инструмент_gitlab [2024/02/05 09:54] val [Клиент OpenID] |
инструмент_gitlab [2024/09/14 06:40] (current) val [Пример shell docker] |
Line 38: | Line 38: | ||
server# curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | bash | server# curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | bash | ||
- | server# time EXTERNAL_URL="http://server.corpX.un" apt-get install gitlab-ce | + | server# time EXTERNAL_URL="http://$(hostname)" apt-get install gitlab-ce |
... | ... | ||
real 38m49.787s !!! Загрузка может прерываться, надо повторять команду !!! | real 38m49.787s !!! Загрузка может прерываться, надо повторять команду !!! | ||
Line 57: | Line 57: | ||
web: | web: | ||
image: 'gitlab/gitlab-ce:latest' | image: 'gitlab/gitlab-ce:latest' | ||
+ | # image: 'gitlab/gitlab-ce:16.7.4-ce.0' | ||
restart: always | restart: always | ||
hostname: 'server.corpX.un' | hostname: 'server.corpX.un' | ||
Line 62: | Line 63: | ||
GITLAB_ROOT_PASSWORD: "strongpassword" | GITLAB_ROOT_PASSWORD: "strongpassword" | ||
GITLAB_OMNIBUS_CONFIG: | | GITLAB_OMNIBUS_CONFIG: | | ||
+ | prometheus_monitoring['enable'] = false | ||
+ | gitlab_rails['registry_enabled'] = true | ||
+ | gitlab_rails['registry_host'] = "server.corpX.un" | ||
external_url 'http://server.corpX.un' | external_url 'http://server.corpX.un' | ||
- | # gitlab_rails['initial_root_password'] = 'strongpassword' | + | registry_external_url 'http://server.corpX.un' |
- | # registry_external_url 'http://server.corpX.un' | + | gitlab_rails['registry_port'] = "5000" |
- | # gitlab_rails['registry_enabled'] = true | + | registry['registry_http_addr'] = "server.corpX.un:5000" |
- | # gitlab_rails['registry_host'] = "server.corpX.un" | + | # external_url 'https://server.corpX.un' |
- | # gitlab_rails['registry_port'] = "5000" | + | # registry_external_url 'https://server.corpX.un:5000' |
- | # registry['registry_http_addr'] = "server.corpX.un:5000" | + | # gitlab_rails['registry_port'] = "5050" |
- | # prometheus_monitoring['enable'] = false | + | # registry['registry_http_addr'] = "server.corpX.un:5050" |
- | # external_url 'https://gitlab.bmstu.ru:8443' | + | |
- | # registry_external_url 'https://gitlab.bmstu.ru:5050' | + | |
ports: | ports: | ||
- '80:80' | - '80:80' | ||
- | # - '8443:8443' | + | # - '443:443' |
- '2222:22' | - '2222:22' | ||
- '5000:5000' | - '5000:5000' | ||
- | # - '5050:5050' | ||
volumes: | volumes: | ||
- '/etc/gitlab:/etc/gitlab' | - '/etc/gitlab:/etc/gitlab' | ||
Line 83: | Line 84: | ||
- '/srv/gitlab/data:/var/opt/gitlab' | - '/srv/gitlab/data:/var/opt/gitlab' | ||
shm_size: '256m' | shm_size: '256m' | ||
+ | logging: | ||
+ | driver: "json-file" | ||
+ | options: | ||
+ | max-size: "2048m" | ||
</code><code> | </code><code> | ||
# ### cat /etc/gitlab/ssl/gitlab.bmstu.ru.{crt,key} | # ### cat /etc/gitlab/ssl/gitlab.bmstu.ru.{crt,key} | ||
Line 107: | Line 112: | ||
<code> | <code> | ||
- | root@node1,2,3:~# curl "http://server.corpX.un/api/v4/projects/2/repository/files/docker-compose.yml/raw?ref=master" | tee docker-compose.yml | + | root@node1,2,3:~# curl "http://server.corpX.un/api/v4/projects/2/repository/files/docker-compose.yml/raw" | tee docker-compose.yml |
или, для НЕ публичных проектов | или, для НЕ публичных проектов | ||
Line 195: | Line 200: | ||
<code> | <code> | ||
- | # mkdir /etc/gitlab/ssl/ | + | mkdir -p /etc/gitlab/ssl/ |
- | # cp wild.crt /etc/gitlab/ssl/$(hostname).crt | + | cp wild.crt -v /etc/gitlab/ssl/$(hostname).crt |
- | # cp wild.key /etc/gitlab/ssl/$(hostname).key | + | cp wild.key -v /etc/gitlab/ssl/$(hostname).key |
# cat /etc/gitlab/gitlab.rb | # cat /etc/gitlab/gitlab.rb | ||
Line 248: | Line 253: | ||
# host: 'server2.corpX.un' | # host: 'server2.corpX.un' | ||
port: 389 | port: 389 | ||
- | uid: 'uid' | + | # uid: 'uid' |
- | # uid: 'sAMAccountName' | + | uid: 'sAMAccountName' |
- | bind_dn: 'cn=admin,dc=corpX,dc=un' | + | # bind_dn: 'cn=admin,dc=corpX,dc=un' |
- | password: 'secret' | + | # password: 'secret' |
- | # bind_dn: 'cn=Administrator,cn=Users,dc=corpX,dc=un' | + | bind_dn: 'cn=Administrator,cn=Users,dc=corpX,dc=un' |
- | # password: 'Pa$$w0rd' | + | password: 'Pa$$w0rd' |
encryption: 'plain' | encryption: 'plain' | ||
- | active_directory: false | + | # active_directory: false |
- | # active_directory: true | + | active_directory: true |
base: 'dc=corpX,dc=un' | base: 'dc=corpX,dc=un' | ||
EOS | EOS | ||
Line 268: | Line 273: | ||
* [[https://docs.gitlab.com/runner/install/linux-manually.html|Install GitLab Runner manually on GNU/Linux]] | * [[https://docs.gitlab.com/runner/install/linux-manually.html|Install GitLab Runner manually on GNU/Linux]] | ||
- | * [[https://val.bmstu.ru/unix/Git/gitlab-runner_amd64.deb]] (15.0.0) | + | * [[https://val.bmstu.ru/unix/Git/gitlab-runner_amd64.deb]] (16.10.0) |
<code> | <code> | ||
- | # apt install gitlab-runner # достаточно для shell executor но не отображает команды ci/cd в gitlab | + | # wget http://gate.isp.un/unix/Git/gitlab-runner_amd64.deb |
- | или | + | ##2 часа## curl -LJO "https://gitlab-runner-downloads.s3.amazonaws.com/latest/deb/gitlab-runner_amd64.deb" |
- | # wget http://gate.isp.un/unix/Git/gitlab-runner_amd64.deb | ||
- | ##2 часа## curl -LJO "https://gitlab-runner-downloads.s3.amazonaws.com/latest/deb/gitlab-runner_amd64.deb" | ||
# dpkg -i gitlab-runner_amd64.deb | # dpkg -i gitlab-runner_amd64.deb | ||
</code> | </code> | ||
Line 301: | Line 304: | ||
<code> | <code> | ||
- | # gitlab-runner register -n --executor "shell" -u http://server.corp13.un -r "NNNNNNNNNNNNNNNNNNNNNNNNNNNN" | + | # gitlab-runner register -n --executor "shell" -u http://server.corpX.un -r "NNNNNNNNNNNNNNNNNNNNNNNNNNNN" |
</code> | </code> | ||
+ | |||
+ | или по инструкции в "New instance runner" | ||
Перезапускать не нужно | Перезапускать не нужно | ||
+ | |||
+ | <code> | ||
+ | # gitlab-runner verify | ||
+ | </code> | ||
<code> | <code> | ||
Line 312: | Line 321: | ||
</code><code> | </code><code> | ||
# systemctl restart gitlab-runner | # systemctl restart gitlab-runner | ||
- | |||
- | # gitlab-runner verify | ||
</code> | </code> | ||
Line 321: | Line 328: | ||
<code> | <code> | ||
+ | gate:~### docker stop gitlab-runner; docker rm gitlab-runner | ||
gate:~### rm /srv/gitlab-runner/config/config.toml | gate:~### rm /srv/gitlab-runner/config/config.toml | ||
Line 448: | Line 456: | ||
<code> | <code> | ||
- | # Надо назначить в GitLab (Settings -> CI/CD -> Variables) | + | # Можно назначить в GitLab (Settings -> CI/CD -> Variables) |
- | export MY_CI_REGISTRY=server.corpX.un:5000 | + | # export MY_CI_REGISTRY=server.corpX.un:5000 |
- | export MY_CI_REGISTRY_IMAGE=student/webd | + | # export MY_CI_REGISTRY_IMAGE=student/webd |
- | # Можно использовать встроенные CI_REGISTRY и CI_REGISTRY_IMAGE | + | # или использовать встроенные CI_REGISTRY и CI_REGISTRY_IMAGE |
- | # поскольку используем этот же проект GitLab как registry | + | # поскольку используем этот же проект GitLab как Registry |
- | # в GitLab будет устанавлено автоматически | + | # в GitLab будет установлено автоматически после git commit -m "ver 1.2" и git push |
- | export CI_COMMIT_MESSAGE="ver 1.2" | + | # export CI_COMMIT_MESSAGE="ver 1.2" |
</code> | </code> | ||
Line 465: | Line 473: | ||
VER="$(echo $CI_COMMIT_MESSAGE | sed 's/[^a-zA-Z0-9\.]//g')" | VER="$(echo $CI_COMMIT_MESSAGE | sed 's/[^a-zA-Z0-9\.]//g')" | ||
- | # need only one time | + | # needed once |
# docker login -u $MY_CI_REGISTRY_USER -p $MY_CI_REGISTRY_PASSWORD $MY_CI_REGISTRY | # docker login -u $MY_CI_REGISTRY_USER -p $MY_CI_REGISTRY_PASSWORD $MY_CI_REGISTRY | ||
# docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY | # docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY | ||
docker build -t webd webd | docker build -t webd webd | ||
- | #docker build --no-cache -t webd webd | ||
- | docker tag webd $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE:$VER | + | #docker run --rm -e MYMODE=TEST webd || exit 1 |
- | docker tag webd $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE | + | |
- | #docker tag webd $CI_REGISTRY_IMAGE:$VER | + | #docker tag webd $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE:$VER |
- | #docker tag webd $CI_REGISTRY_IMAGE | + | #docker tag webd $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE |
+ | docker tag webd $CI_REGISTRY_IMAGE:$VER | ||
+ | docker tag webd $CI_REGISTRY_IMAGE | ||
# previously need: docker login ... | # previously need: docker login ... | ||
- | docker push $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE:$VER | + | #docker push $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE:$VER |
- | docker push $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE | + | #docker push $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE |
- | #docker push $CI_REGISTRY_IMAGE:$VER | + | docker push $CI_REGISTRY_IMAGE:$VER |
- | #docker push $CI_REGISTRY_IMAGE | + | docker push $CI_REGISTRY_IMAGE |
</code><code> | </code><code> | ||
gitlab-runner@server:~/webd$ cat .gitlab-ci.yml | gitlab-runner@server:~/webd$ cat .gitlab-ci.yml | ||
Line 494: | Line 503: | ||
stage: lintertest | stage: lintertest | ||
script: | script: | ||
- | - echo $(date) "Do a test webd here" >> /tmp/Bash.gitlab-ci.log | + | # - echo $(date) "Do a test webd here" >> /tmp/Bash.gitlab-ci.log |
- shellcheck webd/webd | - shellcheck webd/webd | ||
tags: | tags: | ||
Line 502: | Line 511: | ||
stage: build | stage: build | ||
script: | script: | ||
- | - echo $(date) "Do a build webd here" >> /tmp/Bash.gitlab-ci.log | + | # - echo $(date) "Do a build webd here" >> /tmp/Bash.gitlab-ci.log |
- | # - env | tee /tmp/Bash.gitlab-ci.log | + | # - env | tee -a /tmp/Bash.gitlab-ci.log |
- sh build.sh | - sh build.sh | ||
tags: | tags: | ||
Line 511: | Line 520: | ||
# stage: deploy | # stage: deploy | ||
# script: | # script: | ||
- | # - echo $(date) "Do your deploy webd to k8s here" >> /tmp/Bash.gitlab-ci.log | ||
# - sh deploy.sh | # - sh deploy.sh | ||
# tags: | # tags: | ||
Line 685: | Line 693: | ||
===== Клиент OpenID ===== | ===== Клиент OpenID ===== | ||
- | <code> | ||
- | |||
- | https://docs.gitlab.com/ee/administration/auth/oidc.html | ||
- | https://gitlab.com/gitlab-org/gitlab/-/issues/196193 | + | * [[https://docs.gitlab.com/ee/administration/auth/oidc.html|You can use GitLab as a client application with OpenID Connect as an OmniAuth provider]] |
+ | * [[https://gitlab.com/gitlab-org/gitlab/-/issues/196193|use self-signed to integate gitlab with keycloak but see error: certificate verify failed (self signed certificate))]] | ||
+ | * [[https://forum.gitlab.com/t/using-keycloak-as-sso-for-gitlab-with-pre-existing-users-no-autocreate/67833|Using Keycloak as SSO for Gitlab with pre-existing users (no autocreate)]] | ||
+ | <code> | ||
# cp server.crt /etc/gitlab/trusted-certs/ | # cp server.crt /etc/gitlab/trusted-certs/ | ||
или | или | ||
# cp ca.crt /etc/gitlab/trusted-certs/ | # cp ca.crt /etc/gitlab/trusted-certs/ | ||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
gitlab_rails['omniauth_providers'] = [ | gitlab_rails['omniauth_providers'] = [ | ||
{ | { | ||
name: "openid_connect", # do not change this parameter | name: "openid_connect", # do not change this parameter | ||
- | label: "Keycloak corp20", # optional label for login button, defaults to "Openid Connect" | + | label: "Keycloak", # optional label for login button, defaults to "Openid Connect" |
args: { | args: { | ||
name: "openid_connect", | name: "openid_connect", | ||
scope: ["openid", "profile", "email"], | scope: ["openid", "profile", "email"], | ||
response_type: "code", | response_type: "code", | ||
- | issuer: "https://server.corp20.un:8443/realms/corp20/", | + | # issuer: "https://keycloak.example.com/realms/myrealm", |
+ | issuer: "https://keycloak.corpX.un/realms/corpX", | ||
client_auth_method: "query", | client_auth_method: "query", | ||
discovery: true, | discovery: true, | ||
Line 709: | Line 721: | ||
pkce: true, | pkce: true, | ||
client_options: { | client_options: { | ||
+ | # identifier: "<YOUR CLIENT ID>", | ||
identifier: "any-client", | identifier: "any-client", | ||
+ | # secret: "<YOUR CLIENT SECRET>", | ||
secret: "anystring", | secret: "anystring", | ||
- | redirect_uri: "http://gate.corp20.un/users/auth/openid_connect/callback" | + | # redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback" |
+ | redirect_uri: "https://gate.corpX.un/users/auth/openid_connect/callback" | ||
} | } | ||
} | } | ||
} | } | ||
] | ] | ||
+ | ... | ||
</code> | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | * User -> Profile -> Account -> Select a service to sign in with -> Keycloak | ||
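Review bot: In the LDAP hunk (Line 248/253) the new side switches the bind account to `bind_dn: 'cn=Administrator,cn=Users,dc=corpX,dc=un'` with `password: 'Pa$$w0rd'` while `encryption: 'plain'` and `port: 389` are kept, so a domain-administrator password is now sent in cleartext on every GitLab login and stored in the config file (presumably `/etc/gitlab/gitlab.rb`, only the heredoc's `EOS` terminator is visible in the hunk). A dedicated read-only bind account is sufficient for user lookup and group sync; if the Administrator account must be kept, it should at least be paired with `encryption: 'simple_tls'` and `port: 636` (or `encryption: 'start_tls'` on 389) so the credential does not cross the network unprotected. The registry hunk (Line 62/63) has the same weakness: `registry_external_url 'http://server.corpX.un'` on port 5000 means the `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD` step in the build script also sends the CI job token over plain HTTP and every Docker client must list the host under insecure-registries, which deserves a comment next to the commented-out https variants at that spot.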