Diffstat (limited to 'doc/administration/packages/container_registry.md')
-rw-r--r-- | doc/administration/packages/container_registry.md | 78
1 files changed, 56 insertions, 22 deletions
diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md index 74483b65c4d..eb118709f94 100644 --- a/doc/administration/packages/container_registry.md +++ b/doc/administration/packages/container_registry.md 
@@ -580,6 +580,54 @@ However, this behavior is undesirable for registries used by internal hosts that 1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect. +#### Encrypted S3 buckets + +You can use server-side encryption with AWS KMS for S3 buckets that have +[SSE-S3 or SSE-KMS encryption enabled by default](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html). +Customer master keys (CMKs) and SSE-C encryption aren't supported since this requires sending the +encryption keys in every request. + +For SSE-S3, you must enable the `encrypt` option in the registry settings. How you do this depends +on how you installed GitLab. Follow the instructions here that match your installation method. + +For Omnibus GitLab installations: + +1. Edit `/etc/gitlab/gitlab.rb`: + + ```ruby + registry['storage'] = { + 's3' => { + 'accesskey' => 's3-access-key', + 'secretkey' => 's3-secret-key-for-access-key', + 'bucket' => 'your-s3-bucket', + 'region' => 'your-s3-region', + 'regionendpoint' => 'your-s3-regionendpoint', + 'encrypt' => true + } + } + ``` + +1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) + for the changes to take effect. + +For installations from source: + +1. Edit your registry configuration YML file: + + ```yaml + storage: + s3: + accesskey: 'AKIAKIAKI' + secretkey: 'secret123' + bucket: 'gitlab-registry-bucket-AKIAKIAKI' + region: 'your-s3-region' + regionendpoint: 'your-s3-regionendpoint' + encrypt: true + ``` + +1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source) + for the changes to take effect. + ### Storage limitations Currently, there is no storage limitation, which means a user can upload an 
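Review bot: the "Encrypted S3 buckets" hunk promises support for both SSE-S3 and SSE-KMS buckets but only tells the reader what to configure for SSE-S3 ("For SSE-S3, you must enable the `encrypt` option"); state explicitly whether `encrypt: true` is also required, sufficient, or irrelevant for a bucket whose default encryption is SSE-KMS, otherwise readers with KMS buckets are left guessing. The key-support sentence is also ambiguous: "server-side encryption with AWS KMS" necessarily involves a KMS key, yet the next sentence says "Customer master keys (CMKs) ... aren't supported", so spell out which KMS keys are meant (for example AWS-managed versus customer-managed), and keep the "requires sending the encryption keys in every request" justification attached only to SSE-C, where it applies. Finally, the source-installation YAML uses realistic-looking credentials (`accesskey: 'AKIAKIAKI'`, `secretkey: 'secret123'`, a bucket name embedding the access key) while the Omnibus block uses obvious placeholders (`'s3-access-key'`, `'your-s3-bucket'`); make both blocks use the same placeholder style so nobody copies sample values into a real configuration.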
@@ -617,8 +665,7 @@ In the examples below we set the Registry's port to `5001`. ## Disable Container Registry per project If Registry is enabled in your GitLab instance, but you don't need it for your -project, you can disable it from your project's settings. Read the user guide -on how to achieve that. +project, you can [disable it from your project's settings](../../user/project/settings/index.md#sharing-and-permissions). ## Use an external container registry with GitLab as an auth endpoint @@ -777,6 +824,13 @@ notifications: ## Run the Cleanup policy now +WARNING: +If you're using a distributed architecture and Sidekiq is running on a different node, the cleanup +policies don't work. To fix this, you must configure the `gitlab.rb` file on the Sidekiq nodes to +point to the correct registry URL and copy the `registry.key` file to each Sidekiq node. For more +information, see the [Sidekiq configuration](../sidekiq.md) +page. + To reduce the amount of [Container Registry disk space used by a given project](../troubleshooting/gitlab_rails_cheat_sheet.md#registry-disk-space-usage-by-project), administrators can clean up image tags and [run garbage collection](#container-registry-garbage-collection). 
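Review bot: in the new WARNING under "Run the Cleanup policy now", "the cleanup policies don't work" is stated without saying how the failure shows up, and the fix says to configure `gitlab.rb` on the Sidekiq nodes "to point to the correct registry URL" without naming the settings involved or linking to the specific section of the Sidekiq page rather than the whole page; name the keys the administrator must set, and describe the observable symptom so the warning can be matched to a real failure. Since `registry.key` is the private key used to sign registry tokens, the instruction to copy it to each Sidekiq node should also say what ownership and permissions the copied file needs (matching the source node) so the key is not left world-readable on the extra nodes. The link change in the "Disable Container Registry per project" hunk is fine as is.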
@@ -892,26 +946,6 @@ understand the implications. WARNING: This is a destructive operation. -When you run `registry-garbage-collect` with the -m flag, garbage collection unlinks manifests that -are part of a multi-arch manifest, unless they're tagged in the same repository. -See [this issue](https://gitlab.com/gitlab-org/container-registry/-/issues/149) for details. - -To work around this issue, instead of: - -```plaintext -myrepo/multiarchmanifest:latest -myrepo/manifest/amd-64:latest -myrepo/manifest/arm:latest -``` - -Use: - -```plaintext -myrepo/multiarchmanifest:latest -myrepo/manifest:amd-64-latest -myrepo/manifest:arm-latest -``` - The GitLab Container Registry follows the same default workflow as Docker Distribution: retain untagged manifests and all layers, even ones that are not referenced directly. All content can be accessed by using context addressable identifiers. |
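Review bot: this hunk deletes the multi-arch caveat for `registry-garbage-collect -m` (manifests that belong to a multi-arch manifest are unlinked unless tagged in the same repository, with the tagging workaround) but adds nothing in its place; because the surrounding text still says "WARNING: This is a destructive operation", readers on a registry version that still has the behaviour described in issue 149 lose the only warning about it. If the issue is fixed, keep a short version-history note stating the registry/GitLab version in which the multi-arch handling changed and that the workaround is no longer needed from that version on; if it is not fixed, the caveat should stay.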