How to set up Gitlab's insecure container registry?

I’m trying to configure a self-hosted gitlab-ce Docker container on localhost.

Gitlab runs fine, but I have a problem with the insecure container registry.

My Gitlab build fails when trying to login to the container repository.

I’m working on Windows 10 OS.

This is my gitlab-ci.yml configuration:

stages:
  - prepare

build-my-image:
  image: docker:19.03.14
  services:
    - name: docker:19.03.14-dind
      alias: docker
      command: ["--tls=false", "--insecure-registry=registry.domain.com:5000"]
  stage: prepare
  tags:
    - docker
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
    GIT_STRATEGY: none
    GIT_CURL_VERBOSE: 1
    GIT_TRACE: 1
  before_script:
    - docker info
  script:
      - echo $CI_REGISTRY_USER
      - echo $CI_REGISTRY_PASSWORD
      - echo $CI_REGISTRY
      - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

I have added the address and IP mapping to /etc/hosts:

127.0.0.1 gitlab.domain.com
127.0.0.1 registry.domain.com

Later, I have modified docker daemon.json for insecure registry:

{
 "builder": {
  "gc": {
   "defaultKeepStorage": "20GB",
   "enabled": true
  }
 },
 "insecure-registries": [
    "registry.domain.com:5000"
 ],
 "experimental": false
}

In the gitlab.rb config, I have set the following parameters:

external_url 'http://gitlab.domain.com'
registry_external_url 'http://registry.domain.com'

### Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_port'] = "5000"
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"

And this is Gitlab’s Runner config:

concurrent = 1
check_interval = 0
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "Gitlab Runner"
  url = "http://gitlab.domain.com"
  extra_hosts = ["registry.domain.com:127.0.0.1"]
  id = 2
  token = "my-token"
  token_obtained_at = 2023-08-14T07:38:15Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "docker"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.docker]
    tls_verify = false
    image = "ruby:2.7"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0

These are my containers:

IMAGE     PORTS      NAMES
gitlab/gitlab-runner gitlab-runner
registry:2 0.0.0.0:5000->5000/tcp registry
gitlab/gitlab-ce:latest 0.0.0.0:22->22/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp gitlab

The error I got in the Gitlab build log is that I can’t connect to the container registry:

$ docker info
WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
Client:
 Debug Mode: false
Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.14
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: container_version
 runc version: runvc_version
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.15.90.1-microsoft-standard-WSL2
 Operating System: Alpine Linux v3.12 (containerized)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.719GiB
 Name: my_name
 ID:my_id
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  registry.domain.com:5000
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

$ echo $CI_REGISTRY_USER
gitlab-ci-token

$ echo $CI_REGISTRY_PASSWORD
[MASKED]

$ echo $CI_REGISTRY
registry.domain.com:5000

$ docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get http://registry.domain.com:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused
ERROR: Job failed: exit code 1

I should mention that I had mounted a volume for docker.sock like this:

docker run -d --name gitlab-runner --restart always -v C:\my_path_to\gitlab\runner\config:/etc/gitlab-runner -v //var/run/docker.sock:/var/run/docker.sock gitlab/gitlab-runner

Another interesting thing is that when I try to log in to the container repository from my computer’s command prompt, it says the login is successful even if I provide wrong credentials:

C:\Users\my_user\workspace\repository>docker login registry.domain.com:5000
Username: wrong+name
Password:
Login Succeeded

Maybe I configured DNS in /etc/hosts wrong. Can I solve it with only one address, e.g. gitlab.domain.com (no need for registry.domain.com)?

I have tried changing settings, but can’t get it working. Can somebody help me?

Hey there,

Yes, if you use a port for the registry, then both Gitlab and the Registry can be on the same domain.

Have you tried adding the port (5000) to your registry_external_url?

Also, if I am not mistaken, you do not need a second container for the Registry; it’s bundled with the Gitlab container. So try removing that one, and publish port 5000:5000 on your Gitlab container.
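As an added example (not code from either post above), the following Python script encodes the consistency rules this thread turns on and runs them over constructed copies of the question's gitlab.rb, daemon.json, runner extra_hosts, container port list and CI variables. It flags the missing port in registry_external_url that the answer points out, the extra_hosts entry that maps registry.domain.com to 127.0.0.1 (inside the dind service container that loopback is the container itself, which is what produces "dial tcp 127.0.0.1:5000: connect: connection refused"), the fact that port 5000 is published by a standalone registry:2 rather than the GitLab container (a registry:2 with no auth configured answers /v2/ without a challenge, so docker login reports "Login Succeeded" for any credentials), and the token passed with -p that the job log already warns about. The check identifiers and the parser are my own; the values are the poster's.

```python
"""Consistency checks for a self-hosted GitLab container registry.

Added example, not code from the original thread. All inputs below are
constructed copies of the values posted in the question.
"""
import json
from urllib.parse import urlparse

# Constructed inputs mirroring the poster's configuration.
GITLAB_RB = """
external_url 'http://gitlab.domain.com'
registry_external_url 'http://registry.domain.com'
### Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_port'] = "5000"
"""
DAEMON_JSON = '{"insecure-registries": ["registry.domain.com:5000"], "experimental": false}'
RUNNER_EXTRA_HOSTS = ["registry.domain.com:127.0.0.1"]
# image -> published host ports, taken from the `docker ps` listing in the question
PUBLISHED_PORTS = {"registry:2": [5000], "gitlab/gitlab-ce:latest": [22, 80, 443]}
CI_REGISTRY = "registry.domain.com:5000"
LOGIN_CMD = "docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY"


def parse_gitlab_rb(text):
    """Extract key/value settings from the Ruby-DSL style gitlab.rb (simple lines only)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '### Settings ...'
        if not line:
            continue
        if "=" in line:                       # gitlab_rails['registry_port'] = "5000"
            key, value = line.split("=", 1)
        else:                                 # external_url 'http://...'
            key, _, value = line.partition(" ")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_registry_setup(gitlab_rb, daemon_json, extra_hosts, published_ports, ci_registry, login_cmd):
    """Return a list of (check_id, message) findings; an empty list means the pieces agree."""
    findings = []
    settings = parse_gitlab_rb(gitlab_rb)
    reg_url = urlparse(settings.get("registry_external_url", ""))
    ci_host, _, ci_port = ci_registry.partition(":")
    ci_port = int(ci_port) if ci_port else 80

    # 1. The URL GitLab advertises must carry the port clients are told to use (CI_REGISTRY).
    if reg_url.port != ci_port:
        findings.append(("registry_url_port",
            f"registry_external_url has port {reg_url.port} but CI_REGISTRY uses {ci_port}; "
            f"set registry_external_url '{reg_url.scheme}://{reg_url.hostname}:{ci_port}'"))

    # 2. Plain-HTTP access only works if the daemon lists exactly host:port as insecure.
    insecure = json.loads(daemon_json).get("insecure-registries", [])
    if ci_registry not in insecure:
        findings.append(("insecure_registry",
            f"{ci_registry} is missing from insecure-registries {insecure}"))

    # 3. An extra_hosts entry pointing at 127.0.0.1 resolves to the job container's own loopback.
    for entry in extra_hosts:
        host, _, ip = entry.rpartition(":")
        if host == ci_host and ip.startswith("127."):
            findings.append(("loopback_extra_host",
                f"{entry}: inside a container 127.0.0.1 is the container itself, so connecting "
                f"to {ci_registry} is refused; map the host's reachable IP instead"))

    # 4. The registry port should be served by the GitLab container (bundled registry with auth).
    serving = [img for img, ports in published_ports.items() if ci_port in ports]
    if not any(img.startswith("gitlab/gitlab-ce") for img in serving):
        findings.append(("port_not_on_gitlab",
            f"port {ci_port} is published by {serving or 'nothing'}, not by the GitLab container"))

    # 5. A token passed with -p shows up in process lists and job logs.
    if " -p " in login_cmd or "--password " in login_cmd:
        findings.append(("password_on_cli",
            'use: echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" '
            '--password-stdin "$CI_REGISTRY"'))
    return findings


if __name__ == "__main__":
    for check_id, message in check_registry_setup(
            GITLAB_RB, DAEMON_JSON, RUNNER_EXTRA_HOSTS, PUBLISHED_PORTS, CI_REGISTRY, LOGIN_CMD):
        print(f"[{check_id}] {message}")
```

Running it against the posted values reports four findings (the registry URL port, the loopback extra_hosts entry, the port being served by registry:2, and the -p login); only the insecure-registries entry already agrees with CI_REGISTRY. Changing registry_external_url to include :5000 clears the first finding.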