Project:Infrastructure/Gitlab

From Gentoo Wiki

Gitlab

Gitlab is currently deployed in a testing capacity on gitlab.gentoo.org (noddie) and is not yet publicly available.

Gitlab Runner

Gitlab runner is configured via the gitlab::runner Puppet class. Currently there is 1 node configured so we can test. Gitlab runner uses the upstream gitlab runner container to manage the runner software. We currently use the docker executor, but we are considering other executors (such as libvirt) for better security protection against runner jobs.

Gitlab server

We currently use the upstream omnibus container for gitlab; this nominally includes a bunch of stuff (redis, postgres, unicorn, etc.). We may consider a more fragmented approach for future production deployments.

Gitlab Authentication

Gitlab supports 'native' gitlab accounts (e.g. accounts created in gitlab.gentoo.org) but also supports Gentoo's LDAP environment for Gentoo developers.

LDAP

Gentoo developers can sign in by entering their LDAP username (email address without the @gentoo.org bits) and their LDAP password. Don't sign in with your Gentoo email address; that will not work.

SSH

The physical machine hosting gitlab has 2 IPs (both on v4 and v6). Sshing to gitlab.gentoo.org will try to connect to the specific IP for gitlab, and you will be connected to gitlab's ssh.

Gitlab's ssh uses its own set of host keys and wrappers, like a normal gitlab.

Infra Note

If you want to "ssh to gitlab" to inspect the service, you have to ssh to the physical host, not the service name. The service name always points to the containerized ssh.

What about Gitolite?

Currently we plan to keep Gentoo repos mastered in gitolite. We can set up automatic pushes to gitlab in gitolite configs. We will consider migrating repos to gitlab in the future.

TODOs for gitlab setup

  • The LDAP integration has bad email integration; we need to tune the email attributes.
      * antarus: This does not look fixable without patches.
  • Back up /var/lib/gitlab to Amazon S3.
  • Add Icinga monitoring for https (done).
  • Add infra-status.gentoo.org lines for gitlab.
  • Enable LDAP server verification (done).

Future items (after prod launch)

  • Set up a gitolite config attribute to auto-push to gitlab.gentoo.org