chore(gitlab): try using docker compose

2026-02-08 21:34:25 +00:00 · 2024-05-10 00:39:35 +02:00
parent 2215e8c784
commit e57d47aea4
11 changed files with 232 additions and 3 deletions
--- a/docker/gitlab/.gitignore
+++ b/docker/gitlab/.gitignore
@@ -0,0 +1,3 @@
+/config
+/data
+/logs
--- a/docker/gitlab/docker-compose.yml
+++ b/docker/gitlab/docker-compose.yml
@@ -0,0 +1,46 @@
+---
+
+# sources:
+# - https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-compose
+
+version: '3.6'
+secrets:
+  gitlab_root_password:
+    file: ./gitlab_root_password.txt
+services:
+  gitlab:
+    container_name: gitlab
+    image: gitlab/gitlab-ce:16.11.2-ce.0
+    restart: unless-stopped
+    hostname: gitlab.lan
+    environment:
+      GITLAB_OMNIBUS_CONFIG:
+        # add any other gitlab.rb configuration here, each on its own line
+        # https not accepteb y Let's Encrypt on .lan (not a valid public domain)
+        |
+        external_url 'http://gitlab.lan'
+        gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password').gsub("\n", "")
+    ports:
+      - '8022:22'
+      - '8080:80'
+      - '8443:443'
+    volumes:
+      - ${PWD}/config:/etc/gitlab:Z
+      - ${PWD}/data:/var/opt/gitlab:Z
+      - ${PWD}/logs:/var/log/gitlab:Z
+    shm_size: 256m
+    secrets:
+      - gitlab_root_password
+    # healthcheck:
+    #   test: >-
+    #     test $(
+    #       curl --fail --insecure --location --output '/dev/null' --silent --show-error --write-out "%{http_code}"
+    #         'http://localhost/'
+    #     ) -eq 200 || exit 1
+    #   interval: 60s
+    #   timeout: 3s
+    #   retries: 3
+    #   start_period:
+    #     # it might take longer
+    #     # also keep an eye out for permission errors
+    #     300s
--- a/docker/gitlab/gitlab_root_password.txt
+++ b/docker/gitlab/gitlab_root_password.txt
@@ -0,0 +1 @@
+StupidlyInsecur3-Passw0rd
--- a/examples/ansible/role.gitlab-omnibus-on-ec2/meta/requirements.yml
+++ b/examples/ansible/role.gitlab-omnibus-on-ec2/meta/requirements.yml
--- a/base/ansible.md
+++ b/base/ansible.md
@@ -52,7 +52,7 @@ ansible -i 'localhost,' -c 'local' -km 'setup' 'localhost'
 # This will *not* execute the plays inside it.
 ansible-playbook 'path/to/playbook.yml' --syntax-check

-# Execute a playbook.
+# Execute playbooks.
 ansible-playbook 'path/to/playbook.yml' -i 'hosts.list'
 ansible-playbook … -i 'host1,host2,hostN,' -l 'hosts,list'
 ansible-playbook … -i 'host1,host2,other,' -l 'hosts-pattern'
@@ -71,6 +71,9 @@ ansible-playbook 'path/to/playbook.yml' --list-tasks
 ansible-playbook … --list-tasks --tags 'configuration,packages'
 ansible-playbook … --list-tasks --skip-tags 'system,user'

+# Debug playbooks.
+ANSIBLE_ENABLE_TASK_DEBUGGER=True ansible-playbook …
+
 # List roles installed from Galaxy.
 ansible-galaxy list

@@ -269,9 +272,10 @@ ansible-galaxy install -r 'requirements.yml'

 ### Role dependencies

+Set them up in `role/meta/main.yml`:
+
 ```yaml
 ---
-# role/meta/main.yml
 dependencies:
  - role: common
    vars:
@@ -282,6 +286,14 @@ dependencies:
      other_parameter: 12
 ```

+and/or in `role/meta/requirements.yml`:
+
+```yaml
+---
+collections:
+  - community.dns
+```
+
 ## Output formatting

 > Introduced in Ansible 2.5
--- a/base/docker.md
+++ b/base/docker.md
@@ -5,6 +5,7 @@
 1. [Daemon configuration](#daemon-configuration)
 1. [Images configuration](#images-configuration)
 1. [Containers configuration](#containers-configuration)
+1. [Health checks](#health-checks)
 1. [Advanced build with `buildx`](#advanced-build-with-buildx)
   1. [Create builders](#create-builders)
   1. [Build for specific platforms](#build-for-specific-platforms)
@@ -262,7 +263,55 @@ Docker mounts specific system files in all containers to forward its settings:
 …
 ```

-Those files come from the volume the docker container is using for its root, and are modified on the container's startup with the information from the CLI, the daemon itself and, when missing, the host.
+Those files come from the volume the docker container is using for its root, and are modified on the container's startup
+with the information from the CLI, the daemon itself and, when missing, the host.
+
+## Health checks
+
+The following have the same effect:
+
+<details><summary>Command line</summary>
+
+```sh
+docker run … \
+  --health-cmd 'curl --fail --insecure --silent --show-error http://localhost/ || exit 1' \
+  --health-interval '5m' \
+  --health-timeout '3s' \
+  --health-retries '4' \
+  --health-start-period '10s'
+```
+
+</details>
+<details><summary>Dockerfile</summary>
+
+```Dockerfile
+HEALTHCHECK --interval=5m --timeout=3s --start-period=10s --retries=4 \
+  CMD curl --fail --insecure --silent --show-error http://localhost/ || exit 1
+```
+
+</details>
+<details><summary>Docker-compose file</summary>
+
+```yaml
+version: '3.6'
+services:
+  web-server:
+    healthcheck:
+      test: curl --fail --insecure --silent --show-error http://localhost/ || exit 1
+      interval: 5m
+      timeout: 3s
+      retries: 4
+      start_period: 10s
+    …
+```
+
+</details><br/>
+
+The command's exit status indicates the health status of the container. The possible values are:
+
+- `0`: success - the container is healthy and ready for use
+- `1`: unhealthy - the container isn't working correctly
+- `2`: reserved - don't use this exit code

 ## Advanced build with `buildx`

@@ -313,6 +362,7 @@ docker load …
 - [Building multi-arch images for ARM and x86 with Docker Desktop]
 - [OpenContainers Image Spec]
 - [Docker ARG, ENV and .env - a Complete Guide]
+- [Configuring HealthCheck in docker-compose]

 <!--
  References
@@ -333,6 +383,7 @@ docker load …
 [arch linux wiki]: https://wiki.archlinux.org/index.php/Docker
 [cheatsheet]: https://collabnix.com/docker-cheatsheet/
 [configuring dns]: https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html
+[configuring healthcheck in docker-compose]: https://medium.com/@saklani1408/configuring-healthcheck-in-docker-compose-3fa6439ee280
 [docker arg, env and .env - a complete guide]: https://vsupalov.com/docker-arg-env-variable-guide/
 [getting around docker's host network limitation on mac]: https://medium.com/@lailadahi/getting-around-dockers-host-network-limitation-on-mac-9e4e6bfee44b
 [opencontainers image spec]: https://specs.opencontainers.org/image-spec/
--- a/base/gitlab.md
+++ b/base/gitlab.md
@@ -18,6 +18,7 @@
 1. [Troubleshooting](#troubleshooting)
   1. [Use access tokens to clone projects](#use-access-tokens-to-clone-projects)
   1. [Pipeline fails with error `You are not allowed to download code from this project`](#pipeline-fails-with-error-you-are-not-allowed-to-download-code-from-this-project)
+   1. [Gitlab keeps answering with code 502](#gitlab-keeps-answering-with-code-502)
 1. [Further readings](#further-readings)
   1. [Sources](#sources)

@@ -639,6 +640,24 @@ Root cause: the user starting the pipeline does not have enough privileges to th

 Solution: give that user _developer_ access or have somebody else with enough privileges run it.

+### Gitlab keeps answering with code 502
+
+Refer [The docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership].
+
+Error message example:
+
+> ==> /var/log/gitlab/nginx/gitlab_error.log <==<br/>
+> 2024/05/09 20:57:57 \[crit] 617#0: *26 connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13:
+> Permission denied) while connecting to upstream, client: 172.21.0.1, server: gitlab.lan, request: "GET / HTTP/2.0",
+> upstream: "http\://unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket:/", host: "gitlab.lan:8443"
+
+Context: Gitlab 16.11.2 CE running from Docker image.
+
+Root cause: the socket's permissions are mapped incorrectly.
+
+Solution: set the correct ownership with
+`docker exec 'gitlab' chown 'gitlab-www:git' '/var/opt/gitlab/gitlab-workhorse/sockets/socket'`.
+
 ## Further readings

 - Gitlab's helm [chart]
@@ -682,6 +701,7 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 - [Restore GitLab]
 - [How to disable the Two-factor authentication in GitLab?]
 - [How to Upgrade Your Omnibus GitLab]
+- [The docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership]

 <!--
  Reference
@@ -728,6 +748,7 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 [sign-up restrictions]: https://docs.gitlab.com/ee/administration/settings/sign_up_restrictions.html
 [specify when jobs run with rules]: https://docs.gitlab.com/ee/ci/jobs/job_rules.html
 [support object storage bucket prefixes]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3376
+[the docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership]: https://gitlab.com/gitlab-org/gitlab/-/issues/349846#note_1516339762
 [tls]: https://docs.gitlab.com/charts/installation/tls.html
 [tutorial: use buildah in a rootless container with gitlab runner operator on openshift]: https://docs.gitlab.com/ee/ci/docker/buildah_rootless_tutorial.html
 [use ci/cd configuration from other files]: https://docs.gitlab.com/ee/ci/yaml/includes.html
--- a/snippets/ansible.tasks.yml
+++ b/snippets/ansible.tasks.yml
@@ -5,3 +5,74 @@
  ansible.builtin.file:
    path: /tmp/path/to/final/dir
    state: directory
+
+- name: Import tasks
+  block:
+    - name: By using absolute paths and special variables (preferred)
+      ansible.builtin.import_tasks:
+      file: "{{ role_path }}/tasks/install/{{ install_method }}.yml"
+    - name: By using paths relative to the including file
+      ansible.builtin.import_tasks:
+      file: pre-flight.yml
+
+- name: Conditionally include tasks
+  block:
+    - name: by leveraging the 'with_fileglob' loop filter (preferred)
+      ansible.builtin.include_tasks:
+        file: "{{ item }}"
+      with_fileglob: "{{ install_method }}.yml"
+    - name: by checking the files' existence
+      vars:
+        filename: "{{ install_method }}.yml"
+      when: lookup('ansible.builtin.fileglob', filename) != []
+      ansible.builtin.import_tasks:
+        file: "{{ filename }}"
+
+- name: Assertions
+  ansible.builtin.assert:
+    that:
+      - install_method in supported_install_methods
+      - external_url is ansible.builtin.url
+    fail_msg: What to say if any of the above conditions fail
+    success_msg: What to say if all of the above conditions succeed
+
+- name: Pretty print information
+  ansible.builtin.debug:
+    msg: >-
+      {{
+        dict([
+          [ 'install_method', install_method ],
+          [ 'install_method in supported_install_methods', install_method in supported_install_methods ],
+        ])
+      }}
+
+- name: Generate passwords
+  block:
+    - name: Randomly
+      ansible.builtin.debug:
+        msg: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
+    - name: Specifying requirements
+      ansible.builtin.debug:
+        msg: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_letters,digits,punctuation') }}"
+    - name: Random but idempotent, so it will not change at every execution
+      ansible.builtin.debug:
+        msg: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
+
+- name: Run containers
+  community.docker.docker_container:
+    name: gitlab
+    image: gitlab/gitlab-ce:16.11.2-ce.0
+    hostname: gitlab.lan
+    published_ports:
+      - "8022:22"
+      - "8080:80"
+      - "8443:443"
+    env:
+      GITLAB_OMNIBUS_CONFIG: >-
+        external_url 'http://gitlab.lan';
+    shm_size: 256m
+    volumes:
+      - ./config:/etc/gitlab:Z
+      - ./logs:/var/log/gitlab:Z
+      - ./data:/var/opt/gitlab:Z
+    auto_remove: true
--- a/snippets/check-port-is-reachable.sh
+++ b/snippets/check-port-is-reachable.sh
@@ -8,9 +8,14 @@
 nc -vz  -w '3' 'localhost' '80'
 nc -nvz -w '3' '127.0.0.1' '80'

+nc 'localhost' '22' -e true  # busybox's nc
+
 timeout '3' cat < '/dev/tcp/localhost/80'
 timeout '3' cat < '/dev/tcp/127.0.0.1/80'

+curl -fsS -o '/dev/null' -w "%{http_code}" --connect-timeout '3' 'http://www.example.org/'
+curl -fksS -o '/dev/null' -w "%{http_code}" --connect-timeout '3' 'https://www.example.org/'
+

 # UDP

--- a/snippets/gitlab.docker.sh
+++ b/snippets/gitlab.docker.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+# Fix permission errors when it keeps answering 502 and this log message appears:
+# connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13: Permission denied)
+docker exec 'gitlab' chown 'gitlab-www:git' '/var/opt/gitlab/gitlab-workhorse/sockets/socket'
+
+# Given by Gitlab itself, but not sure it actually does anything
+docker exec 'gitlab' update-permissions
+
+# Health checks
+docker exec 'gitlab' curl -fksLS -o '/dev/null' -w "%{http_code}" 'https://localhost/'
+nc localhost 22 -e true
--- a/snippets/gitlab.package.sh
+++ b/snippets/gitlab.package.sh
@@ -108,6 +108,13 @@ sudo gitlab-rails runner '
 	user.save!
 '

+# Create tokens
+sudo gitlab-rails runner '
+	token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api, :sudo], name: 'Automation');
+	token.set_token('TwentyCharacterToken.');
+	token.save!
+'
+
 # Disable users' two factor authentication.
 sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
 sudo gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)'