The reason for an LXC container is to allow continuous updates on a Linux OS with long LTS support.
In this case it is Debian LTS using unattended upgrades, which only needs the repository key
updated manually every few years.
Install the LXC container environment.
apt-get install lxc
Show the available LXC container OSes (templates).
ls -la /usr/share/lxc/templates/
Create an LXC container.
Either choose the container type from a list:
lxc-create -n <container-name> -t download
Or create a Debian container directly:
lxc-create -n <container-name> -t debian
Enable restart after a host reboot.
Add these lines to the configuration file at /var/lib/lxc/<container-name>/config.
Enable auto start of this container.
lxc.start.auto = 1
Delay the start of this container by 30 seconds after the host starts.
lxc.start.delay = 30
The following lines need the kernel options "cgroup_enable=memory swapaccount=1" (how to set them follows below).
Limit memory to 1 GByte.
lxc.cgroup.memory.limit_in_bytes = 1G
Limit the total usage of memory + swap. Note the second setting is for overall memory + swap, not just swap usage.
lxc.cgroup.memory.memsw.limit_in_bytes = 2G
When needed, add the host kernel options for cgroup and swapaccount to allow limiting memory resources.
Set the GRUB_CMDLINE_LINUX value as follows in the file /etc/default/grub.
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
Update grub with the command update-grub so the changes are in effect on the next boot.
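As an added check (not part of the original page), the following shell script reads the memory limits from a container config file, confirms the kernel command line carries both required options, and confirms the memory+swap limit is not below the memory limit (the confusion the note above warns about). The sample config is constructed from the values above; on a real host run check_lxc_memory_config with /var/lib/lxc/<container-name>/config and the contents of /proc/cmdline.

```shell
# Convert an LXC size such as 1G, 512M or 65536 to bytes.
to_bytes() {
  case "$1" in
    *G) echo $(( ${1%G} * 1073741824 )) ;;
    *M) echo $(( ${1%M} * 1048576 )) ;;
    *K) echo $(( ${1%K} * 1024 )) ;;
    *)  echo "$1" ;;
  esac
}

# Both options must be on the kernel command line, or the cgroup memory
# limits in the container config are silently ignored.
cmdline_has_cgroup_opts() {
  case " $1 " in *" cgroup_enable=memory "*) ;; *) return 1 ;; esac
  case " $1 " in *" swapaccount=1 "*) ;; *) return 1 ;; esac
}

# $1: LXC config file, $2: key. Prints the last value set for that key.
lxc_config_value() {
  awk -F'=' -v key="$2" '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
    END { print val }' "$1"
}

# $1: LXC config file, $2: kernel command line (contents of /proc/cmdline).
# Returns 0 when the memory limits are consistent and will be enforced.
check_lxc_memory_config() {
  mem=$(lxc_config_value "$1" lxc.cgroup.memory.limit_in_bytes)
  memsw=$(lxc_config_value "$1" lxc.cgroup.memory.memsw.limit_in_bytes)
  [ -n "$mem" ] || { echo "no lxc.cgroup.memory.limit_in_bytes set"; return 1; }
  cmdline_has_cgroup_opts "$2" ||
    { echo "kernel lacks cgroup_enable=memory swapaccount=1: limits ignored"; return 1; }
  # memsw is memory PLUS swap, so it can never be below the plain memory limit.
  if [ -n "$memsw" ] && [ "$(to_bytes "$memsw")" -lt "$(to_bytes "$mem")" ]; then
    echo "memsw limit $memsw is below the memory limit $mem"; return 1
  fi
  echo "memory limit $mem, memory+swap limit ${memsw:-unset}: OK"
}

# Constructed sample config with the values from this page (not a real host).
cfg=$(mktemp)
printf '%s\n' 'lxc.start.auto = 1' 'lxc.start.delay = 30' \
  'lxc.cgroup.memory.limit_in_bytes = 1G' \
  'lxc.cgroup.memory.memsw.limit_in_bytes = 2G' > "$cfg"
check_lxc_memory_config "$cfg" "BOOT_IMAGE=/vmlinuz ro cgroup_enable=memory swapaccount=1"
rm -f "$cfg"
```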
GitLab Install on LXC container
Grab hold of the root console.
lxc-attach -n <container-name>
Install the packages GitLab needs.
apt install wget openssh-server ca-certificates postfix systemd-cron
Get the script to install the GitLab package.
wget "https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh"
Execute the script
bash script.deb.sh
Now that the package is available, install it.
apt-get install gitlab-ce
Reconfigure after failure.
gitlab-ctl reconfigure
Work-around for a failing reconfigure: comment out the command that fails.
I modified /opt/gitlab/embedded/cookbooks/gitlab/definitions/sysctl.rb like this:
# Load the settings right away
execute "load sysctl conf" do
  #command "cat /etc/sysctl.conf /etc/sysctl.d/*.conf | sysctl -e -p -"
  action :nothing
end
Fix nginx problem "422 The change you requested was rejected."
This fix will be undone when gitlab-ctl reconfigure is called.
Update: It seems to be fixed now (2016-03) and not needed anymore.
Add the line
proxy_set_header X-Forwarded-Ssl on;
to the 'location / {' section in the file /var/opt/gitlab/nginx/conf/gitlab-http.conf.
joe /var/opt/gitlab/nginx/conf/gitlab-http.conf
Restart GitLab to make it take effect.
gitlab-ctl restart
Fix for when GitLab becomes very slow because of swapping.
Change swappiness to 10 from the default 60.
See the Wikipedia article on swappiness for more details.
sysctl -w vm.swappiness=10
Apache reverse proxy on the host
##
## Remove traceable headers.
##
<IfModule headers_module>
    Header unset Server
    Header unset X-Powered-By
</IfModule>
##
## Rewrite http to https
##
<VirtualHost *:80>
    ServerName <gitlab-hostname>
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/gitlab-error.log
    CustomLog ${APACHE_LOG_DIR}/gitlab-access.log clf
    DocumentRoot "/home/sites/apps/websrv/www"
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
</VirtualHost>
##
## Live site applications HTTPS
##
<IfModule ssl_module>
    <VirtualHost *:443>
        ServerName <gitlab-hostname>
        LogLevel info
        ErrorLog ${APACHE_LOG_DIR}/gitlab-error.log
        CustomLog ${APACHE_LOG_DIR}/gitlab-access.log clf
        SSLEngine On
        SSLCertificateFile /home/sites/apps/websrv/wildcard.certificate.nl.crt
        SSLCertificateKeyFile /home/sites/apps/websrv/wildcard.certificate.nl.key
        # Note: SSLCertificateChainFile takes one file and the last occurrence wins,
        # so the file used must contain the complete intermediate chain.
        SSLCertificateChainFile /home/sites/apps/websrv/RapidSSL_SHA256_CA_-_G3.crt
        SSLCertificateChainFile /home/sites/apps/websrv/GeoTrust_Global_CA.crt
        SSLCertificateChainFile /home/sites/apps/websrv/GeoTrust_RapidSSL_SHA2_CA-bundle.crt
        # Prevent use of SSLv2 and SSLv3.
        SSLProtocol All -SSLv2 -SSLv3
        # Enable all relevant secure ciphers (and disable insecure ones)
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
        SSLHonorCipherOrder on
        # Apache 2.2 style access control; Apache 2.4 needs mod_access_compat for Order/Allow.
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        ## SSLProxyEngine On
        ProxyRequests Off
        ServerSignature Off
        ProxyPreserveHost On
        AllowEncodedSlashes NoDecode
        <Location />
            Order deny,allow
            Allow from all
            ProxyPass http://<lxc-container-ip>/
            ProxyPassReverse http://<lxc-container-ip>/
        </Location>
    </VirtualHost>
</IfModule>
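As an added check (not part of the original page), the following shell functions verify from a captured response-header block that a plain-HTTP request is redirected to the same path over https and that the Server and X-Powered-By headers are gone, which is what the Apache configuration above intends. The sample response and the hostname gitlab.example.com are constructed; against a live server pass it the output of curl -sI "http://<gitlab-hostname>/<path>".

```shell
# $1: response headers (status line plus header lines), $2: header name.
# Prints the header's value, or nothing when it is absent (case-insensitive).
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
    { i = index($0, ": ") }
    i > 0 && tolower(substr($0, 1, i - 1)) == tolower(name) { print substr($0, i + 2) }'
}

# $1: headers, $2: request host, $3: request path.
# Passes only when the plain-HTTP answer is a redirect to the same path on
# https and neither Server nor X-Powered-By leaks server software details.
check_http_to_https() {
  status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }')
  case "$status" in
    301|302) ;;
    *) echo "expected a redirect, got status '$status'"; return 1 ;;
  esac
  loc=$(header_value "$1" Location)
  if [ "$loc" != "https://$2$3" ]; then
    echo "redirect goes to '$loc', expected 'https://$2$3'"; return 1
  fi
  for h in Server X-Powered-By; do
    if [ -n "$(header_value "$1" "$h")" ]; then
      echo "header $h still present: $(header_value "$1" "$h")"; return 1
    fi
  done
  echo "redirect and header hygiene OK"
}

# Constructed sample of what the 'VirtualHost *:80' block should answer
# (gitlab.example.com stands in for <gitlab-hostname>).
SAMPLE='HTTP/1.1 302 Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Location: https://gitlab.example.com/explore
Content-Type: text/html; charset=iso-8859-1'

check_http_to_https "$SAMPLE" gitlab.example.com /explore
```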
Log in on the website for the first time using username root and password 5iveL!fe.
Install the package on the GitLab container which does the trick: apt install unattended-upgrades
Configure the package: dpkg-reconfigure -plow unattended-upgrades
Set the e-mail address and auto reboot after upgrade.
Edit the file /etc/apt/apt.conf.d/50unattended-upgrades and add or merge the content below.
joe /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    "*packages.gitlab.com/gitlab/gitlab-ce:${distro_codename}";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
// This is just a partial section.
Unattended-Upgrade::Origins-Pattern {
    // Codename based matching:
    // This will follow the migration of a release through different
    // archives (e.g. from testing to stable and later oldstable).
    "o=Debian,n=jessie";
    "o=Debian,n=jessie-updates";
//  "o=Debian,n=jessie-proposed-updates";
    "o=Debian,n=jessie,l=Debian-Security";
    // AvO: added for GitLab
    "origin=${distro_id},archive=${distro_codename}-security";
    "origin=https://packages.gitlab.com/gitlab/gitlab-ce,archive=${distro_codename}";
};
For testing upgrades execute the command unattended-upgrade --debug --dry-run.
Open the /etc/gitlab/gitlab.rb file in an editor and append the following configuration.
Note: GitLab CE only allows one LDAP server (main) to be configured.
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = {
  'main' => {
    'label' => 'LDAP Scanframe',
    'host' => 'app.scanframe.com',
    'port' => 636,
    'encryption' => 'simple_tls',
    'verify_certificates' => true,
    'timeout' => 10,
    'active_directory' => false,
    'bind_dn' => 'cn=pam,ou=services,dc=scanframe,dc=com',
    'password' => 'the-pam-password',
    'base' => 'ou=users,dc=scanframe,dc=com',
    'user_filter' => '(&(objectClass=inetOrgPerson)(memberOf=cn=gitlab,ou=systems,dc=scanframe,dc=com)(employeeType=active))',
    # A boolean, not the string 'false' (a non-empty string is truthy in Ruby).
    'lowercase_usernames' => false,
    'retry_empty_result_with_codes' => [80],
    'allow_username_or_email_login' => true,
    'block_auto_created_users' => false,
    # User mappings from OpenLDAP to GitLab. Groups are only configurable for EE and not for CE.
    'uid' => 'uid',
    'email' => 'mail',
    'name' => 'displayName',
    'first_name' => 'givenName',
    'last_name' => 'sn'
    # Mapping 'jpegPhoto' as Avatar is 8 years in the making :(
    # (See: https://gitlab.com/gitlab-org/gitlab/-/issues/15136)
  }
}
After saving the file, execute the following command to make it effective.
gitlab-ctl reconfigure
The following originates from the GitLab documentation.
Tail logs in a console on the server
If you want to 'tail', i.e. view live log updates of GitLab logs, you can use gitlab-ctl tail.
Tail all logs and press Ctrl-C to exit.
gitlab-ctl tail
Tail only a log subdirectory located in /var/log/gitlab, for example the subdirectory gitlab-rails.
gitlab-ctl tail gitlab-rails
Tail only a single log file located in /var/log/gitlab, for example nginx/gitlab_error.log.
gitlab-ctl tail nginx/gitlab_error.log