Docker部署gitlab

发表于

下载指定版本的gitlab镜像

1
$ docker pull gitlab/gitlab-ce:9.3.4-ce.0

使用docker启动gitlab

添加 gitlab 启动脚本 gitlab.sh 。

1
2
3
4
5
6
7
8
9
10
#!/bin/bash
docker run -d --restart=always \
   -p 8443:443 \
   -p 8080:80 \
   -p 22:22 \
   --name gitlab \
   -v /data/volumes/gitlab/config:/etc/gitlab \
   -v /data/volumes/gitlab/logs:/var/log/gitlab \
   -v /data/volumes/gitlab/data:/var/opt/gitlab \
   gitlab/gitlab-ce:9.3.4-ce.0

修改 gitlab 配置文件

配置文件位置为: /data/volumes/gitlab/config/gitlab.rb 。
该配置文件添加了邮箱、数据备份、ldap、外部nginx 和 gitlab pages 的配置。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# gitlab 外部URL
external_url 'https://git.zqifei.com'
 
# 开启ldap服务
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ldap-server'
    port: 389
    uid: 'uid'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'cn=admin,dc=zqifei,dc=com'
    base: 'cn=user,dc=zqifei,dc=com'
    password: 'ldap-password'
    active_directory: true
    allow_username_or_email_login: true
    block_auto_created_users: false
    user_filter: ''
    attributes:
      username: 'uid'
      email:    'email'
      name:     'cn'
      last_name: 'sn'
EOS
  
# gitlab 备份数据到AWS S3上
gitlab_rails['backup_keep_time'] = 604800
gitlab_rails['backup_upload_connection'] = {
 'provider' => 'AWS',
 'region' => 'you_aws_region',
 'aws_access_key_id' => 'you_aws_key_id',
 'aws_secret_access_key' => 'you_aws_access_key'
}
gitlab_rails['backup_upload_remote_directory'] = 'you_awk_bucket'
gitlab_rails['backup_multipart_chunk_size'] = 104857600
gitlab_rails['gitlab_shell_ssh_port'] = 22   #需要跟启动脚本的ssh端口对应
  
gitlab_rails['rack_attack_git_basic_auth'] = {
 'enabled' => false,
 'ip_whitelist' => ["127.0.0.1"],
 'maxretry' => 10,
 'findtime' => 60,
 'bantime' => 3600
}
  
# gitlab 邮箱配置
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "you_smtp_address"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_user_name'] = "you_smtp_user_name"
gitlab_rails['smtp_password'] = "you_smtp_password"
gitlab_rails['smtp_domain'] = "you_smtp_domain"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'none'
gitlab_rails['gitlab_email_from'] = "send_from_email_address"
user['git_user_email'] = "use_email"
unicorn['worker_timeout'] = 60
unicorn['worker_processes'] = 2
sidekiq['concurrency'] = 2
  
# 关闭gitlab内部nginx
nginx['enable'] = false
web_server['external_users'] = ['www-data']
 
# 开启gitlab pages服务
pages_external_url "http://pages.zqifei.com/"
gitlab_pages['enable'] = true
gitlab_pages['external_http'] = "pages.zqifei.com"
gitlab_pages['redirect_http'] = true
gitlab_pages['dir'] = "/var/opt/gitlab/gitlab-pages"
gitlab_pages['log_directory'] = "/var/log/gitlab/gitlab-pages"

使用外部nginx代理gitlab服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
$ cat /etc/nginx/conf.d/gitlab.conf

upstream gitlab-workhorse {
  server unix:/data/volumes/gitlab/data/gitlab-workhorse/socket fail_timeout=0;
}
  
## Redirects all HTTP traffic to the HTTPS host
server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 80;
  listen [::]:80;
  server_name git.zqifei.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
}
## HTTPS host
server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ipv6only=on ssl default_server;
  server_name git.zqifei.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /data/volumes/gitlab/public;
    
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl on;
  ssl_certificate /etc/nginx/ssl/git.zqifei.com.crt;
  ssl_certificate_key /etc/nginx/ssl/git.zqifei.com.key;
 
   
  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  
  ## See app/controllers/application_controller.rb for headers set
  ## [Optional] Enable HTTP Strict Transport Security
  ## HSTS is a feature improving protection against MITM attacks
  ## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 5s;
 
  ## [Optional] Generate a stronger DHE parameter:
  ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
   
  location / {
    client_max_body_size 0;
    gzip off;
 
    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
 
    proxy_http_version 1.1;
 
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;
  }
}

gitlab目录权限配置

在使用外部 nginx 时,gitlab 外挂到主机的目录权限需要进行修改,否则启动 gitlab 以后访问会报 404 。

1
2
3
4
$ usermod -aG docker www-data
$ setfacl -R -m user::rex /data/volumes/gitlab
$ setfacl -R -m group::rwx /data/volumes/gitlab
$ setfacl -R -m group::rwx /data/volumes/gitlab

恢复gitlab备份数据

将备份的数据传到容器内。

1
$ docker cp 1393513186_gitlab_backup.tar gitlab:/var/opt/gitlab/backups/

停止相关数据连接服务。

1
2
$ gitlab-ctl stop unicorn
$ gitlab-ctl stop sidekiq

从 1393513186 编号中备份恢复。

1
$ gitlab-rake gitlab:backup:restore BACKUP=1393513186

启动 gitlab 服务。

1
$ gitlab-ctl start

添加定时任务

在服务器上添加 crontab 任务,定时备份数据传到 AWS S3 上。

1
0 2 * * * docker exec gitlab gitlab-rake gitlab:backup:create

部署gitlab runner

下载 gitlab-runner 镜像。

1
$ docker pull gitlab/gitlab-runner:v9.3.0

启动脚本。

1
2
3
4
5
#!/bin/bash
docker run -d --name gitlab-runner --restart always \
 -v /data/volumes/gitlab-runner/config:/etc/gitlab-runner \
 -v /var/run/docker.sock:/var/run/docker.sock \
 gitlab/gitlab-runner:v9.3.0

注册gitlab runner

进入 gitlab runner 容器内执行注册命令。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ docker exec -it gitlab-runner bash
$ gitlab-runner register
1. 输入gitlab地址
Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com )
https://git.zqifei.com
  
2. gitlab的token(在gitlab的Admin Area中)或者仓库的token(仓库->设置->Runner)
Please enter the gitlab-ci token for this runner
***
  
3. gitlab Runner描述信息
Please enter the gitlab-ci description for this runner
[hostame] my-runner
  
4. gitlab Runner的标签 可以指定仓库 只使用固定标签的Runner构建
Please enter the gitlab-ci tags for this runner (comma separated):
docker
  
5. 选择 runner 是否运行未标记的工作
Whether to run untagged jobs [true/false]:
[false]: true
  
6. 选择是否锁定当前项目的运行程序
Whether to lock Runner to current project [true/false]:
[false]: false
  
7. 输入执行程序
Please enter the executor: ssh, docker+machine, docker-ssh+machine, kubernetes, docker, parallels, virtualbox, docker-ssh, shell:
docker
  
8. 选择编译的环境
Please enter the Docker image (eg. ruby:2.1):
alpine:latest

查看已经注册的 runner。

1
$ gitlab-runner list

注册成功后就可以在 gitlab 的页面查看到 ranner 了。