Portus Incorrect error message when registry not configured for token auth ("Error: registry does not implement v2 of the API.")

I decided to shelve my docker-compose setup and instead try to set up two VMs:

docker-reg.example.com - Registry (via Docker)
portus.example.com - Portus (installed RPM on OpenSuSE 13.2)

I'm trying to do everything correct, using my own certificates where necessary.

From portus.example.com, I verify that the certificates are set up correctly:

curl https://docker-reg.example.com/v2/
{}

However, when I try to add the registry to Portus, it says:

Error: registry does not implement v2 of the API.

I can see in my docker logs from the registry (and nginx proxy) that Portus is incorrect, because an HTTP 200 is being returned to him:

registry_1 | time="2015-10-27T23:13:55Z" level=info msg="response completed" http.request.host=docker-reg.example.com http.request.id=xxx http.request.method=GET http.request.remoteaddr=192.168.1.35 http.request.uri="/v2/" http.request.useragent=Ruby http.response.contenttype="application/json; charset=utf-8" http.response.duration=4.288973ms http.response.status=200 http.response.written=2 instance.id=xxx version=v2.1.1 
nginx_1    | nginx.1    | docker-reg.example.com 192.168.1.35 - - [27/Oct/2015:23:13:55 +0000] "GET /v2/ HTTP/1.1" 200 2 "-" "Ruby"
registry_1 | 172.17.0.121 - - [27/Oct/2015:23:13:55 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "Ruby"

I don't know how to debug this any further.

Oct 27 '15 23:10 JonathonReinhart

You are using the old version of the registry, the one using API V1.

Please use the right version of the registry.

Oct 28 '15 06:10 flavio

Sorry, but I am not using the old registry. You can see in my curl command line that I'm accessing the /v2/ endpoint successfully.

Also, my docker-compose.yml:

registry:
  image: registry:2
  ...

Oct 28 '15 15:10 JonathonReinhart

@JonathonReinhart try image: registry:2.1.1 I think 2.1 is the minimum version supported according to the docs I read

Oct 28 '15 15:10 thenewguy

I figured it out... I would consider this a minor bug. Here's the code in question.

https://github.com/SUSE/Portus/blob/adea18a/app/models/registry.rb#L83

  def reachable?
    msg = ""

    begin
      r = client.reachable?

      # At this point, !r is only possible if the returned code is 404, which
      # according to the documentation we have to assume that the registry is
      # not implementing the v2 of the API.
      return "Error: registry does not implement v2 of the API." unless r

https://github.com/SUSE/Portus/blob/adea18a/lib/portus/registry_client.rb#L21

def reachable?
      res = perform_request("", "get", false)

      # If a 401 was retrieved, it means that at least the registry has been
      # contacted. In order to get a 200, this registry should be created and
      # an authorization requested. The former can be inconvenient, because we
      # might want to test whether the registry is reachable.
      !res.nil? && res.code.to_i == 401
    end

The problem is that I had rolled back my registry config to a point where it was not yet configured to use token auth.

So the problem is that the registry was in fact returning 200, when Portus was expecting a 401.

I think that means the logic here needs to be expanded to detect this case, and tell the user "Your registry is not configured for token authentication" instead of an incorrect "Not v2" message.

Oct 28 '15 15:10 JonathonReinhart

Another issue in the same area of the code:

If the registry is using an SSL certificate that cannot be verified by Portus, an OpenSSL::SSL::SSLError is raised. Luckily, the exception message indicates what went wrong: something about validation failing. However, Portus currently handles that exception like this:

    rescue OpenSSL::SSL::SSLError
      if use_ssl
        msg = "Error: using SSL, but the given registry is not using SSL."
      else
        msg = "Error: there's something wrong with your SSL configuration."
      end

In this case, the message is just plain wrong. The registry is using SSL. I feel that these error message hide too much from the user.

Oct 28 '15 21:10 JonathonReinhart

@JonathonReinhart agreed. I'll try to improve this error handling :)

Oct 29 '15 09:10 mssola

In my testing, I basically commented out the rescue cases, and changed included the whole exception message in msg. It wasn't as pretty, but it was a lifesaver during this critical point in the integration! :smile:

Oct 29 '15 11:10 JonathonReinhart

+1 I have the same problem

Nov 24 '15 14:11 ch3lo

+1

Jan 22 '16 23:01 Shuliyey

Fixed with PR https://github.com/SUSE/Portus/pull/687

Jan 26 '16 17:01 flavio

This issue needs 2 fix.

I tested the master and the initial problem isn't solved (Error: registry does not implement v2 of the API.), otherwise the https://github.com/SUSE/Portus/issues/503#issuecomment-151992938 was solved.

Mar 16 '16 18:03 ch3lo

Agreed, a proper fix should include the fix described in this comment.

Mar 17 '16 08:03 mssola

how is this not fixed 🙃

edit: not the best comment, marking it as spam

Nov 06 '18 21:11 ForsakenHarmony

oh wait it is, I did something wrong, got it right after 2 days

Nov 07 '18 21:11 ForsakenHarmony

2019 still not fixed. Without the comment from JonathonReinhart I would have been blind how to fix this and just assume that Portus is broken and moved on to other solutions.

May 14 '19 17:05 hholst80

Still happening. I'd also appreciate help in debugging why the registry is throwing a 401. @mssola Can you please help?

May 31 '20 19:05 phrfpeixoto

I managed to identify the issue within nginx. Thanks

May 31 '20 23:05 phrfpeixoto