Lab GitLab

Richard Mortier · April 19, 2017 · #tech #config #old

Recently had cause to do this as part of the SRG’s and OCaml Labs’ infrastructure. Thought it might be useful to make some notes, so here they are! Assuming your local sys-admin has kindly created you a suitable VM running Ubuntu with login credentials, etc., read on…

Note that several commands that follow must be run as root, via use of sudo below. Given that, think twice before just cutting and pasting them in, obviously… And I am not held responsible for anything either way!

Install Docker

On a new Ubuntu stretch/sid (testing) VM:

$ lsb_release -drc
Description:	Ubuntu 16.04.1 LTS
Release:	16.04
Codename:	xenial

Next, install up-to-date Docker:

sudo apt-get install apt-transport-https ca-certificates
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 \
        --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
# The redirect has to run as root, so write the file with tee rather than "sudo echo ... >"
echo "deb https://apt.dockerproject.org/repo debian-stretch main" \
     | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update
sudo apt-get install -y docker-engine

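Tweak the systemd Docker configuration by adding a drop-in fragment that points all Docker storage at the /data partition, lest the root partition / fill. The empty ExecStart= line clears the packaged command so that the one that follows replaces it: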

sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/data-disk.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -g /data/docker
EOF

Then reload systemd so it picks up the fragment, and start the Docker daemon:

sudo systemctl daemon-reload
sudo service docker start

Finally, test the install by running hello-world:

$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
 https://hub.docker.com

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

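If appropriate, you may also wish to add yourself to the docker user group; bear in mind that members of this group can control the Docker daemon, which is effectively root access to the host: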

sudo usermod -aG docker $(whoami)

GitLab

Assuming you have rights to run docker, install and run GitLab-CE:

S=128.232.xxx.yyy
H=gitlab.srg.cl.cam.ac.uk
docker run --detach \
     --hostname $H \
     --publish $S:443:443 \
     --publish $S:80:80 \
     --publish $S:2222:22 \
     --name gitlab \
     --restart always \
     --volume /data/gitlab/config:/etc/gitlab \
     --volume /data/gitlab/logs:/var/log/gitlab \
     --volume /data/gitlab/data:/var/opt/gitlab \
     --volume /data/gitlab/backups:/var/opt/gitlab/backups \
     --volume /data/gitlab/sync:/var/opt/gitlab/sync \
     --env HOST_UID=$(id -u) --env HOST_GID=$(id -g) \
     mor1/gitlab-ce-cron:latest

…or use the make start target in the Makefile in the related GitHub repo.

TLS Certificates

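Self-signed certificates:

# Work in the ssl directory so the key, CSR and certificate all end up together
cd ssl
# New unencrypted 2048-bit RSA key plus a certificate signing request
openssl req -nodes -newkey rsa:2048 -keyout gitlab.srg.cl.cam.ac.uk.key -out gitlab.srg.cl.cam.ac.uk.csr
chmod 600 *
# Sign the request with its own key, valid for four years
openssl x509 -req -days 1460 -in gitlab.srg.cl.cam.ac.uk.csr -signkey gitlab.srg.cl.cam.ac.uk.key -out gitlab.srg.cl.cam.ac.uk.crt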
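
Before pointing GitLab at the pair, it is worth confirming that the key and certificate belong together, that the key is owner-only, that the subject names the host, and that expiry is not imminent. The following is an added example, not part of the original notes: `check_pair` and the `gitlab.example.test` hostname are hypothetical, and the throwaway pair at the end is constructed for the demo.

```sh
#!/bin/sh
# Added example: check_pair is a hypothetical helper, not part of GitLab or OpenSSL.
# Prints one line per problem and returns the number of problems found.
# Assumes GNU stat (as on Ubuntu) and the openssl CLI.
check_pair() {
    key=$1 crt=$2 host=$3 problems=0

    # 1. The private key must be accessible to its owner only.
    mode=$(stat -c '%a' "$key")
    case $mode in
        600|400) ;;
        *) echo "key mode is $mode, expected 600"; problems=$((problems + 1)) ;;
    esac

    # 2. The certificate must contain the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "certificate and key do not match"; problems=$((problems + 1))
    fi

    # 3. The subject CN must be the hostname clients will connect to.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null)
    case $subj in
        *"CN=$host"|*"CN=$host,"*) ;;
        *) echo "subject '$subj' does not name $host"; problems=$((problems + 1)) ;;
    esac

    # 4. The certificate must stay valid for at least another 30 days.
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
        echo "certificate expires within 30 days"; problems=$((problems + 1))
    fi

    return "$problems"
}

# Constructed sample: a throwaway self-signed pair for a placeholder hostname.
demo=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -days 1460 \
    -subj "/CN=gitlab.example.test" \
    -keyout "$demo/demo.key" -out "$demo/demo.crt" 2>/dev/null
chmod 600 "$demo/demo.key"
check_pair "$demo/demo.key" "$demo/demo.crt" gitlab.example.test && echo "pair OK"
```
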

Run Backups

Recovering Password

To change the root password you need to use the Ruby-on-Rails console to access the relevant object, modify it, and save it back:

gitlab-rails console production

irb(main):001:0> user = User.where(id: 1).first
=> #<User id: 1, email: "admin@example.com", created_at: "2016-11-16 22:57:21", updated_at: "2016-12-05 23:42:50", name: "Administrator", admin: true, projects_limit: 10, skype: "", linkedin: "", twitter: "", authentication_token: "secrettoken", theme_id: 2, bio: nil, username: "root", can_create_group: true, can_create_team: false, state: "active", color_scheme_id: 1, password_expires_at: nil, created_by_id: nil, last_credential_check_at: nil, avatar: nil, hide_no_ssh_key: false, website_url: "", notification_email: "admin@example.com", hide_no_password: false, password_automatically_set: false, location: nil, encrypted_otp_secret: nil, encrypted_otp_secret_iv: nil, encrypted_otp_secret_salt: nil, otp_required_for_login: false, otp_backup_codes: nil, public_email: "", dashboard: 0, project_view: 0, consumed_timestep: nil, layout: 0, hide_project_limit: false, otp_grace_period_started_at: nil, ldap_email: false, external: false, organization: nil>
irb(main):002:0> user.password = 'secretpassword'
=> "secretpassword"
irb(main):003:0> user.password_confirmation = 'secretpassword'
=> "secretpassword"
irb(main):004:0> user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: 5f74573d-dfa2-4778-b365-cbebd88e454e) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", gid://gitlab/User/1
=> true
irb(main):005:0>

gitlab-ctl reconfigure

Hook up to GitHub

Per https://docs.gitlab.com/ce/integration/omniauth.html#initial-omniauth-configuration and https://docs.gitlab.com/ce/integration/github.html:

Edit via sudo docker exec -it gitlab /bin/bash:

root@gitlab:/# vi /etc/gitlab/gitlab.rb
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml', 'github']
gitlab_rails['omniauth_block_auto_created_users'] = true

Email

Use SMTP via <ppsw.cam.ac.uk>, for which the from address must have a valid MX record and not be under <cam.ac.uk> per http://help.uis.cam.ac.uk/email-telephony-and-collaboration/email/technical/sending.

Configuration can be tested via the console:

Notify.test_email('your@email.address', 'Hello World', 'This is a test message').deliver_now