Author: Jase Batchelor
Install GitLab on a Lima VM instance running Debian.
This document shows how to set up a minimal instance with the following:
- configured for memory constrained environment
- single group and a developer user
- container registry
- Maven repository
This is primarily used for demos and to show modern CI / CD practices and tooling.
Sections
- Installation
- Configuration
- Provision demo configuration
- Validate Git repository access
- Validate container registry access
- Validate Maven repository access
- Links
Installation
Add the GitLab repository to Apt sources
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
Example output
# % Total % Received % Xferd Average Speed Time Time Time Current
# Dload Upload Total Spent Left Speed
# 100 6865 100 6865 0 0 5487 0 0:00:01 0:00:01 --:--:-- 5483
# Detected operating system as debian/bullseye.
# Checking for curl...
# Detected curl...
# Checking for gpg...
# Detected gpg...
# Running apt-get update... done.
# Installing debian-archive-keyring which is needed for installing
# apt-transport-https on many Debian systems.
# Installing apt-transport-https... done.
# Installing /etc/apt/sources.list.d/gitlab_gitlab-ee.list...done.
# Importing packagecloud gpg key... done.
# Running apt-get update... done.
#
# The repository is setup! You can now install packages.
Install GitLab
Install GitLab using Apt
- Set root password: GITLAB_ROOT_PASSWORD
- Set external URL: EXTERNAL_URL
- Note: for a local instance it is just using HTTP
# sudo apt-get install gitlab-ee
sudo GITLAB_ROOT_PASSWORD="password" EXTERNAL_URL="http://192.168.105.2" apt-get install gitlab-ee
Example output
# Reading package lists... Done
# Building dependency tree... Done
# Reading state information... Done
# The following additional packages will be installed:
# libatomic1
# The following NEW packages will be installed:
# gitlab-ee libatomic1
# 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
# Need to get 1381 MB of archives.
# After this operation, 4407 MB of additional disk space will be used.
# Do you want to continue? [Y/n] y
# Get:1 http://deb.debian.org/debian bullseye/main arm64 libatomic1 arm64 10.2.1-6 [9468 B]
# Get:2 https://packages.gitlab.com/gitlab/gitlab-ee/debian bullseye/main arm64 gitlab-ee arm64 16.1.0-ee.0 [1381 MB]
# Fetched 1381 MB in 1min 40s (13.8 MB/s)
# Selecting previously unselected package libatomic1:arm64.
# (Reading database ... 26540 files and directories currently installed.)
# Preparing to unpack .../libatomic1_10.2.1-6_arm64.deb ...
# Unpacking libatomic1:arm64 (10.2.1-6) ...
# Selecting previously unselected package gitlab-ee.
# Preparing to unpack .../gitlab-ee_16.1.0-ee.0_arm64.deb ...
# Unpacking gitlab-ee (16.1.0-ee.0) ...
# Setting up libatomic1:arm64 (10.2.1-6) ...
# Setting up gitlab-ee (16.1.0-ee.0) ...
# It looks like GitLab has not been configured yet; skipping the upgrade script.
#
# *. *.
# *** ***
# ***** *****
# .****** *******
# ******** ********
# ,,,,,,,,,***********,,,,,,,,,
# ,,,,,,,,,,,*********,,,,,,,,,,,
# .,,,,,,,,,,,*******,,,,,,,,,,,,
# ,,,,,,,,,*****,,,,,,,,,.
# ,,,,,,,****,,,,,,
# .,,,***,,,,
# ,*,.
#
#
#
# _______ __ __ __
# / ____(_) /_/ / ____ _/ /_
# / / __/ / __/ / / __ `/ __ \
# / /_/ / / /_/ /___/ /_/ / /_/ /
# \____/_/\__/_____/\__,_/_.___/
#
#
# Thank you for installing GitLab!
# GitLab was unable to detect a valid hostname for your instance.
# Please configure a URL for your GitLab instance by setting `external_url`
# configuration in /etc/gitlab/gitlab.rb file.
# Then, you can start your GitLab instance by running the following command:
# sudo gitlab-ctl reconfigure
#
# For a comprehensive list of configuration options please see the Omnibus GitLab readme
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
#
# Help us improve the installation experience, let us know how we did with a 1 minute survey:
# https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=omnibus&release=16-1
#
# Processing triggers for libc-bin (2.31-13+deb11u6) ...
Configuration
Configure GitLab for memory constrained environment and enable the container registry
Example: gitlab.rb
external_url 'http://192.168.105.2'
gitlab_rails['gitlab_email_enabled'] = false
# https://docs.gitlab.com/ee/administration/packages/container_registry.html
# Port 5000 by default
registry_external_url 'http://192.168.105.2:5000'
registry['enable'] = true
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
puma['worker_processes'] = 0
postgresql['shared_buffers'] = "256MB"
# Author: https://twitter.com/nateberkopec/status/1370420826563096583
sidekiq['max_concurrency'] = 2
prometheus_monitoring['enable'] = false
gitlab_rails['env'] = {
'MALLOC_CONF' => 'dirty_decay_ms:1000,muzzy_decay_ms:1000'
}
Update /etc/gitlab/gitlab.rb and restart / reconfigure GitLab
sudo cp gitlab/gitlab.rb /etc/gitlab/gitlab.rb
sudo gitlab-ctl reconfigure
Provision demo configuration
Log in as the root user with the password you configured during installation.
Create a personal access token as per the steps in this guide:
Using the GitLab REST API, this script will create the following:
- add a default group (docs)
- add default project labels (docs)
- add default project(s) (docs)
- add default project board(s) (docs)
- add a user with developer permissions (docs)
- add Lima VM SSH key to the user profile (docs)
Run the gitlab-defaults.sh script
#./gitlab-defaults.sh <IP Address> <GitLab Token>
./gitlab-defaults.sh 192.168.105.2 deadbeef
Validate Git repository access
Verify we can clone a repository.
From the laptop, set up SSH to reuse the key created by the Lima VM
# Add to SSH Agent
eval "$(ssh-agent -s)"
ssh-add ~/.lima/_config/user
Clone a repository
cd $HOME
git clone [email protected]:nakame/ci-templates.git
Troubleshoot SSH keys
Use the following commands to list SSH keys in use:
ssh -vT [email protected]
ssh -i ~/.lima/_config/user -vT [email protected]
Validate container registry access
https://docs.gitlab.com/ee/user/packages/container_registry/build_and_push_images.html
You can use Docker commands to build and push container images to your Container Registry:
- Authenticate with the Container Registry.
- Run the Docker command to build or push. For example:
To build:
docker build -t registry.example.com/group/project/image .
To push:
docker push registry.example.com/group/project/image
- https://gitlab.com/gitlab-org/gitlab/-/issues/221259#proposal
- https://docs.docker.com/registry/insecure/
- https://stackoverflow.com/questions/42211380/add-insecure-registry-to-docker
- https://www.oreilly.com/library/view/kubernetes-in-the/9781492043270/app03.html
- https://rakeshjain-devops.medium.com/set-up-a-private-docker-registry-insecure-on-ubuntu-18-04-part-1-bd320ff80e7
- https://docs.docker.com/registry/
- https://www.docker.com/blog/docker-registry-api-standardized-oci/
- https://github.com/distribution/distribution
- https://www.docker.com/blog/how-to-use-your-own-registry-2/
Verify container registry
Use the Docker V2 API to verify the endpoint exists.
This will return an authentication error, but verifies endpoint existence
curl 192.168.105.2:5000/v2/_catalog
# {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","ProjectPath":"","Action":"*"}]}]}
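The UNAUTHORIZED reply above is the registry's token-auth challenge. As an added example (not part of the original guide), this script follows that challenge to an authenticated catalog request. The /jwt/auth realm and container_registry service in the sample header are constructed for a GitLab instance at this address, and REGISTRY_TOKEN and the function names are assumptions.

```shell
#!/bin/sh
# Added example: follow the registry's Bearer challenge to an authenticated request.
set -eu

# Constructed sample of the challenge header returned by GET /v2/ (not captured output).
SAMPLE_CHALLENGE='Www-Authenticate: Bearer realm="http://192.168.105.2/jwt/auth",service="container_registry"'

# Print one key="value" parameter from a WWW-Authenticate header line.
challenge_param() {  # usage: challenge_param <header-line> <key>
  printf '%s\n' "$1" | tr -d '\r' | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the token request URL for a scope; fail unless the challenge is a usable Bearer one.
token_url() {  # usage: token_url <header-line> <scope>
  local realm service
  case "$1" in *[Bb]earer*) ;; *) return 1 ;; esac
  realm=$(challenge_param "$1" realm)
  service=$(challenge_param "$1" service)
  [ -n "$realm" ] && [ -n "$service" ] || return 1
  printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$2"
}

# Needs network access. Credentials go to curl on stdin (-K -), not on the command line.
list_catalog() {  # usage: REGISTRY_TOKEN=... list_catalog <host:port> <user>
  local header url token
  : "${REGISTRY_TOKEN:?export REGISTRY_TOKEN first}"
  header=$(curl -s -o /dev/null -D - "http://$1/v2/" | grep -i '^www-authenticate:') || return 1
  # Scope is type:name:action, taken from the Type/Name/Action fields of the error detail.
  url=$(token_url "$header" 'registry:catalog:*') || return 1
  # Assumes the token service answers with a compact JSON body: {"token":"..."}
  token=$(printf 'user = "%s:%s"\n' "$2" "$REGISTRY_TOKEN" | curl -s -K - "$url" |
    sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$token" | curl -s -K - "http://$1/v2/_catalog"
}

# Run against a live registry only when host and user are given as arguments.
if [ "$#" -ge 2 ]; then list_catalog "$1" "$2"; fi
```

GitLab decides which of the requested scopes the issued token carries, so an UNAUTHORIZED reply from the final request means the account lacks catalog access rather than that the endpoint is missing.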
Use the Docker CLI to verify the endpoint exists.
Again, this will return an authentication error, but verifies endpoint existence
docker login -u jase -p "glpat-deadbeef" 192.168.105.2:5000
# WARNING! Using --password via the CLI is insecure. Use --password-stdin.
# Error response from daemon: Get "https://192.168.105.2:5000/v2/": http: server gave HTTP response to HTTPS client
Configure the Docker CLI to access an insecure registry.
Edit ~/.docker/daemon.json
vi ~/.docker/daemon.json
Add the insecure-registries entry as per below:
{
"experimental": false,
"insecure-registries": [
"http://192.168.105.2:5000"
]
}
Log in again using the Docker CLI
docker login -u jase -p "glpat-deadbeef" 192.168.105.2:5000
# WARNING! Using --password via the CLI is insecure. Use --password-stdin.
# Login Succeeded
Test the repository
docker pull redhat/ubi8-micro:8.8-1@sha256:1910a0c45d71a1e4041a0aef43a147a1c2590b6bf1df0645ddf66d96a943b507
Validate Maven repository access
This one is kind of chicken and egg…
The response will not be valid until we deploy an artifact to the repository.
The Maven package path, in the format:
file_name string yes The name of the Maven package file.
curl -L -H "Private-Token: glpat-deadbeef" http://192.168.105.2/api/v4/packages/maven/nakame/spring-demo/1.0.0
# {"message":"403 Forbidden"}
GitLab offers the ability to use Maven repositories (package repositories actually) at 3 different levels - namely instance, group and project.
Each requires slightly different configuration. See these links for examples:
- https://docs.gitlab.com/ee/user/packages/maven_repository/
- https://docs.gitlab.com/ee/user/packages/maven_repository/#endpoint-urls
- https://docs.gitlab.com/ee/user/packages/maven_repository/#edit-the-configuration-file-for-publishing
Links
Installation
- https://about.gitlab.com/install/#debian
- https://packages.gitlab.com/gitlab/gitlab-ee/install
- https://docs.gitlab.com/omnibus/settings/configuration.html#specify-the-external-url-at-the-time-of-installation
- https://docs.gitlab.com/omnibus/installation/index.html#set-up-the-initial-password
- https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
- https://docs.gitlab.com/ee/install/next_steps.html
Container registry
- https://docs.gitlab.com/ee/administration/packages/container_registry.html
- https://docs.gitlab.com/ee/user/packages/container_registry/
- https://docs.gitlab.com/ee/user/packages/container_registry/build_and_push_images.html
- https://docs.gitlab.com/ee/user/packages/container_registry/authenticate_with_container_registry.html
- https://www.baeldung.com/ops/docker-registry-api-list-images-tags
- https://interestingittips.wordpress.com/2021/02/14/gitlab-container-registry/
General