tpotce/docker/tanner/snare/dist/pages/1/8ca6d490766990471a6658d4b8a30529


2018-08-14 14:20:55 +00:00
<!DOCTYPE html>
<html class="" lang="en">
<head prefix="og: http://ogp.me/ns#">
<meta charset="utf-8"/>
<meta content="IE=edge" http-equiv="X-UA-Compatible"/>
<meta content="object" property="og:type"/>
<meta content="GitLab" property="og:site_name"/>
<meta content="Container registry · Project · User · Help" property="og:title"/>
<meta content="GitLab Community Edition" property="og:description"/>
<meta content="http://172.20.254.127/assets/gitlab_logo-7ae504fe4f68fdebb3c2034e36621930cd36ea87924c11ff65dbcb8ed50dca58.png" property="og:image"/>
<meta content="64" property="og:image:width"/>
<meta content="64" property="og:image:height"/>
<meta content="http://172.20.254.127/help/user/project/container_registry.md" property="og:url"/>
<meta content="summary" property="twitter:card"/>
<meta content="Container registry · Project · User · Help" property="twitter:title"/>
<meta content="GitLab Community Edition" property="twitter:description"/>
<meta content="http://172.20.254.127/assets/gitlab_logo-7ae504fe4f68fdebb3c2034e36621930cd36ea87924c11ff65dbcb8ed50dca58.png" property="twitter:image"/>
<title>Container registry · Project · User · Help · GitLab</title>
<meta content="GitLab Community Edition" name="description"/>
<link data-original-href="/assets/favicon-7901bd695fb93edb07975966062049829afb56cf11511236e61bcf425070e36e.png" href="/assets/favicon-7901bd695fb93edb07975966062049829afb56cf11511236e61bcf425070e36e.png" id="favicon" rel="shortcut icon" type="image/png"/>
<link href="/assets/application-266f2bfa52ff531258d13c702895a14fd5994ca591fa2df7338da00ab18c99ac.css" media="all" rel="stylesheet"/>
<link href="/assets/print-c8ff536271f8974b8a9a5f75c0ca25d2b8c1dceb4cff3c01d1603862a0bdcbfc.css" media="print" rel="stylesheet"/>
<script>
//<![CDATA[
window.gon={};gon.api_version="v4";gon.default_avatar_url="http://172.20.254.127/assets/no_avatar-849f9c04a3a0d0cea2424ae97b27447dc64a7dbfae83c036c45b403392f0e8ba.png";gon.max_file_size=10;gon.asset_host=null;gon.webpack_public_path="/assets/webpack/";gon.relative_url_root="";gon.shortcuts_path="/help/shortcuts";gon.user_color_scheme="white";gon.gitlab_url="http://172.20.254.127";gon.revision="63daf37";gon.gitlab_logo="/assets/gitlab_logo-7ae504fe4f68fdebb3c2034e36621930cd36ea87924c11ff65dbcb8ed50dca58.png";gon.sprite_icons="/assets/icons-07542808fffaf82e9b57b144464ea42620b32f65ce441c01528d23d4b96d5f11.svg";gon.sprite_file_icons="/assets/file_icons-7262fc6897e02f1ceaf8de43dc33afa5e4f9a2067f4f68ef77dcc87946575e9e.svg";gon.emoji_sprites_css_path="/assets/emoji_sprites-289eccffb1183c188b630297431be837765d9ff4aed6130cf738586fb307c170.css";gon.test_env=false;gon.suggested_label_colors=["#0033CC","#428BCA","#44AD8E","#A8D695","#5CB85C","#69D100","#004E00","#34495E","#7F8C8D","#A295D6","#5843AD","#8E44AD","#FFECDB","#AD4363","#D10069","#CC0033","#FF0000","#D9534F","#D1D100","#F0AD4E","#AD8D43"];
//]]>
</script>
<script defer="defer" src="/assets/webpack/runtime.9fcb75d4.bundle.js"></script>
<script defer="defer" src="/assets/webpack/main.a66b6c66.chunk.js"></script>
<script defer="defer" src="/assets/webpack/pages.help.show.c42c0700.chunk.js"></script>
<meta content="authenticity_token" name="csrf-param">
<meta content="y9k8koJajnakk6cSfJI3l8kPJYphDVXcwEULmFn7dao04T1SvWyVs8Y6vmbEByJu78c9qnyi1QySCiPYGX5DXw==" name="csrf-token">
<meta content="origin-when-cross-origin" name="referrer"/>
<meta content="width=device-width, initial-scale=1, maximum-scale=1" name="viewport"/>
<meta content="#474D57" name="theme-color"/>
<link href="/assets/touch-icon-iphone-5a9cee0e8a51212e70b90c87c12f382c428870c0ff67d1eb034d884b78d2dae7.png" rel="apple-touch-icon" type="image/x-icon"/>
<link href="/assets/touch-icon-ipad-a6eec6aeb9da138e507593b464fdac213047e49d3093fc30e90d9a995df83ba3.png" rel="apple-touch-icon" sizes="76x76" type="image/x-icon"/>
<link href="/assets/touch-icon-iphone-retina-72e2aadf86513a56e050e7f0f2355deaa19cc17ed97bbe5147847f2748e5a3e3.png" rel="apple-touch-icon" sizes="120x120" type="image/x-icon"/>
<link href="/assets/touch-icon-ipad-retina-8ebe416f5313483d9c1bc772b5bbe03ecad52a54eba443e5215a22caed2a16a2.png" rel="apple-touch-icon" sizes="152x152" type="image/x-icon"/>
<link color="rgb(226, 67, 41)" href="/assets/logo-d36b5212042cebc89b96df4bf6ac24e43db316143e89926c0db839ff694d2de4.svg" rel="mask-icon"/>
<meta content="/assets/msapplication-tile-1196ec67452f618d39cdd85e2e3a542f76574c071051ae7effbfde01710eb17d.png" name="msapplication-TileImage"/>
<meta content="#30353E" name="msapplication-TileColor"/>
</meta></meta></head>
<body class="ui-indigo " data-group="" data-page="help:show" data-project="">
<div class="layout-page">
<div class="content-wrapper">
<div class="mobile-overlay"></div>
<div class="alert-wrapper">
<div class="flash-container flash-container-page">
</div>
</div>
<div class="container-fluid container-limited ">
<div class="content" id="content-body">
<div class="documentation wiki prepend-top-default">
<h1 dir="auto">
<a aria-hidden="true" class="anchor" href="#gitlab-container-registry" id="user-content-gitlab-container-registry"></a>GitLab Container Registry</h1>
<blockquote dir="auto">
<p><strong>Notes:</strong>
<a href="https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4040" rel="nofollow noreferrer noopener" target="_blank">Introduced</a> in GitLab 8.8.</p>
</blockquote>
<ul dir="auto">
<li>Docker Registry manifest <code>v1</code> support was added in GitLab 8.9 to support Docker
versions earlier than 1.10.</li>
<li>This document is about the user guide. To learn how to enable GitLab Container
Registry across your GitLab instance, visit the
<a href="/administration/container_registry.md">administrator documentation</a>.</li>
<li>Starting from GitLab 8.12, if you have 2FA enabled in your account, you need
to pass a <a href="/profile/personal_access_tokens.md">personal access token</a> instead of your password in order to
log in to GitLab's Container Registry.</li>
<li>Support for multi-level image names was added in GitLab 9.1.</li>
</ul>
<p dir="auto">With the Docker Container Registry integrated into GitLab, every project can
have its own space to store its Docker images.</p>
<p dir="auto">You can read more about Docker Registry at <a href="https://docs.docker.com/registry/introduction/" rel="nofollow noreferrer noopener" target="_blank">https://docs.docker.com/registry/introduction/</a>.</p>
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#enable-the-container-registry-for-your-project" id="user-content-enable-the-container-registry-for-your-project"></a>Enable the Container Registry for your project</h2>
<p dir="auto"><strong>Note:</strong>
If you cannot find the Container Registry entry under your project's settings,
that means that it is not enabled in your GitLab instance. Ask your administrator
to enable it.</p>
<ol dir="auto">
<li>First, ask your system administrator to enable GitLab Container Registry
following the <a href="/administration/container_registry.md">administration documentation</a>.
If you are using GitLab.com, this is enabled by default so you can start using
the Registry immediately. Currently there is a soft (10GB) size restriction for
registry on GitLab.com, as part of the <a href="repository/index.html#repository-size">repository size limit</a>.</li>
<li>Go to your <a href="settings/index.md#sharing-and-permissions">project's General settings</a>
and enable the <strong>Container Registry</strong> feature on your project. For new
projects this might be enabled by default. For existing projects
(prior to GitLab 8.8), you will have to explicitly enable it.</li>
<li>Hit <strong>Save changes</strong> for the changes to take effect. You should now be able
to see the <strong>Registry</strong> link in the sidebar.</li>
</ol>
<p dir="auto"><a class="no-attachment-icon" href="/img/container_registry.png" rel="noopener noreferrer" target="_blank"><img alt="Container Registry" class="lazy" data-src="img/container_registry.png" src=""/></a></p>
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#build-and-push-images" id="user-content-build-and-push-images"></a>Build and push images</h2>
<blockquote dir="auto">
<p><strong>Notes:</strong></p>
</blockquote>
<ul dir="auto">
<li>Moving or renaming existing container registry repositories is not supported
once you have pushed images because the images are signed, and the
signature includes the repository name.</li>
<li>To move or rename a repository with a container registry you will have to
delete all existing images.</li>
</ul>
<p dir="auto">If you visit the <strong>Registry</strong> link under your project's menu, you can see the
explicit instructions to log in to the Container Registry using your GitLab
credentials.</p>
<p dir="auto">For example, if the Registry's URL is <code>registry.example.com</code>, then you should be
able to log in with:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">docker login registry.example.com</span></code></pre>
<p dir="auto">Building and publishing images should be a straightforward process. Just make
sure that you are using the Registry URL with the namespace and project name
that is hosted on GitLab:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">docker build -t registry.example.com/group/project/image .</span>
<span class="line" id="LC2" lang="plaintext">docker push registry.example.com/group/project/image</span></code></pre>
<p dir="auto">Your image will be named after the following scheme:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">&lt;registry URL&gt;/&lt;namespace&gt;/&lt;project&gt;/&lt;image&gt;</span></code></pre>
<p dir="auto">GitLab supports up to three levels of image repository names.</p>
<p dir="auto">The following examples of image tags are valid:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">registry.example.com/group/project:some-tag</span>
<span class="line" id="LC2" lang="plaintext">registry.example.com/group/project/image:latest</span>
<span class="line" id="LC3" lang="plaintext">registry.example.com/group/project/my/image:rc1</span></code></pre>
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#use-images-from-gitlab-container-registry" id="user-content-use-images-from-gitlab-container-registry"></a>Use images from GitLab Container Registry</h2>
<p dir="auto">To download and run a container from images hosted in GitLab Container Registry,
use <code>docker run</code>:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">docker run [options] registry.example.com/group/project/image [arguments]</span></code></pre>
<p dir="auto">For more information on running Docker containers, visit the
<a href="https://docs.docker.com/engine/userguide/intro/" rel="nofollow noreferrer noopener" target="_blank">Docker documentation</a>.</p>
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#control-container-registry-from-within-gitlab" id="user-content-control-container-registry-from-within-gitlab"></a>Control Container Registry from within GitLab</h2>
<p dir="auto">GitLab offers a simple Container Registry management panel. Go to your project
and click <strong>Registry</strong> in the project menu.</p>
<p dir="auto">This view will show you all tags in your project and will easily allow you to
delete them.</p>
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#build-and-push-images-using-gitlab-ci" id="user-content-build-and-push-images-using-gitlab-ci"></a>Build and push images using GitLab CI</h2>
<blockquote dir="auto">
<p><strong>Note:</strong>
This feature requires GitLab 8.8 and GitLab Runner 1.2.</p>
</blockquote>
<p dir="auto">Make sure that your GitLab Runner is configured to allow building Docker images by
following the <a href="/ci/docker/using_docker_build.md">Using Docker Build</a>
and <a href="../../ci/docker/using_docker_build.md#using-the-gitlab-container-registry">Using the GitLab Container Registry documentation</a>.</p>
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#using-with-private-projects" id="user-content-using-with-private-projects"></a>Using with private projects</h2>
<blockquote dir="auto">
<p>Personal Access tokens were <a href="https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11845" rel="nofollow noreferrer noopener" target="_blank">introduced</a> in GitLab 9.3.
Project Deploy Tokens were <a href="https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17894" rel="nofollow noreferrer noopener" target="_blank">introduced</a> in GitLab 10.7.</p>
</blockquote>
<p dir="auto">If a project is private, credentials will need to be provided for authorization.
The preferred way to do this is by using either a <a href="/profile/personal_access_tokens.md">personal access token</a> or a <a href="/project/deploy_tokens/index.md">project deploy token</a>.
The minimal scope needed for both of them is <code>read_registry</code>.</p>
<p dir="auto">Example of using a personal access token:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">docker login registry.example.com -u &lt;your_username&gt; -p &lt;your_access_token&gt;</span></code></pre>
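<p dir="auto">Passing the token with <code>-p</code> leaves it in the shell history and visible in the process list. The following is an added example, not part of the GitLab documentation: it reads a <code>read_registry</code> token from a file and hands it to <code>docker login --password-stdin</code>. The function name, the token file and the permission check are assumptions made for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the GitLab documentation): log in to the registry
# without putting the access token on the command line.
# The registry host, user name and token file are supplied by the caller.

# registry_login REGISTRY USERNAME TOKEN_FILE
# Returns 2 on a usage error, 3 if the token file is missing, readable by
# group/others, or empty; otherwise the exit status of `docker login`.
registry_login() {
    [ "$#" -eq 3 ] || {
        echo "usage: registry_login REGISTRY USERNAME TOKEN_FILE" >&2
        return 2
    }
    registry=$1
    user=$2
    token_file=$3

    if [ ! -f "$token_file" ] || [ ! -r "$token_file" ]; then
        echo "token file missing or unreadable: $token_file" >&2
        return 3
    fi

    # Characters 5-10 of the `ls -l` mode string are the group and other
    # permission bits; all of them must be unset.
    perms=$(ls -ld -- "$token_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $token_file: group or others can access it" >&2
        return 3
    fi

    # Drop the trailing newline (and any stray whitespace) an editor adds.
    token=$(tr -d '[:space:]' < "$token_file")
    [ -n "$token" ] || {
        echo "token file is empty: $token_file" >&2
        return 3
    }

    # --password-stdin keeps the token out of argv and the shell history.
    printf '%s' "$token" | docker login "$registry" -u "$user" --password-stdin
}

# Typical call (placeholder values):
#   registry_login registry.example.com your_username ~/.config/registry-token
```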
<h2 dir="auto">
<a aria-hidden="true" class="anchor" href="#troubleshooting-the-gitlab-container-registry" id="user-content-troubleshooting-the-gitlab-container-registry"></a>Troubleshooting the GitLab Container Registry</h2>
<h3 dir="auto">
<a aria-hidden="true" class="anchor" href="#basic-troubleshooting" id="user-content-basic-troubleshooting"></a>Basic Troubleshooting</h3>
<ol dir="auto">
<li>
<p>Check to make sure that the system clocks on your Docker client and GitLab server have
been synchronized (e.g. via NTP).</p>
</li>
<li>
<p>If you are using an S3-backed Registry, double check that the IAM
permissions and the S3 credentials (including region) are correct. See <a href="https://docs.docker.com/registry/storage-drivers/s3/" rel="nofollow noreferrer noopener" target="_blank">the
sample IAM policy</a>
for more details.</p>
</li>
<li>
<p>Check the Registry logs (e.g. <code>/var/log/gitlab/registry/current</code>) and the GitLab production logs
for errors (e.g. <code>/var/log/gitlab/gitlab-rails/production.log</code>). You may be able to find clues
there.</p>
</li>
</ol>
<h4 dir="auto">
<a aria-hidden="true" class="anchor" href="#enable-the-registry-debug-server" id="user-content-enable-the-registry-debug-server"></a>Enable the registry debug server</h4>
<p dir="auto">The optional debug server can be enabled by setting the registry debug address
in your <code>gitlab.rb</code> configuration.</p>
<pre class="code highlight js-syntax-highlight ruby" lang="ruby" v-pre="true"><code><span class="line" id="LC1" lang="ruby"><span class="n">registry</span><span class="p">[</span><span class="s1">'debug_addr'</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"localhost:5001"</span></span></code></pre>
<p dir="auto">After adding the setting, <a href="../../administration/restart_gitlab.md#omnibus-gitlab-reconfigure">reconfigure</a> GitLab to apply the change.</p>
<p dir="auto">Use curl to request debug output from the debug server:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell">curl localhost:5001/debug/health</span>
<span class="line" id="LC2" lang="shell">curl localhost:5001/debug/vars</span></code></pre>
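<p dir="auto">The debug endpoints return internal state of the registry process, so the address should stay on loopback as in the setting above. The following is an added example, not part of the GitLab documentation: it reads <code>registry['debug_addr']</code> from a <code>gitlab.rb</code> file and reports whether the listener is reachable from other hosts. The function names and the output format are assumptions made for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the GitLab documentation): check that the registry
# debug server configured in gitlab.rb listens on loopback only.
# The path to gitlab.rb is supplied by the caller.

# is_loopback_host HOST -> 0 if HOST is only reachable from the local machine
is_loopback_host() {
    case "$1" in
        localhost|"[::1]") return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
}

# check_debug_addr GITLAB_RB
# Prints "unset", "loopback ADDR" or "exposed ADDR".
# Returns 0 for unset/loopback, 1 for exposed, 2 if the file cannot be read.
check_debug_addr() {
    conf=$1
    [ -r "$conf" ] || {
        echo "cannot read $conf" >&2
        return 2
    }

    # Commented-out lines are skipped; the last assignment wins, as it does
    # when gitlab.rb is evaluated.
    addr=$(sed -n "s/^[[:space:]]*registry\['debug_addr'][[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$conf" | tail -n 1)

    if [ -z "$addr" ]; then
        echo "unset"
        return 0
    fi

    # Everything before the last colon is the host. An empty host (":5001")
    # makes the listener bind every interface.
    host=${addr%:*}
    if is_loopback_host "$host"; then
        echo "loopback $addr"
        return 0
    fi

    echo "exposed $addr"
    return 1
}

# Typical call on an Omnibus installation:
#   check_debug_addr /etc/gitlab/gitlab.rb
```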
<h3 dir="auto">
<a aria-hidden="true" class="anchor" href="#advanced-troubleshooting" id="user-content-advanced-troubleshooting"></a>Advanced Troubleshooting</h3>
<blockquote dir="auto">
<p><strong>NOTE:</strong> The following section is only recommended for experts.</p>
</blockquote>
<p dir="auto">Sometimes it's not obvious what is wrong, and you may need to dive deeper into
the communication between the Docker client and the Registry to find out
what's wrong. We will use a concrete example from the past to illustrate how to
diagnose a problem with the S3 setup.</p>
<h4 dir="auto">
<a aria-hidden="true" class="anchor" href="#unexpected-403-error-during-push" id="user-content-unexpected-403-error-during-push"></a>Unexpected 403 error during push</h4>
<p dir="auto">A user attempted to enable an S3-backed Registry. The <code>docker login</code> step went
fine. However, when pushing an image, the output showed:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span class="line" id="LC1" lang="plaintext">The push refers to a repository [s3-testing.myregistry.com:4567/root/docker-test/docker-image]</span>
<span class="line" id="LC2" lang="plaintext">dc5e59c14160: Pushing [==================================================&gt;] 14.85 kB</span>
<span class="line" id="LC3" lang="plaintext">03c20c1a019a: Pushing [==================================================&gt;] 2.048 kB</span>
<span class="line" id="LC4" lang="plaintext">a08f14ef632e: Pushing [==================================================&gt;] 2.048 kB</span>
<span class="line" id="LC5" lang="plaintext">228950524c88: Pushing 2.048 kB</span>
<span class="line" id="LC6" lang="plaintext">6a8ecde4cc03: Pushing [==&gt; ] 9.901 MB/205.7 MB</span>
<span class="line" id="LC7" lang="plaintext">5f70bf18a086: Pushing 1.024 kB</span>
<span class="line" id="LC8" lang="plaintext">737f40e80b7f: Waiting</span>
<span class="line" id="LC9" lang="plaintext">82b57dbc5385: Waiting</span>
<span class="line" id="LC10" lang="plaintext">19429b698a22: Waiting</span>
<span class="line" id="LC11" lang="plaintext">9436069b92a3: Waiting</span>
<span class="line" id="LC12" lang="plaintext">error parsing HTTP 403 response body: unexpected end of JSON input: ""</span></code></pre>
<p dir="auto">This error is ambiguous, as it's not clear whether the 403 is coming from the
GitLab Rails application, the Docker Registry, or something else. In this
case, since we know that the login succeeded, we probably need to look
at the communication between the client and the Registry.</p>
<p dir="auto">The REST API between the Docker client and Registry is <a href="https://docs.docker.com/registry/spec/api/" rel="nofollow noreferrer noopener" target="_blank">described
here</a>. Normally, one would just
use Wireshark or tcpdump to capture the traffic and see where things went
wrong. However, since all communication between Docker clients and servers
is done over HTTPS, it's a bit difficult to decrypt the traffic quickly even
if you know the private key. What can we do instead?</p>
<p dir="auto">One way would be to disable HTTPS by setting up an <a href="https://docs.docker.com/registry/insecure/" rel="nofollow noreferrer noopener" target="_blank">insecure
Registry</a>. This could introduce a
security hole and is only recommended for local testing. If you have a
production system and can't or don't want to do this, there is another way:
use mitmproxy, which stands for Man-in-the-Middle Proxy.</p>
<h4 dir="auto">
<a aria-hidden="true" class="anchor" href="#mitmproxy" id="user-content-mitmproxy"></a>mitmproxy</h4>
<p dir="auto"><a href="https://mitmproxy.org/" rel="nofollow noreferrer noopener" target="_blank">mitmproxy</a> allows you to place a proxy between your
client and server to inspect all traffic. One wrinkle is that your system
needs to trust the mitmproxy SSL certificates for this to work.</p>
<p dir="auto">The following installation instructions assume you are running Ubuntu:</p>
<ol dir="auto">
<li>
<p>Install mitmproxy (see <a href="http://docs.mitmproxy.org/en/stable/install.html" rel="nofollow noreferrer noopener" target="_blank">http://docs.mitmproxy.org/en/stable/install.html</a>)</p>
</li>
<li>
<p>Run <code>mitmproxy --port 9000</code> to generate its certificates.
Enter <kbd>CTRL</kbd>-<kbd>C</kbd> to quit.</p>
</li>
<li>
<p>Install the certificate from <code>~/.mitmproxy</code> to your system:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell"><span class="nb">sudo cp</span> ~/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt</span>
<span class="line" id="LC2" lang="shell"><span class="nb">sudo </span>update-ca-certificates</span></code></pre>
</li>
</ol>
<p dir="auto">If successful, the output should indicate that a certificate was added:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell">Updating certificates <span class="k">in</span> /etc/ssl/certs... 1 added, 0 removed<span class="p">;</span> <span class="k">done</span><span class="nb">.</span></span>
<span class="line" id="LC2" lang="shell">Running hooks <span class="k">in</span> /etc/ca-certificates/update.d....done.</span></code></pre>
<p dir="auto">To verify that the certificates are properly installed, run:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell">mitmproxy <span class="nt">--port</span> 9000</span></code></pre>
<p dir="auto">This will run mitmproxy on port <code>9000</code>. In another window, run:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell">curl <span class="nt">--proxy</span> http://localhost:9000 https://httpbin.org/status/200</span></code></pre>
<p dir="auto">If everything is set up correctly, you will see information on the mitmproxy window and
no errors from the curl commands.</p>
<h4 dir="auto">
<a aria-hidden="true" class="anchor" href="#running-the-docker-daemon-with-a-proxy" id="user-content-running-the-docker-daemon-with-a-proxy"></a>Running the Docker daemon with a proxy</h4>
<p dir="auto">For Docker to connect through a proxy, you must start the Docker daemon with the
proper environment variables. The easiest way is to shut down Docker (e.g. <code>sudo initctl stop docker</code>)
and then run Docker by hand. As root, run:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell"><span class="nb">export </span><span class="nv">HTTP_PROXY</span><span class="o">=</span><span class="s2">"http://localhost:9000"</span></span>
<span class="line" id="LC2" lang="shell"><span class="nb">export </span><span class="nv">HTTPS_PROXY</span><span class="o">=</span><span class="s2">"https://localhost:9000"</span></span>
<span class="line" id="LC3" lang="shell">docker daemon <span class="nt">--debug</span></span></code></pre>
<p dir="auto">This will launch the Docker daemon and proxy all connections through mitmproxy.</p>
<h4 dir="auto">
<a aria-hidden="true" class="anchor" href="#running-the-docker-client" id="user-content-running-the-docker-client"></a>Running the Docker client</h4>
<p dir="auto">Now that we have mitmproxy and Docker running, we can attempt to log in and push
a container image. You may need to run as root to do this. For example:</p>
<pre class="code highlight js-syntax-highlight shell" lang="shell" v-pre="true"><code><span class="line" id="LC1" lang="shell">docker login s3-testing.myregistry.com:4567</span>
<span class="line" id="LC2" lang="shell">docker push s3-testing.myregistry.com:4567/root/docker-test/docker-image</span></code></pre>
<p dir="auto">In the example above, we see the following trace on the mitmproxy window:</p>
<p dir="auto"><a class="no-attachment-icon" href="/img/mitmproxy-docker.png" rel="noopener noreferrer" target="_blank"><img alt="mitmproxy output from Docker" class="lazy" data-src="img/mitmproxy-docker.png" src=""/></a></p>
<p dir="auto">The above image shows:</p>
<ul dir="auto">
<li>The initial PUT requests went through fine with a 201 status code.</li>
<li>The 201 redirected the client to the S3 bucket.</li>
<li>The HEAD request to the AWS bucket reported a 403 Unauthorized.</li>
</ul>
<p dir="auto">What does this mean? This strongly suggests that the S3 user does not have the right
<a href="http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html" rel="nofollow noreferrer noopener" target="_blank">permissions to perform a HEAD request</a>.
The solution: check the <a href="https://docs.docker.com/registry/storage-drivers/s3/" rel="nofollow noreferrer noopener" target="_blank">IAM permissions again</a>.
Once the right permissions are set, the error will go away.</p>
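<p dir="auto">The mitmproxy CA installed for this session stays trusted system-wide, and the proxy variables stay exported, until they are removed. The following is an added example, not part of the GitLab documentation: it reports what the steps above leave behind and undoes them. The function names are assumptions; the certificate file name, directory and port are the ones used in the commands on this page.</p>

```shell
#!/bin/sh
# Added example (not from the GitLab documentation): find and undo what the
# mitmproxy debugging session leaves on the machine.

MITM_CA_NAME="mitmproxy-ca-cert.crt"   # file name used in the install step
MITM_PROXY_ADDR="localhost:9000"       # proxy address used on this page
MITM_CA_DIR="/usr/local/share/ca-certificates"

# mitm_leftovers [CA_DIR]
# Prints one line per leftover; returns 1 if any were found, 0 if clean.
mitm_leftovers() {
    ca_dir=${1:-$MITM_CA_DIR}
    found=0

    # The copied CA stays in the trust store until it is removed and the
    # certificate bundle is rebuilt.
    if [ -e "$ca_dir/$MITM_CA_NAME" ]; then
        echo "ca $ca_dir/$MITM_CA_NAME"
        found=1
    fi

    # Proxy variables exported for the Docker daemon persist in that shell.
    for var in HTTP_PROXY HTTPS_PROXY http_proxy https_proxy; do
        eval "val=\${$var:-}"
        case "$val" in
            *"$MITM_PROXY_ADDR"*)
                echo "env $var=$val"
                found=1
                ;;
        esac
    done

    return "$found"
}

# mitm_cleanup [CA_DIR]
# Removes the CA file, rebuilds the system bundle when the real directory is
# used (needs root), and clears the proxy variables in the current shell.
mitm_cleanup() {
    ca_dir=${1:-$MITM_CA_DIR}
    rm -f "$ca_dir/$MITM_CA_NAME"
    if [ "$ca_dir" = "$MITM_CA_DIR" ]; then
        update-ca-certificates --fresh
    fi
    unset HTTP_PROXY HTTPS_PROXY http_proxy https_proxy
}
```

<p dir="auto">Run <code>mitm_leftovers</code> in the root shell that started the Docker daemon, then <code>mitm_cleanup</code>, and restart Docker normally afterwards.</p>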
</div>
</div>
</div>
</div>
</div>
</body>
</html>