From e57d47aea42726b9302ff92c6241f6a4df72b83f Mon Sep 17 00:00:00 2001
From: Michele Cereda <cereda.michele@gmail.com>
Date: Fri, 10 May 2024 00:39:35 +0200
Subject: [PATCH] chore(gitlab): try using docker compose

---
 docker/gitlab/.gitignore                      |  3 +
 docker/gitlab/docker-compose.yml              | 46 ++++++++++++
 docker/gitlab/gitlab_root_password.txt        |  1 +
 .../meta/{main.yml => requirements.yml}       |  0
 knowledge base/ansible.md                     | 16 ++++-
 knowledge base/docker.md                      | 53 +++++++++++++-
 knowledge base/gitlab.md                      | 21 ++++++
 snippets/ansible.tasks.yml                    | 71 +++++++++++++++++++
 snippets/check-port-is-reachable.sh           |  5 ++
 snippets/gitlab.docker.sh                     | 12 ++++
 .../{gitlab.omnibus.sh => gitlab.package.sh}  |  7 ++
 11 files changed, 232 insertions(+), 3 deletions(-)
 create mode 100644 docker/gitlab/.gitignore
 create mode 100644 docker/gitlab/docker-compose.yml
 create mode 100644 docker/gitlab/gitlab_root_password.txt
 rename examples/ansible/role.gitlab-omnibus-on-ec2/meta/{main.yml => requirements.yml} (100%)
 create mode 100644 snippets/gitlab.docker.sh
 rename snippets/{gitlab.omnibus.sh => gitlab.package.sh} (96%)

diff --git a/docker/gitlab/.gitignore b/docker/gitlab/.gitignore
new file mode 100644
index 0000000..0bc3b0e
--- /dev/null
+++ b/docker/gitlab/.gitignore
@@ -0,0 +1,3 @@
+/config
+/data
+/logs
diff --git a/docker/gitlab/docker-compose.yml b/docker/gitlab/docker-compose.yml
new file mode 100644
index 0000000..c0f1299
--- /dev/null
+++ b/docker/gitlab/docker-compose.yml
@@ -0,0 +1,46 @@
+---
+
+# sources:
+# - https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-compose
+
+version: '3.6'
+secrets:
+  gitlab_root_password:
+    file: ./gitlab_root_password.txt
+services:
+  gitlab:
+    container_name: gitlab
+    image: gitlab/gitlab-ce:16.11.2-ce.0
+    restart: unless-stopped
+    hostname: gitlab.lan
+    environment:
+      GITLAB_OMNIBUS_CONFIG:
+        # add any other gitlab.rb configuration here, each on its own line
+        # https not accepteb y Let's Encrypt on .lan (not a valid public domain)
+        |
+        external_url 'http://gitlab.lan'
+        gitlab_rails['initial_root_password'] = File.read('/run/secrets/gitlab_root_password').gsub("\n", "")
+    ports:
+      - '8022:22'
+      - '8080:80'
+      - '8443:443'
+    volumes:
+      - ${PWD}/config:/etc/gitlab:Z
+      - ${PWD}/data:/var/opt/gitlab:Z
+      - ${PWD}/logs:/var/log/gitlab:Z
+    shm_size: 256m
+    secrets:
+      - gitlab_root_password
+    # healthcheck:
+    #   test: >-
+    #     test $(
+    #       curl --fail --insecure --location --output '/dev/null' --silent --show-error --write-out "%{http_code}"
+    #         'http://localhost/'
+    #     ) -eq 200 || exit 1
+    #   interval: 60s
+    #   timeout: 3s
+    #   retries: 3
+    #   start_period:
+    #     # it might take longer
+    #     # also keep an eye out for permission errors
+    #     300s
diff --git a/docker/gitlab/gitlab_root_password.txt b/docker/gitlab/gitlab_root_password.txt
new file mode 100644
index 0000000..c4a3771
--- /dev/null
+++ b/docker/gitlab/gitlab_root_password.txt
@@ -0,0 +1 @@
+StupidlyInsecur3-Passw0rd
diff --git a/examples/ansible/role.gitlab-omnibus-on-ec2/meta/main.yml b/examples/ansible/role.gitlab-omnibus-on-ec2/meta/requirements.yml
similarity index 100%
rename from examples/ansible/role.gitlab-omnibus-on-ec2/meta/main.yml
rename to examples/ansible/role.gitlab-omnibus-on-ec2/meta/requirements.yml
diff --git a/knowledge base/ansible.md b/knowledge base/ansible.md
index 04bab69..1811200 100644
--- a/knowledge base/ansible.md	
+++ b/knowledge base/ansible.md	
@@ -52,7 +52,7 @@ ansible -i 'localhost,' -c 'local' -km 'setup' 'localhost'
 # This will *not* execute the plays inside it.
 ansible-playbook 'path/to/playbook.yml' --syntax-check
 
-# Execute a playbook.
+# Execute playbooks.
 ansible-playbook 'path/to/playbook.yml' -i 'hosts.list'
 ansible-playbook … -i 'host1,host2,hostN,' -l 'hosts,list'
 ansible-playbook … -i 'host1,host2,other,' -l 'hosts-pattern'
@@ -71,6 +71,9 @@ ansible-playbook 'path/to/playbook.yml' --list-tasks
 ansible-playbook … --list-tasks --tags 'configuration,packages'
 ansible-playbook … --list-tasks --skip-tags 'system,user'
 
+# Debug playbooks.
+ANSIBLE_ENABLE_TASK_DEBUGGER=True ansible-playbook …
+
 # List roles installed from Galaxy.
 ansible-galaxy list
 
@@ -269,9 +272,10 @@ ansible-galaxy install -r 'requirements.yml'
 
 ### Role dependencies
 
+Set them up in `role/meta/main.yml`:
+
 ```yaml
 ---
-# role/meta/main.yml
 dependencies:
   - role: common
     vars:
@@ -282,6 +286,14 @@ dependencies:
       other_parameter: 12
 ```
 
+and/or in `role/meta/requirements.yml`:
+
+```yaml
+---
+collections:
+  - community.dns
+```
+
 ## Output formatting
 
 > Introduced in Ansible 2.5
diff --git a/knowledge base/docker.md b/knowledge base/docker.md
index dfdb332..f971c26 100644
--- a/knowledge base/docker.md	
+++ b/knowledge base/docker.md	
@@ -5,6 +5,7 @@
 1. [Daemon configuration](#daemon-configuration)
 1. [Images configuration](#images-configuration)
 1. [Containers configuration](#containers-configuration)
+1. [Health checks](#health-checks)
 1. [Advanced build with `buildx`](#advanced-build-with-buildx)
    1. [Create builders](#create-builders)
    1. [Build for specific platforms](#build-for-specific-platforms)
@@ -262,7 +263,55 @@ Docker mounts specific system files in all containers to forward its settings:
 …
 ```
 
-Those files come from the volume the docker container is using for its root, and are modified on the container's startup with the information from the CLI, the daemon itself and, when missing, the host.
+Those files come from the volume the docker container is using for its root, and are modified on the container's startup
+with the information from the CLI, the daemon itself and, when missing, the host.
+
+## Health checks
+
+The following have the same effect:
+
+<details><summary>Command line</summary>
+
+```sh
+docker run … \
+  --health-cmd 'curl --fail --insecure --silent --show-error http://localhost/ || exit 1' \
+  --health-interval '5m' \
+  --health-timeout '3s' \
+  --health-retries '4' \
+  --health-start-period '10s'
+```
+
+</details>
+<details><summary>Dockerfile</summary>
+
+```Dockerfile
+HEALTHCHECK --interval=5m --timeout=3s --start-period=10s --retries=4 \
+  CMD curl --fail --insecure --silent --show-error http://localhost/ || exit 1
+```
+
+</details>
+<details><summary>Docker-compose file</summary>
+
+```yaml
+version: '3.6'
+services:
+  web-server:
+    healthcheck:
+      test: curl --fail --insecure --silent --show-error http://localhost/ || exit 1
+      interval: 5m
+      timeout: 3s
+      retries: 4
+      start_period: 10s
+    …
+```
+
+</details><br/>
+
+The command's exit status indicates the health status of the container. The possible values are:
+
+- `0`: success - the container is healthy and ready for use
+- `1`: unhealthy - the container isn't working correctly
+- `2`: reserved - don't use this exit code
 
 ## Advanced build with `buildx`
 
@@ -313,6 +362,7 @@ docker load …
 - [Building multi-arch images for ARM and x86 with Docker Desktop]
 - [OpenContainers Image Spec]
 - [Docker ARG, ENV and .env - a Complete Guide]
+- [Configuring HealthCheck in docker-compose]
 
 <!--
   References
@@ -333,6 +383,7 @@ docker load …
 [arch linux wiki]: https://wiki.archlinux.org/index.php/Docker
 [cheatsheet]: https://collabnix.com/docker-cheatsheet/
 [configuring dns]: https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html
+[configuring healthcheck in docker-compose]: https://medium.com/@saklani1408/configuring-healthcheck-in-docker-compose-3fa6439ee280
 [docker arg, env and .env - a complete guide]: https://vsupalov.com/docker-arg-env-variable-guide/
 [getting around docker's host network limitation on mac]: https://medium.com/@lailadahi/getting-around-dockers-host-network-limitation-on-mac-9e4e6bfee44b
 [opencontainers image spec]: https://specs.opencontainers.org/image-spec/
diff --git a/knowledge base/gitlab.md b/knowledge base/gitlab.md
index 59e2c95..a41c27b 100644
--- a/knowledge base/gitlab.md	
+++ b/knowledge base/gitlab.md	
@@ -18,6 +18,7 @@
 1. [Troubleshooting](#troubleshooting)
    1. [Use access tokens to clone projects](#use-access-tokens-to-clone-projects)
    1. [Pipeline fails with error `You are not allowed to download code from this project`](#pipeline-fails-with-error-you-are-not-allowed-to-download-code-from-this-project)
+   1. [Gitlab keeps answering with code 502](#gitlab-keeps-answering-with-code-502)
 1. [Further readings](#further-readings)
    1. [Sources](#sources)
 
@@ -639,6 +640,24 @@ Root cause: the user starting the pipeline does not have enough privileges to th
 
 Solution: give that user _developer_ access or have somebody else with enough privileges run it.
 
+### Gitlab keeps answering with code 502
+
+Refer [The docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership].
+
+Error message example:
+
+> ==> /var/log/gitlab/nginx/gitlab_error.log <==<br/>
+> 2024/05/09 20:57:57 \[crit] 617#0: *26 connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13:
+> Permission denied) while connecting to upstream, client: 172.21.0.1, server: gitlab.lan, request: "GET / HTTP/2.0",
+> upstream: "http\://unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket:/", host: "gitlab.lan:8443"
+
+Context: Gitlab 16.11.2 CE running from Docker image.
+
+Root cause: the socket's permissions are mapped incorrectly.
+
+Solution: set the correct ownership with
+`docker exec 'gitlab' chown 'gitlab-www:git' '/var/opt/gitlab/gitlab-workhorse/sockets/socket'`.
+
 ## Further readings
 
 - Gitlab's helm [chart]
@@ -682,6 +701,7 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 - [Restore GitLab]
 - [How to disable the Two-factor authentication in GitLab?]
 - [How to Upgrade Your Omnibus GitLab]
+- [The docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership]
 
 <!--
   Reference
@@ -728,6 +748,7 @@ Solution: give that user _developer_ access or have somebody else with enough pr
 [sign-up restrictions]: https://docs.gitlab.com/ee/administration/settings/sign_up_restrictions.html
 [specify when jobs run with rules]: https://docs.gitlab.com/ee/ci/jobs/job_rules.html
 [support object storage bucket prefixes]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3376
+[the docker images for gitlab-ce and gitlab-ee start workhorse with incorrect socket ownership]: https://gitlab.com/gitlab-org/gitlab/-/issues/349846#note_1516339762
 [tls]: https://docs.gitlab.com/charts/installation/tls.html
 [tutorial: use buildah in a rootless container with gitlab runner operator on openshift]: https://docs.gitlab.com/ee/ci/docker/buildah_rootless_tutorial.html
 [use ci/cd configuration from other files]: https://docs.gitlab.com/ee/ci/yaml/includes.html
diff --git a/snippets/ansible.tasks.yml b/snippets/ansible.tasks.yml
index c7c4c57..abb86a8 100644
--- a/snippets/ansible.tasks.yml
+++ b/snippets/ansible.tasks.yml
@@ -5,3 +5,74 @@
   ansible.builtin.file:
     path: /tmp/path/to/final/dir
     state: directory
+
+- name: Import tasks
+  block:
+    - name: By using absolute paths and special variables (preferred)
+      ansible.builtin.import_tasks:
+      file: "{{ role_path }}/tasks/install/{{ install_method }}.yml"
+    - name: By using paths relative to the including file
+      ansible.builtin.import_tasks:
+      file: pre-flight.yml
+
+- name: Conditionally include tasks
+  block:
+    - name: by leveraging the 'with_fileglob' loop filter (preferred)
+      ansible.builtin.include_tasks:
+        file: "{{ item }}"
+      with_fileglob: "{{ install_method }}.yml"
+    - name: by checking the files' existence
+      vars:
+        filename: "{{ install_method }}.yml"
+      when: lookup('ansible.builtin.fileglob', filename) != []
+      ansible.builtin.import_tasks:
+        file: "{{ filename }}"
+
+- name: Assertions
+  ansible.builtin.assert:
+    that:
+      - install_method in supported_install_methods
+      - external_url is ansible.builtin.url
+    fail_msg: What to say if any of the above conditions fail
+    success_msg: What to say if all of the above conditions succeed
+
+- name: Pretty print information
+  ansible.builtin.debug:
+    msg: >-
+      {{
+        dict([
+          [ 'install_method', install_method ],
+          [ 'install_method in supported_install_methods', install_method in supported_install_methods ],
+        ])
+      }}
+
+- name: Generate passwords
+  block:
+    - name: Randomly
+      ansible.builtin.debug:
+        msg: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
+    - name: Specifying requirements
+      ansible.builtin.debug:
+        msg: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_letters,digits,punctuation') }}"
+    - name: Random but idempotent, so it will not change at every execution
+      ansible.builtin.debug:
+        msg: "{{ lookup('ansible.builtin.password', '/dev/null', seed=inventory_hostname) }}"
+
+- name: Run containers
+  community.docker.docker_container:
+    name: gitlab
+    image: gitlab/gitlab-ce:16.11.2-ce.0
+    hostname: gitlab.lan
+    published_ports:
+      - "8022:22"
+      - "8080:80"
+      - "8443:443"
+    env:
+      GITLAB_OMNIBUS_CONFIG: >-
+        external_url 'http://gitlab.lan';
+    shm_size: 256m
+    volumes:
+      - ./config:/etc/gitlab:Z
+      - ./logs:/var/log/gitlab:Z
+      - ./data:/var/opt/gitlab:Z
+    auto_remove: true
diff --git a/snippets/check-port-is-reachable.sh b/snippets/check-port-is-reachable.sh
index 9743afa..2647f47 100644
--- a/snippets/check-port-is-reachable.sh
+++ b/snippets/check-port-is-reachable.sh
@@ -8,9 +8,14 @@
 nc -vz  -w '3' 'localhost' '80'
 nc -nvz -w '3' '127.0.0.1' '80'
 
+nc 'localhost' '22' -e true  # busybox's nc
+
 timeout '3' cat < '/dev/tcp/localhost/80'
 timeout '3' cat < '/dev/tcp/127.0.0.1/80'
 
+curl -fsS -o '/dev/null' -w "%{http_code}" --connect-timeout '3' 'http://www.example.org/'
+curl -fksS -o '/dev/null' -w "%{http_code}" --connect-timeout '3' 'https://www.example.org/'
+
 
 # UDP
 
diff --git a/snippets/gitlab.docker.sh b/snippets/gitlab.docker.sh
new file mode 100644
index 0000000..66f5aaa
--- /dev/null
+++ b/snippets/gitlab.docker.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+# Fix permission errors when it keeps answering 502 and this log message appears:
+# connect() to unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket failed (13: Permission denied)
+docker exec 'gitlab' chown 'gitlab-www:git' '/var/opt/gitlab/gitlab-workhorse/sockets/socket'
+
+# Given by Gitlab itself, but not sure it actually does anything
+docker exec 'gitlab' update-permissions
+
+# Health checks
+docker exec 'gitlab' curl -fksLS -o '/dev/null' -w "%{http_code}" 'https://localhost/'
+nc localhost 22 -e true
diff --git a/snippets/gitlab.omnibus.sh b/snippets/gitlab.package.sh
similarity index 96%
rename from snippets/gitlab.omnibus.sh
rename to snippets/gitlab.package.sh
index ec8f53a..db1d6f7 100644
--- a/snippets/gitlab.omnibus.sh
+++ b/snippets/gitlab.package.sh
@@ -108,6 +108,13 @@ sudo gitlab-rails runner '
 	user.save!
 '
 
+# Create tokens
+sudo gitlab-rails runner '
+	token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api, :sudo], name: 'Automation');
+	token.set_token('TwentyCharacterToken.');
+	token.save!
+'
+
 # Disable users' two factor authentication.
 sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
 sudo gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)'