Repository Management with Nexus
To manage Nexus repositories, log in as the administrative user and click on Repositories in the Views/Repositories menu in the left-hand Nexus menu.
Nexus provides for three different kinds of repositories - Proxy Repositories, Hosted Repositories and Virtual Repositories.
A proxy repository is a proxy of a remote repository. By default, Nexus ships with the following configured proxy repositories:
- Apache Snapshots
- This repository contains snapshot releases from the Apache Software Foundation.
- Codehaus Snapshots
- This repository contains snapshot releases from Codehaus.
- This is the Central Repository containing release artifacts. Formerly known as Maven Central, it is the default built-in repository for Apache Maven and directly supported in other build tools like Gradle, SBT or Ant/Ivy. For Nexus OSS the URL http://repo1.maven.org/maven2/ is used, while Nexus Professional has the SSL secured version https://secure.central.sonatype.com/maven2/ preconfigured. Nexus OSS users and users of other repository managers can purchase usage of the secured version for a nominal fee.
A hosted repository is a repository which is hosted by Nexus. Maven ships with the following configured hosted repositories:
- 3rd Party
- This hosted repository should be used for third-party dependencies not available in the public Maven repositories. Examples of these dependencies could be commercial, proprietary libraries such as an Oracle JDBC driver that may be referenced by your organization.
- This hosted repository is where your organization will publish internal releases.
- This hosted repository is where your organization will publish internal snapshots.
This serves as an adaptor to and from different types of repositories. Currently Nexus supports conversion to and from Maven 1 repositories and Maven 2 repositories. In addition, you can expose any repository format as a NuGet or OBR repository. For example, a Maven 2 repository can contain OSGi Bundles, which can be exposed as an OSGi Bundle repository with the virtual repository Provider set to OBR.
By default it ships with a Central M1 shadow repository that exposes the Central repository in Maven 1 format.
The Repositories window displayed in Figure 6.9, “Repository Configuration Screen for a Proxy Repository” allows you to create, update and delete different repositories with the Add, Delete and Trash buttons. Use the Refresh button to update the displayed list of repositories and repository groups. The Trash button allows you to empty the trash folder into which deleted components are copied when any delete operations are performed from the Nexus user interface.
By default the list of repositories displays the repositories configured and managed by the administrator. The drop down on the right of the Trash button allows you to switch the list of repositories and view the repositories managed by Nexus. There are staging repositories as documented in Chapter 11, Improved Releases with the Nexus Staging Suite or procurement repositories as documented in Chapter 10, Nexus Procurement Suite.
The list of repositories visible in Figure 6.9, “Repository Configuration Screen for a Proxy Repository” allows you to access more details for each repository by selecting a specific row and displays some information for each repository in the following columns:
- the name of the repository with repository groups displayed in bold
- the type of the repository with values of proxy, hosted or virtual for repositories or group for a repository group
- a button to trigger the creation or access the results of a repository health check as documented in Chapter 12, Repository Health Check
- the format used for the storage in the repository with values such as maven2, nuget, site or others
- the deployment policy that applies to this repository. Not all repository policies. The typical Maven format allows Snapshot and Release policies.
- Repository Status
- the status of the repository as well as further information about the status, for example information about SSL certification problems or the status of the remote repository even for a currently disabled proxy repository
- Repository Path
- the direct URL path that exposes the repository via http access and potentially allows access and directory browsing outside of the Nexus interface
Clicking on a column header allows you to sort the list in ascending or descending order based on the column data.
If you right-click on a row, you can trigger a number of actions on the current repository. These actions depend on the repository type and include:
- Expire Cache
- expire the cache of a hosted or proxy repository or a repository group
- Rebuild Metadata
- rebuild the metadata of a hosted Maven 2 repository
- Block Proxy / Allow Proxy
- toggle between allowing or blocking the remote repository configured in a proxy repository
- Put Out Of Service / Put in Service
- enable or disable the repository service, changing the availability of all components in it
- Repair Index / Update Index
- repair or update the index of a hosted or proxy repository or a repository group
Figure 6.9, “Repository Configuration Screen for a Proxy Repository” and Figure 6.10, “Repository Configuration Screen for a Proxy Repository” show the repository configuration screen for a proxy repository in Nexus. From this screen, you can manage the settings for proxying an external repository:
- Repository ID
- The repository ID is the identifier which will be used in the Nexus URL. For example, the central proxy repository has an ID of "central", which means that Maven can access the repository directly at http://localhost:8081/nexus/content/repositories/central. The Repository ID must be unique in a given Nexus installation. ID is required.
- Repository Name
- The display name for a repository. Name is required.
- Repository Type
- The type of repository (proxy, hosted, or virtual). You can’t change the type of a repository; it is selected when you create the repository.
- Provider and Format
- Provider and Format define in what format Nexus exposes the repository to external tools. Supported formats depend on the installed plugins. Nexus Open Source includes support for Maven 1, Maven 2 and Site repositories. Nexus Professional adds support for NuGet and OBR and additional plugins can add support for P2 and P2 Update Site and other formats.
- Repository Policy
- If a proxy repository has a policy of release, then it will only access released versions from the remote repository. If a proxy repository has a policy of snapshot, it will download snapshots from the remote repository.
- Default Storage Location
- Not editable, shown for reference. This is the default storage location for the local cached contents of the repository.
- Override Storage Location
- You can choose to override the storage location for a specific repository. You would do this if you were concerned about storage and wanted to put the contents of a specific repository (such as central) in a different location.
- Remote Repository Access
This section tells Nexus where to look for and how to interact with the remote Maven repository being proxied.
- Remote Storage Location
- This is the URL of the remote Maven repository, that needs to be configured for a proxy repository. When selecting the URL to proxy it is beneficial to avoid proxying remote repository groups. Proxying repository groups prevents some performance optimization in terms of accessing and retrieving the content of the remote repository. If you require components from the group that are found in different hosted repositories on the remote repository server it is better to create multiple proxy repositories that proxy the different hosted repositories from the remote server on your Nexus server instead of simply proxying the group.
- Download Remote Indexes
- This field controls the downloading of the remote indexes. If enabled, Nexus will download the index, if it exists, and use that for its searches as well as serve that up to any clients which ask for the index (like m2eclipse). The default for new proxy repositories is enabled, but all of the default repositories included in Nexus have this option disabled. To change this setting for one of the proxy repositories that ship with Nexus, change the option, save the repository, and then re-index the repository. Once this is done, artifact search will return every artifact available on the Maven Central repository.
- Auto Blocking Enabled
- If Auto blocking active is set to true, Nexus will automatically block a proxy repository if the remote repository becomes unavailable. While a proxy repository is blocked, artifacts will still be served to clients from a local cache, but Nexus will not attempt to locate an artifact in a remote repository. Nexus will periodically retest the remote repository and unblock the repository once it becomes available.
- File Content Validation
- If set to true, Nexus will perform a lightweight check on the content of downloaded files. This prevents invalid content from being stored and proxied by Nexus, which can otherwise happen when the remote repository (or some proxy between Nexus and the remote repository) returns, for example, an HTML page instead of the requested file.
- Checksum Policy
Sets the checksum policy for a remote repository. This option is set to Warn by default. The possible values of this setting are:
- Ignore - Ignore the checksums entirely
- Warn - Print a warning in the log if a checksum is not correct
- StrictIfExists - Refuse to cache an artifact if the calculated checksum is inconsistent with a checksum in the repository. Only perform this check if the checksum file is present.
- Strict - Refuse to cache an artifact if the calculated checksum is inconsistent or if there is no checksum for an artifact.
- This section allows you to set a Username, Password, NT LAN Host, and NT Lan Manager Domain for a remote repository.
- Access Settings
This section configures access settings for a repository.
- Deployment Policy
- This setting controls how a Hosted repository allows or disallows artifact deployment. If this policy is set to "Read Only", no deployment is allowed. If this policy is set to "Disable Redeploy", a client can only deploy a particular artifact once and any attempt to redeploy an artifact will result in an error. If this policy is set to "Allow Redeploy", clients can deploy artifacts to this repository and overwrite the same artifact in subsequent deployments. This option is visible for Hosted repositories as shown in Figure 6.11, “Repository Configuration Access Settings for a Hosted Repository”.
- Allow File Browsing
- When set to true, users can browse the contents of the repository with a web browser.
- Include in Search
- When set to true, this repository is searched when you perform an Artifact Search in Nexus. If this setting is false, the contents of the repository are excluded from a search.
- Publish URL
- If this property is set to false, the repository will not be published on a URL, and you will not be able to access this repository remotely. You would set this configuration property to false if you want to prevent clients from connecting to this repository directly.
- Expiration Settings
Nexus maintains a local cache of artifacts and metadata, and you can configure expiration parameters for a proxy repository. The expiration settings are:
- Not Found Cache TTL
- If Nexus fails to locate an artifact, it will cache this result for a given number of minutes. In other words, if Nexus can’t find an artifact in a remote repository, it will not repeatedly attempt to resolve this artifact until the Not Found Cache TTL time has been exceeded. The default for this setting is 1440 minutes (or 24 hours).
- Artifact Max Age
- Tells Nexus what the maximum age of an artifact is before it retrieves a new version from the remote repository. The default for this setting is -1 for a repository with a Release policy and 1440 for a repository with Snapshot policy.
- Metadata Max Age
- Nexus retrieves metadata from the remote repository. It will only retrieve updates to metadata after the Metadata Max Age has been exceeded. The default value for this setting is 1440 minutes (or 24 hours).
- Item Max Age
- Some items in a repository may be neither an artifact identified by the Maven GAV coordinates nor metadata for such artifacts. This cache value determines the maximum age for these items before updates are retrieved.
- HTTP Request Settings
- This section lets you change the properties of the HTTP request to the remote repository. In this section you can configure the User Agent of the request, add parameters to a request, and set the timeout and retry behaviour. This section refers to the HTTP request made from Nexus to the remote Maven repository being proxied.
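The decision each Checksum Policy value listed above makes for a downloaded artifact, written out as an added example (this is not Nexus source code). The function names, the SHA-1 sidecar parsing and the handling of a malformed checksum file are assumptions of the example; the sample bytes are constructed.

```python
import hashlib
import logging

log = logging.getLogger("checksum-policy-example")
POLICIES = ("Ignore", "Warn", "StrictIfExists", "Strict")


def parse_sha1_file(text):
    """Extract the digest from a .sha1 sidecar body, or None if it is not one.

    Sidecars hold either the bare digest or "digest  filename".
    """
    tokens = text.split()
    if not tokens:
        return None
    digest = tokens[0].lower()
    is_hex = all(c in "0123456789abcdef" for c in digest)
    return digest if len(digest) == 40 and is_hex else None


def should_cache(policy, artifact, remote_sha1):
    """Return True if the proxied artifact may be stored in the local cache.

    remote_sha1 is the body of the remote checksum file, or None when the
    remote repository has no checksum for the artifact.
    """
    if policy not in POLICIES:
        raise ValueError("unknown checksum policy: %r" % (policy,))
    if policy == "Ignore":
        return True
    if remote_sha1 is None:
        # Only Strict treats a missing checksum as a failure.
        return policy != "Strict"
    # Assumption of this example: a checksum file that is present but is not
    # a digest (for instance an HTML error page) counts as inconsistent.
    expected = parse_sha1_file(remote_sha1)
    actual = hashlib.sha1(artifact).hexdigest()
    if expected == actual:
        return True
    if policy == "Warn":
        log.warning("checksum mismatch: expected %s, got %s", expected, actual)
        return True
    return False  # StrictIfExists and Strict refuse to cache


# Constructed sample input, not a real artifact.
SAMPLE = b"constructed artifact bytes"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE).hexdigest() + "  demo-1.0.jar\n"
ALTERED = SAMPLE + b"!"  # same artifact with one byte appended
```

A checksum fetched from the same remote over the same connection catches corrupted or truncated downloads, but it does not authenticate the artifact: content and checksum replaced together still pass Strict. Transport protection such as the HTTPS access to the Central Repository covered later in this chapter addresses that case.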
The Summary panel can be loaded by selecting a hosted, proxy, or virtual repository and then clicking on the Summary tab. The Summary tab of a hosted repository, as shown in Figure 6.12, “Repository Summary Panel for a Hosted Repository”, displays the distributionManagement settings which can be used to configure Maven to publish artifacts to the hosted repository.
The Summary panel for a proxy repository, as shown in Figure 6.13, “Repository Summary Panel for a Proxy Repository”, contains all of the repository identifiers and configuration as well as a list of groups, in which the repository is contained.
The Summary panel for a virtual repository, as shown in Figure 6.14, “Repository Summary Panel for a Virtual Repository”, displays repository identifiers and configuration as well as in which groups the repository is contained.
One part of component lifecycle management is securing your component supply chain. The most important and widely used source for components for Java development and beyond is the Central Repository available at http://search.maven.org. It is the preconfigured default repository in Apache Maven and easily configured in other build systems as well.
Nexus Professional supports access to the Central Repository using HTTPS. This secure access to the Central Repository is the default configuration for Nexus Professional 2.2 and newer. It prevents anybody from gaining insight into the components you are downloading as well as compromising these components via Cross Build Injection (XBI) attacks.
The Remote Storage Location configured for the "Central" proxy repository is "https://secure.central.sonatype.com/maven2/" as displayed in Figure 6.15, “Default Configuration for the Central Repository Using HTTPS”.
The secure connection relies on an authentication token as well as Nexus running on a JVM with high-strength RSA cipher keys. The status of the secured access to the Central Repository can be inspected by accessing the "Secure Central" capability displayed in Figure 6.16, “Secure Central Capability”.
You can use the secure connection to the Central Repository on a version of Nexus that was either upgraded from Nexus Open Source or from an older version, where the Central location was http://repo1.maven.org/maven2/. On Nexus 2.2 and newer you simply replace the Remote Storage Location for the Central proxy repository with https://secure.central.sonatype.com/maven2/. The authentication token will automatically be requested and configured.
The secure access can be used on older versions of Nexus as well, although the preferred approach is to update to Nexus 2.2 or higher. If you require secure access to the Central Repository on an older version of Nexus please contact Sonatype support to receive your authentication token and configuration instructions.
What happens when Nexus is unable to reach a remote repository? If you’ve defined a proxy repository and the remote repository is unavailable, Nexus will now automatically block the remote repository. Once a repository has been auto-blocked, Nexus will then periodically retest the remote repository and unblock the repository once it becomes available. You can control this behaviour by changing the Auto-blocking Active setting under the Remote Repository Access section of the proxy repository configuration as shown in the following figure: