Adding IBM Cloud Docker Registry Feed fails with error in "RetrieveAuthenticationToken"

Hi,

I’m trying to configure an external Docker Feed from an IBM Cloud (Bluemix) private registry.
Following IBM’s guide for setting up a service account, I’ve created a “Bluemix Container Registry” token

I can log in with this successfully on the command line:

cat bluemix-token.txt | docker login -u token --password-stdin registry.eu-gb.bluemix.net

Screen Shot 2018-07-02 at 10.49.32.jpg1832×110 67.8 KB

But testing in Octopus gives an error:

Octopus v2018.5.6

Unable to retrieve authentication token required to perform operation.

System.Exception
   at Octopus.Core.Packages.Docker.DockerRegistryOAuthClient.RetrieveAuthenticationToken
   at Octopus.Core.Packages.Docker.DockerRegistryOAuthClient.GetAuthRequestHeader
   at Octopus.Core.Packages.Docker.DockerRegistryOAuthClient.Get

Screen Shot 2018-07-02 at 10.49.58.png2256×678 66.6 KB

This is using the configuration details as follows (in the same format as your AWS guide):

• URL: https://registry.eu-gb.bluemix.net
• Registry Path: [Left blank]
• Credentials:
  • Username: token
  • Password: <token_value>

I’m running Octopus version v2018.5.6 and I think IBM Cloud/Bluemix is running a v2 registry for Docker. I’ve checked the Octopus logs on the box, but can’t see any extra useful info being logged out, though it gives more of the stacktrace:

2018-07-02 11:44:58.2865   1816    265 ERROR  Unhandled error on request: ${OCTOPUS_INSTANCE_BASE_URL}/api/feeds/${OCTOPUS_EXTERNAL_FEED_ID}/packages/search?term=test&take=10 ${SOME_GUID} by ${MY_OCTOPUS_USERNAME} : Unable to retrieve authentication token required to perform operation.
System.Exception: Unable to retrieve authentication token required to perform operation.
   at Octopus.Core.Packages.Docker.DockerRegistryOAuthClient.<RetrieveAuthenticationToken>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Octopus.Core.Packages.Docker.DockerRegistryOAuthClient.<GetAuthRequestHeader>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Octopus.Core.Packages.Docker.DockerRegistryOAuthClient.<Get>d__4.MoveNext()

Please let me know if I can give any other useful details.

Hi Dave,
It sounds like something in the API reponse coming back from BlueMix is not what Octopus is expecting. We have had issues in the past, for example Proget v4.6.7, where the provider said they had implemented standard V2 Docker Registry API however had built something in-house that wasn’t quite compliant.

We don’t currently have a BlueMix account set up to test the connections to their repository however have put through a request. Hopefully ol’ Big Blue comes back soon with credentials so i can test through Octopus. If you have some temporary read-only credentials I can use I’d be happy to give those a try however I understand if that’s not possible.

Within Octopus we try to interact with the details provided directly over HTTPS so in the meantime we should be able to replicate some of it manually, either through the browser or a HTTP tool like PostMan:

1. Based on the URL you provided above could you first try load https://registry.eu-gb.bluemix.net/v2. You should get a 401 (Unauthorized) with a Www-Authenticate header with a value like Bearer realm="https://registry.eu-gb.bluemix.net/oauth/token",service="registry"
2. Take the details from this field and try to make another request. In my case this looks something like https://registry.eu-gb.bluemix.net/oauth/token?service=registry.
3. You will be prompted with a login. In my case I can go no further, but if you add your credentials you should get a token in the response.
4. Assuming you get the token above then you should be able to perform the above request again but this time adding a an authorization header in the HTTP request with this token Authorization: Bearer <token>.
5. If all goes well you should get a 200 response.

My apologies that the above steps are a little convoluted but as soon as I get some credentials ill give it a try myself. In the meantime ill also look at adding a but more logging to see if there is any more details that can be obtained from the responses.

Thanks for your patience,
Cheers
Rob

Hi Robert,

thanks for your reply and detailed explanation. I’m working with Dave and replying on his behave.

On step 3 submitting a user’s credentials, I get a bad request (400) with the following json response:

{
“errors”:[
{
“code”:“UNSUPPORTED”,
“message”:“The requested authentication method is not supported. Run the bx cr login command. To use registry tokens, use docker login -u token and your registry token as the password.”,
“detail”:“The requested authentication method is not supported. Run the bx cr login command. To use registry tokens, use docker login -u token and your registry token as the password.”
}
]
}

I’ll see if I can organize a read only account.

Thanks,
Danie