2
votes

I have Docker running with a Docker registry on example.domain.com

docker run -d -p 5000:5000 --restart=always --name registry \
-v /etc/ssl/certs/:/certs \
-e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry \
-v /git/docker_registry:/var/lib/registry \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
registry:2

I can push and pull to this Docker registry, but when I try to connect it with GitLab, which is running on the same machine example.domain.com, using this gitlab.yml config:

  registry:
    enabled: true
    host: example.domain.com
    port: 5005
    api_url: http://localhost:5000/
    key: /etc/ssl/certs/server.key
    path: /git/docker_registry

In the web browser, enabling the Docker registry on a project works fine, but when I go to the project page and open the Registry page I get error 500.

GitLab logs show:

Started POST "/api/v3/internal/allowed" for 10.10.200.96 at 2016-11-25 10:15:01 +0100
Started POST "/api/v3/internal/allowed" for 10.10.200.96 at 2016-11-25 10:15:01 +0100
Started POST "/api/v3/internal/allowed" for 10.10.200.96 at 2016-11-25 10:15:01 +0100
Started GET "/data-access-servicess/centipede-rest/container_registry" for 10.11.0.232 at 2016-11-25 10:15:01 +0100
Processing by Projects::ContainerRegistryController#index as HTML
  Parameters: {"namespace_id"=>"data-access-servicess", "project_id"=>"centipede-rest"}
Completed 500 Internal Server Error in 195ms (ActiveRecord: 25.9ms)

Faraday::ConnectionFailed (wrong status line: "\x15\x03\x01\x00\x02\x02"):
  lib/container_registry/client.rb:19:in `repository_tags'
  lib/container_registry/repository.rb:22:in `manifest'
  lib/container_registry/repository.rb:31:in `tags'
  app/controllers/projects/container_registry_controller.rb:8:in `index'
  lib/gitlab/request_profiler/middleware.rb:15:in `call'
  lib/gitlab/middleware/go.rb:16:in `call'

and Docker Registry log:

2016/11/25 09:15:01 http: TLS handshake error from 172.17.0.1:44608: tls: first record does not look like a TLS handshake
1
Did you configure an nginx reverse proxy in front of the registry as detailed in the instructions (gitlab.com/help/administration/container_registry.md)? The config is here: gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/… - jaxxstorm

Unfortunately we are using the GitLab Bitnami stack and it runs Apache. This is the point where I'm completely lost, as configuring nginx (should it run GitLab as well or is it just a proxy for the registry?) - Martin

1 Answer

3
votes

The problem is that GitLab tries to connect to the registry via http and not httpS. Hence you are getting the TLS handshake error.

Change your gitlab config from

registry:
  api_url: http://localhost:5000/

to

registry:
  api_url: https://localhost:5000/

If you are using a self-signed certificate, don't forget to trust it on the machine where gitlab is installed. See -> https://docs.docker.com/registry/insecure/#troubleshooting-insecure-registry
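The bytes in the Faraday error can be decoded to confirm the diagnosis in the answer above. The following is an added example, not part of the original question or answer: it parses the reply as a TLS record header and compares it with the scheme in `api_url`. The function names and the `probe` helper (which sends a plaintext request to the registry's `/v2/` endpoint) are assumptions made for illustration.

```python
import socket
import struct
from urllib.parse import urlsplit

# TLS record content types and alert levels (RFC 5246, sections 6.2.1 and 7.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Bytes quoted in the Faraday error on this page (what the HTTP client read as a "status line").
PAGE_REPLY = b"\x15\x03\x01\x00\x02\x02"

def classify_reply(data: bytes) -> dict:
    """Decide whether the first bytes of a server reply are HTTP or a TLS record."""
    if data.startswith(b"HTTP/"):
        return {"protocol": "http", "status_line": data.split(b"\r\n", 1)[0].decode("latin-1")}
    if len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 3:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        info = {"protocol": "tls", "record": CONTENT_TYPES[ctype],
                "version": (major, minor), "length": length}
        body = data[5:5 + length]
        if ctype == 21 and body:  # alert body is a level byte, then a description byte
            info["alert_level"] = ALERT_LEVELS.get(body[0], "unknown")
            if len(body) > 1:
                info["alert_description"] = body[1]
        return info
    return {"protocol": "unknown"}

def diagnose(api_url: str, reply: bytes) -> str:
    """Compare the scheme in api_url with what the listener answered to plaintext."""
    scheme = urlsplit(api_url).scheme
    seen = classify_reply(reply)["protocol"]
    if scheme == "http" and seen == "tls":
        return "mismatch: listener speaks TLS, change api_url to https://"
    if scheme == "https" and seen == "http":
        return "mismatch: listener speaks plain HTTP, TLS is not enabled on it"
    return f"no scheme mismatch detected (scheme={scheme}, reply={seen})"

def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a plaintext HTTP request and return the first bytes of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET /v2/ HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return s.recv(64)

if __name__ == "__main__":
    print(classify_reply(PAGE_REPLY))
    print(diagnose("http://localhost:5000/", PAGE_REPLY))
```

Against a live registry, `diagnose(api_url, probe("localhost", 5000))` performs the same check on the actual listener instead of the logged bytes.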