Gitlab with Container Registry behind reverse proxy - docker

Does anyone have a running installation of nginx as a reverse proxy, unbound from gitlab where the internal gitlab container registry is running?
I've set up nginx and gitlab in docker containers and I can access gitlab with a suburl, e.g. my.domain.com/gitlab/. However, when I try to access the container registry for an example project, I either end up getting Bad Gateway when using docker login or the container registry shows an error when accessing the site:
Docker connection error We are having trouble connecting to the Container Registry. Please try refreshing the page. If this error persists, please review the troubleshooting documentation.
I've been trying to figure out what settings I need for days and I don't understand what's going wrong, so if anyone can help I'd be really grateful.

Related

Docker context defined with https resulting in an error reaching out to port 80

I have set up a docker registry using docker-compose, largely following the recipe published by Docker here: https://docs.docker.com/registry/recipes/nginx/
Nginx and my registry start, and I am able to issue docker login from a different machine:
docker login https://myhost.mydomain.net
Once logged in I can push and pull images as expected.
Now I need a way to manage content in the remote registry. To that end, I defined a context:
docker context create myregistry-prod --docker "host=https://myhost.mydomain.net"
The command results in this message, which appears to arise during basic authentication:
error during connect: Post "http://myhost.mydomain.net/v1.24/auth": dial tcp 192.168.176.71:80: connectex: No connection could be made because the target machine actively refused it.
I assumed that a context using https would operate inside a TLS connection, so I'm surprised to see the client attempting to open port 80. By design, I have no program listening on port 80, hence the connection is refused.
Note that I am able to fetch the catalog using this URL in a browser: https://myhost.mydomain.net/v2/_catalog. The browser prompts for basic credentials, I supply them and get back the expected result. It appears that the Docker API is working as expected, passing through the Nginx container and being serviced by the registry container.
So, the question is, how do I go about diagnosing the issue? Did I make an error defining the context?
I'm quite sure I have a misunderstanding. This is my first attempt at docker compose and my first attempt at using nginx in front of Docker Registry. I will redact and post nginx.conf and docker-compose.yml if you need them but I am guessing it's a client-side problem. Any help you might offer will be greatly appreciated.

Gitlab runner gets stuck while pulling docker image

I was trying to run my gitlab-ci in my hosted gitlab server and I picked docker for the gitlab-runner executor, but in the pipeline it got stuck and doesn't work.
What should I do to fix this?
Seems to be the same issue: the machine on which docker is running is sitting behind a proxy server, which is why it's getting stuck when it's trying to pull the image.
If you are able to log in to the machine, check the internet access.
Check whether you are using some kind of proxy.
Your ID may have SSO to the proxy, and hence your ID works. If the gitlab-runner service runs on a different account, that account may not have internet access.

Got AuthorizedOnly when pulling images behind corporate proxy

I’ve been trying to get docker working behind a corporate proxy, following the document here:
https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
Basically adding:
[Service]
Environment="HTTP_PROXY=http://[username]:[password]@127.0.0.1:3128/"
under
/etc/systemd/system/docker.service.d/http-proxy.conf
Restart docker and all.
But when running “docker pull hello-world” or “sudo docker pull hello-world”, got this error:
centos7 ~]$ docker pull hello-world
Using default tag: latest
Trying to pull repository docker.io/library/hello-world …
Pulling repository docker.io/library/hello-world
Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: AuthorizedOnly
Looked around the web, but couldn’t find any “AuthorizedOnly” error reported before.
docker -v
Docker version 1.12.6, build 3e8e77d/1.12.6
Any hints/help appreciated.
Found the issue: It's not the problem with docker proxy configuration. It was the proxy itself that blocks hub.docker.com.
To resolve this particular problem, I have used a different proxy with fewer restrictions.
Thanks all!
Double-check your enterprise proxy URL.
Usually, an enterprise proxy does not reside on localhost (127.0.0.1), but on a specific IP address.
Usually, HTTPS_PROXY needs to be set as well (to the same HTTP URL).
Usually, NO_PROXY needs to be set, at least to localhost, to avoid contacting the proxy for every remote query.
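
Added example (not part of the original posts): a shell lint that checks a Docker systemd proxy drop-in against the points in the answer above (HTTPS_PROXY set, NO_PROXY covering localhost, proxy host not on loopback). It goes one step further and flags a user:password pair stored in a world-readable file. The function names, finding codes, proxy.corp.example and both sample files are constructed for this example.

```sh
#!/bin/sh
# Added example: lint a Docker systemd proxy drop-in. Finding codes are made-up names.

proxy_host() {  # scheme://[user:pass@]host[:port]/ -> host
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#^[^/]*@##' -e 's#[:/].*$##'
}

lint_docker_proxy() {
    f=$1; findings=""
    # One VAR=value per line from every Environment= entry, quotes stripped.
    envs=$(sed -n 's/^[[:space:]]*Environment=//p' "$f" | tr -d '"' | tr ' ' '\n')
    get() { printf '%s\n' "$envs" | sed -n "s/^$1=//p" | tail -n 1; }
    http=$(get HTTP_PROXY); https=$(get HTTPS_PROXY); noproxy=$(get NO_PROXY)

    [ -n "$http" ]  || findings="$findings NO_HTTP_PROXY"
    [ -n "$https" ] || findings="$findings NO_HTTPS_PROXY"
    # NO_PROXY should at least exempt localhost.
    case ",$noproxy," in
        *,localhost,*) ;;
        *) findings="$findings NO_PROXY_LACKS_LOCALHOST" ;;
    esac
    for url in "$http" "$https"; do
        [ -n "$url" ] || continue
        case $(proxy_host "$url") in
            127.*|localhost) findings="$findings LOOPBACK_PROXY" ;;
        esac
        # user:password@ in the URL of a world-readable file exposes the secret.
        case $url in *://*:*@*)
            [ -z "$(find "$f" -perm -004)" ] ||
                findings="$findings WORLD_READABLE_CREDENTIALS" ;;
        esac
    done
    # Print each distinct finding on its own line; print nothing when clean.
    [ -z "$findings" ] || printf '%s\n' $findings | sort -u
}

# Constructed samples (not from the page): single-variable form, then corrected form.
demo_dir=$(mktemp -d)
printf '%s\n' '[Service]' \
    'Environment="HTTP_PROXY=http://user:secret@127.0.0.1:3128/"' > "$demo_dir/weak.conf"
printf '%s\n' '[Service]' \
    'Environment="HTTP_PROXY=http://proxy.corp.example:3128/"' \
    'Environment="HTTPS_PROXY=http://proxy.corp.example:3128/"' \
    'Environment="NO_PROXY=localhost,127.0.0.1"' > "$demo_dir/fixed.conf"
chmod 644 "$demo_dir/weak.conf" "$demo_dir/fixed.conf"
lint_docker_proxy "$demo_dir/weak.conf"    # four findings
lint_docker_proxy "$demo_dir/fixed.conf"   # no output
```

A LOOPBACK_PROXY finding is a prompt to confirm that a local forwarding proxy really listens on that port, not proof of a misconfiguration.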

GitLab container does not communicate with GitLab Container Registry container

I use this docker-compose file to create a GitLab installation along with the GitLab Container Registry enabled.
All containers start nicely, but when I try to access the container registry via a new GitLab project, I get a 500 error.
From Kitematic, in the registry container logs I see this
http: TLS handshake error from 192.168.99.1:54873: tls: first record does not look like a TLS handshake
I am not an expert in security, but from my research I think it has to do with the self-signed certificate that GitLab expects.
Is this the problem? How should I proceed?

Cannot login to Nexus 3 docker registry

I have set up an AWS EC2 instance with Docker, Nexus3 and a Docker repository in Nexus with HTTP port 8123 and all the necessary settings so that I can see it from Docker. After lengthy research, I have added the right options in my docker config file so that when I run docker info I can see my insecure registry set to the right IP address. I can access the URL of the Nexus manager from my machine without any problems and I can create repositories etc.
I then try to do a docker login from within my EC2 instance like this:
docker login -u admin -p admin123 my_ip_address:8123
And after a while I get this:
Error response from daemon: Get http://my_ip_address/v1/users/: dial tcp my_ip_address:8123: i/o timeout
I have tried so many things to fix this and nothing seems to work. I have so far spent an entire day trying to understand why docker login cannot see my Nexus3 registry.
Any ideas?
