There are few things I love more than git. It’s part of my daily workflow, and I’m not even a developer by profession (any more). I frequently will git init folders just to have history, and to transfer things between servers. One thing I do often is create git repositories in my configuration folders on my servers so I can see what I changed, and roll back in case I royally mucked something up.
This isn’t a git primer, instead I want to share how I setup an instance of Gitlab on my DMZ docker that’s hosting a few external services for me. Compared to the vanilla installation guide, this is MILES easier to load via a docker. What does it give you? Well, future upgrades are easy, the whole database, configuration, and history is in a convenient and easy to backup folder structure, and finally the ability to move this server around as needed.
To get started, this tutorial assumes a few things.
- You have an Ubuntu linux server with docker installed.
- You’re already familiar with the basics of docker (this isn’t a tutorial for that either).
- You have a basic understanding of linux operations, moving files around, and what these commands mean.
- Your docker server/VM has 2 CPU cores and 2GB of RAM available.
So let’s get started!
Installing Gitlab
Create a nice directory structure to store you gitlab data. The three folders below represent the configuration of the server, the logs, and the data (database) for all of your commits. This is the only unique content inside the docker, so if you need to recreate your gitlab instance, you just need to make sure you’ve got a copy of these folders. Note: When you docker rm -v a docker container it does NOT delete mapped volume data. This makes upgrading a breeze since you can simply destroy the docker container, and restart it with the newest version.
mkdir -p /docker/containers/gitlab/config mkdir -p /docker/containers/gitlab/logs mkdir -p /docker/containers/gitlab/data
Create and run the initial docker gitlab instance. Yes, this is basically a working gitlab at this point. I know…
sudo docker run --detach \ --hostname git.yourserver.com \ --publish 80:80 --publish 2222:22 --publish 443:443\ --env GITLAB_OMNIBUS_CONFIG="external_url 'http://git.yourserver.com/'; external_url 'https://git.yourserver.com/'; gitlab_rails['gitlab_shell_ssh_port'] = 2222;"\ --name gitlab \ --restart always \ --volume /docker/containers/gitlab/config:/etc/gitlab \ --volume /docker/containers/gitlab/logs:/var/log/gitlab \ --volume /docker/containers/gitlab/data:/var/opt/gitlab \ gitlab/gitlab-ce:latest
Now everything seems pretty quiet on your terminal, and I’m sure you’re wondering what the heck is going on. Type this command to see the output of the docker in real time. To exit the stream just Ctrl+C.
docker logs -f gitlab
You’ll probably notice gitlab (rightfully) complaining about not being able to access your SSL directory! If you’re like me, and you want to obtain the beautiful coveted green lock, you have a few more steps to do.
Generating and Installing SSL certificates
Generate a Private Key
mkdir -p /docker/containers/gitlab/config/ssl/ cd /docker/containers/gitlab/config/ssl/ openssl genrsa -out git.yourserver.com.key 2048
Generate the certificate signing request (CSR)
openssl req -new -key git.yourserver.com.key -out git.yourserver.com.csr
Install your public cert
Go to your favorite SSL issuer and issue a cert for the subdomain. If you’re wondering which one it is, typically they bundle into folders. Open the Apache folder and pull the crt file with yourserver.com in the name.
Copy the git.yourserver.com.crt
file into the ssl directory
cp git.yourserver.com.crt /docker/containers/gitlab/config/ssl/
Set the appropriate security permissions to protect your keys.
chmod 700 /docker/containers/gitlab/config/ssl/ chmod 600 /docker/containers/gitlab/config/ssl/*
Enable SSL in GitLab
Edit /docker/containers/gitlab/config/gitlab.rb
to add SSL support. These lines should already be in your configuration file, just search for them and uncomment/edit as needed.
nginx['enable'] = true nginx['redirect_http_to_https'] = true nginx['redirect_http_to_https_port'] = 80 nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
The above lines are basically enabling nginx, and telling the service to automatically redirect http requests to https (good thing!). It’s then looking for the ssl folder in the mapped volume you added earlier.
Note: You don’t have to worry about including the *.csr that was generated to support SSL. But don’t lose this file, as you’ll need it to renew your certs later on.
Build an Update Script
Create an update script and put it somewhere handy. I like to locate all of my update scripts in ~/bin
vi ~/bin/upgradegitlab
#!/bin/bash if [ "$(id -u)" != "0" ]; then echo "This script must be run as root" 1>&2 exit 1 fi # Define a timestamp function timestamp() { date +"%Y-%m-%d_%H-%M-%S" } timestamp echo "Pulling Latest from gitlab/gitlab-ce:latest" docker pull gitlab/gitlab-ce:latest echo "Stopping GitLab Container" docker stop gitlab echo "Backing up old Gitlab Container to gitlab_$(timestamp)" docker rename gitlab gitlab_$(timestamp) echo "Creating and starting new Gitlab Server" sudo docker run --detach \ --hostname git.yourserver.com \ --publish 80:80 --publish 2222:22 --publish 443:443\ --env GITLAB_OMNIBUS_CONFIG="external_url 'http://git.yourserver.com/'; external_url 'https://git.yourserver.com/'; gitlab_rails['gitlab_shell_ssh_port'] = 2222;"\ --name gitlab \ --restart always \ --volume /docker/containers/gitlab/config:/etc/gitlab \ --volume /docker/containers/gitlab/logs:/var/log/gitlab \ --volume /docker/containers/gitlab/data:/var/opt/gitlab \ gitlab/gitlab-ce:latest
Create and Enable the systemctl service
Note: You’ve already specified the –always flag. This is an optional step to give you a clean way to start/stop the container. I prefer to keep the –always enabled on the run command for docker just to make sure that if the docker container exits for some reason, it automatically restarts.
sudo vi /lib/systemd/system/gitlab.service
[Unit] Description=GitLab container Requires=gitlab.service After=gitlab.service [Service] User=root Restart=on-failure RestartSec=45 ExecStart=/usr/bin/docker start -a gitlab ExecStop=/usr/bin/docker stop -t 2 gitlab [Install] WantedBy=multi-user.target
Enable autostarting the gitlab service. Don’t worry this will not start two instances if you have used the –always command in docker.
systemctl enable gitlab.service systemctl start gitlab
Bonus: Update Sophos to point to virtual server
Create Sophos SSL certificate
Sophos requires a .p12 file in order to import the Cert into your Web Application Firewall. Create this from your previously built crts and keys. You may have to do this in a root shell since we changed privileges on this folder earlier.
openssl pkcs12 -export -in git.yourserver.com.crt -inkey git.yourserver.com.key -out git.yourserver.com.p12
Make sure you specify a password as Sophos will only allow import if a password exists.
Import the key into the certificate Manager
Create 2 “Real Webservers” to point to 80 and 443 on the application server
Create 2 “Virtual Webservers” to point to the two “Real Webservers” you created earlier. I’ve tested it with a limited custom firewall rule I created for WordPress – however your mileage may vary on protection levels.
Add a firewall rule under Network Protection -> NAT to enable port 2222 to the server
Finished!
That’s it! You now have a clean installation of GitLab running on your home docker server. A small server requires about 2 CPU cores, and 2 GB of memory. It chews up the memory on boot, but after that things settle down quite a bit. Just make sure you’ve added a reasonable delay on the startup of your management host to start this container if you’re over provisioning your RAM.