1、简介
GitLab 是一个自托管的 Git 仓库管理工具,它提供了源代码管理、代码审查、问题跟踪、持续集成和部署等功能。通过 GitLab,团队成员可以协作开发和管理软件项目。在本文中,我们将介绍如何在 Linux 系统上安装 GitLab。
2、硬件和软件要求
- 4 核 CPU
- 4 GB 内存
- 2 GB 硬盘空间
3、安装
Ubuntu:
sudo apt-get install -y curl openssh-server ca-certificates tzdata perl postfix
CE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
sudo EXTERNAL_URL=”访问域名” yum install -y gitlab-ce
访问域名要写全:https://gitlab.example.com
EE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
sudo EXTERNAL_URL=”访问域名” yum install -y gitlab-ee
Centos:sudo yum install -y curl policycoreutils-python perl postfix
Check if opening the firewall is needed with: sudo systemctl status firewalld
sudo firewall-cmd –permanent –add-service=http
sudo firewall-cmd –permanent –add-service=https
sudo systemctl reload firewalld
sudo systemctl enable postfix
sudo systemctl start postfix
CE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo EXTERNAL_URL=”访问域名” yum install -y gitlab-ce
EE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | sudo bash
sudo EXTERNAL_URL=”访问域名” yum install -y gitlab-ee
* 安装完成后随机密码在/etc/gitlab/initial_root_password文件中,或者设置初始密码
设置初始密码
要提供自定义初始 root 密码,您有两个选择:
- 如果服务器的主机名设置正确,则将`GITLAB_ROOT_PASSWORD`环境变量传递给安装命令。如果在安装期间 GitLab 没有自动执行重新配置,则必须将`GITLAB_ROOT_PASSWORD`变量传递给第一次`gitlab-ctl reconfigure`运行。GITLAB_ROOT_PASSWORD=’PASSWORD’ yum install -y gitlab-ee
- 在第一次重新配置之前,编辑`/etc/gitlab/gitlab.rb`(如果不存在则创建它)并设置:gitlab_rails[‘initial_root_password’] = ”
# 4、配置
## 4.1 配置访问域名(可选)vim /etc/gitlab/gitlab.rb
顶部附近是`external_url`配置线。更新它以匹配您的域。更改`http`为`https`以便GitLab会自动将用户重定向到受Let's加密证书保护的站点:external_url ‘https://example.com‘
接下来,查找`letsencrypt['contact_emails']`设置。此设置定义了一个电子邮件地址列表,如果您的域存在问题,Let的加密项目可以用来与您联系。取消注释并填写此内容是一个好主意,以便您知道任何问题:letsencrypt[‘contact_emails’] = [‘sammy@example.com’]
## 4.2 SMTP配置(可选)vim /etc/gitlab/gitlab.rb
gitlab_rails[‘smtp_enable’] = true
gitlab_rails[‘smtp_address’] = “smtp.exmail.qq.com”
gitlab_rails[‘smtp_port’] = 465
gitlab_rails[‘smtp_user_name’] = “xxxx@xx.com”
gitlab_rails[‘smtp_password’] = “password”
gitlab_rails[‘smtp_authentication’] = “login”
gitlab_rails[‘smtp_enable_starttls_auto’] = true
gitlab_rails[‘smtp_tls’] = true
gitlab_rails[‘gitlab_email_from’] = ‘xxxx@xx.com’
gitlab_rails[‘smtp_domain’] = “exmail.qq.com”
保存并关闭文件。运行以下命令重新配置Gitlab:生效配置文件
sudo gitlab-ctl reconfigure
## 4.3自定义https证书(可选)将你的ssl证书放入/etc/gitlab/ssl/
修改gitlab配置文件
sudo vim /etc/gitlab/gitlab.rb
external_url ‘https://域名‘
nginx[‘enable’] = true
nginx[‘redirect_http_to_https’] = true # 访问http自动跳转https
nginx[‘ssl_certificate’] = “/etc/gitlab/ssl/域名的ssl证书.crt”
nginx[‘ssl_certificate_key’] = “/etc/gitlab/ssl/域名的ssl证书.key”
生效配置文件
sudo gitlab-ctl reconfigure
## 4.4相关命令检查配置
gitlab-ctl check-config
重启服务
gitlab-ctl restart
启动服务
gitlab-ctl start
查看服务状态
gitlab-ctl status
停止服务
gitlab-ctl stop
查看服务列表
gitlab-ctl service-list
查看日志
gitlab-ctl tail
## 4.5 gitlab 自带Nginx与原Nginx冲突的解决方案
### 4.5.1 修改gitlab.rbvim /etc/gitlab/gitlab.rb
nginx[‘enable’] = false
gitlab_workhorse[‘listen_network’] = “tcp”
gitlab_workhorse[‘listen_addr’] = “127.0.0.1:8088”
nginx[‘listen_port’] = 8088
nginx[‘listen_https’] = true
web_server[‘external_users’] = [‘www’]
web_server[‘username’] = ‘www’
gitlab_workhorse[‘listen_network’] = “tcp”
gitlab_workhorse[‘listen_addr’] = “127.0.0.1:8088”
### 4.5.2 修改nginx默认配置文件vim /etc/local/nginx/conf/nginx.conf
user www www;
worker_processes auto;
worker_cpu_affinity auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6].";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
include /opt/gitlab/embedded/conf/mime.types;
proxy_cache_path proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2;
proxy_cache gitlab;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Remove private_token from the request URI
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
map $request_uri $temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[?&]private[-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# Remove authenticity_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
map $temp_request_uri_1 $temp_request_uri_2 {
default $temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[?&]authenticity[-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# Remove rss_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
map $temp_request_uri_2 $filtered_request_uri {
default $temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[?&]rss[-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# A version of the referer without the query string
map $http_referer $filtered_http_referer {
default $http_referer;
~^(?<temp>.*)? $temp;
}
upstream gitlab-workhorse {
server 127.0.0.1:8088;
}
server_tokens off;
access_log off;server
{
listen 80 default_server reuseport;
listen [::]:80 default_server ipv6only=on;
server_name _;
index index.html index.htm index.php;
root /home/wwwroot/default;
#error_page 404 /404.html;
# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*.php$ { deny all; }
include enable-php.conf;
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /.
{
deny all;
}
access_log /home/wwwlogs/access.log;
}include vhost/*.conf;
}
### 4.5.3 修改gitlab网页配置vim /usr/local/nginx/conf/vhost/gitlab.conf
server {
listen *:80;
server_name gitlab.xxx.net;
server_tokens off; ## Don’t show the nginx version number, a security best practice
location / {
return 301 https://gitlab.xxx.net:443$request_uri;
}
health checks configuration
include /var/opt/gitlab/nginx/conf/gitlab-health.conf;
access_log /var/log/gitlab/nginx/gitlab_access.log;
error_log /var/log/gitlab/nginx/gitlab_error.log;
}
server {
listen *:443 ssl http2;
server_name gitlab.xxx.net;
server_tokens off; ## Don’t show the nginx version number, a security best practice
Increase this if you want to upload large attachments
Or if you want to accept large git objects over http
client_max_body_size 250m;
Strong SSL Security
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl_certificate /opt/certs/gitlab/gitlab.crt;
ssl_certificate_key /opt/certs/gitlab/gitlab.key;
GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers ‘ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384’;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
Real IP Module Config
http://nginx.org/en/docs/http/ngx_http_realip_module.html
HSTS Config
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security “max-age=63072000”;
Rails sets a default policy of strict-origin-when-cross-origin, so
hide that and just send the one we’ve configured for nginx
proxy_hide_header Referrer-Policy;
add_header Referrer-Policy strict-origin-when-cross-origin;
Individual nginx logs for this GitLab vhost
access_log /var/log/gitlab/nginx/gitlab_access.log;
error_log /var/log/gitlab/nginx/gitlab_error.log;
if ($http_host = “”) {
set $http_host_with_default “gitlab.xxxx.net”;
}
if ($http_host != “”) {
set $http_host_with_default $http_host;
}
gzip on;
gzip_static on;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_vary on;
gzip_disable “msie6”;
gzip_min_length 250;
gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json;
https://github.com/gitlabhq/gitlabhq/issues/694
Some requests take more than 30 seconds.
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host_with_default;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
location ~ (/api/vd/jobs/d+/artifacts$|.git/git-receive-pack$|.git/gitlab-lfs/objects|.git/info/lfs/objects/batch$) {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
proxy_request_buffering off;
}
location /-/grafana/ {
proxy_pass http://localhost:3000/;
}
health checks configuration
include /var/opt/gitlab/nginx/conf/gitlab-health.conf;
location / {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
}
location /assets {
add_header X-Content-Type-Options nosniff;
proxy_cache gitlab;
proxy_pass http://gitlab-workhorse;
}
error_page 404 /404.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|500|502)(-custom)?.html$ {
root /opt/gitlab/embedded/service/gitlab-rails/public;
internal;
}
}
生效配置文件
gitlab-ctl reconfigure
重启nginx服务
systemctl restart nginx
## 4.6 gitlab头像不显示
使用以下命令更改GitLab默认使用的头像引用URL:vim /var/opt/gitlab/gitlab-rails/etc/gitlab.yml
plain_url: http://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon
ssl_url: https://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon
重新启动gitlab
gitlab-ctl restart
这种方法重新配置后会失效,建议使用下面这一种vim /etc/gitlab/gitlab.rb
Gravatar Settings
gitlab_rails[‘gravatar_plain_url’] = ‘http://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon‘
gitlab_rails[‘gravatar_ssl_url’] = ‘https://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon‘
重新配置gitlab
gitlab-ctl reconfigure
重启gitlab
gitlab-ctl restart
# 5、Gitlab Runner部署
## 5.1 添加官方Gitlab库
For Debian/Ubuntu/Mint:curl -L “https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh” | sudo bash
For RHEL/CentOS/Fedora:curl -L “https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh” | sudo bash
## 5.2 安装最新版Gitlab Runner
For Debian/Ubuntu/Mint:sudo apt-get install gitlab-runner
For RHEL/CentOS/Fedora:yum install gitlab-runner
## 5.3 To register a runner under Linuxgitlab-runner register
查看运行状态gitlab-runner status
