Setting up a Dockerized GitLab at Home

There are few things I love more than git. It’s part of my daily workflow, and I’m not even a developer by profession (any more). I frequently will git init folders just to have history, and to transfer things between servers. One thing I do often is create git repositories in my configuration folders on my servers so I can see what I changed, and roll back in case I royally mucked something up.

This isn’t a git primer, instead I want to share how I setup an instance of Gitlab on my DMZ docker that’s hosting a few external services for me. Compared to the vanilla installation guide, this is MILES easier to load via a docker. What does it give you? Well, future upgrades are easy, the whole database, configuration, and history is in a convenient and easy to backup folder structure, and finally the ability to move this server around as needed.

To get started, this tutorial assumes a few things.

  1. You have an Ubuntu linux server with docker installed.
  2. You’re already familiar with the basics of docker (this isn’t a tutorial for that either).
  3. You have a basic understanding of linux operations, moving files around, and what these commands mean.
  4. Your docker server/VM has 2 CPU cores and 2GB of RAM available.

So let’s get started!

Read More…

Installing Gitlab

Create a nice directory structure to store you gitlab data. The three folders below represent the configuration of the server, the logs, and the data (database) for all of your commits. This is the only unique content inside the docker, so if you need to recreate your gitlab instance, you just need to make sure you’ve got a copy of these folders. Note: When you docker rm -v a docker container it does NOT delete mapped volume data. This makes upgrading a breeze since you can simply destroy the docker container, and restart it with the newest version.

mkdir -p /docker/containers/gitlab/config
mkdir -p /docker/containers/gitlab/logs
mkdir -p /docker/containers/gitlab/data

Create and run the initial docker gitlab instance. Yes, this is basically a working gitlab at this point. I know…

sudo docker run --detach \
--hostname git.yourserver.com \
--publish 80:80 --publish 2222:22 --publish 443:443\
--env GITLAB_OMNIBUS_CONFIG="external_url 'http://git.yourserver.com/'; external_url 'https://git.yourserver.com/'; gitlab_rails['gitlab_shell_ssh_port'] = 2222;"\
--name gitlab \
--restart always \
--volume /docker/containers/gitlab/config:/etc/gitlab \
--volume /docker/containers/gitlab/logs:/var/log/gitlab \
--volume /docker/containers/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

Now everything seems pretty quiet on your terminal, and I’m sure you’re wondering what the heck is going on. Type this command to see the output of the docker in real time. To exit the stream just Ctrl+C.

docker logs -f gitlab

You’ll probably notice gitlab (rightfully) complaining about not being able to access your SSL directory! If you’re like me, and you want to obtain the beautiful coveted green lock, you have a few more steps to do.

Generating and Installing SSL certificates

Generate a Private Key

mkdir -p /docker/containers/gitlab/config/ssl/
cd /docker/containers/gitlab/config/ssl/
openssl genrsa -out git.yourserver.com.key 2048

Generate the certificate signing request (CSR)

openssl req -new -key git.yourserver.com.key -out git.yourserver.com.csr

Install your public cert

Go to your favorite SSL issuer and issue a cert for the subdomain. If you’re wondering which one it is, typically they bundle into folders. Open the Apache folder and pull the crt file with yourserver.com in the name.

Copy the git.yourserver.com.crt file into the ssl directory

cp git.yourserver.com.crt /docker/containers/gitlab/config/ssl/

Set the appropriate security permissions to protect your keys.

chmod 700 /docker/containers/gitlab/config/ssl/
chmod 600 /docker/containers/gitlab/config/ssl/*

Enable SSL in GitLab

Edit /docker/containers/gitlab/config/gitlab.rb to add SSL support. These lines should already be in your configuration file, just search for them and uncomment/edit as needed.

nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['redirect_http_to_https_port'] = 80
nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

The above lines are basically enabling nginx, and telling the service to automatically redirect http requests to https (good thing!). It’s then looking for the ssl folder in the mapped volume you added earlier.

Note: You don’t have to worry about including the *.csr that was generated to support SSL. But don’t lose this file, as you’ll need it to renew your certs later on.

Build an Update Script

Create an update script and put it somewhere handy. I like to locate all of my update scripts in ~/bin

vi ~/bin/upgradegitlab
#!/bin/bash
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# Define a timestamp function
timestamp() {
date +"%Y-%m-%d_%H-%M-%S"
}
timestamp
echo "Pulling Latest from gitlab/gitlab-ce:latest"
docker pull gitlab/gitlab-ce:latest
echo "Stopping GitLab Container"
docker stop gitlab
echo "Backing up old Gitlab Container to gitlab_$(timestamp)"
docker rename gitlab gitlab_$(timestamp)
echo "Creating and starting new Gitlab Server"
sudo docker run --detach \
--hostname git.yourserver.com \
--publish 80:80 --publish 2222:22 --publish 443:443\
--env GITLAB_OMNIBUS_CONFIG="external_url 'http://git.yourserver.com/'; external_url 'https://git.yourserver.com/'; gitlab_rails['gitlab_shell_ssh_port'] = 2222;"\
--name gitlab \
--restart always \
--volume /docker/containers/gitlab/config:/etc/gitlab \
--volume /docker/containers/gitlab/logs:/var/log/gitlab \
--volume /docker/containers/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

Create and Enable the systemctl service

Note: You’ve already specified the –always flag. This is an optional step to give you a clean way to start/stop the container. I prefer to keep the –always enabled on the run command for docker just to make sure that if the docker container exits for some reason, it automatically restarts.

sudo vi /lib/systemd/system/gitlab.service
[Unit]
Description=GitLab container
Requires=gitlab.service
After=gitlab.service
[Service]
User=root
Restart=on-failure
RestartSec=45
ExecStart=/usr/bin/docker start -a gitlab
ExecStop=/usr/bin/docker stop -t 2 gitlab
[Install]
WantedBy=multi-user.target

Enable autostarting the gitlab service. Don’t worry this will not start two instances if you have used the –always command in docker.

systemctl enable gitlab.service
systemctl start gitlab

Bonus: Update Sophos to point to virtual server

Create Sophos SSL certificate

Sophos requires a .p12 file in order to import the Cert into your Web Application Firewall. Create this from your previously built crts and keys. You may have to do this in a root shell since we changed privileges on this folder earlier.

openssl pkcs12 -export -in  git.yourserver.com.crt -inkey git.yourserver.com.key -out git.yourserver.com.p12

Make sure you specify a password as Sophos will only allow import if a password exists.

Import the key into the certificate Manager

Create 2 “Real Webservers” to point to 80 and 443 on the application server
Create 2 “Virtual Webservers” to point to the two “Real Webservers” you created earlier. I’ve tested it with a limited custom firewall rule I created for WordPress – however your mileage may vary on protection levels.

Add a firewall rule under Network Protection -> NAT to enable port 2222 to the server

Finished!

That’s it! You now have a clean installation of GitLab running on your home docker server. A small server requires about 2 CPU cores, and 2 GB of memory. It chews up the memory on boot, but after that things settle down quite a bit. Just make sure you’ve added a reasonable delay on the startup of your management host to start this container if you’re over provisioning your RAM.

Loading Disqus Comments ...
Loading Facebook Comments ...