- Reference
- Note
Unless stated otherwise, every command in this document is run as root.
1. Install GitLab
1.1. Operating system: CentOS 6.8
1.1.1. Configure third-party yum repositories
Add the EPEL repository
-
Download the GPG key
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 https://getfedora.org/static/0608B895.txt
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
-
Check that the key was imported:
rpm -qa gpg*
gpg-pubkey-0608b895-4bd22942
-
Install the epel-release-6-8.noarch package, which enables the EPEL repository on your system:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Add Remi's RPM repository
-
Download the GPG key
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-remi http://rpms.famillecollet.com/RPM-GPG-KEY-remi
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-remi
-
Check that the key was imported:
rpm -qa gpg*
gpg-pubkey-00f97f56-467e318a
-
Install the remi-release-6 package, which enables the remi-safe repository on your system:
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
Check that the yum repositories are configured correctly
If they are not, enable them manually
1.1.2. Install yum packages
-
Note
If some packages (e.g. gdbm-devel, libffi-devel and libicu-devel) cannot be installed, try running: yum-config-manager --enable rhel-6-server-optional-rpms
1.1.3. Install a mail server
postfix is recommended
1.1.4. Configure the default editor
To remove the link:
rm -i /usr/bin/editor
1.2. Install Git (2.7.4 or higher) from source
Add the Git binary directory to $PATH
Edit config/gitlab.yml and set the git bin_path to /usr/local/bin/git.
1.3. Install Ruby (2.1)
1.3.1. Install the Bundler Gem
1.4. Install Go
Since GitLab 8.0, HTTP requests are handled by gitlab-workhorse, which is a Go program.
1.5. Configure the GitLab system user
-
In order to include /usr/local/bin in the git user's PATH, one way is to edit the sudoers file.
As root, run: visudo
Change
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
to
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
1.6. Install the database
1.6.1. PostgreSQL (9.3)
-
Install
yum remove postgresql
rpm -Uvh http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-centos93-9.3-2.noarch.rpm
yum install postgresql93-server postgresql93-devel postgresql93-contrib
mv /etc/init.d/{postgresql-9.3,postgresql}
service postgresql initdb
-
Start
service postgresql start
-
Enable start at boot
chkconfig postgresql on
-
Configure the user and password
su - postgres
psql -d template1
psql (9.4.3)
Type "help" for help.
template1=# CREATE USER git CREATEDB;
CREATE ROLE
template1=# CREATE DATABASE gitlabhq_production OWNER git;
CREATE DATABASE
template1=# CREATE EXTENSION IF NOT EXISTS pg_trgm;
template1=# \q
exit    # exit uid=postgres, return to root
Once configured, try logging in as the git user
sudo -u git psql -d gitlabhq_production
Check that the pg_trgm extension is installed
SELECT true AS enabled FROM pg_available_extensions WHERE name = 'pg_trgm' AND installed_version IS NOT NULL;
-
Configure access permissions
/var/lib/pgsql/9.3/data/pg_hba.conf
Change ident to trust:
host all all 127.0.0.1/32 trust
Note that trust authentication lets any local process that can reach 127.0.0.1 connect as any PostgreSQL role without a password, so keep it limited to the loopback address.
1.6.2. MySQL (5.5.14 or later)
-
Install MySQL and enable it at boot
yum install -y mysql-server mysql-devel
chkconfig mysqld on
service mysqld start
-
The minimum version is 5.5.14
mysql --version
-
Secure your installation
mysql_secure_installation
-
Create a user for GitLab
CREATE USER 'git'@'localhost' IDENTIFIED BY '$password';
-
Set the storage engine to InnoDB
SET storage_engine=INNODB;
If this fails, check whether the MySQL config files (e.g. /etc/mysql/.cnf, /etc/mysql/conf.d/) contain "innodb = off".
-
Create the GitLab production database
CREATE DATABASE IF NOT EXISTS `gitlabhq_production` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
-
Grant the GitLab user the necessary permissions on the table
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER, LOCK TABLES, REFERENCES ON `gitlabhq_production`.* TO 'git'@'localhost';
-
Check the new user and database
sudo -u git -H mysql -u git -p -D gitlabhq_production
1.7. Install Redis (at least Redis 2.8)
-
Configure Redis
cp /etc/redis.conf /etc/redis.conf.orig
-
Disable TCP access to Redis by setting port to 0.
sed 's/^port .*/port 0/' /etc/redis.conf.orig | sudo tee /etc/redis.conf
-
Enable the Redis socket at the default CentOS path:
echo 'unixsocket /var/run/redis/redis.sock' | sudo tee -a /etc/redis.conf
echo -e 'unixsocketperm 0770' | sudo tee -a /etc/redis.conf
-
Create the directory which contains the socket
mkdir /var/run/redis
chown redis:redis /var/run/redis
chmod 755 /var/run/redis
-
Persist the directory which contains the socket, if applicable
if [ -d /etc/tmpfiles.d ]; then
  echo 'd /var/run/redis 0755 redis redis 10d -' | sudo tee -a /etc/tmpfiles.d/redis.conf
fi
-
Restart Redis so the settings take effect
service redis restart
-
Add the git user to the redis group
usermod -aG redis git
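As an added example (not part of the original guide), the following script applies the Redis changes above (port 0, unix socket, 0770 socket permissions) to a redis.conf and then verifies them; it runs against a constructed sample file in a temp directory, so the sample content is an assumption, and the real path would be /etc/redis.conf.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the Redis hardening steps
# above (no TCP listener, unix socket, 0770 socket permissions) to a redis.conf
# and verify them. Runs on a constructed sample file; pass /etc/redis.conf for real use.

# harden_redis_conf FILE: keep FILE.orig, then rewrite FILE with the GitLab settings.
harden_redis_conf() {
    conf="$1"
    cp "$conf" "$conf.orig"
    # port 0 disables the TCP listener; GitLab reaches Redis over the unix socket only.
    sed 's/^port .*/port 0/' "$conf.orig" > "$conf"
    # Append the socket directives only when absent, so re-running is safe.
    grep -q '^unixsocket ' "$conf" || echo 'unixsocket /var/run/redis/redis.sock' >> "$conf"
    grep -q '^unixsocketperm ' "$conf" || echo 'unixsocketperm 0770' >> "$conf"
}

# check_redis_conf FILE: return 0 when every expected directive is present, 1 otherwise.
check_redis_conf() {
    conf="$1"
    grep -q '^port 0$' "$conf" || { echo "TCP port still enabled"; return 1; }
    grep -q '^unixsocket /var/run/redis/redis.sock$' "$conf" || { echo "unixsocket missing"; return 1; }
    grep -q '^unixsocketperm 0770$' "$conf" || { echo "unixsocketperm missing"; return 1; }
    return 0
}

# Constructed sample standing in for /etc/redis.conf (assumed content).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/redis.conf"
printf 'daemonize yes\nport 6379\nbind 127.0.0.1\n' > "$SAMPLE_CONF"

harden_redis_conf "$SAMPLE_CONF"
check_redis_conf "$SAMPLE_CONF" && echo "hardened: $SAMPLE_CONF"
```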
1.8. Install GitLab
Install into the home directory of the git user
# We'll install GitLab into home directory of the user "git"
cd /home/git
# Clone GitLab repository
sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 8-9-stable gitlab
# As of 2017-04, 9-1-stable also works
# sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 9-1-stable gitlab
# Go to GitLab installation folder
cd /home/git/gitlab
# Copy the example GitLab config
sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml
# Update GitLab config file, follow the directions at top of file
sudo -u git -H editor config/gitlab.yml
# Copy the example secrets file
sudo -u git -H cp config/secrets.yml.example config/secrets.yml
sudo -u git -H chmod 0600 config/secrets.yml
# Make sure GitLab can write to the log/ and tmp/ directories
sudo chown -R git log/
sudo chown -R git tmp/
sudo chmod -R u+rwX,go-w log/
sudo chmod -R u+rwX tmp/
# Make sure GitLab can write to the tmp/pids/ and tmp/sockets/ directories
sudo chmod -R u+rwX tmp/pids/
sudo chmod -R u+rwX tmp/sockets/
# Create the public/uploads/ directory
sudo -u git -H mkdir public/uploads/
# Make sure only the GitLab user has access to the public/uploads/ directory
# now that files in public/uploads are served by gitlab-workhorse
sudo chmod 0700 public/uploads
sudo chmod ug+rwX,o-rwx /home/git/repositories/
# Change the permissions of the directory where CI build traces are stored
sudo chmod -R u+rwX builds/
# Change the permissions of the directory where CI artifacts are stored
sudo chmod -R u+rwX shared/artifacts/
# Copy the example Unicorn config
sudo -u git -H cp config/unicorn.rb.example config/unicorn.rb
# Find number of cores
nproc
# Enable cluster mode if you expect to have a high load instance
# Ex. change amount of workers to 3 for 2GB RAM server
# Set the number of workers to at least the number of cores
sudo -u git -H editor config/unicorn.rb
# Copy the example Rack attack config
sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb
# Configure Git global settings for git user
# 'autocrlf' is needed for the web editor
sudo -u git -H git config --global core.autocrlf input
# Disable 'git gc --auto' because GitLab already runs 'git gc' when needed
sudo -u git -H git config --global gc.auto 0
# Configure Redis connection settings
sudo -u git -H cp config/resque.yml.example config/resque.yml
# Change the Redis socket path if you are not using the default CentOS configuration
sudo -u git -H editor config/resque.yml
1.8.1. Configure the database connection
# PostgreSQL only:
sudo -u git cp config/database.yml.postgresql config/database.yml
# MySQL only:
sudo -u git cp config/database.yml.mysql config/database.yml
# MySQL and remote PostgreSQL only:
# Update username/password in config/database.yml.
# You only need to adapt the production settings (first part).
# If you followed the database guide then please do as follows:
# Change 'secure password' with the value you have given to $password
# You can keep the double quotes around the password
sudo -u git -H editor config/database.yml
# PostgreSQL and MySQL:
# Make config/database.yml readable to git only
sudo -u git -H chmod o-rwx config/database.yml
1.8.2. Install Gems
In mainland China, switch the gem source to the ruby-china mirror first, otherwise the install is very slow
cd /home/git/gitlab
# For PostgreSQL (note, the option says "without ... mysql")
sudo -u git -H bundle config build.pg --with-pg-config=/usr/pgsql-9.3/bin/pg_config
sudo -u git -H bundle install --deployment --without development test mysql aws kerberos
# Or for MySQL (note, the option says "without ... postgres")
sudo -u git -H bundle install --deployment --without development test postgres aws kerberos
1.8.3. Install GitLab shell
GitLab Shell is an SSH access and repository management software developed specially for GitLab.
# Run the installation task for gitlab-shell (replace `REDIS_URL` if needed):
sudo -u git -H bundle exec rake gitlab:shell:install[v3.0.0] REDIS_URL=unix:/var/run/redis/redis.sock RAILS_ENV=production
# By default, the gitlab-shell config is generated from your main GitLab config.
# You can review (and modify) the gitlab-shell config as follows:
sudo -u git -H editor /home/git/gitlab-shell/config.yml
# Ensure the correct SELinux contexts are set
# Read http://wiki.centos.org/HowTos/Network/SecuringSSH
restorecon -Rv /home/git/.ssh
1.8.4. Install gitlab-workhorse
1.8.5. Initialize the database
1.8.6. Back up secrets.yml
The secrets.yml file stores encryption keys for sessions and secure variables. Back up secrets.yml somewhere safe.
1.8.7. Configure GitLab to start at boot
1.8.8. Set up log backups
1.8.9. Check the GitLab environment configuration
1.8.10. Compile assets
1.8.11. Start GitLab
1.9. Configure the web server
1.9.1. Nginx (1.10.2-1.el6)
-
Install Nginx
yum update
yum -y install nginx
chkconfig nginx on
-
Site configuration
cp lib/support/nginx/gitlab /etc/nginx/conf.d/gitlab.conf
-
Add the nginx user to the git group
usermod -a -G git nginx
chmod g+rx /home/git/
-
Check the nginx configuration file
nginx -t
-
Restart Nginx
service nginx restart
1.9.2. Apache
-
GitLab-Workhorse
When using Apache, workhorse must be reconfigured accordingly. Change gitlab_workhorse_options in /etc/default/gitlab to the following:
gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080"
Then restart GitLab
service gitlab restart
-
HTTP configuration
yum -y install httpd
chkconfig httpd on
wget -O /etc/httpd/conf.d/gitlab.conf https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/web-server/apache/gitlab-apache22.conf
sed -i 's/logs\///g' /etc/httpd/conf.d/gitlab.conf
-
HTTPS configuration
yum -y install httpd mod_ssl
chkconfig httpd on
wget -O /etc/httpd/conf.d/gitlab.conf https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/web-server/apache/gitlab-ssl-apache22.conf
mv /etc/httpd/conf.d/ssl.conf{,.bak}
sed -i 's/logs\///g' /etc/httpd/conf.d/gitlab.conf
- Make sure the path to your certificates is valid.
- Add LoadModule ssl_module /etc/httpd/modules/mod_ssl.so in /etc/httpd/conf/httpd.conf.
-
SELinux configuration
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_network_relay on
setsebool -P httpd_read_user_content on
semanage -i - <<EOF
fcontext -a -t user_home_dir_t '/home/git(/.*)?'
fcontext -a -t ssh_home_t '/home/git/.ssh(/.*)?'
fcontext -a -t httpd_sys_content_t '/home/git/gitlab/public(/.*)?'
fcontext -a -t httpd_sys_content_t '/home/git/repositories(/.*)?'
EOF
restorecon -R /home/git
- Note: semanage is part of the policycoreutils-python package.
-
Other httpd security considerations
-
In /etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
-
mod_ssl is vulnerable when compression is enabled
In Apache httpd 2.2.15 (official release), mod_ssl enables compression over SSL by default, so it must be turned off.
# Add the following line to /etc/sysconfig/httpd.
export OPENSSL_NO_DEFAULT_ZLIB=1
On httpd 2.2.24 and later, it can instead be set in httpd.conf:
SSLCompression Off
-
Some Apache modules must be disabled
#LoadModule deflate_module modules/mod_deflate.so
#LoadModule suexec_module modules/mod_suexec.so
-
Restart Apache
service httpd start
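As an added example (not part of the original guide), this script audits an httpd.conf and the /etc/sysconfig/httpd file for the hardening settings listed in this section: the three directives, SSL compression disabled by either method, and the two LoadModule lines commented out. It runs on constructed sample files, so the sample content is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide: audit httpd.conf and /etc/sysconfig/httpd
# for the hardening directives listed above. Runs on constructed sample files;
# pass /etc/httpd/conf/httpd.conf and /etc/sysconfig/httpd to check a real host.

# audit_httpd_conf HTTPD_CONF SYSCONFIG: print each finding, return 1 if there are any.
audit_httpd_conf() {
    conf="$1"; sysconfig="$2"; bad=0
    for want in 'ServerTokens Prod' 'ServerSignature Off' 'TraceEnable Off'; do
        set -- $want   # $1 = directive, $2 = required value
        grep -Eiq "^[[:space:]]*$1[[:space:]]+$2[[:space:]]*$" "$conf" \
            || { echo "missing: $want"; bad=1; }
    done
    # SSL compression must be off: either the 2.2.24+ directive or the env-var workaround.
    if ! grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+Off' "$conf" \
        && ! grep -q '^export OPENSSL_NO_DEFAULT_ZLIB=1' "$sysconfig"; then
        echo "SSL compression not disabled"; bad=1
    fi
    # Modules the guide comments out must not appear on an active LoadModule line.
    for mod in deflate_module suexec_module; do
        grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$mod" "$conf" \
            && { echo "loaded: $mod"; bad=1; }
    done
    return $bad
}

# Constructed sample files (assumed content) showing an unhardened httpd.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/httpd.conf" <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule ssl_module /etc/httpd/modules/mod_ssl.so
LoadModule deflate_module modules/mod_deflate.so
#LoadModule suexec_module modules/mod_suexec.so
EOF
printf 'OPTIONS=\n' > "$SAMPLE_DIR/sysconfig-httpd"

audit_httpd_conf "$SAMPLE_DIR/httpd.conf" "$SAMPLE_DIR/sysconfig-httpd" \
    || echo "sample httpd.conf needs hardening"
```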
1.10. Configure the firewall
1.11. Final check of the installation
1.12. First login
The default administrator is the root user; set its password on first login.
Log in as root > Admin Area icon (top right) > Overview
For example, after this installation the Overview page shows the following components:
1.12.1. Health Check
Log in as root > Admin Area icon (top right) > Monitoring > Health Check
2. Restart GitLab
-
Nginx + PostgreSQL combination
service redis start
service postgresql start
service gitlab start
service nginx start
3. Troubleshooting
- References
http://blog.csdn.net/johnnycode/article/details/41947581
http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/
3.1. Everything is installed, but nginx cannot access gitlab-workhorse: permission denied
Accessing GitLab returns 403 Forbidden.
- Check the logs
-
Analysis
This is caused by SELinux access control: the socket file cannot be accessed. Looking at the socket files' permissions, there is a dot after the mode bits (an SELinux security context is attached), as shown below:
root@localhost: /home/git/gitlab # ll tmp/sockets
total 0
srwxrwxrwx. 1 git git 0 Nov 21 10:42 gitlab.socket
srwxrwxrwx. 1 git git 0 Nov 21 10:42 gitlab-workhorse.socket
The fix is either to disable SELinux or to configure a security policy.
3.1.1. Option: disable SELinux
-
Temporarily
# setenforce 0    # turn off SELinux enforcement
-
Permanently
Edit /etc/selinux/config, set SELINUX=disabled, and check after rebooting:
getenforce
Disabled
3.1.2. Option: add a security module
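Before choosing between the two options above, it is worth confirming which denial actually causes the 403, since a targeted policy module (section 3.1.2) keeps SELinux enforcing for the rest of the host. As an added example (not part of the original guide), the following script summarises AVC records from an audit log; it runs on constructed sample log lines whose labels (httpd_t for nginx, user_home_t for the socket under /home/git) are assumptions, and the real log path is /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the original guide: before disabling SELinux, confirm the
# denial behind the 403. This summarises AVC records from an audit log (comm, source
# type, target type, class, permissions) so you can see which policy rule is missing.
# Runs on constructed sample log lines; pass /var/log/audit/audit.log on a real host.

# avc_summary LOGFILE: one line per denial, "comm source_type target_type tclass { perms }".
avc_summary() {
    grep 'avc: *denied' "$1" | awk '{
        perms = ""; comm = ""; st = ""; tt = ""; tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : " ") $j
            }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub("\"", "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # source domain
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }   # target label
            if ($i ~ /^tclass=/)   { tc = $i; sub(/^tclass=/, "", tc) }
        }
        print comm, st, tt, tc, "{ " perms " }"
    }'
}

# Constructed sample audit log (assumed content): nginx, running in httpd_t, is refused
# write access to a unix socket in the git user's home, which is labelled user_home_t.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
type=SYSCALL msg=audit(1479696120.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1479696120.123:456): avc:  denied  { write } for  pid=1234 comm="nginx" name="gitlab-workhorse.socket" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file
EOF

avc_summary "$SAMPLE_DIR/audit.log"
```

Each output line names the source domain, the target label and the permission that was refused, which is exactly what a policy module has to allow (or what a relabel of the socket directory has to change).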
4. GitLab 9.1.0
4.1. Change the Unicorn port
The default Unicorn port is 8080, which easily conflicts with other apps.
- How to change it
/home/git/gitlab/config/unicorn.rb