Self-hosted GitLab registry: connection refused for localhost:5000



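I am using traefik as a reverse proxy (and for managing the Let's Encrypt certificates), and I am running a self-hosted GitLab instance. The GitLab image is a monolith containing all services, so both services (the registry and Git) need to be served from the same container.

With the configuration shown below, GitLab runs fine.

docker login registry.domain.com also works.

But navigating to the registry in the GitLab front end gives me a 500 error.

GitLab log: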

Errno::EADDRNOTAVAIL (Failed to open TCP connection to localhost:5000 (Cannot assign requested address - connect(2) for "localhost" port 5000)):

According to the documentation I read, port 5000 is the default port for the GitLab registry.

So I went into the GitLab container and tried to call localhost:5000:

$ docker exec -it gitlab /bin/bash
root@gitlab:/# curl -v http://localhost:5000
* Rebuilt URL to: http://localhost:5000/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 5000 failed: Connection refused
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: Cannot assign requested address
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: Cannot assign requested address
* Failed to connect to localhost port 5000: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 5000: Connection refused

Also, there is no 5000...

root@gitlab:/# netstat -tanpu | grep -i listen
tcp        0      0 127.0.0.1:9093          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.11:33383        0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9229          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9168          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      638/nginx       
tcp        0      0 127.0.0.1:8082          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9236          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      21/sshd         
tcp        0      0 0.0.0.0:8060            0.0.0.0:*               LISTEN      638/nginx       
tcp        0      0 127.0.0.1:9121          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:9187          0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::9094                 :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      21/sshd 

So what is missing in my configuration? How do I have to handle port 5000 in traefik?

docker-compose.yml

version: '3.3'
services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url = 'https://gitlab.domain.com'
        registry_external_url = 'https://registry.domain.com'
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
        gitlab_rails['registry_enabled'] = true
    ports:
      - '2222:22'
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.gitlab.frontend.rule=Host:gitlab.domain.com
      - traefik.gitlab.port=80
      - traefik.reg.frontend.rule=Host:registry.domain.com
      - traefik.reg.port=80
      - traefik.docker.network=proxy
  traefik:
    image: traefik:1.7.3-alpine
    restart: always
    ports:
      - 80:80
      - 443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/traefik/traefik.toml:/traefik.toml
      - /opt/traefik/acme.json:/acme.json
    labels:
      - traefik.frontend.rule=Host:monitor.domain.com
      - traefik.port=8080
    container_name: traefik
networks:
  proxy:
    external: true

traefik.toml

defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.dashboard]
address = ":8080"
[entryPoints.dashboard.auth]
[entryPoints.dashboard.auth.basic]
users = ["admin:password"]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[api]
entrypoint="dashboard"
[docker]
domain = "domain.com"
watch = true
network = "proxy"
[acme]
email = "notifications@domain.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"

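First: read "GitLab Container Registry administration" and make sure that:

  • the GitLab registry is activated in your omnibus image: by default, your gitlab.rb does not declare a registry.
  • you are using https, not http, for the URL.

By default, the container registry works under HTTPS. Using HTTP is possible, but it is not recommended and is out of the scope of this document. Read "Test an insecure registry".

Second, regarding traefik, you can see an example in docker-gitlab issue 1688, which does declare a traefik frontend for the registry part of GitLab.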

- traefik.enable=true
- traefik.backend=registry.demo.com
- traefik.frontend.rule=Host:registry.demo.com
- traefik.docker.network=traefik-00
- traefik.port=5000

If you really need to use traefik to expose the internal "https port 5000" registry through an external http URL, there is an example in this thread.
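
The two checks from the answer above (registry declared in gitlab.rb, URL over https), sketched as a small Python lint over a GITLAB_OMNIBUS_CONFIG body. This is an added example, not part of the original posts or of GitLab's tooling; `lint_omnibus` and `CALL_STYLE` are names made up here. It assumes that `external_url` and `registry_external_url` are written in gitlab.rb as bare method calls (`name 'value'`), so that Ruby reads `name = 'value'` as a local-variable assignment that never reaches the GitLab configuration.

```python
import re

# Assumption: these omnibus settings are bare method calls in gitlab.rb
# (`name 'value'`). Ruby parses `name = 'value'` as a local-variable
# assignment, so that form does not configure anything.
CALL_STYLE = ("external_url", "registry_external_url")

# Constructed sample: the GITLAB_OMNIBUS_CONFIG body from the question's compose file.
SAMPLE = """\
external_url = 'https://gitlab.domain.com'
registry_external_url = 'https://registry.domain.com'
gitlab_rails['gitlab_shell_ssh_port'] = 2222
gitlab_rails['registry_enabled'] = true
"""

# name, separator (either "=" or plain whitespace), quoted value, optional comment
LINE = re.compile(r"^\s*(\w+)(\s*=\s*|\s+)(['\"])(.*?)\3\s*(?:#.*)?$")


def lint_omnibus(config: str) -> list[str]:
    """Return findings for: registry URL declared, and declared over https."""
    findings, declared = [], {}
    for number, raw in enumerate(config.splitlines(), 1):
        match = LINE.match(raw)
        if not match or match.group(1) not in CALL_STYLE:
            continue  # hash-style settings such as gitlab_rails[...] are skipped
        name, separator, url = match.group(1), match.group(2), match.group(4)
        if "=" in separator:
            findings.append(f"line {number}: {name} is assigned with '=', so it is ignored")
            continue
        declared[name] = url
    registry = declared.get("registry_external_url")
    if registry is None:
        findings.append("registry_external_url is not declared")
    elif not registry.startswith("https://"):
        findings.append(f"registry_external_url uses a non-https URL: {registry}")
    return findings


if __name__ == "__main__":
    for finding in lint_omnibus(SAMPLE):
        print(finding)
```

Run against the sample, it reports both `=` assignments and, as a consequence, no effective registry declaration.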
