Troubleshoot Replicated Proxy Service

This guide will help you troubleshoot issues related to the Replicated Proxy Service. Follow these steps to identify and resolve common problems.

1. Verify Registry Configuration

First, ensure that the registry endpoint is correctly configured via Vendor Portal or with Replicated CLI

replicated registry ls

Expected output:

PROVIDER     ENDPOINT                                             AUTHTYPE
ecr          193516486740.dkr.ecr.ap-southeast-2.amazonaws.com    accesskey

If the output doesn’t show the expected registry, review your Replicated configuration.

2. Test Registry Authentication

Verify that the authentication configuration is correct:

replicated registry test <registry> --image <image>

Successful authentication:

Registry connection appears ok

Failed authentication:

Registry connection failed with status 401

3. Inspect Image from Private Registry

Use skopeo or your preferred container images CLI to inspect the image directly from the private registry:

skopeo inspect docker://193516486740.dkr.ecr.ap-southeast-2.amazonaws.com/<image> | jq

Sample output:

{
  "Name": "193516486740.dkr.ecr.ap-southeast-2.amazonaws.com/gerard",
  "Digest": "sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0",
  "RepoTags": [
    "latest"
  ],
  "Created": "2024-01-27T00:30:48.743965523Z",
  "DockerVersion": "20.10.23",
  "Labels": null,
  "Architecture": "amd64",
  "Os": "linux",
  "Layers": [
    "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8"
  ],
  "LayersData": [
    {
      "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "Digest": "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8",
      "Size": 3408729,
      "Annotations": null
    }
  ],
  "Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  ]
}

Ensure that the required image tag is available in the JSON output.

4. Test image pull via Replicated Proxy

Finally, test pulling the image by connecting to the Replicated Proxy directly.

Get the registry credential username:password from existing secret in Kubernetes. The secret should be of type kubernetes.io/dockerconfigjson with naming convention of <app-slug>-registry

export APP_SLUG=<your_app_slug>
export REGISTRY=<proxy.replicated.com OR custom domain>
export CREDS=$(kubectl get secret $APP_SLUG-registry -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d | jq -r ".auths[\"$REGISTRY\"].auth" | base64 -d)

Test image pull with ctr

sudo ctr images pull -u $CREDS $REGISTRY/proxy/$APP_SLUG/<image:tag>

Successful pull sample output:

proxy.replicated.com/proxy/<app-slug>/193516486740.dkr.ecr.ap-southeast-2.amazonaws.com/<image:tag>: resolved       |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:b99dff2e6b5e90260534efc6eb8bda6001859cb350e6c24067c505616a61afcf:                                done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:6e32ae02d1e8c4aa6a8c7439c9cd430db50bc38ac7aff32ebc87c8ca36272ac1:                                  done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:cbc47022ee338ad066c7bafa3d0647a8104564403053dd9e624a970a6099bf4b:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f1c1bc08e5d6f5cdcd4a360e22c4eb32353dba076fd66cf0bfab630b240fe34f:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0f2184fe5ad83d7f98704f5183454666c6cd05babea1f8ed9cd0df84dae2c41d:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:344197a120544316a0a53414d55e7485b4c58ecbe3e92ca7a3f4f532eafc9e40:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1558431db48b9fa26098243bff8b8f8e02c05efd7027dee46580daa823b9d6bf:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c999b5bed5bfb843496c389c1e5564f6f4d32f6b226698e4b4498265f5d99e12:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f6b6ea6fa830cc548cce4e367920e1d2f097506b35f439b33f45340699c005de:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:68554efeeace362e2063b001923a87c77ea467cf46e76d21d6b04ce12d8273e2:                                   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:5bacf9fa5da05433596827d36351bb69194de4387cc926c8824eeff67191c873:                                   done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 10.6s                                                                                                   total:  46.0 M (4.3 MiB/s)
unpacking linux/amd64 sha256:b99dff2e6b5e90260534efc6eb8bda6001859cb350e6c24067c505616a61afcf...
done: 4.18518749s

Alternatively, use skopeo to download the image locally:

skopeo copy --src-creds $CREDS docker://$REGISTRY/proxy/$APP_SLUG/<image:tag> docker-archive:<image_name>

Successful download sample output:

Getting image source signatures
Copying blob c158987b0551 done   |
Copying blob 68554efeeace done   |
Copying blob c999b5bed5bf done   |
Copying blob cbc47022ee33 done   |
Copying blob 0f2184fe5ad8 done   |
Copying blob 1558431db48b done   |
Copying blob f6b6ea6fa830 done   |
Copying blob f1c1bc08e5d6 done   |
Copying blob 344197a12054 done   |
Copying blob 5bacf9fa5da0 done   |
Copying config 6e32ae02d1 done   |
Writing manifest to image destination

If you encounter persistent issues after following these steps, please contact Replicated support and provide the outputs from these commands for further assistance.