GitLab Enterprise Edition

Some of my repos I would rather not host on the public platforms GitHub and GitLab (SaaS), and I also wanted to get more familiar with DevOps, so I chose a self-hosted GitLab instance. I use Azure DevOps privately as well, but that is out of scope here.

The most-comprehensive AI-powered DevSecOps platform | GitLab

Azure DevOps Services | Microsoft Azure

GitLab overview

GitLab Website

GitLab is a Git-based integrated software development platform developed by GitLab Inc. It provides repository hosting, a DevOps platform, wikis, online editing, issue tracking and CI/CD. GitLab is built with several languages, including Ruby, Go and Vue.js, and runs on multiple platforms such as x86-64 and ARMhf. It comes in a Community Edition and a commercial edition: the Community Edition is open source under the MIT licence, while the commercial edition includes proprietary components.

[scode type="yellow" size=""]Powered by Microsoft Copilot & Wikipedia[/scode]

GitLab architecture

GitLab Application Architecture

Prerequisites

Installation system requirements | GitLab

Linux package (Omnibus) [as of 1/4/2024 the latest release is v16.10; this tutorial is based on v16.9]

Disk space

Reserve at least 2.5 GB of disk space for the GitLab installation; an SSD is recommended.

CPU

CPU requirements depend on the expected workload and number of users; 4 cores (enough for 500 users) or more is recommended.

RAM

At least 4 GB (enough for 500 users) or more; the server should also have at least 2 GB of swap space.
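As an added example that is not part of the original post, the following shell script turns the three requirements above into a pre-flight check to run before installing the package. The thresholds are the post's own figures; the function names, the `--live` flag and the choice of /var as the filesystem to measure (the Linux package stores its data under /var/opt/gitlab) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the
# requirements listed above, run before installing the GitLab package.
# Thresholds are the post's figures: 2.5 GB disk, 4 cores, 4 GB RAM, 2 GB swap.

MIN_DISK_MB=2560
MIN_CORES=4
MIN_RAM_MB=4096
MIN_SWAP_MB=2048

# check_requirements <free_disk_mb> <cores> <ram_mb> <swap_mb>
# Prints one FAIL line per unmet requirement and returns the number of
# failures, so it works on constructed numbers as well as live ones.
check_requirements() {
    disk_mb=$1; cores=$2; ram_mb=$3; swap_mb=$4
    failures=0
    if [ "$disk_mb" -lt "$MIN_DISK_MB" ]; then
        echo "FAIL disk: ${disk_mb} MB free, need at least ${MIN_DISK_MB} MB (SSD recommended)"
        failures=$((failures + 1))
    fi
    if [ "$cores" -lt "$MIN_CORES" ]; then
        echo "FAIL cpu: ${cores} cores, need at least ${MIN_CORES} for ~500 users"
        failures=$((failures + 1))
    fi
    if [ "$ram_mb" -lt "$MIN_RAM_MB" ]; then
        echo "FAIL ram: ${ram_mb} MB, need at least ${MIN_RAM_MB} MB for ~500 users"
        failures=$((failures + 1))
    fi
    if [ "$swap_mb" -lt "$MIN_SWAP_MB" ]; then
        echo "FAIL swap: ${swap_mb} MB, need at least ${MIN_SWAP_MB} MB"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: host meets the minimum requirements"
    return "$failures"
}

# Live values in MB: free space on the filesystem holding /var (assumption:
# that is where /var/opt/gitlab will live), core count, RAM and swap totals.
live_values() {
    disk_kb=$(df -Pk /var | awk 'NR == 2 { print $4 }')
    cores=$(nproc)
    ram_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    swap_kb=$(awk '/^SwapTotal:/ { print $2 }' /proc/meminfo)
    echo "$((disk_kb / 1024)) $cores $((ram_kb / 1024)) $((swap_kb / 1024))"
}

# The live check only runs when asked for: sh gitlab_preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    check_requirements $(live_values)
    exit $?
fi
```

The exit status is the number of unmet requirements, so the script can gate a provisioning pipeline directly.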

This tutorial uses a Hetzner ARM64 (CAX21) server with the Ubuntu 22.04 LTS system image, on which GitLab Enterprise Edition (GitLab EE) will be installed.

As for why I recommend GitLab EE rather than CE: the official documentation also names EE as the preferred choice. For companies, a subscription can be added at any time without migrating from CE to EE; for individuals, some EE features are available free of charge through the Registration Features Program, or EE can be cracked.

The link below lets you deploy GitLab Community Edition (GitLab CE) quickly using Hetzner's App image

GitLab CE

Sign up for Hetzner Cloud (Referral Link)

Installation and deployment

Install and configure the required components

apt-get update
apt-get install -y curl openssh-server ca-certificates tzdata perl

Add the EE repository

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

gitlab/gitlab-ee - Installation · packages.gitlab.com- Bash Scripts

Pass in the environment variable (EXTERNAL_URL is the address through which the GitLab instance is reached from outside, e.g. from a browser)

sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee
# List available versions: apt-cache madison gitlab-ee
# Specify a version: sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ee=16.2.3-ee.0
# Pin the version to limit auto-updates: sudo apt-mark hold gitlab-ee
# Show which packages are held back: sudo apt-mark showhold

After a successful installation you should see the GitLab ASCII art logo

     _______ __  __          __
    / ____(_) /_/ /   ____ _/ /_
   / / __/ / __/ /   / __ `/ __ \
  / /_/ / / /_/ /___/ /_/ / /_/ /
  \____/_/\__/_____/\__,_/_.___/

       *.                  *.
      ***                 ***
     *****               *****
    .******             *******
    ********            ********
   ,,,,,,,,,***********,,,,,,,,,
  ,,,,,,,,,,,*********,,,,,,,,,,,
  .,,,,,,,,,,,*******,,,,,,,,,,,,
      ,,,,,,,,,*****,,,,,,,,,.
         ,,,,,,,****,,,,,,
            .,,,***,,,,
                ,*,.
  


     _______ __  __          __
    / ____(_) /_/ /   ____ _/ /_
   / / __/ / __/ /   / __ `/ __ \
  / /_/ / / /_/ /___/ /_/ / /_/ /
  \____/_/\__/_____/\__,_/_.___/

I did not take a screenshot during installation, so the screen from a successful upgrade will have to do

Upgrade GitLab Successfully

Environment configuration

If NGINX was not already installed on the system, installing gitlab-ee brings its own bundled NGINX. Here the bundled NGINX is not used; a separately installed NGINX serves instead.

First back up the main configuration file gitlab.rb (in /etc/gitlab) so that you can diff against it later:

cp gitlab.rb gitlab.rb.bak

NGINX

In the main configuration file /etc/gitlab/gitlab.rb, disable the bundled NGINX and set the web server process user. This is usually www-data or www; check which one applies on your system.

# Define the external url
external_url 'http://git.example.com'

# Disable the built-in nginx
nginx['enable'] = false

# Define the web server process user (ubuntu/nginx)
web_server['external_users'] = ['www-data']

Vhost

For the NGINX vhost, the official documentation can serve as a reference

NGINX settings | GitLab

Below is my vhost configuration

upstream gitlab-workhorse {
  server unix://var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}

#upstream gitlab-workhorse {
#  server localhost:8082;
#}

server
    {
        listen 80;
        listen [::]:80;
        server_name code.microcharon.dev ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/code.microcharon.dev;

        #include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        location / {
            return 301 https://$host$request_uri;
        }

        access_log  /home/wwwlogs/code.microcharon.dev.log;
    }

server
    {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name code.microcharon.dev ;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/code.microcharon.dev;

        ssl_certificate /usr/local/nginx/conf/ssl/code.microcharon.dev/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/code.microcharon.dev/code.microcharon.dev.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;

#        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
#        {
#            expires      30d;
#        }

#        location ~ .*\.(js|css)?$
#        {
#            expires      12h;
#        }

#        location ~ /.well-known {
#            allow all;
#        }

#        location ~ /\.
#        {
#            deny all;
#        }

        location / {
          proxy_pass http://gitlab-workhorse;
          proxy_set_header Host $http_host;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection upgrade;
          proxy_set_header REMOTE_ADDR $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header X-Forwarded-Ssl on;
        }

        access_log  /home/wwwlogs/code.microcharon.dev.log;
    }
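The vhost above keeps TLSv1 and TLSv1.1 in ssl_protocols and lists 3DES and static-RSA suites in ssl_ciphers. As an added example that is not part of the original post, the following shell script audits a vhost file for exactly those settings and returns the number of findings. The two sample vhosts it writes are constructed for the demonstration (the first mirrors the TLS lines above, the second is a hardened variant restricted to TLSv1.2/1.3 and ECDHE suites); the function name and the `RSA+` convention for flagging static RSA key exchange are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an NGINX vhost for the TLS
# settings worth tightening in the configuration above. Prints one finding per
# line and returns the finding count.

audit_tls() {
    conf=$1
    findings=0

    # ssl_protocols: flag anything older than TLSv1.2.
    protos=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$conf" \
             | sed 's/;.*$//; s/^[[:space:]]*ssl_protocols[[:space:]]*//')
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FINDING ssl_protocols enables legacy protocol $p"
                findings=$((findings + 1)) ;;
        esac
    done

    # ssl_ciphers: split the OpenSSL cipher string on ':' and flag entries that
    # are not negated ('!') and name a legacy algorithm or static RSA key
    # exchange (no forward secrecy).
    ciphers=$(grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$conf" \
              | sed 's/^[[:space:]]*ssl_ciphers[[:space:]]*//' | tr -d '";')
    old_ifs=$IFS
    IFS=:
    set -- $ciphers
    IFS=$old_ifs
    for c in "$@"; do
        case "$c" in
            '!'*) ;;
            *3DES*|*RC4*|*MD5*|*NULL*|*EXPORT*)
                echo "FINDING ssl_ciphers enables legacy algorithm: $c"
                findings=$((findings + 1)) ;;
            RSA+*)
                echo "FINDING ssl_ciphers enables static RSA key exchange: $c"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample vhosts (not real files from the author's server): the
# first mirrors the TLS lines of the vhost above, the second is hardened.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
}
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
}
EOF

# Usage on a real file: sh tls_audit.sh /usr/local/nginx/conf/vhost/gitlab.conf
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    audit_tls "$1"
    exit $?
fi
```

Run against the weak sample, the script reports two legacy protocols, two 3DES suites and two static-RSA suites; the hardened sample produces no findings. The TLS 1.3 suites in the original list (TLS13-...) are left alone because they are selected by ssl_protocols, not by this cipher string.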

Note that if the main configuration listens on a unix socket, as below, the first upstream above is the one to use

##! Duration to wait for all requests to finish (e.g. "10s" for 10
##! seconds). By default this is disabled to preserve the existing
##! behavior of fast shutdown. This should not be set higher than 30
##! seconds, since gitlab-ctl will wait up to 30 seconds (as defined by
##! the SVWAIT variable) and report a timeout error if the process has
##! not shut down.
# gitlab_workhorse['shutdown_timeout'] = nil
# gitlab_workhorse['listen_network'] = "unix"
# gitlab_workhorse['listen_umask'] = 000
# gitlab_workhorse['listen_addr'] = "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
# gitlab_workhorse['auth_backend'] = "http://localhost:8080"

To use TCP listening mode instead, change this section to

# gitlab_workhorse['shutdown_timeout'] = nil
gitlab_workhorse['listen_network'] = "tcp"
# gitlab_workhorse['listen_umask'] = 000
gitlab_workhorse['listen_addr'] = "http://localhost:8082"
# gitlab_workhorse['auth_backend'] = "http://localhost:8080"

Also set the trusted proxies to

gitlab_rails['trusted_proxies'] = ['localhost', '127.0.0.1']

In that case do not use the first upstream but the second one shown above

upstream gitlab-workhorse {
  server localhost:8082;
}

If everything looks fine, reconfigure GitLab and reload NGINX

gitlab-ctl reconfigure

# restart selectively, depending on the situation
#gitlab-ctl restart

systemctl restart nginx
# or
#service nginx restart

Configure the root password

On a fresh GitLab installation, a random password is generated if you did not set one yourself

Set a custom strong password

To set a custom strong password, add the GITLAB_ROOT_PASSWORD="" environment variable at install time

GITLAB_ROOT_PASSWORD="<strongpassword>" EXTERNAL_URL="http://gitlab.example.com" apt install gitlab-ee

Or, before GitLab's first reconfigure run, set the following in the main configuration file

gitlab_rails['initial_root_password'] = '<my_strong_password>'

Install GitLab with the Linux package | GitLab

Obtain the initial password

If you did not set a custom password, obtain the root password with the command below. The password only stays at this path for 24 hours, so record it promptly

cat /etc/gitlab/initial_root_password
# WARNING: This value is valid only in the following conditions
#          1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the firs$
#          2. Password hasn't been changed manually, either via UI or via command line.
#
#          If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Password: YOUR_PASSWORD

# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.

Open the login page; the administrator account is root by default and the password is the one just obtained. After logging in, the password can be changed in the Admin Area

Index page

Reset the password

If the administrator password is forgotten, it can be reset from the command line in either of the following two ways

Rake Task

sudo gitlab-rake "gitlab:password:reset[root]"

Rails Console

sudo gitlab-rails console

# Method 1: look up the user by username root
user = User.find_by_username 'root'

# Method 2: look up the root user by ID
user = User.find(1)

# Method 3: look up the user by email address
user = User.find_by(email: '[email protected]')

To generate a random password

new_password = ::User.random_password
user.password = new_password
user.password_confirmation = new_password
user.password_automatically_set = false

To set a custom strong password

new_password = 'examplepassword'
user.password = new_password
user.password_confirmation = new_password
user.password_automatically_set = false
# Optional: send the user the "an administrator changed your password" notification
user.send_only_admin_changed_your_password_notification!

# Save the changes
user.save!

# Exit the Rails console
exit

Reset a user's password | GitLab

Common installation errors

422 Error

GitLab 422 Error

The change you requested was rejected (422) (gitlab.com)

Following other people's experience, I added the following proxy_set_header directives to the vhost

Access gitlab return 422 error | zeven's blog (zeven0707.github.io)

proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;

502 Error

The most common one is the 502 error

NGINX 502 Bad Gateway

Waiting for GitLab to boot - HTTP 502

Waiting for GitLab to boot

Waiting for GitLab to boot
HTTP 502
It can take up to a few minutes for GitLab to boot completely.

This page will automatically reload every 5 seconds.

When this error appears, there are only a few things to check

  • Host resources too low
  • Port already in use
  • Misconfiguration in the main configuration file
  • Incorrect NGINX vhost configuration

I hit the same GitLab 502 problem after my first installation. After a long investigation it turned out that the puma service's default port 8080 collided with a port used by one of my Docker containers; changing it to another port fixed it

puma['port'] = 8089

502 Whoops, GitLab is taking too much time to respond - Stack Overflow
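The port-collision case above is easy to confirm from `ss -ltnp` output. As an added example that is not part of the original post, the following shell script reports which process names hold a given port and checks that the ports GitLab's components expect are held only by the expected process. The sample `ss` output is constructed for the demonstration (a docker-proxy already owns 8080, as in the story above); the function names, the `--live` flag and the assumption that puma's process shows up in `ss` as "puma" are mine.

```shell
#!/bin/sh
# Added example (not from the original post): find out who holds the ports
# GitLab's components expect, the port-conflict case behind the 502 above
# (puma on 8080 clashing with a Docker container). Works on `ss -ltnp` output,
# so it runs on a saved copy or, with --live, on the current host.

# listeners_on_port <port> <ss_output_file>
# Prints the distinct process names listening on <port>; prints nothing if the
# port is free or if ss was run without permission to see process names.
listeners_on_port() {
    port=$1; ss_file=$2
    awk -v port="$port" '
        $4 ~ (":" port "$") {
            # Process names sit between double quotes in users:(("name",pid=..))
            n = split($0, parts, "\"")
            for (i = 2; i <= n; i += 2) print parts[i]
        }' "$ss_file" | sort -u
}

# check_port_owner <port> <expected_process> <ss_output_file>
# Returns 0 if the port is free or held only by <expected_process>;
# otherwise names each foreign process and returns 1.
check_port_owner() {
    port=$1; expected=$2; ss_file=$3
    status=0
    for name in $(listeners_on_port "$port" "$ss_file"); do
        if [ "$name" != "$expected" ]; then
            echo "CONFLICT port $port is held by '$name', expected '$expected'"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample of `ss -ltnp` output (not captured from the author's host):
# a docker-proxy already owns 8080, the port puma listens on by default.
SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*          users:(("docker-proxy",pid=1234,fd=4))
LISTEN  0       1024    127.0.0.1:8082       0.0.0.0:*          users:(("gitlab-workhorse",pid=2345,fd=7))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=3456,fd=6),("nginx",pid=3457,fd=6))
LISTEN  0       511     [::]:443             [::]:*             users:(("nginx",pid=3456,fd=8),("nginx",pid=3457,fd=8))
EOF

# Live run (as root, so ss can show process names): sh gitlab_ports.sh --live [puma_port]
# Assumption: puma's listener appears in ss under the process name "puma".
if [ "${1:-}" = "--live" ]; then
    live=$(mktemp)
    ss -ltnp > "$live"
    rc=0
    check_port_owner "${2:-8080}" puma "$live" || rc=1
    check_port_owner 8082 gitlab-workhorse "$live" || rc=1
    rm -f "$live"
    exit "$rc"
fi
```

On the sample, port 8080 is reported as held by docker-proxy rather than puma, which is the situation that moving puma to another port (puma['port'] = 8089 above) resolves; 8082 is held only by gitlab-workhorse and passes.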

References

What is Gitlab and How it works? An Overview and Its Use Cases? - DevOpsSchool.com

Download and install GitLab | GitLab

How To Install and Configure GitLab on Ubuntu | DigitalOcean

GitLab service deployment and usage - Tencent Cloud Developer Community (tencent.com)

GitLab Docs | GitLab

NGINX settings | GitLab

ubuntu - Forwarding to GitLab Subdomain with Existing Nginx Installation - Stack Overflow

6. Installing GitLab on CentOS 7 (with an external Nginx configuration) and configuring HTTPS - hellogit 1.0 documentation (meigit.readthedocs.io)

Reset a user's password | GitLab

Access gitlab return 422 error | zeven's blog (zeven0707.github.io)

502 Whoops, GitLab is taking too much time to respond - Stack Overflow

[scode type="blue" size=""]A follow-up post will cover GitLab upgrades and backups, uninstallation, advanced configuration and everyday use[/scode]

Tags: Linux, GitLab, DevOps
