Install GitLab on Raspberry Pi.
I will use the previous LXD setup on a Raspberry Pi 4 with the DietPi operating system.
Update operating system
Update package index.
$ sudo apt update
Upgrade operating system.
$ sudo apt upgrade
Additional IP address
I will assign an additional IP address to the Raspberry Pi network interface, as I want to use this dedicated IP address exclusively for the GitLab application.
$ cat /etc/network/interfaces
# Drop-in configs
source interfaces.d/*

# WiFi
allow-hotplug wlan0
iface wlan0 inet static
    address 172.16.1.1
    netmask 255.255.0.0

iface wlan0 inet static
    address 172.16.2.1
    netmask 255.255.0.0
    gateway 172.16.0.1
    wireless-power off
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
Reboot operating system.
$ sudo systemctl reboot
Inspect newly assigned IP address.
$ ip --brief address show wlan0
wlan0 UP 172.16.1.1/16 172.16.2.1/16
Update SSH daemon configuration
DietPi uses Dropbear by default, but it does not work well in this specific use case, so install OpenSSH Server.
We need to use DietPi utilities to perform this operation over SSH.
$ sudo dietpi-software list | grep SSH
ID 0 | =0 | OpenSSH Client: Feature-rich SSH, SFTP and SCP client |
ID 104 | =2 | Dropbear: Lightweight SSH server | | https://dietpi.com/docs/software/ssh/#dropbear
ID 105 | =0 | OpenSSH Server: Feature-rich SSH server with SFTP and SCP support | | https://dietpi.com/docs/software/ssh/#openssh
$ sudo dietpi-software install 105
[ OK ] DietPi-Software | Initialised database
[ OK ] DietPi-Software | Reading database

DietPi-Software
─────────────────────────────────────────────────────
Mode: Automated install

[ OK ] DietPi-Software | Installing OpenSSH Server: Feature-rich SSH server with SFTP and SCP support
[ OK ] DietPi-Software | Free space check: path=/ | available=110718 MiB | required=500 MiB
[ OK ] DietPi-Software | DietPi-Userdata validation: /mnt/dietpi_userdata
[ OK ] DietPi-Software | Checking network connectivity
[ OK ] DietPi-Software | Checking DNS resolver
[ OK ] Network time sync | Completed
[ SUB1 ] DietPi-Services > unmask
[ OK ] DietPi-Services | unmask : haproxy
[ OK ] DietPi-Services | unmask : cron
[ SUB1 ] DietPi-Services > stop
[ OK ] DietPi-Services | stop : cron
[ OK ] DietPi-Services | stop : haproxy
[ OK ] DietPi-Software | mkdir -p /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads /var/www /opt /usr/local/bin
[ OK ] DietPi-Software | chown dietpi:dietpi /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads
[ OK ] DietPi-Software | chmod 0775 /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads
[ INFO ] DietPi-Software | APT update, please wait...
Hit:1 https://archive.raspberrypi.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian bullseye InRelease
Hit:3 https://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://deb.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Hit:5 https://deb.debian.org/debian bullseye-backports InRelease
Fetched 44.1 kB in 3s (16.9 kB/s)
Reading package lists...
[ OK ] DietPi-Software | APT update

DietPi-Software
─────────────────────────────────────────────────────
Step: Checking for prerequisite software

DietPi-Software
─────────────────────────────────────────────────────
Step: Installing OpenSSH Server: Feature-rich SSH server with SFTP and SCP support

[ OK ] DietPi-Software | systemctl stop dropbear
[ INFO ] DietPi-Software | APT install for: openssh-server openssh-client, please wait...
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package ucf.
(Reading database ... 21383 files and directories currently installed.)
Preparing to unpack .../archives/ucf_3.0043_all.deb ...
Moving old data out of the way
Unpacking ucf (3.0043) ...
Selecting previously unselected package libwrap0:arm64.
Preparing to unpack .../libwrap0_7.6.q-31_arm64.deb ...
Unpacking libwrap0:arm64 (7.6.q-31) ...
Selecting previously unselected package openssh-sftp-server.
Preparing to unpack .../openssh-sftp-server_1%3a8.4p1-5_arm64.deb ...
Unpacking openssh-sftp-server (1:8.4p1-5) ...
Selecting previously unselected package runit-helper.
Preparing to unpack .../runit-helper_2.10.3_all.deb ...
Unpacking runit-helper (2.10.3) ...
Selecting previously unselected package openssh-server.
Preparing to unpack .../openssh-server_1%3a8.4p1-5_arm64.deb ...
Unpacking openssh-server (1:8.4p1-5) ...
Setting up runit-helper (2.10.3) ...
Setting up openssh-sftp-server (1:8.4p1-5) ...
Setting up libwrap0:arm64 (7.6.q-31) ...
Setting up ucf (3.0043) ...
Setting up openssh-server (1:8.4p1-5) ...
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:Y8ogYfCSTbdZbr9OkF93dMSfeprSeu5NfRUcMitK6ZU root@DietPi (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:YvRBQ/nt6KzEgezuR+6MDNint9gJvsCzYxfUIaYZcEM root@DietPi (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:NdKVtEyXBQWZ/Dh6YJ5b1mHTH0XHyt3vS48EWfWex4A root@DietPi (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Processing triggers for libc-bin (2.31-13+rpt2+rpi1) ...
[ OK ] DietPi-Software | APT install for: openssh-server openssh-client
[ OK ] DietPi-Software | Comment in /etc/ssh/sshd_config converted to setting: PermitRootLogin yes
[ OK ] DietPi-Software | systemctl enable ssh

DietPi-Software
─────────────────────────────────────────────────────
Step: Uninstalling Dropbear: Lightweight SSH server

[ INFO ] DietPi-Software | APT purge for: dropbear*, please wait...
(Reading database ... 21496 files and directories currently installed.)
Removing dropbear (2020.81-3) ...
Removing dropbear-bin (2020.81-3) ...
Removing libtomcrypt1:arm64 (1.18.2-5) ...
Removing libtommath1:arm64 (1.2.0-6) ...
Processing triggers for libc-bin (2.31-13+rpt2+rpi1) ...
(Reading database ... 21457 files and directories currently installed.)
Purging configuration files for dropbear (2020.81-3) ...
[ OK ] DietPi-Software | APT purge for: dropbear*

DietPi-Software
─────────────────────────────────────────────────────
Step: Finalising uninstall

[ OK ] DietPi-Software | systemctl daemon-reload
[ OK ] DietPi-Software | systemctl unmask dbus
[ OK ] DietPi-Software | systemctl start dbus
[ OK ] DietPi-Software | systemctl unmask systemd-logind
[ OK ] DietPi-Software | systemctl start systemd-logind
2021-11-17 13:39:07 [ INFO ] DietPi-RAMlog | Storing /var/log to /var/tmp/dietpi/logs/dietpi-ramlog_store...
2021-11-17 13:39:07 [ OK ] DietPi-RAMlog | Stored /var/log to /var/tmp/dietpi/logs/dietpi-ramlog_store.
[ SUB1 ] DietPi-Services > dietpi_controlled
[ OK ] DietPi-Services | dietpi_controlled : haproxy
[ OK ] DietPi-Services | dietpi_controlled : cron

DietPi-Software
─────────────────────────────────────────────────────
Step: Install completed

[ OK ] DietPi-Survey | Sending survey data
[ SUB1 ] DietPi-Services > restart
[ OK ] DietPi-Services | restart : haproxy
[ OK ] DietPi-Services | restart : cron
[ INFO ] DietPi-Software | Starting installed services, not controlled by DietPi-Services
[ OK ] DietPi-Software | systemctl start ssh
Ensure that it will listen on a single IP address.
$ sudo sed -i -e "s/#ListenAddress 0.0.0.0/ListenAddress 172.16.1.1/" /etc/ssh/sshd_config
Restart SSH service.
$ sudo systemctl restart sshd
Ensure that it is listening on a single IP address.
$ sudo ss -tlpn
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      32     10.114.53.1:53     0.0.0.0:*         users:(("dnsmasq",pid=1677,fd=7))
LISTEN 0      128    172.16.1.1:22      0.0.0.0:*         users:(("sshd",pid=633,fd=3))
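The same check as a script, as an added example that is not part of the original post: it compares `ss` listeners against an allowlist and labels wildcard binds, which is what an unedited `#ListenAddress 0.0.0.0` line leaves behind. The "before" sample is constructed, and the function name is illustrative.

```shell
#!/bin/sh
# Added example: audit TCP listeners against an explicit allowlist.

# Output shown in the post after sshd was bound to 172.16.1.1.
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      32     10.114.53.1:53     0.0.0.0:*         users:(("dnsmasq",pid=1677,fd=7))
LISTEN 0      128    172.16.1.1:22      0.0.0.0:*         users:(("sshd",pid=633,fd=3))'

# Constructed sample: sshd without a ListenAddress binds every address.
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      32     10.114.53.1:53     0.0.0.0:*         users:(("dnsmasq",pid=1677,fd=7))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=633,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=633,fd=4))'

# unexpected_listeners ADDR:PORT...
# Reads `ss -tln` or `ss -tlpn` output on stdin, prints one line per listener
# that is not on the allowlist ("wildcard" or "unexpected" plus the endpoint),
# and returns 1 if anything was printed.
unexpected_listeners() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) ok[list[i]] = 1
        }
        $1 == "LISTEN" {
            endpoint = $4                  # "Local Address:Port" column
            if (endpoint in ok) next
            addr = endpoint
            sub(/:[^:]*$/, "", addr)       # strip the trailing :port
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                kind = "wildcard"
            else
                kind = "unexpected"
            print kind, endpoint
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample; on a live host pipe in `ss -tln` instead.
printf '%s\n' "$SAMPLE_BEFORE" \
    | unexpected_listeners 10.114.53.1:53 172.16.1.1:22 \
    || echo "listeners outside the allowlist were found"
```
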
Create LXD instance
I am using a Raspberry Pi 4 with the DietPi operating system, aarch64 architecture.
$ uname -a
Linux DietPi 5.10.63-v8+ #1459 SMP PREEMPT Wed Oct 6 16:42:49 BST 2021 aarch64 GNU/Linux
Search for Ubuntu 20.04.3 LTS (Focal Fossa) image.
$ sudo -i lxc image list images: architecture=arm64 os=Ubuntu release=focal
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|            ALIAS            | FINGERPRINT  | PUBLIC |             DESCRIPTION             | ARCHITECTURE |      TYPE       |   SIZE   |          UPLOAD DATE          |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal (7 more)       | 4d05260235b7 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 97.76MB  | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal (7 more)       | 7664234ba371 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | VIRTUAL-MACHINE | 239.38MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal/cloud (3 more) | b34bd4e8a06c | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | VIRTUAL-MACHINE | 262.69MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal/cloud (3 more) | fbea3bbeffa9 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 112.38MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 0e6724185d46 | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 101.32MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 1ef2f2f42455 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | VIRTUAL-MACHINE | 239.31MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 01e2c1616e4a | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | VIRTUAL-MACHINE | 239.31MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 4cc95e7aecd7 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 112.38MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 8b17689d7ff1 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | VIRTUAL-MACHINE | 262.38MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 9bbf2a08a5fb | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 97.76MB  | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 44df16720440 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 88.65MB  | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 47c2afda0b28 | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 88.73MB  | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 48ce6843b5c4 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 100.71MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 04288b617a5b | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | VIRTUAL-MACHINE | 262.56MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 7141a7f194ce | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 101.64MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 12151b6307fb | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 112.37MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | c5a43ce69ea8 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 89.29MB  | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | d5473410cfe5 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 97.76MB  | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
Inspect image.
$ sudo -i lxc image info images:ubuntu/focal
Fingerprint: 4d05260235b770941e1b4eb59cf039810d3cd651a4425a5451cb5b45328bd2ae
Size: 97.76MB
Architecture: aarch64
Type: container
Public: yes
Timestamps:
    Created: 2021/11/14 00:00 UTC
    Uploaded: 2021/11/14 00:00 UTC
    Expires: never
    Last used: never
Properties:
    os: Ubuntu
    release: focal
    architecture: arm64
    description: Ubuntu focal arm64 (20211114_08:44)
    variant: default
    serial: 20211114_08:44
    type: squashfs
Aliases:
    - ubuntu/focal/default
    - ubuntu/focal/default/arm64
    - ubuntu/20.04/default
    - ubuntu/20.04/default/arm64
    - ubuntu/focal
    - ubuntu/focal/arm64
    - ubuntu/20.04
    - ubuntu/20.04/arm64
Cached: no
Auto update: disabled
Profiles: []
Copy this image.
$ sudo -i lxc image copy images:ubuntu/focal/arm64 local:
Image copied successfully!
Create an alias.
$ sudo -i lxc image alias create local:ubuntu/focal 4d05260235b7
Display local images.
$ sudo -i lxc image list
+--------------+--------------+--------+--------------------------------------+--------------+-----------+---------+------------------------------+
|    ALIAS     | FINGERPRINT  | PUBLIC |             DESCRIPTION              | ARCHITECTURE |   TYPE    |  SIZE   |         UPLOAD DATE          |
+--------------+--------------+--------+--------------------------------------+--------------+-----------+---------+------------------------------+
| ubuntu/focal | 4d05260235b7 | no     | Ubuntu focal arm64 (20211114_08:44)  | aarch64      | CONTAINER | 97.76MB | Nov 14, 2021 at 4:26pm (UTC) |
+--------------+--------------+--------+--------------------------------------+--------------+-----------+---------+------------------------------+
Create gitlab instance.
$ sudo -i lxc launch local:ubuntu/focal gitlab
Creating gitlab
Starting gitlab
Do not use a temporary filesystem for the /var/log directory, as this directory will be used by an application.
Install GitLab application
Enter gitlab instance.
$ sudo -i lxc exec gitlab bash
root@gitlab:~#
Add a host entry to use local applications like Grafana.
root@gitlab:~# echo "127.0.0.1 git.octocat.lab" | tee -a /etc/hosts
Install packages required to add an official repository.
root@gitlab:~# apt install gnupg apt-transport-https curl
Add a repository key.
root@gitlab:~# curl -L https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey | apt-key add -
Add Enterprise Edition repository (use ce instead of ee for Community Edition).
root@gitlab:~# cat << EOF | tee /etc/apt/sources.list.d/gitlab.list
deb https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu/ focal main
deb-src https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu/ focal main
EOF
Update package index.
root@gitlab:~# apt update
Check if the package is available.
root@gitlab:~# apt search gitlab-ee
Sorting... Done
Full Text Search... Done
gitlab-ee/focal 14.4.2-ee.0 arm64
  GitLab Enterprise Edition (including NGINX, Postgres, Redis)
Display package info.
root@gitlab:~# apt info gitlab-ee
Package: gitlab-ee
Version: 14.4.2-ee.0
Priority: extra
Section: misc
Maintainer: GitLab, Inc. <support@gitlab.com>
Installed-Size: 3255 MB
Depends: openssh-server, libatomic1
Conflicts: gitlab-ce, gitlab
Replaces: gitlab-ce, gitlab
Homepage: https://about.gitlab.com/
Download-Size: 1010 MB
APT-Sources: https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu focal/main arm64 Packages
Description: GitLab Enterprise Edition (including NGINX, Postgres, Redis)

N: There are 115 additional records. Please use the '-a' switch to see them.
Install GitLab Enterprise Edition. Provide the external address, but use the HTTP protocol, as HTTPS will try to obtain a Let's Encrypt certificate.
root@gitlab:~# EXTERNAL_URL="http://git.octocat.lab" apt-get install gitlab-ee
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libatomic1 libwrap0 ncurses-term openssh-server openssh-sftp-server python3-certifi python3-chardet python3-distro python3-idna python3-requests python3-urllib3 ssh-import-id wget
Suggested packages:
  molly-guard monkeysphere ssh-askpass ufw python3-cryptography python3-openssl python3-socks
The following NEW packages will be installed:
  gitlab-ee libatomic1 libwrap0 ncurses-term openssh-server openssh-sftp-server python3-certifi python3-chardet python3-distro python3-idna python3-requests python3-urllib3 ssh-import-id wget
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 1011 MB of archives.
After this operation, 3264 MB of additional disk space will be used.
Do you want to continue? [Y/n]
[...]
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:DEOMazhntQXBelo92vNKVwbke8Ge/skBb94fk8nSQ48 root@smiling-monster (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:lACn2vLueZr/6Z8mL9YJD1HazDPwOMokgV1kq4En0LI root@smiling-monster (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:K0Pq5i92fWyg2fk+39ajF3UbutUJyHvMAEoc5mS9v1M root@smiling-monster (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Setting up python3-requests (2.22.0-2ubuntu1) ...
Setting up gitlab-ee (14.4.2-ee.0) ...
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["gitlab-ee"]
Synchronizing Cookbooks:
  - gitlab-ee (0.0.1)
  - package (0.1.0)
  - gitlab (0.0.1)
  - consul (0.1.0)
  - patroni (0.1.0)
  - pgbouncer (0.1.0)
  - runit (5.1.3)
  - logrotate (0.1.0)
  - postgresql (0.1.0)
  - redis (0.1.0)
  - monitoring (0.1.0)
  - registry (0.1.0)
  - mattermost (0.1.0)
  - gitaly (0.1.0)
  - praefect (0.1.0)
  - gitlab-kas (0.1.0)
  - gitlab-pages (0.1.0)
  - letsencrypt (0.1.0)
  - nginx (0.1.0)
  - acme (4.1.3)
  - crond (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[...]
Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn't opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.

NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Running handlers complete
Chef Infra Client failed. 441 resources updated in 06 minutes 39 seconds

Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn't opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.

NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

gitlab Reconfigured!

       *.                  *.
      ***                 ***
     *****               *****
    .******             *******
    ********            ********
   ,,,,,,,,,***********,,,,,,,,,
  ,,,,,,,,,,,*********,,,,,,,,,,,
  .,,,,,,,,,,,*******,,,,,,,,,,,,
      ,,,,,,,,,*****,,,,,,,,,.
         ,,,,,,,****,,,,,,
            .,,,***,,,,
                ,*,.

     _______ __  __          __
    / ____(_) /_/ /   ____ _/ /_
   / / __/ / __/ /   / __ `/ __ \
  / /_/ / / /_/ /___/ /_/ / /_/ /
  \____/_/\__/_____/\__,_/_.___/

Thank you for installing GitLab!
GitLab should be available at http://git.octocat.lab

For a comprehensive list of configuration options please see the Omnibus GitLab readme
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md

Help us improve the installation experience, let us know how we did with a 1 minute survey:
https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=omnibus&release=14-4

Setting up ssh-import-id (5.10-0ubuntu1) ...
Attempting to convert /etc/ssh/ssh_import_id
Processing triggers for systemd (245.4-4ubuntu3.13) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Inspect the initial password for the root user.
root@gitlab:~# cat /etc/gitlab/initial_root_password
# WARNING: This value is valid only in the following conditions
# 1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the first time (usually, the first reconfigure run).
# 2. Password hasn't been changed manually, either via UI or via command line.
#
# If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Password: NCTlbpxN2yE5amSdfx7bzzlEn8KIZzdo0V+9mYbeVYY=

# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.
Update firewall configuration
Display container information to determine IP address.
$ sudo -i lxc list
+--------+---------+---------------------+------+-----------+-----------+
|  NAME  |  STATE  |        IPV4         | IPV6 |   TYPE    | SNAPSHOTS |
+--------+---------+---------------------+------+-----------+-----------+
| gitlab | RUNNING | 10.114.53.10 (eth0) |      | CONTAINER | 0         |
+--------+---------+---------------------+------+-----------+-----------+
Add the https service to the public zone.
$ sudo firewall-cmd --add-service=https --zone=public
success
Add a rich language rule to forward SSH port on a dedicated IP address to this container.
$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="172.16.2.1" forward-port port="22" protocol="tcp" to-port="22" to-addr="10.114.53.10"'
success
Display current firewall configuration.
$ sudo firewall-cmd --get-active-zones
public
  interfaces: eth0 wlan0
trusted
  interfaces: lxdbr0
$ sudo firewall-cmd --list-services --zone=public
https ssh
$ sudo firewall-cmd --list-rich-rules --zone=public
rule family="ipv4" destination address="172.16.2.1" forward-port port="22" protocol="tcp" to-port="22" to-addr="10.114.53.10"
Make this configuration permanent.
$ sudo firewall-cmd --runtime-to-permanent
success
Install and configure load balancer
Update GitLab configuration to whitelist access to monitoring endpoints.
root@gitlab:~# vim /etc/gitlab/gitlab.rb
[...]
### Monitoring settings
###! IP whitelist controlling access to monitoring endpoints
gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128', '10.114.53.1']
[...]
Update GitLab configuration.
root@gitlab:~# gitlab-ctl reconfigure
Install HAProxy, a fast and reliable load-balancing reverse proxy.
$ sudo apt install haproxy
Generate self-signed wildcard certificate.
$ sudo openssl req -subj "/commonName=*.octocat.lab/" -x509 -nodes -days 365 -newkey rsa:2048 -keyout - -out - | sudo tee /etc/ssl/certs/octocat.pem
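The command above writes the private key and the certificate into one file under /etc/ssl/certs, and tee creates that file with the caller's umask, so with a umask of 022 it ends up mode 0644. An added example, not from the original post, that detects a key-bearing PEM readable beyond its owner and restricts it; the function names are illustrative and the test data is constructed.

```shell
#!/bin/sh
# Added example: find PEM bundles whose private key is readable by group or
# others, and restrict them to the owner.

# Returns 0 if FILE contains a PEM private key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
has_private_key() {
    grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# Returns 0 if FILE has the group-read or other-read bit set.
# Parses the mode string from `ls -ld` (for example "-rw-r--r--"),
# where character 5 is group read and character 8 is other read.
group_or_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 ("exposed") only when both conditions hold.
pem_key_exposed() {
    has_private_key "$1" && group_or_world_readable "$1"
}

# Restrict FILE to its owner. HAProxy started as root reads the bundle
# before it switches to the unprivileged user from the "user" directive,
# so a root-owned 0600 file remains usable.
lock_down_pem() {
    chmod 600 "$1"
}

# Stand-alone use: sh check-pem.sh /etc/ssl/certs/octocat.pem
if [ -n "${1:-}" ]; then
    if pem_key_exposed "$1"; then
        echo "EXPOSED: $1 holds a private key and is readable beyond its owner"
    else
        echo "ok: $1"
    fi
fi
```
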
Update HAProxy configuration.
$ cat /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

resolvers local_resolvers
    nameserver lxdns 10.114.53.1:53

frontend frontend_https
    mode http
    bind :80
    bind :443 ssl crt /etc/ssl/certs/octocat.pem
    http-request redirect scheme https unless { ssl_fc }
    acl is_lxd_gitlab hdr(host) -i git.octocat.lab
    use_backend lxd_gitlab_backend if is_lxd_gitlab

backend lxd_gitlab_backend
    option forwardfor
    option splice-auto
    option httpchk GET /-/liveness
    server gitlab gitlab.lxd:80 resolvers local_resolvers check inter 2s fastinter 1s downinter 5s fall 3 rise 2
Check HAProxy configuration.
$ sudo haproxy -f /etc/haproxy/ -c
[WARNING] 319/020205 (189855) : parsing [/etc/haproxy//haproxy.cfg:55] : 'server gitlab' : could not resolve address 'gitlab.lxd', disabling server.
Warnings were found.
Configuration file is valid
Restart load balancer.
$ sudo systemctl restart haproxy

That is all!