For the full set of options see the configuration template; this document mainly tests LFS and SAML. Both features require HTTPS on the GitLab URL, with a certificate that the git clients and browsers trust (LFS uploads and the SAML callback both fail on an untrusted certificate).

1 Writing docker-compose.yml

1.1 LFS configuration

An LFS pointer is a small text file stored in the Git repository; the content of the large file it stands for lives on the LFS server, not in the Git object store. This is how Git LFS solves the problem of large files in Git.
Keeping LFS objects on local disk is not recommended; store them in S3 (MinIO here).

gitlab_rails['lfs_enabled'] = true
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['proxy_download'] = true
gitlab_rails['object_store']['connection'] = {
  'provider' => 'AWS',
  'endpoint' => 'http://10.1.1.1:9000',
  'path_style' => true,
  'region' => 's-west-1',
  'aws_access_key_id' => 'minioadmin',
  'aws_secret_access_key' => 'qweasd',
  'aws_signature_version' => 2,
  'enable_signature_v4_streaming' => false
}
gitlab_rails['object_store']['objects']['lfs']['bucket'] = 'gitlab-lfs'
gitlab_rails['object_store']['objects']['artifacts']['enabled'] = false
gitlab_rails['object_store']['objects']['external_diffs']['enabled'] = false
gitlab_rails['object_store']['objects']['uploads']['enabled'] = false
gitlab_rails['object_store']['objects']['packages']['enabled'] = false
gitlab_rails['object_store']['objects']['dependency_proxy']['enabled'] = false
gitlab_rails['object_store']['objects']['terraform_state']['enabled'] = false
gitlab_rails['object_store']['objects']['ci_secure_files']['enabled'] = false
gitlab_rails['object_store']['objects']['pages']['enabled'] = false

The objects.*.enabled = false lines keep artifacts, uploads, packages and the rest on local disk; only LFS goes to the gitlab-lfs bucket. Two things in the connection block are fine for a lab but not for production: the endpoint is plain http://, so LFS content and the signed S3 requests cross the 10.1.1.1 network in cleartext, and aws_signature_version => 2 selects the legacy signing scheme (MinIO supports Signature V4 over HTTPS, which is what to use). The access key pair also sits in the container environment, readable by anyone who can read the compose file or run docker inspect, so use a MinIO user with a policy limited to this bucket instead of the minioadmin root credentials.

1.2 LDAP

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ccops.cc'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'ccops'
    password: 'passwd'
    active_directory: true
    allow_username_or_email_login: true
    base: 'OU=User Accounts,DC=ccops,DC=cc'
    user_filter: ''
    group_base: 'OU=Notes Groups,OU=Groups,DC=ccops,DC=cc'
    admin_group: ''
    sync_ssh_keys: false
EOS

The YAML under main: must be indented as shown or the heredoc does not parse. method: 'plain' on port 389 sends the bind password and every user's login password in cleartext between GitLab and the domain controller; against Active Directory use method: 'ssl' with port: 636 (LDAPS) or method: 'tls' (STARTTLS on 389), and give the bind account read-only rights. With user_filter: '' every account under base may sign in.

1.3 SSO configuration

SSO stands for single sign-on. The two protocols most commonly used for SSO are SAML and OAuth2; SAML is used here.

1.3.1 SAML provider configuration

1.3.1.1 Configuration before 1.6

gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    args: {
      assertion_consumer_service_url: 'https://gitlab.ccops.cc/users/auth/saml/callback', # after authentication the IdP posts the SAML response back to this URL (the ACS) to sign the user in
      idp_cert_fingerprint: '6a:6a:26:1a:1e:1c:45:f9:a0:74:f2:eb:3e:41:d5:7e:51:dc:15:zd',
      idp_sso_target_url: 'https://stscn.ccops.cc/adfs/ls/IdpInqweedSignOn.aspx?loqwceRp=https://gitlab.ccops.cc',
      issuer: 'https://gitlab.ccops.cc',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    }
  }
]

idp_cert_fingerprint must be the SHA-1 fingerprint of the IdP's token-signing certificate (20 colon-separated hex octets); it is what GitLab uses to verify the signature on every assertion, and the sample values in this document are placeholders to be replaced. GitLab also accepts the full certificate as idp_cert instead of a fingerprint.
1.3.1.2 Configuration from 1.6 on

gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Provider name", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: "https://gitlab.ccops.cc/users/auth/saml/callback",
      idp_cert_fingerprint: "43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8",
      idp_sso_target_url: "https://stscn.ccops.cc/adfs/ls/IdpInqweedSignOn.aspx?loqwceRp=https://gitlab.ccops.cc",
      issuer: "https://gitlab.ccops.cc",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]

Two settings here decide who ends up with an account. omniauth_block_auto_created_users = false lets an account provisioned on first SAML login be used immediately, without an admin unblocking it; the default (true) holds new accounts until approved. omniauth_auto_link_saml_user = true attaches the SAML identity to an existing GitLab user whose email matches the assertion, so whoever controls email attributes at the IdP controls which GitLab accounts SAML users land in. Keep omniauth_allow_single_sign_on limited to ['saml'] as shown.

1.3.2 Fetch GitLab's SAML metadata for registering with the IdP

https://gitlab.ccops.cc/users/auth/saml/metadata

This URL serves GitLab's service-provider metadata (entity ID, ACS URL, name-ID format); import it into ADFS as the relying party instead of typing the values by hand.
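Since a wrong idp_cert_fingerprint makes every SAML signature check fail, it is worth computing the value from the IdP certificate rather than copying it. The following script is an added example, not part of the original page or of GitLab: it assumes openssl in PATH and the IdP's token-signing certificate as a PEM file (for ADFS, exported from the federation metadata); the file names are hypothetical. It also rejects values that cannot be a SHA-1 fingerprint at all, such as the sample above that ends in ":zd" or the 16-octet sample in the newer block.

```shell
#!/bin/sh
# Added example (not from the original page): derive idp_cert_fingerprint from the IdP's
# signing certificate and sanity-check the value before it goes into gitlab.rb.
# Assumes openssl in PATH and the IdP certificate as a PEM file; file names are hypothetical.
set -eu

# Print the SHA-1 fingerprint of a PEM certificate as GitLab expects it:
# 20 colon-separated hex octets, lowercase as in the GitLab docs.
# (sed strips the "SHA1 Fingerprint=" / "sha1 Fingerprint=" prefix, which differs between OpenSSL versions.)
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed -e 's/^.*Fingerprint=//' | tr 'A-F' 'a-f'
}

# A syntactically valid SHA-1 fingerprint is exactly 20 hex octets separated by colons.
# Catches a non-hex placeholder like "...:15:zd" and a 16-octet (MD5-length) value,
# both of which would make signature validation fail for every login.
fingerprint_is_valid() {
  printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){19}[0-9a-fA-F]{2}$'
}

# Compare the configured value with the certificate's real fingerprint, case-insensitively.
fingerprint_matches() {
  fingerprint_is_valid "$2" || return 1
  [ "$(cert_fingerprint "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Usage (hypothetical file name): sh check_fp.sh adfs-signing.pem 'aa:bb:...'
if [ "$#" -eq 2 ]; then
  if fingerprint_matches "$1" "$2"; then
    echo "fingerprint matches $1"
  else
    echo "fingerprint is malformed or does not match $1" >&2
    exit 1
  fi
fi
```

Run it once against the certificate currently published by the IdP and again whenever ADFS rolls its token-signing certificate, since a rollover silently breaks SAML login until the fingerprint is updated.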

1.4 Hooks

gitaly['custom_hooks_dir'] = "/opt/custom_hooks"

Scripts under this directory are global server hooks: GitLab runs everything in <dir>/pre-receive.d/, <dir>/update.d/ and <dir>/post-receive.d/ for every repository on the instance, so a bug or a slow script there affects every push. In the compose file below the host directory ./custom_hooks is mounted at this path.

1.4.1 Add a script

mkdir -p custom_hooks/pre-receive.d/

cat > custom_hooks/pre-receive.d/pre-receive << 'EOF'
#!/bin/bash
echo "test push"
EOF

chown -R git:root custom_hooks/pre-receive.d
chmod +x custom_hooks/pre-receive.d/pre-receive

The file name must be the same in the heredoc and in chmod (the original mixed pre-recevie and pre-receive.sh), and chown takes the owner only, not a second path. A pre-receive script that exits non-zero rejects the whole push, and whatever it prints is relayed to the client prefixed with "remote:", which is what the test in 2.3 shows. The hook runs as the git user inside the container, so the files need to be readable and executable by that uid; chown git on the host only works if a git user exists there, otherwise use the container's numeric git uid.
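The echo script only proves the hook runs. As an added example (not from the original page or from GitLab), here is a pre-receive hook that does something a practitioner would actually deploy from custom_hooks_dir: it refuses deletion of protected branches, refuses updates to refs that are neither branches nor tags, and refuses pushes that commit a large blob directly instead of through git-lfs (the point of section 1.1). It assumes sh and git in the container, as in the omnibus image; the branch list and the size cap are placeholders.

```shell
#!/bin/sh
# Added example pre-receive hook (not from the original page) for gitaly's custom_hooks_dir:
# save it as custom_hooks/pre-receive.d/reject-unsafe-push and make it executable.
# Assumes sh and git inside the container; PROTECTED_BRANCHES and MAX_BLOB_BYTES are placeholders.
set -eu

ZERO_SHA='0000000000000000000000000000000000000000'
PROTECTED_BRANCHES='main master'      # assumed list, adapt to the instance
MAX_BLOB_BYTES=$((5 * 1024 * 1024))   # assumed cap for blobs that bypass LFS (5 MiB)

# check_ref_update OLDREV NEWREV REFNAME
# Returns 0 to accept, 1 to reject. Text on stderr reaches the pusher as "remote: ..." lines.
check_ref_update() {
  oldrev="$1"; newrev="$2"; refname="$3"
  case "$refname" in
    refs/heads/*|refs/tags/*) ;;
    *) echo "rejected: $refname is neither a branch nor a tag" >&2; return 1 ;;
  esac
  if [ "$newrev" = "$ZERO_SHA" ]; then            # an all-zero newrev means "delete this ref"
    for p in $PROTECTED_BRANCHES; do
      if [ "$refname" = "refs/heads/$p" ]; then
        echo "rejected: deleting protected branch $p is not allowed" >&2
        return 1
      fi
    done
  fi
  return 0
}

# check_new_blobs NEWREV
# Lists objects reachable from the pushed tip that no existing ref already has (refs are
# still untouched while pre-receive runs, so --not --all excludes old history) and rejects
# any blob above MAX_BLOB_BYTES. LFS pointers are ~130-byte text files, so a large blob here
# means the file was committed directly. Fails closed if git cannot list the objects.
check_new_blobs() {
  newrev="$1"
  [ "$newrev" = "$ZERO_SHA" ] && return 0          # nothing new arrives on a deletion
  objects=$(git rev-list --objects "$newrev" --not --all) \
    || { echo "rejected: cannot enumerate pushed objects" >&2; return 1; }
  oversized=$(printf '%s\n' "$objects" \
      | git cat-file --batch-check='%(objecttype) %(objectsize) %(rest)' \
      | awk -v max="$MAX_BLOB_BYTES" '$1 == "blob" && $2 + 0 > max { print "  " $3 " (" $2 " bytes)" }')
  if [ -n "$oversized" ]; then
    echo "rejected: blobs larger than $MAX_BLOB_BYTES bytes must be tracked with git-lfs:" >&2
    echo "$oversized" >&2
    return 1
  fi
  return 0
}

# git feeds one "oldrev newrev refname" line per updated ref on stdin and exports GIT_DIR
# to hooks; the GIT_DIR guard keeps the loop from running when the file is merely sourced.
if [ -n "${GIT_DIR:-}" ]; then
  status=0
  while read -r oldrev newrev refname; do
    check_ref_update "$oldrev" "$newrev" "$refname" || status=1
    check_new_blobs "$newrev" || status=1
  done
  exit "$status"
fi
```

Every script in pre-receive.d runs for every push, so keep the checks cheap; the object walk is bounded by what the push adds because of --not --all.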

1.5 Client IP passthrough

HAProxy is the load balancer here; for its deployment see "HAProxy+Keepalived".

1.5.1 HTTP passthrough

nginx['enable'] = true
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'
nginx['real_ip_trusted_addresses'] = [ "$HAPROXY_IP/32"]

HAProxy must add the header on its side (option forwardfor appends the client address to X-Forwarded-For). nginx only honours the header on connections that come from real_ip_trusted_addresses, and with real_ip_recursive on it takes the rightmost address that is not itself trusted, so keep that list to the HAProxy address(es): anything wider lets a client put an arbitrary address in the header and have it logged as its own.

1.5.2 TCP passthrough

nginx['enable'] = true
nginx['proxy_protocol'] = true
nginx['real_ip_header'] = 'proxy_protocol_addr'
nginx['real_ip_trusted_addresses'] = [ "$HAPROXY_IP/32"]

In TCP mode HAProxy passes the TLS connection through untouched and prefixes it with a PROXY protocol header (send-proxy or send-proxy-v2 on the server line); GitLab's own nginx terminates TLS. Once nginx['proxy_protocol'] is on, nginx expects that header on every connection, so a client that reaches the node directly rather than through HAProxy (a curl against the container port, for example) gets a broken-header error.
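Whether the address that ends up in gitlab_access.log can be trusted depends entirely on the interplay of the three settings in 1.5.1. The script below is an added example, not part of the original page or of GitLab or nginx: it is a small model of nginx's realip decision under real_ip_header X-Forwarded-For with real_ip_recursive on, so the outcome of each deployment scenario can be checked before relying on the log for audit or rate limiting. It assumes HAProxy in HTTP mode with option forwardfor (which appends the true peer address to the header), uses 10.1.1.5 as a stand-in for $HAPROXY_IP, and simplifies the trusted list to single addresses (the /32 the page uses) rather than arbitrary CIDRs; the client addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original page): a model of how nginx's realip module picks the
# client address under real_ip_header X-Forwarded-For + real_ip_recursive on + a trusted list.
# Assumptions: HAProxy runs in HTTP mode with "option forwardfor"; HAPROXY_IP stands in for
# the page's $HAPROXY_IP; trusted entries are single addresses, not CIDRs (simplification).
set -eu

HAPROXY_IP='10.1.1.5'   # assumed load-balancer address

# is_trusted IP "ip1 ip2 ...": membership test against real_ip_trusted_addresses.
is_trusted() {
  for t in $2; do [ "$1" = "$t" ] && return 0; done
  return 1
}

# effective_client_ip PEER_IP XFF_HEADER TRUSTED_LIST
# PEER_IP is the TCP peer nginx sees; XFF_HEADER is the X-Forwarded-For value (may be empty).
# The header is honoured only when the peer is trusted; it is then scanned from the right
# until the first address that is not trusted (real_ip_recursive on). If every address is
# trusted, the leftmost one is used, as nginx does.
effective_client_ip() {
  peer="$1"; xff="$2"; trusted="$3"
  if [ -z "$xff" ] || ! is_trusted "$peer" "$trusted"; then
    printf '%s\n' "$peer"; return 0
  fi
  rev=''
  for hop in $(printf '%s' "$xff" | tr ',' ' '); do rev="$hop $rev"; done   # reverse the hop list
  candidate="$peer"
  for hop in $rev; do
    candidate="$hop"
    is_trusted "$hop" "$trusted" || break
  done
  printf '%s\n' "$candidate"
}

# Scenarios (constructed): 203.0.113.7 is the real client, 198.51.100.99 a value it forged.
if [ "${1:-}" = "--demo" ]; then
  echo "direct, no proxy:           $(effective_client_ip 203.0.113.7 '' "$HAPROXY_IP")"
  echo "via HAProxy:                $(effective_client_ip "$HAPROXY_IP" '203.0.113.7' "$HAPROXY_IP")"
  echo "forged XFF via HAProxy:     $(effective_client_ip "$HAPROXY_IP" '198.51.100.99, 203.0.113.7' "$HAPROXY_IP")"
  echo "forged XFF, HAProxy bypassed: $(effective_client_ip 203.0.113.7 '198.51.100.99' "$HAPROXY_IP")"
  echo "over-broad trusted list:    $(effective_client_ip "$HAPROXY_IP" '198.51.100.99, 203.0.113.7' "$HAPROXY_IP 203.0.113.7")"
fi
```

The last scenario is the one to remember: as soon as a client network is added to real_ip_trusted_addresses, the forged 198.51.100.99 wins, because recursion keeps skipping trusted hops. With only the HAProxy address trusted, the forged value is ignored in every case.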

1.6 Complete configuration

Indentation matters here: GITLAB_OMNIBUS_CONFIG is a YAML literal block, so every gitlab.rb line must be indented under it. Note that gitlab_shell_ssh_port is set to 9922 but no SSH port is published under ports:, so Git over SSH is unavailable with this file as written; add - '9922:22' if it is needed. ./cert must contain the files crt and key referenced by the nginx settings, issued by a CA the clients trust (see the note at the top).

version: '3.6'
services:
  web:
    image: gitlab-ce:15.11.4
    restart: always
    # network_mode: "host"   # host networking
    hostname: 'gitlab.ccops.cc'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.ccops.cc'
        gitaly['custom_hooks_dir'] = "/opt/custom_hooks"
        gitlab_rails['gitlab_shell_ssh_port'] = 9922
        gitlab_rails['lfs_enabled'] = true
        gitlab_rails['object_store']['enabled'] = true
        gitlab_rails['object_store']['proxy_download'] = true
        gitlab_rails['object_store']['connection'] = {
          'provider' => 'AWS',
          'endpoint' => 'http://10.1.1.1:9000',
          'path_style' => true,
          'region' => 's-west-1',
          'aws_access_key_id' => 'minioadmin',
          'aws_secret_access_key' => 'qweasd',
          'aws_signature_version' => 2,
          'enable_signature_v4_streaming' => false
        }
        gitlab_rails['object_store']['objects']['lfs']['bucket'] = 'gitlab-lfs'
        gitlab_rails['object_store']['objects']['artifacts']['enabled'] = false
        gitlab_rails['object_store']['objects']['external_diffs']['enabled'] = false
        gitlab_rails['object_store']['objects']['uploads']['enabled'] = false
        gitlab_rails['object_store']['objects']['packages']['enabled'] = false
        gitlab_rails['object_store']['objects']['dependency_proxy']['enabled'] = false
        gitlab_rails['object_store']['objects']['terraform_state']['enabled'] = false
        gitlab_rails['object_store']['objects']['ci_secure_files']['enabled'] = false
        gitlab_rails['object_store']['objects']['pages']['enabled'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        gitlab_rails['omniauth_providers'] = [
          {
            "name" => "saml",
            args: {
              assertion_consumer_service_url: 'https://gitlab.ccops.cc/users/auth/saml/callback', # the IdP posts the SAML response back to this URL (the ACS)
              idp_cert_fingerprint: '6a:6a:26:1a:1e:1c:45:f9:a0:74:f2:eb:3e:41:d5:7e:51:dc:15:zd',
              idp_sso_target_url: 'https://stscn.ccops.cc/adfs/ls/IdpInqweedSignOn.aspx?loqwceRp=https://gitlab.ccops.cc',
              issuer: 'https://gitlab.ccops.cc',
              name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
            }
          }
        ]
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/key"
        nginx['listen_addresses'] = ['0.0.0.0']
        nginx['redirect_http_to_https'] = true
        # gitlab_rails['ldap_enabled'] = true
        # gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
        #   main:
        #     label: 'LDAP'
        #     host: 'ccops.cc'
        #     port: 389
        #     uid: 'sAMAccountName'
        #     method: 'plain' # "tls" or "ssl" or "plain"
        #     bind_dn: 'ccops'
        #     password: 'passwd'
        #     active_directory: true
        #     allow_username_or_email_login: true
        #     base: 'OU=User Accounts,DC=ccops,DC=cc'
        #     user_filter: ''
        #     group_base: 'OU=Notes Groups,OU=Groups,DC=ccops,DC=cc'
        #     admin_group: ''
        #     sync_ssh_keys: false
        # EOS
    ports:
      - '80:80'
      - '443:443'
    volumes:
      # - './sshd_config:/etc/ssh/sshd_config'
      - './cert:/etc/gitlab/ssl'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
      - './config:/etc/gitlab'
      - './custom_hooks:/opt/custom_hooks'
    shm_size: '256m'

# start
docker-compose up -d

# read the generated root password (GitLab deletes this file on the first reconfigure after 24 hours)
docker exec -it gitlab-web-1 grep 'Password:' /etc/gitlab/initial_root_password

# or force-reset it
docker exec -it gitlab-web-1 gitlab-rake "gitlab:password:reset[root]"

2 Testing

2.1 LFS

2.1.1 Enable LFS on the repository

It is already enabled by default (Settings > General > Visibility, project features, permissions > Git Large File Storage).
[screenshot]

2.1.2 Push a test commit

Note the unquoted glob in git lfs track *.tar: the shell expanded it, so git-lfs recorded the four existing files by name (see the Tracking lines) rather than the pattern; quote it (git lfs track '*.tar') so .tar files added later are tracked too. Also, the remote URL in this transcript embeds a personal access token (oauth2:glpat-...), which is persisted in .git/config and echoed in the lock hint below; revoke it after the test and use a credential helper instead.

[root@ccops qwe]# git lfs install
Updated git hooks.
Git LFS initialized.
[root@ccops qwe]# git lfs track *.tar
Tracking "csi.tar"
Tracking "k8s-install.tar"
Tracking "plugin.tar"
Tracking "sourcegraph.tar"
[root@ccops qwe]# git add .
[root@ccops qwe]# git commit -am "tst tar"
[main b01ccc7] tst tar
 2 files changed, 7 insertions(+)
 create mode 100644 csi.tar
[root@ccops qwe]# ls
csi.tar  k8s-install.tar  plugin.tar  README.md  sourcegraph.tar
[root@ccops qwe]# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

Locking support detected on remote "origin". Consider enabling it with:
  $ git config lfs.https://oauth2:glpat-Aw6DKzhaYCReFrTx-Jww@gitlab.ccops.cc/gitlab-instance-3bd1d037/qwe.git/info/lfs.locksverify true
Uploading LFS objects: 100% (1/1), 123 KB | 0 B/s, done.
Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 477 bytes | 0 bytes/s, done.
Total 4 (delta 1), reused 0 (delta 0)
To https://oauth2:glpat-Aw6DKzhaYCReFrTx-Jww@gitlab.ccops.cc/gitlab-instance-3bd1d037/qwe.git
   ea5c708..b01ccc7  main -> main

2.1.3 Check that the object went to S3

In the repository file view the file carries an LFS badge, which shows that it was stored through LFS rather than as a Git blob.
[screenshot]

2.1.4 View in MinIO

The gitlab-lfs bucket now holds the uploaded object.
[screenshot]
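The LFS badge and the MinIO listing are the server-side view. The client-side check that matters for 2.1.3 and 2.1.4 is what git actually stored for the path: a pointer, not the tar. The script below is an added example, not part of the original page or of git-lfs; it parses pointer text (the format is fixed by the git-lfs spec: a version line, an oid line and a size line) and derives the key GitLab uses inside the bucket (first two hex characters, next two, then the full OID), so the object can be found in MinIO by hand. The sample pointer is constructed for the example; its digest is the sha256 of a two-byte file and has nothing to do with the csi.tar above.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a tracked file was committed as a
# git-lfs pointer rather than as a raw blob, and map its OID to the bucket key GitLab uses.
# Assumptions: sh; git and git-lfs only for the usage lines in the comments.
set -eu

LFS_SPEC='https://git-lfs.github.com/spec/v1'

# lfs_pointer_oid: read pointer text on stdin, print the sha256 hex digest.
# Returns 1 if the input is not a well-formed pointer (e.g. the raw file was committed).
lfs_pointer_oid() {
  version=''; oid=''; size=''
  while read -r key value; do
    case "$key" in
      version) version="$value" ;;
      oid)     oid="$value" ;;
      size)    size="$value" ;;
      '')      ;;               # tolerate a blank line
      *)       return 1 ;;      # any other content: not a pointer
    esac
  done
  [ "$version" = "$LFS_SPEC" ] || return 1
  printf '%s' "$oid"  | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  printf '%s' "$size" | grep -Eq '^[0-9]+$' || return 1
  printf '%s\n' "${oid#sha256:}"
}

# lfs_object_path OID: the key under which GitLab stores the object in the LFS bucket,
# "<hex 1-2>/<hex 3-4>/<oid>", so it can be located in the gitlab-lfs bucket in MinIO.
lfs_object_path() {
  printf '%s/%s/%s\n' "$(printf '%s' "$1" | cut -c1-2)" "$(printf '%s' "$1" | cut -c3-4)" "$1"
}

# Constructed sample inputs: a valid pointer (digest of a two-byte file, chosen for the
# example only) and a non-pointer blob such as a script committed as-is.
SAMPLE_POINTER="version $LFS_SPEC
oid sha256:4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
size 2"
RAW_BLOB='#!/bin/sh
echo not a pointer'

# Usage in a real checkout (what git stores for the path, not the working-tree file):
#   git cat-file -p HEAD:csi.tar | lfs_pointer_oid
#   git lfs ls-files                      # tracked files with their OIDs
if [ "${1:-}" = "--demo" ]; then
  oid=$(printf '%s\n' "$SAMPLE_POINTER" | lfs_pointer_oid) \
    && echo "pointer OK, bucket key: $(lfs_object_path "$oid")"
  printf '%s\n' "$RAW_BLOB" | lfs_pointer_oid >/dev/null \
    || echo "raw content committed, not an LFS pointer"
fi
```

If git cat-file -p HEAD:csi.tar prints tar content instead of the three pointer lines, the file was added before the track rule existed (or the rule was not committed in .gitattributes) and must be migrated with git lfs migrate.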

2.2 SSO

2.2.1 The login page shows a SAML button

[screenshot]

2.2.2 Clicking it signs you straight in, which shows the flow works

Also open the user in the Admin Area and check its identities: the SAML identity should be linked to the intended account rather than having created a second one.
[screenshot]

2.3 Hooks

This push went over plain http:// with root's password, which is exactly what the note at the top warns against; use the https URL for anything beyond a throwaway test.

git push
Username for 'http://gitlab.ccops.cc': root
Password for 'http://root@gitlab.ccops.cc':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 262 bytes | 262.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: test push        # the hook's output, relayed to the client
To http://gitlab.ccops.cc/root/tst.git
   04f7bd5..6a18d2a  main -> main

2.4 IP passthrough

Check the nginx access log (./logs/nginx/gitlab_access.log on the host with the volumes above): the first field of each line must be the real client address, not the HAProxy address. If it still shows the HAProxy IP, the connection is not arriving from an address in real_ip_trusted_addresses or HAProxy is not adding the header/PROXY prefix.