Gitlab-ce14.5.2搭建配置全流程记录

Gitlab-ce14.5.2搭建配置全流程记录

---

前言

记录gitlab搭建流程，方便日后回顾

服务器配置：阿里云4c16g，CentOS7.8.2003 x86_64

---

0. 安装前确认

• 如果服务器从未安装过gitlab，可以跳过此条

• 如果安装过任意版本gitlab，包括docker安装，请仔细的，一步不差的执行下面的步骤，这个坑浪费了我服务器十几G的流量费

  1. 原生安装过gitlab：

     # 停止gitlab服务
     gitlab-ctl stop
     
     # 查看gitlab进程
     ps aux | grep gitlab
     
     # 挨个杀掉
     kill 1 2 3 4 5
     # 杀完再ps aux | grep gitlab确认一遍
     
     # 删除所有包含gitlab的文件
     find / -name gitlab | xargs rm -rf
     
     # yum卸载gitlab
     yum remove gitlab
     

  2. docker容器安装过gitlab

     # 停止gitlab容器
     docker stop gitlab
     
     # (可选)清除gitlab容器和镜像
     docker rm gitlab
     docker rmi gitlab
     
     # 查看gitlab进程
     ps aux | grep gitlab
     
     # 挨个杀掉
     kill 1 2 3 4 5
     # 杀完再ps aux | grep gitlab确认一遍
     
     # 删除所有包含gitlab的文件
     find / -name gitlab | xargs rm -rf
     

1. 安装

按照官网安装流程

1. Install and configure the necessary dependencies

​	On CentOS 7 (and RedHat/Oracle/Scientific Linux 7), the commands below will also open HTTP, HTTPS and SSH access in the system firewall. This is an optional step, and you can skip it if you intend to access GitLab only from your local network.

> 1.安装并配置必须的依赖
>
> ​	在CentOS7（红帽、oracle、Scientific Linux 7）系统版本上，下面的命令将在系统防火墙中同时开启HTTP，HTTPS和SSH访问。这是个**可选步骤**，如果你想仅通过局域网访问gitlab，你可以跳过这步。

sudo yum install -y curl policycoreutils-python openssh-server perl
# Enable OpenSSH server daemon if not enabled: sudo systemctl status sshd
sudo systemctl enable sshd
sudo systemctl start sshd

# Check if opening the firewall is needed with: sudo systemctl status firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld

​	Next, install Postfix to send notification emails. If you want to use another solution to send emails please skip this step and[configure an external SMTP server](https://docs.gitlab.com/omnibus/settings/smtp.html) after GitLab has been installed.

> 接下来，安装Postfix来发送通知邮件，如果你想用其他邮件解决方案，请跳过此步并在Gitlab安装完成后[配置其他SMTP服务器](https://docs.gitlab.com/omnibus/settings/smtp.html)

sudo yum install postfix
sudo systemctl enable postfix
sudo systemctl start postfix

During Postfix installation a configuration screen may appear. Select 'Internet Site' and press enter. Use your server's external DNS for 'mail name' and press enter. If additional screens appear, continue to press enter to accept the defaults.

> 在Postfix安装期间，有可能弹出一个配置界面，选择`Internet Site`并按下回车，使用服务器的外部DNS作为`mail name`并按下回车，如果有额外的界面弹出，继续按回车以接受默认配置

2. Add the GitLab package repository and install the package

​	Add the GitLab package repository.

> 2.添加Gitlab的Yum源并安装
>
> 添加Yum源

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | sudo bash

​	Next, install the GitLab package. Make sure you have correctly [set up your DNS](https://docs.gitlab.com/omnibus/settings/dns.html), and change `https://gitlab.example.com`to the URL at which you want to access your GitLab instance. Installation will automatically configure and start GitLab at that URL.

​	For `https://` URLs, GitLab will automatically [request a certificate with Let's Encrypt](https://docs.gitlab.com/omnibus/settings/ssl.html#lets-encrypthttpsletsencryptorg-integration), which requires inbound HTTP access and a [valid hostname](https://docs.gitlab.com/omnibus/settings/dns.html). You can also [use your own certificate](https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https) or just use `http://` (without `s`).

If you would like to specify a custom password for the initial administrator user (`root`), check the [documentation](https://docs.gitlab.com/omnibus/installation/index.html#set-up-the-initial-password). If a password is not specified, a random password will be automatically generated.

> ​	接下来，安装Gitlab。确保你已正确[配置DNS](https://docs.gitlab.com/omnibus/settings/dns.html)，并且将`https://gitlab.example.com`修改为你想访问Gitlab的URL，安装程序会自动配置并启动Gitlab在此URL上。==这里建议使用nginx做反向代理来访问Gitlab，因此URL可以配置为`http://127.0.0.1:port`，用于nginx反向代理==
>
> ​	对于`https://`的URL，Gitlab将会自动[从Let’s Encrypt申请证书](https://docs.gitlab.com/omnibus/settings/ssl.html#lets-encrypthttpsletsencryptorg-integration)，这要求拥有HTTP访问权限和[有效域名](https://docs.gitlab.com/omnibus/settings/dns.html)。你也可以通过`http://`使用[自己的域名](https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https)
>
> ​	如果你希望自定义初始化root账号的密码，可以查看[文档](https://docs.gitlab.com/omnibus/installation/index.html#set-up-the-initial-password)，如果初始化密码未指定，一个随机的密码将会自动生成。==这里没有必要自定义密码，安装完成后将生成随机密码文件`/etc/gitlab/initial_root_password`，登录root账号后修改即可==

sudo EXTERNAL_URL="http://127.0.0.1:port" yum install -y gitlab-ce

3. Browse to the hostname and login

​	Unless you provided a custom password during installation, a password will be randomly generated and stored for 24 hours in `/etc/gitlab/initial_root_password`. Use this password with username `root` to login.

​	See our [documentation for detailed instructions on installing and configuration](https://docs.gitlab.com/omnibus/README.html#installation-and-configuration-using-omnibus-package).

> 3.访问域名并登录
>
> ​	除非你在安装时指定了自定义初始化密码，随机密码已生成在`/etc/gitlab/initial_root_password`并保存24小时，使用这个密码和root用户名登录
>
> ​	查看我们的[安装和配置的详细指引文档](https://docs.gitlab.com/omnibus/README.html#installation-and-configuration-using-omnibus-package)

4. Set up your communication preferences

​	Visit our [email subscription preference center](https://about.gitlab.com/company/preference-center/) to let us know when to communicate with you. We have an explicit email opt-in policy so you have complete control over what and how often we send you emails.

​	Twice a month, we send out the GitLab news you need to know, including new features, integrations, docs, and behind the scenes stories from our dev teams. For critical security updates related to bugs and system performance, sign up for our dedicated security newsletter.

**Important note:** If you do not opt-in to the security newsletter, you will not receive security alerts.

> 4.设置你的联系方式
>
> ​	访问我们的[邮件订阅配置中心](https://about.gitlab.com/company/preference-center/)来让我们知道何时联系你。balabala就是让你订阅垃圾邮件呢，不用看
>
> **重要提示**：如果你不订阅垃圾邮件，你就收不到垃圾邮件（废话文学了属于是）

5. Recommended next steps

​	After completing your installation, consider the [recommended next steps](https://docs.gitlab.com/ee/install/next_steps.html), including authentication options and sign-up restrictions.

> 5.推荐的下一步操作
>
> ​	在安装完成后，可以考虑[下一步操作](https://docs.gitlab.com/ee/install/next_steps.html)，包括认证选项和注册限制

---

• 安装成功的提示

Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn't opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.
NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.
It looks like GitLab has not been configured yet; skipping the upgrade script.

       *.                  *.
      ***                 ***
     *****               *****
    .******             *******
    ********            ********
   ,,,,,,,,,***********,,,,,,,,,
  ,,,,,,,,,,,*********,,,,,,,,,,,
  .,,,,,,,,,,,*******,,,,,,,,,,,,
      ,,,,,,,,,*****,,,,,,,,,.
         ,,,,,,,****,,,,,,
            .,,,***,,,,
                ,*,.
  


     _______ __  __          __
    / ____(_) /_/ /   ____ _/ /_
   / / __/ / __/ /   / __ \`/ __ \
  / /_/ / / /_/ /___/ /_/ / /_/ /
  \____/_/\__/_____/\__,_/_.___/

> 这里狐狸有可能不出现，以是否能访问到页面为准。如果访问502，可以稍等一两分钟再试。如果访问500，恭喜你大概率安装失败了（掩面），看日志排查问题吧

• 可能出现的错误及解决方法

  1. Let’s Encrypt申请ssl证书时报错，无须理会，修改配置文件即可

     ​ 如果第二步中的URL配置了https://，会有申请ssl证书的报错如下：

     ================================================================================
     Error executing action `run` on resource 'ruby_block[create certificate for YOUR.CUSTOM.URL]'
     ================================================================================
     

  2. 如果之前安装过gitlab，有可能在/etc/gitlab目录下残留之前的配置文件gitlab.rb。或者之前仓库的数据库文件。此时，安装后不会在/etc/gitlab/initial_root_password生成随机密码，因为安装程序没有执行完成。

     ​ 这里我没有留下安装失败的yum打印，但是可以通过查看gitlab状态及日志排查问题

     # 查看组件状态
     > gitlab-ctl status
     run: alertmanager: (pid 10305) 1429s; run: log: (pid 4494) 18684s
     run: gitaly: (pid 31632) 19913s; run: log: (pid 30663) 20032s
     run: gitlab-exporter: (pid 5254) 18619s; run: log: (pid 4333) 18702s
     run: gitlab-workhorse: (pid 31590) 19916s; run: log: (pid 31299) 19949s
     run: grafana: (pid 5336) 18615s; run: log: (pid 5009) 18640s
     run: logrotate: (pid 1789) 2048s; run: log: (pid 30578) 20045s
     run: nginx: (pid 5231) 18620s; run: log: (pid 31312) 19948s
     run: node-exporter: (pid 5248) 18620s; run: log: (pid 4306) 18706s
     run: postgres-exporter: (pid 5323) 18615s; run: log: (pid 4565) 18678s
     run: postgresql: (pid 30845) 20025s; run: log: (pid 30866) 20022s
     down: prometheus: 0s, normally up, want up; run: log: (pid 4413) 18689s
     run: puma: (pid 10154) 1439s; run: log: (pid 31227) 19959s
     run: redis: (pid 30590) 20042s; run: log: (pid 30599) 20041s
     run: redis-exporter: (pid 5266) 18619s; run: log: (pid 4363) 18696s
     run: sidekiq: (pid 10066) 1446s; run: log: (pid 31253) 19955s
     
     # 持续打印日志
     > gitlab-ctl tail
     

     ​ 可以一边打印日志，一边访问来排查问题。附上gitlab的issue地址

---

2. 配置文件介绍

不太清楚从哪个版本开始，gitlab把所有组件的配置文件集成在了/etc/gitlab/gitlab.rb里，并且基本每个配置项都有详细的解释和文档链接。所以如果你需要修改配置，请直接来这个配置文件中搜索修改，强烈建议修改前复制一份备份。在修改后，执行gitlab-ctl reconfigure来校验并重载配置。

---

3. 配置邮件服务

还是按照官网的步骤

If you would rather send application email via an SMTP server instead of via Sendmail, add the following configuration information to/etc/gitlab/gitlab.rb and run gitlab-ctl reconfigure.

如果你希望通过SMTP服务发送应用邮件，而不是Sendmail，添加以下配置

Your smtp_password should not contain any String delimiters used in Ruby or YAML (f.e. ') to avoid unexpected behavior during the processing of config settings.

There are example configurations at the end of this page.

你的smtp_password配置项不应该包含任何Ruby或YAML的字符串分隔符（比如‘）以避免解析配置时的未知行为

页面底部有配置的示例（并没有，自己跳去官网示例看吧）

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.server"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "smtp user"
gitlab_rails['smtp_password'] = "smtp password"
gitlab_rails['smtp_domain'] = "example.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'

# If your SMTP server does not like the default 'From: gitlab@localhost' you
# can change the 'From' with this setting.
gitlab_rails['gitlab_email_from'] = 'gitlab@example.com'
gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'

# If your SMTP server is using a self signed certificate or a certificate which 
# is signed by a CA which is not trusted by default, you can specify a custom ca file.
# Please note that the certificates from /etc/gitlab/trusted-certs/ are
# not used for the verification of the SMTP server certificate.
gitlab_rails['smtp_ca_file'] = '/path/to/your/cacert.pem'

SMTP connection pooling

Introduced in GitLab 13.5.

You can enable SMTP connection pooling with the following setting:

gitlab_rails['smtp_pool'] = true

This allows Sidekiq workers to reuse SMTP connections for multiple jobs. The maximum number of connections in the pool follows the maximum concurrency configuration for Sidekiq.

SMTP连接池

自GitLab13.5开始

你可以通过以下配置开启SMTP连接池

gitlab_rails['smtp_pool'] = true

这将允许Sidekiq进程在多任务中重复使用SMTP连接。连接池的最大数量在此文档中

Using encrypted credentials

Introduced in GitLab 14.3.

Instead of storing the SMTP credentials in the configuration files as plain text, you can optionally use an encrypted file for the SMTP credentials. To use this feature, you first need to enable GitLab encrypted configuration.

The encrypted configuration for SMTP exists in an encrypted YAML file. By default the file will be created at /var/opt/gitlab/gitlab-rails/shared/encrypted_configuration/smtp.yaml.enc. This location is configurable in the GitLab configuration.

The unencrypted contents of the file should be a subset of the settings from your smtp_*' settings in the gitlab_rails configuration block.

The supported configuration items for the encrypted file are:

• user_name
• password

The encrypted contents can be configured with the SMTP secret edit Rake command.

Configuration

If initially your SMTP configuration looked like:

1. In /etc/gitlab/gitlab.rb:

  gitlab_rails['smtp_enable'] = true
  gitlab_rails['smtp_address'] = "smtp.server"
  gitlab_rails['smtp_port'] = 465
  gitlab_rails['smtp_user_name'] = "smtp user"
  gitlab_rails['smtp_password'] = "smtp password"
  gitlab_rails['smtp_domain'] = "example.com"
  gitlab_rails['smtp_authentication'] = "login"
  gitlab_rails['smtp_enable_starttls_auto'] = true
  gitlab_rails['smtp_openssl_verify_mode'] = 'peer'

1. Edit the encrypted secret:

   sudo gitlab-rake gitlab:smtp:secret:edit EDITOR=vim
   

2. The unencrypted contents of the SMTP secret should be entered like:

   user_name: 'smtp user'
   password: 'smtp password'
   

3. Edit /etc/gitlab/gitlab.rb and remove the settings for smtp_user_name and smtp_password.

4. Reconfigure GitLab:

   sudo gitlab-ctl reconfigure
   

使用加密的凭证

自GitLab14.3开始

你可以选择性的使用加密文件保存SMTP凭证，而不是将凭证明文存储在配置文件中。要使用这个功能，首先需要开启GitLab加密配置（默认开启）

SMTP的加密配置储存在加密的YAML文件中。此文件缺省创建与/var/opt/gitlab/gitlab-rails/shared/encrypted_configuration/smtp.yaml.enc。这个文件的未知可以在配置文件中指定

文件中未加密内容应该是’ gitlab_rails ‘配置块中的’ smtp_*’ '设置的子集。

加密文件所支持的配置项有：

• user_name
• password

加密内容可以通过SMTP secret edit Rake command编辑

配置

最开始配置文件应该长这个样子

1. 在/etc/gitlab/gitlab.rb中

  gitlab_rails['smtp_enable'] = true
  gitlab_rails['smtp_address'] = "smtp.server"
  gitlab_rails['smtp_port'] = 465
  gitlab_rails['smtp_user_name'] = "smtp user"
  gitlab_rails['smtp_password'] = "smtp password"
  gitlab_rails['smtp_domain'] = "example.com"
  gitlab_rails['smtp_authentication'] = "login"
  gitlab_rails['smtp_enable_starttls_auto'] = true
  gitlab_rails['smtp_openssl_verify_mode'] = 'peer'

1. 编辑加密的内容

   sudo gitlab-rake gitlab:smtp:secret:edit EDITOR=vim
   

2. 解密后的SMTP内容示例

   user_name: 'smtp user'
   password: 'smtp password'
   

3. 编辑/etc/gitlab/gitlab.rb，删掉其中的smtp_user_name 和smtp_password配置项

4. 重载配置

   sudo gitlab-ctl reconfigure
   

---

这里我用了微软家的outlook邮箱，按照官网下面的示例

gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp-mail.outlook.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "username@outlook.com"
gitlab_rails['smtp_password'] = "password"
gitlab_rails['smtp_domain'] = "smtp-mail.outlook.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'

然后重载配置，测试邮件发送

> gitlab-ctl reconfigure
> gitlab-rails console
--------------------------------------------------------------------------------
 Ruby:         ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
 GitLab:       14.5.2 (76ceea558aa) FOSS
 GitLab Shell: 13.22.1
 PostgreSQL:   12.7
--------------------------------------------------------------------------------
Loading production environment (Rails 6.1.4.1)
irb(main):001:0> Notify.test_email('TEST@RECIVER.EMAIL', '邮件主题', '邮件内容').deliver_now
Delivered mail 61bae77e2b59c_2bb95a50224f6@husky.mail (2141.5ms)
=> #<Mail::Message:154740, Multipart: false, Headers: <Date: Thu, 16 Dec 2021 15:15:10 +0800>, <From: gitlab <TEST@DELEVER.EMAIL>>, <Reply-To: gitlab <TEST@DELEVER.EMAIL>>, <To: TEST@RECIVER.EMAIL>, <Message-ID: <messageID>>, <Subject: 邮件主题>, <Mime-Version: 1.0>, <Content-Type: text/html; charset=UTF-8>, <Content-Transfer-Encoding: 7bit>, <Auto-Submitted: auto-generated>, <X-Auto-Response-Suppress: All>>

这样就是发送成功了，去收件箱看看吧

• 可能出现的错误及解决方法

  1. 调用报错：OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: wrong version number)

     ​ 这个问题存在于你所使用的SMTP邮件服务器所使用的TLS加密方式版本不一致/不支持TLS加密方式，贴一个issue的传送门自己排查吧

  2. 调用等待一下后报错：Net::OpenTimeout (execution expired)

     ​ 这个问题是SMTP服务器的端口号或地址不正确，官网示例里的配置还是挺详细的，可以对照排查一下

4. 未完待续