For the full set of options see the configuration template; this document only exercises LFS and SAML. Both features require HTTPS with a certificate that the clients (and, for SAML, the IdP) trust.
1 Writing docker-compose.yml
1.1 LFS configuration
An LFS pointer file is a small text file that is committed to the Git repository; the large file it points to is stored on the LFS server rather than in the repository itself. This is how Git LFS solves the problem of storing large files in Git.
Keeping LFS objects on the local disk is not recommended; store them in S3-compatible object storage instead.
```ruby
gitlab_rails['lfs_enabled'] = true
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['proxy_download'] = true
gitlab_rails['object_store']['connection'] = {
  'provider' => 'AWS',
  'endpoint' => 'http://10.1.1.1:9000',
  'path_style' => true,
  'region' => 's-west-1',
  'aws_access_key_id' => 'minioadmin',
  'aws_secret_access_key' => 'qweasd',
  'aws_signature_version' => 2,
  'enable_signature_v4_streaming' => false
}
gitlab_rails['object_store']['objects']['lfs']['bucket'] = 'gitlab-lfs'
gitlab_rails['object_store']['objects']['artifacts']['enabled'] = false
gitlab_rails['object_store']['objects']['external_diffs']['enabled'] = false
gitlab_rails['object_store']['objects']['uploads']['enabled'] = false
gitlab_rails['object_store']['objects']['packages']['enabled'] = false
gitlab_rails['object_store']['objects']['dependency_proxy']['enabled'] = false
gitlab_rails['object_store']['objects']['terraform_state']['enabled'] = false
gitlab_rails['object_store']['objects']['ci_secure_files']['enabled'] = false
gitlab_rails['object_store']['objects']['pages']['enabled'] = false
```
`proxy_download = true` makes GitLab stream LFS downloads itself instead of redirecting clients to the MinIO endpoint, which is what allows an internal address like 10.1.1.1:9000 to work at all. Note that the endpoint is plain HTTP with signature version 2, and the access key and secret sit in GITLAB_OMNIBUS_CONFIG, so they are visible in the compose file and in `docker inspect`. Outside a lab, use an HTTPS endpoint with signature version 4 and a key that is scoped to the `gitlab-lfs` bucket.
1.2 LDAP
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ccops.cc'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'ccops'
    password: 'passwd'
    active_directory: true
    allow_username_or_email_login: true
    base: 'OU=User Accounts,DC=ccops,DC=cc'
    user_filter: ''
    group_base: 'OU=Notes Groups,OU=Groups,DC=ccops,DC=cc'
    admin_group: ''
    sync_ssh_keys: false
EOS
```
`method: 'plain'` on port 389 sends the bind password, and every user's password at login, to the domain controller in cleartext. For anything beyond a test setup use `method: 'ssl'` with port 636 (LDAPS) or `method: 'tls'` (STARTTLS), and give the bind account read-only rights.
1.3 SSO configuration
SSO (single sign-on) is usually implemented with one of two protocol families: SAML, or OpenID Connect built on OAuth2. SAML is used here.
1.3.1 Configure SAML first
1.3.1.1 Configuration before 1.6
```ruby
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    args: {
      assertion_consumer_service_url: 'https://gitlab.ccops.cc/users/auth/saml/callback',
      idp_cert_fingerprint: '6a:6a:26:1a:1e:1c:45:f9:a0:74:f2:eb:3e:41:d5:7e:51:dc:15:zd',
      idp_sso_target_url: 'https://stscn.ccops.cc/adfs/ls/IdpInqweedSignOn.aspx?loqwceRp=https://gitlab.ccops.cc',
      issuer: 'https://gitlab.ccops.cc',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    }
  }
]
```
1.3.1.2 Configuration for 1.6 and later
```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: "saml",
    label: "Provider name",
    args: {
      assertion_consumer_service_url: "https://gitlab.ccops.cc/users/auth/saml/callback",
      idp_cert_fingerprint: "43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8",
      idp_sso_target_url: "https://stscn.ccops.cc/adfs/ls/IdpInqweedSignOn.aspx?loqwceRp=https://gitlab.ccops.cc",
      issuer: "https://gitlab.ccops.cc",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]
```
Two of these settings widen the trust placed in the IdP. `omniauth_block_auto_created_users = false` gives every identity the IdP asserts an active GitLab account immediately, with no admin approval. `omniauth_auto_link_saml_user = true` links a SAML identity to an existing GitLab user by email address, so whoever can set the email attribute at the IdP can take over the matching GitLab account. Keep auto-created users blocked unless the IdP is the only way users are created, and make sure the IdP only releases verified email addresses.
1.3.2 Getting GitLab's SAML (SP) metadata to register with the IdP
```text
https://gitlab.ccops.cc/users/auth/saml/metadata
```
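The other half of the trust relationship is `idp_cert_fingerprint`: ruby-saml, which GitLab's SAML provider is built on, checks the assertion signature against the IdP certificate whose SHA-1 digest (over the DER encoding, rendered as colon-separated hex) matches that value; `idp_cert` can be used instead to pin the whole certificate. The script below is an added example, not code from this page, GitLab or ruby-saml: it extracts the signing certificate(s) from IdP metadata XML and prints the fingerprint in the form gitlab.rb expects, so the value comes from the IdP rather than from a copy-paste. `METADATA` is a constructed stub (`YWJj` is base64 of `abc`, not a real certificate, and the entityID is an assumed ADFS-style value); in practice pass the IdP's real metadata file (for ADFS, `/FederationMetadata/2007-06/FederationMetadata.xml`) as the first argument.

```python
"""Derive idp_cert_fingerprint from IdP SAML metadata.

Added example for this page; not GitLab's or ruby-saml's code. Only the
<md:KeyDescriptor use="signing"> certificates matter for signature checks;
pinning the encryption certificate by mistake breaks login.
"""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stub. 'eHl6' = b'xyz' (encryption cert), 'YWJj' = b'abc'
# (signing cert); neither is a real X.509 certificate. entityID assumed.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://stscn.ccops.cc/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>eHl6</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_signing_certs(metadata_xml: str) -> List[bytes]:
    """DER bytes of every IdP signing certificate in the metadata.

    A KeyDescriptor without a 'use' attribute may serve both purposes, so it
    is treated as a signing key; use="encryption" entries are skipped.
    """
    root = ET.fromstring(metadata_xml)
    ders = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata often wraps the base64 over several lines.
            b64 = re.sub(r"\s+", "", cert.text or "")
            ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated lowercase hex digest of the DER, as gitlab.rb expects.
    SHA-1 is ruby-saml's default fingerprint algorithm."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pinned(metadata_xml: str, pinned: str) -> bool:
    """True if the configured fingerprint matches one signing certificate.
    Case and colons are ignored so values copied from ADFS compare cleanly."""
    want = pinned.replace(":", "").lower()
    return any(fingerprint(der).replace(":", "") == want
               for der in idp_signing_certs(metadata_xml))


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else METADATA
    for der in idp_signing_certs(xml_text):
        print(fingerprint(der))
```

Run it against the IdP metadata whenever the IdP rotates its signing certificate; a stale `idp_cert_fingerprint` fails every login, while a fingerprint copied from an untrusted source means GitLab will accept assertions signed by whoever holds that key.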
1.4 Hooks
```ruby
gitaly['custom_hooks_dir'] = "/opt/custom_hooks"
```
1.4.1 Add a script
```shell
mkdir -p custom_hooks/pre-receive.d/
cat > custom_hooks/pre-receive.d/pre-receive << 'EOF'
#!/bin/bash
echo "test commit"
EOF
chown -R git:root custom_hooks/pre-receive.d
chmod +x custom_hooks/pre-receive.d/pre-receive
```
Every executable file in `pre-receive.d/` runs on every push to every repository, as the `git` user inside the container, so the directory must be owned by the uid the container's `git` user maps to and must not be writable by anyone else: whoever can write here runs code on every push. Anything the hook prints is shown to the pusher prefixed with `remote:`.
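Echoing a line proves the hook runs; the reason to have a global pre-receive hook is to enforce push policy that the web UI cannot express. The following is an added example, not the page's script and not GitLab code: a Python hook for `custom_hooks/pre-receive.d/` that reads the `<old-object-id> <new-object-id> <refname>` lines Git passes on stdin and refuses protected-branch deletion, re-pointing of existing tags, and pushes to refs other than branches and tags. The protected branch names and the rules themselves are assumptions for illustration; messages prefixed `GL-HOOK-ERR:` are relayed to the pusher by GitLab. The hook assumes `python3` is available on the PATH inside the container.

```python
#!/usr/bin/env python3
"""Global pre-receive hook for gitaly's custom_hooks_dir/pre-receive.d/.

Added example for this page (not the page's own script, not GitLab code).
Git feeds one line per updated ref on stdin:

    <old-object-id> <new-object-id> <refname>

An all-zero object id means "ref does not exist" (creation or deletion).
A non-zero exit status rejects the whole push. Policy below is assumed:
  * deleting a protected branch is refused;
  * re-pointing a tag that already exists is refused (tags are immutable);
  * refs outside refs/heads/ and refs/tags/ are refused.
"""
import re
import sys
from typing import Iterable, List, Optional

PROTECTED_BRANCHES = {"refs/heads/main", "refs/heads/master"}  # assumed
OID_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")  # SHA-1 or SHA-256 repos


def is_null(oid: str) -> bool:
    """True for the all-zero id Git uses for 'no such ref'."""
    return set(oid) == {"0"}


def check_update(old: str, new: str, ref: str) -> Optional[str]:
    """Return a rejection reason, or None when the update is allowed."""
    if not (OID_RE.match(old) and OID_RE.match(new)):
        return f"malformed object id for {ref}"
    if ref in PROTECTED_BRANCHES and is_null(new):
        return f"deleting protected branch {ref} is not allowed"
    if ref.startswith("refs/tags/") and not is_null(old) and not is_null(new):
        return f"tag {ref} already exists; tags are immutable here"
    if not ref.startswith(("refs/heads/", "refs/tags/")):
        return f"refusing {ref}: only branches and tags may be pushed"
    return None


def evaluate(lines: Iterable[str]) -> List[str]:
    """Run check_update over every stdin line and collect all reasons, so
    the pusher sees every problem in one round trip instead of one per retry."""
    reasons = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 3:
            reasons.append(f"malformed hook input: {raw.strip()!r}")
            continue
        reason = check_update(*parts)
        if reason:
            reasons.append(reason)
    return reasons


def main() -> int:
    reasons = evaluate(sys.stdin)
    for reason in reasons:
        # The GL-HOOK-ERR: prefix makes GitLab display the message to the pusher.
        print(f"GL-HOOK-ERR: {reason}", file=sys.stderr)
    return 1 if reasons else 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as, for example, `custom_hooks/pre-receive.d/protect-refs`, make it executable and owned like the script above. Because it never shells out to `git`, it is cheap to run on every push; checks that need history (non-fast-forward detection, file size or secret scanning on the new commits) would call `git rev-list old..new` from the same loop.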
1.5 Client IP passthrough
HAProxy is used as the load balancer here; for its deployment see "HAProxy+Keepalived usage".
1.5.1 HTTP passthrough
```ruby
nginx['enable'] = true
nginx['real_ip_header'] = 'X-Forwarded-For'
nginx['real_ip_recursive'] = 'on'
nginx['real_ip_trusted_addresses'] = [ "$HAPROXY_IP/32"]
```
Only the HAProxy address(es) belong in `real_ip_trusted_addresses`. nginx honours `X-Forwarded-For` solely for connections from these addresses; a wider range lets anyone who can reach nginx directly forge the client IP that ends up in the access log and in GitLab's IP-based rate limits and audit events.
1.5.2 TCP passthrough (PROXY protocol)
```ruby
nginx['enable'] = true
nginx['proxy_protocol'] = true
nginx['real_ip_header'] = 'proxy_protocol_addr'
nginx['real_ip_trusted_addresses'] = [ "$HAPROXY_IP/32"]
```
This is for HAProxy in TCP mode, where it cannot add HTTP headers: HAProxy must send the PROXY protocol header (`send-proxy` on the backend server line) and nginx takes the client address from it, again only for peers in `real_ip_trusted_addresses`. A listener with `proxy_protocol` enabled expects that header on every connection, so plain clients must not be able to connect to it directly.
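To see why the trusted-address list, and `real_ip_recursive`, matter, the following added example (not nginx source, not GitLab code, written for this page) reimplements the documented behaviour of nginx's realip module for the X-Forwarded-For case: the header is ignored unless the TCP peer is trusted; with recursion on, the header is walked from right to left and the first untrusted address wins, so a client cannot spoof by prepending addresses; with recursion off, only the rightmost address is used. All addresses are constructed, with 10.0.0.5 standing for `$HAPROXY_IP`.

```python
"""Model of nginx realip address selection for X-Forwarded-For.

Added example for this page; not nginx source and not GitLab code, only a
reimplementation of ngx_http_realip_module's documented behaviour so the
effect of real_ip_trusted_addresses / real_ip_recursive can be checked
offline. All addresses are constructed.
"""
import ipaddress
from typing import Iterable, Optional


def _trusted(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted: Iterable[str], recursive: bool = True) -> str:
    """Address nginx would log and hand to GitLab as the client for one request.

    remote_addr: TCP peer address; xff: X-Forwarded-For header or None;
    trusted: real_ip_trusted_addresses in CIDR form.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    if not xff or not _trusted(remote_addr, nets):
        return remote_addr  # untrusted peer: header is ignored entirely
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    chosen = remote_addr
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # nginx declines on a malformed header
        chosen = hop
        if not recursive or not any(ip in n for n in nets):
            break  # first untrusted hop from the right wins
    return chosen  # all hops trusted: leftmost remains


SCENARIOS = [
    # (label, remote_addr, X-Forwarded-For, trusted, recursive)
    ("client via HAProxy", "10.0.0.5", "203.0.113.7", ["10.0.0.5/32"], True),
    ("direct hit, spoofed header", "203.0.113.7", "1.2.3.4", ["10.0.0.5/32"], True),
    ("spoofed header, via HAProxy", "10.0.0.5", "1.2.3.4, 203.0.113.7", ["10.0.0.5/32"], True),
    ("two trusted proxies, recursive on", "10.0.0.5", "203.0.113.7, 10.0.0.6", ["10.0.0.0/24"], True),
    ("two trusted proxies, recursive off", "10.0.0.5", "203.0.113.7, 10.0.0.6", ["10.0.0.0/24"], False),
    ("trust everything (misconfiguration)", "203.0.113.7", "1.2.3.4", ["0.0.0.0/0"], True),
]

if __name__ == "__main__":
    for label, remote, xff, trusted, rec in SCENARIOS:
        print(f"{label:40s} -> {effective_client_ip(remote, xff, trusted, rec)}")
```

The last two scenarios are the ones to remember: with recursion off behind a chain of proxies GitLab logs the inner proxy, and with `0.0.0.0/0` trusted a direct client chooses its own logged address.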
1.6 Full configuration
```yaml
version: '3.6'
services:
  web:
    image: gitlab-ce:15.11.4
    restart: always
    hostname: 'gitlab.ccops.cc'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.ccops.cc'
        gitaly['custom_hooks_dir'] = "/opt/custom_hooks"
        gitlab_rails['gitlab_shell_ssh_port'] = 9922
        gitlab_rails['lfs_enabled'] = true
        gitlab_rails['object_store']['enabled'] = true
        gitlab_rails['object_store']['proxy_download'] = true
        gitlab_rails['object_store']['connection'] = {
          'provider' => 'AWS',
          'endpoint' => 'http://10.1.1.1:9000',
          'path_style' => true,
          'region' => 's-west-1',
          'aws_access_key_id' => 'minioadmin',
          'aws_secret_access_key' => 'qweasd',
          'aws_signature_version' => 2,
          'enable_signature_v4_streaming' => false
        }
        gitlab_rails['object_store']['objects']['lfs']['bucket'] = 'gitlab-lfs'
        gitlab_rails['object_store']['objects']['artifacts']['enabled'] = false
        gitlab_rails['object_store']['objects']['external_diffs']['enabled'] = false
        gitlab_rails['object_store']['objects']['uploads']['enabled'] = false
        gitlab_rails['object_store']['objects']['packages']['enabled'] = false
        gitlab_rails['object_store']['objects']['dependency_proxy']['enabled'] = false
        gitlab_rails['object_store']['objects']['terraform_state']['enabled'] = false
        gitlab_rails['object_store']['objects']['ci_secure_files']['enabled'] = false
        gitlab_rails['object_store']['objects']['pages']['enabled'] = false
        gitlab_rails['omniauth_auto_link_saml_user'] = true
        gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
        gitlab_rails['omniauth_providers'] = [
          {
            "name" => "saml",
            args: {
              assertion_consumer_service_url: 'https://gitlab.ccops.cc/users/auth/saml/callback', # the IdP obtains GitLab's SP information from this URL
              idp_cert_fingerprint: '6a:6a:26:1a:1e:1c:45:f9:a0:74:f2:eb:3e:41:d5:7e:51:dc:15:zd',
              idp_sso_target_url: 'https://stscn.ccops.cc/adfs/ls/IdpInqweedSignOn.aspx?loqwceRp=https://gitlab.ccops.cc',
              issuer: 'https://gitlab.ccops.cc',
              name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
            }
          }
        ]
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/key"
        nginx['listen_addresses'] = ['0.0.0.0']
        nginx['redirect_http_to_https'] = true
        # gitlab_rails['ldap_enabled'] = true
        # gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
        #   main:
        #     label: 'LDAP'
        #     host: 'ccops.cc'
        #     port: 389
        #     uid: 'sAMAccountName'
        #     method: 'plain' # "tls" or "ssl" or "plain"
        #     bind_dn: 'ccops'
        #     password: 'passwd'
        #     active_directory: true
        #     allow_username_or_email_login: true
        #     base: 'OU=User Accounts,DC=ccops,DC=cc'
        #     user_filter: ''
        #     group_base: 'OU=Notes Groups,OU=Groups,DC=ccops,DC=cc'
        #     admin_group: ''
        #     sync_ssh_keys: false
        # EOS
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - './cert:/etc/gitlab/ssl'
      - './logs:/var/log/gitlab'
      - './data:/var/opt/gitlab'
      - './config:/etc/gitlab'
      - './custom_hooks:/opt/custom_hooks'
    shm_size: '256m'
```
Two things to check before relying on this file. `gitlab_shell_ssh_port` only changes the port shown in SSH clone URLs; the compose file publishes 80 and 443 only, so SSH is unreachable until `'9922:22'` is added to `ports`. And the GITLAB_OMNIBUS_CONFIG block carries the object-store secret and the SAML settings in an environment variable, so treat the compose file itself as a secret.
```shell
docker-compose up -d
docker exec -it gitlab-web-1 grep 'Password:' /etc/gitlab/initial_root_password
docker exec -it gitlab-web-1 gitlab-rake "gitlab:password:reset[root]"
```
`/etc/gitlab/initial_root_password` is removed by the first reconfigure that runs more than 24 hours after installation; if it is already gone, the `gitlab-rake` reset is the way to set the root password.
2 Testing
2.1 LFS
2.1.1 Enable LFS on the repository
It is enabled by default.
2.1.2 Push a test commit
```text
[root@ccops qwe]# git lfs install
Updated git hooks.
Git LFS initialized.
[root@ccops qwe]# git lfs track *.tar
Tracking "csi.tar"
Tracking "k8s-install.tar"
Tracking "plugin.tar"
Tracking "sourcegraph.tar"
[root@ccops qwe]# git add .
[root@ccops qwe]# git commit -am "tst tar"
[main b01ccc7] tst tar
 2 files changed, 7 insertions(+)
 create mode 100644 csi.tar
[root@ccops qwe]# ls
csi.tar  k8s-install.tar  plugin.tar  README.md  sourcegraph.tar
[root@ccops qwe]# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

Locking support detected on remote "origin". Consider enabling it with:
  $ git config lfs.https://oauth2:glpat-Aw6DKzhaYCReFrTx-Jww@gitlab.ccops.cc/gitlab-instance-3bd1d037/qwe.git/info/lfs.locksverify true
Uploading LFS objects: 100% (1/1), 123 KB | 0 B/s, done.
Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 477 bytes | 0 bytes/s, done.
Total 4 (delta 1), reused 0 (delta 0)
To https://oauth2:glpat-Aw6DKzhaYCReFrTx-Jww@gitlab.ccops.cc/gitlab-instance-3bd1d037/qwe.git
   ea5c708..b01ccc7  main -> main
```
Two details in this transcript are worth noticing. Because `*.tar` was not quoted, the shell expanded it and `.gitattributes` now lists the four existing files by name rather than a `*.tar` pattern; future tarballs will be committed as ordinary blobs. Use `git lfs track "*.tar"`. And the remote URL embeds a personal access token, which is therefore stored in `.git/config`, shell history and this log; such a token should be treated as leaked and rotated, and a credential helper or SSH used instead.
2.1.3 Verify the upload to S3
An `lfs` entry for the file confirms that it went through LFS rather than into the Git object store.
2.1.4 Check in MinIO
2.2 SSO
2.2.1 The login page shows a SAML button
2.2.2 Clicking it and landing directly in GitLab means it works
2.3 Hooks
```text
git push
Username for 'http://gitlab.ccops.cc': root
Password for 'http://root@gitlab.ccops.cc':
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 8 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 262 bytes | 262.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: test commit.
To http://gitlab.ccops.cc/root/tst.git
   04f7bd5..6a18d2a  main -> main
```
2.4 Client IP passthrough
Check the logs for the client IP: in `/var/log/gitlab/nginx/gitlab_access.log` (mounted at `./logs/nginx/` here) the first field of each line should be the real client's address, not HAProxy's. If every line shows the HAProxy address, nginx is not trusting the forwarded header or PROXY header from it.