Troubleshoot Common Issues
Solutions for frequently encountered problems with Angos.
Debug Logging
Enable detailed logging to diagnose issues:
# General debug
RUST_LOG=debug ./angos server
# Specific modules
RUST_LOG=info,angos::auth=debug ./angos server
# Multiple modules
RUST_LOG=info,angos::configuration=debug,angos::cache=debug ./angos server
Useful modules:
angos::configuration- Config loading/watchingangos::auth- Authenticationangos::cache- Pull-through cacheangos::registry::access_policy- Policy evaluation
Authentication Issues
"unauthorized: Access denied"
Cause: No credentials provided or invalid credentials.
Solutions:
-
Check credentials are correct:
curl -u user:password http://localhost:8000/v2/ -
For OIDC, verify token is valid:
curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/v2/ -
Check access policy allows the action:
[global.access_policy]default = "deny"rules = ["identity.username != ''"]
"forbidden: access denied"
Cause: Authenticated but policy denies access.
Solutions:
-
Enable policy debug logging:
RUST_LOG=angos::registry::access_policy=debug -
Check rules match your identity and action
-
For OIDC, always check null first:
rules = ["identity.oidc != null && identity.oidc.claims['repo'].startsWith('myorg/')"]
OIDC Token Rejected
Causes:
- Token expired
- Issuer mismatch
- Audience mismatch
- Token signed after OIDC provider key rotation
Solutions:
- Verify token hasn't expired
- Check issuer exactly matches configuration
- Verify audience if
required_audienceis set - Ensure registry can reach OIDC provider:
If a token uses a newcurl https://token.actions.githubusercontent.com/.well-known/jwks
kid, Angos refreshes JWKS once outside the cache before rejecting it.
OIDC Provider Unavailable
If Angos cannot fetch or parse the provider discovery document or JWKS, it returns 503 instead of treating the token as bad credentials.
Solutions:
- Ensure registry can reach the OIDC provider over the network
- Check provider status and JWKS/discovery endpoints
- Verify proxy, DNS, and firewall settings
mTLS Certificate Rejected
Causes:
- Certificate not signed by trusted CA
- Certificate expired
- Wrong certificate format
Solutions:
-
Verify certificate chain:
openssl verify -CAfile ca.pem client.pem -
Check expiration:
openssl x509 -in client.pem -noout -dates -
Ensure PEM format for all certificates
Malformed certificates receive a generic Invalid certificate response. Enable debug logs to see parser details server-side.
Push/Pull Issues
"manifest unknown"
Cause: Manifest doesn't exist.
Solutions:
-
Verify the tag/digest exists:
curl http://localhost:8000/v2/namespace/image/tags/list -
For pull-through cache, check upstream connectivity
-
Check namespace spelling
"blob unknown"
Cause: Blob not found in storage.
Solutions:
- Re-push the image
- Check storage backend is accessible
- For S3, verify bucket permissions
"Tag immutable"
Cause: Attempting to overwrite an immutable tag.
Solutions:
- Use a different tag
- Add tag to exclusions:
immutable_tags_exclusions = ["^latest$", "^your-tag$"]
- Disable immutability for the repository
Push Timeout
Causes:
- Large blob
- Slow network
- S3 timeout
Solutions:
-
Increase timeouts in S3 config:
[blob_store.s3]operation_timeout_secs = 1800operation_attempt_timeout_secs = 600 -
Check network connectivity
-
Consider chunked uploads
Pull-Through Cache Issues
"unexpected status code 401"
Cause: Upstream credentials invalid.
Solutions:
-
Verify upstream credentials:
docker login registry-1.docker.io -
Check credentials in config:
[[repository."library".upstream]]url = "https://registry-1.docker.io"username = "correct-user"password = "correct-pass"
Cache Not Working
Symptoms: Every pull contacts upstream.
Solutions:
-
Enable cache debug logging:
RUST_LOG=angos::cache=debug -
Check immutable tags for optimization:
[repository."library"]immutable_tags = true -
Verify storage is writable
Rate Limited by Upstream
Symptoms: 429 errors or slow pulls.
Solutions:
- Add upstream credentials (higher limits)
- Enable immutable tags to reduce checks
- Add more upstreams for fallback
Storage Issues
Filesystem Permissions
Applies only to filesystem storage ([blob_store.fs] or [metadata_store.fs]). For S3 backends, check IAM permissions and bucket policies instead.
Symptoms: Permission denied errors.
Solutions:
# Check ownership
ls -la /data/registry
# Fix permissions
sudo chown -R $(id -u):$(id -g) /data/registry
S3 Connection Errors
Symptoms: Timeout or connection refused.
Solutions:
-
Verify endpoint URL:
curl $S3_ENDPOINT -
Check credentials:
aws s3 ls s3://your-bucket --endpoint-url $S3_ENDPOINT -
Verify region is correct
"lock already held"
Cause: Concurrent operations on same resource.
Solutions for Redis locking:
-
Configure Redis locking:
[metadata_store.fs.lock_strategy.redis]url = "redis://localhost:6379"ttl = 10 -
For high contention, increase
max_retriesandretry_delay_ms. Redis retries use exponential backoff capped at 1s, plus jitter. -
Increase TTL if operations take longer
-
Check for stuck processes
Solutions for S3 locking:
-
Stale locks under the
.tx-locks/prefix are automatically recovered after TTL expiry -
If operations take longer than the TTL, increase
ttl_secs(minimum: 9):[metadata_store.s3.lock_strategy.s3]ttl_secs = 60The heartbeat interval is automatically set to
ttl_secs / 3, so this example will heartbeat every 20 seconds. -
For high contention, increase
max_retriesandretry_delay_ms:[metadata_store.s3.lock_strategy.s3]max_retries = 200retry_delay_ms = 100 -
If the startup probe fails, your S3 provider may not support conditional writes; fall back to Redis locking instead. S3 locking is only supported when using S3 for metadata storage; it cannot be used with filesystem metadata stores.
Configuration Issues
Config Not Reloading
Symptoms: Changes not taking effect.
Solutions:
-
Check config is valid:
./angos -c config.toml server # Will error on invalid -
Some settings require restart:
bind_address,port- TLS enable/disable
- Storage backend type
TLS Certificate Errors
Solutions:
-
Verify certificate files:
openssl x509 -in server.crt -noout -textopenssl rsa -in server.key -check -
Check certificate matches key:
openssl x509 -noout -modulus -in server.crt | openssl md5openssl rsa -noout -modulus -in server.key | openssl md5 -
Ensure full chain is included
Web UI Issues
Blank Page
Solutions:
- Check browser console for errors
- Clear browser cache
- Verify
ui.enabled = true - Check access policy allows
ui-asset
403 on Browse
Solutions: Add to access policy:
rules = [
"request.action == 'ui-asset' || request.action == 'ui-config'",
"identity.username != '' && request.action.startsWith('list-')"
]
Performance Issues
High Memory Usage
Solutions:
-
Reduce concurrent requests:
[global]max_concurrent_requests = 4 -
For S3, adjust chunk sizes:
[blob_store.s3]multipart_part_size = "10MiB"
Slow Responses
Solutions:
- Check storage latency
- Enable Redis cache for multi-replica
- Reduce webhook timeouts
- Use immutable tags for cache optimization
Getting Help
- Check logs: Enable debug logging for the relevant module
- Verify config: Test with minimal configuration
- Test isolation: Isolate the failing component
- Report issues: https://github.com/project-angos/angos/issues