Hello all.
I am trying to enable GitLab’s Docker registry, but after several days of trying and failing I am hoping that someone here can help me.
I am running GitLab on a Debian machine, installed via Debian packages from the official repository, which has been running flawlessly for a long time. I am using Apache2 as a frontend proxy because I am also running other web services on the same machine. I have therefore completely disabled nginx in GitLab. I am using a self-signed SSL certificate for https, and user authentication is done via an LDAP connection to my Windows AD server. This setup is working well. Getting the Docker Registry to work, though, is not going so well.
My GitLab URL is gitlab.mydomain.com, and I am using docker.mydomain.com (these are not the real domains, of course) for the registry just because I’ve gotten the impression that it would be easier to configure if they didn’t have the same URL.
Problem symptoms:
In the GUI:
I do not get a “Container Registry” entry under “Deploy”, and the “Settings | General” page gives error 500 for every project as long as gitlab_rails['registry_enabled'] is set to true.
On the command line on the same machine:
$ docker login localhost:5000
User: myname
Password: mypass
Error response from daemon: Get "http://localhost:5000/v2/": received unexpected HTTP status: 500 Internal Server Error
On the command line from a remote machine on the same LAN:
$ docker login docker.mydomain.com
User: myname
Password: mypass
Error response from daemon: Get "https://docker.mydomain.com/v2/": received unexpected HTTP status: 500 Internal Server Error
Using invalid credentials gives “Unauthorized”, so the authentication mechanism seems to be working.
Here are the log entries for the registry when I give correct credentials:
2024-11-13_13:30:30.06096 time="2024-11-13T14:30:30.060+01:00" level=info msg="router info" config_http_addr="localhost:5000" config_http_host= config_http_net= config_http_prefix= config_http_relative_urls=false correlation_id=01JCJVFT9CV6CBD78FS65NHEDM environment=production go_version=go1.22.7 instance_id=25cbd535-af4f-4b65-ae3b-7f43f1ff8b06 method=GET path=/v2/ root_repo= router=gorilla/mux service=registry version=v4.10.0-gitlab
2024-11-13_13:30:30.06120 {"content_type":"application/json","correlation_id":"01JCJVFT9CV6CBD78FS65NHEDM","duration_ms":0,"host":"docker.mydomain.com","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:34870","remote_ip":"127.0.0.1","status":401,"system":"http","time":"2024-11-13T14:30:30.061+01:00","ttfb_ms":0,"uri":"/v2/","user_agent":"docker/27.3.1 go/go1.22.7 git-commit/41ca978 kernel/6.1.0-26-amd64 os/linux arch/amd64 UpstreamClient(Docker-Client/27.3.1 \\(linux\\))","written_bytes":87}
I believe it must be a clue that the Docker application gives error 500 while the log file says error 401, but I do not know what (if anything) it implies.
This is the current config I am using to try to get the Docker Registry to work:
/etc/gitlab/gitlab.rb:
registry_external_url 'https://docker.mydomain.com'
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "docker.mydomain.com"
gitlab_rails['registry_port'] = "5000"
gitlab_rails['registry_api_url'] = "http://127.0.0.1:5000"
registry['enable'] = true
registry['registry_http_addr'] = "127.0.0.1:5000"
registry['rootcertbundle'] = "/etc/ssl/certs/ca-certificates.crt"
registry['internal_certificate'] = "/etc/gitlab/ssl/gitlab.mydomain.com.crt"
registry['internal_key'] = "/etc/gitlab/ssl/gitlab.mydomain.com.key"
nginx['enable'] = false
/etc/apache2/sites-enabled/docker.conf:
<VirtualHost docker.mydomain.com:80>
ServerName docker.mydomain.com
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost docker.mydomain.com:443>
ServerName docker.mydomain.com
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
SSLCompression Off
SSLCertificateFile /etc/ssl/certs/gitlab.mydomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/gitlab.mydomain.com.key
SSLCACertificateFile /etc/ssl/certs/ca.mydomain.com.crt
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
Header set Host "docker.mydomain.com"
<Location />
Require all granted
ProxyPass http://127.0.0.1:5000/
ProxyPassReverse http://127.0.0.1:5000/
</Location>
Header always set Docker-Distribution-Api-Version "registry/2.0"
RequestHeader set X_FORWARDED_PROTO 'https'
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/docker_error.log
CustomLog /var/log/apache2/docker_forwarded.log common_forwarded
CustomLog /var/log/apache2/docker_access.log combined env=!dontlog
CustomLog /var/log/apache2/docker.log combined
</VirtualHost>
(The Apache file for gitlab.mydomain.com is based on an example from the GitLab pages, and is obviously working, so I am not showing it here.)
I am really stumped. I have been searching the web for help and examples, trying almost every combination of settings I can come up with. I’ve tried disabling the Apache server and relying on nginx instead. I’ve tried using an external registry container and pointing GitLab to it. But nothing works. Sometimes, though, I DO get a “Container Registry” entry under the “Deploy” menu, but that page always gives error 500 just like for the “Settings | General” page. Unfortunately, I haven’t been able to figure out exactly what I am doing to make it appear.
I would really appreciate any help, even just a nudge in the right direction. This is very frustrating, because it seems like this should be such an easy thing to do.
Thanks.
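Added example, not part of the original post: a small parser for the two registry log encodings quoted above (logfmt and JSON after a timestamp prefix) that pulls out the per-request access entries and labels the status the registry itself returned. Under the registry's token authentication a 401 on /v2/ is the normal challenge that sends the client on to the token endpoint, so a registry log holding only that 401 means a 500 seen by the client was produced by a different hop. The function names and the abridged sample lines are assumptions made for this illustration.

```python
import json
import shlex

# Two registry log lines abridged from the post above: a timestamp prefix
# followed by either logfmt (key=value) or a JSON object.
SAMPLE_LOG = [
    '2024-11-13_13:30:30.06096 time="2024-11-13T14:30:30.060+01:00" level=info '
    'msg="router info" config_http_addr="localhost:5000" config_http_host= '
    'correlation_id=01JCJVFT9CV6CBD78FS65NHEDM method=GET path=/v2/ service=registry',
    '2024-11-13_13:30:30.06120 {"correlation_id":"01JCJVFT9CV6CBD78FS65NHEDM",'
    '"host":"docker.mydomain.com","level":"info","method":"GET","msg":"access",'
    '"remote_ip":"127.0.0.1","status":401,"uri":"/v2/"}',
]

def parse_line(line):
    """Return the record as a dict, whichever of the two encodings the line uses."""
    _, _, body = line.partition(" ")  # drop the leading timestamp prefix
    body = body.strip()
    if body.startswith("{"):
        return json.loads(body)
    record = {}
    for token in shlex.split(body):  # shlex keeps msg="router info" as one token
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record

def access_records(lines):
    """Keep only the per-request access entries, keyed by correlation_id."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("msg") == "access":
            out[rec["correlation_id"]] = (rec["method"], rec["uri"], int(rec["status"]))
    return out

def classify(method, uri, status):
    """Say what a registry-side status means in the token-auth handshake."""
    if status == 401 and uri.rstrip("/") == "/v2":
        return "challenge"       # normal first step: the client must now fetch a token
    if status >= 500:
        return "registry-error"  # the registry process itself failed the request
    return "other"

if __name__ == "__main__":
    for cid, (method, uri, status) in access_records(SAMPLE_LOG).items():
        print(cid, method, uri, status, classify(method, uri, status))
```
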