gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/administration/packages/container_registry.md')
-rw-r--r-- doc/administration/packages/container_registry.md | 78
1 files changed, 56 insertions, 22 deletions
diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md
index 74483b65c4d..eb118709f94 100644
--- a/doc/administration/packages/container_registry.md
+++ b/doc/administration/packages/container_registry.md
@@ -580,6 +580,54 @@ However, this behavior is undesirable for registries used by internal hosts that
1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect.
+#### Encrypted S3 buckets
+
+You can use server-side encryption with AWS KMS for S3 buckets that have
+[SSE-S3 or SSE-KMS encryption enabled by default](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html).
+Customer master keys (CMKs) and SSE-C encryption aren't supported since this requires sending the
+encryption keys in every request.
+
+For SSE-S3, you must enable the `encrypt` option in the registry settings. How you do this depends
+on how you installed GitLab. Follow the instructions here that match your installation method.
+
+For Omnibus GitLab installations:
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+ ```ruby
+ registry['storage'] = {
+ 's3' => {
+ 'accesskey' => 's3-access-key',
+ 'secretkey' => 's3-secret-key-for-access-key',
+ 'bucket' => 'your-s3-bucket',
+ 'region' => 'your-s3-region',
+ 'regionendpoint' => 'your-s3-regionendpoint',
+ 'encrypt' => true
+ }
+ }
+ ```
+
+1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure)
+ for the changes to take effect.
+
+For installations from source:
+
+1. Edit your registry configuration YML file:
+
+ ```yaml
+ storage:
+ s3:
+ accesskey: 'AKIAKIAKI'
+ secretkey: 'secret123'
+ bucket: 'gitlab-registry-bucket-AKIAKIAKI'
+ region: 'your-s3-region'
+ regionendpoint: 'your-s3-regionendpoint'
+ encrypt: true
+ ```
+
+1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source)
+ for the changes to take effect.
+
### Storage limitations
Currently, there is no storage limitation, which means a user can upload an
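Review bot: The opening paragraph of the new "Encrypted S3 buckets" section says buckets with SSE-KMS work and then says customer master keys (CMKs) aren't supported, but SSE-KMS always encrypts under a KMS key, so a reader can't tell which key types are ruled out; state explicitly which kind of key is supported. The steps that follow cover only SSE-S3 ("For SSE-S3, you must enable the `encrypt` option"), leaving SSE-KMS with no instructions at all. In the source-install YAML, `accesskey: 'AKIAKIAKI'` and `secretkey: 'secret123'` are shaped like real credentials and differ from the descriptive placeholders in the Omnibus block; use the `s3-access-key` style in both so the examples stay consistent and don't read as real secrets.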
@@ -617,8 +665,7 @@ In the examples below we set the Registry's port to `5001`.
## Disable Container Registry per project
If Registry is enabled in your GitLab instance, but you don't need it for your
-project, you can disable it from your project's settings. Read the user guide
-on how to achieve that.
+project, you can [disable it from your project's settings](../../user/project/settings/index.md#sharing-and-permissions).
## Use an external container registry with GitLab as an auth endpoint
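Review bot: The rewritten sentence under "Disable Container Registry per project" links to `#sharing-and-permissions` but doesn't name the setting to change on that page, so the reader lands in a long settings section without knowing what to look for; add the name of the toggle to the sentence. Also confirm the anchor exists in `user/project/settings/index.md`, since that heading is not part of this diff.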
@@ -777,6 +824,13 @@ notifications:
## Run the Cleanup policy now
+WARNING:
+If you're using a distributed architecture and Sidekiq is running on a different node, the cleanup
+policies don't work. To fix this, you must configure the `gitlab.rb` file on the Sidekiq nodes to
+point to the correct registry URL and copy the `registry.key` file to each Sidekiq node. For more
+information, see the [Sidekiq configuration](../sidekiq.md)
+page.
+
To reduce the amount of [Container Registry disk space used by a given project](../troubleshooting/gitlab_rails_cheat_sheet.md#registry-disk-space-usage-by-project),
administrators can clean up image tags
and [run garbage collection](#container-registry-garbage-collection).
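Review bot: The new WARNING under "Run the Cleanup policy now" tells admins to "copy the `registry.key` file to each Sidekiq node" without giving the source path, the destination path, or the ownership and file permissions the copy needs; since this is key material, state those and say the file should be transferred over a secure channel. "Point to the correct registry URL" should also name the `gitlab.rb` setting or settings involved, ideally with a short `ruby` snippet like the one in the S3 section, because the linked Sidekiq page is the only place the reader can currently find them.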
@@ -892,26 +946,6 @@ understand the implications.
WARNING:
This is a destructive operation.
-When you run `registry-garbage-collect` with the -m flag, garbage collection unlinks manifests that
-are part of a multi-arch manifest, unless they're tagged in the same repository.
-See [this issue](https://gitlab.com/gitlab-org/container-registry/-/issues/149) for details.
-
-To work around this issue, instead of:
-
-```plaintext
-myrepo/multiarchmanifest:latest
-myrepo/manifest/amd-64:latest
-myrepo/manifest/arm:latest
-```
-
-Use:
-
-```plaintext
-myrepo/multiarchmanifest:latest
-myrepo/manifest:amd-64-latest
-myrepo/manifest:arm-latest
-```
-
The GitLab Container Registry follows the same default workflow as Docker Distribution:
retain untagged manifests and all layers, even ones that are not referenced directly. All content
can be accessed by using context addressable identifiers.
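Review bot: After the deletion below "This is a destructive operation", admins running `registry-garbage-collect` with the `-m` flag get no warning that manifests belonging to a multi-arch manifest can be unlinked, and nothing visible in this diff says the linked issue 149 is resolved. If it is fixed, replace the paragraph with a note giving the version in which the fix landed so admins on older registries still see the tagging workaround; if it is not fixed, keep the text.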