TABLE OF CONTENTS
- Docker Repository Group configuration
- Parameters of Nexus Registry URL
- Configuration of user credentials in Nexus Registry
- Security of Nexus Registries (HTTP and HTTPS mode)
Nexus Repository OSS has supported storing Docker images in its repositories since version 3 of the product. Although it implements most of the Docker V2 registry API, a few settings are required before Aqua can connect to it and scan images.
This topic explains the configurations required in Sonatype Nexus Repository OSS for integration from Aqua.
Configuration of Docker Repository Group
When you create a Docker repository in Nexus OSS, you must assign it a repository connector, a dedicated TCP port served over HTTP or HTTPS, before images can be pushed to it. Nexus exposes a separate Docker registry for each repository on its connector port, and it is the URL of that registry that you give the Aqua Server so it can scan images from the repository. Adding one registry to Aqua for every repository hosted in your Nexus OSS quickly becomes tedious. We therefore strongly recommend the Nexus Repository Group feature, which presents several repositories through a single read-only registry.
Create a new repository of type docker (group), add the relevant Docker repositories as its members, and assign the group its own HTTP or HTTPS port. For more information, refer to the Sonatype Nexus document, Managing Repository Groups. Supply the registry URL of this group to the Aqua admin to integrate Aqua with Nexus Repository. For more information, refer to General Configurations for Image Registries and Repositories.
Parameters of Nexus Registry URL
The URL of the registry (whether it is a repository-specific registry or a repository group) is built from three parameters:
- Selected protocol (http:// or https://)
- IP address/domain name of the Nexus server
- Selected port
For example, if the repository connector uses HTTP on port 8080 and the IP address of the Nexus server is 172.30.2.4, the URL to supply to the Aqua admin for integration is http://172.30.2.4:8080/.
Configuration of user credentials in Nexus Registry
All Nexus registries are private, so you must supply a username and password to the Aqua admin for each Nexus registry that Aqua integrates with. To configure a user with access to your Docker repositories:
- First create a role that grants read-only access to your Docker repositories. Aqua only needs to pull images in order to scan them, so do not grant write or administrative privileges.
- Then create a user on the Security > Users page in the left-hand main menu and assign it the role you created. Supply this user's name and password to the Aqua admin as the registry Username and Password.
Security of Nexus Registries (HTTP and HTTPS mode)
If a Nexus registry is not served securely, that is, it listens on HTTP only or on HTTPS with a self-signed or otherwise invalid certificate, Aqua cannot pull its images for scanning. To work around this, configure the Docker daemon on the host where the Aqua Server is installed with the --insecure-registry option (or the equivalent "insecure-registries" list in /etc/docker/daemon.json) for each such registry, then restart the daemon. Be aware that this turns off certificate validation for those registries and allows plaintext pulls, so treat it as a stop-gap; the proper fix is to serve the registry over HTTPS with a certificate issued by a CA the Aqua host trusts. For more information, refer to the Docker document, Test an insecure registry.
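The following is an added example, not Aqua's or Sonatype's own code, that ties the three sections above together: it assembles the registry URL from protocol, host and port, probes the registry over the Docker V2 API with the read-only Aqua user so you can confirm the credentials before handing them over, and registers an HTTP or self-signed registry in the Docker daemon's configuration. It uses only the Python standard library; the host 172.30.2.4 and port 8080 are taken from the page's own example, the user name "aqua", the repository name "aqua-probe" and the fake registry in demo_probe are constructed for illustration, and the temporary daemon.json in demo_merge stands in for /etc/docker/daemon.json.

```python
"""Added example, not Aqua's or Sonatype's own code: assemble the registry URL
from the three parameters above, probe it with the read-only Aqua user, and
register an HTTP or self-signed registry in the Docker daemon's configuration.
Standard library only; the host 172.30.2.4 and port 8080 come from the page."""
import json
import os
import tempfile
import urllib.error
import urllib.request
from base64 import b64encode
from urllib.parse import urlsplit


def registry_url(scheme: str, host: str, port: int) -> str:
    """Protocol + host + port, in the form handed to the Aqua admin."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"{scheme}://{host}:{port}/"


def insecure_registry_entry(url: str) -> str:
    """daemon.json 'insecure-registries' wants host:port, no scheme or path."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a registry URL: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


def add_insecure_registry(daemon_json: str, url: str) -> list:
    """Idempotently add the registry to daemon.json (normally
    /etc/docker/daemon.json); other keys are kept. Restart dockerd afterwards."""
    cfg = {}
    if os.path.exists(daemon_json):
        with open(daemon_json, encoding="utf-8") as f:
            cfg = json.load(f)
    entries = cfg.setdefault("insecure-registries", [])
    entry = insecure_registry_entry(url)
    if entry not in entries:
        entries.append(entry)
    tmp = daemon_json + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(cfg, f, indent=2)
        f.write("\n")
    os.replace(tmp, daemon_json)  # atomic swap: never leave a half-written file
    return entries


def probe_registry(url: str, user: str, password: str,
                   opener=urllib.request.urlopen) -> dict:
    """HTTP status of three Docker V2 API calls. For a private registry and a
    read-only user expect: anonymous /v2/ -> 401, catalog -> 200, push -> 401/403."""
    def status(method, path, auth):
        req = urllib.request.Request(url.rstrip("/") + path, method=method)
        if auth:
            token = b64encode(f"{user}:{password}".encode()).decode()
            req.add_header("Authorization", f"Basic {token}")
        try:
            with opener(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return {"anonymous": status("GET", "/v2/", False),
            "catalog": status("GET", "/v2/_catalog", True),
            "push": status("POST", "/v2/aqua-probe/blobs/uploads/", True)}


def credentials_ok(result: dict) -> bool:
    """True when the user can list and pull but is refused a push (read-only role)."""
    return result["catalog"] == 200 and result["push"] in (401, 403)


def demo_merge() -> dict:
    """Constructed daemon.json in a temp dir; the entry must be added only once."""
    url = registry_url("http", "172.30.2.4", 8080)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "daemon.json")
        with open(path, "w", encoding="utf-8") as f:
            json.dump({"log-driver": "json-file"}, f)
        add_insecure_registry(path, url)
        add_insecure_registry(path, url)
        with open(path, encoding="utf-8") as f:
            return json.load(f)


def demo_probe() -> dict:
    """Constructed stand-in for a private Nexus registry, so no network is needed."""
    class _Ok:
        status = 200

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def fake_open(req):
        authed = req.get_header("Authorization") is not None
        if not authed:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        if req.get_method() == "POST":
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, None)
        return _Ok()

    return probe_registry(registry_url("http", "172.30.2.4", 8080),
                          "aqua", "secret", fake_open)


if __name__ == "__main__":
    print(demo_merge())
    print(demo_probe(), credentials_ok(demo_probe()))
```

Against a live Nexus, call probe_registry(registry_url(...), user, password) with the real credentials: a 200 on the catalog together with a 401 or 403 on the push attempt confirms the role is read-only, while a 200 on the push means the role grants more than Aqua needs. Run add_insecure_registry as root against /etc/docker/daemon.json only for registries that genuinely cannot be served with a trusted certificate.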