- Introduction
- Contributing
- Team
- Issues
- Announcements
- Prerequisites
- Installation
- Quick Start
- Configuration
- Maintenance
- Monitoring
- Container Registry
- Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry
- References
Dockerfile to build a GitLab image for the Docker opensource container platform.
GitLab CE is set up in the Docker image using the install from source method as documented in the the official GitLab documentation.
For other methods to install GitLab please refer to the Official GitLab Installation Guide which includes a GitLab image for Docker.
If you find this image useful here's how you can help:
- Send a Pull Request with your awesome new features and bug fixes
- Be a part of the community and help resolve Issues
- Support the development of this image with a donation
See Contributors for the complete list developers that have contributed to this project.
Docker is a relatively new project and is active being developed and tested by a thriving community of developers and testers and every release of docker features many enhancements and bugfixes.
Given the nature of the development and release cycle it is very important that you have the latest version of docker installed because any issue that you encounter might have already been fixed with a newer docker release.
Install the most recent version of the Docker Engine for your platform using the official Docker releases, which can also be installed using:
wget -qO- https://get.docker.com/ | shFedora and RHEL/CentOS users should try disabling selinux with setenforce 0 and check if resolves the issue. If it does than there is not much that I can help you with. You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu.
You may also set DEBUG=true to enable debugging of the entrypoint script, which could help you pin point any configuration issues.
If using the latest docker version and/or disabling selinux does not fix the issue then please file a issue request on the issues page.
In your issue report please make sure you provide the following information:
- The host distribution and release version.
- Output of the
docker versioncommand - Output of the
docker infocommand - The
docker runcommand you used to run the image (mask out the sensitive bits).
Your docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab hardware requirements documentation for additional information.
Automated builds of the image are available on Dockerhub and is the recommended method of installation.
docker pull sameersbn/gitlab:13.8.1You can also pull the latest tag which is built from the repository HEAD
docker pull sameersbn/gitlab:latestAlternatively you can build the image locally.
docker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlabThe quickest way to get started is using docker-compose.
wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.ymlGenerate random strings that are at least 64 characters long for each of GITLAB_SECRETS_OTP_KEY_BASE, GITLAB_SECRETS_DB_KEY_BASE, and GITLAB_SECRETS_SECRET_KEY_BASE. These values are used for the following:
GITLAB_SECRETS_OTP_KEY_BASEis used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.GITLAB_SECRETS_DB_KEY_BASEis used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.GITLAB_SECRETS_SECRET_KEY_BASEis used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.
Tip: You can generate a random string using
pwgen -Bsv1 64and assign it as the value ofGITLAB_SECRETS_DB_KEY_BASE.
Start GitLab using:
docker-compose upAlternatively, you can manually launch the gitlab container and the supporting postgresql and redis containers by following this three step guide.
Step 1. Launch a postgresql container
docker run --name gitlab-postgresql -d \
--env 'DB_NAME=gitlabhq_production' \
--env 'DB_USER=gitlab' --env 'DB_PASS=password' \
--env 'DB_EXTENSION=pg_trgm' \
--volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \
sameersbn/postgresql:12-20200524Step 2. Launch a redis container
docker run --name gitlab-redis -d \
--volume /srv/docker/gitlab/redis:/var/lib/redis \
sameersbn/redis:4.0.9-2Step 3. Launch the gitlab container
docker run --name gitlab -d \
--link gitlab-postgresql:postgresql --link gitlab-redis:redisio \
--publish 10022:22 --publish 10080:80 \
--env 'GITLAB_PORT=10080' --env 'GITLAB_SSH_PORT=10022' \
--env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \
--env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \
--env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1Please refer to Available Configuration Parameters to understand GITLAB_PORT and other configuration options
NOTE: Please allow a couple of minutes for the GitLab application to start.
Point your browser to http://localhost:10080 and set a password for the root user account.
You should now have the GitLab application up and ready for testing. If you want to use this image in production then please read on.
The rest of the document will use the docker command line. You can quite simply adapt your configuration into a docker-compose.yml file if you wish to do so.
GitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. To avoid losing any data, you should mount a volume at,
/home/git/data
Note that if you are using the docker-compose approach, this has already been done for you.
SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.
mkdir -p /srv/docker/gitlab/gitlab
sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/gitlabVolumes can be mounted in docker by specifying the -v option in the docker run command.
docker run --name gitlab -d \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1GitLab uses a database backend to store its data. You can configure this image to use PostgreSQL.
Note: GitLab requieres PostgreSQL now. So use an older image < 12.1 or migrate to PostgresSQL
NOTE: version 13.7.0 and later requires PostgreSQL version 12.x
The image also supports using an external PostgreSQL Server. This is also controlled via environment variables.
CREATE ROLE gitlab with LOGIN CREATEDB PASSWORD 'password';
CREATE DATABASE gitlabhq_production;
GRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab;Additionally since GitLab 8.6.0 the pg_trgm extension should also be loaded for the gitlabhq_production database.
We are now ready to start the GitLab application.
Assuming that the PostgreSQL server host is 192.168.1.100
docker run --name gitlab -d \
--env 'DB_HOST=192.168.1.100' \
--env 'DB_NAME=gitlabhq_production' \
--env 'DB_USER=gitlab' --env 'DB_PASS=password' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to postgresql while linking with the gitlab image.
If a postgresql container is linked, only the DB_HOST and DB_PORT settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the DB_NAME, DB_USER, DB_PASS and so on.
To illustrate linking with a postgresql container, we will use the sameersbn/postgresql image. When using postgresql image in production you should mount a volume for the postgresql data store. Please refer the README of docker-postgresql for details.
First, lets pull the postgresql image from the docker index.
docker pull sameersbn/postgresql:12-20200524For data persistence lets create a store for the postgresql and start the container.
SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.
mkdir -p /srv/docker/gitlab/postgresql
sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/postgresqlThe run command looks like this.
docker run --name gitlab-postgresql -d \
--env 'DB_NAME=gitlabhq_production' \
--env 'DB_USER=gitlab' --env 'DB_PASS=password' \
--env 'DB_EXTENSION=pg_trgm' \
--volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \
sameersbn/postgresql:12-20200524The above command will create a database named gitlabhq_production and also create a user named gitlab with the password password with access to the gitlabhq_production database.
We are now ready to start the GitLab application.
docker run --name gitlab -d --link gitlab-postgresql:postgresql \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1Here the image will also automatically fetch the DB_NAME, DB_USER and DB_PASS variables from the postgresql container as they are specified in the docker run command for the postgresql container. This is made possible using the magic of docker links and works with the following images:
When this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL.
If you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL.
If you are using PostgreSQL image other than sameersbn/postgresql you will need make sure that the image you are using can handle migration itself, or, you will need to migrate the data yourself before starting newer version of PostgreSQL.
Following project provides Docker image that handles migration of PostgreSQL data: tianon/postgres-upgrade
After migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is pg_hba.conf, it will need to be copied from old version data folder into new version data folder.
GitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables.
The internal redis server has been removed from the image. Please use a linked redis container or specify a external redis connection.
The image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image.
Assuming that the redis server host is 192.168.1.100
docker run --name gitlab -it --rm \
--env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \
sameersbn/gitlab:13.8.1You can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to redisio while linking with the gitlab image.
To illustrate linking with a redis container, we will use the sameersbn/redis image. Please refer the README of docker-redis for details.
First, lets pull the redis image from the docker index.
docker pull sameersbn/redis:4.0.9-2Lets start the redis container
docker run --name gitlab-redis -d \
--volume /srv/docker/gitlab/redis:/var/lib/redis \
sameersbn/redis:4.0.9-2We are now ready to start the GitLab application.
docker run --name gitlab -d --link gitlab-redis:redisio \
sameersbn/gitlab:13.8.1The mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers.
If you are using Gmail then all you need to do is:
docker run --name gitlab -d \
--env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1Please refer the Available Configuration Parameters section for the list of SMTP parameters that can be specified.
Since version 8.0.0 GitLab adds support for commenting on issues by replying to emails.
To enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify GITLAB_INCOMING_EMAIL_ADDRESS if your incoming email address is not the same as the IMAP_USER.
If your email provider supports email sub-addressing then you should add the +%{key} placeholder after the user part of the email address, eg. GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com. Please read the documentation on reply by email to understand the requirements for this feature.
If you are using Gmail then all you need to do is:
docker run --name gitlab -d \
--env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \
--env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1Please refer the Available Configuration Parameters section for the list of IMAP parameters that can be specified.
Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.
Jump to the Using HTTPS with a load balancer section if you are using a load balancer such as hipache, haproxy or nginx.
To secure your application via SSL you basically need two things:
- Private key (.key)
- SSL certificate (.crt)
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip to Strengthening the server security section if you are armed with CA certified SSL certificates.
Generation of a self-signed SSL certificate involves a simple 3-step procedure:
STEP 1: Create the server private key
openssl genrsa -out gitlab.key 2048STEP 2: Create the certificate signing request (CSR)
openssl req -new -key gitlab.key -out gitlab.csrSTEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crtCongratulations! You now have a self-signed SSL certificate valid for 10 years.
This section provides you with instructions to strengthen your server security. To achieve this we need to generate stronger DHE parameters.
openssl dhparam -out dhparam.pem 2048Out of the four files generated above, we need to install the gitlab.key, gitlab.crt and dhparam.pem files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the gitlab application is configured to look for the SSL certificates is at /home/git/data/certs, this can however be changed using the SSL_KEY_PATH, SSL_CERTIFICATE_PATH and SSL_DHPARAM_PATH configuration options.
If you remember from above, the /home/git/data path is the path of the data store, which means that we have to create a folder named certs/ inside /srv/docker/gitlab/gitlab/ and copy the files into it and as a measure of security we'll update the permission on the gitlab.key file to only be readable by the owner.
mkdir -p /srv/docker/gitlab/gitlab/certs
cp gitlab.key /srv/docker/gitlab/gitlab/certs/
cp gitlab.crt /srv/docker/gitlab/gitlab/certs/
cp dhparam.pem /srv/docker/gitlab/gitlab/certs/
chmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.keyGreat! we are now just one step away from having our application secured.
HTTPS support can be enabled by setting the GITLAB_HTTPS option to true. Additionally, when using self-signed SSL certificates you need to the set SSL_SELF_SIGNED option to true as well. Assuming we are using self-signed certificates
docker run --name gitlab -d \
--publish 10022:22 --publish 10080:80 --publish 10443:443 \
--env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \
--env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.
HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value.
With NGINX_HSTS_MAXAGE you can configure that value. The default value is 31536000 seconds. If you want to disable a already sent HSTS MAXAGE value, set it to 0.
docker run --name gitlab -d \
--env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
--env 'NGINX_HSTS_MAXAGE=2592000' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1If you want to completely disable HSTS set NGINX_HSTS_ENABLED to false.
Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should NOT be installed in the container. The SSL configuration has to instead be done at the load balancer.
However, when using a load balancer you MUST set GITLAB_HTTPS to true. Additionally you will need to set the SSL_SELF_SIGNED option to true if self signed SSL certificates are in use.
With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to Using SSL/HTTPS with HAProxy for information on the subject.
When using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.
In summation, when using a load balancer, the docker command would look for the most part something like this:
docker run --name gitlab -d \
--publish 10022:22 --publish 10080:80 \
--env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \
--env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1Again, drop the --env 'SSL_SELF_SIGNED=true' option if you are using CA certified SSL certificates.
In case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration:
proxy_set_header X-Forwarded-Ssl on; (nginx format)
This section deals will self-signed ssl certificates. If you are using CA certified certificates, your done.
This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they.
This is simply done by adding the servers certificate into their list of trusted certificates. On ubuntu, this is done by copying the gitlab.crt file to /usr/local/share/ca-certificates/ and executing update-ca-certificates.
Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the gitlab.crt file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this:
git clone https://git.local.host/gitlab-foss.git
fatal: unable to access 'https://git.local.host/gitlab-foss.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: noneYou can do the same at the web browser. Instructions for installing the root certificate for firefox can be found here. You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog.
There you have it, that's all there is to it.
If your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other.
The default path image is configured to look for the trusted SSL certificates is at /home/git/data/certs/ca.crt, this can however be changed using the SSL_CA_CERTIFICATES_PATH configuration option.
Copy the ca.crt file into the certs directory on the datastore. The ca.crt file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in the README of the docker-gitlab-ci container.
By default, our own server certificate gitlab.crt is added to the trusted certificates list.
By default GitLab expects that your application is running at the root (eg. /). This section explains how to run your application inside a directory.
Let's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using the GITLAB_RELATIVE_URL_ROOT configuration option like so:
docker run --name gitlab -it --rm \
--env 'GITLAB_RELATIVE_URL_ROOT=/git' \
--volume /srv/docker/gitlab/gitlab:/home/git/data \
sameersbn/gitlab:13.8.1GitLab will now be accessible at the /git path, e.g. http://www.example.com/git.
Note: The GITLAB_RELATIVE_URL_ROOT parameter should always begin with a slash and SHOULD NOT have any trailing slashes.
GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.
Refer to the GitLab documentation for additional information.
To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.
For example, if your cas server url is https://sso.example.com, then adding --env 'OAUTH_CAS3_SERVER=https://sso.example.com' to the docker run command enables support for CAS3 OAuth. Please refer to Available Configuration Parameters for additional CAS3 configuration parameters.
To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with Authentiq. Please refer to the GitLab documentation for the procedure to generate the client ID and secret key with Authentiq.
Once you have the API client id and client secret generated, configure them using the OAUTH_AUTHENTIQ_CLIENT_ID and OAUTH_AUTHENTIQ_CLIENT_SECRET environment variables respectively.
For example, if your API key is xxx and the API secret key is yyy, then adding --env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy' to the docker run command enables support for Authentiq OAuth.
You may want to specify OAUTH_AUTHENTIQ_REDIRECT_URI as well. The OAuth scope can be altered as well with OAUTH_AUTHENTIQ_SCOPE (defaults to 'aq:name email~rs address aq:push').
To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab documentation for the procedure to generate the client ID and secret key with google.
Once you have the client ID and secret keys generated, configure them using the OAUTH_GOOGLE_API_KEY and OAUTH_GOOGLE_APP_SECRET environment variables respectively.
For example, if your client ID is xxx.apps.googleusercontent.com and client secret key is yyy, then adding --env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy' to the docker run command enables support for Google OAuth.
You can also restrict logins to a single domain by adding --env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'".
To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate a API key and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the API key and secret.
Once you have the API key and secret generated, configure them using the OAUTH_FACEBOOK_API_KEY and OAUTH_FACEBOOK_APP_SECRET environment variables respectively.
For example, if your API key is xxx and the API secret key is yyy, then adding --env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy' to the docker run command enables support for Facebook OAuth.
To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate a API key and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the API key and secret with twitter.
Once you have the API key and secret generated, configure them using the OAUTH_TWITTER_API_KEY and OAUTH_TWITTER_APP_SECRET environment variables respectively.
For example, if your API key is xxx and the API secret key is yyy, then adding --env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy' to the docker run command enables support for Twitter OAuth.
To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the Client ID and secret with github.
Once you have the Client ID and secret generated, configure them using the OAUTH_GITHUB_API_KEY and OAUTH_GITHUB_APP_SECRET environment variables respectively.
For example, if your Client ID is xxx and the Client secret is yyy, then adding --env 'OAUTH_GITHUB_API_KEY=xxx' --env 'OAUTH_GITHUB_APP_SECRET=yyy' to the docker run command enables support for GitHub OAuth.
Users of GitHub Enterprise may want to specify OAUTH_GITHUB_URL and OAUTH_GITHUB_VERIFY_SSL as well.
To enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the Client ID and secret with GitLab.
Once you have the Client ID and secret generated, configure them using the OAUTH_GITLAB_API_KEY and OAUTH_GITLAB_APP_SECRET environment variables respectively.
For example, if your Client ID is xxx and the Client secret is yyy, then adding --env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy' to the docker run command enables support for GitLab OAuth.
To enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the Client ID and secret with BitBucket.
Once you have the Client ID and secret generated, configure them using the OAUTH_BITBUCKET_API_KEY and OAUTH_BITBUCKET_APP_SECRET environment variables respectively.
For example, if your Client ID is xxx and the Client secret is yyy, then adding --env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy' to the docker run command enables support for BitBucket OAuth.
GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab documentation.
The following parameters have to be configured to enable SAML OAuth support in this image: OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL, OAUTH_SAML_IDP_CERT_FINGERPRINT, OAUTH_SAML_IDP_SSO_TARGET_URL, OAUTH_SAML_ISSUER and OAUTH_SAML_NAME_IDENTIFIER_FORMAT.
You can also override the default "Sign in with" button label with OAUTH_SAML_LABEL.
Please refer to Available Configuration Parameters for the default configurations of these parameters.
To enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server.
Configure GitLab to enable access the Crowd server by specifying the OAUTH_CROWD_SERVER_URL, OAUTH_CROWD_APP_NAME and OAUTH_CROWD_APP_PASSWORD environment variables.
To enable the Auth0 OmniAuth provider you must register your application with auth0.
Configure the following environment variables OAUTH_AUTH0_CLIENT_ID, OAUTH_AUTH0_CLIENT_SECRET and OAUTH_AUTH0_DOMAIN to complete the integration.
To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab documentation for the procedure.
Once you have the Client ID, Client secret and Tenant ID generated, configure them using the OAUTH_AZURE_API_KEY, OAUTH_AZURE_API_SECRET and OAUTH_AZURE_TENANT_ID environment variables respectively.
For example, if your Client ID is xxx, the Client secret is yyy and the Tenant ID is zzz, then adding --env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz' to the docker run command enables support for Microsoft Azure OAuth.
To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.
As an example this code has been tested with Keycloak, with the following variables: OAUTH2_GENERIC_APP_ID, OAUTH2_GENERIC_APP_SECRET, OAUTH2_GENERIC_CLIENT_SITE, OAUTH2_GENERIC_CLIENT_USER_INFO_URL, OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL, OAUTH2_GENERIC_CLIENT_TOKEN_URL, OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT, OAUTH2_GENERIC_ID_PATH, OAUTH2_GENERIC_USER_UID, OAUTH2_GENERIC_USER_NAME, OAUTH2_GENERIC_USER_EMAIL, OAUTH2_GENERIC_NAME,
See GitLab documentation and Omniauth-oauth2-generic documentation for more details.
Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the envrionment variable GITLAB_PAGES_ENABLED to true.
Since version 11.5.0 Gitlab pages supports access control. This allows only access to a published website if you are a project member, or have access to a certain project.
Gitlab pages access control requires additional configuration before activating it through the variable GITLAB_PAGES_ACCESS_CONTROL.
Gitab pages access control makes use of the Gitlab OAuth Module.
- Goto the Gitlab Admin area
- Select
Applicationsin the menu - Create
New Application- Name:
Gitlab Pages - Scopes:
- api
- Trusted: NO (Do not select)
- Redirect URI: https://projects.<GITLAB_PAGES_DOMAIN>/auth
- Name:
Note about the Redirect URI; this can be tricky to configure or figure out, What needs to be achieved is to following, the redirect URI needs to end up at the gitlab-pages daemon with the /auth endpoint.
This means that if you run your gitlab pages at domain pages.example.io this will be a wilcard domain where your projects are created based on their namespace. The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI.
In the example above; the pages domain projects has been chosen. This will cause the nginx, either the built in or your own loadbalancer to redirect *.<GITLAB_PAGES_DOMAIN> to the gitlab-pages daemon. Which will trigger the pages endpoint.
Make sure to choose own which does not exist and make sure that the request is routed to the gitlab-pages daemon if you are using your own HTTP load balancer in front of Gitlab.
After creating the OAuth application endpoint for the Gitlab Pages Daemon. Gitlab pages access control can now be enabled.
Add to following environment variables to your Gitlab Container.
| Variable | R/O | Description |
|---|---|---|
| GITLAB_PAGES_ACCESS_CONTROL | Required | Set to true to enable access control. |
| GITLAB_PAGES_ACCESS_SECRET | Optional | Secret Hash, minimal 32 characters, if omitted, it will be auto generated. |
| GITLAB_PAGES_ACCESS_CONTROL_SERVER | Required | Gitlab instance URI, example: https://gitlab.example.io |
| GITLAB_PAGES_ACCESS_CLIENT_ID | Required | Client ID from earlier generated OAuth application |
| GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from earlier genereated OAuth application |
| GITLAB_PAGES_ACCESS_REDIRECT_URI | Required | Redirect URI, non existing pages domain to redirect to pages daemon, https://projects.example.io |
After you have enabled the gitlab pages access control. When you go to a project General Settings -> Permissions you can choose the pages persmission level for the project.
Since version 7.10.0 support for external issue trackers can be enabled in the "Service Templates" section of the settings panel.
If you are using the docker-redmine image, you can one up the gitlab integration with redmine by adding --volumes-from=gitlab flag to the docker run command while starting the redmine container.
By using the above option the /home/git/data/repositories directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project named opensource/gitlab, the bare repository will be accessible at /home/git/data/repositories/opensource/gitlab.git in the redmine container.
Per default the container is configured to run gitlab as user and group git with uid and gid 1000. The host possibly uses this ids for different purposes leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group 1000.
Also the container processes seem to be executed as the host's user/group 1000. The container can be configured to map the uid and gid of git to different ids on host by passing the environment variables USERMAP_UID and USERMAP_GID. The following command maps the ids to user and group git on the host.
docker run --name gitlab -it --rm [options] \
--env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \
sameersbn/gitlab:13.8.1When changing this mapping, all files and directories in the mounted data volume /home/git/data have to be re-owned by the new ids. This can be achieved automatically using the following command:
docker run --name gitlab -d [OPTIONS] \
sameersbn/gitlab:13.8.1 app:sanitizeIf you want to monitor your gitlab instance with Piwik, there are two options to setup: PIWIK_URL and PIWIK_SITE_ID.
These options should contain something like:
PIWIK_URL=piwik.example.orgPIWIK_SITE_ID=42
Please refer the docker run command options for the --env-file flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the secrets and config file options
Below is the complete list of available options that can be used to customize your gitlab installation.
All the above environment variables can be put into a secrets or config file and then both docker-compose and Docker Swarm can import them into your gitlab container.
On startup, the gitlab container will source env vars from a config file labeled gitlab-config, and then a secrets file labeled gitlab-secrets (both mounted in the default locations).
See the example contrib/docker-swarm/docker-compose.yml file, and the
example gitlab.configs and gitlab.secrets file.
You may as well choose file names other than the example source files (gitlab.configs and gitlab.secrets) and update
the file: ./gitlab.configs and file: ./gitlab.secrets references accordingly. But do not alter the config
keys gitlab-configs and
gitlab-secrets as they are currently
hardcoded and thus must be kept as in the example.
If you're not using one of these files, then don't include its entry in the docker-compose file.
GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.
Before taking a backup make sure the container is stopped and removed to avoid container name conflicts.
docker stop gitlab && docker rm gitlabExecute the rake task to create a backup.
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake gitlab:backup:createA backup will be created in the backups folder of the Data Store. You can change the location of the backups using the GITLAB_BACKUP_DIR configuration parameter.
P.S. Backups can also be generated on a running instance using docker exec as described in the Rake Tasks section. However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.
When using docker-compose you may use the following command to execute the backup.
docker-compose rm -sf gitlab
docker-compose run --rm gitlab app:rake gitlab:backup:createAfterwards you can bring your Instance back with the following command:
docker-compose up -dGitLab also defines a rake task to restore a backup.
Before performing a restore make sure the container is stopped and removed to avoid container name conflicts.
docker stop gitlab && docker rm gitlabIf this is a fresh database that you're doing the restore on, first you need to prepare the database:
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake db:setupExecute the rake task to restore a backup. Make sure you run the container in interactive mode -it.
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake gitlab:backup:restoreThe list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.
To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the BACKUP argument to the rake task.
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6When using docker-compose you may use the following command to execute the restore.
docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups
docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.8.1 # Choose to restore from 1515629493SSH keys are not backed up in the normal gitlab backup process. You
will need to backup the ssh/ directory in the data volume by hand
and you will want to restore it prior to doing a gitlab restore.
The image can be configured to automatically take backups daily, weekly or monthly using the GITLAB_BACKUP_SCHEDULE configuration option.
Daily backups are created at GITLAB_BACKUP_TIME which defaults to 04:00 everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups.
By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the GITLAB_BACKUP_EXPIRY option.
The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add --env 'AWS_BACKUPS=true' to the docker run command. In addition AWS_BACKUP_REGION and AWS_BACKUP_BUCKET must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through AWS_BACKUP_ACCESS_KEY_ID and AWS_BACKUP_SECRET_ACCESS_KEY.
More details about the appropriate IAM user properties can found on doc.gitlab.com
For remote backup to selfhosted s3 compatible storage, use AWS_BACKUP_ENDPOINT.
AWS uploads are performed alongside normal backups, both through the appropriate app:rake command and when an automatic backup is performed.
The image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add --env 'GCS_BACKUPS=true' to the docker run command. In addition GCS_BACKUP_BUCKET must be properly configured to point to the desired GCS location.
Finally a couple of Interoperable storage access keys user must be created and their keys exposed through GCS_BACKUP_ACCESS_KEY_ID and GCS_BACKUP_SECRET_ACCESS_KEY.
More details about the Cloud storage interoperability properties can found on cloud.google.com/storage
GCS uploads are performed alongside normal backups, both through the appropriate app:rake command and when an automatic backup is performed.
The app:rake command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the app:rake command. For example, if you want to gather information about GitLab and the system it runs on.
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake gitlab:env:infoYou can also use docker exec to run raketasks on running gitlab instance. For example,
docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=productionSimilarly, to import bare repositories into GitLab project instance
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake gitlab:import:reposOr
docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=productionFor a complete list of available rake tasks please refer https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks or the help section of your gitlab installation.
P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.
To use the app:rake command with docker-compose use the following command.
# For stopped instances
docker-compose run --rm gitlab app:rake gitlab:env:info
docker-compose run --rm gitlab app:rake gitlab:import:repos
# For running instances
docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production
docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=productionCopy all the bare git repositories to the repositories/ directory of the data store and execute the gitlab:import:repos rake task like so:
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:13.8.1 app:rake gitlab:import:reposWatch the logs and your repositories should be available into your new gitlab container.
See Rake Tasks for more information on executing rake tasks.
Usage when using docker-compose can also be found there.
Important Notice
Since GitLab release
8.6.0PostgreSQL users should enablepg_trgmextension on the GitLab database. Refer to GitLab's Postgresql Requirements for more informationIf you're using
sameersbn/postgresqlthen please upgrade tosameersbn/postgresql:12-20200524or later and addDB_EXTENSION=pg_trgm,btree_gistto the environment of the PostgreSQL container (see: https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L8).As of version 13.7.0, the required PostgreSQL is version 12.x. If you're using PostgreSQL image other than the above, please review section Upgrading PostgreSQL.
GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.
To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.
Note
Upgrading to
sameersbn/gitlab:13.8.1fromsameersbn/gitlab:7.x.xcan cause issues. It is therefore required that you first upgrade tosameersbn/gitlab:8.0.5-1before upgrading tosameersbn/gitlab:8.1.0or higher.
- Step 1: Update the docker image.
docker pull sameersbn/gitlab:13.8.1- Step 2: Stop and remove the currently running image
docker stop gitlab
docker rm gitlab- Step 3: Create a backup
docker run --name gitlab -it --rm [OPTIONS] \
sameersbn/gitlab:x.x.x app:rake gitlab:backup:createReplace x.x.x with the version you are upgrading from. For example, if you are upgrading from version 6.0.0, set x.x.x to 6.0.0
- Step 4: Start the image
Note: Since GitLab
8.0.0you need to provide theGITLAB_SECRETS_DB_KEY_BASEparameter while starting the image.
Note: Since GitLab
8.11.0you need to provide theGITLAB_SECRETS_SECRET_KEY_BASEandGITLAB_SECRETS_OTP_KEY_BASEparameters while starting the image. These should initially both have the same value as the contents of the/home/git/data/.secretfile. See Available Configuration Parameters for more information on these parameters.
docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:13.8.1For debugging and maintenance purposes you may want access the containers shell. If you are using docker version 1.3.0 or higher you can access a running containers shell using docker exec command.
docker exec -it gitlab bashYou can monitor your GitLab instance status as described in the official documentation, for example:
curl 'https://gitlab.example.com/-/liveness'On success, the endpoint will return a 200 HTTP status code, and a response like below.
{
"status": "ok"
}To do that you will need to set the environment variable GITLAB_MONITORING_IP_WHITELIST to allow your IP or subnet to make requests to your GitLab instance.
You can also set your docker-compose.yml healthcheck configuration to make periodic checks:
version: '2.3'
services:
gitlab:
image: sameersbn/gitlab:13.8.1
healthcheck:
test: ["CMD", "/usr/local/sbin/healthcheck"]
interval: 1m
timeout: 5s
retries: 5
start_period: 2mThen you will be able to consult the healthcheck log by executing:
docker inspect --format "{{json .State.Health }}" $(docker-compose ps -q gitlab) | jq- https://github.com/gitlabhq/gitlabhq
- https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md
- http://wiki.nginx.org/HttpSslModule
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
- https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl
- https://github.com/jpetazzo/nsenter
- https://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/