I'm evaluating using Google Artifact Registry as a replacement for Nexus, and one thing that I have been unable to find in the documentation is if it is possible to mirror or proxy an official repository, for instance mavenCentral (like suggested on this site https://blog.sonatype.com/using-nexus-3-as-your-repository-part-1-maven-artifacts)
Has anyone else achieved this using Artifact Registry?
It is not currently possible to proxy/mirror upstream repositories with Artifact Registry. Support for upstream repositories is on the roadmap, with support for repos such as DockerHub, Maven, NPMJS and PyPi on the list. It will be a proxy / pull-through cache model.
I was also just looking into this and found there's already a mirror of Maven Central on GCP:
https://cloudplatform.googleblog.com/2015/11/faster-builds-for-Java-developers-with-Maven-Central-mirror.html
The question has been partly answered by #christiaan wrt: mirror or proxy mavenCentral (though that is the default fallback if there is no other maven repository is defined anyway).
The closest Google feature request is: maven repos proxying and/or caching public repos. Suggest all interested upvote the feature.
Of course, what I want to do is proxy my private repo, but need the public feature first to even have a shot at that.
Related
I am trying to figure out whether it is possible to configure my own nexus in front of public maven central and white-list which artifacts are available for internal projects.
so this is some kind of security layer, to make sure developers will not reference and pull some version or some artifacts that are not reviewed. but maybe there is a better way to achieve this.
right now all trusted jars are checked into repository, so this would be a step into better dependencies management while maintaining strict list of reviewed artifacts.
thanks for any ideas,
our company has a Maven Repository (Nexus Version 1.4.0 Open Source), this repository hosts company artifacts and also it configured with some proxy repositories (like Maven Central). now the problem is that Nexus can not access to some of the repositories including Maven Central. this is really frustrating.
in Nexus web interface the status of these broken repositories is : "In Service - Attempting to Proxy and Remote Unavailable".
I have no idea what to do.
Not really an answer but a couple thoughts that can lead to the solution:
Since January 2020 maven central moved to https - maybe you should configure nexus accordingly (see this blog post from sonatype)
There might be a network configuration (firewall or whatever) that restricts nexus to make a connection to the mvn central. Maybe its worth to consult with network / admin people.
Nexus itself must have logs - maybe you'll find some information there.
I have created a repository in Nexus. As I am the owner of this repository, it is of type : Hosted.
I was going through the book of Mastering Apache Maven 3.0 and it says that, it is not possible to perform a health check on the repositories which are
1.The Repository Type is Proxy.
2.The Repository Policy is not Snapshot.
3.The Repository is In Service.
I have the last 2 conditions satisfied in my repository. But, the type of my repository is Hosted as I have the repository in my local machine.
Is there anything which I can do for a health check of custom repositories in Nexus?
I have one more question. If I want to mark an artifact in my hosted repository, how should I do that? Or should I just delete the vulnerable artifact from the repository?
Thanks in Advance!
How could nexus perform a health check on your custom libs?
From the nexus docs
HDS exposes data about the components in the Central Repository and
other public repositories, including license information, security
vulnerability data, and other statistics like relative usage
popularity and age
HDS is
Hosted Data Services (HDS) run by Sonatype
None of that is available for your hosted custom libraries. You can't really expect sonatype to maintain a database about them, because it doesn't know about them. If you want this, move your libs to an open-source model with an appropriate licence and upload them to maven central.
I'm trying to figure out if its possible to reuse Artifactory's maven repo on the local machine where the Artifactory server is running. The following details what I am trying to do.
I have a server where Artifactory runs and I'm planning on setting up Jenkins on the same server. If possible, I would like to have only one maven repository on the server. Since Artifactory already runs there, I would expect it is maintaining some kind of a maven repository (I looked around for it but couldn't find it).
Currently, when Jenkins uses Maven to build a maven project, it downloads the dependent jars into a local maven repo (a .m2 folder) on the server. Instead of this, would it be possible to point the settings.xml that maven is using to some local folder under Artifactory where artifactory stores all the jars? Basically, I would like maven to think that all the jars are already available in a local repo (which artifactory is maintaining) and so it wouldnt have to download all the jars from artifactory.
If maven and artifactory can share the same repo folder, this would be possible. But if Artifactory uses its own strucuture to maintain the maven repository (something other than the structure maven follows with its .m2 folder) this would not be possible.
I should state that I have very minimal knowledge of Artifactory, other than the fact that it is a maven repository manager.
Answering my own question here, as more research suggests that this is not possible. I found another question here on SO that states:
Artifactory uses Java Content Repository (JCR) standard to store artifacts. It is an abstraction above various storage implementations, which include filesystem, relational databases, etc. In any case, JCR manages the store by checksums (to reduce size and bandwith), so the repository is not directly browesable in the filesystem. The default implementation is storing the binaries on the filesystem (inside $ARTIFACTORY_HOME/data/filestore and the metadata in Derby DB.
How Artifactory manages repos
A blog post by the Nexus guys also suggests that this is not possible.
Contrasting Nexus and Artifactory -> Contrast #2
According to the Maven documentation:
You can force Maven to use a single repository by having it mirror all repository requests. The repository must contain all of the desired artifacts, or be able to proxy the requests to other repositories. This setting is most useful when using an internal company repository with the Maven Repository Manager to proxy external requests.
To achieve this, set mirrorOf to *.
This StackOverflow question also suggests that setting mirrorOf is sufficient to block an external repository, so why does the Sonatype documentation suggest overloading central with an unreachable URL?
The bogus URL is really irrelevant - you can set it to the original one if you need to, or the URL of your repository manager - as long as the mirrorOf is applicable, it won't be used.
The reason these examples redefine central is to set policies on artifact requests to the default repositories. By default, Maven does not enable snapshot requests to central, and uses default update and checksum policies. Redeclaring central allows these to be overridden - in this case, to enable snapshot artifacts and plugins, and the mirror then redirects all of these to the repository manager. This avoids the need to declare the repositories in your POM (as long as all users have their settings correct).
I wrote that so I can tell you what I was thinking ;-)
The central repository definition needs to be updated to enable snapshot retrieval for at least one repo, otherwise Maven won't even ask the repository manager (pointed to by the mirrorOf) for any snapshots.
While not required, I like to change the definition of the url to be an invalid one also so if there is a misconfiguration somewhere else in the system, it becomes immediately obvious what is happening. Otherwise Maven may still reach out to Central and mask the problems. It's essentially a fail-fast setup.
There's more information on this topic in an old blog I wrote
maven needs project dependencies to be available locally for it to run. It does not care about how it is made available - whether manually installed (using mvn install:install-file), through a mirror or by from central repository. It will fail to run if it is unable to find dependencies.
The sonatype documentation that you are referring to is on using nexus to mirror/proxy repositories. The url specified should be a valid nexus url and cannot be unreachable.
The same is suggested in the SO question as well.