Improve handling of servers blocked from container registry

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Description

I recently had my production server blocked from the GitLab.com container registry for 12 hours because of a mistake in my CI configuration. Basically, I forgot to add a step to publish a new image before deploying a new service so my production Docker swarm was left repeatedly requesting an image that didn't exist. After a while GitLab (quite rightly) decided this was a problem server and blocked its IP address. I accept that this is a necessary reaction to defend against DDOS attacks, but I have a couple of issues with the way this is implemented at the moment:

1. the response to Docker requests does not make it clear when a server has been blocked (as opposed to just failing authentication or some other issue), making it difficult to determine why Docker is unable to fetch container images. The only error message I could find was in the Error column of the docker service ps output:

Error response from daemon: Get https://registry.gitlab.com/v2/: error parsing HTTP 403 response body: invalid character 'F' looking for beginning of value: "Forbidden\n"

2. there is no means of lifting the block early after taking steps to prevent the server from resuming problematic behaviour.

Proposal

I think a few things can be done to help out anyone dealing with a blocked server in future:

1. Improve the error output for blocked requests so that the Docker logs will show clearly why the request was refused - make sure the response body for rejected Docker requests is in a format Docker understands.
2. Add a section or page to project registry settings within GitLab to list server IPs that have been blocked from the registry because of requests to that project's registry namespace.
3. Allow a user logged into the GitLab interface to manually unblock servers that have been blocked from the registry. To prevent an attacker from automating the unblocking process, I imagine there would need to be some form of human test on this form (e.g. reCAPTCHA)