Setting up GitLab + Container Registry with Docker

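Notes

  • The official gitlab-ce image on Docker Hub is a packaging of the Omnibus distribution
  • Many of the Omnibus components in gitlab-ce are only enabled after they have been configured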

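Preparation

By default GitLab occupies ports 22, 80 and 443, so make sure the GitLab Docker service does not conflict with ports already open on the host.
A common case: if the host runs an SSH service, its port has to be moved as follows: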

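## Change the SSHD port ##
# For security and to avoid a conflict with the GitLab container service,
# move the host's sshd service from the default port 22 to port 8022.
# Remember to use port 8022 for later SSH connections to the host.
sudo sed -i 's|#Port 22|Port 8022|' /etc/ssh/sshd_config
sudo service sshd restart
sudo netstat -anpt  # show the current port usage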
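
The port conflict described above can be checked before the container is started. The following is an added example, not part of the original article; the function name busy_ports and the sample netstat lines are constructed for illustration.

```shell
# Added example: list which of the ports GitLab will publish are already
# bound on the host.
# stdin: `netstat -ant` or `ss -ltn` output; arguments: ports to check.
busy_ports() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /LISTEN/ {
            # The first field ending in :<digits> is the local address
            # (0.0.0.0:22, :::443, [::]:80); the remote side ends in :*.
            for (f = 1; f <= NF; f++) {
                if ($f ~ /:[0-9]+$/) {
                    port = $f
                    sub(/.*:/, "", port)
                    if (port in need) hit[port] = 1
                    break
                }
            }
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (w[i] in hit) out = out (out == "" ? "" : " ") w[i]
            print out
        }
    '
}

# Constructed sample: sshd already moved to 8022, a host nginx still holds 80,
# and an established connection to a remote :443 that must not be counted.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      990/master
tcp        0      0 10.0.0.5:8022           10.0.0.9:443            ESTABLISHED 1432/sshd: admin
tcp6       0      0 :::80                   :::*                    LISTEN      1201/nginx'

# Ports the article publishes: 22, 80, 443 and, for the registry, 4567.
printf '%s\n' "$SAMPLE_NETSTAT" | busy_ports 22 80 443 4567
```

On a real host, pipe `sudo netstat -ant` into the function instead of the sample; empty output means none of the listed ports is taken.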

Two ways to deploy GitLab with Docker

  • The HTTPS certificate and private key are assumed to be in the /etc/certs directory
  • The files are renamed to domain.crt and domain.key
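
A preflight check for the certificate directory, as an added example that is not part of the original article. It assumes the /etc/certs layout named above and also looks for dhparam.pem, which the nginx['ssl_dhparam'] setting in the configurations below expects in the same directory; check_cert_dir and key_matches_cert are hypothetical helper names.

```shell
# Added example: verify the directory that is mounted at /etc/gitlab/ssl.

# Print a space-separated list of problems; empty output means the files are in place.
check_cert_dir() {
    dir=$1
    problems=
    for f in domain.crt domain.key dhparam.pem; do
        [ -s "$dir/$f" ] || problems="$problems missing:$f"
    done
    # The private key must not be readable by group or others.
    if [ -f "$dir/domain.key" ] &&
       [ -n "$(find "$dir/domain.key" \( -perm -040 -o -perm -004 \))" ]; then
        problems="$problems key-readable-by-group-or-others"
    fi
    printf '%s\n' "${problems# }"
}

# Return 0 only if domain.key is the private key belonging to domain.crt.
# Returns 2 when openssl is not installed, 1 when a file cannot be parsed
# or the public keys differ.
key_matches_cert() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$dir/domain.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/domain.key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run against the article's directory when it exists on this host.
if [ -d /etc/certs ]; then
    check_cert_dir /etc/certs
    if key_matches_cert /etc/certs; then
        echo "domain.key matches domain.crt"
    else
        echo "domain.key could not be confirmed as the key for domain.crt"
    fi
fi
```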

1. Single-container mode

docker run -d --name gitlab --hostname gitlab.example.com \
-e GITLAB_OMNIBUS_CONFIG="
    external_url 'https://gitlab.example.com'
    gitlab_rails['gitlab_shell_ssh_port'] = 22
    nginx['redirect_http_to_https'] = true
    nginx['ssl_dhparam'] = '/etc/gitlab/ssl/dhparam.pem'
    nginx['ssl_certificate'] = '/etc/gitlab/ssl/domain.crt'
    nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/domain.key'
    nginx['custom_gitlab_server_config'] = \"location ^~ /.well-known {\n alias /var/opt/gitlab/letsencrypt/.well-known;\n}\n\"
    high_availability['mountpoint'] = ['/etc/gitlab', '/var/log/gitlab', '/var/opt/gitlab']  # require the listed filesystems to be mounted before the GitLab services start
" \
-p 22:22 -p 80:80 -p 443:443 \
-v /srv/gitlab/config:/etc/gitlab \
-v /srv/gitlab/logs:/var/log/gitlab \
-v /srv/gitlab/data:/var/opt/gitlab \
-v /etc/certs:/etc/gitlab/ssl \
--restart=always gitlab/gitlab-ce:latest

2. Docker Compose orchestration mode (recommended)

docker pull gitlab/gitlab-ce:latest

############################ multi-line command begins ##########################
cat > docker-compose.yaml <<EOF
version: '2'

services:

  Gitlab:
    image: 'gitlab/gitlab-ce:latest'
    container_name: 'gitlab'
    hostname: 'gitlab.example.com'
    restart: always
    ports:
      - '22:22'
      - '80:80'
      - '443:443'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Add any other gitlab.rb configuration here, each on its own line
        external_url 'https://gitlab.example.com'
        gitlab_rails['gitlab_shell_ssh_port'] = 22
        nginx['redirect_http_to_https'] = true
        nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparam.pem"
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key"
        nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n alias /var/opt/gitlab/letsencrypt/.well-known;\n}\n"
        high_availability['mountpoint'] = ["/etc/gitlab", "/var/log/gitlab", "/var/opt/gitlab"]  # require the listed filesystems to be mounted before the GitLab services start
    volumes:
      - /srv/gitlab/config:/etc/gitlab
      - /srv/gitlab/logs:/var/log/gitlab
      - /srv/gitlab/data:/var/opt/gitlab
      - /etc/certs:/etc/gitlab/ssl
EOF
############################ multi-line command ends ##########################

# Start the service
docker-compose -f docker-compose.yaml up -d

Enabling e-mail
Add the following lines under the GITLAB_OMNIBUS_CONFIG node of GitLab's Compose configuration:

########## Mail service configuration ##########
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp.exmail.qq.com"
        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_tls'] = true
        gitlab_rails['smtp_user_name'] = "帳號"  # placeholder: the SMTP account name
        gitlab_rails['smtp_password'] = "密碼"  # placeholder: the SMTP password
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['gitlab_email_from'] = "發件人郵箱"  # placeholder: the sender's e-mail address

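On the first login to GitLab you are prompted to set the password of the root administrator.

Tuning GitLab
GitLab consumes a lot of memory.
The sidekiq queue and the unicorn service are the two components that use the most.
The relevant parameters can be tuned when the container is started: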

        unicorn['worker_processes'] = 1
        unicorn['worker_memory_limit_min'] = "300 * 1 << 20"
        unicorn['worker_memory_limit_max'] = "400 * 1 << 20"
        unicorn['worker_timeout'] = 15
        sidekiq['concurrency'] = 10
        sidekiq_cluster['enable'] = false
        sidekiq_cluster['ha'] = false
        redis['maxclients'] = "100"
        nginx['worker_processes'] = 2 
        nginx['worker_connections'] = 512 
        nginx['keepalive_timeout'] = 300 
        nginx['cache_max_size'] = '200m'
        mattermost['enable'] = false
        mattermost_nginx['enable'] = false
        gitlab_pages['enable'] = false
        pages_nginx['enable'] = false
        postgresql['shared_buffers'] = "256MB"
        postgresql['max_connections'] = 30
        postgresql['work_mem'] = "8MB"
        postgresql['maintenance_work_mem'] = "16MB"
        postgresql['effective_cache_size'] = "1MB"
        postgresql['checkpoint_timeout'] = "5min"
        postgresql['checkpoint_warning'] = "30s"

After changing the configuration, reload it:

docker exec gitlab gitlab-ctl reconfigure
docker-compose down
docker-compose up -d

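Enabling the Container Registry in GitLab

  • Container Registry is GitLab's built-in Docker Registry integration component
  • Once it is integrated, every project gets its own private Docker image storage
  • The Container Registry can reuse the GitLab domain or use a separate domain
  • Here it is configured to reuse the domain (the Container Registry then reuses GitLab's TLS certificate)
  1. In docker-compose.yaml, add the following configuration under the GITLAB_OMNIBUS_CONFIG node of the Gitlab service:
        registry_external_url "https://gitlab.example.com:4567"  # external URL of the Container Registry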
        registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt"
        registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key"
        gitlab_rails['registry_host'] = "gitlab.example.com"
        gitlab_rails['registry_port'] = "4567"
        gitlab_rails['registry_api_url'] = "http://localhost:5000"
        gitlab_rails['gitlab_default_projects_features_builds'] = false
        gitlab_rails['gitlab_default_projects_features_container_registry'] = false
  2. Publish an additional port: - 4567:4567
  3. Restart the service: docker-compose restart Gitlab

Once the Container Registry is integrated you can log in with a GitLab account: docker login gitlab.example.com:4567


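Routine maintenance commands

# GitLab maintenance
docker exec gitlab gitlab-ctl status  # status of each GitLab component service
docker exec gitlab gitlab-ctl start/restart/stop [component name]  # unified control of all GitLab components (GitLab returns 502 until the Unicorn component has finished restarting)
docker exec gitlab gitlab-ctl tail [a subdirectory of /var/log/gitlab]  # follow the logs in real time

docker exec gitlab update-permissions  # fix permission problems that appear after a GitLab version upgrade
docker exec gitlab gitlab-ctl reconfigure  # reload the configuration
docker exec -t gitlab gitlab-rake gitlab:backup:create  # create a backup

# Container Registry maintenance
docker exec gitlab gitlab-ctl registry-garbage-collect  # garbage collection: remove unused layers (the registry is stopped while it runs)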

Import Repository(Repo By Url)

# If the username or password contains special characters they must be URL-encoded
https://username:password@host:port/group/project.git
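
One way to produce the URL-encoded form mentioned above, as an added example that is not part of the original article; urlencode, import_url and the sample credentials and host are constructed for illustration.

```shell
# Added example: build an import URL whose user name and password are
# percent-encoded. Written for the ASCII punctuation that usually breaks
# such URLs (@ : / # % and spaces).

# Percent-encode everything except the RFC 3986 unreserved characters.
urlencode() (
    LC_ALL=C; export LC_ALL          # match and convert byte by byte
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}                  # the string without its first character
        c=${s%"$rest"}               # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s\n' "$out"
)

# $1 user, $2 password, $3 host[:port], $4 group/project
import_url() {
    printf 'https://%s:%s@%s/%s.git\n' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Constructed sample values.
SRC_USER='dev@example.com'
SRC_PASS='p@ss:w/rd#1'
import_url "$SRC_USER" "$SRC_PASS" 'git.example.org:8443' 'group/project'
```

The credentials become part of the URL text, so a limited-scope access token, where the source host offers one, is a better fit here than an account password.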