プライベートなDockerレジストリ（GitlabContainerRegistry） - 闘うITエンジニアの覚え書き

Gitlab の Container Registry でプライベートな Dockerレジストリを構築する。
※尚、ここでいう Gitlab は ストレージサービスとしてのそれではなく、OSS としての GitLab CE を指す。

mkdir work_gitlab_container
cd work_gitlab_container

mkdir certs
openssl req \
>     -newkey rsa:4096 -nodes -sha256 -keyout certs/サーバ名.key \
>     -x509 -days 365 -out certs/サーバ名.crt
Generating a 4096 bit RSA private key
..............................................................................................++
.............................................................................................................++
writing new private key to 'certs/サーバ名.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:サーバ名
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:サーバ名
Email Address []:

.env

SERVER_NAME=サーバ名

docker-compose.yml

web:
  image: gitlab/gitlab-ce:latest
  restart: always
  hostname: localhost
  container_name: mygitlab
  environment:
    GITLAB_OMNIBUS_CONFIG: |
      external_url "https://${SERVER_NAME}"
      registry_external_url "https://${SERVER_NAME}:4567"
      registry_nginx['ssl_certificate'] = "/var/certs/${SERVER_NAME}.crt"
      registry_nginx['ssl_certificate_key'] = "/var/certs/${SERVER_NAME}.key"
  ports:
    - '80:80'
    - '443:443'
    - '8022:22'
    - '4567:4567'
  volumes:
    - './certs:/var/certs'

docker-compose up -d

しばらくすると、以下のようなログが出力され、コンテナがリスタートする。
※Let's Encrypt を利用して証明書周りのセットアップを行おうとしている模様。（自分で作成しているので不要なのだが）

docker logs -g mygitlab

    ================================================================================
    Error executing action `create` on resource 'letsencrypt_certificate[XXX.XXX.XXX.XXX]'
    ================================================================================

    :


Recipe: gitlab::gitlab-rails
  * execute[clear the gitlab-rails cache] action run
    - execute /opt/gitlab/bin/gitlab-rake cache:clear
Recipe: 
  * service[gitaly] action restart
    - restart service service[gitaly]
Recipe: gitaly::enable
  * runit_service[gitaly] action hup
    - send hup to runit_service[gitaly]
Recipe: 
  * service[gitlab-workhorse] action restart
    - restart service service[gitlab-workhorse]
  * service[registry] action restart
    - restart service service[registry]
  * service[gitlab-exporter] action restart
    - restart service service[gitlab-exporter]
  * service[redis-exporter] action restart
    - restart service service[redis-exporter]
  * service[prometheus] action restart
    - restart service service[prometheus]
Recipe: monitoring::prometheus
  * execute[reload prometheus] action run
    - execute /opt/gitlab/bin/gitlab-ctl hup prometheus
Recipe: 
  * service[alertmanager] action restart
    - restart service service[alertmanager]
  * service[postgres-exporter] action restart
    - restart service service[postgres-exporter]
  * service[grafana] action restart
    - restart service service[grafana]

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[XXX.XXX.XXX.XXX] (letsencrypt::http_authorization line 5) had an error: Acme::Client::Error::RejectedIdentifier:\
 acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error:\
 Acme::Client::Error::RejectedIdentifier: Error creating new order :: Cannot issue for "XXX.XXX.XXX.XXX": The ACME server can not issue a certificate for an IP address

Running handlers complete
Chef Client failed. 539 resources updated in 03 minutes 09 seconds

docker login サーバ名:4567

# 適当なイメージをpull
docker pull ubuntu

# タグ付け/プッシュ
docker image tag ubuntu サーバ名:4567/group1/myproject1
docker push サーバ名:4567/group1/myproject1

# ver2 をタグ付け/プッシュ
docker image tag ubuntu サーバ名:4567/group1/myproject1:ver2
docker push サーバ名:4567/group1/myproject1:ver2

プッシュ後の状態

サーバ名をIPアドレスにする場合は、証明書の Subject Alternative Name もチェックされるので、これを含む証明書を作成する必要がある。
でないと、docker login 時に以下のように怒られる。

Error response from daemon: Get https://192.168.0.12:4567/v2/: x509: cannot validate certificate for 192.168.0.12 because it doesn't contain any IP SANs

※参考: サーバ名がIPアドレスの場合のSSL証明書作成