GitLab CE – Installation du serveur

GitLab CE – Installation du serveur

GitLab Community Edition est un système de gestion de développement collaboratif (ou forge) libre sous licence MIT née en 2011 et produite par GitLab Inc.
GitLab Enterprise Edition est sa version propriétaire aux fonctionnalités étendue.

Alternatives Open Source à GitLab CE :

 

Objectif

 

L’objectif de cet article est l’installation et la configuration d’un serveur auto-hébergé GitLab CE en version 10.7.3 sur une distribution Linux Debian Stretch 9.4 64bits.

 

Schéma logique

 

 

Pré-requis

 

1. Pré-requis avant réalisation

  • Un serveur Debian Jessie 9.4 64 bits fonctionnel (installation basique avec utilitaires usuels du système et service SSH)
  • Packages de base supplémentaires : resolvconf, tree, dnsutils
  • Domaine utilisé : opensharing.priv

 

2. Configuration réseau initiale

Serveur GitLabCE
FQDN gitlabce-test.opensharing.priv
Adresse IP 192.168.1.36
Réseau 192.168.1.0/24
Passerelle 192.168.1.1
dns-nameservers 192.168.1.11 192.168.1.12
dns-search opensharing.priv

 

Contenu initial du fichier /etc/network/interfaces :

auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet static
	address 192.168.1.36
	netmask 255.255.255.0
	network 192.168.1.0
	broadcast 192.168.1.255
	gateway 192.168.1.1
	dns-search opensharing.priv
	dns-nameservers 192.168.1.11 192.168.1.12

 
Contenu initial du fichier /etc/hosts :

127.0.0.1	localhost.localdomain                 localhost
192.168.1.36	gitlabce-test.opensharing.priv        gitlabce-test
192.168.1.36	gitlabce.opensharing.priv             gitlabce

Rmq : L’adresse 127.0.1.1 doit être retirée sur un serveur à IP fixe et remplacée par cette dernière, tel que l’exemple ci-dessus.
 
Contenu initial du fichier /etc/host.conf :

order hosts, bind
multi on

 
Contenu initial du fichier /etc/resolv.conf :

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.11
nameserver 192.168.1.12
search opensharing.priv

Rmq :
Le fichier /etc/resolv.conf ne doit pas être édité dès lors que le paquet resolvconf a été installé.

Pour prendre en compte les modifications des fichiers de configuration relatifs au réseau, redémarrage du service réseau :

# systemctl restart networking
# ifup enp0s3

 

Optionnel : Création d’un alias global reprenant la commande ifconfig disparue sous Debian Stretch

# nano /etc/bash.bashrc

alias ifconfig='ip addr'

# source /etc/bash.bashrc

 

Réalisation

 

1. Installation des paquets pré-requis

# apt-get install curl openssh-server ca-certificates
# apt-get install postfix

Choisir Site Internet comme type de serveur de messagerie.

Puis renseigner le FQDN du serveur.

 

2. Installation du dépôt GitLab CE

# curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5933    0  5933    0     0   3329      0 --:--:--  0:00:01 --:--:--  3331
Detected operating system as debian/stretch.
Checking for curl...
Detected curl...
Checking for gpg...
Detected gpg...
Running apt-get update... done.
Installing debian-archive-keyring which is needed for installing 
apt-transport-https on many Debian systems.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/gitlab_gitlab-ce.list...done.
Importing packagecloud gpg key... done.
Running apt-get update... done.

The repository is setup! You can now install packages.

 

3. Installation de GitLab CE depuis le nouveau dépôt

EXTERNAL_URL="http://gitlabce.opensharing.priv" apt-get install gitlab-ce
.............................................................
L'installation peut prendre plusieurs minutes (lignes omises)
.............................................................

       *.                  *.
      ***                 ***
     *****               *****
    .******             *******
    ********            ********
   ,,,,,,,,,***********,,,,,,,,,
  ,,,,,,,,,,,*********,,,,,,,,,,,
  .,,,,,,,,,,,*******,,,,,,,,,,,,
      ,,,,,,,,,*****,,,,,,,,,.
         ,,,,,,,****,,,,,,
            .,,,***,,,,
                ,*,.
  


     _______ __  __          __
    / ____(_) /_/ /   ____ _/ /_
   / / __/ / __/ /   / __ `/ __ \
  / /_/ / / /_/ /___/ /_/ / /_/ /
  \____/_/\__/_____/\__,_/_.___/
  

Thank you for installing GitLab!
GitLab should be available at http://gitlabce.opensharing.priv

Les éléments suivants, entre autres, ont été installés :

  • Python
  • Nginx
  • Redis
  • PostgreSQL
  • Postfix
  • Ruby
  • Prometheus

4. Première connexion post-installation

http://gitlabce.opensharing.priv

La fenêtre d’authentification s’affiche.
Choisir un mot de passe puis cliquer sur Change your password.

Se loguer ensuite avec l’identifiant root et le mot de passe nouvellement renseigné.

Le Dashboard apparait alors :

 

Pour aller plus loin

 

1. Contenu du fichier de configuration Nginx

# cat /var/opt/gitlab/nginx/conf/gitlab-http.conf 

# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl
## & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
##        CHUNKED TRANSFER      ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
##         configuration         ##
###################################

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}


server {
  listen *:80;


  server_name gitlabce.opensharing.priv;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 0;


  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html

  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=31536000";

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;

  if ($http_host = "") {
    set $http_host_with_default "gitlabce.opensharing.priv";
  }

  if ($http_host != "") {
    set $http_host_with_default $http_host;
  }

  ## If you use HTTPS make sure you disable gzip compression
  ## to be safe against BREACH attack.
  

  ## https://github.com/gitlabhq/gitlabhq/issues/694
  ## Some requests take more than 30 seconds.
  proxy_read_timeout      3600;
  proxy_connect_timeout   300;
  proxy_redirect          off;
  proxy_http_version 1.1;

  proxy_set_header Host $http_host_with_default;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_set_header X-Forwarded-Proto http;

  location ~ (\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$) {
    proxy_cache off;
    proxy_pass http://gitlab-workhorse;
    proxy_request_buffering off;
  }

  location / {
    proxy_cache off;
    proxy_pass  http://gitlab-workhorse;
  }

  location /assets {
    proxy_cache gitlab;
    proxy_pass  http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)(-custom)?\.html$ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    internal;
  }

  
}

 

2. Configuration HTTPS de Nginx

# nano /etc/gitlab/gitlab.rb

## GitLab URL
##! URL on which GitLab will be reachable.
##! For more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
external_url 'https://gitlabce.opensharing.priv'

Génération de la clef privée :

# openssl genrsa -out /etc/ssl/private/gitlabce.opensharing.priv.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
.......................++++++
e is 65537 (0x010001)

Demande de certificat à partir de la clef :

# openssl req -new -key /etc/ssl/private/gitlabce.opensharing.priv.key -out /etc/ssl/certs/gitlabce.opensharing.priv.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value, if you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile-de-France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenSharing
Organizational Unit Name (eg, section) []:Service Informatique
Common Name (e.g. server FQDN or YOUR name) []:gitlabce.opensharing.priv
Email Address []:admin@opensharing.priv

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Construction du certificat :

# openssl x509 -req -days 365 -in /etc/ssl/certs/gitlabce.opensharing.priv.csr -signkey /etc/ssl/private/gitlabce.opensharing.priv.key -out /etc/ssl/certs/gitlabce.opensharing.priv.crt
Signature ok
subject=C = FR, ST = Ile-de-France, L = Paris, O = OpenSharing, OU = Service Informatique, CN = gitlabce.opensharing.priv, emailAddress = admin@opensharing.priv
Getting Private key

# mkdir -p /etc/gitlab/ssl
# chmod 700 /etc/gitlab/ssl
# cp /etc/ssl/private/gitlabce.opensharing.priv.key /etc/ssl/certs/gitlabce.opensharing.priv.crt /etc/gitlab/ssl/
# gitlab-ctl reconfigure

On peut maintenant saisir l'URL en HTTPS :

https://gitlabce.opensharing.priv

Le répondeur OCSP nous signifie que le certificat n'émane pas d'une autorité de certification reconnue, un message d'avertissement est donc émis.

Cliquer sur Avancé puis Ajouter une exception...

Il suffit ensuite de Confirmer l'exception de sécurité.

La connexion est maintenant sécurisée :

 

Références