Unable to log in to container registry

I have Container Registry enabled on my Gitlab installation, and when I navigate to a project, I am prompted to run docker login registry.gitlab.mydomain.com. Here is the output from running that command:

$ docker login registry.gitlab.mydomain.com/                                                                                                                                           
Username: tgrosinger
Error response from daemon: Get https://registry.gitlab.mydomain.com/v2/: Get https://gitlab.mydomain.comjwt/auth?account=tgrosinger&client_id=docker&offline_token=true&service=container_registry: dial tcp: lookup gitlab.mydomain.comjwt on no such host

When I curl this URL manually, but insert a “/” in between “mydomain.comjwt” I get a very different (and seemingly more functional) response.

Where is this request URL coming from and why is it missing a slash? I have tried adding a trailing slash to my configured registry_external_url in /etc/gitlab/gitlab.rb however that had no effect.

I originally posted this in the issue tracker, but I think it might belong here more.

Details of my Gitlab Configuration
System information
System:         Ubuntu 16.04
Current User:   git
Using RVM:      no
Ruby Version:   2.3.5p376
Gem Version:    2.6.13
Bundler Version:1.13.7
Rake Version:   12.3.0
Redis Version:  3.2.11
Git Version:    2.13.6
Sidekiq Version:5.0.4
Go Version:     unknown

GitLab information
Version:        10.3.0
Revision:       fd9dd4c
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            http://gitlab.mydomain.com
HTTP Clone URL: http://gitlab.mydomain.com/some-group/some-project.git
SSH Clone URL:  git@gitlab.mydomain.com:some-group/some-project.git
Using LDAP:     no
Using Omniauth: no

GitLab Shell
Version:        5.10.2
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git

I am seeing the following in the /var/log/registry/current logs when I make a login request from my Docker client:

2017-12-28_23:50:12.36125 time="2017-12-28T15:50:12.36117334-08:00" level=warning msg="error authorizing context: authorization token required" environment=production go.version=go1.8.1 http.request.host=registry.gitlab.mydomain.com http.request.id=cd95aebd-384c-420f-ad2c-915598ad72f0 http.request.method=GET http.request.remoteaddr= http.request.uri="/v2/" http.request.useragent="docker/17.09.1-ce go/go1.8.3 git-commit/19e2cf6 kernel/4.4.0-101-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.09.1-ce \\(linux\\))" instance.id=223fe576-0366-4e73-a8b4-52e41a573a0e service=registry version=v2.6.2-2-g91c17ef
2017-12-28_23:50:12.36137 - - [28/Dec/2017:15:50:12 -0800] "GET /v2/ HTTP/1.0" 401 87 "" "docker/17.09.1-ce go/go1.8.3 git-commit/19e2cf6 kernel/4.4.0-101-generic os/linux arch/amd64 UpstreamClient(Docker-Client/17.09.1-ce \\(linux\\))"

This seems to indicate that it knows about the correct domain that I am requesting. I am not sure where that missing slash is coming from.

Edit: Digging through the logs a little more, I can see that the request is making it through nginx on port 443 to the registry which is listening on localhost:5000. The registry is what outputs the log message above. I am not sure why from here it fails to connect to gitlab which is running locally.

I managed to get this working, but it required manually editing /var/opt/gitlab/registry/config.yml. Specifically, I needed to change the auth.token.realm to use https instead of http.

What setting do I need to modify in my /etc/gitlab/gitlab.rb to make this change unnecessary so it isn’t reverted next time I reconfigure?

Had a similar issue. Got auth.token.realm to configure correctly by setting the external_url to https in the gitlab.rb file. Take note this will require that you setup Gitlab for https using TLS certs and all that.

1 Like

I had the same problem, and found a more permanent solution without having Gitlab itself configure https.

registry['token_realm'] = "https://gitlab.example.com"
to your gitlab.rb file solved it for me.

How i found it:
In the Omnibus gitlab i found this: files/gitlab-cookbooks/registry/templates/default/registry-config.yml.erb · master · GitLab.org / omnibus-gitlab · GitLab
Using the variable token_realm i found this: files/gitlab-cookbooks/gitlab/libraries/registry.rb · master · GitLab.org / omnibus-gitlab · GitLab

Which shows that Gitlab indeed uses the external URL (which for me is the default). It can be manually overwritten easily.