Bidhan Sthapit

Logging my devops journey

3 minute read

Nexus Production Learning Journey: Architecture, Automation & APIs

This document summarizes our step-by-step implementation of a production-ready Sonatype Nexus Repository instance on Ubuntu, mapping out everything from infrastructure hardening to API lifecycle automation using simple local authentication.

๐Ÿ—๏ธ 1. Infrastructure Hardening & Architecture

User & Directory Isolation

To enforce strict security boundaries, Nexus is never executed as the root administrative user. Instead, an isolated system service account is created:

sudo useradd -r -c "Nexus Repository Manager" -d /opt/nexus -s /bin/false nexus

Two distinct runtime directories isolate application binaries from persistent state data:

  • /opt/nexus: Core system binaries and configurations (~500MB).
  • /nexus-data: Binary large objects (Blobs), components, and internal databases (Grows continuously).

Multi-Volume Storage Strategy

To mirror an enterprise deployment, a dedicated secondary block volume (/dev/nvme1n1) is provisioned exclusively for storage data. This prevents rapid artifact growth from exhausting the primary OS disk partition.

  • Filesystem Selection: ext4 is selected for its robust journaling, crash consistency, and stability under large-file enterprise workloads.
  • Persistent Mount Layout: Configured with performance-optimized metadata updates using noatime in /etc/fstab: 
    LABEL=nexus-data /nexus-data ext4 defaults,noatime 0 2

OS Kernel & Resource Tuning

Nexus is built on a high-throughput JVM architecture requiring increased file handle ceilings and virtual memory allocations.

# /etc/security/limits.conf
nexus soft nofile 65536
nexus hard nofile 65536

# /etc/sysctl.conf
vm.max_map_count=262144

๐Ÿ› ๏ธ 2. Enterprise Configuration & Optimization

Bypassing Default Runtime Layouts

By editing the Java Virtual Machine tuning properties (bin/nexus.vmoptions), the default sonatype-work local storage paths are overridden to safely point to our isolated secondary volume:

-Dkaraf.data=/nexus-data
-Dkaraf.log=/nexus-data/log
-Djava.io.tmpdir=/nexus-data/tmp
  • Log Redirection: Protects the OS drive from multi-gigabyte audit trail generation.
  • Tmp Redirection: Directs multi-gigabyte build buffers (like large Docker layers) onto the secondary data volume.

Systemd Lifecycle Management

The application process lifecycle is wrapped into a native Linux systemd supervisor configuration to ensure automatic recovery on system crashes or hardware restarts:

# /etc/systemd/system/nexus.service
[Service]
Type=forking
LimitNOFILE=65536
ExecStart=/opt/nexus/nexus-latest/bin/nexus start
ExecStop=/opt/nexus/nexus-latest/bin/nexus stop
User=nexus
Group=nexus
Restart=on-abort

๐Ÿ” 3. Authentication & Access Management Architecture

To ensure immediate stability and eliminate complex single sign-on (SSO) cross-communication errors, this deployment utilizes a streamlined Simple Local Security Architecture.

Authentication is managed completely through local application security databases rather than external cloud identity providers:

  • The Administrator: Uses a hardened local admin profile backed by the systemโ€™s local database realm.
  • The Jenkins Pipeline: Leverages a highly scoped local user account (svc-jenkins-deployer) mapped straight to global artifact administration privileges (nx-admin). This allows Jenkins to pass static username/password basic credentials directly into backend APIs without browser redirections.

๐Ÿš€ 4. Master Command Lab: Programmatic API Uploads

The absolute core of our functional testing focused on navigating the distinct routing layers of the Nexus network topology.

The Storage Endpoint Endpoint (Why it fails on Web Forms)

  • Target Destination: http://<IP>:8081/repository/maven-releases/
  • Behavior: Expects a binary bitstream via standard HTTP PUT.
  • The Error: Sending multi-part form data via POST returns an immediate 405 Method Not Allowed because it lacks a form parser component.

The REST API Components Engine (The Production Automation Route)

  • Target Destination: http://<IP>:8081/service/rest/v1/components?repository=maven-releases
  • Behavior: Expects an HTTP POST carrying multi-part metadata parameters.
  • The Success: The engine automatically interprets parameters like groupId and artifactId, dynamically maps the proper directory sub-folders, saves the asset, and returns an HTTP 204 No Content confirmation.

Programmatic Bash Testing Suite

#!/bin/bash
NEXUS_IP="13.206.145.31"
USERNAME="svc-jenkins-deployer"
PASSWORD="your_secure_password"

# 1. API Component Upload (Returns HTTP 204)
curl -i -u "$USERNAME:$PASSWORD" \
  -X POST "http://$NEXUS_IP:8081/service/rest/v1/components?repository=maven-releases" \
  -F "maven2.groupId=com.mycompany.test" \
  -F "maven2.artifactId=dummy-app" \
  -F "maven2.version=1.0.0" \
  -F "maven2.asset1=@/tmp/dummy-app.jar" \
  -F "maven2.asset1.extension=jar"

# 2. Programmatic Metadata Search Query (Returns JSON)
curl -u "$USERNAME:$PASSWORD" \
  -X GET "http://$NEXUS_IP:8081/service/rest/v1/search?repository=maven-releases&name=dummy-app"

# 3. Public Health Check Monitoring (Returns HTTP 200 - No Auth Required)
curl -i -X GET "http://$NEXUS_IP:8081/service/rest/v1/status"

๐ŸŽฏ Key Takeaways

  • Decouple App Logic from App State: Always scale out a repository manager with an independent data volume. An accidental surge in large image uploads must never be allowed to overwhelm the root OS filesystem partition.
  • Enforce Version Immutability: Production release repositories must have their deployment policy explicitly set to Disable redeploy. This guarantees strict build accountability and prevents silent code overwrites in downstream target environments.
  • Simple Auth Streamlines Machine Lifecycles: Standardizing on clean, local service accounts removes interactive web layer dependencies, making API interaction reliable, readable, and easy to maintain within automation setups.
  • Target the Right API Contract: Remember that /repository/ endpoints are reserved for native compiler CLI tools execution paths utilizing binary PUT transfers, while /service/rest/ components interfaces exist exclusively to parse structured runtime metadata parameters via custom script automation.

You May Also Enjoy