Opened 3 months ago

Closed 3 months ago

#2438 closed task (fixed)

Create a geos and postgis docker repo on

Reported by: robe Owned by: sac@…
Priority: normal Milestone: Unplanned
Component: Systems Admin Keywords:


This is mostly to replace the private registry strk is currently running.

We will start by using it to hold images for our geos/postgis bots and maybe eventually expand the use for other things.

These should be separate repositories.

Change History (15)

comment:1 Changed 3 months ago by robe

For permissions, add robe and strk for starters. We'll add one for the jenkins bot later.

comment:2 Changed 3 months ago by jive

I set up the postgis one for your review:

  • postgis-docker repository created, allowed anonymous access, but turned off v1 api access
  • docker group now includes postgis-docker
  • set up postgis-admin role giving it permissions for the postgis-docker repository
  • robe and strk users have been granted postgis-admin role (they were both admins already but whatever)
  • created a local user postgisbuild with the above postgis-admin role; it uses robe's email for notifications (please adjust this user as needed for your Jenkins). This mirrors what was done for geoserver jenkins.

comment:5 Changed 3 months ago by strk

Do we need a specific port?

[strk@liz:~] docker login
Username: strk
Error response from daemon: login attempt to failed with status: 404 Not Found

comment:6 Changed 3 months ago by robe

strk, that's what I was saying; that's the same error I get.

In all the videos I've seen, they explicitly have the docker registry run on a separate port, because you can't give a path for login.

I think we could just set up another domain like and have it connect to port 8083 or something in nexus, but I wasn't sure if there was a way around that.

So I'm thinking we set docker to explicitly be on a specific port (of course I would need to expose that too on the nexus docker (or maybe not, maybe that could be a path))

and then goes to that.

comment:7 Changed 3 months ago by robe

Aha, here it describes the issue:

The docker client does not allow a context as part of the path to a registry, as the namespace and image name are embedded in the URLs it uses. This is why requests to repositories on the repository manager are served on a specific and separate port from the rest of the application instead of how most other repositories serve content via a path i.e. <nexus-hostname>/<repositoryName>/<path to content>.


comment:8 Changed 3 months ago by robe

This one is interesting.

It uses a single nginx proxy config, but if the agent is docker, then it redirects to the registry port. But I don't see a way of getting around the need to open an additional port on the nexus docker container, and if we have more than one docker registry I think we'll need a port for each, so we should just put them in now.

comment:9 Changed 3 months ago by strk

DISCLAIMER: I did not read the articles in those links

Are you saying that Nexus does not allow having different permissions for writing in different subdirs?

I do like the idea of using

comment:10 Changed 3 months ago by robe


I don't understand the lingo of registry vs. folder etc.

My understanding is with registry, which is the way I think jive has it set up, each registry can completely manage its roles/etc. I think if it's a single registry you can't, but maybe one registry is sufficient.

But anyway, the whole path issue is more of a limitation in docker itself, not nexus: docker registries need to authenticate at the root because the path is encoded in the tag. DISCLAIMER - I may not know what I am talking about.

At any rate, thinking of copying over the nexus container on osgeo4 to experiment. Need a backup there anyway. I think even though in theory I can open up ports on a running docker container, it's not supported, so I'd rather shut it down and start it up with many ports, which means there would be like 5 minutes of downtime while we do this, if there is no way around this whole having to run on a port.

I would think with nginx we could point a path like -> nexus.lxd:8081/docker

but I have not seen anyone doing that so maybe it's not doable.


comment:11 Changed 3 months ago by robe

Okay, I was able to successfully log in on my dev container. Had to add Docker Bearer Token Realm (to the nexus -> Realm section), in addition to using a separate port.

I'm still unclear if we can get away with just a single port for all docker repositories. Still experimenting with that.

comment:12 Changed 3 months ago by robe

Found this thread, which seems to do it without additional ports, just by rewriting the docker calls.

I'll give that a try in dev.

comment:13 Changed 3 months ago by robe

Okay, tried in dev and it worked. I put it in place on (without specifying any ports), just rewriting the path calls, and was then able to log in with

docker login

But I haven't tried committing (and not sure what paths should be put in for push to differentiate the repos).

I was able to push in dev (but that was with the port explicitly for postgis-docker, and then it appeared when I browsed both the docker and postgis-docker repos).

comment:14 Changed 3 months ago by robe

Okay, I think I got this working. I created a new dedicated nginx config. I could put it all in the nexus one, but felt it might be better to keep it separate. I'm planning to eventually take out all the /v2 stuff I put in on the nexus config.

So the way it works, all pushes must go thru the project repo


But pulls go thru

To test I copied over strk's images:

docker pull
docker tag
docker push

and that shows a new image in the postgis-docker repository folder (and of course exposed in the docker group).

committed at -

So the key area of the nginx script looks like this (sorry about the crappy indentation, going to fix that next):

 # The hostnames were elided from the ticket text; the __..._HOSTNAME__ tokens
 # mark where each project's docker hostname goes.
 location ~ ^/(v1|v2)/[^/]+/?[^/]+/blobs/ {
     # Pulls (GET) always go through the read-only "docker" group repository
     if ($request_method ~* (GET)) {
         rewrite ^/(.*)$ /repository/docker/$1 last;
     }
     # Pushes are routed to the project repository chosen by the request host
     if ($host = __POSTGIS_DOCKER_HOSTNAME__) {
         rewrite ^/(.*)$ /repository/postgis-docker/$1 last;
     }
     if ($host = __GEOS_DOCKER_HOSTNAME__) {
         rewrite ^/(.*)$ /repository/geos-docker/$1 last;
     }
     if ($host = __GEOSERVER_DOCKER_HOSTNAME__) {
         rewrite ^/(.*)$ /repository/geoserver-docker/$1 last;
     }
     # Anything else falls back to the group repository
     rewrite ^/(.*)$ /repository/docker/$1 last;
 }

 location ~ ^/(v1|v2)/ {
     if ($request_method ~* (GET)) {
         rewrite ^/(.*)$ /repository/docker/$1 last;
     }
     if ($host = __POSTGIS_DOCKER_HOSTNAME__) {
         rewrite ^/(.*)$ /repository/postgis-docker/$1 last;
     }
     if ($host = __GEOS_DOCKER_HOSTNAME__) {
         rewrite ^/(.*)$ /repository/geos-docker/$1 last;
     }
     if ($host = __GEOSERVER_DOCKER_HOSTNAME__) {
         rewrite ^/(.*)$ /repository/geoserver-docker/$1 last;
     }
     rewrite ^/(.*)$ /repository/docker/$1 last;
 }

 location / {
     # First attempt to serve request as file, then
     # as directory, then fall back to displaying a 404.
     #try_files $uri $uri/ =404;
     client_max_body_size 0;
     include /etc/nginx/proxy_protocol_params;
     #need to change this if using https on server and have a redirect
     proxy_pass http://nexus.lxd:8081;
     proxy_redirect off;
 }
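
The two points worked through in this thread, the Sonatype note quoted in comment:7 (the docker client has no room for a path prefix in a registry address, because everything after the host is read as the image name and ends up under /v2/ in every request) and the host-and-method rewrites of comment:14 (pulls from the read-only docker group, pushes to the per-project repository), as an added example that is not code from the ticket, from Nexus or from nginx. It assumes constructed placeholder hostnames (postgis-docker.example.org and friends), since the ticket elides the real ones, and the v2_requests helper lists only a simplified subset of the Registry v2 API calls a client makes.

```python
"""Added example (not from the ticket, Nexus or nginx): how the docker client
maps an image reference onto Registry v2 API paths, and how the host-and-method
rewrite rules from comment:14 route those paths onto Nexus repositories."""
import re
from dataclasses import dataclass

# Constructed placeholder hostnames; the ticket elides the real ones.
PROJECT_HOSTS = {
    "postgis-docker.example.org": "postgis-docker",
    "geos-docker.example.org": "geos-docker",
    "geoserver-docker.example.org": "geoserver-docker",
}
GROUP_REPO = "docker"  # read-only group repo that aggregates the project repos
REGISTRY_PATH = re.compile(r"^/(v1|v2)/")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    reference: str  # tag or digest


def parse_image_ref(ref: str) -> ImageRef:
    """docker's rule: the first path component is the registry host only when it
    contains '.' or ':' or is 'localhost'; otherwise the image lives on docker.io.
    Everything between the host and the tag is the repository name, so a 'path'
    under the registry host is always taken as part of the image name."""
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    head, _, last = path.rpartition("/")
    if "@" in last:                       # name@sha256:... pins a digest
        last, _, reference = last.partition("@")
    elif ":" in last:                     # name:tag
        last, _, reference = last.rpartition(":")
    else:
        reference = "latest"
    repository = f"{head}/{last}" if head else last
    if registry == "docker.io" and "/" not in repository:
        repository = "library/" + repository  # official images
    return ImageRef(registry, repository, reference)


def v2_requests(ref: ImageRef, push: bool) -> list:
    """Simplified subset of the requests a pull or push issues. All are rooted at
    /v2/<repository>/ on the registry host, which is why a registry cannot be
    addressed as host/some/prefix: the prefix would become part of the image."""
    base = f"/v2/{ref.repository}"
    if push:
        return [("POST", f"{base}/blobs/uploads/"),
                ("PUT", f"{base}/manifests/{ref.reference}")]
    return [("GET", f"{base}/manifests/{ref.reference}"),
            ("GET", f"{base}/blobs/sha256:<digest>")]


def route(host: str, method: str, path: str) -> str:
    """Mirror of the nginx rewrites: every GET (pull) is served from the read-only
    group repository; any other method (push) goes to the project repository
    selected by the request host. An unknown host falls back to the group repo,
    where the project roles hold no write permission, so Nexus refuses the push."""
    if not REGISTRY_PATH.match(path):
        return path                       # not a registry call, passed through
    repo = GROUP_REPO if method == "GET" else PROJECT_HOSTS.get(host, GROUP_REPO)
    return f"/repository/{repo}{path}"    # nginx: rewrite ^/(.*)$ /repository/<repo>/$1


def trace(image: str, push: bool) -> list:
    """Parse an image reference and route each request it generates."""
    ref = parse_image_ref(image)
    host = ref.registry.split(":")[0]     # nginx $host carries no port
    return [(m, route(host, m, p)) for m, p in v2_requests(ref, push)]


if __name__ == "__main__":
    for method, target in trace("postgis-docker.example.org/postgis/postgis:16-3.4", push=True):
        print(method, target)
```

Running the block shows a push to the postgis hostname landing in /repository/postgis-docker/..., while the same image pulled from any hostname is served from /repository/docker/...; a push sent to a hostname with no project mapping is routed to the group repository, where it is denied.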

comment:15 Changed 3 months ago by robe

Resolution: fixed
Status: new → closed

I'm going to close this out. I tested on one of the dronie agents by doing this:

docker rmi  #if I don't do this then it just tags the pulled (smart enough to know it's already been pulled from another server)

docker pull

I also setup geos-docker and pushed the

jive - when you get the chance, can you confirm your group can push to

docker login
docker push ...