Why use GitLab EE

The biggest benefit for developers is that the EE edition can be combined with Elasticsearch for code search.

At my previous company the GitLab we first deployed was also the CE edition; later we found there was essentially no way to search code globally, so we switched to an EE trial.

I have mostly forgotten how it was deployed back then; I redeployed it over the past few days, so I am writing this document as a record.

GitLab EE license-related operations

The key file GitLab EE uses to verify licenses is a plain file that the user can replace, after which they can issue licenses themselves; GitLab also publishes usage documentation for the license library: https://www.rubydoc.info/gems/gitlab-license/

The Usage section of that documentation shows directly how to generate the required license file; the only thing it does not set is the plan attribute. Combined with the license model definition you can see which attributes are available: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/license.rb

There is no need to set up a Ruby environment yourself either: run sudo gitlab-rails console inside the GitLab container and you get a Ruby environment with all dependencies already downloaded, installed and loaded.

Following the Usage section of https://www.rubydoc.info/gems/gitlab-license/, also include plan when setting license.restrictions:

license.restrictions = {
  active_user_count: 10000,
  plan: 'ultimate'
}

Combined with Docker's ability to mount a host file over a file in the image, the license public key can be replaced with the one you signed with, and then you upload the generated license file:

      - '{{GITLAB_HOME}}/license/license_key.pub:/opt/gitlab/embedded/service/gitlab-rails/.license_encryption_key.pub'

This probably doesn't count as cracking... after all, they document how to generate the license public key themselves...

Update 2023-10-05

This whole process can be turned into a Ruby script and run with rails runner.

require 'openssl'

# Generate a key pair. You should do this only once.
key_pair = OpenSSL::PKey::RSA.generate(2048)

# Define path to save the files
# path = ENV['HOME']
path = "/tmp"


# Write the private key to a file to use in the license generation application.
# This key signs every license the instance will accept, so create it with
# owner-only permissions and move it out of /tmp once the license is generated.
File.open("#{path}/license_key", "w", 0600) { |f| f.write(key_pair.to_pem) }

# Extract the public key.
public_key = key_pair.public_key
# Write it to a file to ship along with the main application.
File.open("#{path}/license_key.pub", "w") { |f| f.write(public_key.to_pem) }

# In the license generation application, load the private key from a file.
private_key = OpenSSL::PKey::RSA.new File.read("#{path}/license_key")
Gitlab::License.encryption_key = private_key

# Build a new license.
license = Gitlab::License.new

# License information to be rendered as a table in the admin panel.
# E.g.: "This instance of GitLab Enterprise Edition is licensed to:"
# Specific keys don't matter, but there needs to be at least one.
license.licensee = {
  "Name"    => "Douwe Maan",
  "Company" => "GitLab B.V.",
  "Email"   => "douwe@gitlab.com"
}

# The date the license starts.
# Required.
license.starts_at = Date.new(2015, 4, 24)

# The date the license expires. Setting it to 2099 as per request.
license.expires_at = Date.new(2099, 12, 31)

# The below dates are hardcoded in the license so that you can play with the
# period after which there are "repercussions" to license expiration.

# The date admins will be notified about the license's pending expiration.
# Not required.
license.notify_admins_at = Date.new(2099, 12, 25)

# The date regular users will be notified about the license's pending expiration.
# Not required.
license.notify_users_at = Date.new(2099, 12, 31)

# The date "changes" like code pushes, issue or merge request creation
# or modification and project creation will be blocked.
# Not required.
license.block_changes_at = Date.new(2100, 1, 7)

# Restrictions bundled with this license.
# Not required, to allow unlimited-user licenses for things like educational organizations.
license.restrictions = {
  # The plan tier the license unlocks; valid values are listed in
  # ee/app/models/license.rb (see the link above).
  plan: 'ultimate',
  # The maximum allowed number of active users.
  # Not required.
  active_user_count: 10000
}

puts "License:"
puts license

# Export the license, which encrypts and encodes it.
data = license.export

puts "Exported license:"
puts data

# Write the license to a file to send to a customer.
File.open("#{path}/GitLabBV.gitlab-license", "w") { |f| f.write(data) }

# In the customer's application, load the public key from a file.
public_key = OpenSSL::PKey::RSA.new File.read("#{path}/license_key.pub")
Gitlab::License.encryption_key = public_key

# Read the license from a file.
data = File.read("#{path}/GitLabBV.gitlab-license")

# Import the license, which decodes and decrypts it.
$license = Gitlab::License.import(data)

puts "Imported license:"
puts $license

It can be saved as /etc/gitlab/license_script.rb

and run with sudo gitlab-rails runner /etc/gitlab/license_script.rb. Note that /etc/gitlab/license_script.rb may be owned by the git user, since gitlab-rails runner executes as that user and needs to read it.

Afterwards the public key file and the license file are in /tmp. The private key license_key is there too; it is the signing key for every license this instance will accept, so move it somewhere with restricted permissions (or delete it) rather than leaving it in a world-readable directory.

sudo cp /tmp/license_key.pub /opt/gitlab/embedded/service/gitlab-rails/.license_encryption_key.pub

Restart the service, then upload the license to activate it.

Note that with the Linux package (omnibus) install this has to be repeated after every upgrade, because the upgrade writes the vendor public key back over the file; with the Docker setup it is not needed, because the bind mount shadows the file inside the image.
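Because the key silently reverts on upgrade, it is worth checking which key is actually installed before uploading a license (a "license is invalid" error after an upgrade is almost always this). The following Ruby script is an added example, not part of the original post or of the gitlab-license gem: it fingerprints the public key on disk and compares it with the one you generated. The installed-key path is the omnibus default quoted above; the expected-key path is whatever you point it at, and the demo uses keys it constructs in a temporary directory rather than real GitLab files.

```ruby
# Added example, not from the original post: confirm that the key GitLab
# verifies licenses against is the one you expect, e.g. right after an
# omnibus upgrade (which restores the vendor key) or a container restart.
# Fingerprints are SHA-256 over the SubjectPublicKeyInfo DER, so they can be
# cross-checked from a shell with
#   openssl pkey -pubin -in license_key.pub -outform DER | sha256sum
require 'openssl'
require 'tmpdir'

# Omnibus default path quoted in the post.
INSTALLED_KEY = '/opt/gitlab/embedded/service/gitlab-rails/.license_encryption_key.pub'

# Accepts a public or private RSA PEM and returns the hex fingerprint of its
# public half, so the same value comes out whether you feed it license_key
# or license_key.pub.
def public_key_fingerprint(pem)
  key = OpenSSL::PKey::RSA.new(pem)
  OpenSSL::Digest::SHA256.hexdigest(key.public_key.to_der)
end

# Returns a small report rather than a bare boolean so an upgrade hook or
# cron job can log both fingerprints when they disagree.
def compare_license_keys(expected_pub_path, installed_path = INSTALLED_KEY)
  expected = public_key_fingerprint(File.read(expected_pub_path))
  installed = public_key_fingerprint(File.read(installed_path))
  { match: expected == installed, expected: expected, installed: installed }
end

def installed_key_matches?(expected_pub_path, installed_path = INSTALLED_KEY)
  compare_license_keys(expected_pub_path, installed_path)[:match]
end

# Self-contained demo with constructed keys (no real GitLab paths touched):
# the second key stands in for a vendor key that an upgrade put back.
def demo
  ours = OpenSSL::PKey::RSA.generate(2048)
  vendor = OpenSSL::PKey::RSA.generate(2048)
  Dir.mktmpdir do |dir|
    File.write("#{dir}/license_key.pub", ours.public_key.to_pem)
    File.write("#{dir}/installed_ok.pub", ours.public_key.to_pem)
    File.write("#{dir}/installed_restored.pub", vendor.public_key.to_pem)
    [
      compare_license_keys("#{dir}/license_key.pub", "#{dir}/installed_ok.pub"),
      compare_license_keys("#{dir}/license_key.pub", "#{dir}/installed_restored.pub")
    ]
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each do |r|
    if r[:match]
      puts "OK: installed key matches expected key #{r[:expected]}"
    else
      puts "MISMATCH: installed #{r[:installed]}, expected #{r[:expected]}"
    end
  end
end
```

On a real host you would call compare_license_keys('/path/to/your/license_key.pub') with the default installed path, and re-run sudo cp from the step above only when it reports a mismatch. The same check also works in the other direction for an auditor: compare the installed key against the fingerprint of the key that ships in the GitLab package to find out whether an instance's license verification key has been swapped.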

Deploying GitLab

The deployment is driven by Ansible; the most important piece is this docker-compose template file:

version: '2.2'
services:
  web:
    image: 'gitlab/gitlab-ee:14.0.10-ee.0'
    restart: always
    hostname: '{{SERVICE_FQDN}}'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://{{SERVICE_FQDN}}'
        # Add any other gitlab.rb configuration here, each on its own line
    ports:
      - '{{SERVICE_ADDR}}:80:80'
      - '{{SERVICE_ADDR}}:443:443'
      - '{{SERVICE_ADDR}}:22:22'
    volumes:
      - '{{GITLAB_HOME}}/config:/etc/gitlab'
      - '{{GITLAB_HOME}}/logs:/var/log/gitlab'
      - '{{GITLAB_HOME}}/data:/var/opt/gitlab'
      - '{{GITLAB_HOME}}/license/license_key.pub:/opt/gitlab/embedded/service/gitlab-rails/.license_encryption_key.pub'
      - '/etc/letsencrypt/live/{{SERVICE_FQDN}}/fullchain.pem:/etc/gitlab/ssl/{{SERVICE_FQDN}}.crt'
      - '/etc/letsencrypt/live/{{SERVICE_FQDN}}/privkey.pem:/etc/gitlab/ssl/{{SERVICE_FQDN}}.key'
    networks:
      - gitlabinner
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.14.1
    container_name: es
    environment:
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - discovery.type=single-node
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - /srv/elasticsearch/data:/usr/share/elasticsearch/data
    networks:
      - gitlabinner

networks:
  gitlabinner:
    driver: bridge

After the first docker-compose up, enter the GitLab Ruby environment to generate license_key.pub and the license file with plan set, then run docker-compose up a second time. One caveat: if the bind-mount source {{GITLAB_HOME}}/license/license_key.pub does not exist on the host yet, Docker creates an empty directory at that path and mounts the directory over the key file inside the container, so either leave that volume line out for the first start or make sure the file exists on the host before starting.

Other

Every three months, run the following command manually to renew the certificate (a manual DNS challenge cannot be auto-renewed): sudo certbot certonly --manual --agree-tos -m XXX@XXXX.cn --no-eff-email --manual-public-ip-logging-ok --preferred-challenges=dns -d XXXXX.com.cn
Two notes: --manual-public-ip-logging-ok is deprecated in newer certbot releases and can be dropped if certbot rejects it; and after renewal the GitLab container must be restarted, because a single-file bind mount is resolved to the certificate file that existed at start time and does not follow the updated symlinks under /etc/letsencrypt/live/.

When following [manually-configuring-https] https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https, setting letsencrypt['enable'] = false caused an error, so I do not set that option.

In the GitLab admin area, configure http://es:9200 as the Elasticsearch URL and enable indexing. Note that the es service above runs with the Elasticsearch 7.x default of no authentication and publishes no ports, so the only thing keeping the indexed source code private is the gitlabinner bridge network: do not add a ports: mapping for it, and treat anything that can reach that network as able to read every indexed repository.

For Chinese-language search, Elasticsearch additionally has to be configured according to the smartcn analysis plugin [documentation] https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-smartcn.html

The host can be given two IP addresses so that GitLab exposes port 22 on the second one (the host's own sshd is bound to the first IP); that second address is SERVICE_ADDR in the template.

References

https://www.rubydoc.info/gems/gitlab-license/ (the Usage section shows how to generate the license file; only the plan attribute is missing, and the license model definition lists what can be set: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/license.rb)

No gem install is needed: 'gitlab-license' is GitLab's own gem and GitLab itself depends on it, so none of the articles above require setting up a separate Ruby environment; just do it in the environment that ships with GitLab. There is also no need to modify any .rb files; just pass the plan parameter when generating the license with gitlab-license. The one key point in the end is replacing the original .pub file, because only then is the license accepted. So this isn't cracking, since they list all of this for people to use...

https://docs.gitlab.com/ee/install/docker.html

Having Docker use port 22 on a different IP: https://stackoverflow.com/questions/25036895/how-to-expose-docker-containers-ip-and-port-to-outside-docker-host-without-port