Installation of GitLab Using S3 Storage for Small Teams

Introduction

Today we will install GitLab, the very popular Git server solution with an issue tracker and wiki.

Requirements for the installation:

  1. GitLab will be used by a small team of developers (up to 10 team members).
  2. GitLab must be secured with an SSL certificate.
  3. Data will be stored not on the virtual disk of the virtual machine, but in S3 storage mounted inside the operating system.

First of all, we need to check the system requirements for GitLab: https://docs.gitlab.com/ce/install/requirements.html.

For a team of 10 members, a VM with the configuration below should be suitable:

  • OS: CentOS 7
  • CPU: 1
  • RAM: 8 GB
  • SSD: 20 GB

Step 1: Pre-configuration of the Virtual Machine

When we connect to the Virtual Machine for the first time, the best practice is to change the SSH port from the standard port 22 to another random port number. Note also that on a clean PILW.IO virtual machine the firewall is disabled by default.

On your first login to the VM, update all installed OS packages with the command:

sudo yum update -y

When all packages are updated, we can configure the new port for SSH. In this user guide we will use port 2019 for the SSH connection.

Open the SSH configuration file with the command:

sudo vi /etc/ssh/sshd_config

Then find the commented record #Port 22, change it to the uncommented record Port 2019 and save the configuration file.

Now we need to allow SSH to use this port under SELinux. For this we use the tool semanage. Run the command:

sudo semanage port -a -t ssh_port_t -p tcp 2019

For the new SSH configuration to apply, restart the SSH service:

sudo service sshd restart

When the SSH port is changed, we need to install and configure a firewall. As the Linux firewall, in this article we use the iptables service.

To install iptables, use the command:

sudo yum install iptables-services -y

After the package is installed, start the service with this command:

sudo service iptables start

By default the SSH service is allowed in iptables, but on port 22. Save the current iptables rules to the file /etc/sysconfig/iptables:

sudo service iptables save

We need to change the allowed TCP port 22 to TCP port 2019 in the rules. To do this, open the iptables config file with the command:

sudo vi /etc/sysconfig/iptables

And change the port from 22 to 2019 in the rule:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

When the port is changed in the iptables config file, restart the iptables service:

sudo service iptables restart

Make sure that the iptables service starts after each reboot. For this, use the command:

sudo systemctl enable iptables

Now everything is ready. To double check, reboot your VM and verify that the rules work. Use the command:

sudo reboot now

After this step our SSH session will be lost. Wait a couple of minutes and reconnect to your VM using the new SSH port, 2019.
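As an added example that is not part of the original guide, the shell functions below make the Step 1 edits on the sshd_config and iptables files and verify the result; the function names and the file-path parameters are my own, and the semanage step is still run by hand:

```shell
#!/bin/sh
# Added example (not from the original guide): apply and verify the Step 1
# SSH port and iptables changes. File paths are parameters, so the functions
# can be run on copies of the real CentOS 7 files before touching the system.
set -eu

# Portable in-place edit that keeps the target file's owner and mode.
edit_in_place() {
    f=$1; expr=$2; t=$(mktemp)
    sed -E "$expr" "$f" > "$t"
    cat "$t" > "$f"
    rm -f "$t"
}

# set_sshd_port FILE PORT: turn "#Port 22" (or any Port line) into "Port PORT".
set_sshd_port() {
    grep -Eq '^#?Port [0-9]+' "$1" || return 1
    edit_in_place "$1" "s/^#?Port [0-9]+/Port $2/"
}

# set_iptables_ssh_port FILE OLD NEW: move the SSH ACCEPT rule from OLD to NEW.
set_iptables_ssh_port() {
    grep -q -- "--dport $2 -j ACCEPT" "$1" || return 1
    edit_in_place "$1" "s/--dport $2 -j ACCEPT/--dport $3 -j ACCEPT/"
}

# open_tcp_port FILE PORT: insert an ACCEPT rule for PORT right after the first
# existing dport ACCEPT rule, so it stays above the final REJECT rule (a rule
# appended after REJECT is never reached). Used later for ports 80 and 443.
open_tcp_port() {
    t=$(mktemp)
    awk -v rule="-A INPUT -p tcp -m state --state NEW -m tcp --dport $2 -j ACCEPT" \
        '{ print } /--dport [0-9]+ -j ACCEPT/ && !done { print rule; done = 1 }' "$1" > "$t"
    cat "$t" > "$1"
    rm -f "$t"
}

# check_ssh_port SSHD_FILE IPT_FILE PORT: both files agree on PORT and port 22
# is no longer accepted; prints a verdict and returns 0 only on success.
check_ssh_port() {
    grep -Eq "^Port $3\$" "$1" || { echo "sshd_config: Port $3 not set"; return 1; }
    grep -q -- "--dport $3 -j ACCEPT" "$2" || { echo "iptables: port $3 not open"; return 1; }
    if grep -q -- "--dport 22 -j ACCEPT" "$2"; then echo "iptables: port 22 still open"; return 1; fi
    echo "ok: SSH on port $3 in both files"
}

# Live run on the VM (then: semanage port -a -t ssh_port_t -p tcp 2019):
# set_sshd_port /etc/ssh/sshd_config 2019
# set_iptables_ssh_port /etc/sysconfig/iptables 22 2019
```

If semanage reports that port 2019 is already defined, use -m instead of -a to modify the existing mapping.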

Step 2: Installation of GitLab

Now we can start the deployment of GitLab.

As our first step, we will allow TCP web port 80 for GitLab in iptables. Open the iptables config file with the command:

sudo vi /etc/sysconfig/iptables

And add this rule (above the final REJECT rule, otherwise it is never reached):

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

When TCP port 80 is allowed in the iptables config file, restart the iptables service:

sudo service iptables restart

After this we can add the official GitLab Community Edition repository to our OS with the command:

sudo curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash

Now we can start the installation of GitLab. In this user guide GitLab will be available under the DNS name gitlab-demo.hooldus.it, so we use this command:

sudo EXTERNAL_URL="http://gitlab-demo.hooldus.it" yum install -y gitlab-ce

When the GitLab installation is finished, open in your browser the URL you set before the package installation (in our case http://gitlab-demo.hooldus.it/) and set the GitLab “root” password.

Step 3: Configuration of SSL in GitLab

GitLab is now installed, but currently it uses plain, unencrypted HTTP. We need to configure a secure HTTPS connection. For this we will use a free Let’s Encrypt SSL certificate.

First, we need to allow TCP web port 443 for GitLab in iptables. Open the iptables config file with the command:

sudo vi /etc/sysconfig/iptables

And add this rule, again above the final REJECT rule:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

When TCP port 443 is allowed in the iptables config file, restart the iptables service:

sudo service iptables restart

When the iptables service is restarted, we need to install the package “certbot”, which makes generating a Let’s Encrypt SSL certificate easier. This takes two commands:

sudo yum install -y epel-release
sudo yum install -y certbot

When the certbot package is installed, create the directory that will be used for Let’s Encrypt validation, using the command:

sudo mkdir -p /etc/gitlab/ssl/

When the directory is created, we need to make changes in the GitLab configuration file and set up the directory for Let’s Encrypt validation:

Open file /etc/gitlab/gitlab.rb:

sudo vi /etc/gitlab/gitlab.rb

Then find this string inside the configuration file:

# web_server['home'] = '/var/opt/gitlab/nginx'

When the configuration string is found, add the following configuration string after it:

nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /etc/gitlab/ssl; }"

Rebuild the GitLab configuration with the command:

sudo gitlab-ctl reconfigure

When the GitLab configuration is rebuilt, generate the Let’s Encrypt certificate with this command:

sudo certbot certonly --webroot --webroot-path=/etc/gitlab/ssl/ -d gitlab-demo.hooldus.it

Certbot reports that the SSL certificate was generated and shows the locations of the *.pem files. Now we can configure a secure HTTPS connection for GitLab.

Open file /etc/gitlab/gitlab.rb:

sudo vi /etc/gitlab/gitlab.rb

Find the string:

external_url 'http://gitlab-demo.hooldus.it'

and change the protocol from http to https.

After this, uncomment the rule nginx['redirect_http_to_https'] and set its value to true, so that users who open the GitLab web service over HTTP are redirected to HTTPS.

As our last step, uncomment the configuration rules nginx['ssl_certificate'] and nginx['ssl_certificate_key'] and enter the correct paths of the Let’s Encrypt SSL files. In our case:

nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab-demo.hooldus.it/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab-demo.hooldus.it/privkey.pem"

When the configuration file changes are finished and saved, rebuild the GitLab configuration with the command:

sudo gitlab-ctl reconfigure
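As an added example that is not part of the original guide, the functions below apply the Step 3 gitlab.rb changes (https external_url, forced redirect, Let’s Encrypt certificate paths) and check that all of them took effect; the function names are my own, and the certificate paths assume certbot’s /etc/letsencrypt/live/<domain>/ layout shown above:

```shell
#!/bin/sh
# Added example (not from the original guide): apply the Step 3 HTTPS settings
# to a gitlab.rb and verify them. The file path is a parameter so the function
# can be tried on a copy of /etc/gitlab/gitlab.rb first; certificate paths
# follow certbot's /etc/letsencrypt/live/<domain>/ layout.
set -eu

# set_rb_line FILE KEY VALUE: replace the (possibly commented-out) nginx[KEY]
# template line with an active assignment, or append one if it is missing.
set_rb_line() {
    f=$1; key=$2; value=$3; t=$(mktemp)
    if grep -Eq "^#? ?nginx\['$key'\]" "$f"; then
        sed -E "s|^#? ?nginx\['$key'\] *=.*|nginx['$key'] = $value|" "$f" > "$t"
    else
        cat "$f" > "$t"; printf "nginx['%s'] = %s\n" "$key" "$value" >> "$t"
    fi
    cat "$t" > "$f"; rm -f "$t"
}

# enable_https FILE DOMAIN: switch external_url to https, force the HTTP->HTTPS
# redirect and point nginx at the Let's Encrypt full chain and private key.
enable_https() {
    f=$1; domain=$2; live="/etc/letsencrypt/live/$domain"
    grep -q "^external_url 'http://$domain'" "$f" || return 1
    t=$(mktemp)
    sed "s|^external_url 'http://$domain'|external_url 'https://$domain'|" "$f" > "$t"
    cat "$t" > "$f"; rm -f "$t"
    set_rb_line "$f" redirect_http_to_https true
    set_rb_line "$f" ssl_certificate "\"$live/fullchain.pem\""
    set_rb_line "$f" ssl_certificate_key "\"$live/privkey.pem\""
}

# check_https FILE DOMAIN: 0 only if all four settings are active and no
# http:// external_url is left (that would make GitLab build plain-HTTP links).
check_https() {
    f=$1; domain=$2; live="/etc/letsencrypt/live/$domain"
    grep -q "^external_url 'https://$domain'" "$f" || return 1
    ! grep -q "^external_url 'http://" "$f" || return 1
    grep -q "^nginx\['redirect_http_to_https'\] = true" "$f" || return 1
    grep -q "^nginx\['ssl_certificate'\] = \"$live/fullchain.pem\"" "$f" || return 1
    grep -q "^nginx\['ssl_certificate_key'\] = \"$live/privkey.pem\"" "$f"
}
```

Run enable_https on a copy of gitlab.rb, diff it against the original, then repeat on the real file and run gitlab-ctl reconfigure.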

A Let’s Encrypt certificate is valid for only 90 days. We need to configure autorenewal, checked every 30 days. For this we add one record to crontab:

Use the command:

sudo crontab -e

And add the record:

0 1 1 * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"

Congratulations! A secured SSL connection is configured, with SSL certificate autorenewal.

Step 4: Configuration of S3 storage file system for GitLab repositories

For the GitLab repositories we will use low-cost S3 storage instead of the usual VM disk.

First, we create an S3 storage (bucket) in PILW.IO; in this guide it is named s3gitlab.

To mount the S3 storage inside our VM, we will use the tool s3fs-fuse. To install it, use the command:

sudo yum install -y s3fs-fuse

When the s3fs-fuse package is installed, create a file that will hold the access and secret keys for the S3 storage. To create the file, use the command:

sudo vi /etc/gitlab/s3fs-passwd

Inside the file, insert your access key and secret key separated by a colon, on a single line: ACCESS_KEY:SECRET_KEY.

For security reasons, set permissions 600 on the file with the S3 keys, so that only root can read it. For this, use the command:

sudo chmod 600 /etc/gitlab/s3fs-passwd

Next, create a directory for mounting the S3 storage. To do that, use the command:

sudo mkdir /mnt/s3gitlab

You can now try to mount the S3 storage on the directory /mnt/s3gitlab with the command:

sudo s3fs s3gitlab /mnt/s3gitlab -o passwd_file=/etc/gitlab/s3fs-passwd -o url=https://s3.pilw.io:8080/ -o use_path_request_style -o dbglevel=info

But this mount will be lost after a VM restart. For automatic mounting, do the following:

Open the fstab configuration file:

sudo vi /etc/fstab

And add a new line with these parameters (passwd_file points s3fs at the key file created above; without it s3fs looks for /etc/passwd-s3fs at boot and the mount fails):

s3fs#s3gitlab /mnt/s3gitlab fuse _netdev,allow_other,use_path_request_style,url=https://s3.pilw.io:8080,passwd_file=/etc/gitlab/s3fs-passwd 0 0
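As an added example that is not part of the original guide, the functions below check the s3fs key file (format and 600 permissions) and build and verify the fstab line for the automatic mount; the function names are my own, and the sample key in the usage is a constructed placeholder:

```shell
#!/bin/sh
# Added example (not from the original guide): check the s3fs credential file
# and build the /etc/fstab line for the mount. Paths and names are parameters;
# the guide's values are bucket s3gitlab, mount point /mnt/s3gitlab, endpoint
# https://s3.pilw.io:8080 and key file /etc/gitlab/s3fs-passwd.
set -eu

# check_s3fs_passwd FILE: exactly one ACCESS_KEY:SECRET_KEY line and mode 600
# (s3fs itself refuses a credential file that is readable by others).
check_s3fs_passwd() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode is $mode, need 600"; return 1; }
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "$f: expected exactly one line"; return 1; }
    grep -Eq '^[^: ]+:[^: ]+$' "$f" || { echo "$f: expected ACCESS_KEY:SECRET_KEY"; return 1; }
    echo "ok: $f"
}

# fstab_entry BUCKET MOUNTPOINT URL PASSWD_FILE: print the fstab line. The
# passwd_file option is explicit: without it s3fs reads /etc/passwd-s3fs at
# boot, not the file created above, and the automatic mount fails.
fstab_entry() {
    printf 's3fs#%s %s fuse _netdev,allow_other,use_path_request_style,url=%s,passwd_file=%s 0 0\n' \
        "$1" "$2" "$3" "$4"
}

# check_fstab_entry FSTAB MOUNTPOINT: the s3fs line for MOUNTPOINT exists and
# carries both _netdev (wait for the network) and passwd_file.
check_fstab_entry() {
    line=$(grep -E "^s3fs#[^ ]+ $2 fuse " "$1" || true)
    [ -n "$line" ] || { echo "no s3fs entry for $2"; return 1; }
    case "$line" in
        *_netdev*passwd_file=*|*passwd_file=*_netdev*) echo "ok: $line" ;;
        *) echo "entry for $2 lacks _netdev or passwd_file"; return 1 ;;
    esac
}
```

Typical use on the VM: check_s3fs_passwd /etc/gitlab/s3fs-passwd, then fstab_entry s3gitlab /mnt/s3gitlab https://s3.pilw.io:8080 /etc/gitlab/s3fs-passwd appended to /etc/fstab, followed by mount -a.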

Now we have to change the default repository directory in the GitLab configuration file:

Open the file /etc/gitlab/gitlab.rb:

sudo vi /etc/gitlab/gitlab.rb

Uncomment the git_data_dirs section and set these values:

git_data_dirs({
  "default" => {
    "path" => "/mnt/s3gitlab"
  }
})

Rebuild the GitLab configuration with the command:

sudo gitlab-ctl reconfigure

Mission accomplished! GitLab is now configured with SSL and PILW.IO S3 storage.
