For learning GitLab CI/CD pipeline stuff, I had the idea to install GitLab on my notebook. To make things easy to setup, I use Docker and on top of it Portainer CE. With this I can use Docker Compose configurations with a WebUI.
When I was writting this blogpost, GitLab 17.2 was the current released version, I wanted to use GitLab CE. I only want to use this GitLab installation from my notebook. First thing I learned: using localhost is not really possible. The hostname of the notebook is thinkpad, so the configurations will also use this DNS-name and the GitLab installation will be available by https://thinkpad/.
To setup the GitLab CE installation and a GitLab-Runner, I use the following Docker Compose configuration.
Warning: starting of the GitLab instance can take some time!
version: '3.6'
services:
gitlab:
image: gitlab/gitlab-ce:17.2.1-ce.0
container_name: gitlab
restart: always
hostname: 'thinkpad'
networks:
- gitlab-network
environment:
GITLAB_OMNIBUS_CONFIG: |
# Add any other gitlab.rb configuration here, each on its own line
external_url 'https://thinkpad'
ports:
- '80:80'
- '443:443'
- '22:22'
volumes:
- gitlab-config:/etc/gitlab
- gitlab-logs:/var/log/gitlab
- gitlab-data:/var/opt/gitlab
shm_size: '256m'
gitlab-runner:
image: gitlab/gitlab-runner:latest
container_name: gitlab-runner
restart: always
networks:
- gitlab-network
volumes:
- gitlab-runner-config:/etc/gitlab-runner
- /var/run/docker.sock:/var/run/docker.sock
volumes:
gitlab-config:
gitlab-logs:
gitlab-data:
gitlab-runner-config:
networks:
gitlab-network:
After that, it was not possible to register the GitLab-Runner with the GitLab-instance. When I tried to register, I got errors like
x509: certificate signed by unknown authority
or
tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
I had to create my own X509 certificates and made them available in the GitLab and GitLab-Runner containers (or more precise inside of the volumes that contains the configurations).
The paths used in the commands below are based on the Docker Compose configuration up here. If you use different volume names, you have to adjust the names below. I needed to execute the commands as root, so a
sudo su -
was done first. First the new certificate is created, important is the part with the subjectAltName configuration.
cd /var/lib/docker/volumes/gitlab_gitlab-config/_data/ssl/
openssl genrsa -out thinkpad-ca.key 2048
openssl req -new -x509 -days 365 -key thinkpad-ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out thinkpad-ca.crt
openssl req -newkey rsa:2048 -nodes -keyout thinkpad.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.thinkpad" -out thinkpad.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:thinkpad") -days 365 -in thinkpad.csr -CA thinkpad-ca.crt -CAkey thinkpad-ca.key -CAcreateserial -out thinkpad.crt
Check that the right hostname is configured into the certificate:
openssl s_client -connect thinkpad:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
In my case it returned
DNS:thinkpad
Now we have to link the certificate files into the GitLab-Runner configuration.
ln -s /var/lib/docker/volumes/gitlab_gitlab-config/_data/ssl/thinkpad.crt thinkpad.crt
ln -s /var/lib/docker/volumes/gitlab_gitlab-config/_data/ssl/thinkpad.key thinkpad.key
Restart the GitLab and GitLab-Runner instance.
When the GitLab instance is back online, try register the GitLab-Runner.
docker exec -it gitlab-runner gitlab-runner register
Runtime platform arch=amd64 os=linux pid=52 revision=9882d9c7 version=17.2.1
Runninginsystem-mode.
Enter the GitLab instance URL (for example, https://gitlab.com/):
https://thinkpad/
Enter the registration token:
glrt-somevalues
Verifying runner... is valid runner=yaoFUzzEE
Enter a name for the runner. This is stored only in the local config.toml file:
[b018679db44f]: instance
Enter an executor: custom, docker, docker-windows, docker-autoscaler, shell, ssh, parallels, virtualbox, docker+machine, kubernetes, instance:
docker
Enter the default Docker image (for example, ruby:2.7):
alpine:latest
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
Configuration (with the authentication token) was saved in "/etc/gitlab-runner/config.toml"
After that, the GitLab-Runner is shown in GitLab as online.
We need to give the GitLab-Runner the certificates for the CA and the GitLab instance. Without it, the connection could not be established:
cd /var/lib/docker/volumes/gitlab_gitlab-runner-config/_data/certs
cp /var/lib/docker/volumes/gitlab_gitlab-config/_data/ssl/thinkpad-ca.crt ca.crt
cp /var/lib/docker/volumes/gitlab_gitlab-config/_data/ssl/thinkpad.crt .
cp /var/lib/docker/volumes/gitlab_gitlab-config/_data/ssl/thinkpad.key .
After that, restart the GitLab-Runner with
docker restart gitlab-runner
If you login the first time to your GitLab instance and you are wondering, where you can find the initial root passwort (and yes, username is root):
/var/lib/docker/volumes/gitlab_gitlab-config/initial_root_password