Set up Container Registry Help

Hello,
I have GitLab installed on my server ‘Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-169-generic x86_64)’.
I installed via ‘apt install gitlab-ee’.
I have been asked to set up Container Registry so that our developer team can manage the docker solutions they create.
I have read through instructions at GitLab container registry | GitLab but I do not get any options in my projects or groups for the registry.
I am using a self signed certificate.
Here is what I have for my gitlab.rb

### /etc/gitlab/gitlab.rb

external_url 'http://10.2.3.221'

### Email Settings
 gitlab_rails['smtp_enable'] = true
 gitlab_rails['smtp_address'] = "smtp.mydomain.local"
 gitlab_rails['smtp_port'] = 25
 gitlab_rails['smtp_domain'] = "mydomain.local"
 gitlab_rails['smtp_tls'] = false
 gitlab_rails['smtp_pool'] = false
 gitlab_rails['smtp_openssl_verify_mode'] = 'none'
 gitlab_rails['gitlab_email_from'] = 'gitlab_no-reply@mydomain.local'
 gitlab_rails['gitlab_email_display_name'] = 'GitLab_No-Reply'
 gitlab_rails['gitlab_email_reply_to'] = 'gitlab_no-reply@mydomain.local'

### Registry Settings
registry_external_url 'https://10.2.3.221'

gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "10.2.3.221"

registry['enable'] = true
registry['registry_http_addr'] = "localhost:5000"
registry['log_directory'] = "/var/log/gitlab/registry"
registry['env_directory'] = "/opt/gitlab/etc/registry/env"
registry_nginx['enable'] = true
registry_nginx['listen_port'] = 443
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/10.2.3.221.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/10.2.3.221.key"

I am running gitlab in a docker container and I just had to add the following line and it gave me the options. The same should be for ‘omnibus’ installations.

registry_external_url 'https://gitlab.example.com:5050'

You should only really need that other stuff if the registry is running on a different server. Is that the case or is it running on the same gitlab instance?


@jesse.cain Were you able to try my solution?

From your configuration it seems like you are running the registry on the same server as the rest of GitLab. You shouldn’t have to add any other configuration than the line below. Make sure to add the specified port to it!

### Registry Settings
registry_external_url 'https://10.2.3.221:5050'

I did try it and still do not get any options for it under groups or projects. If I check the enabled features in the admin dashboard it shows enabled.

I go through docker compose for my instance; here is the configuration through that. It’s basically lines that are then passed to overwrite a default gitlab.rb. You can see that really the only thing that I changed was the registry_external_url to enable it, since I use a cert that is a wildcard for *.mattfody.dev

    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.com'
        registry_external_url 'https://gitlab.example.com:5050'
        nginx['redirect_http_to_https'] = true
        letsencrypt['enable'] = false
        postgresql['enable'] = false
        gitlab_rails['db_adapter'] = 'postgresql'
        gitlab_rails['db_encoding'] = 'utf8'
        gitlab_rails['db_database'] = $GITLAB_DB_NAME
        gitlab_rails['db_username'] = $GITLAB_DB_USER
        gitlab_rails['db_password'] = $GITLAB_DB_PASS
        gitlab_rails['db_host'] = $GITLAB_DB_IP
        gitlab_rails['db_port'] = $GITLAB_DB_PORT
        postgresql['version'] = 14
        gitlab_rails['gitlab_shell_ssh_port'] = $SSH_PORT

Here is a default list of the registry info; like I mentioned, everything is commented out by default.

root@gitlab:/# cat /etc/gitlab/gitlab.rb | grep registry
# gitlab_rails['gitlab_default_projects_features_container_registry'] = true
#    "SKIP" => "db,uploads,repositories,builds,artifacts,lfs,registry,pages"
##! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html
# registry_external_url 'https://registry.example.com'
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "registry.gitlab.example.com"
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
# gitlab_rails['registry_notification_secret'] = nil
# gitlab_rails['registry_api_url'] = "http://127.0.0.1:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
# registry['enable'] = true
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['registry_http_addr'] = "127.0.0.1:5000"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
# registry['env'] = {
# registry['log_level'] = "info"
# registry['log_formatter'] = "text"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
# registry['health_storagedriver_enabled'] = true
# registry['middleware'] = nil
# registry['storage_delete_enabled'] = true
# registry['validation_enabled'] = false
# registry['autoredirect'] = false
# registry['compatibility_schema1_enabled'] = false
# registry['database'] = nil
###! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html#configure-storage-for-the-container-registry
# registry['storage'] = {
###! Docs: https://docs.gitlab.com/ee/administration/packages/container_registry.html?tab=Linux+package+%28Omnibus%29#configure-a-metadata-database-for-the-container-registry
# registry['database'] = {
#   'dbname' => 'registry',
# registry['notifications'] = [
### Default registry notifications
# registry['default_notifications_timeout'] = "500ms"
# registry['default_notifications_threshold'] = 5
# registry['default_notifications_backoff'] = "1s"
# registry['default_notifications_headers'] = {}
# this "Registry NGINX" section, using the key `registry_nginx`.  However, those
# `registry_nginx['some_setting']` and should be set separately.
# registry_nginx['enable'] = false
# registry_nginx['proxy_set_headers'] = {
# When the registry is automatically enabled using the same domain as `external_url`,
# registry_nginx['listen_port'] = 5050
# gitlab_rails['geo_secondary_registry_consistency_worker'] = "* * * * *"
# gitlab_rails['geo_registry_replication_enabled'] = true
# gitlab_rails['geo_registry_replication_primary_api_url'] = 'https://example.com:5050'

Another thing to check would possibly be the firewall? If you are blocking the port maybe that is causing an issue? But that is just a bit of a guess.

There is no firewall, and I would still expect to be able to see the available images and the setting selections described in the instructions to be present.
From the docs:
On the left sidebar, select Search or go to and find your project or group.
For:
  • A group, select Operate > Container Registry.
  • A project, select Deploy > Container Registry.

Also there is no option described regarding the setting of permissions to the registry.

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Settings > General.
  3. Expand the section Visibility, project features, permissions.
  4. Under Container Registry, select an option from the dropdown list:
    • Everyone With Access (Default): The container registry is visible to everyone with access to the project. If the project is public, the container registry is also public. If the project is internal or private, the container registry is also internal or private.
    • Only Project Members: The container registry is visible only to project members with at least the Reporter role. This visibility is similar to the behavior of a private project with Container Registry visibility set to Everyone With Access.
  5. Select Save changes.

Here are some comments and concerns about the configuration you posted.

# this conflicts with other lines in the config, host and port
registry['registry_http_addr'] = "localhost:5000"

# this would block or be blocked by the website using this port, should use 5000 or some other port
registry_nginx['listen_port'] = 443

# gitlab assumes these if using the same host
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/10.2.3.221.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/10.2.3.221.key"

Are you able to share your configuration again if there have been any other changes?

So are you saying that registry['registry_http_addr'] = and registry_nginx['listen_port'] = are the same setting in two different syntaxes? Is there a post missing from this thread or am I misunderstanding your statement? I did not post that my config contained registry_nginx['listen_port'] = 443. I do have the cert/key as shown; I have tried it both declared and assumed default without any difference. My current config (container registry still not working):

external_url 'http://10.2.3.221'

### Email Settings
 gitlab_rails['smtp_enable'] = true
 gitlab_rails['smtp_address'] = "smtp.mydomain.local"
 gitlab_rails['smtp_port'] = 25
 gitlab_rails['smtp_domain'] = "mydomain.local"
 gitlab_rails['smtp_tls'] = false
 gitlab_rails['smtp_pool'] = false
 gitlab_rails['smtp_openssl_verify_mode'] = 'none'
 gitlab_rails['gitlab_email_from'] = 'gitlab_no-reply@mydomain.local'
 gitlab_rails['gitlab_email_display_name'] = 'GitLab_No-Reply'
 gitlab_rails['gitlab_email_reply_to'] = 'gitlab_no-reply@mydomain.local'

### Registry Settings
registry_external_url 'https://10.2.3.221:5050'

The registry['registry_http_addr'] and the registry_nginx['listen_port'] are two different things; I was just making a comment that they were changed from the original and using a port that would block the website.

This was in your first post, 3rd line from the bottom of the code section. I thought that it was then part of your configuration that you were trying to run.

Here is what I have from the default gitlab.rb.

# registry['registry_http_addr'] = "127.0.0.1:5000"
# registry_nginx['listen_port'] = 5050

Are there any error messages seen during the gitlab-ctl reconfigure step?

I do not see that I posted that (registry_nginx['listen_port'] = 443) but I don’t want to get bogged down on that issue.
I do not see any errors during reconfigure.
Here is the output from when it runs the recipe for registry:
Recipe: registry::enable

  • directory[create /var/opt/gitlab/registry] action create (up to date)
  • account[Docker registry user and group] action create
    • group[Docker registry user and group] action create (up to date)
    • linux_user[Docker registry user and group] action create (up to date)
      (up to date)
  • directory[create /var/opt/gitlab/registry and set the owner] action create (up to date)
  • directory[/var/log/gitlab/registry] action create (up to date)
  • env_dir[/opt/gitlab/etc/registry/env] action create
    • directory[/opt/gitlab/etc/registry/env] action create (up to date)
    • file[/opt/gitlab/etc/registry/env/SSL_CERT_DIR] action create (up to date)
      (up to date)
  • directory[/data/gitlab/git-data/repositories/containers] action create (up to date)
  • file[/var/opt/gitlab/registry/gitlab-registry.crt] action create (up to date)
  • template[/var/opt/gitlab/registry/config.yml] action create (up to date)
  • service[registry] action nothing (skipped due to action :nothing)
  • runit_service[registry] action enable
    • ruby_block[restart_service] action nothing (skipped due to action :nothing)
    • ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
    • ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
    • directory[/opt/gitlab/sv/registry] action create (up to date)
    • template[/opt/gitlab/sv/registry/run] action create (up to date)
    • directory[/opt/gitlab/sv/registry/log] action create (up to date)
    • directory[/opt/gitlab/sv/registry/log/main] action create (up to date)
    • template[/opt/gitlab/sv/registry/log/config] action create (up to date)
    • ruby_block[verify_chown_persisted_on_registry] action nothing (skipped due to action :nothing)
    • link[/var/log/gitlab/registry/config] action create (up to date)
    • template[/opt/gitlab/sv/registry/log/run] action create (up to date)
    • directory[/opt/gitlab/sv/registry/env] action create (up to date)
    • ruby_block[Delete unmanaged env files for registry service] action run (skipped due to only_if)
    • template[/opt/gitlab/sv/registry/check] action create (skipped due to only_if)
    • template[/opt/gitlab/sv/registry/finish] action create (skipped due to only_if)
    • directory[/opt/gitlab/sv/registry/control] action create (up to date)
    • link[/opt/gitlab/init/registry] action create (up to date)
    • file[/opt/gitlab/sv/registry/down] action nothing (skipped due to action :nothing)
    • directory[/opt/gitlab/service] action create (up to date)
    • link[/opt/gitlab/service/registry] action create (up to date)
    • ruby_block[wait for registry service socket] action run (skipped due to not_if)
    • file[/var/log/gitlab/registry/current] action touch (skipped due to only_if)
      (up to date)
  • version_file[Create version file for Registry] action create
    • file[/var/opt/gitlab/registry/VERSION] action create (up to date)
      (up to date)

Here is the output if I run a sudo gitlab-ctl restart
ok: run: alertmanager: (pid 1422742) 1s
ok: run: gitaly: (pid 1422753) 0s
ok: run: gitlab-exporter: (pid 1422768) 0s
ok: run: gitlab-kas: (pid 1422790) 1s
ok: run: gitlab-workhorse: (pid 1422799) 0s
ok: run: logrotate: (pid 1422809) 0s
ok: run: nginx: (pid 1422815) 1s
ok: run: node-exporter: (pid 1422823) 0s
ok: run: postgres-exporter: (pid 1422830) 1s
ok: run: postgresql: (pid 1422840) 0s
ok: run: prometheus: (pid 1422849) 1s
ok: run: puma: (pid 1422860) 0s
ok: run: redis: (pid 1422865) 0s
ok: run: redis-exporter: (pid 1422872) 0s
ok: run: registry: (pid 1422878) 1s
ok: run: sidekiq: (pid 1422896) 0s

The reconfigure log in /var/log/gitlab/reconfigure/1704297728.log (latest) does not show any outstanding issues other than a bunch of modules that have: does not have a log_group or default logdir mode defined. Setting to 0700. as an entry but those are working so it doesn’t appear to be any real issue.

sudo cat /var/log/gitlab/registry/current gives me:
2024-01-03_16:09:32.73310 time="2024-01-03T16:09:32.733Z" level=info msg="attempting to stop server gracefully..." database_drain_timeout=0s http_drain_timeout=0s quit_signal=terminated
2024-01-03_16:09:32.73311 time="2024-01-03T16:09:32.733Z" level=info msg="graceful shutdown successful" database_drain_timeout=0s http_drain_timeout=0s quit_signal=terminated
2024-01-03_16:09:32.78614 time="2024-01-03T16:09:32.786Z" level=info msg="storage backend redirection enabled" environment=production go_version=go1.20.11 instance_id=201013ca-5f02-4fca-b846-5c6eccfd67d4 service=registry version=v3.87.0-gitlab
2024-01-03_16:09:32.78620 time="2024-01-03T16:09:32.786Z" level=info msg="using inmemory blob descriptor cache" environment=production go_version=go1.20.11 instance_id=201013ca-5f02-4fca-b846-5c6eccfd67d4 service=registry version=v3.87.0-gitlab
2024-01-03_16:09:32.78628 time="2024-01-03T16:09:32.786Z" level=info msg="Starting upload purge in 30m0s" environment=production go_version=go1.20.11 instance_id=201013ca-5f02-4fca-b846-5c6eccfd67d4 service=registry version=v3.87.0-gitlab
2024-01-03_16:09:32.78644 time="2024-01-03T16:09:32.786Z" level=info msg="listening on 127.0.0.1:5000" environment=production go_version=go1.20.11 instance_id=201013ca-5f02-4fca-b846-5c6eccfd67d4 service=registry version=v3.87.0-gitlab

So I am not seeing anything that shows an issue.

Can you SSH into the server running gitlab and tail the registry log file.

tail -f /var/log/gitlab/registry/current

Then open a web browser and navigate to your registry location https://10.2.3.221:5050. You should see a blank screen if everything is working. New lines should appear in the terminal after hitting that webpage if the registry is up and functioning correctly.

The new lines should be something like

2024-01-03_22:12:26.55049 {"content_type":"","correlation_id":"","duration_ms":0,"host":"gitlab.example.com:5050","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:36628","remote_ip":"127.0.0.1","status":200,"system":"http","time":"2024-01-03T22:12:26.550Z","ttfb_ms":0,"uri":"/","user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0","written_bytes":0}
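
An added example, not part of the original posts: a small Python parser for the two line formats that /var/log/gitlab/registry/current shows in this thread (logfmt startup lines and JSON access lines), reporting whether the registry is listening and whether a request for the external registry host reached it. The function names are assumptions made for the example, and the sample lines are shortened copies of the ones quoted above.

```python
import json
import re

# svlogd prefixes every line with its own timestamp, e.g. "2024-01-03_22:12:26.55049 ".
SVLOGD_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}\.\d+\s+")
# One logfmt pair: key=value or key="quoted value with spaces".
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Sample input: shortened copies of log lines quoted in the thread.
SAMPLE = [
    '2024-01-03_16:09:32.78644 time="2024-01-03T16:09:32.786Z" level=info '
    'msg="listening on 127.0.0.1:5000" environment=production service=registry',
    '2024-01-03_22:12:26.55049 {"host":"gitlab.example.com:5050","level":"info",'
    '"method":"GET","msg":"access","remote_ip":"127.0.0.1","status":200,"uri":"/"}',
]


def parse_line(line):
    """Return the fields of one registry log line as a dict (empty if unparseable)."""
    body = SVLOGD_PREFIX.sub("", line.strip())
    if body.startswith("{"):
        try:
            return json.loads(body)
        except json.JSONDecodeError:
            return {}
    return {key: value.strip('"') for key, value in LOGFMT_PAIR.findall(body)}


def check_registry(lines, external_host):
    """Report the registry listener and any access entries for external_host."""
    listen_addr = None
    hits = []
    for line in lines:
        rec = parse_line(line)
        msg = rec.get("msg", "")
        if msg.startswith("listening on "):
            listen_addr = msg[len("listening on "):]
        elif msg == "access" and rec.get("host") == external_host:
            hits.append((rec.get("method"), rec.get("uri"), rec.get("status")))
    return {
        "listening_on": listen_addr,
        "requests_seen": hits,
        # True only if the service started and NGINX proxied a request to it.
        "proxied_ok": bool(listen_addr and hits),
    }


if __name__ == "__main__":
    print(check_registry(SAMPLE, "gitlab.example.com:5050"))
```
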

Sorry to say but this whole thread may be moot. Just following the documents I was logged in as an administrator for the GitLab instance but not a member of any of the groups or projects using the site. I was able to add/remove people from projects and groups and make other changes to the site but I am a system administrator and not a consumer of the application. Even though I did not see the settings referred to in the documentation I decided to try and connect to the Image Registry from one of the Docker servers and received a permission denied. So after a bit of digging around to try and figure out why, I decided to make myself a member of a group and project, and after doing that and navigating to the project, lo and behold the required settings were available.
So the documentation should be updated to state that you must be a member of the group or project that you are trying to use with Image Registry in order to manage that registry regardless of any other access you have to the site.

@mattfody67 Thank you for your time. Not sure if you’ve heard the colloquialism “When we assume we make an ass out of u and me”… It appears that was my problem all along.
