Self-hosted GitLab server: dealing with an expired certificate

Handling it in the repository

# Disable SSL verification globally (not recommended for long-term use)
git config --global http.sslVerify false
# Or disable it for one repository only
cd /path/to/your/repo
git config http.sslVerify false

# Re-enable it once the operation is done, at the same scope you disabled it
git config --global http.sslVerify true
git config http.sslVerify true

Handling it in gitlab-runner

[[runners]]
  name = "your-runner"
  url = "https://gitlib.dayuzhongxue.com"
  token = "your-token"
  tls-skip-verify = true  # add this line

Handling it on the GitLab server

Do not have nginx force-redirect port 80 to 443
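Before reaching for any of the three switches above, it is worth confirming that the failure really is an expired certificate and not simply a CA that git or the runner does not trust; the two cases have different fixes. The script below is an added example, not part of the original notes: it classifies a PEM certificate as ok / expiring / expired with openssl's -checkend, can fetch the certificate a server presents, and shows the alternative to turning verification off (pointing git at the right CA bundle; the runner equivalent is tls-ca-file in config.toml). Host, port, and the CA path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumptions: openssl is installed,
# host/port and the CA bundle path are placeholders.

# Classify a PEM certificate file and print ok / expiring / expired / invalid.
# $1 = certificate file, $2 = warning window in seconds (default 14 days).
# Exit status: 0 ok, 1 expiring, 2 expired, 3 unreadable input.
cert_status() {
  warn="${2:-1209600}"
  if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
    echo invalid; return 3
  fi
  # -checkend N fails when the certificate expires within the next N seconds
  if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
    echo expired; return 2
  fi
  if ! openssl x509 -noout -checkend "$warn" -in "$1" >/dev/null 2>&1; then
    echo expiring; return 1
  fi
  echo ok
}

# Fetch the leaf certificate a server presents (with SNI) and classify it,
# so the check can run against the live GitLab host before a pipeline breaks.
remote_cert_status() {  # $1 = host, $2 = port (default 443)
  tmp=$(mktemp) || return 1
  if ! openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
       | openssl x509 -outform PEM > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 1
  fi
  if cert_status "$tmp"; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return $rc
}

# When the certificate is valid but verification still fails, the issuing CA is
# simply not trusted: install trust instead of disabling checks.
trust_ca_for_git() {  # $1 = path to the CA bundle (PEM)
  git config --global http.sslCAInfo "$1"
  # gitlab-runner: set  tls-ca-file = "<same path>"  under [[runners]] in config.toml
}
```

Run remote_cert_status against the GitLab host from a cron job or the monitoring box; "expiring" gives the warning window the notes otherwise lack, and "expired" is the only case where the temporary sslVerify / tls-skip-verify workaround above applies.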

Switching the Jenkins update source

Step 1: modify the configuration file

cd /var/lib/jenkins/updates

Run the following replacement command:

sed -i 's/https:\/\/updates.jenkins.io\/download/https:\/\/mirrors.tuna.tsinghua.edu.cn\/jenkins/g' default.json

Step 2: after restarting Jenkins, go to Manage Plugins -> Advanced and set the URL field at the bottom to:
https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json

GitLab CI permission issues

Permission pitfalls encountered when running CI/CD on GitLab with gitlab-runner

Create a user on GitLab, for example a user named gitlab-runner

Then add this user to each project that needs CI/CD

If a job needs to log in to other servers and run shell commands, copy the public key of the gitlab-runner user inside the gitlab-runner container to the remote host and log in once by hand, so the remote host key is recorded before any job runs.

Learning gitlab-runner

Create a .gitlab-ci.yml file in the project root. When development and operations are separate teams, this file must be kept under version control.

This project now has two runners registered, with the tags myproject and mycode.

Basic structure of .gitlab-ci.yml

## Define the pipeline stages. The names are up to you and organise the job flow; the default stages are build, test, deploy
## Jobs run in the order the stages are listed, top to bottom
## Regardless of the order the jobs are written in, execution follows the stage order defined here
## Different jobs in the same stage run in parallel
stages:
    - build
    - test
    - deploy
## First job
job1:
    stage: build ## the stage this job belongs to
    tags:   ## which runner executes the job
        - mycode
    script:  ## the script the job runs
        - "ssh root@<target-host> 'sh /opt/data/git pull;exit'"
    only:    ## which branch triggers the job
        - dev
job2:
    stage: deploy
    tags: ## one pipeline can use different tags
        - myproject
    script: ## the script the job runs
        - "ssh root@<target-host> '/usr/bin/docker-compose -f /opt/data/docker-compose.yml up -d'" ## docker-compose does nothing without a subcommand such as up -d
    only:
        - dev

Addendum:

Runners are in practice tied to a project; one runner per project works best.

Backing up and migrating gitlab-server

gitlab-server is deployed with Docker; the backup and migration commands are as follows:

## Backup
### 12.2 and later
docker exec -t <container name> gitlab-backup create
### 12.1 and earlier
docker exec -t <container name> gitlab-rake gitlab:backup:create

A file named xxx_gitlab_backup.tar is then written to the backups directory.

## Restore
### 12.2 and later
# Stop the processes that are connected to the database
docker exec -it <name of container> gitlab-ctl stop unicorn
docker exec -it <name of container> gitlab-ctl stop puma
docker exec -it <name of container> gitlab-ctl stop sidekiq

# Verify that the processes are all down before continuing
docker exec -it <name of container> gitlab-ctl status

# Run the restore (12.2 and later)
docker exec -it <name of container> gitlab-backup restore BACKUP=xxxx
## Note: BACKUP is the file name without the _gitlab_backup.tar suffix

# Run the restore (12.1 and earlier)
docker exec -it gitlab-server gitlab-rake gitlab:backup:restore BACKUP=xxxx ## Note: without the _gitlab_backup.tar suffix

# Restart the GitLab container
docker restart <name of container>

# Check GitLab
docker exec -it <name of container> gitlab-rake gitlab:check SANITIZE=true

The gitlab-runner user inside the container

When gitlab-runner runs under Docker, jobs execute inside the container as the gitlab-runner user.

So if a job has to log in to a remote server, the login must be set up for the gitlab-runner user.

For example:

docker exec -it gitlab-runner /bin/bash
# su - gitlab-runner
$ ssh-keygen
$ ssh-copy-id <remote-user>@<remote-host>

After that, .gitlab-ci.yml can use passwordless ssh to log in to the remote server and run the operations.
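The two SSH passages above (the permission pitfalls section and this one) both end with an unrestricted key for root on the remote host. The script below is an added example, not part of the original notes: run as the gitlab-runner user inside the runner container, it generates a key used only by CI, pins the remote host key so jobs fail closed on a changed key, builds the authorized_keys line that limits the key to one command from one source address, and shows how a job then invokes ssh. KEY, the deploy command, the runner's source IP, and user@host are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumptions: KEY, the deploy
# command, the runner source IP and user@host are placeholders.

KEY="${KEY:-$HOME/.ssh/gitlab_deploy_ed25519}"

# 1. A key used only by CI. No passphrase, because jobs are non-interactive.
make_deploy_key() {
  [ -f "$KEY" ] || ssh-keygen -t ed25519 -N "" -C "gitlab-runner deploy" -f "$KEY"
}

# 2. Record the remote host key once, so jobs fail closed on a changed key
#    instead of prompting (or blindly accepting) at job time.
pin_host_key() {  # $1 = remote host
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  ssh-keyscan -t ed25519 "$1" >> "$HOME/.ssh/known_hosts"
}

# 3. The authorized_keys line to install on the remote for this key: one fixed
#    command, one allowed source address, no forwarding, no pty. Returns 1 when
#    the input is not a "<type> <base64> [comment]" public key line.
restricted_authorized_key() {  # $1 = public key line, $2 = runner source IP, $3 = command
  ktype=${1%% *}
  rest=${1#* }
  blob=${rest%% *}
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported key type: $ktype" >&2; return 1 ;;
  esac
  [ "$rest" != "$1" ] && [ -n "$blob" ] || { echo "malformed public key line" >&2; return 1; }
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s\n' \
    "$2" "$3" "$ktype" "$blob"
}

# 4. What a job then runs: batch mode (never prompt), strict host-key checking
#    against the pinned key, the dedicated identity. Whatever command the job
#    passes is replaced on the remote by the command= option above.
ci_ssh() {  # $1 = user@host
  ssh -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$1"
}
```

The line produced by restricted_authorized_key goes into the remote user's ~/.ssh/authorized_keys in place of what ssh-copy-id would install; the remote then executes only the fixed deploy command no matter what the job asks for, which keeps a leaked runner key from becoming a shell on the host.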

Installing GitLab and gitlab-runner

The docker-compose.yml first; details are added further down

version: '3'
services:
    gitlab:
      image: 'fjcanyue/gitlab-ce-zh:latest'
      container_name: 'gitlab-server'
      restart: always
      hostname: 'gitserver' # just the machine name
      environment:
        TZ: 'Asia/Shanghai'
        GITLAB_OMNIBUS_CONFIG: |
         external_url 'https://<domain>'  # access URL
         # HTTPS settings
         nginx['enable'] = true
         nginx['redirect_http_to_https']= true
         nginx['ssl_certificate']= "/home/certs/xxx.pem"
         nginx['ssl_certificate_key']= "/home/certs/xxx.key"
         # Port settings
         # gitlab_rails['gitlab_shell_ssh_port'] = 7022
         # unicorn['port'] = 8880
         # Email settings
         # gitlab_rails['smtp_enable'] = true
         # gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
         # gitlab_rails['smtp_port'] = 465
         # gitlab_rails['smtp_user_name'] = "system@gitlab.com"
         # gitlab_rails['smtp_password'] = "XXXXXXXXXX"
         # gitlab_rails['smtp_authentication'] = "login"
         # gitlab_rails['smtp_enable_starttls_auto'] = true
         # gitlab_rails['smtp_tls'] = true
         # gitlab_rails['gitlab_email_from'] = 'system@gitlab.com'
         # GitLab Pages settings
         #pages_nginx['enable'] = true     # enable the Pages service
         #pages_external_url 'https://appink.cn'      # GitLab Pages domain
         #pages_nginx['redirect_http_to_https'] = true    # redirect http to https
         #gitlab_pages['inplace_chroot'] = true    # GitLab CE Pages
         #pages_nginx['ssl_certificate'] = "/home/certs/appink.cn/appink.cn.pem"    # certificate path
         #pages_nginx['ssl_certificate_key'] = "/home/certs/appink.cn/appink.cn.key"   # certificate key path
      ports:
        - '80:80'        # http port
        - '443:443'   # https port
        # - '7022:22'   # forward host port 7022 to the container's port 22 (goes with gitlab_shell_ssh_port above)
      volumes:
        - ./gitlab/etc:/etc/gitlab             # GitLab configuration directory
        - gitlab:/var/opt/gitlab  # GitLab data directory
        - /var/log/gitlab/logs:/var/log/gitlab   # GitLab log directory
        - ./certs:/home/certs    # domain SSL certificate directory
        - /etc/localtime:/etc/localtime:ro  # sync the host's date and time into the container

    runner:
      image: 'gitlab/gitlab-runner:latest'
      container_name: gitlab-runner
      restart: always
      networks:
        - gitlab_default
      volumes:
        - ./config:/etc/gitlab-runner
        - /var/run/docker.sock:/var/run/docker.sock  # note: access to the Docker socket is root-equivalent on the host
networks:
  gitlab_default:
    external: true
volumes:
  gitlab:

Addendum:

Using an nginx reverse proxy

Put nginx and GitLab on the same Docker network. GitLab's own nginx must stay enabled with GitLab's own HTTPS configured; remove the port mappings from docker-compose.yml and let the external nginx pass traffic through.

server {
    listen       80;
    listen  [::]:80;
    server_name  xxx;

    location / {
       return 301 https://$host$request_uri;
    }

    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

server {
    listen 443 ssl http2;
    server_name xxx;
    ssl_certificate certs/xxx.pem;
    ssl_certificate_key certs/xxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;  # cipher suites to use
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;   # protocols to allow; TLSv1 and TLSv1.1 are deprecated, keep only TLSv1.2 TLSv1.3 unless legacy clients need them
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://xxx:443; ### NOTE: the port number must be written here
        aio threads;
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout  600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_buffers    8 512k;
        proxy_buffer_size 512k;
        client_max_body_size  2048M;
        client_body_buffer_size 256K;
    }
}

GitLab backup and restore

Environment:

Ubuntu 18.04; Chinese edition of GitLab running on Docker

Backup

Log in to the GitLab container and run:
gitlab-rake gitlab:backup:create

Copy

scp root@192.168.0.1:/var/opt/gitlab/backups/xxxx_gitlab_backup.tar /var/opt/gitlab/backups/xxxx_gitlab_backup.tar

Restore

Log in to the new GitLab server
Change the file permissions
chmod 777 /var/opt/gitlab/backups/xxxx_gitlab_backup.tar  ## 777 is broader than needed; the archive only has to be readable by the git user (owner git, mode 600)
Stop the processes connected to the database
gitlab-ctl stop unicorn
gitlab-ctl stop sidekiq
gitlab-rake gitlab:backup:restore BACKUP=xxxx ## without the trailing _gitlab_backup.tar
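Both backup sections (the Docker-based one earlier and this one) repeat the same two manual traps: the BACKUP= value must be the archive name without the _gitlab_backup.tar suffix, and the database-connected services must actually be down before restoring. The script below is an added example, not part of the original notes: it derives the id from the file name, refuses names that are not GitLab backup archives, checks gitlab-ctl status output for any of puma, unicorn or sidekiq still running, and only then runs the restore, restart and gitlab:check sequence. CONTAINER is a placeholder; DOCKER can be set to echo for a dry run; the restore command used is the 12.2+ form (gitlab-backup).

```shell
#!/bin/sh
# Added example (not from the original notes). Assumptions: CONTAINER is a
# placeholder, DOCKER may be overridden (e.g. DOCKER=echo) for a dry run, and
# the 12.2+ restore command (gitlab-backup) is used.

DOCKER="${DOCKER:-docker}"
CONTAINER="${CONTAINER:-gitlab-server}"

# /path/1688999999_2023_07_01_16.1.0_gitlab_backup.tar -> 1688999999_2023_07_01_16.1.0
# Fails when the name does not carry the _gitlab_backup.tar suffix.
backup_id_from_file() {  # $1 = backup archive path
  name=${1##*/}
  case "$name" in
    ?*_gitlab_backup.tar) printf '%s\n' "${name%_gitlab_backup.tar}" ;;
    *) echo "not a GitLab backup archive: $name" >&2; return 1 ;;
  esac
}

# Reads gitlab-ctl status output on stdin (lines look like
# "run: puma: (pid 123) 45s; run: log: ..." or "down: sidekiq: 3s, normally up")
# and succeeds only when none of the database clients is still reported as "run:".
db_clients_stopped() {
  ! grep -E '^run: (puma|unicorn|sidekiq):' >/dev/null
}

restore_backup() {  # $1 = backup archive path on the host
  id=$(backup_id_from_file "$1") || return 1
  for svc in unicorn puma sidekiq; do
    # unicorn (older) or puma (newer) may not exist on a given version; ignore that
    $DOCKER exec -it "$CONTAINER" gitlab-ctl stop "$svc" || true
  done
  $DOCKER exec -it "$CONTAINER" gitlab-ctl status | db_clients_stopped \
    || { echo "database clients still running, aborting restore" >&2; return 1; }
  $DOCKER exec -it "$CONTAINER" gitlab-backup restore BACKUP="$id" || return 1
  $DOCKER restart "$CONTAINER" || return 1
  $DOCKER exec -it "$CONTAINER" gitlab-rake gitlab:check SANITIZE=true
}
```

Usage: restore_backup /var/opt/gitlab/backups/<timestamp>_gitlab_backup.tar. The status check is the step the notes say to do by eye; encoding it means a restore started while puma or sidekiq is still up stops before touching the database rather than after.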

A docker-compose.yml for gitlab-server + gitlab-runner

version: '3'
services:
    gitlab:
      image: 'twang2218/gitlab-ce-zh:latest'
      container_name: 'gitlab-server'
      restart: always
      hostname: 'gitserver' # just the machine name
      environment:
        TZ: 'Asia/Shanghai'
        GITLAB_OMNIBUS_CONFIG: |
         external_url 'https://xxxx'  # access URL
         # HTTPS settings
         nginx['enable'] = true
         nginx['redirect_http_to_https']= true
         nginx['ssl_certificate']= "/home/certs/xxxxxx.pem"
         nginx['ssl_certificate_key']= "/home/certs/xxxxxx.key"
         # Port settings
         # gitlab_rails['gitlab_shell_ssh_port'] = 7022
         # unicorn['port'] = 8880
         # Email settings
         # gitlab_rails['smtp_enable'] = true
         # gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
         # gitlab_rails['smtp_port'] = 465
         # gitlab_rails['smtp_user_name'] = "system@gitlab.com"
         # gitlab_rails['smtp_password'] = "XXXXXXXXXX"
         # gitlab_rails['smtp_authentication'] = "login"
         # gitlab_rails['smtp_enable_starttls_auto'] = true
         # gitlab_rails['smtp_tls'] = true
         # gitlab_rails['gitlab_email_from'] = 'system@gitlab.com'
         # GitLab Pages settings
         #pages_nginx['enable'] = true     # enable the Pages service
         #pages_external_url 'https://appink.cn'      # GitLab Pages domain
         #pages_nginx['redirect_http_to_https'] = true    # redirect http to https
         #gitlab_pages['inplace_chroot'] = true    # GitLab CE Pages
         #pages_nginx['ssl_certificate'] = "/home/certs/appink.cn/appink.cn.pem"    # certificate path
         #pages_nginx['ssl_certificate_key'] = "/home/certs/appink.cn/appink.cn.key"   # certificate key path
      ports:
        - '80:80'        # http port
        - '443:443'   # https port
        # - '7022:22'   # forward host port 7022 to the container's port 22 (goes with gitlab_shell_ssh_port above)
      volumes:
        - ./gitlab/etc:/etc/gitlab             # GitLab configuration directory
        - gitlab:/var/opt/gitlab  # GitLab data directory
        - /var/log/gitlab/logs:/var/log/gitlab   # GitLab log directory
        - ./certs:/home/certs    # domain SSL certificate directory
        - /etc/localtime:/etc/localtime:ro  # sync the host's date and time into the container

    runner:
      image: 'gitlab/gitlab-runner:latest'
      container_name: gitlab-runner
      restart: always
      networks:
        - gitlab_default
      volumes:
        - ./config:/etc/gitlab-runner
        - /var/run/docker.sock:/var/run/docker.sock  # note: access to the Docker socket is root-equivalent on the host
networks:
  gitlab_default:
    external: true
volumes:
  gitlab: