Prerequisites:
- A DNS A record pointing at the IP of the host on which GitLab will later run under Docker.
- Your own domain. In this example I use Google Cloud DNS; a free provider such as Duck DNS or another free service works as well.
- Docker and docker-compose must be installed.
- The Traefik proxy must be installed (its docker-compose file is listed at the end of this page).
The GitLab docker-compose installation:
I install GitLab from the latest free Community Edition image (gitlab/gitlab-ce) with docker-compose.
LDAP is connected. A user has to log in once so that the account exists in the backend and can then be assigned to projects.
GitLab additionally serves:
pages.lab.dev for GitLab Pages (pages_external_url in the compose file)
docker.lab.dev for the local container registry
Volumes are stored under:
./config:/etc/gitlab/
./logs:/var/log/gitlab/
./data:/var/opt/gitlab/
/etc/localtime:/etc/localtime:ro
GitLab Runner installation & activation
In the gitlab-runner config the GitLab URL is set to the container name of the GitLab container, because the runner only needs the internal address of the GitLab container on the shared Docker network to talk to it, e.g.:
url = "http://gitlab"
Now fetch the registration token for the new runner from the backend under "Admin Area -> Runners". Treat that token like a password: anyone who has it can attach a runner that will receive your jobs and their variables.
The complete config lives in the file -> /docker/containers/gitlab/config/gitlab-runner/config.toml
The runner has to be registered with the GitLab server once, manually.
Simply run in the console ->
docker exec -it gitlab_gitlab-runner_1 gitlab-runner register
Then answer the prompts and the runner should be registered.
General information -> https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
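Registering non-interactively instead of answering the prompts, as an added example (not from the original post): the function wraps `gitlab-runner register --non-interactive` with the docker executor settings that match the config.toml shown further down. RUNNER_EXEC (how the binary is reached; it defaults to the docker exec call above and can be set to `echo` for a dry run) and the default runner name are this example's assumptions; the token is the registration token from Admin Area -> Runners.

```shell
#!/bin/sh
# Added example, not part of the original post: reproducible runner registration.
# RUNNER_EXEC is an assumption: the command prefix that reaches the gitlab-runner
# binary. Default = the docker exec call from the post; override with RUNNER_EXEC=echo
# to see the command without running it.
RUNNER_EXEC="${RUNNER_EXEC:-docker exec gitlab_gitlab-runner_1 gitlab-runner}"

# register_runner URL TOKEN [NAME]
# Validates what the interactive prompt would have asked for, then calls
# `gitlab-runner register --non-interactive ...` with the docker executor settings
# from config.toml on this page (unprivileged job containers, /cache volume).
# Returns 2 on bad input, otherwise the exit status of gitlab-runner.
register_runner() {
    url="$1"
    token="$2"
    name="${3:-gitlab-runner1}"   # assumption: matches name = "gitlab-runner1" in config.toml
    case "$url" in
        http://*|https://*) ;;
        *) echo "register_runner: URL must start with http:// or https://: '$url'" >&2; return 2 ;;
    esac
    if [ -z "$token" ]; then
        echo "register_runner: empty registration token (Admin Area -> Runners)" >&2
        return 2
    fi
    # RUNNER_EXEC is intentionally word-split so it can carry "docker exec <container>".
    $RUNNER_EXEC register \
        --non-interactive \
        --url "$url" \
        --registration-token "$token" \
        --name "$name" \
        --executor docker \
        --docker-image "docker:19.03.12" \
        --docker-volumes "/cache" \
        --docker-privileged=false \
        --locked=false \
        --run-untagged=true
}

# Usage: register_runner http://gitlab "<registration token>"
```

The token is passed as an argument rather than typed at a prompt, so it ends up in the shell history of whoever runs this; clear it afterwards or pass it via an environment variable instead.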
Slack integration via webhook
Create a new incoming webhook on the Slack configuration / administration page:
-> https://<your workspace name>/apps/
Then, on the GitLab server, enter the URL of the newly created webhook under "GitLab -> Admin Area -> Settings -> Integrations -> Slack notifications".
This configures the webhook for all projects as their default setting; the webhook URL is itself the credential, since anyone who has it can post into the channel, so do not paste it into project READMEs or CI logs.
Each project can then override the settings individually.
Updates and backups
Set the Docker image to gitlab/gitlab-ce:latest.
Create a backup with: docker exec -t <container name> gitlab-backup create
Note that this backup covers the application data under /var/opt/gitlab (the ./data volume) but not /etc/gitlab (the ./config volume with gitlab.rb and gitlab-secrets.json). Back that directory up separately; without gitlab-secrets.json the encrypted data in a restored backup cannot be decrypted.
Download the latest version:
docker-compose pull
docker-compose up -d
If you pinned an image tag in the docker-compose file, you have to update that tag there accordingly.
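The update procedure as a script, added here as an example (not from the original post), including the step the post itself leaves out: `gitlab-backup create` writes the application backup into /var/opt/gitlab/backups on the ./data volume but does not include /etc/gitlab, so the script archives gitlab.rb and gitlab-secrets.json from the ./config volume as well, with file mode 0600, and refuses to update without a complete backup. Assumptions: COMPOSE_DIR is the compose project directory from the post, the GitLab container is called "gitlab" (container_name in the compose file), and DOCKER/COMPOSE can be pointed at `echo` for a dry run; the sample config files in demo_backup are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: backup (application + config/secrets)
# followed by the image update. COMPOSE_DIR, GITLAB_CONTAINER, DOCKER and COMPOSE are
# this example's assumptions and can be overridden from the environment.
COMPOSE_DIR="${COMPOSE_DIR:-/docker/containers/gitlab}"
GITLAB_CONTAINER="${GITLAB_CONTAINER:-gitlab}"
DOCKER="${DOCKER:-docker}"
COMPOSE="${COMPOSE:-docker-compose}"

# backup_config CONFIG_DIR DEST_DIR
# Archives gitlab.rb and gitlab-secrets.json from the ./config volume into DEST_DIR as a
# timestamped tarball created under umask 077 (mode 0600, since it holds the secrets),
# verifies the archive actually lists the secrets file and prints the archive path.
# Returns 1 if either file is missing or the archive is unusable.
backup_config() {
    cfg="$1"
    dest="$2"
    for f in gitlab.rb gitlab-secrets.json; do
        if [ ! -f "$cfg/$f" ]; then
            echo "backup_config: $cfg/$f not found" >&2
            return 1
        fi
    done
    mkdir -p "$dest" || return 1
    out="$dest/gitlab-config-$(date +%Y%m%d-%H%M%S).tar"
    ( umask 077 && tar -C "$cfg" -cf "$out" gitlab.rb gitlab-secrets.json ) || return 1
    tar -tf "$out" | grep -qx 'gitlab-secrets.json' || return 1
    echo "$out"
}

# update_gitlab
# 1. application backup inside the container (repositories, database, uploads),
# 2. config + secrets from the volume, which step 1 does not cover,
# 3. pull the new image and recreate the container.
# Stops at the first failure so the update never runs without a complete backup.
update_gitlab() {
    cd "$COMPOSE_DIR" || return 1
    $DOCKER exec -t "$GITLAB_CONTAINER" gitlab-backup create || return 1
    backup_config "$COMPOSE_DIR/config" "$COMPOSE_DIR/backups" || return 1
    $COMPOSE pull || return 1
    $COMPOSE up -d
}

# demo_backup
# Constructed sample: a throwaway config directory with the two files, so that
# backup_config can be exercised without a GitLab installation. Prints the archive path.
demo_backup() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/config"
    printf "external_url 'https://gitlab.lab.dev'\n" > "$tmp/config/gitlab.rb"
    printf '{ "gitlab_rails": { "secret_key_base": "constructed-sample" } }\n' \
        > "$tmp/config/gitlab-secrets.json"
    backup_config "$tmp/config" "$tmp/backups"
}

# Usage on the real host: update_gitlab
```

Keep the config archive somewhere other than the ./data volume it protects, and restore it into ./config before restoring the application backup.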
Logs
The logs of the Docker containers can easily be viewed with:
docker-compose logs -f
in the directory where the docker-compose file is located.
Last but not least, the contents of the individual files:
docker-compose.yml
version: '3.5'
services:
  gitlab:
    restart: always
    image: gitlab/gitlab-ce:latest
    container_name: gitlab
    hostname: gitlab.lab.dev
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.lab.dev'
        # TLS is terminated by Traefik; the bundled nginx only listens on plain HTTP
        # inside the traefik_internal network.
        nginx['listen_port'] = 80
        nginx['listen_https'] = false
        nginx['http2_enabled'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
        # "$$" is docker-compose escaping for a literal "$" in the nginx variables.
        nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        ### REGISTRY ###
        registry_external_url 'https://docker.lab.dev'
        registry_nginx['enable'] = true
        registry_nginx['listen_port'] = 80
        registry_nginx['listen_https'] = false
        registry_nginx['http2_enabled'] = false
        registry_nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        ### PAGES ###
        pages_external_url 'https://pages.lab.dev'
        pages_nginx['listen_port'] = 80
        pages_nginx['listen_https'] = false
        pages_nginx['http2_enabled'] = false
        pages_nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        gitlab_pages['inplace_chroot'] = true
        gitlab_pages['external_http'] = ['gitlab:5201']
        ### LDAP ###
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
          main:
            label: 'Your AD'
            host: 'YOUR AD IP'
            # The original used port 389 with encryption: 'plain'. That sends the bind_dn
            # password and every user's login password across the network in cleartext and
            # makes verify_certificates meaningless. simple_tls on 636 (or start_tls on 389)
            # fixes that; the AD certificate must then be trusted inside the container
            # (or point ca_file: at the CA bundle).
            port: 636
            uid: 'userPrincipalName'
            encryption: 'simple_tls'
            verify_certificates: true
            bind_dn: 'CN=user,OU=Benutzer,OU=Administration,DC=XXXX,DC=de'
            password: 'XXXXXXXX'
            active_directory: true
            base: 'DC=XXXX,DC=de'
            # Placeholders (XXXX) kept from the original.
            user_filter: 'memberOf:XXXXX:=CN=dev-tools,OU=Gruppen,OU=Administration,DC=XXXXXX,DC=de'
            username: 'sAMAccountName'
            # Active Directory usually keeps the address in the 'mail' attribute.
            email: 'email'
            name: 'cn'
            first_name: 'givenName'
            last_name: 'sn'
        EOS
    ports:
      # Git over SSH: 2222 on the host maps to sshd in the container
      # (matches gitlab_shell_ssh_port above).
      - "2222:22"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_internal"
      # One Traefik service on port 80 (GitLab's nginx); all routers below use it.
      # (The traefik.<name>.frontend.* labels from Traefik v1 are not read by v2
      # and were removed.)
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
      # GitLab itself
      - "traefik.http.middlewares.gitlab-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gitlab.middlewares=gitlab-https-redirect"
      - "traefik.http.routers.gitlab.rule=Host(`gitlab.lab.dev`)"
      - "traefik.http.routers.gitlab.entrypoints=websecure"
      - "traefik.http.routers.gitlab.tls=true"
      - "traefik.http.routers.gitlab.tls.certresolver=myresolver"
      # Container registry
      - "traefik.http.routers.docker.rule=Host(`docker.lab.dev`)"
      - "traefik.http.routers.docker.entrypoints=websecure"
      - "traefik.http.routers.docker.tls=true"
      - "traefik.http.routers.docker.tls.certresolver=myresolver"
      # GitLab Pages: sites are served at <namespace>.pages.lab.dev, so the router has to
      # match the subdomains (a plain Host(`pages.lab.dev`) never matches a site), and
      # the *.lab.dev wildcard does not cover that second level, so *.pages.lab.dev is
      # requested for this router via the DNS challenge.
      - "traefik.http.routers.pages.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.pages.lab.dev`)"
      - "traefik.http.routers.pages.entrypoints=websecure"
      - "traefik.http.routers.pages.tls=true"
      - "traefik.http.routers.pages.tls.certresolver=myresolver"
      - "traefik.http.routers.pages.tls.domains[0].main=pages.lab.dev"
      - "traefik.http.routers.pages.tls.domains[0].sans=*.pages.lab.dev"
    expose:
      - "80"
      - "443"
      - "5200"
    volumes:
      - ./config:/etc/gitlab/
      - ./logs:/var/log/gitlab/
      - ./data:/var/opt/gitlab/
      - /etc/localtime:/etc/localtime:ro
    networks:
      - traefik_internal
  gitlab-runner:
    image: gitlab/gitlab-runner:alpine
    restart: unless-stopped
    # Not required for the docker executor, which only talks to the Docker daemon through
    # the socket below (job containers are created unprivileged, see config.toml);
    # drop it unless you have a concrete reason for it.
    privileged: true
    depends_on:
      - gitlab
    volumes:
      - ./config/gitlab-runner:/etc/gitlab-runner
      # The socket is unrestricted root on the host: anything that gets code execution in
      # the runner container, or is handed the socket by a job, owns the machine.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik_internal
networks:
  traefik_internal:
    external:
      name: traefik_internal
config.toml of the runner
concurrent = 1
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "gitlab-runner1"
  # Container name of the GitLab service; only resolvable inside traefik_internal.
  url = "http://gitlab"
  # Written by `gitlab-runner register`. Anyone who can read ./config/gitlab-runner can
  # impersonate this runner, so keep the volume's permissions tight.
  token = "your runner token from the GitLab server"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
  [runners.docker]
    # tls_verify only concerns a TCP connection to the Docker daemon; with the socket
    # bind mount it has no effect.
    tls_verify = false
    image = "docker:19.03.12"
    # Job containers stay unprivileged (docker-in-docker would require true).
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
docker-compose.yml of traefik
version: '3.5'
services:
  traefik:
    restart: always
    image: "traefik:v2.2.1"
    container_name: "traefik"
    command:
      # DEBUG writes full request details to the container log; lower it once the
      # setup works.
      - "--log.level=DEBUG"
      # The dashboard is published only through the authenticated "api" router below.
      # --api.insecure=true together with a "8080:8080" port mapping would serve it
      # without any authentication on :8080 and bypass that router, so both are gone.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.certResolver=myresolver"
      # Has to live on the ./letsencrypt volume. A bare "acme.json" is written to the
      # container's working directory and is lost, account key included, every time the
      # container is recreated; after a few recreations Let's Encrypt rate limits bite.
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesResolvers.myresolver.acme.email=your-email@domain.de"
      # Let's Encrypt staging server
      # - "--certificatesResolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesResolvers.myresolver.acme.dnsChallenge=true"
      # - "--certificatesResolvers.myresolver.acme.dnsChallenge.disablePropagationCheck=true"
      - "--certificatesResolvers.myresolver.acme.dnschallenge.provider=gcloud"
      - "--certificatesResolvers.myresolver.acme.dnschallenge.resolvers=8.8.4.4:53,8.8.8.8:53"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=0"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - traefik_internal
    volumes:
      # Needed for the Docker provider, but it also means whoever controls this container
      # controls the Docker daemon and thus the host.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./certs:/data/tls-conf
      # Let's Encrypt JSON with account data and private key
      - ./letsencrypt:/letsencrypt
    secrets:
      - gcp_service_account
    environment:
      # Google Cloud DNS credentials for the DNS challenge; the service account only
      # needs DNS admin on the zone, nothing more.
      - GCE_SERVICE_ACCOUNT_FILE=/run/secrets/gcp_service_account
      - GCE_PROJECT=axial-analyzer-XXXX
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_internal"
      # Dashboard and API behind basic auth on https://traefik2.lab.dev. The tls.domains
      # entry makes the resolver request the wildcard certificate for lab.dev and
      # *.lab.dev through the DNS challenge (a TLS router on the plain "web" entrypoint,
      # as in the original, never serves a request; the domains belong on this router).
      - "traefik.http.routers.api.rule=Host(`traefik2.lab.dev`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=myresolver"
      - "traefik.http.routers.api.tls.domains[0].main=lab.dev"
      - "traefik.http.routers.api.tls.domains[0].sans=*.lab.dev"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      # htpasswd-style hash (e.g. from `htpasswd -nB admin`); every "$" in the hash has
      # to be written as "$$" in a compose file, otherwise compose interpolates it.
      - "traefik.http.middlewares.auth.basicauth.users=admin:XXXXXXXXXXXXX"
      # Middlewares for a global redirect to https
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
      - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.redirs.entrypoints=web"
      - "traefik.http.routers.redirs.middlewares=redirect-to-https"
secrets:
  # Google Cloud DNS service account key
  gcp_service_account:
    file: ./secrets/axial-analyzer-xxxxxx.json
networks:
  traefik_internal:
    external:
      name: traefik_internal
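A pre-deploy check over both compose files on this page (the GitLab one and the Traefik one), added here as an example and not part of the original post. It flags the settings a security reviewer would question in them: a privileged runner container, Docker socket bind mounts, Traefik's unauthenticated API, DEBUG logging, a cleartext LDAP bind and a non-persisted ACME store. It is plain grep so it runs anywhere; the WARN/INFO labels and the two sample files are constructed for this example, the sample files condensing the fragments from this page before and after hardening.

```shell
#!/bin/sh
# Added example, not part of the original post: grep-based audit of a docker-compose
# file for the risky settings discussed on this page.

# _check LEVEL PATTERN MESSAGE
# Helper for audit_compose: reports every line of $file matching PATTERN with its line
# number and bumps $warns once per WARN-level check that fired.
_check() {
    hits=$(grep -nE -e "$2" "$file" || true)
    [ -n "$hits" ] || return 0
    echo "$hits" | while IFS= read -r line; do
        echo "$1 $file:${line%%:*}: $3"
    done
    if [ "$1" = "WARN" ]; then warns=$((warns + 1)); fi
    return 0
}

# audit_compose FILE
# Prints one finding per matching line and returns the number of WARN-level checks that
# fired (0 = clean, 255 = file missing). A check counts once even if several lines match.
audit_compose() {
    file="$1"
    warns=0
    [ -f "$file" ] || { echo "audit_compose: no such file: $file" >&2; return 255; }
    _check WARN 'privileged:[[:space:]]*true' \
        'privileged container: all capabilities and raw device access; the docker executor only needs the socket'
    _check WARN '/var/run/docker\.sock' \
        'Docker socket bind-mounted: whoever controls this container is root on the host'
    _check WARN 'api\.insecure=true' \
        'Traefik API and dashboard served unauthenticated on :8080, bypassing any basicauth router'
    _check INFO 'log\.level=DEBUG' \
        'DEBUG logging: full request details land in the container log'
    _check WARN "encryption:[[:space:]]*'plain'" \
        'LDAP without TLS: the bind_dn password and every user login cross the network in cleartext'
    _check WARN 'acme\.storage=[^/]' \
        'ACME store is a relative path inside the container and is lost when it is recreated'
    return "$warns"
}

# Constructed sample: the risky fragments from this page, condensed into one file.
write_sample_insecure() {
    cat > "$1" <<'EOF'
services:
  gitlab-runner:
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  traefik:
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--certificatesresolvers.myresolver.acme.storage=acme.json"
  gitlab:
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        encryption: 'plain'
EOF
}

# Constructed sample: the same fragments after hardening. Traefik still needs the socket
# for its Docker provider, so one WARN remains and has to be accepted knowingly.
write_sample_hardened() {
    cat > "$1" <<'EOF'
services:
  traefik:
    command:
      - "--log.level=INFO"
      - "--api.dashboard=true"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  gitlab:
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        encryption: 'simple_tls'
EOF
}

# Usage: audit_compose /docker/containers/gitlab/docker-compose.yml; echo "warnings: $?"
```

Run it against both compose files before `docker-compose up -d`; the exit status doubles as a gate in a deploy script (`audit_compose f || echo "review the findings first"`).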
Optional config for vSphere with docker+machine
concurrent = 5
check_interval = 0
log_level = "info"

[session_server]
  session_timeout = 2800

[[runners]]
  name = "vsphere"
  limit = 10
  # The machines created by docker-machine are not on the traefik_internal network,
  # so they reach GitLab through its public URL via Traefik.
  url = "https://gitlab.lab.dev/"
  token = "secret_XYZ"
  executor = "docker+machine"
  [runners.custom_build_dir]
  [runners.ssh]
    # Credentials for the VMs docker-machine provisions. Every secret in this file is
    # plaintext, so restrict the file to the runner user.
    user = "docker"
    password = "secret_XYZ"
    identity_file = "./id_rsa"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = true
    # Mounting the VM's Docker socket into every job container makes each pipeline root on
    # that build VM. Tolerable for dedicated, disposable VMs created for this runner,
    # never on a shared host.
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    # [runners.cache.azure]
  [runners.machine]
    IdleCount = 0
    IdleTime = 1800
    # MaxBuilds = 10
    MachineDriver = "vmwarevsphere"
    MachineName = "gitlab-runner-vsphere-pool-1-%s"
    # vCenter credentials are plaintext here as well; use a dedicated vSphere account that
    # can only create and delete VMs in the given folder.
    MachineOptions = ["vmwarevsphere-username=USERNAME", "vmwarevsphere-password=Secret_XYZ", "vmwarevsphere-vcenter=VMWARE_CENTER_URL", "vmwarevsphere-datastore=ESXI-59-Local-AIF-01", "vmwarevsphere-memory-size=3096", "vmwarevsphere-disk-size=40960", "vmwarevsphere-cpu-count=3", "vmwarevsphere-network=Check", "vmwarevsphere-datacenter=DATACENTER_NAME", "vmwarevsphere-folder=test"]
    # The OffPeak* settings are deprecated since GitLab Runner 13.0 in favour of
    # [[runners.machine.autoscaling]] sections.
    OffPeakTimezone = ""
    OffPeakIdleCount = 0
    OffPeakIdleTime = 1200