Docker-gitlab: "getsockopt: connection refused" when execute "docker login" on my own registry

I have the exact same problem. My setting are nearly identical to yours.

Maybe you made a typo: registry.gitlab.colaspomies.fr:5500 or registry.gitlab.mysite.fr:5500?

... Sorry mistake when I write the issue. I wrote mysite instead of colaspomies. I just forget to replace it when I wrote the issue. I change it.

In my case I am positive that I am typing it correctly.

Me too I am typing correctly in my configuration !

Try set the GITLAB_REGISTRY_PORT to 5000 (I think you could remove the 5500:5500 from gitlab)

Also you should connect to port 5000 (the registry itself) docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.mysite.fr:5000

The registry will then use GitLab to authenticate.

Okay so I try different case and for each I reinstall all :

• stop & rm all docker
• rm /srv/docker/gitlab && rm /srv/docker/gitlab-runner
• recreate ssl certificate
• execute docker-compose
• reinstall gitlab-runner

1 - set GITLAB_REGISTRY_PORT to 5000
2 - connect direct to port 5000 with docker login
3 - set GITLAB_REGISTRY_PORT to 5000 && connect direct to port 5000 with docker login

And I've got the same error :

Error response from daemon: Get https://registry.gitlab.mysite.fr:5500/v1/users/: dial tcp XX.XX.XX.XX:5500: getsockopt: connection refused

Mmm... That's strange because 5500 shouldn't be defined anywhere.

I applied (or I try to apply) the method defined here for the registry

If you want more information this is ALL commands I execute :

• Before all, in my domain name page configuration I set :

gitlab.mysite.fr -> my server IP
registry.gitlab.mysite.fr -> my server IP

• Stop all my docker and delete them

docker stop gitlab-runner mysite_gitlab_1 mysite_registry_1 mysite_postgresql_1 mysite_redis_1;
docker rm gitlab-runner mysite_gitlab_1 mysite_registry_1 mysite_postgresql_1 mysite_redis_1;

• Clean the persistant directory for gitlab and create certificate (with root user)

rm -r /srv/docker/gitlab;
mkdir -p /srv/docker/gitlab/gitlab_registry/certs;
cd /srv/docker/gitlab/gitlab_registry/certs;
openssl req -nodes -newkey rsa:4096 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=gitlab-issuer";
openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650;

• Execute docker-compose with this this docker-compose.yml (same as define upper in the issue) : docker-compose.yml
  docker-compose up -d
• Waiting until gitlab is avaible at gitlab.mysite.fr (~5min)
• Connect to gitlab.mysite.fr and do :
  
  
  
  • Set root mdp
  
  
  • Create new user (myuser) and connect with it
  
  
  • Create new project : my-other-site.fr
  
  
• Clean the persistant directory for gitlab-runner (with user root)
  rm -r /srv/docker/gitlab-runner
• Create gitlab-runner with docker

docker run -d --name gitlab-runner --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /srv/docker/gitlab-runner/config:/etc/gitlab-runner \
  gitlab/gitlab-runner:latest

• Register the gitlab-runner to my gitlab (with the url and token get from the runner part of gitlab)

docker exec -it gitlab-runner gitlab-ci-multi-runner register -n \
  --url http://gitlab.mysite.fr/ci \
  --registration-token TOKEN_FROM_GITLAB \
  --executor docker \
  --description "My Docker Runner" \
  --docker-image "docker:latest" \
  --docker-volumes /var/run/docker.sock:/var/run/docker.sock

• From my computer I add some file in the repo
  
  
  
  • A codedirectory wich contains an index.html file
  
  
  • A Dockerfile : Dockerfile
  
  
  • A .gitlab-ci.yml : .gitlab-ci.yml
  
  
• When I push this the gitlab-ci is activate and execute the before_script :
  docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.mysite.fr:5500
• TADAAAAAAAA !!! In the logs of the pipeline we can see that we have the error :
  Error response from daemon: Get https://registry.gitlab.mysite.fr:5500/v1/users/: dial tcp XX.XX.XX.XX:5500: getsockopt: connection refused

I execute all these steps and nothing more !

I see.

So after diggin' through, I've found the cause and a solution.

Short story: you should not want to use self-signed certificates in production. It's a pain because every docker client has to have your .crt.

When using a self-signed:

• As stated on the registry docs: "Be sure to use the name myregistrydomain.com as a CN." In this case 'gitlab-issuer' is not a valid CN, use registry.gitlab.mysite.fr.
• Copy your generated registry-auth.crt file to /etc/docker/certs.d/registry.gitlab.mysite.fr:5000/ca.crt on the machine where the Docker daemon is running.
• The docker daemon has to be initialised with the --insecure-registry-flag. I did apply this with my docker-machine thanks to this post (see comment from RAY at MAY 14, 2016)
• Add port "5000:5000" to the registry service, else the runner is unable to connect to it. (I assume the 5500 on the gitlab service is not being used, therefore could be removed)
• Add these env vars to the registry service: (see the docs)
  REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt
REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key
• Make sure you have the docker.sock mounted with your gitlab-multi-runner
• Make sure to mount the docker.sock inside your runners:
  docker exec -it gitlab-runner vi /etc/gitlab-runner/config.toml
  and add the docker.sock:
  volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]

Since I've done a lot of trail and error, it could be that some steps are unnecessary. I hope I did not forget anything. 😅

I recommend to use valid ssl certificates for the registry as well as GitLab itself. Use LetsEncrypt for instance.

Just seeing your latest comment 😅

Woh ! Okay I will try all of this tomorow. I know for valid ssl and i program to add letsencrypt (need to learn how to use it before). I will comment with the result tomorow and hope close the issue

Okay so It's work but not totaly. I do all the modification you tell me to do and I connect to port 5000 and not to port 5500 in the docker login command.

The issue now is that I can't connect to my registry page in gitlab (http://gitlab.mysite.fr/myuser/myproject/container_registry).

This problem appear only when I add these line in my registry docker :

    - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt
    - REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key

And when these line are not here I can connect to my registry page but I cant connect to the registry with docker login. I will try to use LetsEncrypt and tell you if it's work but if you have some idea to solve this problem with self signed certificate it will be awsome !!

mmm... maybe you could find the cause by inspecting logs:
docker exec -it ..._gitlab_1 tail -n 100 /var/log/gitlab/gitlab/production.log ?

Started GET "/myuser/my-other-site.fr/container_registry" for XX.XX.XX.XX at 2016-09-15 23:44:59 +0200
Processing by Projects::ContainerRegistryController#index as HTML
Parameters: {"namespace_id"=>"myuser", "project_id"=>"my-other-site.fr"}
Completed 500 Internal Server Error in 381ms (ActiveRecord: 13.5ms)

Faraday::ConnectionFailed (wrong status line: "x15x03x01x00x02x02"):
lib/container_registry/client.rb:19:in repository_tags' lib/container_registry/repository.rb:22:inmanifest'
lib/container_registry/repository.rb:31:in tags' app/controllers/projects/container_registry_controller.rb:8:inindex'
lib/gitlab/request_profiler/middleware.rb:15:in call' lib/gitlab/middleware/go.rb:16:incall'

Could you paste your current docker-compose.yml?

In my last docker-compose I had - GITLAB_REGISTRY_API_URL=http://registry:5000 for gitlab container. I change it with - GITLAB_REGISTRY_API_URL=https://registry:5000 and now I got the error :

Started GET "/myuser/my-other-site.fr/container_registry" for XX.XX.XX.XX at 2016-09-16 00:02:54 +0200
Processing by Projects::ContainerRegistryController#index as HTML
  Parameters: {"namespace_id"=>"myuser", "project_id"=>"my-other-site.fr"}
Completed 500 Internal Server Error in 397ms (ActiveRecord: 18.5ms)

Faraday::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
  lib/container_registry/client.rb:19:in `repository_tags'
  lib/container_registry/repository.rb:22:in `manifest'
  lib/container_registry/repository.rb:31:in `tags'
  app/controllers/projects/container_registry_controller.rb:8:in `index'
  lib/gitlab/request_profiler/middleware.rb:15:in `call'
  lib/gitlab/middleware/go.rb:16:in `call'

Do you want my all docker-compose ?

Ok. Maybe with a stripped down env list.