Since I needed one, I set up a private GitLab; I am recording the configuration here so I don't fall into the same pits again.

Configuring GitLab behind an external Nginx

Stepped on so many pitfalls, orz

Edit /etc/gitlab/gitlab.rb

and change the following lines to

web_server['external_users'] = ['nginx', 'gitlab-www', 'git']

# ...

nginx['enable'] = false

Then create a new gitlab.conf in /etc/nginx/conf.d (adjust this to your own nginx setup; by default mine includes every .conf in the conf.d folder):

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

map $http_upgrade $connection_upgrade_gitlab_ssl {
    default upgrade;
    ''      close;
}

log_format gitlab_ssl_access $remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent";

map $request_uri $gitlab_ssl_temp_request_uri_1 {
  default $request_uri;
  ~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
  default $gitlab_ssl_temp_request_uri_1;
  ~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
  default $gitlab_ssl_temp_request_uri_2;
  ~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}

map $http_referer $gitlab_ssl_filtered_http_referer {
  default $http_referer;
  ~^(?<temp>.*)\? $temp;
}

server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)
  listen 0.0.0.0:80;
  listen [::]:80 ipv6only=on default_server;
  server_name gitlab.example.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/gitlab_access.log gitlab_ssl_access;
  error_log   /var/log/nginx/gitlab_error.log;
}

server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ipv6only=on ssl default_server;
  server_name gitlab.example.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ssl on;
  ssl_certificate /path/to/public.crt;
  ssl_certificate_key /path/to/private.key;

  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'

  access_log  /var/log/nginx/gitlab_access.log gitlab_ssl_access;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;
    proxy_set_header    Connection          $connection_upgrade_gitlab_ssl;

    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;
  location ~ ^/(404|422|500|502|503)\.html$ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    internal;
  }
}
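The four map blocks in the config above keep credentials out of the access log: the first three rewrite the last private_token, authenticity_token or feed_token value in the request URI to [FILTERED], and the fourth strips the query string from the Referer. The Python below reimplements that logic so its behaviour (including the one-occurrence-per-key limitation) can be checked offline, and adds a small scan for unredacted token values in existing log lines. This is an added example, not code from the original post or from GitLab; the log lines are constructed.

```python
import re

# The three token-filtering maps from the nginx config, applied in the same order.
# As in nginx, the greedy "start" group anchors on the LAST occurrence of the key,
# so only that occurrence's value is replaced; the value runs up to the next '&'.
_TOKEN_PATTERNS = [
    re.compile(r"(?i)^(?P<start>.*)(?P<temp>[?&]private[-_]token)=[^&]*(?P<rest>.*)$"),
    re.compile(r"(?i)^(?P<start>.*)(?P<temp>[?&]authenticity[-_]token)=[^&]*(?P<rest>.*)$"),
    re.compile(r"(?i)^(?P<start>.*)(?P<temp>[?&]feed[-_]token)=[^&]*(?P<rest>.*)$"),
]

# The referer map: everything up to the last '?' survives, the query string is dropped.
_REFERER_PATTERN = re.compile(r"^(?P<temp>.*)\?")

# Scan for a token key whose value is anything other than the [FILTERED] marker.
_LEAK_PATTERN = re.compile(r'(?i)[?&](?:private|authenticity|feed)[-_]token=(?!\[FILTERED\])[^&\s"]+')


def filter_request_uri(uri: str) -> str:
    """$request_uri -> $gitlab_ssl_filtered_request_uri, as the chained maps compute it."""
    for pattern in _TOKEN_PATTERNS:
        m = pattern.match(uri)
        if m:
            uri = f"{m.group('start')}{m.group('temp')}=[FILTERED]{m.group('rest')}"
    return uri


def filter_referer(referer: str) -> str:
    """$http_referer -> $gitlab_ssl_filtered_http_referer: drop the query string."""
    m = _REFERER_PATTERN.match(referer)
    return m.group("temp") if m else referer


def leaked_tokens(log_lines):
    """Return the access-log lines that still carry an unredacted token value."""
    return [line for line in log_lines if _LEAK_PATTERN.search(line)]


# Constructed sample lines: one written with the gitlab_ssl_access format, one written
# by a server block that forgot 'access_log ... gitlab_ssl_access' and logged the raw URI.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2018:12:00:00 +0000] "GET /api/v4/projects?private_token=[FILTERED]&per_page=50 HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '203.0.113.5 - - [10/Oct/2018:12:00:01 +0000] "GET /api/v4/projects?private_token=s3cretvalue HTTP/1.1" 200 512 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    print(filter_request_uri("/api/v4/projects?private_token=abc123&per_page=50"))
    print(filter_referer("https://gitlab.example.com/foo?feed_token=abc"))
    # Caveat: each map handles one occurrence, so a repeated key leaves the earlier value visible.
    print(filter_request_uri("/a?private_token=abc&x=1&private_token=def"))
    for line in leaked_tokens(LOG_LINES):
        print("UNREDACTED:", line)
```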

But after doing this, every asset (CSS, JS and so on) came back as 404 or 302 when visiting gitlab. The fix is to edit /opt/gitlab/embedded/service/gitlab-rails/config/environments/production.rb

and change config.public_file_server.enabled to true, then run sudo gitlab-ctl restart. (This file lives under /opt/gitlab/embedded and is replaced by package upgrades, so the change has to be reapplied after each upgrade.)

Server environment

A Tencent Cloud 1-core, 2 GB server running Ubuntu 16.04 LTS. The official GitLab requirements are at https://docs.gitlab.com/ce/install/requirements.html

Memory is too tight, so some swap is needed

sudo swapon -s                    # check whether a swap area already exists
sudo fallocate -l 2G /swapfile    # create a 2G swap file
sudo chmod 600 /swapfile          # root-only: the file will contain memory pages
sudo mkswap /swapfile
sudo swapon /swapfile

To enable it at boot, sudo vi /etc/fstab and append

/swapfile            none                 swap       sw                    0 0

Installing GitLab

See also https://mirrors.tuna.tsinghua.edu.cn/help/gitlab-ce/

sudo apt-get install git curl openssh-server ca-certificates postfix
curl https://packages.gitlab.com/gpg.key 2> /dev/null | sudo apt-key add - &>/dev/null
sudo vi /etc/apt/sources.list.d/gitlab-ce.list # add: deb https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/ubuntu xenial main
sudo apt-get update
sudo apt-get install gitlab-ce

Open the firewall

sudo ufw allow http
sudo ufw allow https
sudo ufw allow OpenSSH

Check the firewall status with sudo ufw status

Configuring HTTPS, email, and memory tuning

Edit /etc/gitlab/gitlab.rb and change the following items

external_url 'https://xxx'

### Email Settings
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'gitlab@xxxx.com'
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
gitlab_rails['gitlab_email_reply_to'] = 'gitlab@xxxx.com'
gitlab_rails['gitlab_email_subject_suffix'] = ''

### GitLab email server settings
###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **Use smtp instead of sendmail/postfix.**

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.xxxx.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "gitlab@xxxx.com"
gitlab_rails['smtp_password'] = "xxxxxx"
gitlab_rails['smtp_domain'] = "xxxx.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true

###! **Can be: 'none', 'peer', 'client_once', 'fail_if_no_peer_cert'**
###! Docs: http://api.rubyonrails.org/classes/ActionMailer/Base.html
###! 'none' skips verification of the SMTP server's certificate; use 'peer' once the server presents a valid one
gitlab_rails['smtp_openssl_verify_mode'] = 'none'

### https
nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/path/to/some.pem"
nginx['ssl_certificate_key'] = "/path/to/some.key"

### optimize memory

unicorn['worker_processes'] = 2
postgresql['shared_buffers'] = "128MB"
postgresql['max_worker_processes'] = 4

Then apply them with

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Test whether email can be sent

sudo gitlab-rails console
Notify.test_email('your_test_email@test.com', 'xx', 'xx').deliver_now

SonarQube

Code quality matters, so I had to set this thing up too.

Since the server is so weak it probably can't run SonarQube... so I came up with a bold idea: run SonarQube in a local VM, and just start the VM whenever I want to look at code quality, lol

So what follows is a guide to setting up SonarQube on a standalone Ubuntu 16.04.5 LTS.

After installing Ubuntu 16.04.5 LTS server in the VM, copy and paste doesn't work... so it is better to use ssh. A freshly installed system has no openssh, so install it first

sudo apt install openssh-server

Then switch the package sources following https://mirrors.tuna.tsinghua.edu.cn/help/ubuntu/; use our great TUNA mirror, it doesn't even count against traffic, hhh

Now for the actual install

sudo apt install software-properties-common
sudo add-apt-repository ppa:webupd8team/java
sudo apt update
sudo apt install oracle-java8-installer vim unzip postgresql postgresql-contrib

sudo systemctl start postgresql
sudo systemctl enable postgresql
sudo passwd postgres
su postgres
createuser sonar
psql
ALTER USER sonar WITH ENCRYPTED password 'StrongPassword';
CREATE DATABASE sonar OWNER sonar;
\q

wget -c https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-6.7.6.zip
sudo unzip sonarqube-6.7.6.zip -d /opt
sudo mv /opt/sonarqube-6.7.6 /opt/sonarqube
sudo chown -R ubuntu:ubuntu /opt/sonarqube
vim /opt/sonarqube/conf/sonar.properties

and change the relevant items to

sonar.jdbc.username=sonar
sonar.jdbc.password=StrongPassword
sonar.jdbc.url=jdbc:postgresql://localhost/sonar

Then edit /etc/systemd/system/sonar.service

[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking

ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop

User=ubuntu
Group=ubuntu
Restart=always

[Install]
WantedBy=multi-user.target

Then

sudo systemctl start sonar
sudo systemctl enable sonar

We also need to install nginx

sudo apt install nginx

Edit /etc/nginx/sites-available/default (sudo vim) and change it to

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name localhost;
        location / {
                proxy_pass http://localhost:9000;
        }
}

Finally

sudo systemctl restart nginx

Now the site is reachable by IP. SonarQube's default username and password are both admin. In Administration -> Marketplace search for gitlab and install the plugin, then configure it according to the plugin's instructions.

GitLab Runner

As above, I need to run the runner locally

sudo apt install docker.io docker-compose   # on Ubuntu the Docker engine package is docker.io; "docker" is an unrelated package
sudo wget -O /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
sudo chmod +x /usr/local/bin/gitlab-runner
sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start
sudo gitlab-runner register

Run through these in one go and you're done

GitLab CI/CD Error 500

Clear the stored runner tokens:

$ gitlab-rails console
> Ci::Runner.all.update_all(token_encrypted: nil)

$ gitlab-rails dbconsole
> UPDATE projects SET runners_token = null, runners_token_encrypted = null;

Some environment variables available in .gitlab-ci.yml

https://docs.gitlab.com/ce/ci/variables/predefined_variables.html

Accessing different services from .gitlab-ci.yml

https://docs.gitlab.com/ce/ci/docker/using_docker_images.html#accessing-the-services

Using local images

Edit /etc/gitlab-runner/config.toml and add pull_policy = "if-not-present" inside [runners.docker]. Note that with this policy a job requesting a tag that is already cached locally (for example a :latest tag) keeps using the cached image and never pulls the updated one.

Changing the hosts inside the image

Edit /etc/gitlab-runner/config.toml and add extra_hosts = ["xxx.com:127.0.0.1"] inside [runners.docker]. This entry is written into the job container's /etc/hosts, so 127.0.0.1 there refers to the container's own loopback interface, not the runner host.

Some tutorials on collaborative development with GitLab

Comments welcome >_<
