Self-hosted Gitlab registry: Connection refused for localhost:5000

Question

I'm using traefik as a reverse proxy (and for management for the letsencrypt certificates) and I'm running a self hosted gitlab instance. GitLab image is a monolithic with all the services into it, both of the services (Registry and Git) need to be served in the same container.

With the configuration shown below gitlab is running well.

docker login registry.domain.com is also working.

But navigating to the registry in the gitlab frontend gives me a 500 error.

The gitlab logs:

Errno::EADDRNOTAVAIL (Failed to open TCP connection to localhost:5000 (Cannot assign requested address - connect(2) for "localhost" port 5000)):

In the docs I read, that the port 5000 is default for gitlab registry.

So I went into the gitlab container and tried to call for localhost:5000:

$ docker exec -it gitlab /bin/bash

root@gitlab:/# curl -v http://localhost:5000
* Rebuilt URL to: http://localhost:5000/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 5000 failed: Connection refused
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: Cannot assign requested address
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: Cannot assign requested address
* Failed to connect to localhost port 5000: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 5000: Connection refused

Furthermore there is no 5000...

root@gitlab:/# netstat -tanpu | grep -i listen
tcp        0      0 127.0.0.1:9093          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.11:33383        0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9229          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9168          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      638/nginx       
tcp        0      0 127.0.0.1:8082          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9236          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      21/sshd         
tcp        0      0 0.0.0.0:8060            0.0.0.0:*               LISTEN      638/nginx       
tcp        0      0 127.0.0.1:9121          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9187          0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::9094                 :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      21/sshd 

So what am I missing in my configuration? How do I have to handle the 5000 port in traefik?

docker-compose.yml

version: '3.3'

services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url = 'https://gitlab.domain.com'
        registry_external_url = 'https://registry.domain.com'
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
        gitlab_rails['registry_enabled'] = true
    ports:
      - '2222:22'
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.gitlab.frontend.rule=Host:gitlab.domain.com
      - traefik.gitlab.port=80
      - traefik.reg.frontend.rule=Host:registry.domain.com
      - traefik.reg.port=80
      - traefik.docker.network=proxy
  traefik:
    image: traefik:1.7.3-alpine
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - traefik.frontend.rule=Host:monitor.domain.com
      - traefik.port=8080
    container_name: traefik

networks:
  proxy:
    external: true

traefik.toml

defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.dashboard]
  address = ":8080"
    [entryPoints.dashboard.auth]
      [entryPoints.dashboard.auth.basic]
        users = ["admin:password"]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[api]
entrypoint="dashboard"

[docker]
domain = "domain.com"
watch = true
network = "proxy"

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
  [acme.httpChallenge]
  entryPoint = "http"

Answer 1

First: reading "GitLab Container Registry administration ", make sure that:

• gitlab registry is activated in your Omnibus image: your gitlab.rb, by default, does not declare a registry.
• you are using https, not http as an URL.

The container registry works under HTTPS by default. Using HTTP is possible but not recommended and out of the scope of this document. Read Test an insecure registry.

Second, regarding traefik, you can see an example in docker-gitlab issue 1688, which does declare a traefik front to the registry part of GitLab.

- traefik.enable=true
- traefik.backend=registry.demo.com
- traefik.frontend.rule=Host:registry.demo.com
- traefik.docker.network=traefik-00
- traefik.port=5000

If you really need to expose your internal "https port 5000" registry through an external http URL with traefik, you have an example in this thread.