gitlab 使用

安装

https://docs.gitlab.com/ee/install/docker.html

volume目录

mkdir  -p  /mnt/oss/gitlab/{config,logs,data}

docker-compose.yml

docker-compose.yml
version: '3.6'
services:
  web:
    image: 'gitlab/gitlab-ce:16.6.2-ce.0'
    restart: always
    container_name: gitlab
    # hostname: 'gitlab-ce' #hostname标签是设置容器的主机名
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.ui.k8s.cn:18443'
        letsencrypt['enable'] = false
        gitlab_rails['gitlab_ssh_host'] = 'gitlab.ui.k8s.cn'
        gitlab_rails['gitlab_shell_ssh_port'] = 2224
        gitlab_rails['gravatar_enabled'] = true
        #### For HTTPS
        gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon"
        #### Use this line instead for HTTP
        # gitlab_rails['gravatar_plain_url'] = "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon"


        #gitlab_rails['initial_root_password'] = 'c123456;'


        #复制crt证书到挂载目录
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.ui.k8s.cn.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.ui.k8s.cn.key"


        #配置http自动跳转到https协议的地址;
        nginx['redirect_http_to_https'] = true


        nginx['enable'] = true
        nginx['client_max_body_size'] = '250m'
         #配置监听容器内的443端口,注意不是外面主机的443端口
        nginx['listen_port'] = 443


        nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
        nginx['logrotate_frequency'] = "weekly"
        nginx['logrotate_rotate'] = 52
        nginx['logrotate_compress'] = "compress"
        nginx['logrotate_method'] = "copytruncate"
        nginx['logrotate_delaycompress'] = "delaycompress"


        nginx['proxy_set_headers'] = {
           "X-Forwarded-Proto" => "https",
           "X-Forwarded-Ssl" => "on",
        }


        nginx['custom_error_pages'] = {
           '404' => {
           'title' => 'Example title',
           'header' => 'Example header',
           'message' => 'Example message'
           }
        }


        # gitlab_rails['smtp_enable'] = true
        # gitlab_rails['smtp_address'] = "smtp.example.com"
        # gitlab_rails['smtp_port'] = 587
        # gitlab_rails['smtp_user_name'] = "no-reply@example.com"
        # gitlab_rails['smtp_password'] = "changeMeToSomethingGood"
        # gitlab_rails['smtp_domain'] = "example.com"
        # gitlab_rails['smtp_authentication'] = "login"
        # gitlab_rails['smtp_enable_starttls_auto'] = true
    ports:
      - '8980:80'
      - '18443:443'
      - '2224:22'
    volumes:
      - '/mnt/oss/gitlab/config:/etc/gitlab'
      - '/mnt/oss/gitlab/logs:/var/log/gitlab'
      - '/mnt/oss/gitlab/data:/var/opt/gitlab'
      - '/mnt/oss/gitlab/certs:/etc/gitlab/ssl'
    shm_size: '256m'


  gitlab-runner:
    image: 'gitlab/gitlab-runner:v16.9.0'
    restart: unless-stopped
    container_name: 'gitlab-runner'
    depends_on:
      - web
    privileged: true
    extra_hosts:
    - "gitlab.ui.k8s.cn:192.168.122.1" # 添加主机名
    volumes:
      - /mnt/oss/gitlab/runner/config:/etc/gitlab-runner
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/oss/gitlab/certs/gitlab.ui.k8s.cn.crt:/home/gitlab-runner/gitlab.ui.k8s.cn.crt  
 

修改密码

https://docs.gitlab.com/ee/security/reset_user_password.html

❯ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5c93a696c65e gitlab/gitlab-ce:16.6.2-ce.0 “/assets/wrapper” 7 minutes ago Up 7 minutes (healthy) 443/tcp, 0.0.0.0:2224->22/tcp, :::2224->22/tcp, 0.0.0.0:8929->80/tcp, :::8929->80/tcp gitlab-web-1
❯ docker exec -it 5c93 gitlab-rails console
-——————————————————————————-
Ruby: ruby 3.0.6p216 (2023-03-30 revision 23a532679b) [x86_64-linux]
GitLab: 16.6.2 (d2d66de7163) FOSS
GitLab Shell: 14.30.0
PostgreSQL: 13.12
-———————————————————–[ booted in 25.71s ]
Loading production environment (Rails 7.0.8)
irb(main):001:0> user = User.where(id:1).first
=> #<User id:1 @root>
irb(main):002:0> user.password=’cs123456’
=> “cs123456”
irb(main):003:0> user.save!
=> true
irb(main):004:0> exit

头像

https://docs.gitlab.com/ee/administration/libravatar.html

https://blog.csdn.net/qq_28550263/article/details/129100636

用户

ssh

ssh-keygen -t rsa -C "cs@test.com" -f ~/.ssh/id_rsa_personal

ssh-add ~/.ssh/id_rsa_personal

密码

initial_root_password

$ docker exec -it `docker ps | grep gitlab | awk '{print $1}'` gitlab-rails console -e production
  irb> user = User.where(id: 1).first
  irb> user.password = 'new_password'
  irb> user.password_confirmation = 'new_password'
  irb> user.save!

CICD

.gitlab-ci.yml https://docs.gitlab.com/ee/ci/examples/

gitlab-ci.yml

#只在特定分支或标签上运行job
only:
    - master  #branches 
    - v1.27.16 #tags
    
   #只在特定文件或目录更改时运行job 
    only:
    changes:
      - "app/**/*"
      - "tests/**/*"  
      
      
      #只在推送到特定的Kubernetes环境时运行job
    only:
        - kubernetes: production  #kubernetes在production环境

runner

❯ docker exec -it gitlab-runner bash

root@12687d11d44d:/# ls -l /home/gitlab-runner/gitlab.ui.k8s.cn.crt
-rw-r–r– 1 root root 1476 Feb 12 06:27 /home/gitlab-runner/gitlab.ui.k8s.cn.crt
root@12687d11d44d:/# gitlab-runner register --url https://gitlab.ui.k8s.cn:18443 \
--token glrt-sxEp2iazjXgPkXNCKMA7 \
--tls-ca-file=/home/gitlab-runner/gitlab.ui.k8s.cn.crt
Runtime platform arch=amd64 os=linux pid=27 revision=656c1943 version=16.9.0
Running in system-mode.

Enter the GitLab instance URL (for example, https://gitlab.com/):
[https://gitlab.ui.k8s.cn:18443]\: 上面url指定直接回车
Verifying runner… is valid runner=sxEp2iazj
Enter a name for the runner. This is stored only in the local config.toml file:

[12687d11d44d]: test_dev 配置文件runner的name
Enter an executor: custom, shell, parallels, docker+machine, kubernetes, docker-autoscaler, instance, ssh, virtualbox, docker, docker-windows:
docker
Enter the default Docker image (for example, ruby:2.7):
python:3.10
Runner registered successfully. Feel free to start it, but if it’s running already the config should be automatically reloaded!

Configuration (with the authentication token) was saved in “/etc/gitlab-runner/config.toml”

配置

[runners.docker]

https://docs.gitlab.cn/runner/configuration/advanced-configuration.html#runnersdocker-%E9%83%A8%E5%88%86

自定义构建目录

https://docs.gitlab.cn/runner/configuration/advanced-configuration.html#runnerscustom_build_dir-%E9%83%A8%E5%88%86

stages:
  - build
 
build_job:
  stage: build
  script:
    - echo "Building the project"
  variables:
    GIT_CLONE_PATH: "$CI_BUILDS_DIR/$CI_PROJECT_PATH_SLUG"

cache

[runners.cache]
   # 激活缓存的类型为：s3
   Type = "s3"
   # 是否共享缓存
   # 如果不共享，则会根据 [[runners]] 中的 token 前 8 位创建文件夹，每个 [[runners]] 缓存仅自己能使用
   Shared = false
   [runners.cache.s3]
       # 缓存服务器的地址+端口
     ServerAddress = "192.168.80.14:9000"
     # Access Keys 账户凭证
           AccessKey = "hCfpQlQuEXtBYEAw"
     SecretKey = "kHH5RwzCRiRUtujKlNRZZZFpuANm6Yr1"
       # 创建的 Buckets 名称
     BucketName = "bucket-1"
       # 设置为 true 代表不使用 https
     Insecure = true

示例

docker

docker-compose.yml

docker-compose.yml
version: '3.6'
services:
  web:
    image: 'gitlab/gitlab-ce:16.6.2-ce.0'
    restart: always
    container_name: gitlab
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.ui.k8s.cn:18443'
        letsencrypt['enable'] = false
        gitlab_rails['gitlab_ssh_host'] = 'gitlab.ui.k8s.cn'
        gitlab_rails['gitlab_shell_ssh_port'] = 2224
        gitlab_rails['gravatar_enabled'] = true
        #### For HTTPS
        gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon"
        #### Use this line instead for HTTP
        # gitlab_rails['gravatar_plain_url'] = "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon"


        #gitlab_rails['initial_root_password'] = 'c123456;'


        #复制crt证书到挂载目录
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.ui.k8s.cn.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.ui.k8s.cn.key"


        #配置http自动跳转到https协议的地址;
        nginx['redirect_http_to_https'] = true


        nginx['enable'] = true
        nginx['client_max_body_size'] = '250m'
         #配置监听容器内的443端口,注意不是外面主机的443端口
        nginx['listen_port'] = 443


        nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
        nginx['logrotate_frequency'] = "weekly"
        nginx['logrotate_rotate'] = 52
        nginx['logrotate_compress'] = "compress"
        nginx['logrotate_method'] = "copytruncate"
        nginx['logrotate_delaycompress'] = "delaycompress"


        nginx['proxy_set_headers'] = {
           "X-Forwarded-Proto" => "https",
           "X-Forwarded-Ssl" => "on",
        }


        nginx['custom_error_pages'] = {
           '404' => {
           'title' => 'Example title',
           'header' => 'Example header',
           'message' => 'Example message'
           }
        }


        # gitlab_rails['smtp_enable'] = true
        # gitlab_rails['smtp_address'] = "smtp.example.com"
        # gitlab_rails['smtp_port'] = 587
        # gitlab_rails['smtp_user_name'] = "no-reply@example.com"
        # gitlab_rails['smtp_password'] = "changeMeToSomethingGood"
        # gitlab_rails['smtp_domain'] = "example.com"
        # gitlab_rails['smtp_authentication'] = "login"
        # gitlab_rails['smtp_enable_starttls_auto'] = true
    ports:
      - '8980:80'
      - '18443:443'
      - '2224:22'
    volumes:
      - '/mnt/oss/gitlab/config:/etc/gitlab'
      - '/mnt/oss/gitlab/logs:/var/log/gitlab'
      - '/mnt/oss/gitlab/data:/var/opt/gitlab'
      - '/mnt/oss/gitlab/certs:/etc/gitlab/ssl'
    shm_size: '256m'
    networks:
      - gitlab-network


  gitlab-runner:
    image: 'gitlab/gitlab-runner:v16.9.0'
    restart: unless-stopped
    container_name: 'gitlab-runner'
    depends_on:
      - web
    privileged: true
    extra_hosts:
    - "gitlab.ui.k8s.cn:192.168.122.1" # 添加主机名
    - "k8s.org:192.168.122.1" # 添加主机名
    volumes:
      - /mnt/oss/gitlab/runner/config:/etc/gitlab-runner
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/oss/gitlab/certs/gitlab.ui.k8s.cn.crt:/home/gitlab-runner/gitlab.ui.k8s.cn.crt
    networks:
      - gitlab-network
networks:
  gitlab-network:
    driver: bridge  

gitlab-runner config.toml

config.toml
[[runners]]
  name = "test_dev"
  url = "https://gitlab.ui.k8s.cn:18443"
  id = 4
  token = "glrt-sxEp2iazjXgPkXNCKMA7"
  token_obtained_at = 2024-02-22T11:29:02Z
  token_expires_at = 0001-01-01T00:00:00Z
  tls-ca-file = "/home/gitlab-runner/gitlab.ui.k8s.cn.crt"
  executor = "docker"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.docker]
    extra_hosts = ["gitlab.ui.k8s.cn:192.168.122.1"]
    tls_verify = false
    image = "k8s.org/cs/docker:20.10.16"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache","/home/cs/.docker/config.json:/root/.docker/config.json:ro"]
    shm_size = 0
    pull_policy = "if-not-present"
  [[runners.docker.services]]
      name = "k8s.org/cs/python:3.10.2"  

Dockerfile

Dockerfile
FROM k8s.org/cs/python:3.10.2
#自定义描述
MAINTAINER cs
# 环境变量设置时区 与本地时区一致
ENV TZ=Asia/Shanghai
#创建容器目录
RUN mkdir -p /opt/test
#将本地包打入容器
ADD . /opt/test
#环境
RUN pip install -r /opt/test/requirements.txt  -i https://mirrors.aliyun.com/pypi/simple/
#绑定端口
EXPOSE 5000
#启动
CMD ["python","/opt/test/hello.py"]
  

.gitlab_ci.yml

gitlab_ci.yml
default: # 定义了一个默认的参数,如果 job 里没有 参数，就使用这个
  # only:
  #   - main
  #   - /^issue-.*$/
  #   - merge_requests
  tags:  #指定流水线使用哪个runner去运行，只能定义到一个具体的项目，tags的取值范围是该项目可见的runner
    - dev
  # services:
  #   - name: k8s.org/cs/docker:20.10.16
  before_script:
    - echo "before......"
    - docker  info
  after_script:
    - echo "end ....."






stages:          # List of stages for jobs, and their order of execution
  - build
build-job:       # This job runs in the build stage, which runs first.
  stage: build
  only: #限定某些分支或者某些tag
    changes:
      - README
  except:
    refs:
      - main  
  script:
    - echo "build the code..."
    - pwd
    - ls -l
    - docker build  -t k8s.org/cs/test:0.0.1 .
    - docker push  k8s.org/cs/test:0.0.1
  

shell

https://docs.gitlab.cn/runner/executors/shell.html

scp 推送

异常

CI/CD 500

❯ sudo cat   /mnt/oss/gitlab/logs/gitlab-rails/production.log | grep -C 5 -m1 'aes256_gcm_decrypt'
    10:       #js-project-runner-registration-dropdown{ data: { registration_token: @project.runners_token, project_id: @project.id } }
    11:   - else
    12:     = _('Please contact an admin to create runners.')
    13:     = link_to _('Learn more.'), help_page_path('administration/settings/continuous_integration', anchor: 'restrict-runner-registration-by-all-users-in-an-instance'), target: '_blank', rel: 'noopener noreferrer'
  
lib/gitlab/crypto_helper.rb:28:in `aes256_gcm_decrypt'
app/models/concerns/token_authenticatable_strategies/encryption_helper.rb:16:in `decrypt_token'
app/models/concerns/token_authenticatable_strategies/encrypted.rb:78:in `get_encrypted_token'
app/models/concerns/token_authenticatable_strategies/encrypted.rb:113:in `token_set?'
app/models/concerns/token_authenticatable_strategies/base.rb:50:in `ensure_token!'
app/models/concerns/token_authenticatable.rb:54:in `block in add_authentication_token_field'

关键字 aes256_gcm_decrypt 清空/mnt/oss/gitlab/config/gitlab-secrets.json导致

grep -C 5 -m1

A/B/C 匹配后/匹配前/匹配前后 接行数

m1 匹配一次就停止

docker job

repository拉取超时

Failed to connect to xxxxxx after 129591 ms: Couldn’t connect to server

#config.toml

[runners.docker]
#network_mode = “bridge”
extra_hosts = [“gitlab.ui.k8s.cn:192.168.122.1”]

push unauthorized

harbor可以pull ，是因为仓库设置了anonymous 可以pull

printf "my_username:my_password" | openssl base64 -A
Y3M6Q3MxMjM0NTY=

修改 runner 的 config.toml

https://docs.gitlab.cn/jh/ci/docker/using_docker_images.html#%E9%85%8D%E7%BD%AE-runner

[[runners]]
  environment = ["DOCKER_AUTH_CONFIG={\"auths\":{\"ip:prot\":{\"auth\":\"Y3M6Q3MxMjM0NTY=\"}}}"]
  
  before_script:
  - mkdir -p $HOME/.docker
  - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json

或 https://docs.gitlab.cn/jh/ci/docker/using_docker_build.html#%E9%80%89%E9%A1%B9-3%E4%BD%BF%E7%94%A8-docker_auth_config

 [runners.docker]
volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache","/home/cs/.docker/config.json:/root/.docker/config.json:ro"]

使用该方式.gitlab-ci.yml无需其他处理