From 56ef421b6eb73ed957f9430cf70be31371aaa0ae Mon Sep 17 00:00:00 2001 From: SolidNerd Date: Mon, 23 May 2016 22:59:44 +0200 Subject: [PATCH] Add Gitlab Container Registry --- .dockerignore | 1 + README.md | 26 ++- assets/runtime/config/gitlabhq/gitlab.yml | 18 +- assets/runtime/config/nginx/gitlab-registry | 53 +++++ assets/runtime/env-defaults | 19 ++ assets/runtime/functions | 64 ++++++ docs/container_registry.md | 227 ++++++++++++++++++++ 7 files changed, 392 insertions(+), 16 deletions(-) create mode 100644 assets/runtime/config/nginx/gitlab-registry create mode 100644 docs/container_registry.md diff --git a/.dockerignore b/.dockerignore index ccc3d6d24..4c5623110 100644 --- a/.dockerignore +++ b/.dockerignore @@ -6,3 +6,4 @@ README.md Changelog.md Makefile docker-compose.yml +docs diff --git a/README.md b/README.md index bc4d4033e..38a2c40b7 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,8 @@ - [Import Repositories](#import-repositories) - [Upgrading](#upgrading) - [Shell Access](#shell-access) +- [Features](#features) + - [Container Registry](docs/container_registry.md) - [References](#references) # Introduction 
@@ -792,13 +794,14 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_INCOMING_EMAIL_ENABLED**: Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`. - **GITLAB_SIGNUP_ENABLED**: Enable or disable user signups (first run only). Default is `true`. - **GITLAB_PROJECTS_LIMIT**: Set default projects limit. Defaults to `100`. -- **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults is `true`. -- **GITLAB_CREATE_GROUP**: Enable or disable ability for users to create groups. Defaults is `true`. -- **GITLAB_PROJECTS_ISSUES**: Set if *issues* feature should be enabled by default for new projects. Defaults is `true`. -- **GITLAB_PROJECTS_MERGE_REQUESTS**: Set if *merge requests* feature should be enabled by default for new projects. Defaults is `true`. -- **GITLAB_PROJECTS_WIKI**: Set if *wiki* feature should be enabled by default for new projects. Defaults is `true`. -- **GITLAB_PROJECTS_SNIPPETS**: Set if *snippets* feature should be enabled by default for new projects. Defaults is `false`. -- **GITLAB_PROJECTS_BUILDS**: Set if *builds* feature should be enabled by default for new projects. Defaults is `true`. +- **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults to `true`. +- **GITLAB_CREATE_GROUP**: Enable or disable ability for users to create groups. Defaults to `true`. +- **GITLAB_PROJECTS_ISSUES**: Set if *issues* feature should be enabled by default for new projects. Defaults to `true`. +- **GITLAB_PROJECTS_MERGE_REQUESTS**: Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`. +- **GITLAB_PROJECTS_WIKI**: Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`. +- **GITLAB_PROJECTS_SNIPPETS**: Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`. 
+- **GITLAB_PROJECTS_BUILDS**: Set if *builds* feature should be enabled by default for new projects. Defaults to `true`. +- **GITLAB_PROJECTS_CONTAINER_REGISTRY**: Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`. - **GITLAB_WEBHOOK_TIMEOUT**: Sets the timeout for webhooks. Defaults to `10` seconds. - **GITLAB_TIMEOUT**: Sets the timeout for git commands. Defaults to `10` seconds. - **GITLAB_MAX_OBJECT_SIZE**: Maximum size (in bytes) of a git object (eg. a commit) in bytes. Defaults to `20971520`, i.e. `20` megabytes. 
@@ -823,6 +826,13 @@ Below is the complete list of available options that can be used to customize yo - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`. - **GITLAB_RELATIVE_URL_ROOT**: The relative url of the GitLab server, e.g. `/git`. No default. - **GITLAB_TRUSTED_PROXIES**: Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults. +- **GITLAB_REGISTRY_ENABLED**: Enables the GitLab Container Registry. Defaults to `false`. +- **GITLAB_REGISTRY_HOST**: Sets the Gitlab Registry Host. Defaults to `registry.example.com` +- **GITLAB_REGISTRY_PORT**: Sets the GitLab Registry Port. Defaults to `443`. +- **GITLAB_REGISTRY_API_URL**: Sets the Gitlab Registry API URL. Defaults to `http://localhost:5000` +- **GITLAB_REGISTRY_KEY_PATH**: Sets the GitLab Registry Key Path. Defaults to `config/registry.key` +- **GITLAB_REGISTRY_DIR**: Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry` +- **GITLAB_REGISTRY_ISSUER**: Sets the Gitlab Registry Issuer. Defaults to `gitlab-issuer`. - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default. - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default. - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` 
@@ -830,6 +840,8 @@ Below is the complete list of available options that can be used to customize yo - **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem` - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file. Defaults to `false` - **SSL_CA_CERTIFICATES_PATH**: List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`. +- **SSL_REGISTRY_KEY_PATH**: Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key` +- **SSL_REGISTRY_CERT_PATH**: Location of the ssl certificate for the gitlab container registy. Defaults to `/home/git/data/certs/registry.crt` - **NGINX_WORKERS**: The number of nginx workers to start. Defaults to `1`. - **NGINX_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. - **NGINX_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index eded931d5..15ccad4fe 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -99,7 +99,7 @@ production: &base wiki: {{GITLAB_PROJECTS_WIKI}} snippets: {{GITLAB_PROJECTS_SNIPPETS}} builds: {{GITLAB_PROJECTS_BUILDS}} - container_registry: true + container_registry: {{GITLAB_PROJECTS_CONTAINER_REGISTRY}} ## Webhook settings # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) 
@@ -179,13 +179,13 @@ production: &base cron: "0 * * * *" registry: - # enabled: true - # host: registry.example.com - # port: 5005 - # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API - # key_path: config/registry.key - # path: shared/registry - # issuer: gitlab-issuer + enabled: {{GITLAB_REGISTRY_ENABLED}} # Enables GitLab Container Registry Defaults to `true` + host: {{GITLAB_REGISTRY_HOST}} # registry.example.com + port: {{GITLAB_REGISTRY_PORT}} # 5005 + api_url: {{GITLAB_REGISTRY_API_URL}} # http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API + key: {{GITLAB_REGISTRY_KEY_PATH}} # config/registry.key + path: {{GITLAB_REGISTRY_DIR}} + issuer: {{GITLAB_REGISTRY_ISSUER}} # gitlab-issuer # # 2. GitLab CI settings @@ -393,7 +393,7 @@ production: &base idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}', idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}', issuer: '{{OAUTH_SAML_ISSUER}}', - attribute_statements: { + attribute_statements: { first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'], last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'], name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'], diff --git a/assets/runtime/config/nginx/gitlab-registry b/assets/runtime/config/nginx/gitlab-registry new file mode 100644 index 000000000..ac137b181 --- /dev/null +++ b/assets/runtime/config/nginx/gitlab-registry 
@@ -0,0 +1,53 @@ +## Lines starting with two hashes (##) are comments with information. +## Lines starting with one hash (#) are configuration parameters that can be uncommented. +## +################################### +## configuration ## +################################### + +## Redirects all HTTP traffic to the HTTPS host +server { + listen *:80; + server_name {{GITLAB_REGISTRY_HOST}}; + server_tokens off; ## Don't show the nginx version number, a security best practice + return 301 https://$http_host:$request_uri; + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log; +} + +server { + # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182, + # it should be declared here as well + listen *:{{NGINX_REGISTRY_PROXY_PORT}} ssl http2; + server_name {{GITLAB_REGISTRY_HOST}}; + server_tokens off; ## Don't show the nginx version number, a security best practice + + client_max_body_size 0; + chunked_transfer_encoding on; + + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl on; + ssl_certificate {{SSL_REGISTRY_CERT_PATH}}; + ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}}; + + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_session_timeout 5m; + + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log; + + location / { + proxy_set_header Host $http_host; # required for docker client's sake + 
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900; + + proxy_pass {{GITLAB_REGISTRY_API_URL}}; + } + +} diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index c056f18f7..741ef862f 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -72,6 +72,7 @@ GITLAB_PROJECTS_MERGE_REQUESTS=${GITLAB_PROJECTS_MERGE_REQUESTS:-true} GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true} GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false} GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true} +GITLAB_PROJECTS_CONTAINER_REGISTRY=${GITLAB_PROJECTS_CONTAINER_REGISTRY:-true} GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-} GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-} if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/` @@ -110,6 +111,19 @@ GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false} GITLAB_ROBOTS_PATH=${GITLAB_ROBOTS_PATH:-${USERCONF_TEMPLATES_DIR}/gitlabhq/robots.txt} +## REGISTRY +GITLAB_REGISTRY_ENABLED=${GITLAB_REGISTRY_ENABLED:-false} +GITLAB_REGISTRY_DIR="${GITLAB_REGISTRY_DIR:-$GITLAB_SHARED_DIR/registry}" +GITLAB_REGISTRY_HOST=${GITLAB_REGISTRY_HOST:-registry.example.com} +GITLAB_REGISTRY_PORT=${GITLAB_REGISTRY_PORT:-443} +GITLAB_REGISTRY_API_URL=${GITLAB_REGISTRY_API_URL:-http://localhost:5000/} +GITLAB_REGISTRY_KEY_PATH=${GITLAB_REGISTRY_KEY_PATH:-config/registry.key} +GITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer} +#Sets the nginx restistry port +if [[ -z $GITLAB_REGISTRY_PORT ]]; then + NGINX_REGISTRY_PROXY_PORT=443 +fi + ## SSL SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-$GITLAB_DATA_DIR/certs/gitlab.crt} 
@@ -117,6 +131,9 @@ SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem} SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} +SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key} +SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt} + SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt} @@ -149,6 +166,8 @@ case ${GITLAB_HTTPS} in *) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;; esac +NGINX_REGISTRY_PROXY_PORT=${NGINX_REGISTRY_PROXY_PORT:-$GITLAB_REGISTRY_PORT} + ## MAIL DELIVERY SMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com} SMTP_HOST=${SMTP_HOST:-smtp.gmail.com} diff --git a/assets/runtime/functions b/assets/runtime/functions index bbe148774..673c98ae9 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -17,6 +17,7 @@ GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt" GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml" GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab" GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci" +GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry" # Compares two version strings `a` and `b` # Returns 
@@ -810,9 +811,34 @@ gitlab_configure_project_features() { GITLAB_PROJECTS_WIKI \ GITLAB_PROJECTS_SNIPPETS \ GITLAB_PROJECTS_BUILDS \ + GITLAB_PROJECTS_CONTAINER_REGISTRY \ GITLAB_WEBHOOK_TIMEOUT } +gitlab_configure_registry(){ + echo "Configuring gitlab::registry..." + if [[ $GITLAB_REGISTRY_PORT != 443 ]]; then + update_template ${GITLAB_CONFIG} \ + GITLAB_REGISTRY_ENABLED \ + GITLAB_REGISTRY_DIR \ + GITLAB_REGISTRY_HOST \ + GITLAB_REGISTRY_PORT \ + GITLAB_REGISTRY_API_URL \ + GITLAB_REGISTRY_KEY_PATH \ + GITLAB_REGISTRY_ISSUER + else + GITLAB_REGISTRY_PORT="" # Sets Registry Port to empty to set the key empty in the .gitlab-ci.yml + update_template ${GITLAB_CONFIG} \ + GITLAB_REGISTRY_ENABLED \ + GITLAB_REGISTRY_DIR \ + GITLAB_REGISTRY_HOST \ + GITLAB_REGISTRY_PORT \ + GITLAB_REGISTRY_API_URL \ + GITLAB_REGISTRY_KEY_PATH \ + GITLAB_REGISTRY_ISSUER + fi +} + nginx_configure_gitlab_ssl() { if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then echo "Configuring nginx::gitlab::ssl..." @@ -879,6 +905,20 @@ nginx_configure_gitlab_ci() { fi } +nginx_configure_gitlab_registry() { + if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then + echo "Configuring nginx::gitlab-registry..." + update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \ + GITLAB_LOG_DIR \ + NGINX_REGISTRY_PROXY_PORT \ + GITLAB_REGISTRY_HOST \ + GITLAB_REGISTRY_API_URL \ + SSL_REGISTRY_KEY_PATH \ + SSL_REGISTRY_CERT_PATH + fi +} + + # _|_|_| _| _| _| # _| _| _| _| _|_|_| _| _|_|_| # _|_|_| _| _| _| _| _| _| _| @@ -961,6 +1001,7 @@ initialize_datadir() { chmod u+rwX ${GITLAB_SHARED_DIR} chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR} + # create attifacts dir mkdir -p ${GITLAB_ARTIFACTS_DIR} chmod u+rwX ${GITLAB_ARTIFACTS_DIR} chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} 
@@ -974,6 +1015,13 @@ initialize_datadir() { chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} + # create registry dir + if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then + mkdir -p ${GITLAB_REGISTRY_DIR} + chmod u+rwX ${GITLAB_REGISTRY_DIR} + chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} + fi + # create the backups directory mkdir -p ${GITLAB_BACKUP_DIR} chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR} @@ -1035,6 +1083,11 @@ sanitize_datadir() { chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} + if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then + chmod -R u+rwX ${GITLAB_REGISTRY_DIR} + chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} + fi + find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \; find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \; chmod 0700 ${GITLAB_DATA_DIR}/uploads/ @@ -1115,6 +1168,15 @@ install_configuration_templates() { if [[ -n $GITLAB_CI_HOST ]]; then install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG} fi + + if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then + if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then + install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG} + else + echo "SSL key and certificates for Registry were not found" + echo "Assuming that the Registry is running behind an enabled load balancer" + fi + fi } configure_gitlab() { @@ -1160,6 +1222,7 @@ configure_gitlab() { gitlab_configure_gravatar gitlab_configure_analytics gitlab_configure_backups + gitlab_configure_registry # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket @@ -1186,6 +1249,7 @@ configure_nginx() { sed -i "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" /etc/nginx/nginx.conf nginx_configure_gitlab nginx_configure_gitlab_ci + nginx_configure_gitlab_registry } migrate_database() { 
diff --git a/docs/container_registry.md b/docs/container_registry.md new file mode 100644 index 000000000..6a18320a9 --- /dev/null +++ b/docs/container_registry.md 
@@ -0,0 +1,227 @@ +GitLab Container Registry +========================= +Since `8.8.0` GitLab introduces container registry. Container Registry is a feature that handles your authentication for a docker registry. + + +- [Prerequisites](#prerequisites) +- [Installation](#installation) +- [Maintenance](#maintenance) + - [Creating Backups](#creating-backups) + - [Restoring Backups](#restoring-backups) +- [Upgrading from an existing GitLab instance](#Upgrading-from-an-existing-GitLab-instance) + +# Prerequisites + - [Docker Distribution](https://github.com/docker/distribution) >= 2.4 + - [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5 + +# Installation +Starting a fresh installation with GitLab Container registry would be like this `docker-compose` file. + +## Generating certificate for authentication with the registry + +You can skip the following steps if you have a **trusted certificate**. + +- **Step 1**: Create a certs dir + ```bash + mkdir certs && cd certs + ``` + +- **Step 2**: Generate a private key and sign request for the private key +```bash +openssl req -nodes -newkey rsa:4096 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=gitlab-issuer" +``` + +- **Step 3**: Sign your created privated key +```bash +openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650 +``` + +## Docker Compose +```yml +version: '2' + +services: + redis: + restart: always + image: sameersbn/redis:latest + command: + - --loglevel warning + volumes: + - /srv/gitlab/redis:/var/lib/redis:Z + postgresql: + restart: always + image: sameersbn/postgresql:9.4-22 + volumes: + - /srv/gitlab/postgresql:/var/lib/postgresql:Z + enviroment: + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm + + gitlab: + restart: always + image: sameersbn/gitlab:8.8.5 + depends_on: + - redis + - postgresql + ports: + - "10080:80" + - "5500:5000" + - "10022:22" + volumes: + - 
/srv/gitlab/gitlab:/home/git/data:Z + - /srv/gitlab/logs:/var/log/gitlab + - ./certs:/certs + enviroment: + - DEBUG=false + + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + + - REDIS_HOST=redis + - REDIS_PORT=6379 + - GITLAB_SSH_PORT=1022 + - GITLAB_PORT=10080 + - GITLAB_HOST=localhost + + - GITLAB_SECRETS_DB_KEY_BASE=superrandomsecret + - GITLAB_REGISTRY_ENABLED=true + - GITLAB_REGISTRY_HOST=registry.gitlab.example.com + - GITLAB_REGISTRY_PORT=5500 + - GITLAB_REGISTRY_API_URL=http://registry:5000 + - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key + - SSL_REGISTRY_KEY_PATH=/certs/registry.key + - SSL_REGISTRY_CERT_PATH=/certs/registry.crt + + registry: + restart: always + image: registry:2.4.1 + volumes: + - /srv/gitlab/shared/registry:/registry + - ./certs:/certs + enviroment: + - REGISTRY_LOG_LEVEL=info + - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry + - REGISTRY_AUTH_TOKEN_REALM=https://gitlab.example.com/jwt/auth + - REGISTRY_AUTH_TOKEN_SERVICE=container_registry + - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer + - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt + - REGISTRY_STORAGE_DELETE_ENABLED=true +``` +> **Important Notice** +> +> 1. Don't change `REGISTRY_AUTH_TOKEN_SERVICE`. It must have `container_registry` as value. +> 2. `REGISTRY_AUTH_TOKEN_REALM` need to be look like `http/s://gitlab.example.com/jwt/auth`. Endpoint must be `/jwt/auth` +> These configuration options are required by the GitLab Container Registry. + +The trick is here that you are mounting the registry data as volume from `$GITLAB_REGISTRY_DIR`. So this adds the ability to do backups and restore them. + + +# Maintenance + +## Creating Backups + +Creating Backups is the same like without a container registry. I would recommend to stop your registry container. 
+ +```bash +docker stop registry gitlab && docker rm registry gitlab +``` + +Execute the rake task with a removeable container. +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:8.8.5 app:rake gitlab:backup:create +``` +## Restoring Backups + +Gitlab also defines a rake task to restore a backup. + +Before performing a restore make sure the container is stopped and removed to avoid container name conflicts. + +```bash +docker stop registry gitlab && docker rm registry gitlab +``` + +Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:8.8.5 app:rake gitlab:backup:restore +``` + +The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. + +To avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:8.8.5 app:rake gitlab:backup:restore BACKUP=1417624827 +``` + +# Upgrading from an existing GitLab installation + + +If you want enable this feature for an existing instance of GitLab you need to do the following steps. + +- **Step 1**: Update the docker image. + +```bash +docker pull sameersbn/gitlab:8.8.5 +``` + +- **Step 2**: Stop and remove the currently running image + +```bash +docker stop gitlab && docker rm gitlab +``` + +- **Step 3**: Create a backup + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:x.x.x app:rake gitlab:backup:create +``` + +- **Step 4**: Create a certs folder +Create an authentication certificate with [Generating certificate for authentication with the registry](#Generating-certificate-for-authentication-with-the-registry). 
+ +- **Step 5**: Create an registry instance + +> **Important Notice** +> +> Storage of the registry must be mounted from gitlab from GitLab. +> GitLab must have the container of the registry storage folder to be able to create and restore backups + +```bash +docker run --name registry -d \ +--restart=always \ +-v /srv/gitlab/shared/registry:/registry \ +-v ./certs:/certs \ +--env 'REGISTRY_LOG_LEVEL=info' \ +--env 'REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry' \ +--env 'REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth' \ +--env 'REGISTRY_AUTH_TOKEN_SERVICE=container_registry' \ +--env 'REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer' \ +--env 'REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt' \ +--env 'REGISTRY_STORAGE_DELETE_ENABLED=true' \ +registry:2.4.1 +``` +- **Step 6**: Start the image + +```bash +docker run --name gitlab -d [PREVIOUS_OPTIONS] \ +-v /srv/gitlab/certs:/certs \ +--env 'SSL_REGISTRY_CERT_PATH=/certs/registry.crt' \ +--env 'SSL_REGISTRY_KEY_PATH=/certs/registry.key' \ +--env 'GITLAB_REGISTRY_ENABLED=true' \ +--env 'GITLAB_REGISTRY_HOST=registry.gitlab.example.com' \ +--env 'GITLAB_REGISTRY_API_URL=http://registry:5000/' \ +--env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \ +--link registry:registry +sameersbn/gitlab:8.8.5 +```
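Review bot: In the README hunk at `@@ -823,6 +826,13 @@`, the documented default for `GITLAB_REGISTRY_API_URL` (`http://localhost:5000`) does not match the one set in `env-defaults` (`http://localhost:5000/`, with a trailing slash); pick one and use it in both places. The `GITLAB_REGISTRY_DIR` entry reads "Directory to store the container images will be shared with registry", which needs rewording (e.g. "Directory in which the container images are stored; it must be shared with the registry container"), and the following hunk misspells "registry" as "registy" in the `SSL_REGISTRY_CERT_PATH` entry.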
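Review bot: In the `gitlab.yml` hunk at `@@ -179,13 +179,13 @@`, the inline comment on `enabled: {{GITLAB_REGISTRY_ENABLED}}` says "Defaults to `true`", but `env-defaults` sets `GITLAB_REGISTRY_ENABLED=${GITLAB_REGISTRY_ENABLED:-false}` and the README documents `false`; correct the comment so operators do not assume the registry is on. The hunk also replaces the commented `# key_path: config/registry.key` with `key: {{GITLAB_REGISTRY_KEY_PATH}}`; please verify against `gitlab.yml.example` of the targeted 8.8 release that the setting GitLab reads is `key`, since a wrong name here means the token-signing key path is silently ignored and the registry rejects every JWT. The `@@ -393,7 +393,7 @@` hunk in the same file is a whitespace-only change to `attribute_statements: {` that is unrelated to the registry and would be cleaner in its own commit.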
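Review bot: In the new `nginx/gitlab-registry` template, the HTTP-to-HTTPS redirect `return 301 https://$http_host:$request_uri;` inserts a colon between host and path, producing URLs like `https://registry.example.com:/v2/`; it should read `return 301 https://$http_host$request_uri;`. Since this vhost is only ever talked to by Docker clients, consider tightening the TLS settings relative to the copied GitLab vhost: drop `TLSv1 TLSv1.1` from `ssl_protocols` and remove the `DES-CBC3-SHA` / `ECDHE-RSA-DES-CBC3-SHA` (3DES) suites from `ssl_ciphers`. The block also has no `ssl_dhparam` or HSTS header, while the main GitLab vhost is configurable via `SSL_DHPARAM_PATH` and `NGINX_HSTS_*`; if that is intentional, a comment saying so would help the next maintainer.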
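Review bot: In the `env-defaults` hunk at `@@ -110,6 +111,19 @@`, the block `if [[ -z $GITLAB_REGISTRY_PORT ]]; then NGINX_REGISTRY_PROXY_PORT=443; fi` is dead code: `GITLAB_REGISTRY_PORT` is defaulted to `443` a few lines above, so the test is never true, and the later hunk (`@@ -149,6 +166,8 @@`) already derives `NGINX_REGISTRY_PROXY_PORT=${NGINX_REGISTRY_PROXY_PORT:-$GITLAB_REGISTRY_PORT}`. Remove the block (and its comment, which misspells "registry" as "restistry") to avoid suggesting a code path that does not exist.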
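Review bot: In the `functions` hunk at `@@ -810,9 +811,34 @@`, both branches of `gitlab_configure_registry()` call `update_template ${GITLAB_CONFIG}` with the identical variable list; the only difference is clearing the port, so the function collapses to `if [[ $GITLAB_REGISTRY_PORT == 443 ]]; then GITLAB_REGISTRY_PORT=""; fi` followed by a single `update_template` call. The comment "set the key empty in the .gitlab-ci.yml" is misleading: the target is `${GITLAB_CONFIG}` (gitlab.yml), and the purpose is to make GitLab build `host_port` without `:443`. Also note that clearing the global `GITLAB_REGISTRY_PORT` is safe only because `NGINX_REGISTRY_PROXY_PORT` was already derived from it in `env-defaults`; a one-line comment stating that ordering dependency would prevent a future regression.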
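Review bot: In the `functions` hunk at `@@ -1115,6 +1168,15 @@`, when `GITLAB_REGISTRY_ENABLED=true` but the registry certificate or key is missing, the code prints "Assuming that the Registry is running behind an enabled load balancer" and installs no vhost at all, so nothing in this container proxies to `GITLAB_REGISTRY_API_URL`. Either install a plain-HTTP variant of the `gitlab-registry` template for that case, or make the message explicit that the nginx registry proxy is skipped and the registry must be exposed and TLS-terminated elsewhere; "enabled load balancer" probably means "SSL-terminating load balancer". Related: the comment added in `@@ -961,6 +1001,7 @@` misspells "artifacts" as "attifacts".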
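Review bot: The `docs/container_registry.md` hunk has several defects that would stop a reader from reproducing the setup. (1) The Compose file spells the key `enviroment:` in all three services; Compose v2 rejects unknown keys, and even if it did not, none of the `DB_*`, `GITLAB_REGISTRY_*` or `REGISTRY_*` variables would be applied; it must be `environment:`. (2) The `gitlab` service sets `GITLAB_REGISTRY_PORT=5500`, which makes the new nginx vhost listen on `NGINX_REGISTRY_PROXY_PORT`=5500 inside the container, but the mapping is `"5500:5000"`; it should be `"5500:5500"`. (3) `SSL_REGISTRY_KEY_PATH=/certs/registry.key` and `SSL_REGISTRY_CERT_PATH=/certs/registry.crt` are never produced by the certificate section, which only generates `registry-auth.key`/`registry-auth.crt` (the JWT-signing pair), so `install_configuration_templates` will skip the registry vhost; document how the TLS pair for the registry hostname is obtained and state clearly that it is a different key from the token-signing key. (4) The text claims the registry data is mounted from `$GITLAB_REGISTRY_DIR` (default `$GITLAB_SHARED_DIR/registry`) so that backups cover it, but the `registry` service mounts `/srv/gitlab/shared/registry` while GitLab's data directory is `/srv/gitlab/gitlab:/home/git/data`; both services need to bind the same host directory for the backup/restore claim to hold. (5) `GITLAB_HOST=localhost` and `GITLAB_SSH_PORT=1022` disagree with `REGISTRY_AUTH_TOKEN_REALM=https://gitlab.example.com/jwt/auth` and the `"10022:22"` mapping. (6) In the upgrade section, `-v ./certs:/certs` in `docker run` requires an absolute host path (Step 6 uses `/srv/gitlab/certs`, so use that in Step 5 too), the `--link registry:registry` line in Step 6 lacks the trailing `\` so `sameersbn/gitlab:8.8.5` is not part of the command, Step 5 uses `http://` for the realm where the Compose file uses `https://`, the TOC anchor `#Upgrading-from-an-existing-GitLab-instance` does not match the heading "Upgrading from an existing GitLab installation" (GitHub anchors are also lowercase, which affects the Step 4 link as well), and "privated key" should be "private key".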