy serves: if it fronts a restricted private repository, any host that can reach docker-host can pull those images through the cache, so limit network access to the proxy accordingly.
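As an added check (example code, not from the original post): once the repository is saved you can confirm from any client that an unauthenticated GET /v2/ is accepted. A Docker V2 registry answers 200 with a Docker-Distribution-Api-Version: registry/2.0 header when anonymous access is allowed; with ‘Force Basic Authentication’ still enabled, Nexus answers 401 with a WWW-Authenticate: BASIC challenge instead. The script below classifies such a response. The host name and port docker-host:8082 are assumptions (the port is whatever HTTP connector you assign to the repository), and the sample responses are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example: classify an unauthenticated "GET /v2/" response from a
# Docker registry so you can confirm that 'Force Basic Authentication'
# is really unchecked on the Nexus proxy repository.

# classify_v2_response <status line + headers>
# Prints: anonymous-ok | basic-auth-required | unexpected
classify_v2_response() {
    headers="$1"
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    case "$status" in
        200)
            # 200 alone is not proof; the V2 header shows a registry answered.
            if printf '%s\n' "$headers" | grep -qi '^Docker-Distribution-Api-Version: *registry/2.0'; then
                echo anonymous-ok
            else
                echo unexpected
            fi ;;
        401)
            # Nexus with 'Force Basic Authentication' enabled challenges with BASIC.
            if printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: *BASIC'; then
                echo basic-auth-required
            else
                echo unexpected
            fi ;;
        *)
            echo unexpected ;;
    esac
}

# live_check <host:port>  -- talks to a real registry, so it needs network access.
# Only the status line and headers are needed; the body is ignored.
live_check() {
    classify_v2_response "$(curl -sSi "http://$1/v2/" | tr -d '\r')"
}

# Constructed sample responses (not captured from a real Nexus instance).
ANON_OK='HTTP/1.1 200 OK
Docker-Distribution-Api-Version: registry/2.0
Content-Type: application/json'

FORCED_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
Docker-Distribution-Api-Version: registry/2.0'

classify_v2_response "$ANON_OK"        # anonymous-ok
classify_v2_response "$FORCED_BASIC"   # basic-auth-required

# Against a real proxy, run:  sh check.sh --live docker-host:8082
# (host and port are assumptions; use the connector you configured).
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-docker-host:8082}"
fi
```

If the live check prints basic-auth-required, the ‘Force Basic Authentication’ box is still ticked on the repository, and `docker pull` from the clients will fail until credentials are supplied or the box is unchecked.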