Gitlab Registry and certFile

Hello!

I am having problems setting up gitlab registry, I found this other question here but it is not answered and quite old.

Gitlab registry requires a certFile and a keyFile. I have security.acme.certs."my-domain.tld" create cert files so even when my gitlab is in my home network it is served via HTTPS. I thought I could use the same cert files but there seem to be 3 users (docker, gitlab and docker-registry) at play and I keep having problems with permissions.

My best attempt so far is with a custom systemd service that copies the cert files from acme to /etc/gitlab-registry. This makes nixos build and switch work, gitlab itself works fine except when I try to do anything with the registry, then I get a 500 and journalctl shows

(Permission denied @ rb_sysopen - /etc/gitlab-registry/key.pem)

key.pem is owned by docker-registry and I even tried chmod 777, no luck.

How are others setting up their gitlab-registry? Or am I misunderstanding something, perhaps related to docker and gitlab here?

I basically want to make docker images from my pipelines and store them in gitlab.

Hi, I don't remember why but my gitlab registry cert and key files have the following permissions:
Owner: docker-registry
Group: gitlab
chmod: 0440

They are located in /var/run/secrets however.

Wow @MatthieuB that really takes me further! when I changed the group I got a new error:

ActionView::Template::Error (incorrect pkey type: id-ecPublicKey):

how are you generating your certs? I let security.acme do it for me like this:

security = {
  rtkit.enable = true;

  acme = {
    defaults = {
      email = "myself@mydomain.tld";
    };

    acceptTerms = true;
    certs = {
      "git.mydomain.tld" = {
        email = "myself@mydomain.tld";
        dnsProvider = "cloudflare";
        webroot = null;
        credentialsFile = "/etc/cloudflare.ini";
        extraDomainNames = [ "git.mydomain.tld" ];
        keyType = "rsa2048";
      };
    };
  };
};

and these I also use in nginx proxying gitlab


Nice :slight_smile:

I did not generate the certificates, I retrieved them from my old gitlab. I've just checked, it is a 4096-bit RSA key.

For info I recently filed an issue because my registry is always running on port 5000 whatever I configure, it would be nice if you can confirm if you also encounter this.

man you really saved me here! :slight_smile: much obliged! I changed my “sync service” to generate RSA certs instead of copying the ones generated by ACME and my registry seems to be working, at least I no longer get 500 errors when visiting the page in gitlab ui.

About the port, I'm going to give this a try, I suppose the goal is to docker login on another port other than 5000. Initially I can confirm that my services.gitlab.registry.externalPort = 8084; and this:
docker login :8084
gives me

Error response from daemon: Get "https://:8084/v2/": dial tcp :8084: connect: connection refused

but docker login :5000 results in

Error response from daemon: Get "https://:5000/v2/": tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config

which means it's at least listening on that port. Will play around with this because I think it would be nice to docker login from my desktop machine, and port 5000 is too common to just proxy through nginx, something else will probably try to use that port, will ping you in the github issue when I find something :slight_smile:

Again, thank you so much!
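The two problems in this thread (the registry key readable by the wrong user, then an EC key where GitLab expects RSA) are both things you can check before restarting services. The script below is an added example written for this thread, not code from the original posts or from NixOS/GitLab: it reads a PEM key file, pulls the algorithm OID out of the PKCS#8 framing with a minimal DER walker (no openssl binary needed), and compares owner, group and mode against the layout from the post above (owner docker-registry, group gitlab, 0440). The default user and group names come from that post; the sample key files it builds are constructed placeholders with a dummy key body, enough for the type and permission checks but not usable as real keys.

```python
import base64
import grp
import os
import pwd
import re
import stat
import tempfile

# Algorithm OIDs found in the AlgorithmIdentifier of a PKCS#8 PrivateKeyInfo
RSA_OID = "1.2.840.113549.1.1.1"   # rsaEncryption
EC_OID = "1.2.840.10045.2.1"       # id-ecPublicKey, the type named in the thread's error


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_algorithm(pem_text):
    """Return 'rsa', 'ec' or the raw OID for a PEM private key, from its label or PKCS#8 header."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    if label == "RSA PRIVATE KEY":         # PKCS#1: the label already names the algorithm
        return "rsa"
    if label == "EC PRIVATE KEY":          # SEC1
        return "ec"
    if label != "PRIVATE KEY":
        raise ValueError(f"unsupported PEM label: {label}")
    der = base64.b64decode("".join(m.group(2).split()))
    # PKCS#8: SEQUENCE { version INTEGER, algorithm AlgorithmIdentifier, privateKey OCTET STRING }
    _, info, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(info, 0)         # skip version
    _, alg_id, _ = _read_tlv(info, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = _decode_oid(oid_raw)
    return {RSA_OID: "rsa", EC_OID: "ec"}.get(oid, oid)


def _uid_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _gid_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_permissions(path, owner, group, max_mode=0o440):
    """List ownership/mode problems relative to the working layout reported in the thread."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if _uid_name(st.st_uid) != owner:
        problems.append(f"owner is {_uid_name(st.st_uid)}, expected {owner}")
    if _gid_name(st.st_gid) != group:
        problems.append(f"group is {_gid_name(st.st_gid)}, expected {group}")
    if mode & ~max_mode:                   # e.g. the chmod 777 attempt: wider than needed for a key
        problems.append(f"mode {mode:04o} is wider than {max_mode:04o}")
    if not mode & stat.S_IRGRP:            # the gitlab service reads via the group bit
        problems.append("group cannot read the file")
    return problems


def check_registry_key(path, owner="docker-registry", group="gitlab"):
    """Combine both checks; an empty list means the file matches the thread's working setup."""
    with open(path) as f:
        alg = key_algorithm(f.read())
    problems = check_permissions(path, owner, group)
    if alg != "rsa":
        problems.append(f"key type is {alg}; GitLab rejected a non-RSA key with 'incorrect pkey type'")
    return problems


def _tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only (sample data is small)


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_key_file(oid, mode=0o440):
    """Constructed sample: PKCS#8 framing with the given OID and a dummy key body (not a real key)."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")
    der = _tlv(0x30, _tlv(0x02, b"\x00") + alg_id + _tlv(0x04, b"\x00" * 16))
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(f"-----BEGIN PRIVATE KEY-----\n{base64.b64encode(der).decode()}\n-----END PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path


def current_owner_and_group():
    return _uid_name(os.getuid()), _gid_name(os.getgid())


if __name__ == "__main__":
    for p in check_registry_key("/etc/gitlab-registry/key.pem"):   # path from the first post
        print("problem:", p)
```

Run it as root on the GitLab host and it prints one line per mismatch; no output means the key is RSA and has the owner, group and 0440 mode that worked for the poster above. Real keys are parsed the same way as the constructed samples, since only the PEM label and the AlgorithmIdentifier are inspected.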

Glad I could help and thank you for the feedback :slight_smile:

Ah yes I created a test VM today and the simplest is to set the certificate paths as string and let the service gitlab-registry-cert.service generate them.

I did more tests and opened a PR to fix this port issue, for now you can set services.dockerRegistry.port if you want another port.

services.gitlab.registry.port is the port to expose the registry service, externalPort should match your web proxy port, or if you are not using a proxy it should be the same port for both options. For example my config looks like:

services.gitlab.registry = {
  port = 5000;
  externalAddress = "registry.example.com";
  externalPort = 443;
};

services.nginx.virtualHosts."registry.example.com" = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    extraConfig = ''
      client_max_body_size 0;
    '';
    proxyPass = "http://127.0.0.1:${toString config.services.gitlab.registry.port}";
  };
};