This article addresses a scenario where a Docker image that violates policy is successfully pulled from a Nexus Repository proxy, seemingly bypassing the Repository Firewall quarantine. This behavior typically occurs when multiple clients attempt to pull the same uncached image simultaneously.
Symptoms
Users may observe the following sequence of events:
-
Client A initiates a
docker pullfor a new, uncached image. The command hangs/waits while Repository Firewall analyzes the image. -
Client B initiates a
docker pullfor the same image while Client A is still waiting. -
Client A eventually receives a
403 Forbiddenerror, indicating the image was successfully quarantined. - Client B successfully downloads the image, bypassing the quarantine.
- Subsequent attempts to pull the image (after Client A's analysis finishes) correctly result in a 403 error.
Additionally, the nexus.log may contain warning messages indicating a timeout in the cooperative wait mechanism:
WARN [qtp...] com.sonatype.nexus.clm.internal.datastore.FirewallContributedHandler - Could not get latest quarantine status for asset ...: Cooperative wait timed out on firewall... (2 threads cooperating)
Cause
This behavior is the expected result of a specific configuration combination: the Cooperative Wait mechanism interacting with and advanced feature Fail-Open Mode.
When a new image is requested, Nexus Repository downloads and analyzes it. To prevent redundant processing, simultaneous requests for the same image "cooperate" by waiting for the initial analysis to complete. This wait period has a timeout.
If the analysis takes longer than the cooperative wait timeout, the waiting request (Client B) stops waiting. If Fail-Open Mode is enabled, Repository Firewall is configured to "fail open," meaning it will allow access to components when the quarantine status cannot be retrieved (due to timeout, connection failure, etc.). As a result, Client B is allowed to download the potentially malicious image because the system prioritized availability over enforcement during the timeout.
Solution
To prevent this behavior and ensure strict enforcement of quarantine policies, you must verify and adjust the Fail-Open Mode configuration.
Verify Fail-Open Configuration
Check if Fail-Open Mode is enabled by retrieving the current configuration via the REST API. Refer to the documentation to Get the Repository Firewall configuration. Look for the property failOpenModeEnabled. If its true, then the feature is enabled.
Disable Fail-Open Mode
If strict security is a priority over availability during timeouts, you should disable Fail-Open Mode. When disabled, requests that time out waiting for analysis will fail (typically with a 504 error) rather than allowing the download.
To disable this setting, use the REST API to update the configuration, setting "failOpenModeEnabled": false. See Configure the Repository Firewall Fail-Open Mode for detailed steps.