Feature request/omnibus - container registry on unix domain socket
I have a personal GitLab instance installed via the omnibus package and would like to have the built-in container registry listen on a Unix domain socket, similar to how gitlab workhorse can be configured to listen at, say, /var/opt/gitlab/gitlab-workhorse/socket.
From what I can tell, the container registry itself does support listening on a Unix domain socket through manually editing its config.yml:

```yaml
http:
  net: unix   # <- NOT CONFIGURABLE
  addr: /var/opt/gitlab/registry/socket
  secret: "blahblahblah"
  # ...
```

However this option isn't exposed to admins from gitlab.rb.
Now I've taken a quick stab at it and I have questions:
A proposed gitlab.rb config more or less looks like this:

```ruby
###! **Do not change the following 3 settings unless you know what you are
###! doing**
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
### Settings used by Registry application
# registry['enable'] = true
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
registry['registry_http_net'] = "unix"
registry['registry_http_addr'] = "/var/opt/gitlab/registry/socket"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
# registry['env'] = {}
# registry['log_level'] = "info"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
# registry['health_storagedriver_enabled'] = true
# registry['storage_delete_enabled'] = true
```

I know omnibus will configure gitlab_rails['registry_api_url'] by default to "http://#{Gitlab['registry']['registry_http_addr']}", and I assume this scheme would not work automatically when registry_http_addr is a path (it becomes http:///var/opt/gitlab/registry/socket). I'm not entirely confident that gitlab_rails would correctly parse a URL like this.
For now I can work around this by setting gitlab_rails['registry_api_url'] to an nginx-proxied front end of the registry socket, but a broken default should be avoided, I guess.
Any suggestions or answers are appreciated.
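
The default-URL concern above, as an added Ruby example that is not part of the original post and is not omnibus-gitlab code: it shows what the `"http://#{addr}"` interpolation yields for a socket path and one way a default could refuse to derive a URL in that case. The helper names (`naive_url`, `usable_http_url?`, `default_registry_api_url`) are hypothetical; the `net`/`addr` arguments stand in for the proposed `registry['registry_http_net']` and `registry['registry_http_addr']` keys.

```ruby
require "uri"

# The interpolation described in the issue, applied verbatim.
def naive_url(addr)
  "http://#{addr}"
end

# True only when the string parses as an http(s) URL with a non-empty host.
# "http:///var/opt/..." has an empty authority, so the socket path ends up in
# the URL path and there is no host for an HTTP client to connect to.
def usable_http_url?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Hypothetical default for gitlab_rails['registry_api_url'] (assumption, not
# the project's logic): derive it only for a TCP listener; for a Unix socket
# return nil so the admin has to set an explicit URL (e.g. a proxied front end).
def default_registry_api_url(net, addr)
  case net
  when nil, "tcp"
    url = naive_url(addr)
    raise ArgumentError, "cannot derive API URL from #{addr.inspect}" unless usable_http_url?(url)
    url
  when "unix"
    nil
  else
    raise ArgumentError, "unsupported registry http net: #{net.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  socket = "/var/opt/gitlab/registry/socket" # path taken from the issue
  puts naive_url(socket)
  puts usable_http_url?(naive_url(socket))
  puts default_registry_api_url("tcp", "localhost:5000")
  p default_registry_api_url("unix", socket)
end
```
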