
Gitlab CE : how to configure Docker registry

I'm going crazy trying to run a local Gitlab CE omnibus instance with its Docker registry and self-signed certificates.

I created the certificate, the key, the Docker network, and installed Gitlab from the Docker image like this:

docker run --hostname gitlab \
           --name gitlab \
           --net-alias=gitlab \
           --detach \
           --restart always \
           --net gitlabnetwork \
           --ip 172.50.0.10 \
           --publish 4443:443 \
           --publish 5005:5005 \
           --volume /tmp/gitlabConfig/:/etc/gitlab \
           --volume /tmp/gitlabLogs/:/var/log/gitlab \
           --volume /tmp/gitlabData/:/var/opt/gitlab \
           gitlab/gitlab-ce

I added an entry in /etc/hosts like this:

127.0.0.1 gitlab

Gitlab seems to be working well on https://gitlab:4443, everything is ok using the GUI. But I can't reach the registry. During a login docker the error message is as follows:

$ docker login https://gitlab:5005
Error response from daemon: Get https://gitlab:5005/v2/: Get https://gitlab/jwt/auth?account=root&client_id=docker&offline_token=true&service=container_registry: dial tcp 127.0.0.0.1:443: connect: connection refused

Same result with docker login https://127.0.0.1:5005

The gitlab_registry_access.log logs this:

172.50.0.1 - - [19/Sep/2019:15:41:17 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/18.09.7 go/go1.10.1 git-commit/2d0083d kernel/4.15.0-62-generic os/linux arch/amd64 UpstreamClient(Docker-Client/18.09.7 \x5C(linux\x5C))"

Here are the parameters of the file gitlab.rb :

external_url 'https://gitlab'
registry_external_url 'https://gitlab:5005'
registry_nginx['enable'] = true
registry_nginx['ssl_certificate'] = '/etc/gitlab/ssl/gitlab.crt'
registry_nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/gitlab.key'
registry_nginx['listen_port'] = '5005'
registry_nginx['listen_https'] = true

I've read and reread the doc, I don't see how I can get out of it. Any help is welcome.

UPDATE :

Moving forward. I think the problem comes from the configuration in the /var/opt/gitlab/registry/config.yml file :

auth:
  token:
    realm: https://gitlab/jwt/auth
    ...

It seems that it doesn't take the custom port into account. I think it should be

   realm: https://gitlab:4443/jwt/auth

I tried to edit it manually but gitlab-ctl reconfigure overwrites it...

Joulss asked Oct 28 '25 15:10


1 Answer

Okay, it's solved!

The problem is clearly mentioned here: https://gitlab.com/gitlab-org/gitlab-foss/issues/22707 and here: Gitlab docker and external_url

The problem is that it is the internal address that is used during the registry authentication phase.

In my case, the Docker client was trying to join the authentication API on port 443, inaccessible since the container was reachable via port 4443 (mapped to 443).

Conclusion: the external_url port and the listening port of the container must be the same.

I modified gitlab.rb like this (no need for the other registry_nginx settings) :

external_url "https://gitlab:4443"
registry_external_url "https://gitlab:5005"

As for the start of the container:

--publish 4443:4443
Joulss answered Oct 31 '25 06:10
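
A way to spot this mismatch before touching gitlab.rb, as an added example that is not part of the original question or answer: it reads the token realm from the registry's 401 challenge and checks that the port a client will dial is one of the published host ports. The header is a constructed sample built from the values in the question, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: is the registry's token realm reachable through a published port?

# Constructed sample of the challenge sent with the 401 on /v2/
# (realm and service values taken from the error message in the question).
SAMPLE_CHALLENGE='Www-Authenticate: Bearer realm="https://gitlab/jwt/auth",service="container_registry"'

# Print the realm URL from a WWW-Authenticate header line (empty if absent).
realm_from_header() {
  printf '%s\n' "$1" | sed -n 's/.*[Rr]ealm="\([^"]*\)".*/\1/p'
}

# Print the port a client will dial for a URL: explicit port, else scheme default.
url_port() {
  local url=$1 scheme hostport
  scheme=${url%%://*}
  hostport=${url#*://}
  hostport=${hostport%%/*}
  case $hostport in
    *:*) printf '%s\n' "${hostport##*:}" ;;
    *)   if [ "$scheme" = https ]; then echo 443; else echo 80; fi ;;
  esac
}

# check_realm HEADER PORT...
# Returns 0 if the realm port is one of the published host ports,
# 1 on a mismatch, 2 if the header carries no realm.
check_realm() {
  local realm port want
  realm=$(realm_from_header "$1")
  shift
  if [ -z "$realm" ]; then echo "no realm in challenge"; return 2; fi
  want=$(url_port "$realm")
  for port in "$@"; do
    if [ "$port" = "$want" ]; then
      echo "ok: $realm uses published port $want"
      return 0
    fi
  done
  echo "mismatch: $realm needs host port $want, published: $*"
  return 1
}

# Host ports from the question's docker run (--publish 4443:443, --publish 5005:5005).
check_realm "$SAMPLE_CHALLENGE" 4443 5005 || true
```

Against a live instance, pass it the header line from `curl -ski https://gitlab:5005/v2/ | grep -i '^www-authenticate'` instead of the sample.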