须知DockerHub上的官方gitlab-ce镜像是基于Omnibus版本的封装gitlab-ce中的许多Omnibus版本组件需要经过配置后才会启用准备工作Gitlab默认占用了22、80、443
须知
- DockerHub上的官方gitlab-ce镜像是基于Omnibus版本的封装
- gitlab-ce中的许多Omnibus版本组件需要经过配置后才会启用
准备工作
Gitlab默认占用了22、80、443端口,所以需要留意避免Gitlab Docker服务和宿主机开放端口冲突
常见的如果宿主机开放了ssh服务,则需要如下迁移端口:
## SSHD端口变更 ### 基于安全性及避免与gitlab容器服务冲突# 迁移宿主机sshd服务的22默认端口至8022口上# 后期ssh连接注意使用8022端口访问sudo sed -i 's|#Port 22|Port 8022|' /etc/ssh/sshd_configsudo service sshd restartsudo netstat -anpt # 查看当前端口情况基于Docker两种模式搭建Gitlab
- 这里约定HTTPS证书和秘钥在/etc/certs目录
- 文件重命名为 domain.crt domain.key
1. 单服务启动模式
docker run -d --name gitlab --hostname gitlab.example.com /-e GITLAB_OMNIBUS_CONFIG=" external_url 'https://gitlab.example.com' gitlab_rails['gitlab_shell_ssh_port'] = 22 nginx['redirect_http_to_https'] = true nginx['ssl_dhparam'] = '/etc/gitlab/ssl/dhparam.pem' nginx['ssl_certificate'] = '/etc/gitlab/ssl/domain.crt' nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/domain.key' nginx['custom_gitlab_server_config'] = 'location ^~ /.well-known {/n alias /var/opt/gitlab/letsencrypt/.well-known;/n}/n' high_availability['mountpoint'] = ['/etc/gitlab', '/var/log/gitlab' '/var/opt/gitlab' # 严格限定gitlab服务启动前,指定文件系统挂完毕" /-p 22:22 -p 80:80 -p 443:443 /-v /srv/gitlab/config:/etc/gitlab /-v /srv/gitlab/logs:/var/log/gitlab /-v /srv/gitlab/data:/var/opt/gitlab /-v /etc/certs:/etc/gitlab/ssl /--restart=always gitlab/gitlab-ce:latest2. Compose服务编排模式(推荐方式)
docker pull gitlab/gitlab-ce:latest############################ 多行命令开始 ##########################cat > docker-compose.yaml <<EOFversion: '2'services: Gitlab: image: 'gitlab/gitlab-ce:latest' container_name: 'gitlab' hostname: 'gitlab.example.com' restart: always ports: - '22:22' - '80:80' - '443:443' environment: GITLAB_OMNIBUS_CONFIG: | # Add any other gitlab.rb configuration here, each on its own line external_url 'https://gitlab.example.com' gitlab_rails['gitlab_shell_ssh_port'] = 22 nginx['redirect_http_to_https'] = true nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparam.pem" nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt" nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key" nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {/n alias /var/opt/gitlab/letsencrypt/.well-known;/n}/n" high_availability['mountpoint'] = ["/etc/gitlab", "/var/log/gitlab", "/var/opt/gitlab"] # 严格限定gitlab服务启动前,指定文件系统挂完毕 volumes: - /srv/gitlab/config:/etc/gitlab - /srv/gitlab/logs:/var/log/gitlab - /srv/gitlab/data:/var/opt/gitlab - /etc/certs:/etc/gitlab/sslEOF############################ 多行命令结束 ########################### 启动服务docker-compose -f docker-compose.yaml up -d启用邮件功能
Gitlab 的 Compose 配置 GITLAB_OMNIBUS_CONFIG 节点下增加如下几行:
########## 邮件服务配置 ########## gitlab_rails['smtp_enable'] = true gitlab_rails['smtp_address'] = "smtp.exmail.qq.com" gitlab_rails['smtp_port'] = 465 gitlab_rails['smtp_tls'] = true gitlab_rails['smtp_user_name'] = "账号" gitlab_rails['smtp_password'] = "密码" gitlab_rails['smtp_authentication'] = "login" gitlab_rails['smtp_enable_starttls_auto'] = true gitlab_rails['gitlab_email_from'] = "发件人邮箱"首次登陆Gitlab版本库时会提示设定root超管用户密码
Gitlab调优
gitlab对内存资源的消耗比较厉害
其中尤以 sidekiq队列 及 unicorn服务 两个组件对内存消耗最多
可以再容器启动时对相关参数进行微调:
unicorn['worker_processes'] = 1 unicorn['worker_memory_limit_min'] = "300 * 1 << 20" unicorn['worker_memory_limit_max'] = "400 * 1 << 20" unicorn['worker_timeout'] = 15 sidekiq['concurrency'] = 10 sidekiq_cluster['enable'] = false sidekiq_cluster['ha'] = false redis['maxclients'] = "100" nginx['worker_processes'] = 2 nginx['worker_connections'] = 512 nginx['keepalive_timeout'] = 300 nginx['cache_max_size'] = '200m' mattermost['enable'] = false mattermost_nginx['enable'] = false gitlab_pages['enable'] = false pages_nginx['enable'] = false postgresql['shared_buffers'] = "256MB" postgresql['max_connections'] = 30 postgresql['work_mem'] = "8MB" postgresql['maintenance_work_mem'] = "16MB" postgresql['effective_cache_size'] = "1MB" postgresql['checkpoint_timeout'] = "5min" postgresql['checkpoint_warning'] = "30s"配置调整后需要重载一下
docker exec gitlab gitlab-ctl reconfiguredocker-compose downdocker-compose up -dGitlab 启用 ContainerRegistry
ContainerRegistry是Gitlab内置的Docker Registry集成组件- 集成后每个项目可获得私有的
Docker镜像存储空间 ContainerRegistry可以复用Gitlab域名 或者 独立域名- 这里配置为复用域名(此时
ContainerRegistry将复用Gitlab的TLS证书)
docker-compose.yaml中Gitlab服务的GITLAB_OMNIBUS_CONFIG节点下增加如下配置:
registry_external_url "https://gitlab.example.com:4567" # ContainerRegistry的外部访问地址 registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt" registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key" gitlab_rails['registry_host'] = "gitlab.example.com" gitlab_rails['registry_port'] = "4567" gitlab_rails['registry_api_url'] = "http://localhost:5000" gitlab_rails['gitlab_default_projects_features_builds'] = false gitlab_rails['gitlab_default_projects_features_container_registry'] = false- 端口开放增加
- 4567:4567 - 服务重启
docker-compose restart Gitlab
ContainerRegistry 集成后可以通过 Gitlab 账户登录: docker login gitlab.example.com:4567
日常维护命令
# Gitlab维护docker exec gitlab gitlab-ctl status # gitlab各组件服务状态docker exec gitlab gitlab-ctl start/restart/stop [组件名] # gitlab所有组件的统一控制(其中Unicorn组件重启完成前GitLab会报502)docker exec gitlab gitlab-ctl tail [/var/log/gitlab下的某子目录] # 实时查看日志docker exec gitlab update-permissions # 修复gitlab版本升级后出现的权限问题docker exec gitlab gitlab-ctl reconfigure # 重载配置docker exec -t gitlab gitlab-rake gitlab:backup:create # 创建备份# ContainerRegistry维护docker exec gitlab gitlab-ctl registry-garbage-collect # 垃圾回收,清理废弃layer(registry停机)Import Repository(Repo By Url)
# 账号密码若存在特殊字符则需要url编码https://username:password@host:port/group/project.git