April 22, 2009

Maven Setting for Using a Single Repo Manager

In a previous post I have tried to explain why it's a good idea to define your Maven repository in your settings.xml file instead of the POM.

Of course, there is some information available on how to do this, for instance in the Maven Settings Reference, the Mirrors Guide, or the great Nexus book from Sonatype.

Nevertheless, this setup of repositories, proxies and mirrors can be a bit tricky (and is quite confusing when just starting with Maven), so here is how we did that.

How should it look like?

We use the Nexus repository manager and especially do like the repository groups which combine repositories into single logical repo. (This feature is also implemented by other products like Archiva or Artifactory, see this Feature Matrix).

Now, here is the approach we want to implement:

  • Access the repository group "internal" for release and snapshot versions of all internal artifacts that have been produced by our company
  • Use the "public" repository group to provide release versions of all external artifacts (we don't want external snapshots!)
  • For downloading plugins, use both the "public" as well as the "internal" repository group to get release versions (we don't want to use snaphot version of plugins!)
  • Don't use any other repository than "public" or "internal", no matter what is configured in project's POM, inherited POM, transitive dependencies, dependencies of plugins, etc. -- never ever!


Defining the Repositories

This is the required repository definition:

  • We use a profile (that is activated by default) to group the repositories. This is actually not required, but gives a bit more flexibility.
  • For artifact resolution, there are two repositories with id "central" and "internal" to provide public (external) respectively internal artifacts.
  • The definition for "central" repository is overriding (by using the same id) the "central" repository already defined in the implicit super POM, which is using repo1.maven.org for downloads.
  • The given URLs are only bogus and are overridden by mirror settings – see below.
  • Additionally, we define the same two repositories "central" and "internal" as plugin repositories (required by Maven to find plugins). However, in contrast to artifacts, snapshots are not allowed at all.

And here is how the code looks like:

<profiles>
<profile>
<id>repo-config</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>

<repositories>
<!-- repo "central": override Maven default,
mirrored to Nexus group "public" -->
<repository>
<id>central</id>
<url>http://central</url>
<releases>
<enabled>true</enabled>
<updatePolicy>never</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
<!-- repo "internal": provides internal release and snapshot artifacts,
mirrored to Nexus group "internal" -->
<repository>
<id>internal</id>
<url>http://internal</url>
<releases>
<enabled>true</enabled>
<updatePolicy>never</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</releases>
<snapshots>
<enabled>true</enabled>
<updatePolicy>always</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</snapshots>
</repository>
</repositories>

<pluginRepositories>
<!-- plugin-repo "central": override Maven default,
mirrored to Nexus group "public" -->
<pluginRepository>
<id>central</id>
<url>http://central</url>
<releases>
<enabled>true</enabled>
<updatePolicy>never</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</pluginRepository>
<!-- plugin-repo "internal": provides internal plugin releases,
mirrored to Nexus group "internal" -->
<pluginRepository>
<id>internal</id>
<url>http://internal</url>
<releases>
<enabled>true</enabled>
<updatePolicy>never</updatePolicy>
<checksumPolicy>ignore</checksumPolicy>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</pluginRepository>
</pluginRepositories>

</profile>
</profiles>

Defining the Mirrors

After defining the repositories, two issues are left: we have to specify the correct URLs, and to make sure nobody uses any other repository. Both of this is done with the <mirrors> definition.

  • Repository with id "internal" is mapped to the URL of the "internal" Nexus group; that is, Maven uses that URL instead of what is given with the repository definition (the bogus URL http://internal).
  • Every other repository (specified by using <mirrorOf>*</mirrorOf>) is mapped to the URL of the "public" Nexus group.
  • This last definition not only maps the "central" repository to the correct URL, but also any other repository and hence ensures every request is locked down to the internal repository manager.

Again, here is the section from settings.xml file:

<mirrors>
<mirror>
<id>nexus-internal</id>
<name>Nexus internal repository group</name>
<url>http://our-nexus-server:8081/nexus/content/groups/internal</url>
<mirrorOf>internal</mirrorOf>
</mirror>
<mirror>
<id>nexus-public</id>
<name>Nexus public repository group</name>
<url>http://our-nexus-server:8081/nexus/content/groups/public</url>
<mirrorOf>*</mirrorOf>
</mirror>
</mirrors>

What about the Proxy?

The <proxy> section in the settings.xml file can be used to define a network proxy that is used for some or all of your HTTP requests. In our configuration, since the Nexus repository manager is running on an internal server and Maven is configured to not connect to any other server, we just don't need this setting.

See Configuring a proxy for more details on Maven Proxies. BTW, it should now be very clear that mirrors in the Maven world are something completely different than proxies...

2 comments:

  1. Just curious why you chose to create a separate group for internal and external repos? We usually recommend people use one group for simplicity.

    ReplyDelete
  2. @Brian - good point... I should have explained this better, probably.

    The main reason is to make sure snapshot versions are only used for internal artifacts (provided by Nexus group "internal"), not public ones (group "public"). We know the same can be achieved by adequate Nexus configuration (make sure to only add repositories of "release" policy to the "public" group), but having this additional protection in the Maven settings seemed safer to us -- albeit configuration is a bit more cumbersome. It is critical for us to make sure we don't use snapshots of external libraries within customer projects, that's why I still think this is a reasonable approach.

    Moreover, our organization of Nexus groups hasn't been optimal in the beginning. We mixed up release and snapshot repositories in the "public" group which turned out to be a bad idea. Now we use well-defined groups (like "public release repos", "public snapshot repos", "all public repos" etc.) to have a clean separation, which is useful for scheduled tasks and also is the requisite to use only one group in the settings.

    ReplyDelete