GitLab Community Edition is a free collaborative development management system (or forge) released under the MIT license, created in 2011 and produced by GitLab Inc.
GitLab Enterprise Edition is its proprietary version with extended features.
Open source alternatives to GitLab CE:
Objective
The objective of this article is to install and configure a self-hosted GitLab CE server, version 10.7.3, on a 64-bit Debian Stretch 9.4 Linux distribution.
Logical diagram

Prerequisites
1. Prerequisites before starting
- A working Debian Jessie 9.4 64-bit server (basic installation with the usual system utilities and the SSH service)
- Additional base packages: resolvconf, tree, dnsutils
- Domain used: opensharing.priv
2. Initial network configuration
GitLabCE server | |
FQDN | gitlabce-test.opensharing.priv |
IP address | 192.168.1.36 |
Network | 192.168.1.0/24 |
Gateway | 192.168.1.1 |
dns-nameservers | 192.168.1.11 192.168.1.12 |
dns-search | opensharing.priv |
Initial contents of the /etc/network/interfaces file:
auto lo
iface lo inet loopback

allow-hotplug enp0s3
iface enp0s3 inet static
    address 192.168.1.36
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    dns-search opensharing.priv
    dns-nameservers 192.168.1.11 192.168.1.12
Initial contents of the /etc/hosts file:
127.0.0.1 localhost.localdomain localhost
192.168.1.36 gitlabce-test.opensharing.priv gitlabce-test
192.168.1.36 gitlabce.opensharing.priv gitlabce
Note: On a server with a static IP, the 127.0.1.1 address must be removed and replaced with the static IP, as in the example above.
Initial contents of the /etc/host.conf file:
order hosts, bind
multi on
Initial contents of the /etc/resolv.conf file:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.11
nameserver 192.168.1.12
search opensharing.priv
Note:
The /etc/resolv.conf file must not be edited once the resolvconf package has been installed.
To apply changes made to the network configuration files, restart the networking service:
# systemctl restart networking
# ifup enp0s3
Optional: create a global alias standing in for the ifconfig command, which is no longer present in Debian Stretch
# nano /etc/bash.bashrc
alias ifconfig='ip addr'
# source /etc/bash.bashrc
Implementation
1. Installing the prerequisite packages
# apt-get install curl openssh-server ca-certificates
# apt-get install postfix
Choose Internet Site as the mail server type.
Then enter the server's FQDN.
2. Installing the GitLab CE repository
# curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5933 0 5933 0 0 3329 0 --:--:-- 0:00:01 --:--:-- 3331
Detected operating system as debian/stretch.
Checking for curl...
Detected curl...
Checking for gpg...
Detected gpg...
Running apt-get update... done.
Installing debian-archive-keyring which is needed for installing
apt-transport-https on many Debian systems.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/gitlab_gitlab-ce.list...done.
Importing packagecloud gpg key... done.
Running apt-get update... done.
The repository is setup! You can now install packages.
3. Installing GitLab CE from the new repository
# EXTERNAL_URL="http://gitlabce.opensharing.priv" apt-get install gitlab-ce
.............................................................
Installation may take several minutes (lines omitted)
.............................................................
*. *.
*** ***
***** *****
.****** *******
******** ********
,,,,,,,,,***********,,,,,,,,,
,,,,,,,,,,,*********,,,,,,,,,,,
.,,,,,,,,,,,*******,,,,,,,,,,,,
,,,,,,,,,*****,,,,,,,,,.
,,,,,,,****,,,,,,
.,,,***,,,,
,*,.
_______ __ __ __
/ ____(_) /_/ / ____ _/ /_
/ / __/ / __/ / / __ `/ __ \
/ /_/ / / /_/ /___/ /_/ / /_/ /
\____/_/\__/_____/\__,_/_.___/
Thank you for installing GitLab!
GitLab should be available at http://gitlabce.opensharing.priv
The following components, among others, were installed:
- Python
- Nginx
- Redis
- PostgreSQL
- Postfix
- Ruby
- Prometheus
4. First login after installation
http://gitlabce.opensharing.priv
The authentication window is displayed.
Choose a password, then click Change your password.
Then log in with the root username and the newly set password.
The Dashboard then appears.
Going further
1. Contents of the Nginx configuration file
# cat /var/opt/gitlab/nginx/conf/gitlab-http.conf
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab
## Modified from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl
## & https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab
##
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
##################################
## CHUNKED TRANSFER ##
##################################
##
## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
## around this by tweaking this configuration file and either:
## - installing an old version of Nginx with the chunkin module [2] compiled in, or
## - using a newer version of Nginx.
##
## At the time of writing we do not know if either of these theoretical solutions works.
## As a workaround users can use Git over SSH to push large files.
##
## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
## [1] https://github.com/agentzh/chunkin-nginx-module#status
## [2] https://github.com/agentzh/chunkin-nginx-module
##
###################################
## configuration ##
###################################

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}

server {
  listen *:80;

  server_name gitlabce.opensharing.priv;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 0;

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html

  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  add_header Strict-Transport-Security "max-age=31536000";

  ## Individual nginx logs for this GitLab vhost
  access_log /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log /var/log/gitlab/nginx/gitlab_error.log;

  if ($http_host = "") {
    set $http_host_with_default "gitlabce.opensharing.priv";
  }

  if ($http_host != "") {
    set $http_host_with_default $http_host;
  }

  ## If you use HTTPS make sure you disable gzip compression
  ## to be safe against BREACH attack.

  ## https://github.com/gitlabhq/gitlabhq/issues/694
  ## Some requests take more than 30 seconds.
  proxy_read_timeout 3600;
  proxy_connect_timeout 300;
  proxy_redirect off;
  proxy_http_version 1.1;

  proxy_set_header Host $http_host_with_default;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_set_header X-Forwarded-Proto http;

  location ~ (\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$) {
    proxy_cache off;
    proxy_pass http://gitlab-workhorse;
    proxy_request_buffering off;
  }

  location / {
    proxy_cache off;
    proxy_pass http://gitlab-workhorse;
  }

  location /assets {
    proxy_cache gitlab;
    proxy_pass http://gitlab-workhorse;
  }

  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)(-custom)?\.html$ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    internal;
  }
}
2. Configuring HTTPS for Nginx
# nano /etc/gitlab/gitlab.rb
## GitLab URL
##! URL on which GitLab will be reachable.
##! For more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
external_url 'https://gitlabce.opensharing.priv'
Generating the private key:
# openssl genrsa -out /etc/ssl/private/gitlabce.opensharing.priv.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
.......................++++++
e is 65537 (0x010001)
Creating the certificate signing request from the key:
# openssl req -new -key /etc/ssl/private/gitlabce.opensharing.priv.key -out /etc/ssl/certs/gitlabce.opensharing.priv.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Ile-de-France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenSharing
Organizational Unit Name (eg, section) []:Service Informatique
Common Name (e.g. server FQDN or YOUR name) []:gitlabce.opensharing.priv
Email Address []:admin@opensharing.priv
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Building the certificate:
# openssl x509 -req -days 365 -in /etc/ssl/certs/gitlabce.opensharing.priv.csr -signkey /etc/ssl/private/gitlabce.opensharing.priv.key -out /etc/ssl/certs/gitlabce.opensharing.priv.crt
Signature ok
subject=C = FR, ST = Ile-de-France, L = Paris, O = OpenSharing, OU = Service Informatique, CN = gitlabce.opensharing.priv, emailAddress = admin@opensharing.priv
Getting Private key
# mkdir -p /etc/gitlab/ssl
# chmod 700 /etc/gitlab/ssl
# cp /etc/ssl/private/gitlabce.opensharing.priv.key /etc/ssl/certs/gitlabce.opensharing.priv.crt /etc/gitlab/ssl/
# gitlab-ctl reconfigure
The URL can now be entered using HTTPS:
https://gitlabce.opensharing.priv
The OCSP responder informs us that the certificate was not issued by a recognized certificate authority, so a warning message is displayed.
Click Advanced, then Add Exception...
Then simply click Confirm Security Exception.
The connection is now secured.
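The key and certificate built in the HTTPS procedure above can be audited before GitLab serves them. The script below is an added example, not part of the original article or of GitLab's tooling: it reports an RSA key under 2048 bits (the genrsa command above produces 1024), a certificate with no subjectAltName for the host, and a key that does not match the certificate. All function names are hypothetical, and make_pair assumes OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not from the article: audit a key/certificate pair before it
# goes into /etc/gitlab/ssl/. All function names here are hypothetical.

# Print the size in bits of the public key embedded in certificate $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed if certificate $1 lists host name $2 as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# Succeed if certificate $1 and private key $2 hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print one finding per line; return non-zero if any check fails.
audit_pair() {  # usage: audit_pair CERT KEY HOSTNAME
    rc=0
    bits=$(cert_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "weak-key:${bits:-unknown}"; rc=1; }
    cert_has_san "$1" "$3" || { echo "missing-san:$3"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key-mismatch"; rc=1; }
    return "$rc"
}

# Create a self-signed pair in directory $1 for host $2 that passes the audit:
# 2048-bit RSA key, subjectAltName set, key file readable by its owner only.
make_pair() {  # usage: make_pair DIR HOSTNAME
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null )
}

# Called as: sh audit.sh CERT KEY HOSTNAME
if [ "$#" -eq 3 ]; then
    audit_pair "$1" "$2" "$3" && echo "ok"
fi
```

Run against the pair created in this article, audit_pair prints weak-key:1024 and missing-san:gitlabce.opensharing.priv; a pair from make_pair prints nothing and returns 0.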