Sonatype is looking through the archives and re-posting popular articles for those new to Sonatype tools.
The first blog in the series is by Sonatype software developer Juven Xu, on backing up Nexus.
Nexus is the industry leading repository manager that helps reduce build times and increase your control of open source artifacts by managing software artifacts required for development, deployment, and provisioning. Nexus greatly simplifies the maintenance of your own internal repositories and access to external repositories such as Maven Central. With Nexus you can completely control access to, and deployment of, every artifact in your organization from a single location.
If you are already using Nexus, this article will teach you how to back up your repository manager (if you don’t use Nexus, you can click here for more information).
To back up Nexus simply means to make a copy of your Nexus files for safekeeping. The copy should be stored on different hardware from the original. For example, you might want to copy your Nexus settings in the sonatype-work/nexus/config folder to a removable hard disk.
It is important to back up your Nexus files because sometimes things fail. Hard disks might crash, files might be deleted by other programs, and we ourselves might even delete important files by mistake. With a backup, you will be protected from these frustrating events.
Sonatype helps open source projects by providing free Maven repository hosting and Maven central repository sync. There are hundreds of projects using this great service. As a result, I've received many questions from users, and a large number of them are about '401'. It is sometimes the case that when people try to deploy artifacts into Nexus using Maven, the deployment fails and they receive a 401 error.
The general definition of '401' can be found in the HTTP RFC. Briefly speaking, a '401' error occurs when the server asks for user authentication but the client cannot provide it. In Nexus, this means the Nexus server asks you to log in first before doing things like deploying artifacts. So when you get a 401 on deploying artifacts to Nexus, you need to make sure you provide correct credentials.
Here is a check list you can follow:
Part of my daily routine involves managing the Sonatype OSS Repository, a free, hosted Nexus Professional instance for hosting open source project repositories. There are more than 100 projects hosted on the OSS instance, and each project has at least one release repository, one snapshot repository, and one repository group. When we started offering this service I would create two repositories and a single repository group for each project, but as community adoption increased, I found that managing hundreds of repositories was becoming a very complicated and time-consuming task. In this post, I'm going to discuss how I consolidated hundreds of repositories down to a single release repository, snapshot repository, and repository group. I'm also going to discuss how I used Nexus security settings to partition these consolidated repositories, providing necessary isolation between separate projects.
If you are running a large instance of Nexus to manage internal development, or if you are responsible for an open source project's installation of Nexus, you can use the approach outlined in this post.
If you recently installed Nexus and have started using it to support internal development and collaboration, you will likely want to know how to configure backups to capture your configuration files and repository data. Any system as central to your development effort as a repository manager needs to be backed up on a daily basis. Hard drives and power supplies fail, and critical repository artifacts in a hosted repository may be inadvertently deleted.
In this post, I go through the recommended procedures for backing up a Nexus installation. I discuss which files and directories need to be backed up, and I make some specific recommendations about backup configuration. Luckily, Nexus was designed to use the filesystem to store both configuration and repository data. This means that backing up your Nexus installation is as easy as configuring an automated backup tool such as amanda or a simple backup script that uses rsync. There is no database to export or server to suspend for the duration of the backup. Backing up or restoring a Nexus installation is as easy as copying a set of files.
If you use a tool that downloads artifacts from the Central Maven repository, you need to make sure that you are making an effort to validate that these artifacts have a valid PGP signature that can be verified against a public key server. If you don't validate signatures, then you have no guarantee that what you are downloading is the original artifact. One way to verify signatures on artifacts is to use a repository manager like Nexus Professional. In Nexus Professional you can configure the procurement suite to check every downloaded artifact for a valid PGP signature and validate the signature against a public keyserver.
If you are developing software using Maven, you should generate a PGP signature for your releases. Releasing software with valid signatures means that your customers can verify that a software artifact was generated by the original author and that it hasn't been modified by anyone in transit. Most large OSS forges like the Apache Software Foundation require all projects to be released by a release manager whose key has been signed by other members of the organization, and if you want to synchronize your software artifacts to Maven Central you are required to provide PGP signatures.
In this post, I show you how to configure your Maven project to generate a valid signature using GPG. GnuPG (a.k.a. GPG) is a freely available implementation of the OpenPGP standard. It's available for both Windows and Unix-like computers. GPG provides you with the capability to generate a signature, manage keys, and verify signatures. In the following sections, I will introduce GPG as well as maven-gpg-plugin, which provides Maven goals to generate signatures for a release.