GitLab Deployment

1. Introduction

GitLab is a self-hosted Git repository management tool that provides source code management, code review, issue tracking, continuous integration and deployment. With GitLab, team members can collaborate on developing and managing software projects. This article describes how to install GitLab on a Linux system.

2. Hardware and software requirements

  • 4 CPU cores
  • 4 GB RAM
  • 2 GB disk space

3. Installation

Ubuntu:

sudo apt-get install -y curl openssh-server ca-certificates tzdata perl postfix

# CE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
sudo EXTERNAL_URL="访问域名" apt-get install -y gitlab-ce

# Write the access URL in full, including the scheme: https://gitlab.example.com

# EE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
sudo EXTERNAL_URL="访问域名" apt-get install -y gitlab-ee

CentOS:

sudo yum install -y curl policycoreutils-python perl postfix

# Check if opening the firewall is needed with: sudo systemctl status firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld

sudo systemctl enable postfix
sudo systemctl start postfix
# CE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo EXTERNAL_URL="访问域名" yum install -y gitlab-ce

# EE
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | sudo bash
sudo EXTERNAL_URL="访问域名" yum install -y gitlab-ee
  • After installation, the randomly generated root password is in the file /etc/gitlab/initial_root_password; alternatively, set the initial password yourself.

Setting the initial password
To supply a custom initial root password, you have two options:

  • If the server's hostname is set correctly, pass the GITLAB_ROOT_PASSWORD environment variable to the install command. If GitLab does not run reconfigure automatically during installation, the GITLAB_ROOT_PASSWORD variable must instead be passed to the first gitlab-ctl reconfigure run.
    GITLAB_ROOT_PASSWORD='PASSWORD' yum install -y gitlab-ee
  • Before the first reconfigure, edit /etc/gitlab/gitlab.rb (create it if it does not exist) and set:
    gitlab_rails['initial_root_password'] = '<my_strong_password>'

4. Configuration

4.1 Configure the access domain (optional)

vim /etc/gitlab/gitlab.rb

Near the top is the external_url configuration line. Update it to match your domain, and change http to https so that GitLab automatically redirects users to the site protected by the Let's Encrypt certificate:

external_url 'https://example.com'

Next, find the letsencrypt['contact_emails'] setting. It defines a list of email addresses that the Let's Encrypt project can use to contact you if there is a problem with your domain. It is a good idea to uncomment and fill this in so that you hear about any issues:

letsencrypt['contact_emails'] = ['sammy@example.com']

4.2 SMTP configuration (optional)

vim /etc/gitlab/gitlab.rb

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "xxxx@xx.com"
gitlab_rails['smtp_password'] = "password"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true
gitlab_rails['gitlab_email_from'] = 'xxxx@xx.com'
gitlab_rails['smtp_domain'] = "exmail.qq.com"

Save and close the file. Run the following command to reconfigure GitLab:

# Apply the configuration file
sudo gitlab-ctl reconfigure

4.3 Custom HTTPS certificate (optional)

# Put your SSL certificate in /etc/gitlab/ssl/
# Edit the GitLab configuration file
sudo vim /etc/gitlab/gitlab.rb

external_url 'https://域名'
nginx['enable'] = true
nginx['redirect_http_to_https'] = true # redirect http requests to https automatically
nginx['ssl_certificate'] = "/etc/gitlab/ssl/域名的ssl证书.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/域名的ssl证书.key"

# Apply the configuration file
sudo gitlab-ctl reconfigure

4.4 Related commands

# Check the configuration
gitlab-ctl check-config

# Restart services
gitlab-ctl restart

# Start services
gitlab-ctl start

# Show service status
gitlab-ctl status

# Stop services
gitlab-ctl stop

# List services
gitlab-ctl service-list

# Tail the logs
gitlab-ctl tail

4.5 Resolving the conflict between GitLab's bundled Nginx and an existing Nginx

4.5.1 Edit gitlab.rb

vim /etc/gitlab/gitlab.rb

nginx['enable'] = false

gitlab_workhorse['listen_network'] = "tcp"
gitlab_workhorse['listen_addr'] = "127.0.0.1:8088"

nginx['listen_port'] = 8088
nginx['listen_https'] = true

web_server['external_users'] = ['www']
web_server['username'] = 'www'

4.5.2 Edit the default Nginx configuration file

vim /usr/local/nginx/conf/nginx.conf

user www www;

worker_processes auto;
worker_cpu_affinity auto;

error_log /home/wwwlogs/nginx_error.log crit;

pid /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events
{
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}

http
{
include mime.types;
default_type application/octet-stream;

server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;

sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;

keepalive_timeout 60;

tcp_nodelay on;

fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;

gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";

#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
include /opt/gitlab/embedded/conf/mime.types;

proxy_cache_path proxy_cache keys_zone=gitlab:10m max_size=1g levels=1:2;
proxy_cache gitlab;

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

# Remove private_token from the request URI
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
map $request_uri $temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

# Remove authenticity_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
map $temp_request_uri_1 $temp_request_uri_2 {
default $temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

# Remove rss_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
map $temp_request_uri_2 $filtered_request_uri {
default $temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

# A version of the referer without the query string
map $http_referer $filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}

upstream gitlab-workhorse {
server 127.0.0.1:8088;
}
server_tokens off;
access_log off;

server
{
listen 80 default_server reuseport;
#listen [::]:80 default_server ipv6only=on;
server_name _;
index index.html index.htm index.php;
root /home/wwwroot/default;

#error_page 404 /404.html;

# Deny access to PHP files in specific directory
#location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

include enable-php.conf;

location /nginx_status
{
stub_status on;
access_log off;
}

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}

location ~ .*\.(js|css)?$
{
expires 12h;
}

location ~ /.well-known {
allow all;
}

location ~ /\.
{
deny all;
}

access_log /home/wwwlogs/access.log;
}
include vhost/*.conf;
}
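The three token-redacting `map` blocks and the referer `map` in the nginx.conf above, re-implemented in Python as an added example (not part of the original post or of GitLab's own code) so the patterns can be checked offline on constructed URIs before they are relied on for log hygiene; it chains the three maps in one function, the way nginx evaluates them, and handles the case-insensitive and dash/underscore variants the nginx regexes accept.

```python
import re

# Added example: re-implements the nginx `map` chain from nginx.conf above
# (private_token -> authenticity_token -> rss_token) and the referer map,
# so the redaction can be checked offline on constructed URIs.

# Parameter name stems in the order the nginx maps are chained.
SENSITIVE_PARAMS = ("private", "authenticity", "rss")


def _redact_one(uri: str, name: str) -> str:
    """Equivalent of one nginx map:
    ~(?i)^(?<start>.*)(?<temp>[\\?&]NAME[\\-_]token)=[^&]*(?<rest>.*)$
    -> "$start$temp=[FILTERED]$rest", with `default` leaving the URI as-is.
    """
    pattern = re.compile(
        r"^(?P<start>.*)(?P<temp>[?&]" + name + r"[-_]token)=[^&]*(?P<rest>.*)$",
        re.IGNORECASE,
    )
    m = pattern.match(uri)
    if m is None:
        return uri  # nginx `default` branch: unchanged
    # `start` is greedy, so only the LAST occurrence of a repeated
    # parameter is redacted, exactly as the nginx regex behaves.
    return f"{m.group('start')}{m.group('temp')}=[FILTERED]{m.group('rest')}"


def filter_request_uri(uri: str) -> str:
    """$request_uri -> $temp_request_uri_1 -> $temp_request_uri_2 -> $filtered_request_uri."""
    for name in SENSITIVE_PARAMS:
        uri = _redact_one(uri, name)
    return uri


def filter_referer(referer: str) -> str:
    """Equivalent of `~^(?<temp>.*)\\? $temp`: drop the whole query string."""
    m = re.match(r"^(?P<temp>.*)\?", referer)
    return m.group("temp") if m else referer


if __name__ == "__main__":
    # Constructed sample request URIs, not real traffic.
    samples = [
        "/foo?private_token=abc&authenticity_token=def&rss_token=ghi&page=2",
        "/api/v4/projects?Private-Token=glpat-example",
        "/dashboard?rss_token=a&rss_token=b",
        "/explore?sort=latest",
    ]
    for s in samples:
        print(f"{s}\n  -> {filter_request_uri(s)}")
    print(filter_referer("https://gitlab.example.com/foo?private_token=abc"))
```

These map variables only reach a log if a log_format directive references $filtered_request_uri and $filtered_http_referer; the nginx.conf above defines no such log_format and its access_log lines use the default format, so as written the redacted values are never logged.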

4.5.3 Edit the GitLab site configuration

vim /usr/local/nginx/conf/vhost/gitlab.conf

server {
listen *:80;

server_name gitlab.xxx.net;
server_tokens off; ## Don't show the nginx version number, a security best practice


location / {
return 301 https://gitlab.xxx.net:443$request_uri;
}

# health checks configuration
include /var/opt/gitlab/nginx/conf/gitlab-health.conf;

access_log /var/log/gitlab/nginx/gitlab_access.log;
error_log /var/log/gitlab/nginx/gitlab_error.log;
}

server {
listen *:443 ssl http2;


server_name gitlab.xxx.net;
server_tokens off; ## Don't show the nginx version number, a security best practice

## Increase this if you want to upload large attachments
## Or if you want to accept large git objects over http
client_max_body_size 250m;

## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl_certificate /opt/certs/gitlab/gitlab.crt;
ssl_certificate_key /opt/certs/gitlab/gitlab.key;

# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;


## Real IP Module Config
## http://nginx.org/en/docs/http/ngx_http_realip_module.html

## HSTS Config
## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=63072000";

# Rails sets a default policy of strict-origin-when-cross-origin, so
# hide that and just send the one we've configured for nginx
proxy_hide_header Referrer-Policy;
add_header Referrer-Policy strict-origin-when-cross-origin;

## Individual nginx logs for this GitLab vhost
access_log /var/log/gitlab/nginx/gitlab_access.log;
error_log /var/log/gitlab/nginx/gitlab_error.log;

if ($http_host = "") {
set $http_host_with_default "gitlab.xxxx.net";
}

if ($http_host != "") {
set $http_host_with_default $http_host;
}

gzip on;
gzip_static on;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_vary on;
gzip_disable "msie6";
gzip_min_length 250;
gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json;

## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 3600;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;

proxy_set_header Host $http_host_with_default;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;

location ~ (/api/v\d/jobs/\d+/artifacts$|\.git/git-receive-pack$|\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$) {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
proxy_request_buffering off;
}

location /-/grafana/ {
proxy_pass http://localhost:3000/;
}


# health checks configuration
include /var/opt/gitlab/nginx/conf/gitlab-health.conf;

location / {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
}

location /assets {
add_header X-Content-Type-Options nosniff;
proxy_cache gitlab;
proxy_pass http://gitlab-workhorse;
}

error_page 404 /404.html;
error_page 500 /500.html;
error_page 502 /502.html;
location ~ ^/(404|500|502)(-custom)?\.html$ {
root /opt/gitlab/embedded/service/gitlab-rails/public;
internal;
}
}

# Apply the configuration file
gitlab-ctl reconfigure

# Restart the nginx service
systemctl restart nginx

4.6 GitLab avatars not displaying

Use the following commands to change the avatar URL that GitLab uses by default:

vim /var/opt/gitlab/gitlab-rails/etc/gitlab.yml

plain_url: http://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon
ssl_url: https://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon

# Restart GitLab
gitlab-ctl restart

This change is lost after the next reconfigure, so the following method is recommended instead:

vim /etc/gitlab/gitlab.rb

### Gravatar Settings
gitlab_rails['gravatar_plain_url'] = 'http://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon'
gitlab_rails['gravatar_ssl_url'] = 'https://sdn.geekzu.org/avatar/%{hash}?s=%{size}&d=identicon'

# Reconfigure GitLab
gitlab-ctl reconfigure

# Restart GitLab
gitlab-ctl restart

5. GitLab Runner deployment

5.1 Add the official GitLab repository

For Debian/Ubuntu/Mint:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash

For RHEL/CentOS/Fedora:

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash

5.2 Install the latest GitLab Runner

For Debian/Ubuntu/Mint:

sudo apt-get install gitlab-runner

For RHEL/CentOS/Fedora:

yum install gitlab-runner

5.3 Register a runner under Linux

gitlab-runner register

Check the running status:

gitlab-runner status

GitLab Deployment
https://www.zhoumx.net/Gitlab部署.html
Author: 阿星
Published: 13 April 2023
License