Gitlab gotchas

From I Will Fear No Evil
Revision as of 17:07, 3 February 2022 by Chubbard

Source Notes

Enable GitLab Container Registry on an instance running HAProxy.

Edit the GitLab configuration file /etc/gitlab/gitlab.rb to define the registry address.
  registry_external_url 'https://registry.example.org/'

Beware, parameters like nginx['listen_https'] = false and nginx['listen_port'] = 80 have no effect here.

Ensure that the /etc/gitlab/ssl directory exists.
  $ sudo mkdir -p /etc/gitlab/ssl

Generate a self-signed SSL certificate.
  $ sudo openssl req -subj "/commonName=registry.example.org/" -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/gitlab/ssl/registry.example.org.key -out /etc/gitlab/ssl/registry.example.org.crt

Reconfigure GitLab instance.
  $ sudo gitlab-ctl reconfigure

Working config for iwillfearnoevil.com

Caution must be used: a wildcard (WC) cert does not allow for registry.gitlab, and TBH the registry should be addressed by IP. However, the ELB/HAProxy host can carry the registry name and forward to port 5050 for outside-world connections.

The external URL is what the local machine is offering; a different name can be used on a LB that forwards TO that external URL. Same deal with the registry, however it is an odd duck. Recommend using the IP address as it is seen over the internet.

Gitlab BUG describing this behavior

external_url 'http://gitlab01.iwillfearnoevil.com'

letsencrypt['enable'] = false
registry_external_url 'https://192.168.15.190:5050'

nginx['enable'] = true
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = '/etc/gitlab/ssl/iwillfearnoevil.com.pem'
nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/iwillfearnoevil.com.pem'

registry_nginx['enable'] = true
registry_nginx['listen_port'] = 5050
registry_nginx['ssl_certificate'] = '/etc/gitlab/ssl/iwillfearnoevil.com.pem'
registry_nginx['ssl_certificate_key'] = '/etc/gitlab/ssl/iwillfearnoevil.com.pem'
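
The wildcard and by-IP caveats above can be checked before a certificate is handed to registry_nginx. The script below is an added example, not part of the original notes: it generates a self-signed certificate with subjectAltName entries (current Docker clients validate against these rather than the commonName) and tests which names it covers. The names example.org and 192.0.2.x are constructed placeholders, and OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example. example.org and 192.0.2.x are constructed placeholder values.

# make_cert DIR SANS: write a self-signed key and cert into DIR with the given
# subjectAltName list (needs OpenSSL 1.1.1 or newer for -addext).
make_cert() {
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
        -subj "/CN=registry.example.org" \
        -addext "subjectAltName=$2" \
        -keyout "$1/registry.key" -out "$1/registry.crt" 2>/dev/null || return 1
    chmod 600 "$1/registry.key"
}

# covers CERT host|ip NAME: return 0 only if CERT is valid for NAME.
covers() {
    if [ "$2" = ip ]; then check=-checkip; else check=-checkhost; fi
    openssl x509 -in "$1" -noout "$check" "$3" | grep -q 'does match certificate'
}

# demo: build a wildcard+IP cert in a temp dir and report what it covers.
demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" "DNS:*.example.org,IP:192.0.2.10" || return 1
    for t in host:registry.example.org host:registry.gitlab.example.org \
             ip:192.0.2.10 ip:192.0.2.11; do
        if covers "$tmp/registry.crt" "${t%%:*}" "${t#*:}"; then
            echo "covered     ${t#*:}"
        else
            echo "NOT covered ${t#*:}"
        fi
    done
    rm -rf "$tmp"
}

demo
```

A wildcard matches exactly one DNS label, so the two-level name is rejected, and an IP address is only accepted when it appears as an IP entry in the SAN list.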

Login gotcha: you must sudo!!

chubbard@guyver-office:~$ docker login --username chubbard gitlab01.iwillfearnoevil.com:5050
Password: 
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth: dial unix /var/run/docker.sock: connect: permission denied
chubbard@guyver-office:~$ sudo docker login --username chubbard gitlab01.iwillfearnoevil.com:5050
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
chubbard@guyver-office:~$ 

Error message when doing docker login due to no X11

Fix for X11 error

The simplest solution to fix the “Cannot autolaunch D-Bus without X11 $DISPLAY” error is to install pass, the standard UNIX password manager. You do not need to remove docker-compose! However, pass depends on gpg, so you will need to install two applications.

You can install pass and gpg using the following command:

Ubuntu / Debian

sudo apt-get install pass gnupg2

# create a gpg2 key
gpg2 --gen-key

# create the password store using the gpg user id
# ($gpg_id must hold the ID or e-mail of the key created above)
pass init "$gpg_id"