I describe here how to install and set up Gitlab-CE.
Change Git
The latest Gitlab-CE version needs git > 2.x. On CentOS 7, install the IUS repository:
rpm -ivh https://centos7.iuscommunity.org/ius-release.rpm
Then install yum-plugin-replace and replace the official git package with git2u:
yum install yum-plugin-replace
yum replace git --replace-with git2u
Install Gitlab
Fetch the Gitlab-CE repository
First, set up the package repository:
curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
and install the Gitlab-CE package:
yum install gitlab-ce -y
Docker tip
If, like me, you use Docker to run your CI, install docker-ce and add the gitlab-runner user to the docker group:
usermod -aG docker gitlab-runner
Enable and start the Gitlab-CE services
systemctl enable gitlab
systemctl enable gitlab-runsvdir.service
systemctl start gitlab
systemctl start gitlab-runsvdir.service
Install Let’s Encrypt
To continue with the configuration, install Let’s Encrypt.
Enable EPEL and install Certbot:
yum install epel-release
yum install certbot
Create a directory that Let’s Encrypt will use for the webroot challenge, which proves that the domain points at the server you are installing on:
mkdir -p /var/www/letsencrypt
Edit /etc/gitlab/gitlab.rb and add an nginx location that serves this directory:
vi /etc/gitlab/gitlab.rb
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n alias /var/www/letsencrypt/.well-known;\n}\n"
Reconfigure GitLab:
gitlab-ctl reconfigure
Then run certbot to request your certificates:
certbot certonly -a webroot --webroot-path=/var/www/letsencrypt -d gitlab.domain.tld -d reg-gitlab.domain.tld
Configure Gitlab
There are several settings to change in /etc/gitlab/gitlab.rb; the ones that matter most to me are listed below.
Change time zone
gitlab_rails['time_zone'] = 'America/Sao_Paulo'
Change git data dir
In my case I created a mount point /gitlab.
git_data_dirs({ "default" => { "path" => "/gitlab/git-data" } })
Registry configs
I use a local registry to store the project containers built by CI.
################################################################################
## Container Registry settings
##! Docs: https://docs.gitlab.com/ce/administration/container_registry.html
################################################################################
registry_external_url 'https://reg-gitlab.domain.tld'
### Settings used by GitLab application
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "reg-gitlab.domain.tld"
gitlab_rails['registry_path'] = "/gitlab/registry"
Nginx configs
################################################################################
## GitLab Nginx
##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html
################################################################################
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
Nginx and the registry
################################################################################
## Registry NGINX
################################################################################
registry_nginx['enable'] = true
registry_nginx['redirect_http_to_https'] = true
registry_nginx['redirect_http_to_https_port'] = 80
registry_nginx['ssl_ciphers'] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
registry_nginx['ssl_prefer_server_ciphers'] = "on"
registry_nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.domain.tld/fullchain.pem"
registry_nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.domain.tld/privkey.pem"
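Before reconfiguring, it is worth checking that the TLS settings above point at files that actually exist (certbot writes fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/), that the private key is root-only, and that no legacy protocol versions are enabled. The script below is an added example, not part of the original post; the names rb_value and check_gitlab_tls are mine, and it assumes values are double-quoted and keys start at column 1, as in the snippets above. It runs against a constructed gitlab.rb fragment and a fake live directory in a temp dir; point it at /etc/gitlab/gitlab.rb (as root, since the key files are root-only) for the real check.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check for the TLS
# settings in /etc/gitlab/gitlab.rb, meant to run before `gitlab-ctl reconfigure`.
# Assumes double-quoted values with the key at column 1, as in the post's snippets.

# Print the double-quoted value of the first line starting with key $2 in file $1.
rb_value() {
    awk -v k="$2" -F'"' 'index($0, k) == 1 { print $2; exit }' "$1"
}

# Report problems; the return value is the number of findings (0 = clean).
check_gitlab_tls() {
    conf=$1
    findings=0
    for key in "nginx['ssl_certificate']" "nginx['ssl_certificate_key']" \
               "registry_nginx['ssl_certificate']" "registry_nginx['ssl_certificate_key']"; do
        path=$(rb_value "$conf" "$key")
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING   $key -> $path"
            findings=$((findings + 1))
            continue
        fi
        # Private keys must not be group- or world-readable (columns 5-10 of ls -l).
        case $key in
            *_key*)
                if [ "$(ls -l "$path" | cut -c5-10)" != "------" ]; then
                    echo "PERMS     $path is readable by group/other"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    # TLSv1 and TLSv1.1 are obsolete; only TLSv1.2 (or newer) should be enabled.
    for prefix in nginx registry_nginx; do
        for proto in $(rb_value "$conf" "$prefix['ssl_protocols']"); do
            case $proto in
                TLSv1|TLSv1.1)
                    echo "WEAK-TLS  $prefix enables $proto"
                    findings=$((findings + 1)) ;;
            esac
        done
    done
    return $findings
}

# Constructed sample environment: a fake Let's Encrypt live directory plus a
# gitlab.rb fragment with the post's values (paths rewritten into the temp dir,
# the registry certificate deliberately pointing at a non-existent .crt file).
TMP=$(mktemp -d)
LIVE=$TMP/live/gitlab.domain.tld
mkdir -p "$LIVE"
touch "$LIVE/fullchain.pem" "$LIVE/privkey.pem"
chmod 600 "$LIVE/privkey.pem"
cat > "$TMP/gitlab.rb" <<EOF
nginx['ssl_certificate'] = "$LIVE/fullchain.pem"
nginx['ssl_certificate_key'] = "$LIVE/privkey.pem"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
registry_nginx['ssl_certificate'] = "$LIVE/fullchain.crt"
registry_nginx['ssl_certificate_key'] = "$LIVE/privkey.pem"
EOF

check_gitlab_tls "$TMP/gitlab.rb"
echo "findings: $?"
```

On the constructed sample this reports the missing registry certificate and the two legacy protocol versions; a clean run returns 0, which makes it easy to gate `gitlab-ctl reconfigure` on it.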
Reconfigure GitLab:
gitlab-ctl reconfigure
Install Gitlab-Runner
Fetch the Gitlab-Runner repository:
curl -sS https://packages.gitlab.com/install/repositories/runner/gitlab-ci-multi-runner/script.rpm.sh | sudo bash
and install the package:
yum install gitlab-ci-multi-runner -y
Enable and start the Gitlab-Runner service
systemctl enable gitlab-runner.service
systemctl start gitlab-runner.service
Register a Runner
First of all, you need the registration token. It can be found at https://gitlab.domain.tld/admin/runners. Then run:
gitlab-ci-multi-runner register
It will ask something like this:
Running in system-mode.
Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/):
https://gitlab.domain.tld/
Please enter the gitlab-ci token for this runner:
_z2PxQuMW7dAeHJPJ4jo
Please enter the gitlab-ci description for this runner:
[host.domain.tld]: docker-dind
Please enter the gitlab-ci tags for this runner (comma separated):
docker, dind
Whether to run untagged builds [true/false]:
[false]:
Whether to lock Runner to current project [true/false]:
[false]:
Registering runner... succeeded runner=_z2PxQuM
Please enter the executor: parallels, docker-ssh+machine, kubernetes, docker, docker-ssh, shell, ssh, virtualbox, docker+machine:
docker
Please enter the default Docker image (e.g. ruby:2.1):
docker:latest
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
This registered a docker-dind runner.
Then edit /etc/gitlab-runner/config.toml:
[[runners]]
name = "docker-dind"
url = "https://gitlab.domain.tld/"
token = "vae7gu3shaid8xaikohfoojei1ha1h"
executor = "docker"
environment = ["VAR1=value1", "VAR2=value2"]
[runners.docker]
tls_verify = false
image = "docker:latest"
privileged = true
disable_cache = false
volumes = ["/cache", "/gitlab/docker-images-pipeline:/images:rw"]
services = ["docker:dind"]
shm_size = 0
[runners.cache]
Some of these settings explained:
environment = ["VAR1=value1", "VAR2=value2"]: used to pass environment variables to the runner.
privileged = true: the container needs to run privileged to use docker-in-docker.
volumes = ["/cache", "/gitlab/docker-images-pipeline:/images:rw"]: the last volume (docker-images-pipeline) is used to keep docker images between the pipeline steps. You can run docker save -o /images/NameOfTheImage.img NameOfTheImage to save an image and docker load -i /images/NameOfTheImage.img to load it again in the next step.
services = ["docker:dind"]: this entry starts another container, in this case dind, to run a service needed by the runner image. The dind service runs a Docker daemon that provides the docker service to the runner.
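The settings just described are exactly the ones that decide how far a CI job can reach: a privileged container can reach the host, tls_verify = false means the connection to the Docker daemon is not verified, a host path in volumes is shared with every job, and config.toml itself carries the runner token. The script below is an added example, not part of the original post; toml_value and audit_runner_config are my names, and it assumes the simple key = value layout shown above. It runs against a constructed config.toml (with a placeholder token) in a temp dir; point it at /etc/gitlab-runner/config.toml for the real audit.

```shell
#!/bin/sh
# Added example (not from the original post): audit a gitlab-runner config.toml
# for settings that widen what a CI job, or anyone who can push to a project
# served by this runner, can reach. Assumes the `key = value` layout the post shows.

# Print the value of key $2 in file $1, quotes removed (first match wins).
toml_value() {
    awk -v k="$2" '$1 == k && $2 == "=" { sub(/^[^=]*= */, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Report risky settings; the return value is the number of findings (0 = clean).
audit_runner_config() {
    conf=$1
    findings=0
    # config.toml holds the runner token, so it must be readable by root only
    # (columns 5-10 of ls -l are the group/other permission bits).
    if [ "$(ls -l "$conf" | cut -c5-10)" != "------" ]; then
        echo "TOKEN-EXPOSED  $conf is readable by group/other"
        findings=$((findings + 1))
    fi
    if [ "$(toml_value "$conf" privileged)" = "true" ]; then
        echo "PRIVILEGED     job containers run privileged (required by docker:dind, but they can reach the host)"
        findings=$((findings + 1))
    fi
    if [ "$(toml_value "$conf" tls_verify)" = "false" ]; then
        echo "NO-TLS-VERIFY  the connection to the Docker daemon is not verified"
        findings=$((findings + 1))
    fi
    # A volume of the form host_path:container_path exposes a host directory to every job;
    # a bare path like /cache is an anonymous volume and is not reported.
    for v in $(toml_value "$conf" volumes | tr -d '[]' | tr ',' ' '); do
        case $v in
            */*:*) echo "HOST-MOUNT     $v"; findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Constructed sample: the post's runner config with a placeholder token.
TMP=$(mktemp -d)
cat > "$TMP/config.toml" <<'EOF'
concurrent = 1
[[runners]]
  name = "docker-dind"
  url = "https://gitlab.domain.tld/"
  token = "REDACTED-RUNNER-TOKEN"
  executor = "docker"
  environment = ["VAR1=value1", "VAR2=value2"]
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/cache", "/gitlab/docker-images-pipeline:/images:rw"]
    services = ["docker:dind"]
    shm_size = 0
  [runners.cache]
EOF
chmod 600 "$TMP/config.toml"

audit_runner_config "$TMP/config.toml"
echo "findings: $?"
```

On the sample this reports the privileged flag, the disabled TLS verification and the /gitlab/docker-images-pipeline mount. None of the three is wrong for a docker-in-docker runner, but each is a reason to restrict which projects may use the runner (the lock and tag options asked for during registration) and who can push to them.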