Use GitLab Registry as a Registry Mirror for the Runner

Hi,

We have been running GitLab for a while now without any issues regarding the Docker Runners. But recently we ran into Docker Hub's rate limits. I discussed with my colleague what our options are. We came up with the idea to use our GitLab Registry as a Registry Mirror. This could reduce any overhead that we might have with all other solutions - so we wanted to give it a shot.

So our setup is pretty simple:

We are running GitLab and the GitLab Runner as Docker containers. I then configured the Registry Mirror on the host system as described here: Registry as a pull through cache | Docker Documentation.

cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.example.com"]
}

After that it was a matter of restarting Docker and then verifying it with the following command:

docker info
[...]
Registry Mirrors:
 https://registry.example.com/

Looks like everything is in order.

I spun up docker logs -f gitlab to see any possible logs regarding the registry and did a docker pull node:latest. As expected everything worked.

Now here is the actual problem: If I use a Docker image in the CI/CD pipeline, I can see that pulling the image failed due to an unauthorized request.

==> /var/log/gitlab/gitlab-rails/production.log <==

Started GET "/jwt/auth?scope=repository%3Alibrary%2Fnode%3Apull&service=container_registry" for <ip> at 2021-02-04 07:12:39 +0000

Processing by JwtController#auth as HTML

Parameters: {"scope"=>"repository:library/node:pull", "service"=>"container_registry"}

Completed 403 Forbidden in 24ms (Views: 0.4ms | ActiveRecord: 1.8ms | Elasticsearch: 0.0ms | Allocations: 6107)

I would love to hear what you guys think about my approach.
Thanks a lot for your time.

  • tuna
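
The log excerpt in the post shows the token endpoint being asked for the scope repository:library/node:pull and answering 403. The following is an added example, not part of the original post: it pairs each /jwt/auth request in a production.log excerpt with its response status and decodes the requested scope, so rejected pulls can be listed per repository. It assumes the lines of one request are not interleaved with other requests; the function names and the sample log are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the excerpt in the post: the client address is a
# documentation IP and the second (successful) request is invented for contrast.
SAMPLE_LOG = """\
Started GET "/jwt/auth?scope=repository%3Alibrary%2Fnode%3Apull&service=container_registry" for 192.0.2.10 at 2021-02-04 07:12:39 +0000
Processing by JwtController#auth as HTML
  Parameters: {"scope"=>"repository:library/node:pull", "service"=>"container_registry"}
Completed 403 Forbidden in 24ms (Views: 0.4ms | ActiveRecord: 1.8ms | Elasticsearch: 0.0ms | Allocations: 6107)
Started GET "/jwt/auth?scope=repository%3Agroup%2Fapp%3Apull%2Cpush&service=container_registry" for 192.0.2.10 at 2021-02-04 07:13:02 +0000
Processing by JwtController#auth as HTML
Completed 200 OK in 31ms (Views: 0.3ms | ActiveRecord: 2.0ms | Allocations: 5980)
"""

STARTED = re.compile(r'^Started GET "(?P<url>/jwt/auth[^"]*)" for (?P<client>\S+) at (?P<ts>.+)$')
COMPLETED = re.compile(r'^Completed (?P<status>\d{3}) ')

def parse_scope(scope):
    """Split a registry token scope 'type:name:actions' into its parts."""
    kind, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)  # the name itself may contain ':' (host:port)
    return {"type": kind, "name": name, "actions": actions.split(",")}

def jwt_auth_requests(log_text):
    """Pair each /jwt/auth request with the next 'Completed' status line."""
    results, pending = [], None
    for line in log_text.splitlines():
        started = STARTED.match(line.strip())
        if started:
            query = parse_qs(urlsplit(started["url"]).query)  # URL-decodes the values
            pending = {
                "client": started["client"],
                "time": started["ts"],
                "service": query.get("service", [None])[0],
                "scopes": [parse_scope(s) for s in query.get("scope", [])],
            }
            continue
        done = COMPLETED.match(line.strip())
        if done and pending is not None:
            pending["status"] = int(done["status"])
            results.append(pending)
            pending = None
    return results

def denied(log_text):
    # Token requests the auth endpoint refused (401 or 403).
    return [r for r in jwt_auth_requests(log_text) if r["status"] in (401, 403)]
```

Calling denied() on the sample returns only the library/node pull request, with its client address, timestamp and decoded scope.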