anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Update image registry doesn't work. #847

Open pbalogh-sa opened 3 years ago

pbalogh-sa commented 3 years ago

BUG REPORT: Anchore-engine cannot update registries

Version of Anchore Engine and Anchore CLI if applicable:

anchore-engine:

Engine DB Version: 0.0.13
Engine Code Version: 0.8.0

anchore-cli:

anchore-cli, version 0.9.0

What happened:

anchore-cli --json registry update --registry-type awsecr xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com XXXXX xxxxxxx
{
    "detail": {
        "error_codes": []
    },
    "httpcode": 406,
    "message": "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com,) - exception: cannot access/parse registry metadata for awsecr registry type - exception: 'registry_meta'"
}

What did you expect to happen: Registry update should work.

Any relevant log output from /var/log/anchore:

[service:api] 2021-01-15 15:14:35+0000 [_GenericHTTPChannelProtocol,1161312,10.0.0.26] [PoolThread-twisted.internet.reactor-0] [anchore_engine.clients.services.internal/dispatch()] [ERROR] Failed client call to service catalog for url: http://anchore-engine-anchore-engine-catalog:8082/v1/system/registries/xxxxxxx.dkr.ecr.us-east-1.amazonaws.com. Response: {'httpcode': 406, 'anchore_error_raw': 'b\'{\\n  "detail": {\\n    "error_codes": []\\n  },\\n  "httpcode": 406,\\n  "message": "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com,) - exception: cannot access/parse registry metadata for awsecr registry type - exception: \\\'registry_meta\\\'"\\n}\\n\'', 'anchore_error_json': {'detail': {'error_codes': []}, 'httpcode': 406, 'message': "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com,) - exception: cannot access/parse registry metadata for awsecr registry type - exception: 'registry_meta'"}}

How to reproduce the issue: Try to update a registry

zhill commented 3 years ago

Thanks @pbalogh-sa. Can you confirm if this is present in engine 0.9.0 as well?

pbalogh-sa commented 3 years ago

The bug is present in engine 0.9.0 as well.

version:

Engine DB Version: 0.0.14
Engine Code Version: 0.9.0

The response was the same:

Error: cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://602401143452.dkr.ecr.eu-west-2.amazonaws.com,) - exception: cannot access/parse registry metadata for awsecr registry type - exception: 'registry_meta'
HTTP Code: 406
Detail: {'error_codes': []}

zhill commented 3 years ago

Thanks @pbalogh-sa for following up

zhill commented 3 years ago

@pbalogh-sa are you giving a Docker username/password there for an ECR registry? For ECR you can use an access key and secret key or give it an IAM role to use. Options are detailed here: https://engine.anchore.io/docs/usage/cli_usage/registries/ecr_configuration/. Which method are you using? That will help with triage and debugging.

zhill commented 3 years ago

This appears to be specific to the awsecr type. I don't see this behavior against DockerHub or other credential types.

pbalogh-sa commented 3 years ago

I added the awsecr type registry using aws access key and secret access key.

anchore-cli registry add --registry-type awsecr xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com AWS_ACCESS_KEY AWS_SECRET_ACCESS_KEY

After it, I tried to update using the access key and secret access key again:

anchore-cli registry update --registry-type awsecr xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com AWS_ACCESS_KEY AWS_SECRET_ACCESS_KEY

zhill commented 3 years ago

@pbalogh-sa thanks, I'll target this for the next release after 0.9.1; it's too late to make that release. Until then, can you remove and then re-add the new credential?

zhill commented 3 years ago

This isn't going to make 0.9.2; I'm going to re-target it for the next release after that.