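GitLab Series 1 --- Installation
I. Overview
1. Environment
(1) CentOS 7.9.2009 (Core)
(2) Rocky Linux 9.3
2. Hardware requirements
(1) CPU: 4 cores
(2) Memory: 4 GB
(3) Disk space required for installation: 2.5 GB
II. Installation
1. Install dependencies
(1) CentOS 7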
sudo yum install -y policycoreutils-python perl openssh-server
(2) Rocky Linux 9
sudo dnf -y install curl policycoreutils python3-policycoreutils git
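2. Start sshd
sudo systemctl start sshd
sudo systemctl enable sshd
systemctl status sshd
3. Get the installation package
There are two ways to get the installation package. The first uses a script to add the GitLab CE repository to the local package sources, after which yum install downloads and installs it; the other is to download the offline installation package manually.
Method 1: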
curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
This article uses Method 1.
Method 2:
(1) Choose the target version: https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/
(2) Download the package
wget https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/gitlab-ce-14.8.1-ce.0.el7.x86_64.rpm
4. Install
(1) Online installation
sudo yum -y install gitlab-ce
(2) Offline installation
sudo rpm -Uvh gitlab-ce-14.8.1-ce.0.el7.x86_64.rpm
III. Configuration
1. Configuration file
sudo vi /etc/gitlab/gitlab.rb
2. Basic configuration
(1) Access URL
# General form
external_url 'http://[server IP]:[server port]'
# Example
external_url 'https://gitlab.example.com'
3. Prometheus
(1) Disable Prometheus
prometheus_monitoring['enable'] = false
3. Puma
puma['worker_processes'] = 2
puma['min_threads'] = 1
puma['max_threads'] = 2
4. PostgreSQL
##! **recommend value is 1/4 of total RAM, up to 14GB.**
postgresql['shared_buffers'] = "1024MB"
...
postgresql['max_worker_processes'] = 4 # maximum number of concurrent database worker processes
5. Sidekiq
sidekiq['max_concurrency'] = 8
6. Nginx
(1) Prepare the certificate
a. Generate the private key
openssl genrsa -out private/gitlab.key 4096
b. Generate the CSR
openssl req -new -key private/gitlab.key -out private/gitlab.csr
c. Issue the certificate
openssl ca -keyfile private/ca.key -cert ca.cert.pem -in private/gitlab.csr -out certs/gitlab.crt
d. Generate the DH parameters file
sudo openssl dhparam -out /etc/pki/CA/certs/dhparams.pem 2048
e. Move the certificate and key
sudo mkdir /etc/gitlab/ssl
sudo mv gitlab.crt /etc/gitlab/ssl
sudo mv gitlab.key /etc/gitlab/ssl
sudo mv ca.crt /etc/gitlab/ssl
sudo mv dhparams.pem /etc/gitlab/ssl
# Keep the directory traversable but the private key readable by root only;
# a recursive 755 on /etc/gitlab would also expose gitlab.rb and the key to every local user.
sudo chmod 755 /etc/gitlab/ssl
sudo chmod 600 /etc/gitlab/ssl/gitlab.key
(2) Log directory
sudo mkdir -p /var/log/gitlab/nginx
sudo chmod -R 755 /var/log/gitlab
(3) Configuration
nginx['redirect_http_to_https'] = true
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/ca.crt"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
...
nginx['custom_error_pages'] = {
  '404' => {
    'title' => 'URL not found!',
    'header' => 'URL not found!',
    'message' => 'The resource that you request is not found!'
  }
}
...
nginx['log_directory'] = "/var/log/gitlab/nginx"
nginx['error_log_level'] = "warn"
nginx['worker_processes'] = 4
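An added check for the certificate and key placed in /etc/gitlab/ssl (written for this page, not from the original article or from GitLab): it reports a private key readable by group or other, a certificate that does not match the key, and a certificate outside its validity period. The function names and the throwaway self-signed pair built by make_demo_pair are assumptions of the example.

```ruby
require 'openssl'
require 'tmpdir'

# Returns findings for one certificate/key pair as laid out in /etc/gitlab/ssl.
def audit_tls_pair(cert_path, key_path, now: Time.now)
  findings = []
  mode = File.stat(key_path).mode & 0o777
  findings << format('key mode %04o is readable by group/other', mode) if (mode & 0o077) != 0
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  key  = OpenSSL::PKey.read(File.read(key_path))
  findings << 'certificate does not match private key' unless cert.check_private_key(key)
  findings << 'certificate is outside its validity period' unless (cert.not_before..cert.not_after).cover?(now)
  findings << 'RSA key shorter than 2048 bits' if key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits < 2048
  findings
end

# Constructed test material: a throwaway self-signed pair, not a real GitLab certificate.
def make_demo_pair(dir, key_mode)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=gitlab.example.com')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert_path = File.join(dir, 'gitlab.crt')
  key_path = File.join(dir, 'gitlab.key')
  File.write(cert_path, cert.to_pem)
  File.write(key_path, key.to_pem)
  File.chmod(key_mode, key_path)
  [cert_path, key_path]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts audit_tls_pair(*make_demo_pair(dir, 0o755))
  end
end
```

On a GitLab host the same function can be pointed at /etc/gitlab/ssl/gitlab.crt and /etc/gitlab/ssl/gitlab.key with the embedded Ruby, run as root so the key is readable.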
7. Load the configuration
(1) After every change to the configuration file, run the following command to reload the configuration:
sudo gitlab-ctl reconfigure
(2) Get the initial username and password
uid: root
pwd (this initial password is valid for 24 hours after the first login):
sudo cat /etc/gitlab/initial_root_password
(3) Change the password
https://gitlab.example.com/-/profile/password/edit
8. Firewall
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
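sudo firewall-cmd --permanent --add-port=[port]/tcp
sudo systemctl reload firewalld
9. Test
You can now reach GitLab at the address configured in external_url.
IV. Integrating LDAP
1. Disable user management
Because we will use LDAP accounts from here on, GitLab's built-in User and Account Management can be turned off, so we go back and set: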
manage_accounts['enable'] = false
2. Configure /etc/gitlab/gitlab.rb
(1) Without SSL
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '127.0.0.1' # LDAP server host
    port: 389 # LDAP server port
    uid: 'uid'
    bind_dn: 'cn=admin,dc=example,dc=com' # LDAP entry to bind as; in effect the account GitLab uses to access the LDAP service
    password: 'xxxxxx' # password of that LDAP entry
    encryption: 'plain' # encryption method: "start_tls" or "simple_tls" or "plain"
    verify_certificates: true
    active_directory: false # this server is not AD
    allow_username_or_email_login: true
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'ou=People,dc=example,dc=com'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
EOS
(2) With SSL
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '127.0.0.1' # LDAP server host
    port: 389 # LDAP server port
    uid: 'uid'
    bind_dn: 'cn=admin,dc=example,dc=com' # LDAP entry to bind as; in effect the account GitLab uses to access the LDAP service
    password: 'xxxxxx' # password of that LDAP entry
    encryption: 'start_tls' # encryption method: "start_tls" or "simple_tls" or "plain"
    tls_options:
      ca_file: /etc/ssl/certs/ca.cert.pem
    verify_certificates: true
    active_directory: false # this server is not AD
    allow_username_or_email_login: true
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'ou=People,dc=example,dc=com'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
EOS
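An added lint for the ldap_servers YAML shown above, written for this page and not part of GitLab: it flags settings that send the bind password unencrypted to a remote server or that skip server verification. The function name, the rule set and the sample host ldap.example.com are assumptions of the example.

```ruby
require 'yaml'

# Constructed sample: the same shape as the ldap_servers heredoc in gitlab.rb.
SAMPLE_LDAP = <<~'EOS'
  main:
    label: 'LDAP'
    host: 'ldap.example.com'
    port: 389
    bind_dn: 'cn=admin,dc=example,dc=com'
    password: 'xxxxxx'
    encryption: 'plain'
    verify_certificates: true
    base: 'ou=People,dc=example,dc=com'
    user_filter: ''
EOS

LOOPBACK = %w[127.0.0.1 ::1 localhost].freeze

# Returns an array of "provider: finding" strings for one ldap_servers YAML document.
def lint_ldap_servers(yaml_text)
  servers = YAML.safe_load(yaml_text) || {}
  servers.flat_map do |provider, cfg|
    findings = []
    enc  = cfg['encryption'].to_s
    port = cfg['port'].to_i
    remote = !LOOPBACK.include?(cfg['host'].to_s)
    if enc == 'plain' && remote
      findings << 'bind password and user passwords cross the network unencrypted (encryption: plain)'
    end
    if enc != 'plain' && cfg['verify_certificates'] == false
      findings << 'TLS enabled but verify_certificates is false, server identity is not checked'
    end
    findings << 'simple_tls normally uses port 636, not 389' if enc == 'simple_tls' && port == 389
    findings << 'start_tls normally uses port 389, not 636'  if enc == 'start_tls' && port == 636
    if enc != 'plain' && cfg.dig('tls_options', 'ca_file').nil?
      findings << 'no tls_options.ca_file, the system trust store decides which CA is accepted'
    end
    findings << 'empty user_filter, every entry under base can sign in' if cfg['user_filter'].to_s.empty?
    findings.map { |f| "#{provider}: #{f}" }
  end
end

puts lint_ldap_servers(SAMPLE_LDAP) if __FILE__ == $PROGRAM_NAME
```

The loopback exemption matches the page's own configuration, where host is 127.0.0.1 and plain LDAP never leaves the machine.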
3. Reload the configuration
sudo gitlab-ctl reconfigure
4. Verify the LDAP configuration
sudo gitlab-rake gitlab:ldap:check
Visiting the GitLab site at this point shows:
V. Uninstall
1. Uninstall
# CentOS 7
sudo yum -y remove gitlab-ce
# Rocky Linux 9
sudo dnf -y remove gitlab-ce
2. Delete the directories
sudo rm -rf /var/opt/gitlab
sudo rm -rf /etc/gitlab