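DTeam Team Log

GitLab Deployment and Maintenance

2018-12-15  冯宇Ops

Installation

We recommend installing and deploying GitLab with the omnibus package; GitLab provides an official package repository for it. The official repository is hosted on S3 and is slow from within mainland China, so we suggest using the Tsinghua University mirror directly.

# Add the official repository (signing key from GitLab, packages from the Tsinghua mirror)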
curl https://packages.gitlab.com/gpg.key 2> /dev/null | sudo apt-key add -
echo "deb https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/gitlab-ce.list
sudo apt update

# Install or upgrade gitlab-ce
sudo apt install -y gitlab-ce

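Configuration

For detailed configuration and maintenance information, see the official documentation: https://docs.gitlab.com/ce/administration/

Reference /etc/gitlab/gitlab.rb configuration:

external_url '外部访问地址'  # placeholder: the externally reachable URL

# Reference settings for Tencent Exmail (enterprise mail)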
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "邮箱地址"  # placeholder: mailbox address
gitlab_rails['smtp_password'] = "邮箱密码"  # placeholder: mailbox password
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = '邮箱地址'  # placeholder: mailbox address
gitlab_rails['gitlab_email_display_name'] = 'GitLab'
gitlab_rails['gitlab_email_reply_to'] = 'noreply@域名'  # placeholder: noreply@ followed by your domain

#gitlab_rails['gitlab_default_projects_features_builds'] = false
gitlab_rails['gitlab_default_can_create_group'] = false

#unicorn['port'] = 8001
#nginx['listen_port'] = 8000
nginx['listen_addresses'] = ["unix:/var/run/gitlab/nginx.sock"]
nginx['listen_https'] = false

# Backup config
gitlab_rails['backup_path'] = '/data/gitlab_backups'
# limit backup lifetime to 7 days - 604800 seconds
gitlab_rails['backup_keep_time'] = 604800

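The configuration above assumes the server is shared with other services, so GitLab's bundled nginx is configured to listen only on a unix domain socket, and GitLab is reached through a reverse proxy in the server's own nginx. For details on the omnibus nginx settings, see the official documentation: https://docs.gitlab.com/omnibus/settings/nginx.html

A reference configuration for the server's Nginx reverse-proxying to GitLab's nginx follows (it uses the secure SSL configuration mentioned in an earlier article):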

upstream gitlab-nginx {
  server unix:/var/run/gitlab/nginx.sock:443;
}

server {
  listen 80;
  listen 443 ssl http2;
  server_name git.domain.com;

  ssl_certificate /etc/letsencrypt/live/git.domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.domain.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on; 
  ssl_dhparam dhparam.pem;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_ecdh_curve secp384r1;
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 223.5.5.5 114.114.114.114 valid=300s;
  resolver_timeout 5s; 
  # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";

  # Increase this if you want to upload larger attachments
  client_max_body_size      0;

  root /dev/null;
  index index.html;

  location / {
    proxy_redirect    off;
    proxy_set_header  X-Real-IP         $remote_addr;
    proxy_set_header  X-Forwarded-Host  $http_host;
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_pass http://gitlab-nginx;
  }

  location /.well-known {
    root /usr/share/nginx/html;
  }

  if ($scheme != "https") {
      return 301 https://$http_host$request_uri;
  }
}

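After every change to the gitlab.rb configuration file, run sudo gitlab-ctl reconfigure for the change to take effect.

GitLab CI/CD

GitLab ships with a built-in CI tool; for details, see the official documentation: https://docs.gitlab.com/ce/ci/

Tsinghua University also hosts a mirror of the gitlab-ci-runner repository, so consider using the mirror when installing: https://mirrors.tuna.tsinghua.edu.cn/help/gitlab-runner/

Routine Maintenance

Service Management

gitlab-ce omnibus registers a service named gitlab-runsvdir and enables it at boot, so the service can be managed directly through the service manager.

In addition, GitLab omnibus provides a command-line tool, gitlab-ctl, which can also be used to manage the GitLab services: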

sudo gitlab-ctl start/stop/restart/status

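Logs can also be viewed with sudo gitlab-ctl tail, which runs tail -f on multiple log files at once. The most important log file is /var/log/gitlab/gitlab-rails/production.log. If GitLab fails to start or some feature misbehaves, check this file for errors first to see whether the problem lies with the service itself or is a bug in GitLab.

Backup

Because git itself is a distributed version control system, backups are not especially critical. If you need them, see the official backup and restore documentation: https://docs.gitlab.com/omnibus/settings/backups.html

Reference crontab: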

0 0 * * * /usr/bin/gitlab-rake gitlab:backup:create > /dev/null && (tar -Jcf /data/gitlab_backups/etc-gitlab.tar.xz -C /etc/gitlab/ .)
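
The crontab above discards the backup job's standard output, so a broken or incomplete backup is easy to miss. As an added example (not part of the original post), the shell function below checks that a recent backup archive exists, that the /etc/gitlab archive contains gitlab.rb and gitlab-secrets.json, and that neither archive is readable by group or others. The function name and the 1500-minute freshness window are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Defaults are the paths used on
# this page; the daily schedule and 1500-minute window are assumptions.

# check_gitlab_backups [DIR] [MAX_AGE_MIN]
# Prints one line per finding and returns 0 only when every check passes.
check_gitlab_backups() {
  dir=${1:-/data/gitlab_backups}
  max_age_min=${2:-1500}   # 24 h between cron runs plus one hour of slack
  etc_tar=$dir/etc-gitlab.tar.xz
  rc=0

  # 1. gitlab:backup:create must have left a recent, non-empty archive.
  fresh=$(find "$dir" -maxdepth 1 -type f -name '*_gitlab_backup.tar' \
            -size +0 -mmin "-$max_age_min" | head -n 1)
  if [ -z "$fresh" ]; then
    echo "FAIL: no *_gitlab_backup.tar newer than $max_age_min min in $dir"
    rc=1
  fi

  # 2. The rake backup does not include /etc/gitlab. Without
  #    gitlab-secrets.json a restore cannot decrypt stored secrets, so the
  #    side archive from the crontab must contain both files.
  if [ ! -f "$etc_tar" ]; then
    echo "FAIL: $etc_tar is missing"
    rc=1
  else
    members=$(tar -tf "$etc_tar" 2>/dev/null)   # tar detects xz on read
    for name in gitlab.rb gitlab-secrets.json; do
      if ! printf '%s\n' "$members" | grep -Eqx "(\./)?$name"; then
        echo "FAIL: $name not found in $etc_tar"
        rc=1
      fi
    done
  fi

  # 3. The archives hold the database dump, the SMTP password in gitlab.rb
  #    and gitlab-secrets.json: nobody but the owner should read them.
  loose=$(find "$dir" -maxdepth 1 -type f \
            \( -name '*_gitlab_backup.tar' -o -name 'etc-gitlab.tar.xz' \) \
            \( -perm -040 -o -perm -004 \))
  if [ -n "$loose" ]; then
    echo "FAIL: readable by group or others:"
    echo "$loose"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: backups in $dir pass all checks"
  return "$rc"
}
```

Source the file and call check_gitlab_backups from a separate cron entry scheduled after the backup job, so that a failed check is reported on its own.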