How to create a mirror of a private maven repository? - maven

We have Sonatype nexus repository where we publish artifacts. I want to mirror that repository in a different server located in a different office location. Is there a opensource tool to mirror an entire repository? Note: I am not talking about proxy repositories or caches. I want active mirroring with the two repositories more or less in sync.

You need to setup one as a main repository (basically the one you have) and then the second one in proxy configuration, see this detailed instruction:
https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-2%3A-proxy-and-hosted-maven-repositories#app

Related

Should every application group have their own artifactory release/snapshot repo?

I want to setup Artifactory for a large company and I have a question:
Should every application group have their own set of snapshot and release repos so module collisions don't occur?
The best practice for setting up maven repositories in large companies is to have a SNAPSHOT and a RELEASE maven repo for a functional domain, group of applications or similar.
Probably you need remote repos for external dependencies that are in Maven Central or in other external repositories, in this case, you need to create a remote repo to access these dependencies.
Also, you can have a virtual repo to group all of these local and remote repositories.
For, example:
You have a banking website for personals finances with these maven repos:
SNAPSHOT maven repo: personal-finance-local-SNAPSHOT
RELEASE maven repo: personal-finance-local-RELEASE
You have a banking website for enterprise finances with these maven repos:
SNAPSHOT maven repo: enterprise-finance-local-SNAPSHOT
RELEASE even repo: enterprise-finance-local-RELEASE
If you have external dependencies in Maven Central, you can create two remote maven repos: remote-SNAPSHOT and remote-RELEASE
Finally, create a virtual maven repo in Artifactory to group all maven repos that you want, for example, all of this example. You can have the repo virtual-maven-SNAPSHOT and the virtual-maven-RELEASE where you can have all the SNAPSHOTs or all the RELEASEs dependencies.
If you don't want to have a virtual repo for SNAPSHOTs and another for release versions you can have an unique virtual repo like: virtual-maven
If the company is really that big,(beside the thing you mentioned) it has probably internal release procedures. Like, to be able to release a product even internally some quality assurance protocols must be fullfiled.
In this case, different groups should not able to access other groups repositories without this qa protocols being fullied.
Private repositories for each software group is way to go in this case. And if a group's products can be used internally, It should have another repo for internal releases where others can access.

health check of custom repositories in Nexus?

I have created a repository in Nexus. As I am the owner of this repository, it is of type : Hosted.
I was going through the book of Mastering Apache Maven 3.0 and it says that, it is not possible to perform a health check on the repositories which are
1.The Repository Type is Proxy.
2.The Repository Policy is not Snapshot.
3.The Repository is In Service.
I have the last 2 conditions satisfied in my repository. But, the type of my repository is Hosted as I have the repository in my local machine.
Is there anything which I can do for a health check of custom repositories in Nexus?
I have one more question. If I want to mark an artifact in my hosted repository, how should I do that? Or should I just delete the vulnerable artifact from the repository?
Thanks in Advance!
How could nexus perform a health check on your custom libs?
From the nexus docs
HDS exposes data about the components in the Central Repository and
other public repositories, including license information, security
vulnerability data, and other statistics like relative usage
popularity and age
HDS is
Hosted Data Services (HDS) run by Sonatype
None of that is available for your hosted custom libraries. You can't really expect sonatype to maintain a database about them, because it doesn't know about them. If you want this, move your libs to an open-source model with an appropriate licence and upload them to maven central.

Can Sonatype Nexus use maven's local repository

I now have a PC working as a Sonatype Nexus server and a development environment. I know Nexus stores artifacts for proxy type repository in SonatypRoot\sonatype-work\nexus\storage, and Maven will use a local repository to store artifacts (default directory is C:\USERS\USER_NAME\.m2\repository).
So the question comes when I'm using Maven with Nexus running on the same machine, because i have two copies of every artifact which is big waste of storage.
In Nexus's configuration tab for proxy type repository, there is an option named Override Local Storage Location.
My question is can I set this to my Maven's local repository?
That's a bad idea. One common purpose of nexus to publish artifact internally within your organisation. Typically this is done using mvn deploy. On the other hand your maven local repository serves purpose as a cache to avoid downloading stuff that has been obtained before. If you mix them together you might be accidentally publishing artifacts to your organisation while you just want to test locally in your PC.

Reusing Artifactory's maven repo

I'm trying to figure out if its possible to reuse Artifactory's maven repo on the local machine where the Artifactory server is running. The following details what I am trying to do.
I have a server where Artifactory runs and I'm planning on setting up Jenkins on the same server. If possible, I would like to have only one maven repository on the server. Since Artifactory already runs there, I would expect it is maintaining some kind of a maven repository (I looked around for it but couldn't find it).
Currently, when Jenkins uses Maven to build a maven project, it downloads the dependent jars into a local maven repo (a .m2 folder) on the server. Instead of this, would it be possible to point the settings.xml that maven is using to some local folder under Artifactory where artifactory stores all the jars? Basically, I would like maven to think that all the jars are already available in a local repo (which artifactory is maintaining) and so it wouldnt have to download all the jars from artifactory.
If maven and artifactory can share the same repo folder, this would be possible. But if Artifactory uses its own strucuture to maintain the maven repository (something other than the structure maven follows with its .m2 folder) this would not be possible.
I should state that I have very minimal knowledge of Artifactory, other than the fact that it is a maven repository manager.
Answering my own question here, as more research suggests that this is not possible. I found another question here on SO that states:
Artifactory uses Java Content Repository (JCR) standard to store artifacts. It is an abstraction above various storage implementations, which include filesystem, relational databases, etc. In any case, JCR manages the store by checksums (to reduce size and bandwith), so the repository is not directly browesable in the filesystem. The default implementation is storing the binaries on the filesystem (inside $ARTIFACTORY_HOME/data/filestore and the metadata in Derby DB.
How Artifactory manages repos
A blog post by the Nexus guys also suggests that this is not possible.
Contrasting Nexus and Artifactory -> Contrast #2

Good configuration for Archiva?

We have recently decided to use Maven as build system. I'm responsible to migrate all the projects from Ant to Maven. We also decided to use Apache Archiva to configure an internal repository in the company.
I see that Archiva create two repositories by default (internal and snapshots). I also see that it configures the internal repository to proxy the central and java.net repositories.
Are there some best practices regarding Archiva configuration?
In the Archiva documentation, there is a possibility to configure Maven to use only the internal repository and then access the remote repository through the internal repository. What do you think about this option?
Thanks for your help
A Maven repository manager is essential to support Enterprise Maven development. The Maven installer is merely a bootstrap, running Maven for the first time downloads everything it needs from the Maven Central repository in order to compile your project.
The benefits of using a Maven repository aree documented elsewhere but I'll summarize:
Efficiency. Repository acts as a cache for Maven Central artifacts
Resilience. Repository protects against remote repository failures or lack of internet connection
Repeatability. Storing common artifacts centrally, avoids shared build failures caused by developers maintaining their own local repositories.
Audit. If all 3rd party libraries used by development come from a single entry point in the build process one can assess how often they're used (based on download log files) and what kinds of licensing conditions apply.
To that end I'd encourage you to use the following Archiva features:
Locking down to only use Archiva. Configure Maven clients download everything from Archiva.
Virtual repositories for each team. Configure all the remote repositories used by teams centrally in Archiva instead of leaving the details to the teams themselves.
PS
I use Nexus for my Maven repository management, but the same concepts apply.

Resources