This document describes the Nexus Docker registry setup for OpenSPP images and how to configure Woodpecker CI to push images successfully.
The Nexus repository uses different endpoints for different purposes:
- Internal Docker Registry: 172.20.0.26:8082 (within Docker network)
- Public Pull Access: docker.acn.fr (public read-only)
- Push Access: docker-push.acn.fr (requires authentication)
The woodpeckerci/plugin-docker-buildx plugin often fails to authenticate with Nexus when using the plugin's built-in authentication mechanism.
Based on the working pattern from openspp-packaging-v2, use explicit Docker commands with manual login:
```yaml
steps:
  build-and-push:
    image: docker:latest
    privileged: true
    environment:
      NEXUS_USER:
        from_secret: nexus_username
      NEXUS_PASS:
        from_secret: nexus_password
    commands:
      # Login explicitly
      - echo "$NEXUS_PASS" | docker login 172.20.0.26:8082 -u "$NEXUS_USER" --password-stdin
      # Build and push with buildx
      - docker buildx create --use --name mybuilder
      - docker buildx build --platform linux/amd64,linux/arm64 --push -t 172.20.0.26:8082/openspp/openspp:latest .
```
Add these secrets to your Woodpecker repository settings:
- nexus_username or nexus_user: Your Nexus username
- nexus_password: Your Nexus password
Note: Different projects may use different secret names. The working configuration checks for both:
- nexus_username (newer convention)
- nexus_user (older convention)
```bash
# Add secrets
woodpecker secret add openspp/openspp-packaging-docker \
  --name nexus_username \
  --value "your-username"
woodpecker secret add openspp/openspp-packaging-docker \
  --name nexus_password \
  --value "your-password"
```
- Navigate to your repository in Woodpecker UI
- Go to Settings → Secrets
- Add the required secrets
The Nexus server is accessible at 172.20.0.26 within the Docker platform network:
- Port 8081: APT repository
- Port 8082: Docker registry
Test from within a Woodpecker pipeline:
```yaml
test-connection:
  image: alpine:latest
  commands:
    - apk add --no-cache curl
    - curl -I http://172.20.0.26:8082/v2/
```
See .woodpecker-working.yml for a complete working example that:
- Uses explicit Docker commands
- Handles authentication properly
- Supports multi-architecture builds
- Manages different tags for different events (tag, cron, push)
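One way to implement the credential and tag handling described above, as an added example that is not taken from .woodpecker-working.yml or ci-docker-push.sh. The environment names NEXUS_USERNAME, NEXUS_USER and NEXUS_PASS and the tag scheme (latest, nightly, sha-) are assumptions; CI_PIPELINE_EVENT, CI_COMMIT_TAG and CI_COMMIT_SHA are Woodpecker's built-in variables.

```shell
#!/bin/sh
# Added example, not the project's script. NEXUS_USERNAME, NEXUS_USER, NEXUS_PASS
# and the tag scheme are assumptions; registry and image come from this page.
REGISTRY="${REGISTRY:-172.20.0.26:8082}"
IMAGE="${IMAGE:-openspp/openspp}"

# Print the registry user from whichever secret naming convention is populated.
resolve_nexus_user() {
  if [ -n "${NEXUS_USERNAME:-}" ]; then printf '%s\n' "$NEXUS_USERNAME"
  elif [ -n "${NEXUS_USER:-}" ]; then printf '%s\n' "$NEXUS_USER"
  else echo "set the nexus_username or nexus_user secret" >&2; return 1
  fi
}

# Print space-separated tags for one event. Args: event, git tag, commit sha, date.
select_tags() {
  event="$1"; git_tag="$2"; sha="$3"; day="$4"
  case "$event" in
    tag)
      # Reject empty tags and any character that is not valid in a Docker tag.
      case "$git_tag" in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe tag: $git_tag" >&2; return 1 ;;
      esac
      printf '%s latest\n' "$git_tag" ;;
    cron) printf 'nightly nightly-%s\n' "$day" ;;
    push) printf 'sha-%s\n' "$(printf '%s' "$sha" | cut -c1-8)" ;;
    *)    echo "event '$event' does not publish an image" >&2; return 1 ;;
  esac
}

# Log in with the password on stdin, then build and push every selected tag.
push_image() {
  user="$(resolve_nexus_user)" || return 1
  tags="$(select_tags "${CI_PIPELINE_EVENT:-}" "${CI_COMMIT_TAG:-}" \
    "${CI_COMMIT_SHA:-}" "$(date +%Y%m%d)")" || return 1
  [ -n "${NEXUS_PASS:-}" ] || { echo "nexus_password secret missing" >&2; return 1; }
  printf '%s' "$NEXUS_PASS" | docker login "$REGISTRY" -u "$user" --password-stdin || return 1
  set --
  for t in $tags; do set -- "$@" -t "$REGISTRY/$IMAGE:$t"; done
  docker buildx create --use --name mybuilder
  docker buildx build --platform linux/amd64,linux/arm64 --push "$@" .
}

# Run only on request, so the functions can be sourced and tested without Docker.
if [ "${1:-}" = "push" ]; then push_image; fi
```

Events outside tag, cron and push (a pull request, for instance) return an error before any login happens, so the registry credentials are never used for builds that should not publish.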
Use ci-docker-push.sh for manual pushing:
```bash
# Set credentials
export NEXUS_USER="your-username"
export NEXUS_PASSWORD="your-password"
# Build image
docker build -t openspp:latest .
# Push to Nexus
./ci-docker-push.sh openspp:latest
```
- Check secret names: Ensure you are using the correct secret names (nexus_username vs nexus_user)
- Verify credentials: Test login manually:
  ```bash
  echo "your-password" | docker login 172.20.0.26:8082 -u "your-username" --password-stdin
  ```
- Check network access: Ensure the CI runner can reach 172.20.0.26:8082
- Repository exists: Verify the repository openspp/openspp exists in Nexus
- User permissions: Ensure the user has push permissions
- Image size: Check if there are size limits in Nexus
If 172.20.0.26:8082 is not accessible:
- Verify you're within the Docker platform network
- Check if the Nexus container is running
- Verify port 8082 is the correct Docker registry port
- Use explicit Docker commands instead of relying on plugin authentication
- Test locally first using the manual push script
- Use internal IPs (172.20.0.26) for CI/CD within the Docker network
- Tag appropriately based on build events (tag, cron, branch)
- Handle both secret naming conventions for compatibility
- Working example: /Users/jeremi/Projects/134-openspp/openspp-packaging-v2/.woodpecker.yml
- Nexus Docker Registry API: https://help.sonatype.com/repomanager3/integrations/docker-registry
- Docker Buildx Documentation: https://docs.docker.com/buildx/working-with-buildx/