Categories
DevOps

How to install GitLab on Raspberry Pi

Install GitLab on Raspberry Pi.

I will use previous LXD setup on Raspberry Pi 4 with DietPi operating system.

Update operating system

Update package index.

$ sudo apt update

Upgrade operating system.

$ sudo apt upgrade

Additional IP address

I will assign an additional IP address to a Raspberry Pi network interface as I want to use this dedicated IP address exclusively for GitLab application.

$ cat /etc/network/interfaces
# Drop-in configs
source interfaces.d/*

# WiFi
allow-hotplug wlan0
iface wlan0 inet static
address 172.16.1.1
netmask 255.255.0.0

iface wlan0 inet static
address 172.16.2.1
netmask 255.255.0.0

gateway 172.16.0.1
wireless-power off
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Reboot operating system.

$ sudo systemctl reboot

Inspect newly assigned IP address.

$ ip --brief address show wlan0
wlan0            UP             172.16.1.1/16 172.16.2.1/16 

Update SSH daemon configuration

DietPi is using Dropbear by default, but it does not work well in this specific use case, so install OpenSSH Server.

We need to use DietPi utilities to perform this operation over SSH.

$ sudo dietpi-software list | grep SSH
ID 0 | =0 | OpenSSH Client: Feature-rich SSH, SFTP and SCP client |
ID 104 | =2 | Dropbear: Lightweight SSH server | | https://dietpi.com/docs/software/ssh/#dropbear
ID 105 | =0 | OpenSSH Server: Feature-rich SSH server with SFTP and SCP support | | https://dietpi.com/docs/software/ssh/#openssh
$ sudo dietpi-software install 105
[  OK  ] DietPi-Software | Initialised database
[  OK  ] DietPi-Software | Reading database

 DietPi-Software
─────────────────────────────────────────────────────
 Mode: Automated install

[  OK  ] DietPi-Software | Installing OpenSSH Server: Feature-rich SSH server with SFTP and SCP support
[  OK  ] DietPi-Software | Free space check: path=/ | available=110718 MiB | required=500 MiB
[  OK  ] DietPi-Software | DietPi-Userdata validation: /mnt/dietpi_userdata
[  OK  ] DietPi-Software | Checking network connectivity
[  OK  ] DietPi-Software | Checking DNS resolver
[  OK  ] Network time sync | Completed
[ SUB1 ] DietPi-Services > unmask 
[  OK  ] DietPi-Services | unmask : haproxy
[  OK  ] DietPi-Services | unmask : cron
[ SUB1 ] DietPi-Services > stop 
[  OK  ] DietPi-Services | stop : cron
[  OK  ] DietPi-Services | stop : haproxy
[  OK  ] DietPi-Software | mkdir -p /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads /var/www /opt /usr/local/bin
[  OK  ] DietPi-Software | chown dietpi:dietpi /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads
[  OK  ] DietPi-Software | chmod 0775 /mnt/dietpi_userdata/Music /mnt/dietpi_userdata/Pictures /mnt/dietpi_userdata/Video /mnt/dietpi_userdata/downloads
[ INFO ] DietPi-Software | APT update, please wait...
Hit:1 https://archive.raspberrypi.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian bullseye InRelease
Hit:3 https://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://deb.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Hit:5 https://deb.debian.org/debian bullseye-backports InRelease
Fetched 44.1 kB in 3s (16.9 kB/s)
Reading package lists...
[  OK  ] DietPi-Software | APT update

 DietPi-Software
─────────────────────────────────────────────────────
 Step: Checking for prerequisite software


 DietPi-Software
─────────────────────────────────────────────────────
 Step: Installing OpenSSH Server: Feature-rich SSH server with SFTP and SCP support

[  OK  ] DietPi-Software | systemctl stop dropbear
[ INFO ] DietPi-Software | APT install for: openssh-server openssh-client, please wait...
debconf: delaying package configuration, since apt-utils is not installed                                                                                                                             
Selecting previously unselected package ucf.
(Reading database ... 21383 files and directories currently installed.)
Preparing to unpack .../archives/ucf_3.0043_all.deb ...                
Moving old data out of the way                                                                     
Unpacking ucf (3.0043) ...                                                                         
Selecting previously unselected package libwrap0:arm64.
Preparing to unpack .../libwrap0_7.6.q-31_arm64.deb ...
Unpacking libwrap0:arm64 (7.6.q-31) ...                                                            
Selecting previously unselected package openssh-sftp-server.
Preparing to unpack .../openssh-sftp-server_1%3a8.4p1-5_arm64.deb ...
Unpacking openssh-sftp-server (1:8.4p1-5) ...                                                      
Selecting previously unselected package runit-helper.
Preparing to unpack .../runit-helper_2.10.3_all.deb ...
Unpacking runit-helper (2.10.3) ...
Selecting previously unselected package openssh-server.
Preparing to unpack .../openssh-server_1%3a8.4p1-5_arm64.deb ...
Unpacking openssh-server (1:8.4p1-5) ...
Setting up runit-helper (2.10.3) ...
Setting up openssh-sftp-server (1:8.4p1-5) ...
Setting up libwrap0:arm64 (7.6.q-31) ...
Setting up ucf (3.0043) ...
Setting up openssh-server (1:8.4p1-5) ...

Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:Y8ogYfCSTbdZbr9OkF93dMSfeprSeu5NfRUcMitK6ZU root@DietPi (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:YvRBQ/nt6KzEgezuR+6MDNint9gJvsCzYxfUIaYZcEM root@DietPi (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:NdKVtEyXBQWZ/Dh6YJ5b1mHTH0XHyt3vS48EWfWex4A root@DietPi (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Processing triggers for libc-bin (2.31-13+rpt2+rpi1) ...
[  OK  ] DietPi-Software | APT install for: openssh-server openssh-client
[  OK  ] DietPi-Software | Comment in /etc/ssh/sshd_config converted to setting: PermitRootLogin yes
[  OK  ] DietPi-Software | systemctl enable ssh

 DietPi-Software
─────────────────────────────────────────────────────
 Step: Uninstalling Dropbear: Lightweight SSH server

[ INFO ] DietPi-Software | APT purge for: dropbear*, please wait...
(Reading database ... 21496 files and directories currently installed.)
Removing dropbear (2020.81-3) ...
Removing dropbear-bin (2020.81-3) ...
Removing libtomcrypt1:arm64 (1.18.2-5) ...
Removing libtommath1:arm64 (1.2.0-6) ...
Processing triggers for libc-bin (2.31-13+rpt2+rpi1) ...
(Reading database ... 21457 files and directories currently installed.)
Purging configuration files for dropbear (2020.81-3) ...
[  OK  ] DietPi-Software | APT purge for: dropbear*

 DietPi-Software
─────────────────────────────────────────────────────
 Step: Finalising uninstall

[  OK  ] DietPi-Software | systemctl daemon-reload
[  OK  ] DietPi-Software | systemctl unmask dbus
[  OK  ] DietPi-Software | systemctl start dbus
[  OK  ] DietPi-Software | systemctl unmask systemd-logind
[  OK  ] DietPi-Software | systemctl start systemd-logind
2021-11-17 13:39:07 [ INFO ] DietPi-RAMlog | Storing /var/log to /var/tmp/dietpi/logs/dietpi-ramlog_store...
2021-11-17 13:39:07 [  OK  ] DietPi-RAMlog | Stored /var/log to /var/tmp/dietpi/logs/dietpi-ramlog_store.
[ SUB1 ] DietPi-Services > dietpi_controlled 
[  OK  ] DietPi-Services | dietpi_controlled : haproxy
[  OK  ] DietPi-Services | dietpi_controlled : cron

 DietPi-Software
─────────────────────────────────────────────────────
 Step: Install completed

[  OK  ] DietPi-Survey | Sending survey data
[ SUB1 ] DietPi-Services > restart 
[  OK  ] DietPi-Services | restart : haproxy
[  OK  ] DietPi-Services | restart : cron
[ INFO ] DietPi-Software | Starting installed services, not controlled by DietPi-Services
[  OK  ] DietPi-Software | systemctl start ssh

Ensure that it will listen on a single IP address.

$ sudo sed -i -e  "s/#ListenAddress 0.0.0.0/ListenAddress 172.16.1.1/"  /etc/ssh/sshd_config

Restart SSH service.

$ sudo systemctl restart sshd

Ensure that it is listening on a single IP address.

$ sudo ss -tlpn
State               Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port              Process                                         
LISTEN              0                   32                                 10.114.53.1:53                                   0.0.0.0:*                  users:(("dnsmasq",pid=1677,fd=7))              
LISTEN              0                   128                                 172.16.1.1:22                                   0.0.0.0:*                  users:(("sshd",pid=633,fd=3))                  

Create LXD instance

I am using Raspberry Pi 4 with DietPi operating system, aarch64 architecture.

$ uname -a
Linux DietPi 5.10.63-v8+ #1459 SMP PREEMPT Wed Oct 6 16:42:49 BST 2021 aarch64 GNU/Linux

Search for Ubuntu 20.04.3 LTS (Focal Fossa) image.

$ sudo -i lxc image list images: architecture=arm64 os=Ubuntu release=focal
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|            ALIAS            | FINGERPRINT  | PUBLIC |             DESCRIPTION             | ARCHITECTURE |      TYPE       |   SIZE   |          UPLOAD DATE          |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal (7 more)       | 4d05260235b7 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 97.76MB  | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal (7 more)       | 7664234ba371 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | VIRTUAL-MACHINE | 239.38MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal/cloud (3 more) | b34bd4e8a06c | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | VIRTUAL-MACHINE | 262.69MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
| ubuntu/focal/cloud (3 more) | fbea3bbeffa9 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 112.38MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 0e6724185d46 | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 101.32MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 1ef2f2f42455 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | VIRTUAL-MACHINE | 239.31MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 01e2c1616e4a | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | VIRTUAL-MACHINE | 239.31MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 4cc95e7aecd7 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 112.38MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 8b17689d7ff1 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | VIRTUAL-MACHINE | 262.38MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 9bbf2a08a5fb | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 97.76MB  | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 44df16720440 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 88.65MB  | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 47c2afda0b28 | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 88.73MB  | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 48ce6843b5c4 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 100.71MB | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 04288b617a5b | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | VIRTUAL-MACHINE | 262.56MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 7141a7f194ce | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 101.64MB | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | 12151b6307fb | yes    | Ubuntu focal arm64 (20211113_07:42) | aarch64      | CONTAINER       | 112.37MB | Nov 13, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | c5a43ce69ea8 | yes    | Ubuntu focal arm64 (20211114_08:44) | aarch64      | CONTAINER       | 89.29MB  | Nov 14, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+
|                             | d5473410cfe5 | yes    | Ubuntu focal arm64 (20211112_07:42) | aarch64      | CONTAINER       | 97.76MB  | Nov 12, 2021 at 12:00am (UTC) |
+-----------------------------+--------------+--------+-------------------------------------+--------------+-----------------+----------+-------------------------------+

Inspect image.

$ sudo -i lxc image info images:ubuntu/focal
Fingerprint: 4d05260235b770941e1b4eb59cf039810d3cd651a4425a5451cb5b45328bd2ae
Size: 97.76MB
Architecture: aarch64
Type: container
Public: yes
Timestamps:
    Created: 2021/11/14 00:00 UTC
    Uploaded: 2021/11/14 00:00 UTC
    Expires: never
    Last used: never
Properties:
    os: Ubuntu
    release: focal
    architecture: arm64
    description: Ubuntu focal arm64 (20211114_08:44)
    variant: default
    serial: 20211114_08:44
    type: squashfs
Aliases:
    - ubuntu/focal/default
    - ubuntu/focal/default/arm64
    - ubuntu/20.04/default
    - ubuntu/20.04/default/arm64
    - ubuntu/focal
    - ubuntu/focal/arm64
    - ubuntu/20.04
    - ubuntu/20.04/arm64
Cached: no
Auto update: disabled
Profiles: []

Copy this image.

$ sudo -i lxc image copy images:ubuntu/focal/arm64 local:
Image copied successfully!      

Create an alias.

$ sudo -i lxc image alias create local:ubuntu/focal 4d05260235b7

Display local images.

$ sudo -i lxc image list
+--------------+--------------+--------+--------------------------------------+--------------+-----------+---------+------------------------------+
|    ALIAS     | FINGERPRINT  | PUBLIC |             DESCRIPTION              | ARCHITECTURE |   TYPE    |  SIZE   |         UPLOAD DATE          |
+--------------+--------------+--------+--------------------------------------+--------------+-----------+---------+------------------------------+
| ubuntu/focal | 4d05260235b7 | no     | Ubuntu focal arm64 (20211114_08:44)  | aarch64      | CONTAINER | 97.76MB | Nov 14, 2021 at 4:26pm (UTC) |
+--------------+--------------+--------+--------------------------------------+--------------+-----------+---------+------------------------------+

Create gitlab instance.

$ sudo -i lxc launch local:ubuntu/focal gitlab
Creating gitlab
Starting gitlab

Do not use temporary filesystem for /var/log directory as this directory will be used by an application.

Install GitLab application

Enter gitlab instance.

$ sudo -i lxc exec gitlab bash
root@gitlab:~#

Add a host entry to use local applications like Grafana.

root@gitlab:~# echo "127.0.0.1 git.octocat.lab" | tee -a /etc/host

Install packages required to add an official repository.

root@gitlab:~# apt install gnupg apt-transport-https curl

Add a repository key.

root@gitlab:~# curl -L https://packages.gitlab.com/gitlab/gitlab-ee/gpgkey | apt-key add -

Add Enterprise Edition repository (use ce instead of ee for Community Edition).

root@gitlab:~# cat << EOF | tee /etc/apt/sources.list.d/gitlab.list
deb https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu/ focal main
deb-src https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu/ focal main
EOF

Update package index.

root@gitlab:~# apt update

Check if the package is available.

root@gitlab:~# apt search gitlab-ce
Sorting... Done
Full Text Search... Done
gitlab-ee/focal 14.4.2-ee.0 arm64
  GitLab Enterprise Edition (including NGINX, Postgres, Redis)

Display package info.

root@gitlab:~# apt info  gitlab-ee
Package: gitlab-ee
Version: 14.4.2-ee.0
Priority: extra
Section: misc
Maintainer: GitLab, Inc. <support@gitlab.com>
Installed-Size: 3255 MB
Depends: openssh-server, libatomic1
Conflicts: gitlab-ce, gitlab
Replaces: gitlab-ce, gitlab
Homepage: https://about.gitlab.com/
Download-Size: 1010 MB
APT-Sources: https://packages.gitlab.com/gitlab/gitlab-ee/ubuntu focal/main arm64 Packages
Description: GitLab Enterprise Edition (including NGINX, Postgres, Redis)

N: There are 115 additional records. Please use the '-a' switch to see them.

Install GitLab Enterprise Edition. Provide external address, but use HTTP protocol as HTTPS will try to obtain Lets Encrypt certificate.

root@gitlab:~# EXTERNAL_URL="http://git.octocat.lab" apt-get install gitlab-ee
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libatomic1 libwrap0 ncurses-term openssh-server openssh-sftp-server python3-certifi python3-chardet python3-distro python3-idna python3-requests python3-urllib3 ssh-import-id wget
Suggested packages:
  molly-guard monkeysphere ssh-askpass ufw python3-cryptography python3-openssl python3-socks
The following NEW packages will be installed:
  gitlab-ee libatomic1 libwrap0 ncurses-term openssh-server openssh-sftp-server python3-certifi python3-chardet python3-distro python3-idna python3-requests python3-urllib3 ssh-import-id wget
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 1011 MB of archives.
After this operation, 3264 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
[...]
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:DEOMazhntQXBelo92vNKVwbke8Ge/skBb94fk8nSQ48 root@smiling-monster (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:lACn2vLueZr/6Z8mL9YJD1HazDPwOMokgV1kq4En0LI root@smiling-monster (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:K0Pq5i92fWyg2fk+39ajF3UbutUJyHvMAEoc5mS9v1M root@smiling-monster (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Setting up python3-requests (2.22.0-2ubuntu1) ...
Setting up gitlab-ee (14.4.2-ee.0) ...
Starting Chef Infra Client, version 15.17.4
resolving cookbooks for run list: ["gitlab-ee"]
Synchronizing Cookbooks:
  - gitlab-ee (0.0.1)
  - package (0.1.0)
  - gitlab (0.0.1)
  - consul (0.1.0)
  - patroni (0.1.0)
  - pgbouncer (0.1.0)
  - runit (5.1.3)
  - logrotate (0.1.0)
  - postgresql (0.1.0)
  - redis (0.1.0)
  - monitoring (0.1.0)
  - registry (0.1.0)
  - mattermost (0.1.0)
  - gitaly (0.1.0)
  - praefect (0.1.0)
  - gitlab-kas (0.1.0)
  - gitlab-pages (0.1.0)
  - letsencrypt (0.1.0)
  - nginx (0.1.0)
  - acme (4.1.3)
  - crond (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
[...]
Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn't opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.

NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Running handlers complete
Chef Infra Client failed. 441 resources updated in 06 minutes 39 seconds

Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn't opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.

NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

gitlab Reconfigured!

       *.                  *.
      ***                 ***
     *****               *****
    .******             *******
    ********            ********
   ,,,,,,,,,***********,,,,,,,,,
  ,,,,,,,,,,,*********,,,,,,,,,,,
  .,,,,,,,,,,,*******,,,,,,,,,,,,
      ,,,,,,,,,*****,,,,,,,,,.
         ,,,,,,,****,,,,,,
            .,,,***,,,,
                ,*,.
  


     _______ __  __          __
    / ____(_) /_/ /   ____ _/ /_
   / / __/ / __/ /   / __ `/ __ \
  / /_/ / / /_/ /___/ /_/ / /_/ /
  \____/_/\__/_____/\__,_/_.___/
  

Thank you for installing GitLab!
GitLab should be available at http://git.octocat.lab

For a comprehensive list of configuration options please see the Omnibus GitLab readme
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md

Help us improve the installation experience, let us know how we did with a 1 minute survey:
https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=omnibus&release=14-4

Setting up ssh-import-id (5.10-0ubuntu1) ...
Attempting to convert /etc/ssh/ssh_import_id
Processing triggers for systemd (245.4-4ubuntu3.13) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...

Inspect initial password for root user.

root@gitlab:~# cat /etc/gitlab/initial_root_password
# WARNING: This value is valid only in the following conditions
#          1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the first time (usually, the first reconfigure run).
#          2. Password hasn't been changed manually, either via UI or via command line.
#
#          If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Password: NCTlbpxN2yE5amSdfx7bzzlEn8KIZzdo0V+9mYbeVYY=

# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.

Update firewall configuration

Display container information to determine IP address.

$ sudo -i lxc list
+--------+---------+---------------------+------+-----------+-----------+
|  NAME  |  STATE  |        IPV4         | IPV6 |   TYPE    | SNAPSHOTS |
+--------+---------+---------------------+------+-----------+-----------+
| gitlab | RUNNING | 10.114.53.10 (eth0) |      | CONTAINER | 0         |
+--------+---------+---------------------+------+-----------+-----------+

Add a https service to a public zone.

$ sudo firewall-cmd --add-service=https --zone=public 
success

Add a rich language rule to forward SSH port on a dedicated IP address to this container.

$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="172.16.2.1" forward-port port="22" protocol="tcp" to-port="22" to-addr="10.114.53.10"' 
success

Display current firewall configuration.

$ sudo firewall-cmd --get-active-zones
public
  interfaces: eth0 wlan0
trusted
  interfaces: lxdbr0
$ sudo firewall-cmd --list-services --zone=public 
https ssh
$ sudo firewall-cmd --list-rich-rules --zone=public 
rule family="ipv4" destination address="172.16.2.1" forward-port port="22" protocol="tcp" to-port="22" to-addr="10.114.53.10"

Make this configuration permanent.

$ sudo firewall-cmd --runtime-to-permanent
success

Install and configure load balancer

Update GitLab configuration to whitelist access to monitoring endpoints.

root@gitlab:~# vim /etc/gitlab/gitlab.rb
[...]

### Monitoring settings
###! IP whitelist controlling access to monitoring endpoints
gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128', '10.114.53.1']

[...]

Update GitLab configuration.

root@gitlab:~# gitlab-ctl reconfigure

Install HAProxy a fast and reliable load balancing reverse proxy.

$ sudo apt install haproxy

Generate self-signed wildcard certificate.

$ sudo openssl req -subj "/commonName=*.octocat.lab/" -x509 -nodes -days 365 -newkey rsa:2048 -keyout - -out - | sudo tee /etc/ssl/certs/octocat.pem

Update HAProxy configuration.

$ cat /etc/haproxy/haproxy.cfg                                                                                                                                                         
global                                                                                             
        log /dev/log    local0                                                                     
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s 
        user haproxy                  
        group haproxy
        daemon                                                                                                                                                                                        
                                                 
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


resolvers local_resolvers
        nameserver lxdns 10.114.53.1:53

frontend frontend_https
        mode http

        bind :80
        bind :443 ssl crt /etc/ssl/certs/octocat.pem
        http-request redirect scheme https unless { ssl_fc }

        acl is_lxd_gitlab  hdr(host) -i git.octocat.lab
        use_backend lxd_gitlab_backend if is_lxd_gitlab

backend lxd_gitlab_backend
        option forwardfor
        option splice-auto
        option httpchk GET /-/liveness
     
        server gitlab gitlab.lxd:80 resolvers local_resolvers check inter 2s fastinter 1s downinter 5s fall 3 rise 2

Check HAProxy configuration.

$ sudo haproxy -f /etc/haproxy/ -c
[WARNING] 319/020205 (189855) : parsing [/etc/haproxy//haproxy.cfg:55] : 'server gitlab' : could not resolve address 'gitlab.lxd', disabling server.
Warnings were found.
Configuration file is valid

Restart load balancer.

$ sudo systemctl restart haproxy

That is all!