关于开启Container Registry，官方文档有做说明，emmm，一言难尽吧，特别简洁，然后自己开启的时候遇到了很多坑，算是记录一下吧。

官方文档：https://docs.gitlab.com/ee/user/packages/container_registry/

1、开启 Container Registry

gitlab官方文档有明确的说明，仅8.8版本及以上才有这个功能。

官方文档上是在界面端配置的，然而，我并没有看到这个配置，下面是我的版本号：

[root@localhost ssl]# cat /opt/gitlab/embedded/service/gitlab-rails/VERSION
13.2.3

直接修改gitlab配置文件： vim /etc/gitlab/gitlab.rb

//外部访问地址，此处被nginx代理，暴露给外部访问
registry_external_url 'http://xxx.com'
//启用
gitlab_rails['registry_enabled'] = true
//registry 服务ip
gitlab_rails['registry_host'] = "172.29.1.70"
//registry 服务真正端口
gitlab_rails['registry_port'] = "5000"

这里需要注意的是，registry_external_url是外部访问的url，如docker需要pull和push，都是访问该路径。然后，刷新配置，重启：

gitlab-ctl reconfigure
gitlab-ctl restart

这个时候，可以在浏览器访问下registry_external_url：

70921f0bb0c52804ec2575cf0bc777f.png

可以看到，是一个空白页面，别慌，正常现象。

2、Docker访问

私有镜像仓库搭好了，该用docker测试访问一下

[root@localhost mysql]# docker login http://xxx.com -u root -p xxx
Error response from daemon: Get https://xxx.com/v1/users/: http: server gave HTTP response to HTTPS client

访问报错，而且，指令中请求使用的是http协议，docker使用的却是https。在这个地方，搜了一下，有很多人是修改/etc/docker/daemon.json文件，添加以下配置：

"insecure-registries":["ip:port"]

然而，启动的时候报错，可能只有我这里有这个问题：

[root@localhost mysql]# systemctl status docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 二 2020-11-17 15:18:43 CST; 7s ago
     Docs: http://docs.docker.com
  Process: 18488 ExecStart=/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --init-path=/usr/libexec/docker/docker-init-current --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY $REGISTRIES (code=exited, status=1/FAILURE)
 Main PID: 18488 (code=exited, status=1/FAILURE)

11月 17 15:18:43 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
11月 17 15:18:43 localhost.localdomain dockerd-current[18488]: unable to configure the Docker daemon with file /etc/docker/daemon.json: the following direct...0:5050])
11月 17 15:18:43 localhost.localdomain systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
11月 17 15:18:43 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
11月 17 15:18:43 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
11月 17 15:18:43 localhost.localdomain systemd[1]: docker.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

于是修改删除，重新启动，找到启动配置文件：/usr/lib/systemd/system/docker.service，这个文件（在systemctl status指令下能找到服务启动的文件）里面包含docker的配置文件所在的位置：

Description=Docker Application Container Engine
  3 Documentation=http://docs.docker.com
  4 After=network.target
  5 Wants=docker-storage-setup.service
  6 Requires=docker-cleanup.timer
  7 
  8 [Service]
  9 Type=notify
 10 NotifyAccess=main
 //以下引入配置文件及环境变量
 11 EnvironmentFile=-/run/containers/registries.conf
 12 EnvironmentFile=-/etc/sysconfig/docker
 13 EnvironmentFile=-/etc/sysconfig/docker-storage
 14 EnvironmentFile=-/etc/sysconfig/docker-network
 15 Environment=GOTRACEBACK=crash
 16 Environment=DOCKER_HTTP_HOST_COMPAT=1
 17 Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
 18 ExecStart=/usr/bin/dockerd-current \
 19           --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
 20           --default-runtime=docker-runc \
 21           --exec-opt native.cgroupdriver=systemd \
 22           --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
 23           --init-path=/usr/libexec/docker/docker-init-current \
 24           --seccomp-profile=/etc/docker/seccomp.json \
 25           $OPTIONS \
 26           $DOCKER_STORAGE_OPTIONS \
 27           $DOCKER_NETWORK_OPTIONS \
 28           $ADD_REGISTRY \
 29           $BLOCK_REGISTRY \
 30           $INSECURE_REGISTRY \
 31       $REGISTRIES
 32 ExecReload=/bin/kill -s HUP $MAINPID
 33 LimitNOFILE=1048576
 34 LimitNPROC=1048576
 35 LimitCORE=infinity
 36 TimeoutStartSec=0
 37 Restart=on-abnormal
 38 KillMode=process
 39 

于是，我在/etc/sysconfig/docker文件中修改：

OPTIONS='--selinux-enabled=false --insecure-registry xxx.com --log-driver=journald'

设置私有库，然后重启：

[root@localhost mysql]# service docker restart
Redirecting to /bin/systemctl restart docker.service
[root@localhost mysql]# systemctl status docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: active (running) since 二 2020-11-17 15:25:44 CST; 9s ago
     Docs: http://docs.docker.com
 Main PID: 23295 (dockerd-current)
   Memory: 22.9M
   CGroup: /system.slice/docker.service
           ├─23295 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupd...
           └─23303 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-...

11月 17 15:25:43 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:43.481151266+08:00" level=info msg="libcontainerd: new containerd proc...: 23303"
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.492774158+08:00" level=info msg="Graph migration to content-address...seconds"
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.493754865+08:00" level=info msg="Loading containers: start."
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.509437763+08:00" level=info msg="Firewalld running: false"
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.567080971+08:00" level=info msg="Default bridge (docker0) is assign...address"
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.595571883+08:00" level=info msg="Loading containers: done."
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.612819377+08:00" level=info msg="Daemon has completed initialization"
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.612848894+08:00" level=info msg="Docker daemon" commit="0be3e21/1.1...n=1.13.1
11月 17 15:25:44 localhost.localdomain dockerd-current[23295]: time="2020-11-17T15:25:44.618192007+08:00" level=info msg="API listen on /var/run/docker.sock"
11月 17 15:25:44 localhost.localdomain systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.

启动成功，然后再登录：

[root@localhost mysql]# docker login http://xxx.com -u root -p xxx
Login Succeeded

登录成功！

ps：官方文档有说明，如果启用了双重验证（Two-Factor Authentication）则不应该输入密码，而是token：

 docker login xxx.com -u <username> -p <token>