Summary

This troubleshooting guide covers the common issues and errors you may encounter when integrating a Docker Trusted Registry (DTR) with Aqua. It includes suggestions and tips for resolving them.


Environment

Aqua CSP 5.0

Docker Trusted Registry (DTR) 2.7.6


Symptoms & Solutions


Symptom 1 - "[Failed] Registry connection: Verifying authentication".

  • After entering the DTR credentials on the Image Registry Integration page and clicking Test Connection, you receive the following error message:


[Failed] Registry connection: Verifying authentication
failed authenticating with registry, please verify credentials



Solution to Symptom 1 - Ensure that you have entered the correct credentials.

  • This error is most commonly caused by incorrect credentials. Ensure that the credentials you have entered for the DTR integration are correct and have been validated. A successful authentication shows this check as Finished.



Symptom 2 - "[Failed] Registry connection: Validating registry type".

  • After applying the details for the DTR and clicking Test Connection, you receive the following error message:


[Failed] Registry connection: Validating registry type

https://www.example.com:8443/v2/
Get https://www.example.com:8443/v2/: dial tcp: lookup www.example.com on 10.0.0.10:53: no such host



Solution to Symptom 2 - Ensure that the DTR URL you have entered is valid and reachable.

  • This error is likely caused by a DTR URL that is incorrect or cannot be resolved. Check that the DTR URL is valid and reachable from where the Aqua Console is deployed in your environment. If you are using a fully qualified domain name (FQDN) for the DTR, also confirm that a DNS lookup of the domain name succeeds from where the Aqua Console is deployed.
  • A successful registry validation shows this check as Finished.



Symptom 3 - "connect: connection refused".

  • After applying the details for the DTR and clicking Test Connection, you receive the following error message:


[Failed] Registry connection: Validating registry type

https://www.example.com/v2/
Get https://www.example.com/v2/: dial tcp 00.00.000.000:443: connect: connection refused


2020-08-28 17:01:43.915 ERROR v2/v2.go:183 Failed getting /v2/ {"url": "https://www.example.com", "error": "Get https://www.example.com/v2/: dial tcp 00.00.000.000:443: connect: connection refused"}
bitbucket.org/scalock/server/common/libregistry/v2.(*V2).AuthenticateNewRegistry
/go/src/bitbucket.org/scalock/server/common/libregistry/v2/v2.go:183
bitbucket.org/scalock/server/common/libregistry/v2.New
/go/src/bitbucket.org/scalock/server/common/libregistry/v2/v2.go:155
bitbucket.org/scalock/server/common/libregistry/dtr.New
/go/src/bitbucket.org/scalock/server/common/libregistry/dtr/dtr.go:68
bitbucket.org/scalock/server/common/libregistry.NewWithType
/go/src/bitbucket.org/scalock/server/common/libregistry/libregistry.go:137
bitbucket.org/scalock/server/common/libregistry.ValidateRegistrySteps.func1
/go/src/bitbucket.org/scalock/server/common/libregistry/libregistry.go:211




Solution to Symptom 3 - Explicitly specify the correct port number in the DTR URL.

  • This error is likely caused by a port in the DTR URL that is incorrect or has not been explicitly specified. In the example above, the DTR is not being served on port 443 but on 8443 instead. Adding the correct port number to the DTR URL should allow the registry to be validated.
  • A successful registry validation shows this check as Finished.
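
The checks behind Symptoms 2 and 3 can be reproduced from the host where the Aqua Console is deployed with a short script. This is an added example, not Aqua or DTR code; the names preflight and DEFAULT_PORTS are hypothetical, and it assumes that a URL without an explicit port falls back to 443 for https, as in the error shown for Symptom 3.

```python
import socket
from urllib.parse import urlsplit

# Hypothetical helper names; nothing here is part of Aqua or DTR.
DEFAULT_PORTS = {"https": 443, "http": 80}  # port used when the URL omits one


def preflight(registry_url, timeout=3.0):
    """Classify reachability of a registry URL as (status, detail)."""
    try:
        parts = urlsplit(registry_url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return "bad_url", "port is not a valid number"
    if port is None or not parts.hostname:
        return "bad_url", "expected http(s)://host[:port]"

    # Symptom 2: the name must resolve from this machine's DNS resolver.
    try:
        addrs = socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", f"cannot resolve {parts.hostname}: {exc}"

    # Symptom 3: something must be listening on the port actually in use.
    refused = False
    for family, socktype, proto, _, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                return "reachable", f"{sockaddr[0]}:{port} accepts TCP connections"
            except ConnectionRefusedError:
                refused = True
            except OSError:
                continue  # timeout or no route; try the next address
    if refused:
        return "connection_refused", f"nothing listening on port {port}"
    return "unreachable", f"no TCP connection to {parts.hostname}:{port}"


if __name__ == "__main__":
    # Constructed sample URLs matching the examples in this guide.
    for url in ("https://www.example.com:8443", "https://www.example.com"):
        print(url, "->", preflight(url))
```

A dns_failure result corresponds to the "no such host" error in Symptom 2, and connection_refused corresponds to the error in Symptom 3.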



Symptom 4 - Cannot pull down images from DTR after a successful configuration.

  • You entered all of the required details correctly for the DTR, the Test Connection succeeded, and you saved your new DTR integration. However, when you try to pull down the images so that Aqua can scan and register them from the DTR, the pull is unsuccessful.


Solution to Symptom 4 - Ensure the DTR user account permissions are correct/sufficient.

  • This issue is likely caused by user account permissions that are insufficient for Aqua to pull down and scan the images from the DTR registry. Check that the user account has the correct permissions in your DTR settings. The team permission levels in DTR are described in the permission levels page listed under Related Information.


  



Related Information

  1. https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-products/dtr.html
  2. https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-products/dtr/dtr-admin/manage-users/permission-levels.html