Gitlab CI/CD On Bare Metal
Nov 10, 2019
I’ll skip the part why you should embrace the devops culture and start migrating your legacy code to containers and everything. This post should help you if you got to the point of finding out how it works if you were to operate a self-hosted CI/CD system.
We adopted Gitlab as our CI/CD server and starting automating everything, from configuration to deployment. Automating your workflow helps developers skip spending time on toil and instead focus on delivering better software.
This setup runs on bare metal, on Ubuntu Servers with a multi-manager Docker Swarm cluster running on them. Managing such a setup requires somewhat deep understanding how containers work.
Every single piece of software runs in a container as a docker service and deployed within Gitlab CI/CD pipelines, even Gitlab Server itself. This is a nice abstraction that helps a lot when managing hundreds of services.
We use HAProxy as a reverse proxy, it handles all routing of traffic to and from those underlying services.
Configuring HAProxy for Gitlab Server
Before we install Gitlab, let’s configure the ports it will be served. I will cover only relevant parts of the configuration.
To reserve the default SSH port on the host machine, we will use a different TCP port for SSH communications on Gitlab server.
frontend gitlab_ssh
bind *:2289
mode tcp
option tcplog
tcp-request connection accept if { src 10.255.0.0/16 172.17.0.0/16 192.168.7.0/24 }
default_backend gitlab_ssh_backend
Here all the tcp connections coming to HAProxy container from port 2289
are redirected to gitlab_ssh_backend
, with some restriction to local subnets.
backend gitlab_ssh_backend
mode tcp
server gitlab_ssh_backend_service service.algosis.com.tr:2290 check
And this is the backend configuration, to identify which host:port
Gitlab server is listening TCP connections. Here it is service.algosis.com.tr:2290
.
We need another configuration for the web port. We want all http traffic to redirect to https port first. This redirect config is also used for every http connections coming from port 80
.
frontend www-http
bind *:80
http-request set-header X-Forwarded-Proto http
reqadd X-Forwarded-Proto:\ http
redirect scheme https if !{ ssl_fc }
Now here is the relevant https configuration. We’ll run Gitlab server under gitlab.algosis.com.tr
.
frontend www-https
bind *:443 ssl crt /etc/crt/algosis.com.tr.pem crt
# Gitlab web server
acl gitlab_algosis hdr_sub(host) -i gitlab.algosis.com.tr
http-request set-log-level silent if gitlab_algosis
use_backend gitlab_web_backend if gitlab_algosis
# Gitlab Container Registry
acl localip src 10.255.0.0/16 172.17.0.0/16 192.168.7.0/24
acl registry hdr_sub(host) -i registry.algosis.com.tr
use_backend registry_backend if registry localip
backend gitlab_web_backend
mode http
option forwardfor
server gitlab_web_backend_service service.algosis.com.tr:8089 check
backend registry_backend
mode http
option forwardfor
server registry_backend_service service.algosis.com.tr:12557 check
And the web backend of Gitlab server listens on service.algosis.com.tr:8089
.
Note that we also handle certificates on HAProxy, and won’t be providing Gitlab server a different certificate.
Gitlab is going to explode your HAProxy logs. If you want to filter them, you can add set-log-level silent
on your https-frontend.
We also use Gitlab Container Registry for storing and serving all of our container images. It runs on a different domain registry.algosis.com.tr
and on port 12557
. We also restricted its access to a bunch of local subnets.
Now we can configure Gitlab server to listen TCP and HTTPS connections on those ports.
Deploying Gitlab Server
Gitlab is deployed as a container, just as rest of the services. We will use Gitlab’s official Docker image. Since the container will be run as a Docker service, we will create a docker-compose file and deploy it with docker stack
command. We will do this manually right now since we don’t have an automated CI/CD pipeline yet.
version: '3.5'
services:
web:
image: 'gitlab/gitlab-ce:latest'
hostname: 'gitlab.algosis.com.tr'
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://gitlab.algosis.com.tr'
registry_external_url 'https://registry.algosis.com.tr'
# Custom SSH port
gitlab_rails['gitlab_shell_ssh_port'] = 2289
# Backup configuration
gitlab_rails['backup_upload_connection'] = {
'provider' => 'AWS',
'region' => 'ams3',
'aws_access_key_id' => '<some-secret-value>',
'aws_secret_access_key' => '<some-secret-value>',
'endpoint' => 'https://<some-secret-value>.digitaloceanspaces.com'
}
gitlab_rails['backup_upload_remote_directory'] = 'algosis'
gitlab_rails['backup_keep_time'] = 604800
# Gitlab schedules check interval
gitlab_rails['pipeline_schedule_worker_cron'] = "* * * * *"
# Gitlab Email Setup
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.yandex.com.tr"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "<some-secret-value>@algosis.com.tr"
gitlab_rails['smtp_password'] = "<some-secret-value>"
gitlab_rails['smtp_domain'] = "algosis.com.tr"
gitlab_rails['gitlab_email_from'] = '<some-secret-value>@algosis.com.tr'
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_tls'] = true
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
# Web and Registry Port configs
nginx['listen_port'] = 80
nginx['listen_https'] = false
registry_nginx['listen_port'] = 12557
registry_nginx['listen_https'] = false
ports:
- '8089:80'
- '2290:22'
- '12557:12557'
volumes:
- gitlab_config:/etc/gitlab
- gitlab_logs:/var/log/gitlab
- gitlab_data:/var/opt/gitlab
- gitlab_ssh:/etc/ssh
- ssl_certs:/certs
deploy:
restart_policy:
condition: any
delay: 5s
placement:
constraints:
- node.hostname == service
volumes:
gitlab_config:
external: true
gitlab_logs:
external: true
gitlab_data:
external: true
gitlab_ssh:
external: true
ssl_certs:
external: true
Now this is a lot to take in, so we better cover it piece by piece.
I think image, hostname and url parts are clear from haproxy configurations. Since we used a custom ssh port on HAProxy to reserve default ssh port on the host, we define it in gitlab_rails['gitlab_shell_ssh_port'] = 2289
.
The next part is backup configuration. Gitlab is capable of backing itself on an S3 bucket, so we configure our remote S3 bucket access keys. gitlab_rails['backup_keep_time'] = 604800
means we want Gitlab to keep its backup files on local as long as 604800 seconds, which is 7 days.
We are going to use Gitlab Schedules to operate our scheduled pipelines. gitlab_rails['pipeline_schedule_worker_cron'] = "* * * * *"
configuration tells Gitlab to check if there’s a new schedule every second, default is 12 hours as far as I remember and it’s pretty annoying.
You can configure a SMTP server if you want Gitlab to notify you on some certain operations such as pipeline failure, etc. This is really helpful when integrated with Mattermost - Gitlab’s open source Slack alternative - with some fancy bots.
Web port and registry port is configured as aligned with those in HAProxy. Here the container port 8089
is linked to 80
so nginx['listen_port'] = 80
and since HAProxy handles ssl certificates, nginx['listen_https'] = false
. Don’t worry, Gitlab is still configured to operate on an https domain. Similar configuration is applied for registry as well.
We want to persist some folders such as logs, git data and configurations, so we define docker volumes (externally) before we deploy this as a service. Also there are some docker service placement restrictions, but these are optional for now.
Save the file as docker-stack.yml
and deploy it with docker stack deploy --compose-file docker-stack.yml gitlab
and you should be good to go. It would take a while since docker needs to pull the image from Docker Hub registry before deploying the service.
Remember that for backup to run, we still need to trigger backup command with a scheduled pipeline, I will show it after we can use pipelines. For pipelines, we need what Gitlab calls a runner.
Deploying Gitlab Runners
Runners are Gitlab’s workers for your pipelines. Pipelines are configured with .gitlab-ci.yml
on each project and runners run the code defined in those configuration. I highly suggest you to read Gitlab docs for configuring Gitlab Runners.
For our setup, runners will also run as a container with a docker socket priviledge. This allows runners to create new containers on the underlying docker host. We’ll use official Gitlab runner docker image.
Runners can use different executors such as bash, docker etc. In our cluster every piece of code runs through docker so we will use docker executor. To be able to run docker commands in a container, we will also bind the docker socket to it. And finally, we will deploy a runner container on each nodes of our docker cluster, which means the service will be deployed in global
mode.
version: '3.5'
services:
runner:
image: 'gitlab/gitlab-runner:latest'
volumes:
- '/var/run/docker.sock:/var/run/docker.sock'
- gitlab-runner:/etc/gitlab-runner
environment:
- RUNNER_EXECUTER=docker
deploy:
mode: global
restart_policy:
condition: any
delay: 5s
volumes:
gitlab-runner:
external: true
You see that every docker volume we create is external so we need to manually create required volumes before deploying this configurations. Save this configuration in a file and deploy it like we did in Gitlab section. docker stack deploy --compose-file docker-stack.yml gitlab-runner
.
Now we have runner containers on each node but Gitlab and its runners are unaware of each other. Let’s help them communicate.
Registering Runners to Gitlab
Okay we now have bunch of Gitlab services running on our cluster. Next step is registering runner services to Gitlab so that it can start using them as pipeline workers. Again I strongly suggest you to read the official documentation for registering runners.
We will invoke register
command in runner containers, with some configuration. This command is actually interactive and very intuitive. It asks you a couple of questions to help you configure your runner. But we want everything to be automated and run through the pipeline so we might as well figure out a non-interactive way to do so. We will use same runners across all projects, so our runners will be shared
runners. We also deployed runners on each node of our cluster, so we better tag
them appropriately to identify the host runner is working on. We will use docker
executor, and we need a base docker image for the containers runners will create during executing pipeline jobs. Wow, containers everywhere, right?
Remember we wanted to be able to run docker commands in runners? That’s why we will use official docker image for running docker in docker. In fact, it’s called docker in docker (dind), and the image lies in docker hub. This docker image does not contain a lot of commands but for now it’s sufficient. We’ll later extend this image to add some capabilities such as running docker-compose
.
I suggest you to go ahead and try the interactive register command in runners, but you might as well sneak a peak to my non-interactive command here.
docker exec -it $RUNNER_CONTAINER gitlab-runner register \
--non-interactive \
--docker-tlsverify \
--url https://gitlab.algosis.com.tr \
--tag-list service,docker-builder,docker-stack \
--registration-token <some-secret-value> \
--docker-image docker:latest \
--executor docker \
--docker-pull-policy if-not-present \
--run-untagged=true \
--locked=false \
--docker-volumes /var/run/docker.sock:/var/run/docker.sock
You can obtain your own registration-token
on Gitlab Admin panel under Overview/Runners section.
As you add more projects, you are going to need multiple runners on your docker swarm nodes. You can register new runners with the same command we used.
You should be able to see your runners on Gitlab admin panel with unique runner tokens, shared type, and tags you provided.
Now let’s get those runners working.
Your First .gitlab-ci.yml
For a detailed configuration documentation, read official docs.
We deployed Gitlab manually, but we can let runners do the job for us. Keep the same docker-stack.yml
we used for Gitlab, but add a .gitlab-ci.yml
file as follows.
image: docker:latest
stages:
- deploy
- update
- backup
production:
stage: deploy
tags:
- docker-stack
script:
- docker stack deploy --compose-file docker-stack.yml gitlab
environment:
name: production
only:
changes:
- docker-stack.yml
except:
- schedules
Create a new project called gitlab
on your Gitlab instance. After committing and pushing configuration files to your project, a pipeline job should start running and when succeeded, your Gitlab container should be re-created, by Gitlab runners. Note that we defined our own custom stages, and used our gitlab runner tag that we defined when registering runners.
Adding Self-Update and Backup Capabilities to Gitlab
This pipeline won’t be running again unless there’s a commit to the project repository. But Gitlab releases are pretty frequent and you should keep it up to date. For this scheduled task, we can use Gitlab Schedules.
First, go to gitlab
project page and create a new schedule under CI/CD / Schedules. You can use one of the pre-defined interval patterns, such as every day (at 4:00am).
Now we can add an update job to our gitlab-ci.yml
configuration file.
update:
stage: update
tags:
- docker-stack
script:
- docker stack deploy --compose-file docker-stack.yml gitlab
environment:
name: production
only:
- schedules
Remember that we defined our own stages
in configuration such as deploy, update, backup
. Jobs will run in this order according to their stage, and jobs in the same stage will run parallel. We also don’t want update job to be run on each commit, so we restrict it to be run only on schedules
. Now you can test your schedule by clicking play button on CI/CD / Schedules page.
Similarly, we can add a backup job as well.
backup:
stage: backup
tags:
- service
script:
- docker ps --filter health=healthy --filter name=gitlab_web --format "{{.ID}}" | xargs -t -I {} docker exec -t {} gitlab-backup create SKIP=registry,artifacts STRATEGY=copy DIRECTORY=gitlab_backups
only:
- schedules
We are filtering gitlab_web
container and running gitlab-backup
command on it. We also skip registry,artifacts
since they would take a lot of space on backup. Read more on official docs.
This is roughly the first part of the topics I want to cover about our CI/CD system. I will announce it on twitter when I add new content here.