在 Docker 環境下安裝 GitLab

前言#

本文講述如何在 Debian 11 環境下使用 Docker 安裝 GitLab。

創建 Git 用戶組和用戶#

首先需要創建 git 的用戶組和用戶：

groupadd -g 998 git
useradd -m -u 998 -g git -s /bin/sh -d /home/git git

以上命令建議在安裝 Docker 之前執行。
已知使用 apt 安裝 Docker 會默認創建 GID 為 998 的 docker 組，會與 GitLab 的 git 組衝突，提前創建 GID 為 998 的組可避免手工修改。

安裝 Docker 和 Docker Compose#

參考：

創建應用#

創建 GitLab 應用及數據文件夾 /app/gitlab：

mkdir -p /app/gitlab
mkdir -p /app/gitlab/data/{config,logs,data}

創建 /app/gitlab/docker-compose.yaml 文件，內容如下：

version: '3'

services:
  gitlab:
    image: gitlab/gitlab-ce:14.7.2-ce.0
    container_name: gitlab
    restart: always
    privileged: true
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://example.com';
        nginx['enable'] = false;
        gitlab_rails['trusted_proxies'] = ['172.17.0.0/24', '10.0.0.0/8'];
        gitlab_workhorse['listen_network'] = 'tcp';
        gitlab_workhorse['listen_addr'] = '0.0.0.0:8181';
        gitlab_workhorse['gitlab_ssh_host'] = 'git.example.com';
    ports:
      - '8181:8181'
      - '2222:22'
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # - /app/gitlab/data/data/.ssh/id_rsa.pub:/gitlab-data/ssh/authorized_keys:ro
      - /app/gitlab/data/config:/etc/gitlab
      - /app/gitlab/data/logs:/var/log/gitlab
      - /app/gitlab/data/data:/var/opt/gitlab
    shm_size: '256m'
    deploy:
      resources:
        limits:
          cpus: 2
          memory: 4G

其中，example.com 修改為 GitLab 的域名，git.example.com 修改為 SSH 的域名。

進入應用文件夾，拉取鏡像並初始化服務：

cd /app/gitlab
docker-compose pull
docker-compose up -d

配置#

首先停止服務：

docker-compose down

修改 /app/gitlab/data/config/gitlab.rb 文件，依次查找取消註釋並修改即可：

external_url 'https://example.com'
gitlab_rails['gitlab_ssh_host'] = 'git.example.com'
gitlab_rails['time_zone'] = 'Asia/Shanghai'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.example.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "smtp_user"
gitlab_rails['smtp_password'] = "smtp_password"
gitlab_rails['smtp_domain'] = "example.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'noreply@example.com'
gitlab_rails['gitlab_email_display_name'] = 'Example'
gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
gitlab_rails['gitlab_default_theme'] = 2
gitlab_rails['gravatar_plain_url'] = 'https://gravatar.loli.net/avatar/%{hash}?s=%{size}&d=identicon'
gitlab_rails['gravatar_ssl_url'] = 'https://gravatar.loli.net/avatar/%{hash}?s=%{size}&d=identicon'
gitlab_shell['auth_file'] = "/var/opt/gitlab/.ssh/authorized_keys"

啟動服務，應用配置：

doker-compose up -d

SSH 轉發#

將容器內 SSH 密鑰映射到宿主機：

rm -rf /home/git/.ssh
ln -sf /app/gitlab/data/data/.ssh /home/git/.ssh

生成宿主機到容器的通信密鑰：

su - git
ssh-keygen

創建 gitlab-shell：

mkdir -p /opt/gitlab/embedded/service/gitlab-shell/bin
touch /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell
chmod a+x /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell

/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell 的內容如下：

#!/bin/sh
ssh -i /home/git/.ssh/id_rsa -p 2222 -o StrictHostKeyChecking=no git@git.example.com "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

注意將 git.example.com 添加到 /etc/hosts 文件，指向 127.0.0.1 即可。

修改 docker-compose.yaml 文件，將掛載 /gitlab-data/ssh/authorized_keys 一行的註釋取消。

重啟服務：

docker-compose down
docker-compose up -d

配置 nginx 轉發#

nginx 配置文件示例：

upstream gitlab-workhorse {
  server 127.0.0.1:8181 fail_timeout=0;
}

server {
  listen 80;
  listen [::]:80 ipv6only=on;
  server_name example.com;
  server_tokens off;
  return 301 https://$http_host$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ipv6only=on ssl;
  server_name example.com;
  server_tokens off;

  include enable-ssl.conf;
  include enable-hsts.conf;

  ssl_certificate /data/ssl/example.com/fullchain.pem;
  ssl_certificate_key /data/ssl/example.com/privkey.pem;
  ssl_trusted_certificate /data/ssl/example.com/ca.pem;

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_redirect off;

    proxy_http_version 1.1;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://gitlab-workhorse;
  }
}

結尾#

瀏覽器打開 https://example.com，嘗試一下！