Skip to main content

Docker Authentication

Docker Bearer Token Realm and Access to Docker Repositories

Different security realms are used in different contexts (i.e., when using different clients/means to access repositories) to specify where the user is defined. In Sonatype Nexus Repository, the Docker Bearer Token Realm is required in order to access Docker repositories through a Docker client or other container image manager (e.g., Docker Desktop, Docker Engine, Podman, etc.). It is also required in order to allow anonymous pulls from Docker repositories.

If you plan to access Docker repositories through a Docker client and/or would like to allow anonymous pulls from Docker repositories, enable the Docker Bearer Token Realm as described in the Realms help topic.

Anonymous user access to a Docker repository's content is determined by their nx-view read privileges. (See the Privileges help topic for more information.)

Authenticated Access to Docker Repositories

If access to a repository requires the user to be authenticated, Docker will check for authentication access in the .docker/config.jsonfile on your local machine. If authentication is not found, you will need to perform a docker login command.

Unless you are using a Docker subdomain connector, the docker login command observes the following syntax for the desired repository or repository group:

docker login <nexus-hostname>:<repository-port>

If you are using a subdomain connector, the command will look like the following:

docker login <subdomain>.<nexus-hostname>

Provide your Sonatype Nexus Repository username and password as well as an email address (optional).

This authentication is persisted in ~/.docker/config.json and reused for any subsequent interactions against that repository.

You will need to perform a login for each repository and repository group that you wish to access.

Tip

If you are using continuous integration or automation to push to Docker repositories, setting up persisted authenticated access like this is especially helpful as it removes the need to keep loging in for each interaction.

Unauthenticated Access to Docker Repositories

Anonymous access to Docker repositories requires configuration in two places: within the Anonymous Access page as well as through each Docker repository's configuration form. This is because general anonymous access is controlled through the main Anonymous Access configuration while anonymous Docker pulls are controlled through each individual repository's configuration.

Note

Remember that allowing anonymous Docker pulls or accessing Docker repositories through a Docker client or other container image manager also requires enabling the Docker Bearer Token Realm. Anonymous user access to a Docker repository's content is determined by their nx-view read privileges. (See the Privileges help topic for more information.)

  1. To allow anonymous Docker pulls from a repository, first, ensure you have enabled the Docker Bearer Token Realm (See the Realms help topic).

  2. Navigate to AdministrationRepository → Repositories, and either create a new Docker repository or select an existing Docker repository.

  3. Locate and select the Allow anonymous docker pull checkbox.

Perform the above steps for each Docker repository for wish you which to enable anonymous Docker pulls. Enabling anonymous pulls for a group will only allow anonymous pulls when using the group connector; if you use one of the member connectors, Sonatype Nexus Repository will use that individual member's anonymous pull setting even if it differs from the group.

Docker repository configuration form with Allow anonymous docker pull checkbox highlighted