Add Gitlab Container Registry

.dockerignore

@@ -6,3 +6,4 @@ README.md
 Changelog.md
 Makefile
 docker-compose.yml
+docs

README.md

@@ -61,6 +61,8 @@
     - [Import Repositories](#import-repositories)
     - [Upgrading](#upgrading)
     - [Shell Access](#shell-access)
+- [Features](#features)
+ - [Container Registry](docs/container_registry.md)
 - [References](#references)
 
 # Introduction
@@ -792,13 +794,14 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_INCOMING_EMAIL_ENABLED**: Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.
 - **GITLAB_SIGNUP_ENABLED**: Enable or disable user signups (first run only). Default is `true`.
 - **GITLAB_PROJECTS_LIMIT**: Set default projects limit. Defaults to `100`.
-- **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults is `true`.
-- **GITLAB_CREATE_GROUP**: Enable or disable ability for users to create groups. Defaults is `true`.
-- **GITLAB_PROJECTS_ISSUES**: Set if *issues* feature should be enabled by default for new projects. Defaults is `true`.
-- **GITLAB_PROJECTS_MERGE_REQUESTS**: Set if *merge requests* feature should be enabled by default for new projects. Defaults is `true`.
-- **GITLAB_PROJECTS_WIKI**: Set if *wiki* feature should be enabled by default for new projects. Defaults is `true`.
-- **GITLAB_PROJECTS_SNIPPETS**: Set if *snippets* feature should be enabled by default for new projects. Defaults is `false`.
-- **GITLAB_PROJECTS_BUILDS**: Set if *builds* feature should be enabled by default for new projects. Defaults is `true`.
+- **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults to `true`.
+- **GITLAB_CREATE_GROUP**: Enable or disable ability for users to create groups. Defaults to `true`.
+- **GITLAB_PROJECTS_ISSUES**: Set if *issues* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_MERGE_REQUESTS**: Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_WIKI**: Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_SNIPPETS**: Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`.
+- **GITLAB_PROJECTS_BUILDS**: Set if *builds* feature should be enabled by default for new projects. Defaults to `true`.
+- **GITLAB_PROJECTS_CONTAINER_REGISTRY**: Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`.
 - **GITLAB_WEBHOOK_TIMEOUT**: Sets the timeout for webhooks. Defaults to `10` seconds.
 - **GITLAB_TIMEOUT**: Sets the timeout for git commands. Defaults to `10` seconds.
 - **GITLAB_MAX_OBJECT_SIZE**: Maximum size (in bytes) of a git object (eg. a commit) in bytes. Defaults to `20971520`, i.e. `20` megabytes.
@@ -823,6 +826,13 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`.
 - **GITLAB_RELATIVE_URL_ROOT**: The relative url of the GitLab server, e.g. `/git`. No default.
 - **GITLAB_TRUSTED_PROXIES**: Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.
+- **GITLAB_REGISTRY_ENABLED**: Enables the GitLab Container Registry. Defaults to `false`.
+- **GITLAB_REGISTRY_HOST**: Sets the Gitlab Registry Host. Defaults to `registry.example.com`
+- **GITLAB_REGISTRY_PORT**: Sets the GitLab Registry Port. Defaults to `443`.
+- **GITLAB_REGISTRY_API_URL**: Sets the Gitlab Registry API URL. Defaults to `http://localhost:5000`
+- **GITLAB_REGISTRY_KEY_PATH**: Sets the GitLab Registry Key Path. Defaults to `config/registry.key`
+- **GITLAB_REGISTRY_DIR**: Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry`
+- **GITLAB_REGISTRY_ISSUER**: Sets the Gitlab Registry Issuer. Defaults to `gitlab-issuer`.
 - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default.
 - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default.
 - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`
@@ -830,6 +840,8 @@ Below is the complete list of available options that can be used to customize yo
 - **SSL_DHPARAM_PATH**: Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem`
 - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file. Defaults to `false`
 - **SSL_CA_CERTIFICATES_PATH**: List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.
+- **SSL_REGISTRY_KEY_PATH**: Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key`
+- **SSL_REGISTRY_CERT_PATH**: Location of the ssl certificate for the gitlab container registy. Defaults to `/home/git/data/certs/registry.crt`
 - **NGINX_WORKERS**: The number of nginx workers to start. Defaults to `1`.
 - **NGINX_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario.
 - **NGINX_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.

assets/runtime/config/gitlabhq/gitlab.yml

@@ -99,7 +99,7 @@ production: &base
       wiki: {{GITLAB_PROJECTS_WIKI}}
       snippets: {{GITLAB_PROJECTS_SNIPPETS}}
       builds: {{GITLAB_PROJECTS_BUILDS}}
-      container_registry: true
+      container_registry: {{GITLAB_PROJECTS_CONTAINER_REGISTRY}}
 
     ## Webhook settings
     # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
@@ -179,13 +179,13 @@ production: &base
       cron: "0 * * * *"
 
   registry:
-    # enabled: true
-    # host: registry.example.com
-    # port: 5005
-    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
-    # key_path: config/registry.key
-    # path: shared/registry
-    # issuer: gitlab-issuer
+    enabled: {{GITLAB_REGISTRY_ENABLED}}    # Enables GitLab Container Registry Defaults to `true`
+    host: {{GITLAB_REGISTRY_HOST}}          # registry.example.com
+    port: {{GITLAB_REGISTRY_PORT}}          # 5005
+    api_url: {{GITLAB_REGISTRY_API_URL}}    # http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
+    key: {{GITLAB_REGISTRY_KEY_PATH}}       # config/registry.key
+    path: {{GITLAB_REGISTRY_DIR}}
+    issuer: {{GITLAB_REGISTRY_ISSUER}}      # gitlab-issuer
 
   #
   # 2. GitLab CI settings
@@ -393,7 +393,7 @@ production: &base
                   idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
                   idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}',
                   issuer: '{{OAUTH_SAML_ISSUER}}',
-                  attribute_statements: { 
+                  attribute_statements: {
                     first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'],
                     last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'],
                     name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'],

assets/runtime/config/nginx/gitlab-registry

@@ -0,0 +1,53 @@
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+###################################
+##         configuration         ##
+###################################
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+  listen *:80;
+  server_name  {{GITLAB_REGISTRY_HOST}};
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  return 301 https://$http_host:$request_uri;
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
+}
+
+server {
+  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182,
+  # it should be declared here as well
+  listen *:{{NGINX_REGISTRY_PROXY_PORT}} ssl http2;
+  server_name {{GITLAB_REGISTRY_HOST}};
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+  ssl on;
+  ssl_certificate {{SSL_REGISTRY_CERT_PATH}};
+  ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};
+
+  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
+  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache  builtin:1000  shared:SSL:10m;
+  ssl_session_timeout  5m;
+
+  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
+  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
+
+  location / {
+    proxy_set_header  Host              $http_host;   # required for docker client's sake
+    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_read_timeout                  900;
+
+    proxy_pass {{GITLAB_REGISTRY_API_URL}};
+  }
+
+}

assets/runtime/env-defaults

@@ -72,6 +72,7 @@ GITLAB_PROJECTS_MERGE_REQUESTS=${GITLAB_PROJECTS_MERGE_REQUESTS:-true}
 GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}
 GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false}
 GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}
+GITLAB_PROJECTS_CONTAINER_REGISTRY=${GITLAB_PROJECTS_CONTAINER_REGISTRY:-true}
 GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}
 GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}
 if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/`
@@ -110,6 +111,19 @@ GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
 
 GITLAB_ROBOTS_PATH=${GITLAB_ROBOTS_PATH:-${USERCONF_TEMPLATES_DIR}/gitlabhq/robots.txt}
 
+## REGISTRY
+GITLAB_REGISTRY_ENABLED=${GITLAB_REGISTRY_ENABLED:-false}
+GITLAB_REGISTRY_DIR="${GITLAB_REGISTRY_DIR:-$GITLAB_SHARED_DIR/registry}"
+GITLAB_REGISTRY_HOST=${GITLAB_REGISTRY_HOST:-registry.example.com}
+GITLAB_REGISTRY_PORT=${GITLAB_REGISTRY_PORT:-443}
+GITLAB_REGISTRY_API_URL=${GITLAB_REGISTRY_API_URL:-http://localhost:5000/}
+GITLAB_REGISTRY_KEY_PATH=${GITLAB_REGISTRY_KEY_PATH:-config/registry.key}
+GITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer}
+#Sets the nginx restistry port
+if [[ -z $GITLAB_REGISTRY_PORT ]]; then
+  NGINX_REGISTRY_PROXY_PORT=443
+fi
+
 ## SSL
 SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false}
 SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-$GITLAB_DATA_DIR/certs/gitlab.crt}
@@ -117,6 +131,9 @@ SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key}
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
 
+SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}
+SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}
+
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}
 
@@ -149,6 +166,8 @@ case ${GITLAB_HTTPS} in
   *)    NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;;
 esac
 
+NGINX_REGISTRY_PROXY_PORT=${NGINX_REGISTRY_PROXY_PORT:-$GITLAB_REGISTRY_PORT}
+
 ## MAIL DELIVERY
 SMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com}
 SMTP_HOST=${SMTP_HOST:-smtp.gmail.com}

assets/runtime/functions

@@ -17,6 +17,7 @@ GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
 GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
 GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
 GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
+GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
 
 # Compares two version strings `a` and `b`
 # Returns
@@ -810,9 +811,34 @@ gitlab_configure_project_features() {
     GITLAB_PROJECTS_WIKI \
     GITLAB_PROJECTS_SNIPPETS \
     GITLAB_PROJECTS_BUILDS \
+    GITLAB_PROJECTS_CONTAINER_REGISTRY \
     GITLAB_WEBHOOK_TIMEOUT
 }
 
+gitlab_configure_registry(){
+  echo "Configuring gitlab::registry..."
+  if [[ $GITLAB_REGISTRY_PORT != 443 ]]; then
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_REGISTRY_ENABLED \
+      GITLAB_REGISTRY_DIR \
+      GITLAB_REGISTRY_HOST \
+      GITLAB_REGISTRY_PORT \
+      GITLAB_REGISTRY_API_URL \
+      GITLAB_REGISTRY_KEY_PATH \
+      GITLAB_REGISTRY_ISSUER
+  else
+    GITLAB_REGISTRY_PORT="" # Sets Registry Port to empty to set the key empty in the  .gitlab-ci.yml
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_REGISTRY_ENABLED \
+      GITLAB_REGISTRY_DIR \
+      GITLAB_REGISTRY_HOST \
+      GITLAB_REGISTRY_PORT \
+      GITLAB_REGISTRY_API_URL \
+      GITLAB_REGISTRY_KEY_PATH \
+      GITLAB_REGISTRY_ISSUER
+  fi
+}
+
 nginx_configure_gitlab_ssl() {
   if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
     echo "Configuring nginx::gitlab::ssl..."
@@ -879,6 +905,20 @@ nginx_configure_gitlab_ci() {
   fi
 }
 
+nginx_configure_gitlab_registry() {
+  if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
+    echo "Configuring nginx::gitlab-registry..."
+    update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \
+      GITLAB_LOG_DIR \
+      NGINX_REGISTRY_PROXY_PORT \
+      GITLAB_REGISTRY_HOST \
+      GITLAB_REGISTRY_API_URL \
+      SSL_REGISTRY_KEY_PATH \
+      SSL_REGISTRY_CERT_PATH
+  fi
+}
+
+
 #   _|_|_|              _|        _|  _|
 #   _|    _|  _|    _|  _|_|_|    _|        _|_|_|
 #   _|_|_|    _|    _|  _|    _|  _|  _|  _|
@@ -961,6 +1001,7 @@ initialize_datadir() {
   chmod u+rwX ${GITLAB_SHARED_DIR}
   chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
 
+  # create attifacts dir
   mkdir -p ${GITLAB_ARTIFACTS_DIR}
   chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
   chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
@@ -974,6 +1015,13 @@ initialize_datadir() {
   chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}
   chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
 
+  # create registry dir
+  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
+    mkdir -p ${GITLAB_REGISTRY_DIR}
+    chmod u+rwX ${GITLAB_REGISTRY_DIR}
+    chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
+  fi
+
   # create the backups directory
   mkdir -p ${GITLAB_BACKUP_DIR}
   chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
@@ -1035,6 +1083,11 @@ sanitize_datadir() {
   chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
   chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
 
+  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
+    chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
+    chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
+  fi
+
   find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
   find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
   chmod 0700 ${GITLAB_DATA_DIR}/uploads/
@@ -1115,6 +1168,15 @@ install_configuration_templates() {
   if [[ -n $GITLAB_CI_HOST ]]; then
     install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
   fi
+
+  if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
+    if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
+      install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
+    else
+      echo "SSL key and certificates for Registry were not found"
+      echo "Assuming that the Registry is running behind an enabled load balancer"
+    fi
+  fi
 }
 
 configure_gitlab() {
@@ -1160,6 +1222,7 @@ configure_gitlab() {
   gitlab_configure_gravatar
   gitlab_configure_analytics
   gitlab_configure_backups
+  gitlab_configure_registry
 
   # remove stale gitlab.socket
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
@@ -1186,6 +1249,7 @@ configure_nginx() {
   sed -i "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" /etc/nginx/nginx.conf
   nginx_configure_gitlab
   nginx_configure_gitlab_ci
+  nginx_configure_gitlab_registry
 }
 
 migrate_database() {

docs/container_registry.md

@@ -0,0 +1,227 @@
+GitLab Container Registry
+=========================
+Since `8.8.0` GitLab introduces container registry. Container Registry is a feature that handles your authentication for a docker registry.
+
+
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+- [Maintenance](#maintenance)
+    - [Creating Backups](#creating-backups)
+    - [Restoring Backups](#restoring-backups)
+- [Upgrading from an existing GitLab instance](#Upgrading-from-an-existing-GitLab-instance)
+
+# Prerequisites
+  - [Docker Distribution](https://github.com/docker/distribution) >= 2.4
+  - [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5
+
+# Installation
+Starting a fresh installation with GitLab Container registry would be like this `docker-compose` file.
+
+## Generating certificate for authentication with the registry
+
+You can skip the following steps if you have a **trusted certificate**.
+
+- **Step 1**: Create a certs dir
+ ```bash
+ mkdir certs && cd certs
+ ```
+
+- **Step 2**: Generate a private key and sign request for the private key
+```bash
+openssl req -nodes -newkey rsa:4096 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=gitlab-issuer"
+```
+
+- **Step 3**: Sign your created privated key
+```bash
+openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650
+```
+
+## Docker Compose
+```yml
+version: '2'
+
+services:
+  redis:
+    restart: always
+    image: sameersbn/redis:latest
+    command:
+    - --loglevel warning
+    volumes:
+    - /srv/gitlab/redis:/var/lib/redis:Z
+  postgresql:
+    restart: always
+    image: sameersbn/postgresql:9.4-22
+    volumes:
+    - /srv/gitlab/postgresql:/var/lib/postgresql:Z
+    enviroment:
+    - DB_USER=gitlab
+    - DB_PASS=password
+    - DB_NAME=gitlabhq_production
+    - DB_EXTENSION=pg_trgm
+
+  gitlab:
+    restart: always
+    image: sameersbn/gitlab:8.8.5
+    depends_on:
+    - redis
+    - postgresql
+    ports:
+    - "10080:80"
+    - "5500:5000"
+    - "10022:22"
+    volumes:
+    - /srv/gitlab/gitlab:/home/git/data:Z
+    - /srv/gitlab/logs:/var/log/gitlab
+    - ./certs:/certs
+    enviroment:
+    - DEBUG=false
+
+    - DB_ADAPTER=postgresql
+    - DB_HOST=postgresql
+    - DB_PORT=5432
+    - DB_USER=gitlab
+    - DB_PASS=password
+    - DB_NAME=gitlabhq_production
+
+    - REDIS_HOST=redis
+    - REDIS_PORT=6379
+    - GITLAB_SSH_PORT=1022
+    - GITLAB_PORT=10080
+    - GITLAB_HOST=localhost
+
+    - GITLAB_SECRETS_DB_KEY_BASE=superrandomsecret
+    - GITLAB_REGISTRY_ENABLED=true
+    - GITLAB_REGISTRY_HOST=registry.gitlab.example.com
+    - GITLAB_REGISTRY_PORT=5500
+    - GITLAB_REGISTRY_API_URL=http://registry:5000
+    - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key
+    - SSL_REGISTRY_KEY_PATH=/certs/registry.key
+    - SSL_REGISTRY_CERT_PATH=/certs/registry.crt
+
+  registry:
+    restart: always
+    image: registry:2.4.1
+    volumes:
+     - /srv/gitlab/shared/registry:/registry
+     - ./certs:/certs
+    enviroment:
+    - REGISTRY_LOG_LEVEL=info
+    - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry
+    - REGISTRY_AUTH_TOKEN_REALM=https://gitlab.example.com/jwt/auth
+    - REGISTRY_AUTH_TOKEN_SERVICE=container_registry
+    - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer
+    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt
+    - REGISTRY_STORAGE_DELETE_ENABLED=true
+```
+> **Important Notice**
+>
+> 1. Don't change `REGISTRY_AUTH_TOKEN_SERVICE`. It must have `container_registry` as value.
+> 2. `REGISTRY_AUTH_TOKEN_REALM` need to be look like `http/s://gitlab.example.com/jwt/auth`. Endpoint must be `/jwt/auth`
+> These configuration options are required by the GitLab Container Registry.
+
+The trick is here that you are mounting the registry data as volume from `$GITLAB_REGISTRY_DIR`. So this adds the ability to do backups and restore them.
+
+
+# Maintenance
+
+## Creating Backups
+
+Creating Backups is the same like without a container registry. I would recommend to stop your registry container.
+
+```bash
+docker stop registry gitlab && docker rm registry gitlab
+```
+
+Execute the rake task with a removeable container.
+```bash
+docker run --name gitlab -it --rm [OPTIONS] \
+    sameersbn/gitlab:8.8.5 app:rake gitlab:backup:create
+```
+## Restoring Backups
+
+Gitlab also defines a rake task to restore a backup.
+
+Before performing a restore make sure the container is stopped and removed to avoid container name conflicts.
+
+```bash
+docker stop registry gitlab && docker rm registry gitlab
+```
+
+Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.
+
+```bash
+docker run --name gitlab -it --rm [OPTIONS] \
+    sameersbn/gitlab:8.8.5 app:rake gitlab:backup:restore
+```
+
+The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.
+
+To avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task.
+
+```bash
+docker run --name gitlab -it --rm [OPTIONS] \
+    sameersbn/gitlab:8.8.5 app:rake gitlab:backup:restore BACKUP=1417624827
+```
+
+# Upgrading from an existing GitLab installation
+
+
+If you want enable this feature for an existing instance of GitLab you need to do the following steps.
+
+- **Step 1**: Update the docker image.
+
+```bash
+docker pull sameersbn/gitlab:8.8.5
+```
+
+- **Step 2**: Stop and remove the currently running image
+
+```bash
+docker stop gitlab && docker rm gitlab
+```
+
+- **Step 3**: Create a backup
+
+```bash
+docker run --name gitlab -it --rm [OPTIONS] \
+    sameersbn/gitlab:x.x.x app:rake gitlab:backup:create
+```
+
+- **Step 4**: Create a certs folder
+Create an authentication certificate with [Generating certificate for authentication with the registry](#Generating-certificate-for-authentication-with-the-registry).
+
+- **Step 5**: Create an registry instance
+
+> **Important Notice**
+>
+> Storage of the registry must be mounted from gitlab from GitLab.
+> GitLab must have the container of the registry storage folder to be able to create and restore backups
+
+```bash
+docker run --name registry -d \
+--restart=always \
+-v /srv/gitlab/shared/registry:/registry \
+-v ./certs:/certs \
+--env 'REGISTRY_LOG_LEVEL=info' \
+--env 'REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry' \
+--env 'REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth' \
+--env 'REGISTRY_AUTH_TOKEN_SERVICE=container_registry' \
+--env 'REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer' \
+--env 'REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt' \
+--env 'REGISTRY_STORAGE_DELETE_ENABLED=true' \
+registry:2.4.1
+```
+- **Step 6**: Start the image
+
+```bash
+docker run --name gitlab -d [PREVIOUS_OPTIONS] \
+-v /srv/gitlab/certs:/certs \
+--env 'SSL_REGISTRY_CERT_PATH=/certs/registry.crt' \
+--env 'SSL_REGISTRY_KEY_PATH=/certs/registry.key' \
+--env 'GITLAB_REGISTRY_ENABLED=true' \
+--env 'GITLAB_REGISTRY_HOST=registry.gitlab.example.com' \
+--env 'GITLAB_REGISTRY_API_URL=http://registry:5000/' \
+--env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \
+--link registry:registry
+sameersbn/gitlab:8.8.5
+```