Install Gitlab CE

Install Gitlab CE

I describe here how to install and setup Gitlab-CE.

Change Git

The latest Gitlab-CE version needs git > 2.x.
For CentOS7 install IUS Repo

rpm -ivh https://centos7.iuscommunity.org/ius-release.rpm

After, install yum-plugin-replace and replace official git with git2u

yum install yum-plugin-replace
yum replace git --replace-with git2u

Install Gitlab

Fetch Gitlab-ce repository

First, you need to set-up the repository:

curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash

And Install Gitlab-ce packages

yum install gitlab-ce -y

Docker tip

If, like me, you use a Docker to run your CI, you should install docker-ce

usermod -aG docker gitlab-runner

Enable Gitlab-CE service

And Start

systemctl enable gitlab
systemctl enable gitlab-runsvdir.service
systemctl start gitlab
systemctl start gitlab-runsvdir.service

Install Lets Encrypt

To continue with the configuration, you should install Let’s Encrypt.

Enable Epel and install Certbot

yum install epel-release
yum install certbot

Create a directory to Let’s Encrypt use to ensure the domain point to the server where are installed.

mkdir -p /var/www/letsencrypt

Edit /etc/gitlab/gitlab.rb and create a nginx redirect to this dir

vi /etc/gitlab/gitlab.rb

nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"

Reconfigure the Gitlab

gitlab-ctl reconfigure

And run certbot command to request your certs

certbot certonly -a webroot --webroot-path=/var/www/letsencrypt -d gitlab.domaint.tld -d reg-gitlab.domain.tld

Configure Gitlab

You need to change some configs at /etc/gitlab/gitlab.rb, but the most important for me are listed below.

Change time zone

gitlab_rails['time_zone'] = 'America/Sao_Paulo'

Change git data dir

In my case I created a mount point /gitlab.

git_data_dirs({ "default" => { "path" => "/gitlab/git-data" } })

The Registry configs

Yes, I use a local registry to store the projects containers built by CI.

################################################################################
## Container Registry settings
##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################

registry_external_url 'https://reg-gitlab.domain.tld'

### Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "reg-gitlab.domain.tld"
gitlab_rails['registry_path'] = "/gitlab/registry"

Nginx configs

################################################################################
## GitLab Nginx
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################

nginx['redirect_http_to_https'] = true

nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
nginx['ssl_prefer_server_ciphers'] = "on"

nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"

Nginx and the registry

################################################################################
## Registry NGINX
################################################################################

registry_nginx['enable'] = true
registry_nginx['redirect_http_to_https'] = true
registry_nginx['redirect_http_to_https_port'] = 80
registry_nginx['ssl_ciphers'] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
registry_nginx['ssl_prefer_server_ciphers'] = "on"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.crt"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"

Reconfigure the Gitlab

gitlab-ctl reconfigure

Install Gitlab-Runner

Fetch Gitlab-Runner repository

curl -sS https://packages.gitlab.com/install/repositories/runner/gitlab-ci-multi-runner/script.rpm.sh | sudo bash

And install the package

yum install gitlab-ci-multi-runner -y

Enable Gitlab-Runner service

and start

systemctl enable gitlab-runner.service
systemctl start gitlab-runner.service

Register a Runner

First of all, you need to get the token ID to register. It can be found https://gitlab.domain.tld/admin/runners

gitlab-ci-multi-runner register

You should ask something like that:

Running in system-mode.                            

Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/):
https://gitlab.domain.tld/
Please enter the gitlab-ci token for this runner:
_z2PxQuMW7dAeHJPJ4jo
Please enter the gitlab-ci description for this runner:
[host.domain.tld]: docker-dind
Please enter the gitlab-ci tags for this runner (comma separated):
docker, dind
Whether to run untagged builds [true/false]:
[false]:
Whether to lock Runner to current project [true/false]:
[false]:
Registering runner... succeeded runner=_z2PxQuM
Please enter the executor: parallels, docker-ssh+machine, kubernetes, docker, docker-ssh, shell, ssh, virtualbox, docker+machine:
docker
Please enter the default Docker image (e.g. ruby:2.1):
docker:latest
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

It registered a docker-dind runner.

And change /etc/gitlab-runner/config.toml

[[runners]]
name = "docker-dind"
url = "https://gitlab.domain.tld/"
token = "vae7gu3shaid8xaikohfoojei1ha1h"
executor = "docker"
environment = ["VAR1=value1", "VAR2=value2"]
[runners.docker]
tls_verify = false
image = "docker:latest"
privileged = true
disable_cache = false
volumes = ["/cache", "/gitlab/docker-images-pipeline:/images:rw"]
services = ["docker:dind"]
shm_size = 0
[runners.cache]

Understand some configs:

  • environment = ["VAR1=value1", "VAR2=value2"]: Use to pass an ENV to the runner
  • privileged = true: You need to give a privilege to container to use docker’in’docker
  • volumes = ["/cache", "/gitlab/docker-images-pipeline:/images:rw"]: The last volume (docker-images-pipeline)
    is used to keep docker images during the pipeline steps. You can use docker save -o /images/NameOfTheImage.img
    to save and docker load /images/NameOfTheImage.img it again on the next step.
  • services = ["docker:dind"]: This entry call another container, in this case a dind, to run a service needed
    by the runner image. Dind service will run a Docker Daemon to provide the docker service to the runner.