Overview

Deploy gitlab-ce and a GitLab runner with docker-compose.

Configure the host's Nginx to proxy the Nginx bundled inside the gitlab-ce container.

gitlab-ce architecture

See the official documentation for a detailed architecture overview.

[Figure: gitlab-ce architecture diagram]

docker-compose.yml

version: '3.6'

services:
  gitlab:
    image: gitlab/gitlab-ce:16.8.1-ce.0
    restart: always
    # gitlab-ce hostname; must match the external_url setting below
    hostname: 'gitlab.example.com'
    container_name: gitlab
    networks:
      - gitlab
    environment:
      TZ: Asia/Shanghai
      GITLAB_OMNIBUS_CONFIG: |
        # Full URL used to reach gitlab-ce
        external_url 'https://gitlab.example.com'
        # Hostname used in SSH clone URLs, e.g. ssh://git@gitlab.example.com:9000/xxx/project.git
        gitlab_rails['gitlab_ssh_host'] = 'gitlab.example.com'
        # Port shown in SSH clone URLs. Note: this does NOT change the port sshd listens on inside gitlab-ce
        gitlab_rails['gitlab_shell_ssh_port'] = 9000
        # Time zone
        gitlab_rails['time_zone'] = 'Asia/Shanghai'
        # Disable HTTPS in the bundled Nginx (TLS is terminated by the host Nginx)
        nginx['listen_https'] = false
        # Port the bundled Nginx listens on
        nginx['listen_port'] = 443
        # Maximum request body size for the bundled Nginx
        nginx['client_max_body_size'] = '1024m'
        # Listen address of the bundled Nginx: all IPv4 addresses
        nginx['listen_addresses'] = ['*']
        # Mail (SMTP) settings
        # Notes:
        #   1. smtp_user_name and gitlab_email_from are the sender address and must be the same
        #   2. Details and examples: official documentation [https://docs.gitlab.com/ee/administration/incoming_email.html]
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp.qq.com"
        gitlab_rails['smtp_port'] = 465
        gitlab_rails['smtp_user_name'] = "mymail@foxmail.com"
        gitlab_rails['smtp_password'] = "xxxxxx"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls_auto'] = false
        gitlab_rails['smtp_tls'] = true
        gitlab_rails['gitlab_email_from'] = 'mymail@foxmail.com'
        gitlab_rails['smtp_domain'] = "smtp.qq.com"
        # Backup settings, in order:
        #   1. Let GitLab manage the backup path
        #   2. Backup path
        #   3. File permissions of the generated backup archives
        #   4. Backup retention time, in seconds
        # Note: these settings do not schedule backups; run them manually:
        #   back up the configuration files: docker exec gitlab gitlab-ctl backup-etc
        #   back up the whole instance (without configuration files): docker exec gitlab gitlab-backup create
        # gitlab_rails['manage_backup_path'] = true
        # gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
        # gitlab_rails['backup_archive_permissions'] = 0644
        # gitlab_rails['backup_keep_time'] = 604800
        # Nginx log level
        # nginx['error_log_level'] = "debug"
    ports:
      - '38922:22'  # SSH port mapping
      - '38929:443' # web port mapping
    volumes:
      # Mounts for configuration, logs and data
      - '/gitlab-ce/gitlab/config:/etc/gitlab'
      - '/gitlab-ce/gitlab/logs:/var/log/gitlab'
      - '/gitlab-ce/gitlab/data:/var/opt/gitlab'
    shm_size: '8096m'  # size of /dev/shm inside the container (not a limit on total container memory)


  runner:
    image: gitlab/gitlab-runner:ubuntu-v16.6.2
    restart: always
    networks:
      - gitlab
    # privileged mode together with the Docker socket mount below gives CI jobs
    # root-equivalent access to the host; register only trusted projects on this runner
    privileged: true
    container_name: runner
    environment:
      TZ: Asia/Shanghai
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # lets jobs drive the host Docker daemon
      - /gitlab-ce/runner:/etc/gitlab-runner       # runner configuration
      - /bin/docker:/bin/docker                    # docker CLI from the host
      - /tmp/runner-cache:/cache                   # job cache
    # shm_size: '2048m'


networks:
  gitlab:
    name: gitlab

Notes:

  • To keep the configuration simple, the GitLab-bundled Nginx listens on port 443 with HTTPS disabled.
  • Start everything with docker-compose up -d; images that are not present locally are pulled automatically.

Host Nginx proxy configuration

1. Host Nginx configuration

/etc/nginx/conf.d/gitlab-ce.conf

server {
    listen      443 ssl http2;
    server_name gitlab.example.com;

    keepalive_timeout   70;
    # must be at least as large as nginx['client_max_body_size'] in the container
    client_max_body_size 1024m;

    access_log  /var/log/nginx/gitlab/access.log;
    error_log   /var/log/nginx/gitlab/error.log;

    ssl_session_cache             shared:SSL:10m;
    ssl_certificate               cert/gitlab.example.com.crt;
    ssl_certificate_key           cert/gitlab.example.com.key;
    ssl_session_timeout           5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); allow only 1.2 and 1.3
    ssl_protocols                 TLSv1.2 TLSv1.3;
    ssl_ciphers                   ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!3DES:!aNULL:!MD5:!ADH:!RC4;

    location / {
        # host port published for container port 443 in docker-compose.yml
        proxy_pass http://127.0.0.1:38929;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect off;
        proxy_ssl_server_name on;
    }
}

Configuration notes:

  • The log directory must exist.
  • The Nginx certificate must be obtained from your domain/certificate provider.
  • To use plain HTTP instead, change port 443 to 80, comment out every directive containing the ssl keyword, and change port 443 to 80 in docker-compose.yml as well.

2. SSH stream (TCP) proxy

/etc/nginx/nginx.conf

Add the following above the http block:

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log  /var/log/nginx/stream.log  proxy;

    open_log_file_cache off;

    include /etc/nginx/conf.d/*.stream;

}

http {
......
}

/etc/nginx/conf.d/gitlab-ce.stream

upstream gitlab_ssh {
    # host port published for container port 22 in docker-compose.yml
    server 127.0.0.1:38922;
}

server {
    # must match gitlab_rails['gitlab_shell_ssh_port'] in docker-compose.yml
    listen      9000;
    proxy_connect_timeout 1h;
    proxy_pass gitlab_ssh;
}

After editing, run nginx -t to check the configuration; if the output says ok, the configuration is correct.

Apply the configuration:

  • If a stream block already existed, run nginx -s reload.
  • If the stream block is newly added, restart Nginx with systemctl restart nginx.
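The three files above have to agree on their port numbers: the host port docker-compose publishes for container port 443 must equal the proxy_pass port, the port published for 22 must equal the stream upstream, and gitlab_shell_ssh_port must equal the stream listen port. The following check is an added example, not part of the original post; the file paths and the inline sample files are constructed assumptions, and the second run deliberately uses a proxy_pass port that is not published to show the failure output.

```shell
#!/bin/sh
# Consistency check for the setup above. Added example, not part of the original post.
# File names/paths and the sample files are constructed assumptions.

# Host port published for container port $2 in compose file $1 ("- '38929:443'" -> 38929).
compose_host_port() { grep -o "[0-9]*:$2['\"]" "$1" | head -n1 | cut -d: -f1; }
# Port advertised in SSH clone URLs (gitlab_rails['gitlab_shell_ssh_port']).
compose_ssh_port() { sed -n 's/.*gitlab_shell_ssh_port.*= *\([0-9]*\).*/\1/p' "$1" | head -n1; }
# Port in "proxy_pass http://127.0.0.1:NNNNN;" of the HTTPS site file $1.
nginx_proxy_port() { sed -n 's/.*proxy_pass *http:\/\/[^:]*:\([0-9]*\);.*/\1/p' "$1" | head -n1; }
# Upstream "server host:port;" and "listen port;" in the stream file $1.
stream_upstream_port() { sed -n 's/.*server *[^:]*:\([0-9]*\);.*/\1/p' "$1" | head -n1; }
stream_listen_port() { sed -n 's/.*listen *\([0-9]*\);.*/\1/p' "$1" | head -n1; }

# Cross-check compose file $1, HTTPS site $2 and stream file $3.
# Prints one line per mismatch and returns 1; prints OK and returns 0 otherwise.
check_gitlab_proxy() {
  rc=0
  web_pub=$(compose_host_port "$1" 443); web_up=$(nginx_proxy_port "$2")
  [ "$web_pub" = "$web_up" ] || { echo "WEB: compose publishes $web_pub, nginx proxies to $web_up"; rc=1; }
  ssh_pub=$(compose_host_port "$1" 22); ssh_up=$(stream_upstream_port "$3")
  [ "$ssh_pub" = "$ssh_up" ] || { echo "SSH: compose publishes $ssh_pub, stream forwards to $ssh_up"; rc=1; }
  ssh_adv=$(compose_ssh_port "$1"); ssh_listen=$(stream_listen_port "$3")
  [ "$ssh_adv" = "$ssh_listen" ] || { echo "SSH: GitLab advertises $ssh_adv, stream listens on $ssh_listen"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: web $web_pub, ssh $ssh_pub behind port $ssh_listen"
  return "$rc"
}

# Write constructed sample files into directory $1; $2 is the port the site file proxies to.
write_samples() {
  printf '%s\n' "    GITLAB_OMNIBUS_CONFIG: |" "        gitlab_rails['gitlab_shell_ssh_port'] = 9000" \
    "    ports:" "      - '38922:22'" "      - '38929:443'" > "$1/docker-compose.yml"
  printf '%s\n' "server {" "    listen 443 ssl http2;" "    server_name gitlab.example.com;" \
    "    location / { proxy_pass http://127.0.0.1:$2; }" "}" > "$1/gitlab-ce.conf"
  printf '%s\n' "upstream gitlab_ssh { server 127.0.0.1:38922; }" \
    "server { listen 9000; proxy_pass gitlab_ssh; }" > "$1/gitlab-ce.stream"
}

dir=$(mktemp -d)
write_samples "$dir" 38929    # consistent set of files
check_gitlab_proxy "$dir/docker-compose.yml" "$dir/gitlab-ce.conf" "$dir/gitlab-ce.stream"
write_samples "$dir" 58929    # proxy_pass pointing at a port compose never published
check_gitlab_proxy "$dir/docker-compose.yml" "$dir/gitlab-ce.conf" "$dir/gitlab-ce.stream" || true
rm -rf "$dir"
```

Point the three path arguments at the real docker-compose.yml, gitlab-ce.conf and gitlab-ce.stream before running nginx -t; a non-zero exit means a clone or web request will hit a port nothing listens on.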