Installation: self-hosting a GitLab repository service
Some of my repositories are ones I would rather not publish on the public hosted platforms (GitHub, GitLab SaaS), and I also wanted to get more hands-on with DevOps, so I chose a self-hosted GitLab. I use Azure DevOps privately as well, but that is not covered here.
The most-comprehensive AI-powered DevSecOps platform | GitLab
Azure DevOps Services | Microsoft Azure
About GitLab
GitLab is a Git-based, integrated software development platform developed by GitLab Inc. It provides repository hosting, a DevOps platform, wikis, in-browser editing, issue tracking and CI/CD. GitLab itself is written in Ruby, Go and Vue.js and runs on several architectures, including x86-64 and ARM. It comes in a Community Edition and an Enterprise Edition: the Community Edition is open source under the MIT licence, while the Enterprise Edition contains proprietary components.
[scode type="yellow" size=""]Powered by Microsoft Copilot & Wikipedia[/scode]
GitLab architecture
Prerequisites
Installation system requirements | GitLab
Linux package (Omnibus) [as of 1 April 2024 the latest release is v16.10; this guide is based on v16.9]
Disk space
Reserve at least 2.5 GB of disk space for the package installation alone (repository data comes on top of that); an SSD is recommended.
CPU
CPU depends on the expected workload and number of users; 4 cores is the recommended minimum and supports up to 500 users.
RAM
At least 4 GB (supports up to 500 users); at least 2 GB of swap on the server is also recommended.
This guide uses a Hetzner ARM64 (CAX21) server with the Ubuntu 22.04 LTS system image and installs GitLab Enterprise Edition (GitLab EE).
Why I recommend GitLab EE rather than CE: GitLab itself says EE is the preferred choice. A company can add a subscription later without migrating from CE to EE, and an individual can use some EE features free of charge through the Registration Features Program (or crack EE, which this guide does not cover).
The link below uses Hetzner's App image to spin up GitLab Community Edition (GitLab CE) quickly
Sign up for Hetzner Cloud (Referral Link)
Installation and deployment
Install and configure the required packages
apt-get update
apt-get install -y curl openssh-server ca-certificates tzdata perl
Add the EE repository
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
gitlab/gitlab-ee - Installation · packages.gitlab.com- Bash Scripts
Piping a remote script straight into a root shell means running whatever comes back from the server; it is worth downloading it first (curl -fsSL ... -o script.deb.sh), reading it, and only then running sudo bash script.deb.sh. It mainly adds the packagecloud apt source and its signing key, so the review takes a minute.
Pass in the environment variable (EXTERNAL_URL is the address at which users reach the GitLab instance from a browser or git client)
sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee
# List available versions: apt-cache madison gitlab-ee
# Specify a version: sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee=16.2.3-ee.0
# Pin the version to limit auto-updates: sudo apt-mark hold gitlab-ee
# Show what packages are held back: sudo apt-mark showhold
A held package no longer receives GitLab's security patch releases through unattended upgrades, so holding it means taking on the job of updating deliberately and promptly.
A successful install ends with the package printing the GitLab ASCII-art logo and tanuki. [ASCII-art output omitted here; the one on the original page was captured after a later successful upgrade, since no screenshot was taken at install time.]
Configuration
The Linux package bundles its own NGINX. This guide disables the bundled one and proxies through a separately installed NGINX instead (here an LNMP-style layout under /usr/local/nginx).
Back up the main configuration file gitlab.rb first, so the changes can be diffed later
cp /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.bak
NGINX
In the main configuration file /etc/gitlab/gitlab.rb, disable the bundled NGINX and name the user your web server runs as (usually www-data on Ubuntu, or www on LNMP builds; check with ps -o user= -C nginx). The package adds that user to the gitlab-www group so it can reach the workhorse socket.
# Define the external url. The scheme must be what users actually see, so https
# when the external NGINX terminates TLS; an http value here behind an https
# proxy is one cause of the 422 error discussed further down
external_url 'https://git.example.com'
# Disable the built-in nginx
nginx['enable'] = false
# Define the web server process user (ubuntu/nginx)
web_server['external_users'] = ['www-data']
Vhost
The NGINX vhost can follow the official example
Below is my vhost configuration, with the PHP/static-file leftovers of the LNMP template removed (a reverse-proxy vhost needs none of them, and the php-fpm location regex would otherwise take precedence over location / and hand any repository path ending in .php to php-fpm instead of GitLab) and the TLS settings tightened
upstream gitlab-workhorse {
    # matches the default gitlab_workhorse['listen_network'] = "unix"
    server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
# alternative when workhorse is switched to TCP (see below)
#upstream gitlab-workhorse {
#    server 127.0.0.1:8082;
#}
# map lives in the http context; vhost files included from http{} are fine
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server
{
    listen 80;
    listen [::]:80;
    server_name code.microcharon.dev ;
    root /home/wwwroot/code.microcharon.dev;
    # keep ACME HTTP-01 challenges reachable over plain HTTP
    location ~ /.well-known {
        allow all;
    }
    # everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
    access_log /home/wwwlogs/code.microcharon.dev.log;
}
server
{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name code.microcharon.dev ;
    ssl_certificate /usr/local/nginx/conf/ssl/code.microcharon.dev/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/code.microcharon.dev/code.microcharon.dev.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    # TLS 1.0/1.1 and the RSA-key-exchange and 3DES suites from the LNMP template
    # are dropped; only forward-secret AEAD suites remain
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    location / {
        # NGINX's default body limit is 1 MB; git push over HTTPS needs no limit
        client_max_body_size 0;
        gzip off;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_pass http://gitlab-workhorse;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # tell GitLab the client spoke https, otherwise CSRF checks fail (422)
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
    }
    access_log /home/wwwlogs/code.microcharon.dev.log;
}
Note which listener gitlab.rb uses. With the defaults below (commented out, so in effect) workhorse listens on a unix socket and the first upstream above applies
##! Duration to wait for all requests to finish (e.g. "10s" for 10
##! seconds). By default this is disabled to preserve the existing
##! behavior of fast shutdown. This should not be set higher than 30
##! seconds, since gitlab-ctl will wait up to 30 seconds (as defined by
##! the SVWAIT variable) and report a timeout error if the process has
##! not shut down.
# gitlab_workhorse['shutdown_timeout'] = nil
# gitlab_workhorse['listen_network'] = "unix"
# gitlab_workhorse['listen_umask'] = 000
# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
# gitlab_workhorse['auth_backend'] = "http://localhost:8080"
To use a TCP listener instead, change the section to the following. listen_addr is host:port with no scheme (a value like "http://localhost:8082" is not a valid listen address), and it should bind to loopback only so workhorse is never reachable from outside the host
# gitlab_workhorse['shutdown_timeout'] = nil
gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_umask'] = 000
gitlab_workhorse['listen_addr'] = "127.0.0.1:8082"
# gitlab_workhorse['auth_backend'] = "http://localhost:8080"
Whichever listener you choose, also set the trusted proxies. GitLab only honours X-Forwarded-For from the addresses listed here; without it every request is logged and rate-limited as coming from the proxy itself
gitlab_rails['trusted_proxies'] = ['localhost', '127.0.0.1']
In TCP mode use the second upstream instead of the first
upstream gitlab-workhorse {
    server 127.0.0.1:8082;
}
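The settings above have to agree with each other across two files, and every mismatch shows up later as a different HTTP error. The following is an added example for this post, not GitLab's or NGINX's own tooling: a small linter that reads a gitlab.rb and a vhost and reports the inconsistencies (scheme mismatch, missing forwarded scheme, socket-versus-TCP upstream mismatch, obsolete TLS versions, missing body limit, unset trusted proxies). The two sample pairs are constructed from the settings shown in this article; the "bad" pair is the first attempt, the "good" pair the corrected one.

```python
import re

# Constructed sample (not the author's files): http external_url behind an https
# vhost, workhorse moved to TCP with a scheme in listen_addr while NGINX still
# points at the socket, trusted_proxies left commented out.
BAD_GITLAB_RB = """
external_url 'http://git.example.com'
nginx['enable'] = false
gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "http://localhost:8082"
# gitlab_rails['trusted_proxies'] = ['localhost', '127.0.0.1']
"""
BAD_VHOST = """
upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
server {
  listen 443 ssl http2;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  location / {
    proxy_pass http://gitlab-workhorse;
  }
}
"""
# Constructed sample: the corrected pair, socket listener on both sides.
GOOD_GITLAB_RB = """
external_url 'https://git.example.com'
nginx['enable'] = false
gitlab_workhorse['listen_network'] = "unix"
gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
gitlab_rails['trusted_proxies'] = ['127.0.0.1']
"""
GOOD_VHOST = """
upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
server {
  listen 443 ssl http2;
  ssl_protocols TLSv1.2 TLSv1.3;
  location / {
    client_max_body_size 0;
    proxy_pass http://gitlab-workhorse;
    proxy_set_header X-Forwarded-Proto https;
  }
}
"""
SOCKET_DEFAULT = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"

def parse_gitlab_rb(text):
    """Active (uncommented) gitlab.rb settings as {key: value string}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                      # drop Ruby comments
        m = re.match(r"external_url\s+['\"]([^'\"]+)", line)     # this one has no '='
        if m:
            settings["external_url"] = m.group(1)
            continue
        m = re.match(r"([\w\[\]'\"]+)\s*=\s*(.+)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def parse_vhost(text):
    """Only the NGINX directives the proxy check depends on."""
    body = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
    up = re.search(r"upstream\s+gitlab-workhorse\s*\{[^}]*?server\s+(\S+)", body)
    protos = re.search(r"ssl_protocols\s+([^;]+);", body)
    return {
        "upstream": up.group(1).rstrip(";") if up else "",
        "tls": bool(re.search(r"listen\s+[^;]*443[^;]*\bssl\b", body)),
        "ssl_protocols": protos.group(1).split() if protos else [],
        "headers": {k: v.strip() for k, v in
                    re.findall(r"proxy_set_header\s+(\S+)\s+([^;]+);", body)},
        "unlimited_body": bool(re.search(r"client_max_body_size\s+0\s*;", body)),
    }

def lint(gitlab_rb, vhost):
    """Findings as strings prefixed with the symptom they cause; [] means consistent."""
    rb, vh = parse_gitlab_rb(gitlab_rb), parse_vhost(vhost)
    out = []
    url = rb.get("external_url", "")
    if vh["tls"] and not url.startswith("https://"):
        out.append(f"422: vhost serves TLS but external_url is {url!r}; the CSRF origin "
                   "check compares the browser's https Origin against this scheme")
    if vh["tls"] and vh["headers"].get("X-Forwarded-Proto") not in ("https", "$scheme"):
        out.append("422: proxy_set_header X-Forwarded-Proto https is missing")
    net = rb.get("gitlab_workhorse['listen_network']", "unix")
    addr = rb.get("gitlab_workhorse['listen_addr']", SOCKET_DEFAULT)
    up = vh["upstream"]
    if net == "unix" and up != "unix:" + addr:
        out.append(f"502: workhorse listens on socket {addr} but NGINX upstream is {up!r}")
    elif net == "tcp":
        if "://" in addr:
            out.append(f"502: listen_addr {addr!r} must be host:port with no scheme")
        elif up.rsplit(":", 1)[-1] != addr.rsplit(":", 1)[-1]:
            out.append(f"502: workhorse listens on {addr} but NGINX upstream is {up!r}")
    weak = [p for p in vh["ssl_protocols"] if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if weak:
        out.append("TLS: obsolete protocol versions enabled: " + " ".join(weak))
    if not vh["unlimited_body"]:
        out.append("413: client_max_body_size 0 missing; NGINX's 1 MB default breaks git push over HTTPS")
    proxies = rb.get("gitlab_rails['trusted_proxies']", "")
    if "127.0.0.1" not in proxies and "localhost" not in proxies:
        out.append("logging: trusted_proxies unset; every client will appear as the proxy's own IP")
    return out
```

Run it on your real files with lint(open("/etc/gitlab/gitlab.rb").read(), open("/path/to/vhost.conf").read()); the parsers are deliberately line-oriented and only understand the directives used in this article, so treat an empty result as "nothing obvious", not as a full validation.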
If everything checks out, apply the GitLab configuration and restart NGINX (run nginx -t first so a vhost typo does not take the site down)
gitlab-ctl reconfigure
# restart selectively as needed
#gitlab-ctl restart
nginx -t && systemctl restart nginx
# or
#service nginx restart
Setting the root password
On a fresh install GitLab generates a random password unless you set one yourself
Setting your own strong password
To set your own, append GITLAB_ROOT_PASSWORD="..." to the install command (this lands in shell history and is visible in the process list while the install runs; the gitlab.rb route below avoids that)
GITLAB_ROOT_PASSWORD="<strongpassword>" EXTERNAL_URL="https://gitlab.example.com" apt install gitlab-ee
Or, before the first reconfigure of GitLab, set the following in the main configuration file (and remove it again once the instance is up: it only applies to the initial database seed, and gitlab.rb should not keep a plaintext credential)
gitlab_rails['initial_root_password'] = '<my_strong_password>'
Install GitLab with the Linux package | GitLab
Retrieving the initial password
If you did not set one, read root's password with the command below. The file is kept only for 24 hours, so save the password somewhere safe
cat /etc/gitlab/initial_root_password
# WARNING: This value is valid only in the following conditions
# 1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the firs$
# 2. Password hasn't been changed manually, either via UI or via command line.
#
# If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.
Password: YOUR_PASSWORD
# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.
Open the login page; the administrator account is root and the password is the one just retrieved. After logging in, change it straight away (under the user's profile settings or the Admin Area)
Resetting the password
If the administrator password is lost, reset it from the command line in either of two ways
Rake task
sudo gitlab-rake "gitlab:password:reset[root]"
Rails console
sudo gitlab-rails console
# option 1: look up by username
user = User.find_by_username 'root'
# option 2: root is user ID 1
user = User.find(1)
# option 3: look up by e-mail address
user = User.find_by(email: '[email protected]')
To generate a random password
new_password = ::User.random_password
puts new_password   # print it, or it is gone once the console exits
user.password = new_password
user.password_confirmation = new_password
user.password_automatically_set = false
Or to set your own strong password
new_password = 'examplepassword'
user.password = new_password
user.password_confirmation = new_password
user.password_automatically_set = false
# optional: notify the user that an administrator changed their password
user.send_only_admin_changed_your_password_notification!
# save the change
user.save!
# leave the rails console
exit
Reset a user's password | GitLab
Common installation errors
422 Error
The change you requested was rejected (422) (gitlab.com)
Following another user's write-up, the two proxy_set_header lines below were added to the vhost
Access gitlab return 422 error | zeven's blog (zeven0707.github.io)
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
The underlying cause: NGINX terminates TLS and talks plain HTTP to workhorse, so unless the scheme is forwarded GitLab believes the request was http while the browser's Origin header says https, and Rails' CSRF origin check rejects the form. For the same reason external_url in gitlab.rb must be https, not http, when TLS ends at the proxy.
502 Error
The most common error is the 502
Waiting for GitLab to boot
HTTP 502
It can take up to a few minutes for GitLab to boot completely.
This page will automatically reload every 5 seconds.
When it appears, there are only a few things to consider
- the host is underpowered
- a port is already in use
- a wrong setting in the main configuration file
- a wrong NGINX vhost configuration
Check gitlab-ctl status for a component that keeps restarting, gitlab-ctl tail puma (or NGINX's error log) for the reason, and ss -ltnp for who owns the ports. I hit exactly this 502 after the first install and, after a long hunt, found that Puma's default port 8080 collided with a port published by one of my Docker containers; moving Puma to another port fixed it
puma['port'] = 8089
Pick a port that no other GitLab component uses by default (8082, for example, is the gitlab.rb template's default for the Sidekiq metrics exporter), and if gitlab_workhorse['auth_backend'] was ever set explicitly, make sure it points at the new Puma port.
502 Whoops, GitLab is taking too much time to respond - Stack Overflow
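Finding the port clash by eye in ss output is error-prone, so here is an added example (my own, not part of GitLab) that does the comparison: it parses ss -ltnp output against a table of the Linux package's default component ports and reports every default port held by something other than its default owner, plus the lowest port that is free and not a GitLab default. The ss sample is constructed, not captured from the author's server; the port table is taken from the gitlab.rb template defaults and should be checked against the template shipped with your version, and the process names are those ss shows and may differ on your host.

```python
import re

# TCP ports from the gitlab.rb template defaults of the Linux package (verify
# against your version), keyed to the name ss shows in its Process column.
GITLAB_PORTS = {
    8080: "puma",             # puma['port']
    8082: "sidekiq",          # sidekiq['listen_port'] (metrics exporter)
    8083: "puma",             # puma['exporter_port']
    9090: "prometheus",       # prometheus['listen_address']
    9100: "node_exporter",    # node_exporter['listen_address']
    9168: "gitlab-exporter",  # gitlab_exporter['listen_address']
}

# Constructed `ss -ltnp` sample, not captured from the author's host: a Docker
# container has published 8080, which Puma needs, and workhorse was moved to
# TCP 8082 as in the article, the template's Sidekiq metrics port.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*         users:(("docker-proxy",pid=1234,fd=4))
LISTEN 0      4096   127.0.0.1:8082     0.0.0.0:*         users:(("gitlab-workhorse",pid=2345,fd=7))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=3456,fd=6))
LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=3456,fd=7))
LISTEN 0      4096   127.0.0.1:9168     0.0.0.0:*         users:(("gitlab-exporter",pid=4567,fd=5))
"""

SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(output):
    """{port: (bind address, process name, pid)} for every listening TCP socket."""
    listening = {}
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            listening.setdefault(int(port), (addr, proc, int(pid)))  # keep v4 entry
    return listening

def find_port_clashes(listening, expected=GITLAB_PORTS):
    """Default GitLab ports held by something other than their default owner.

    That is either a foreign process blocking a component (Puma cannot bind, so
    workhorse answers 502) or a GitLab component moved onto another component's
    default port, which collides as soon as that other component is enabled."""
    clashes = {}
    for port, owner in expected.items():
        if port in listening:
            addr, proc, pid = listening[port]
            if owner not in proc:
                clashes[port] = (owner, proc, pid)
    return clashes

def first_free_port(listening, expected=GITLAB_PORTS, start=8080):
    """Lowest port >= start that is neither bound nor a GitLab default."""
    port = start
    while port in listening or port in expected:
        port += 1
    return port

if __name__ == "__main__":
    import subprocess, sys
    # pass --live to inspect this host (root is needed to see other users' processes)
    out = (subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
           if "--live" in sys.argv else SS_SAMPLE)
    listening = parse_ss(out)
    for port, (owner, proc, pid) in sorted(find_port_clashes(listening).items()):
        print(f"port {port}: expected {owner}, held by {proc} (pid {pid})")
    print("first free non-default port:", first_free_port(listening))
```

On the sample it reports 8080 held by docker-proxy (the article's case) and 8082 held by gitlab-workhorse rather than Sidekiq, and suggests 8081 as the first port that is neither bound nor reserved by a default.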
References
What is Gitlab and How it works? An Overview and Its Use Cases? - DevOpsSchool.com
Download and install GitLab | GitLab
How To Install and Configure GitLab on Ubuntu | DigitalOcean
GitLab service deployment and usage - Tencent Cloud Developer Community (tencent.com)
ubuntu - Forwarding to GitLab Subdomain with Existing Nginx Installation - Stack Overflow
6. Installing GitLab on CentOS 7 (with an external Nginx) and configuring HTTPS — hellogit 1.0 documentation (meigit.readthedocs.io)
Reset a user's password | GitLab
Access gitlab return 422 error | zeven's blog (zeven0707.github.io)
502 Whoops, GitLab is taking too much time to respond - Stack Overflow
[scode type="blue" size=""]A follow-up post will cover GitLab upgrades and backups, uninstallation, advanced configuration and day-to-day use[/scode]