Notes
- The official gitlab-ce image on Docker Hub is a packaging of the Omnibus edition
- Many of the Omnibus components inside gitlab-ce are only enabled once they have been configured
Preparation
GitLab uses ports 22, 80 and 443 by default, so make sure the GitLab Docker service does not collide with ports already open on the host.
The common case is a host that already runs an SSH service; move its port as follows:

```bash
## Change the SSHD port ##
# For security, and to avoid a clash with the gitlab container,
# move the host sshd service from the default port 22 to 8022.
# Later SSH connections must use port 8022.
# Allow 8022 through the host firewall before restarting, or the restart can lock you out.
sudo sed -i 's|^#\?Port 22$|Port 8022|' /etc/ssh/sshd_config   # matches the line whether or not it is still commented out
sudo service sshd restart
sudo netstat -anpt # check current port usage
```
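As an added example (not from the original post): a POSIX shell function that makes the port change idempotent, keeps exactly one Port line ahead of any Match block, and validates the file with `sshd -t` before the restart so a typo cannot lock you out. The paths /etc/ssh/sshd_config and /usr/sbin/sshd are assumed.

```shell
# Added example, not part of the original post.

# Rewrite CFG so that it holds exactly one "Port PORT" line, placed first
# (Port is only valid before any Match block). Existing Port lines, active or
# commented out, are dropped, so running this twice is harmless.
set_sshd_port() {
  cfg=$1 port=$2
  case $port in
    ''|*[!0-9]*) echo "set_sshd_port: invalid port '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "set_sshd_port: port out of range '$port'" >&2; return 1
  fi
  tmp=$(mktemp) || return 1
  {
    printf 'Port %s\n' "$port"
    grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$cfg" || true
  } > "$tmp"
  cat "$tmp" > "$cfg"   # overwrite in place so owner and mode of the file are kept
  rm -f "$tmp"
}

# Report the first active Port directive in CFG (sshd defaults to 22 if none).
configured_sshd_port() {
  p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
  printf '%s\n' "${p:-22}"
}

# Host procedure (run as root): open the new port in the firewall first,
# change the config, validate it, and only then restart sshd.
apply_sshd_port() {
  new_port=$1
  set_sshd_port /etc/ssh/sshd_config "$new_port" || return 1
  # sshd -t parses the config and exits non-zero on any error; restarting on a
  # broken config would leave the host without SSH access.
  /usr/sbin/sshd -t || { echo "sshd_config is invalid, not restarting" >&2; return 1; }
  service sshd restart
  echo "sshd now configured for port $(configured_sshd_port /etc/ssh/sshd_config)"
}

# Usage (as root): apply_sshd_port 8022
```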
Two ways to deploy GitLab on Docker
- It is assumed here that the HTTPS certificate and private key are in the /etc/certs directory
- The files are renamed to domain.crt and domain.key (the dhparam.pem referenced by the configuration below must be placed there as well)
1. Single-container mode

```bash
docker run -d --name gitlab --hostname gitlab.example.com \
-e GITLAB_OMNIBUS_CONFIG="
external_url 'https://gitlab.example.com'
gitlab_rails['gitlab_shell_ssh_port'] = 22
nginx['redirect_http_to_https'] = true
nginx['ssl_dhparam'] = '/etc/gitlab/ssl/dhparam.pem'
nginx['ssl_certificate'] = '/etc/gitlab/ssl/domain.crt'
nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/domain.key'
nginx['custom_gitlab_server_config'] = \"location ^~ /.well-known {\n alias /var/opt/gitlab/letsencrypt/.well-known;\n}\n\"
high_availability['mountpoint'] = ['/etc/gitlab', '/var/log/gitlab', '/var/opt/gitlab'] # require the listed filesystems to be mounted before the gitlab services start
" \
-p 22:22 -p 80:80 -p 443:443 \
-v /srv/gitlab/config:/etc/gitlab \
-v /srv/gitlab/logs:/var/log/gitlab \
-v /srv/gitlab/data:/var/opt/gitlab \
-v /etc/certs:/etc/gitlab/ssl \
--restart=always gitlab/gitlab-ce:latest
```
Inside the shell's double-quoted GITLAB_OMNIBUS_CONFIG value, the custom_gitlab_server_config string must use Ruby double quotes (escaped as \") so that \n becomes a newline; in Ruby single quotes it would reach nginx as a literal backslash-n.
2. Compose orchestration mode (recommended)

```bash
docker pull gitlab/gitlab-ce:latest
############################ multi-line command start ##########################
# The quoted 'EOF' keeps the shell from touching \n or any $ inside the heredoc
cat > docker-compose.yaml <<'EOF'
version: '2'
services:
  Gitlab:
    image: 'gitlab/gitlab-ce:latest'
    container_name: 'gitlab'
    hostname: 'gitlab.example.com'
    restart: always
    ports:
      - '22:22'
      - '80:80'
      - '443:443'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Add any other gitlab.rb configuration here, each on its own line
        external_url 'https://gitlab.example.com'
        gitlab_rails['gitlab_shell_ssh_port'] = 22
        nginx['redirect_http_to_https'] = true
        nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparam.pem"
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key"
        nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n alias /var/opt/gitlab/letsencrypt/.well-known;\n}\n"
        high_availability['mountpoint'] = ["/etc/gitlab", "/var/log/gitlab", "/var/opt/gitlab"] # require the listed filesystems to be mounted before the gitlab services start
    volumes:
      - /srv/gitlab/config:/etc/gitlab
      - /srv/gitlab/logs:/var/log/gitlab
      - /srv/gitlab/data:/var/opt/gitlab
      - /etc/certs:/etc/gitlab/ssl
EOF
############################ multi-line command end ##########################
# start the service
docker-compose -f docker-compose.yaml up -d
```
Enabling email
Add the following lines under the GITLAB_OMNIBUS_CONFIG node of the GitLab Compose configuration:

```ruby
########## Mail service configuration ##########
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_tls'] = true
gitlab_rails['smtp_user_name'] = "账号"        # placeholder: the SMTP account
gitlab_rails['smtp_password'] = "密码"         # placeholder: the SMTP password
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['gitlab_email_from'] = "发件人邮箱" # placeholder: the sender address
```
On first login to the GitLab server you will be prompted to set the password of the root administrator account.
GitLab tuning
GitLab is heavy on memory, and the sidekiq queue and the unicorn service are the two components that consume the most. The relevant parameters can be fine-tuned when the container starts:

```ruby
# Unicorn: a single worker with tight memory limits (the limits are in bytes: 300 MB and 400 MB)
unicorn['worker_processes'] = 1
unicorn['worker_memory_limit_min'] = "300 * 1 << 20"
unicorn['worker_memory_limit_max'] = "400 * 1 << 20"
unicorn['worker_timeout'] = 15
# Sidekiq: one process with a small thread pool, no cluster
sidekiq['concurrency'] = 10
sidekiq_cluster['enable'] = false
sidekiq_cluster['ha'] = false
redis['maxclients'] = "100"
# Nginx
nginx['worker_processes'] = 2
nginx['worker_connections'] = 512
nginx['keepalive_timeout'] = 300
nginx['cache_max_size'] = '200m'
# Bundled components that are not needed here
mattermost['enable'] = false
mattermost_nginx['enable'] = false
gitlab_pages['enable'] = false
pages_nginx['enable'] = false
# PostgreSQL
postgresql['shared_buffers'] = "256MB"
postgresql['max_connections'] = 30
postgresql['work_mem'] = "8MB"
postgresql['maintenance_work_mem'] = "16MB"
postgresql['effective_cache_size'] = "1MB"
postgresql['checkpoint_timeout'] = "5min"
postgresql['checkpoint_warning'] = "30s"
```
After adjusting the configuration, reload it:

```bash
docker exec gitlab gitlab-ctl reconfigure
docker-compose down
docker-compose up -d
```
GITLAB_OMNIBUS_CONFIG is applied by gitlab-ctl reconfigure on every container start, so it is the down/up recreation that picks up edits made to docker-compose.yaml; reconfigure alone only re-applies what the running container already has.
Enabling the GitLab Container Registry
The Container Registry is GitLab's built-in Docker Registry integration; once it is enabled, every project gets its own private Docker image storage space.
The Container Registry can reuse the GitLab domain or run on a separate domain. Here it is configured to reuse the domain, so the Container Registry also reuses GitLab's TLS certificate.
Add the following under the GITLAB_OMNIBUS_CONFIG node of the Gitlab service in docker-compose.yaml:

```ruby
registry_external_url "https://gitlab.example.com:4567" # external address of the Container Registry
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key"
gitlab_rails['registry_host'] = "gitlab.example.com"
gitlab_rails['registry_port'] = "4567"
gitlab_rails['registry_api_url'] = "http://localhost:5000"
gitlab_rails['gitlab_default_projects_features_builds'] = false
gitlab_rails['gitlab_default_projects_features_container_registry'] = false
```
- Add the port mapping (quoted, like the other entries, so YAML does not misread it):

```yaml
      - '4567:4567'
```
- Restart the service:

```bash
docker-compose restart Gitlab
```
Note that docker-compose restart does not re-read docker-compose.yaml; a changed environment section only takes effect once the container is recreated, for example with docker-compose up -d.
After integration you can log in with a GitLab account: docker login gitlab.example.com:4567
Routine maintenance commands

```bash
# GitLab maintenance
docker exec gitlab gitlab-ctl status # status of each gitlab component service
docker exec gitlab gitlab-ctl start/restart/stop [component] # unified control of all gitlab components (GitLab answers 502 until the Unicorn component has finished restarting)
docker exec gitlab gitlab-ctl tail [subdirectory under /var/log/gitlab] # follow logs in real time
docker exec gitlab update-permissions # fix permission problems that appear after a gitlab version upgrade
docker exec gitlab gitlab-ctl reconfigure # reload configuration
docker exec -t gitlab gitlab-rake gitlab:backup:create # create a backup (written to /var/opt/gitlab/backups, i.e. /srv/gitlab/data/backups on the host)
# Container Registry maintenance
docker exec gitlab gitlab-ctl registry-garbage-collect # garbage collection, removes unreferenced layers (the registry is stopped while it runs)
```
Import Repository (Repo by URL)

```
# If the username or password contains special characters, they must be URL-encoded
https://username:password@host:port/group/project.git
```
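The encoding rule above, worked as an added example (not from the original post): a POSIX shell percent-encoder that escapes every byte outside the RFC 3986 unreserved set, plus a helper that assembles the import URL from the raw username and password. The username, password, host and path used at the end are constructed sample values.

```shell
# Added example, not part of the original post.

# Percent-encode STRING: unreserved characters (A-Z a-z 0-9 - . _ ~) pass
# through, everything else, including @ : / and spaces, becomes %XX.
# The body runs in a subshell so LC_ALL=C (walk the string byte by byte,
# which is what URL encoding operates on) does not leak into the caller.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining input
    s=${s#?}                 # drop it
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # printf's 'c form yields the byte value
    esac
  done
  printf '%s\n' "$out"
)

# Build the Repo-by-URL import address. HOST may carry ":port" and PATH is
# "group/project.git"; only the credentials are encoded, the rest is used as is.
build_import_url() (
  user=$(urlencode "$1"); pass=$(urlencode "$2"); host=$3; path=$4
  printf 'https://%s:%s@%s/%s\n' "$user" "$pass" "$host" "$path"
)

# Constructed sample: an e-mail style username and a password containing @ : and /
# build_import_url 'alice@example.com' 'p@ss:w/rd' 'gitlab.example.com:443' 'group/project.git'
# -> https://alice%40example.com:p%40ss%3Aw%2Frd@gitlab.example.com:443/group/project.git
```

The resulting URL carries the credentials in clear text, so handle it with the same care as the password itself.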