Building Gitlab-CI in the Self-Signed Certificate Scenario

Because uploading a local ISO image to ECS to build a minimal-mode environment is cumbersome,
we use Alibaba Cloud's official public CentOS 7.2 image directly.

Log in to the Alibaba Cloud console as root and open the WebShell

Account management

passwd  # change the root password to 123edcxzaq (a loop around the keyboard)
useradd yunwei  # create the yunwei account
passwd yunwei  # set the yunwei account password to 123edcxzaq (a loop around the keyboard)
usermod -aG wheel yunwei  # add yunwei to the wheel administrator group
id yunwei  # check yunwei's group membership
su - yunwei  # switch to the yunwei account and its login environment

SSH service management

## SSHD port change ##
# For security and to avoid a conflict with the gitlab container's SSH service,
# move the Alibaba Cloud sshd service from the default port 22 to port 8022.
# Later SSH connections must use port 8022.
sudo sed -i 's|#Port 22|Port 8022|' /etc/ssh/sshd_config
sudo service sshd restart
sudo netstat -anpt  # check which ports are now listening

After leaving the WebShell, connect to the ECS over SSH from a SecureCRT terminal as the yunwei account (make sure to use the new SSH port, 8022)

Basic package installation

sudo yum install gcc gcc-c++ cmake vim wget git mlocate tree net-tools psmisc kernel-devel openssl-devel bash-completion

Docker installation

# Install the latest docker
curl -fsSL https://get.docker.com/ | sudo sh  # install the latest docker release
sudo mkdir /etc/docker
echo '{"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]}' | sudo tee /etc/docker/daemon.json  # switch to the USTC mirror (tee writes the file as root; a plain > redirect is opened by the unprivileged shell and fails)
sudo systemctl enable docker.service  # start on boot
sudo systemctl start docker  # start the service now

# docker group management
# Adding the user to the docker group lets it run docker commands later without the sudo prefix (a convenience docker provides);
# note that access to the docker socket is equivalent to root on the host.
sudo groupadd docker
sudo usermod -aG docker $(whoami)
exit  # log out so the new group membership is loaded on the next login

# docker-compose installation
sudo curl -L "https://github.com/docker/compose/releases/download/1.9.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version

View current hard disk resource consumption

df -hl  # check disk usage

Create an HTTPS certificate

Public CAs only issue certificates for domain names. Since the domain filing has not yet been approved, an IP-based self-signed certificate is used for now.

sudo mkdir /etc/certs
cd /etc/certs

# The self-signed certificate needs an IP entry in subjectAltName for clients to validate it
sudo sed -i '/\[ v3_ca \]/a\subjectAltName = IP:121.40.145.76' /etc/pki/tls/openssl.cnf

# Create the certificate
sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt  # enter the IP address 121.40.145.76 as the Common Name
sudo openssl dhparam -out dhparam.pem 1024  # generate DHE parameters to strengthen the SSL configuration

# Trust configuration for this certificate on the server itself (its own docker client also talks to the registry)
sudo mkdir -p /etc/docker/certs.d/121.40.145.76:4567
sudo cp /etc/certs/domain.crt /etc/docker/certs.d/121.40.145.76:4567/
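The same IP-SAN certificate built from a private openssl config instead of editing the system-wide openssl.cnf, followed by the two checks a client performs on it. This is an added example, not code from the original post; the file names and the IP are the post's, the function names and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the IP-SAN self-signed
# certificate from a private openssl config instead of editing the system-wide
# /etc/pki/tls/openssl.cnf, then run the two checks a client needs to pass.
# Usage: make_ip_cert <ip> <output-dir>; the file names match the post's
# domain.key / domain.crt. Returns non-zero if openssl fails.
make_ip_cert() {
  ip="$1"; dir="$2"
  mkdir -p "$dir"
  # Minimal request config: CN and SAN both carry the IP, since the host has
  # no registered domain yet. The CA/keyCertSign bits mirror the default
  # [ v3_ca ] section that the post appends subjectAltName to.
  cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = $ip
[ v3_ca ]
subjectAltName = IP:$ip
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/san.cnf" -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
}

# Print the SAN entry of a certificate (e.g. "IPAddress:121.40.145.76") so the
# client can confirm the cert covers the literal IP it will connect to; a cert
# carrying the IP only in the CN is rejected by modern TLS clients.
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Chain check with the cert as its own trust anchor, which is what the docker
# client does once the file sits under /etc/docker/certs.d/<host:port>/.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone demo: generate into a temp dir, show the SAN, verify the chain.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_ip_cert 121.40.145.76 "$tmp" && cert_san "$tmp/domain.crt" && cert_self_verifies "$tmp/domain.crt" && echo "verify: ok"
  rm -rf "$tmp"
fi
```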

Configure the client as follows

# Configure the client docker to trust the server's self-signed certificate:
# copy the server certificate into the client docker's trusted-certificate directory
sudo mkdir -p /etc/docker/certs.d/121.40.145.76:4567
sudo scp -P 8022 [email protected]:/etc/certs/domain.crt /etc/docker/certs.d/121.40.145.76:4567/

# Chrome marks a site with a self-signed certificate as "not secure" in the address bar,
# so the self-signed certificate has to be imported into Chrome's trusted root list manually.
# Open a local shell and download the certificate from the server
scp -P 8022 [email protected]:/etc/certs/domain.crt .
# Then configure Chrome: Settings > Advanced > HTTPS/SSL > Manage certificates > Trusted Root Certification Authorities > Import

Start the service

sudo mkdir -p /srv/environment
sudo chmod 777 /srv/environment
cd /srv/environment

# Register the boot-time startup script
sudo chmod a+x /etc/rc.d/rc.local
sudo sed -i '$a sh /srv/environment/init.sh' /etc/rc.d/rc.local

###################
## Boot-time task list ##
###################
# Start the docker orchestration service
echo 'docker-compose -f /srv/environment/docker-compose.yaml up -d' >> init.sh

Initialize the Docker orchestration configuration file

cat > docker-compose.yaml <<EOF
version: '2'

services:

EOF

Building the Gitlab version control service

docker pull gitlab/gitlab-ce:latest

############################ multi-line command start ##########################
cat >> docker-compose.yaml <<EOF
  Gitlab:
    image: 'gitlab/gitlab-ce:latest'
    container_name: 'gitlab'
    hostname: 'repo.sharemeiti.com'
    restart: always
    ports:
      - '22:22'
      - '8080:80'
      - '8443:8443'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Add any other gitlab.rb configuration here, each on its own line
        external_url 'https://repo.sharemeiti.com:8443'
        nginx['listen_port'] = 8443
        nginx['redirect_http_to_https'] = true
        nginx['listen_https'] = true
        gitlab_rails['gitlab_shell_ssh_port'] = 22
        nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparam.pem"
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key"
        nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {\n alias /var/opt/gitlab/letsencrypt/.well-known;\n}\n"
        high_availability['mountpoint'] = ["/etc/gitlab", "/var/log/gitlab", "/var/opt/gitlab"]  # require these filesystems to be mounted before the gitlab service starts
    volumes:
      - /srv/gitlab/config:/etc/gitlab
      - /srv/gitlab/logs:/var/log/gitlab
      - /srv/gitlab/data:/var/opt/gitlab
      - /etc/certs:/etc/gitlab/ssl
EOF
############################ multi-line command end ##########################

docker-compose up -d

Gitlab repository access address: https://121.40.145.76
When you log in to the Gitlab repository for the first time you are prompted to set the root superuser password (set to 123edcxzaq here),
and the HTTPS green lock now appears in the browser address bar.

Enable the Gitlab ContainerRegistry

The ContainerRegistry is Gitlab's built-in Docker Registry integration component.

  1. In docker-compose.yaml, add the following configuration under the GITLAB_OMNIBUS_CONFIG node:
        registry_external_url "https://121.40.145.76:4567"  # external access address of the ContainerRegistry
        registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/domain.crt"
        registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/domain.key"
        gitlab_rails['registry_host'] = "121.40.145.76"
        gitlab_rails['registry_port'] = "4567"
        gitlab_rails['registry_api_url'] = "http://localhost:5000"
        gitlab_rails['gitlab_default_projects_features_builds'] = false
        gitlab_rails['gitlab_default_projects_features_container_registry'] = false
  2. Add the port mapping - '4567:4567' (note that newer docker versions require port mappings to be written strictly as strings)
  3. Restart the service: docker-compose restart Gitlab

ContainerRegistry login

Once the ContainerRegistry is integrated, log in with your Gitlab account on both the client and the server:

docker login 121.40.145.76:4567