Troubleshoot Common Issues
Solutions for frequently encountered problems with Angos.
Debug Logging
Enable detailed logging to diagnose issues:
# General debug
RUST_LOG=debug ./angos server
# Specific modules
RUST_LOG=info,angos::command::server::auth=debug ./angos server
# Multiple modules
RUST_LOG=info,angos::configuration=debug,angos::cache=debug ./angos server
Useful modules:
angos::configuration- Config loading/watchingangos::command::server::auth- Authenticationangos::cache- Pull-through cacheangos::registry::access_policy- Policy evaluation
Authentication Issues
"unauthorized: Access denied"
Cause: No credentials provided or invalid credentials.
Solutions:
-
Check credentials are correct:
curl -u user:password http://localhost:5000/v2/ -
For OIDC, verify token is valid:
curl -H "Authorization: Bearer $TOKEN" http://localhost:5000/v2/ -
Check access policy allows the action:
[global.access_policy]
default_allow = false
rules = ["identity.username != ''"]
"forbidden: access denied"
Cause: Authenticated but policy denies access.
Solutions:
-
Enable policy debug logging:
RUST_LOG=angos::registry::access_policy=debug -
Check rules match your identity and action
-
For OIDC, always check null first:
rules = ["identity.oidc != null && identity.oidc.claims['repo'].startsWith('myorg/')"]
OIDC Token Rejected
Causes:
- Token expired
- Issuer mismatch
- Audience mismatch
- JWKS fetch failure
Solutions:
- Verify token hasn't expired
- Check issuer exactly matches configuration
- Verify audience if
required_audienceis set - Ensure registry can reach OIDC provider:
curl https://token.actions.githubusercontent.com/.well-known/jwks
mTLS Certificate Rejected
Causes:
- Certificate not signed by trusted CA
- Certificate expired
- Wrong certificate format
Solutions:
-
Verify certificate chain:
openssl verify -CAfile ca.pem client.pem -
Check expiration:
openssl x509 -in client.pem -noout -dates -
Ensure PEM format for all certificates
Push/Pull Issues
"manifest unknown"
Cause: Manifest doesn't exist.
Solutions:
-
Verify the tag/digest exists:
curl http://localhost:5000/v2/namespace/image/tags/list -
For pull-through cache, check upstream connectivity
-
Check namespace spelling
"blob unknown"
Cause: Blob not found in storage.
Solutions:
- Re-push the image
- Check storage backend is accessible
- For S3, verify bucket permissions
"Tag immutable"
Cause: Attempting to overwrite an immutable tag.
Solutions:
- Use a different tag
- Add tag to exclusions:
immutable_tags_exclusions = ["^latest$", "^your-tag$"] - Disable immutability for the repository
Push Timeout
Causes:
- Large blob
- Slow network
- S3 timeout
Solutions:
-
Increase timeouts in S3 config:
[blob_store.s3]
operation_timeout_secs = 1800
operation_attempt_timeout_secs = 600 -
Check network connectivity
-
Consider chunked uploads
Pull-Through Cache Issues
"unexpected status code 401"
Cause: Upstream credentials invalid.
Solutions:
-
Verify upstream credentials:
docker login registry-1.docker.io -
Check credentials in config:
[[repository."library".upstream]]
url = "https://registry-1.docker.io"
username = "correct-user"
password = "correct-pass"
Cache Not Working
Symptoms: Every pull contacts upstream.
Solutions:
-
Enable cache debug logging:
RUST_LOG=angos::cache=debug -
Check immutable tags for optimization:
[repository."library"]
immutable_tags = true -
Verify storage is writable
Rate Limited by Upstream
Symptoms: 429 errors or slow pulls.
Solutions:
- Add upstream credentials (higher limits)
- Enable immutable tags to reduce checks
- Add more upstreams for fallback
Storage Issues
Filesystem Permissions
Symptoms: Permission denied errors.
Solutions:
# Check ownership
ls -la /data/registry
# Fix permissions
sudo chown -R $(id -u):$(id -g) /data/registry
S3 Connection Errors
Symptoms: Timeout or connection refused.
Solutions:
-
Verify endpoint URL:
curl $S3_ENDPOINT -
Check credentials:
aws s3 ls s3://your-bucket --endpoint-url $S3_ENDPOINT -
Verify region is correct
"lock already held"
Cause: Concurrent operations on same resource.
Solutions:
-
For multi-replica, configure Redis locking:
[metadata_store.fs.redis]
url = "redis://localhost:6379"
ttl = 10
max_retries = 100 -
Increase retry settings
-
Check for stuck processes
Configuration Issues
Config Not Reloading
Symptoms: Changes not taking effect.
Solutions:
-
Check config is valid:
./angos -c config.toml server # Will error on invalid -
Some settings require restart:
bind_address,port- TLS enable/disable
- Storage backend type
TLS Certificate Errors
Solutions:
-
Verify certificate files:
openssl x509 -in server.crt -noout -text
openssl rsa -in server.key -check -
Check certificate matches key:
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5 -
Ensure full chain is included
Web UI Issues
Blank Page
Solutions:
- Check browser console for errors
- Clear browser cache
- Verify
ui.enabled = true - Check access policy allows
ui-asset
403 on Browse
Solutions: Add to access policy:
rules = [
"request.action == 'ui-asset' || request.action == 'ui-config'",
"identity.username != '' && request.action.startsWith('list-')"
]
Performance Issues
High Memory Usage
Solutions:
-
Reduce concurrent requests:
[global]
max_concurrent_requests = 4 -
For S3, adjust chunk sizes:
[blob_store.s3]
multipart_part_size = "10MiB"
Slow Responses
Solutions:
- Check storage latency
- Enable Redis cache for multi-replica
- Reduce webhook timeouts
- Use immutable tags for cache optimization
Getting Help
- Check logs: Enable debug logging for the relevant module
- Verify config: Test with minimal configuration
- Test isolation: Isolate the failing component
- Report issues: https://github.com/project-angos/angos/issues