
Running GitLab on Docker - s6/7

Published 2022/12/03

Japanese version in preparation; links to the previous and next posts in the series will be added.

first post: Cheap Home LAN Playground Using Docker

This is the sixth post. This time I am going to start using another machine to run GitLab, which is somewhat demanding and might not run smoothly on a machine with 4G memory.

What's on my LAN so far

Let us first see what I have so far in the list and diagram below.

  • Unbound, DNS server
  • Nginx, web server, reverse proxy, SSL offloading
  • Jupyter Notebook, web service
  • Authelia, authentication server

Second physical server

Since the number of users is limited, there has not been much load on the host PC so far. GitLab, however, is a fairly demanding service; the details are described in the official document.

https://docs.gitlab.com/ee/install/requirements.html

When I first ran GitLab years back, I tried it on the same machine running the services mentioned above. Things did work, but performance was degraded. That is when I decided to bring in another machine, and so a second machine comes into the picture for the rest of this blog series. This second machine is configured with 192.168.1.55.

Depending on how capable your current machine is, you may continue on with the rest of the series on the same machine you have been playing with.

Running GitLab using Docker

The GitLab official document explains everything, so let me follow it through.

https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-compose

As always, let me create a directory for GitLab at $HOME/mylan/gitlab, and place the docker-compose.yml file there.

mkdir -p $HOME/mylan/gitlab
cd $HOME/mylan/gitlab

This is the image I am using.

https://hub.docker.com/r/gitlab/gitlab-ce

This is the docker-compose.yml file. I am naming this host gitlab.mylan.local, and later I will need to update rp and dns accordingly. I am exposing only port 80 for now: my client access will be https, first hitting the reverse proxy, and the further connection between the rp and gitlab will be plain http.

As for the volumes, I am creating two named volumes for log and data. The configuration directory /etc/gitlab in the container is bind-mounted from ./config, which is $HOME/mylan/gitlab/config. Once the container runs, GitLab writes all its configuration files to /etc/gitlab, and Docker makes them visible in the ./config directory.

services:
  gitlab:
    image: 'gitlab/gitlab-ce:15.5.1-ce.0'
    restart: always
    hostname: 'gitlab.mylan.local'
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.mylan.local'
    ports:
      - '80:80'
    volumes:
      # configuration directory, bind-mounted from ./config on the host
      - type: bind
        source: ./config
        target: /etc/gitlab
      # log and data live in the named volumes declared below,
      # so their type must be 'volume', not 'bind'
      - type: volume
        source: mylan_gitlab_log_volume
        target: /var/log/gitlab
      - type: volume
        source: mylan_gitlab_data_volume
        target: /var/opt/gitlab

volumes:
  mylan_gitlab_log_volume: {}
  mylan_gitlab_data_volume: {}

Let me go ahead and run this. Before I access the service, let me prepare the DNS record and reverse proxy entry for gitlab.mylan.local.

DNS record for gitlab.mylan.local

Let me go ahead and update the $HOME/mylan/dns/config/a-records.conf file to add gitlab.mylan.local. The second machine that will run GitLab has 192.168.1.55, but since access will go through the reverse proxy over https, I need DNS to point the name at rp on 192.168.1.56. I will then restart the container so that the new record is served by the DNS server.

# A Record
     #local-data: "somecomputer.local. A 192.168.1.1"
     local-data: "jupyter.mylan.local. A 192.168.1.56"
     local-data: "login.mylan.local. A 192.168.1.56"
     local-data: "gitlab.mylan.local. A 192.168.1.56"

# PTR Record
     #local-data-ptr: "192.168.1.1 somecomputer.local."
     local-data-ptr: "192.168.1.56 jupyter.mylan.local."

Reverse proxy for GitLab

I will then add one server config in rp. GitLab has built-in 2FA, so I will not include Authelia.

I have just copied the jupyter.conf file to gitlab.conf in $HOME/mylan/rp/conf.d, changed the server_name and upstream, and removed the lines related to Authelia.

I am going to use the same TLS configuration, as the certificate I generated covers *.mylan.local.

Let me also go ahead and restart the rp container to have this reverse proxy running.

$ cat $HOME/mylan/rp/conf.d/gitlab.conf
server {
    listen 443 ssl http2;
    server_name gitlab.mylan.local;

    # docker resolver
    resolver 127.0.0.11 valid=30s;

    # tls
    include /etc/nginx/tls/tls.conf;

    location / {
        set $upstream 192.168.1.55:80;
        proxy_pass http://$upstream;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}

Accessing GitLab

Let me open my browser and access https://gitlab.mylan.local. It shows me the GitLab login page.

Initial login as root

The user created automatically is root, and its initial password can be found in the file /etc/gitlab/initial_root_password. The docker exec below works, but since I am mapping $HOME/mylan/gitlab/config to the config directory in the container, I can also find the same password file at $HOME/mylan/gitlab/config/initial_root_password.

$ docker exec gitlab grep 'Password:' /etc/gitlab/initial_root_password
Password: 5EtRD56Y1KX3+fxdSvbaqX5DPaJ5DM9T1wnYBzjSE80=

What to do on my first login?

Congratulations! You are logged in as root. Let's update the password, and it's all yours. You may find tutorials and getting-started guides out there, or go through these two pages in the official document and change whatever you like.

https://docs.gitlab.com/ee/administration/get_started.html

https://docs.gitlab.com/ee/install/next_steps.html

I am planning to cover GitLab Runner and GitLab Pages in this series, starting from the next post. In the rest of this post, I will write about the changes I would make, considering that I may someday expose this GitLab so that I can use it even when I am away from home.

As briefly mentioned in the first post of this series, I am actually running my own GitLab and other services using my public DNS domain so that I can use them at home and outside.

Update root password and profile

As already mentioned, let us find the "Edit Password" page in the user settings menu and change the root user password. Also look at the other menus such as emails, account, and notifications to set an email address and 2FA for the root account.

Sign-up restrictions

https://docs.gitlab.com/ee/user/admin_area/settings/sign_up_restrictions.html

I disable self sign-up so that random people cannot create an account on my GitLab.

Create user account

I will create a user account and use GitLab as a regular user instead of as the administrator.

https://docs.gitlab.com/ee/user/profile/account/create_accounts.html

When you manually create a user account, as the UI tells you, a password reset link is sent to the email address specified. In my case, I am creating a new user "ghost" with the email address "ghost@mylan.local", which goes nowhere, and of course I have not configured SMTP for this GitLab either. So what I do is: create the new user "ghost"; as root, edit the user and set an initial password; log out from root; log in again as "ghost" with that initial password; and finally set the password I actually want, since GitLab asks this newly created user to reset the password on first login as well.

First login as user

Now I log in using the user account "ghost". I change my public avatar from the default image, change the commit email to the private address available in the pull-down, and enable 2FA.

Once 2FA is enabled, I can no longer use the account password for git operations such as git push over https. I use a personal access token instead of the password.

https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html

Creating first project

Let me then create a project and try out basic git operations.

I create a new blank project in the GitLab GUI, naming it "mylan". There is an option to initialize the repository with a README. Let me use it (it is selected by default) so that the project is created with an initial commit containing an auto-generated README.md file.

https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html#convert-a-local-directory-into-a-repository

Configuring git

Let me go back to my first machine running reverse proxy server, configure git, and put all $HOME/mylan files in the repository.

Let me first configure the username and email address used in git operations. The user account I created on my GitLab was "ghost", so that is going to be the username. In the profile settings, I changed the commit email to an anonymous one, so that is the one I configure in git. The default branch name on GitLab is "main", so I configure git the same way.

git config --global user.name "ghost"
git config --global user.email "2-ghost@users.noreply.gitlab.mylan.local"
git config --global init.defaultBranch main

As for the credentials to use GitLab as user "ghost", I need to generate a personal access token. Here is the same link again on how to create the token. I chose "read_repository" and "write_repository" as the scopes.

https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token

Now I configure git with credentials for Git over HTTPS. I run the lines below and finish the input with an empty line. The store file is plain text, so git should be told to consult it, and the file is readable only by me.

# tell git to use the plain-text store for credential lookups
git config --global credential.helper store

# feed one credential into the store; terminate the input with an empty line
git credential-store --file ~/.git-credentials store
protocol=https
host=gitlab.mylan.local
username=ghost
password={access_token_here}
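As an added example, not code from the original post: the same key=value exchange wrapped in two shell functions, storing a token and then reading it back with the `get` action that git itself uses, on a temporary store file rather than ~/.git-credentials. It assumes git is installed; the token value and function names are constructed placeholders.

```shell
# Write one credential into a store file. git credential-store reads
# key=value lines from stdin and stops at the first empty line.
store_gitlab_token() {
  store_file=$1; host=$2; user=$3; token=$4
  printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n\n' \
    "$host" "$user" "$token" | git credential-store --file "$store_file" store
  # the store is plain text, so keep it readable by the owner only
  chmod 600 "$store_file"
}

# Ask the store for the credential git would send for an https URL on $host,
# exactly as git does before a push. Prints only the password value;
# empty output means no stored credential matched that host.
lookup_gitlab_token() {
  store_file=$1; host=$2
  printf 'protocol=https\nhost=%s\n\n' "$host" \
    | git credential-store --file "$store_file" get \
    | sed -n 's/^password=//p'
}

# Demo on a temporary store; "glpat-EXAMPLE-TOKEN" is a constructed value.
demo_credential_store() {
  tmp=$(mktemp)
  store_gitlab_token "$tmp" gitlab.mylan.local ghost glpat-EXAMPLE-TOKEN
  lookup_gitlab_token "$tmp" gitlab.mylan.local      # prints the token
  lookup_gitlab_token "$tmp" other.mylan.local       # prints nothing
  rm -f "$tmp"
}
```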

I have previously installed the root CA certificate on my client machine, but I have not done the same on my host machine running Docker and everything else. For git to trust that root CA, let me run the following to copy the root CA certificate to the home directory and configure git to use it when accessing https://gitlab.mylan.local.

cd
cp mylan/openssl/rootCA.crt .
git config --global http."https://gitlab.mylan.local/".sslCAInfo ~/rootCA.crt

Git operation

I have done all these, and finally I am ready to use git.

I go to the existing directory $HOME/mylan, turn it into a git repository and add the existing files, fetch and merge the initial commit (with the README file) from the repository created in the GitLab GUI, and finally push the existing data.

cd $HOME/mylan

# initialize the directory as a git repo on branch main and add all existing files
# (git branch main would fail here because no commit exists yet; -b picks the
# branch name at init time, and init.defaultBranch set above does the same)
git init -b main
git add -A && git commit -m "init"

# set the remote, fetch and merge the initial commit made by the GitLab GUI,
# then push
git remote add origin https://gitlab.mylan.local/ghost/mylan.git
git fetch origin
git merge origin/main --allow-unrelated-histories
git push --set-upstream origin main
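Before pushing the whole $HOME/mylan tree, it is worth checking for files that should not reach the repository, such as the private key belonging to openssl/rootCA.crt or gitlab/config/initial_root_password. The following added example (not from the original post) lists such files under a directory and turns them into .gitignore lines; the function names and any file patterns beyond those named on this page are my assumptions.

```shell
# Print every file under $1 that looks like secret material, one per line,
# skipping the .git directory. Returns 1 when at least one is found, 0 when
# the tree looks clean. Patterns: private keys, GitLab's generated root
# password and secrets file, and a git credential store (assumed list).
find_secret_files() {
  root=$1
  hits=$(find "$root" -path "$root/.git" -prune -o -type f \( \
      -name '*.key' \
      -o -name 'initial_root_password' \
      -o -name 'gitlab-secrets.json' \
      -o -name '.git-credentials' \) -print | sort)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Rewrite the hits as .gitignore entries relative to the tree root, so that a
# following `git add -A` skips them (files already tracked stay tracked).
secrets_to_gitignore() {
  root=$1
  find_secret_files "$root" | while IFS= read -r hit; do
    printf '/%s\n' "${hit#"$root/"}"
  done
}

# Demo on a constructed tree that mirrors this series' layout.
demo_secret_scan() {
  d=$(mktemp -d)
  mkdir -p "$d/openssl" "$d/gitlab/config" "$d/dns/config"
  : > "$d/openssl/rootCA.crt"; : > "$d/openssl/rootCA.key"
  : > "$d/gitlab/config/gitlab.rb"; : > "$d/gitlab/config/initial_root_password"
  : > "$d/dns/config/a-records.conf"
  secrets_to_gitignore "$d"   # /gitlab/config/initial_root_password, /openssl/rootCA.key
  rm -rf "$d"
}
```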

From here onward, you can add or edit files under $HOME/mylan, use git add to stage the file(s), git commit to record the change, and git push to upload the commits to the project repository on the GitLab server.

Closing

Now I have a GitLab server running on my second machine. I have added an Nginx server config and a DNS record so that my client machine can access GitLab at https://gitlab.mylan.local.

In the next post, I will continue to work on GitLab to cover GitLab Runner and GitLab Pages.

next: GitLab Runner and GitLab Pages
