How do I set up an insecure GitLab Container Registry on an instance of the GitLab Omnibus Docker Container?

Hi,

Maybe I’m doing the setup wrong, but I can’t seem to get the container registry to work. For some background, my GitLab server is not outward facing at all, but I’m hoping to make use of the container registry.

I guess to start, this is my docker-compose setup:

version: '3.7'

services:
    web:
        image: 'gitlab/gitlab-ce:latest'
        restart: always
        hostname: '10.1.1.13'
        environment:
            GITLAB_OMNIBUS_CONFIG: |
                external_url 'http://10.1.1.13'
                registry_external_url 'http://10.1.1.13:5000'
                # Add any other gitlab.rb configuration here, each on its own line
                gitlab_rails['smtp_enable'] = true
                gitlab_rails['smtp_address'] = "smtp.gmail.com"
                gitlab_rails['smtp_port'] = 587
                gitlab_rails['smtp_user_name'] = "email@gmail.com"
                gitlab_rails['smtp_password'] = "password"
                gitlab_rails['smtp_domain'] = "smtp.gmail.com"
                gitlab_rails['smtp_authentication'] = "login"
                gitlab_rails['smtp_enable_starttls_auto'] = true
                gitlab_rails['smtp_tls'] = false
                gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
                gitlab_rails['gitlab_email_from'] = 'email@gmail.com'
                gitlab_rails['gitlab_email_reply_to'] = 'email@gmail.com'
        ports:
            - '80:80'
            - '443:443'
            - '22:22'
            - '5000:5000'
        volumes:
            - '/docker/gitlab/config:/etc/gitlab'
            - '/docker/gitlab/logs:/var/log/gitlab'
            - '/docker/gitlab/data:/var/opt/gitlab'
            - '/docker/registry:/var/opt/gitlab/gitlab-rails/shared/registry'
        networks:
            - externalDockerBridgeNetwork

networks:
    externalDockerBridgeNetwork:
        external: true

According to this: https://docs.gitlab.com/ee/administration/container_registry.html#enable-the-container-registry
I only needed to configure a domain name as per the instructions here: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-domain-configuration
From there, of the two methods it offered, the method I chose was: https://docs.gitlab.com/ee/administration/container_registry.html#configure-container-registry-under-an-existing-gitlab-domain
and I added the line registry_external_url 'http://10.1.1.13:5000' to my docker-compose file under environment. I did not add the other two lines pertaining to the certificates because I planned to set up an insecure registry, and do not have a certificate.
I also got the volume in the docker-compose file: /docker/registry:/var/opt/gitlab/gitlab-rails/shared/registry from here: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-storage-path
I restarted with docker-compose down and docker-compose up -d afterwards.

Then, I followed this link: https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
and created a file named /etc/docker/daemon.json on my client machine and put this in it:

{
  "insecure-registries" : ["10.1.1.13:5000"]
}

From there, I restarted my daemon with sudo systemctl restart docker and tried docker login 10.1.1.13:5000
but I get this error: Error response from daemon: login attempt to http://10.1.1.13:5000/v2/ failed with status: 400 Bad Request

What am I doing wrong?

I get the sneaking suspicion that I’ve followed instructions to enable the feature on GitLab, but literally did nothing to set up and start a registry.

2 Likes

@weilun I am also in the same scenario and facing the same issue. Did you find any solution for this?

1 Like

Hello! I had the same situation and got it working somehow. What I did in docker-compose.yaml (including only the parts important for enabling the registry):

    gitlab:
        container_name: gitlab
        image: 'gitlab/gitlab-ce:13.7.3-ce.0'
        hostname: 'git.example.com'
...
        environment:
            GITLAB_OMNIBUS_CONFIG: |
...
                external_url 'http://git.example.com'
...
                registry_external_url 'http://registry.example.com'
                registry['enable'] = true
        volumes:
...
            - '/opt/gitlab/registry:/var/opt/gitlab/gitlab-rails/shared/registry'
...

Note that I use only http here because this container exposes no ports, but another container with nginx connects to it via the internal docker network and does TLS termination.

Then docker-compose up -d to restart gitlab with the new config.

And when the gitlab container had fully started I did docker exec gitlab gitlab-ctl reconfigure.

And I put 127.0.0.1 registry.example.com into /etc/hosts to allow using the name specified in the gitlab config env var.

After all that I could do docker login successfully using the url http://registry.example.com.

The core point here is running gitlab-ctl reconfigure inside the gitlab container and using a domain name for registry_external_url instead of an ip address, because it gets into gitlab’s nginx config.

docker exec gitlab cat /var/opt/gitlab/nginx/conf/gitlab-registry.conf:
...
server {
  listen *:80;
  server_name registry.example.com;
...
    proxy_pass          http://localhost:5000;
...

So this is how it works. When you do docker login it sends the server name in the http headers and nginx knows exactly that it needs to route the request to the docker container registry that is listening on port 5000 inside the gitlab container. And this way you can use the standard port for the docker container registry, which seems much better than using an additional port.

It might be useful to mention that after a successful docker login I could not do docker push, I was always getting some authentication error from docker push. So I had to add this to docker-compose.yaml (per GitLab Container Registry administration | GitLab):

    gitlab:
...
        environment:
            GITLAB_OMNIBUS_CONFIG: |
...
                registry_external_url 'http://registry.example.com'
                registry['enable'] = true
                registry['env'] = {
                  "REGISTRY_HTTP_RELATIVEURLS" => true
                }

and run docker-compose up -d and docker exec gitlab gitlab-ctl reconfigure again. After that I could do docker login and docker push.
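
A way to check the name-based routing described in the answer above, as an added example that is not part of the original posts: the function reads the headers printed by curl -si for the registry's /v2/ endpoint and reports whether the request reached the registry behind GitLab's nginx. The helper names (check_v2, sample_ok, sample_bad) and the sample replies are constructed for illustration, and the check assumes that a registry with GitLab token authentication answers an anonymous /v2/ request with 401 and a Bearer challenge.

```shell
#!/bin/sh
# Added example, not from the thread. Live use, with the name from the answer
# (resolved through the /etc/hosts entry it describes):
#   curl -si http://registry.example.com/v2/ | check_v2

# check_v2 (hypothetical helper): reads raw HTTP response headers on stdin
# and prints a one-line verdict.
check_v2() {
    awk '
        { sub(/\r$/, "") }                    # curl -i keeps CRLF line ends
        NR == 1 { status = $2; next }         # e.g. "HTTP/1.1 401 Unauthorized"
        /^$/    { exit }                      # blank line: end of headers
        tolower($1) == "www-authenticate:" {
            if (tolower($2) == "bearer") bearer = 1
            if (match($0, /realm="[^"]*"/))
                realm = substr($0, RSTART + 7, RLENGTH - 8)
        }
        END {
            if (status == "401" && bearer)
                print "registry reached, token realm: " realm
            else
                print "no registry token challenge (status " status ")"
        }
    '
}

# Constructed sample replies (not captured from a real server).
sample_ok() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'Www-Authenticate: Bearer realm="http://git.example.com/jwt/auth",service="container_registry"\r\n'
    printf '\r\n'
}
sample_bad() {
    printf 'HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
}

sample_ok  | check_v2
sample_bad | check_v2
```

The first verdict means nginx matched the server_name and proxied the request to the registry; the realm it prints is the URL docker login then contacts for its token, so it should sit under the external_url host.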