Gitlab
GitLab Inc. is an open-core company that provides GitLab, a DevOps software package that combines the ability to develop, secure, and operate software in a single application. The open source software project was created by Ukrainian developer Dmitriy Zaporozhets and Dutch developer Sytse Sijbrandij.
Installation
# will work but not recommended
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
# install gitlab-ce
wget https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh
chmod +x script.rpm.sh
os=el dist=8 ./script.rpm.sh
sudo yum install gitlab-ce
#or
sudo dnf install gitlab-ce
# install gitlab runner
wget https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh
chmod +x script.rpm.sh.1
os=el dist=8 ./script.rpm.sh.1
sudo yum install gitlab-runner
#or
sudo dnf install gitlab-runner
sudo tee /etc/yum.repos.d/gitlab_gitlab-ce.repo<<"EOF"
[gitlab_gitlab-ce]
name=gitlab_gitlab-ce
baseurl=https://packages.gitlab.com/gitlab/gitlab-ce/el/8/\$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
EOF
gitlab-ctl status
vi /etc/gitlab/gitlab.rb
sed -i 's/#.*$//;/^$/d' /etc/gitlab/gitlab.rb
gitlab-ctl reconfigure
gitlab-rake gitlab:check SANITIZE=true
gitlab-ctl status
Configuration
Gitlab regonfiguration
# Configuration
gitlab-ctl status
cat > /etc/gitlab/gitlab.rb <<"EOF"
external_url 'https://git.lichnak.cz'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "mail.lichnak.cz"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "gitlab@lichnak.cz"
gitlab_rails['smtp_password'] = "00000000000000000000000000000"
gitlab_rails['smtp_domain'] = "mail.lichnak.cz"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
gitlab_rails['gitlab_email_from'] = 'gitlab@lichnak.cz'
gitlab_rails['gitlab_email_reply_to'] = 'gitlab@lichnak.cz'
gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128', '10.0.0.0/26', '192.168.0.0/24']
gitlab_rails['omniauth_providers'] = [
{
"name" => "azure_oauth2",
"args" => {
"client_id" => "00000000-0000-0000-0000-000000000000",
"client_secret" => "0000000000000000000.0000000000000",
"tenant_id" => "00000000-0000-0000-0000-000000000000",
}
}
]
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['sync_profile_attributes'] = ['name', 'email']
registry_external_url "https://registry.lichnak.cz"
pages_external_url "https://pages.lichnak.eu/"
gitlab_pages['enable'] = true
gitlab_pages['access_control'] = true
mattermost_external_url "https://mattermost.lichnak.cz"
mattermost_nginx['redirect_http_to_https'] = true
letsencrypt['enable'] = true
external_url "https://git.lichnak.cz"
letsencrypt['auto_renew_hour'] = "12"
letsencrypt['auto_renew_minute'] = "30"
letsencrypt['auto_renew_day_of_month'] = "*/7"
gitlab_rails['packages_enabled'] = true
EOF
gitlab-ctl reconfigure
gitlab-rake gitlab:check SANITIZE=true
gitlab-ctl status
cat /etc/sysconfig/ip*
iptables -L
iptables -S
vi /etc/ssh/sshd_config
systemctl restart sshd
systemctl status iptables
iptables -S
cat /etc/gitlab/initial_root_password
sudo gitlab-rake "gitlab:password:reset[root]"
dnf install tar -y
git --version
dnf groupinstall "Development Tools"
dnf install -y wget perl-CPAN gettext-devel perl-devel openssl-devel zlib-devel curl-devel expat-devel getopt asciidoc xmlto docbook2X
dnf install -y wget perl-CPAN gettext-devel perl-devel openssl-devel zlib-devel curl-devel expat-devel getopt asciidoc xmlto docbook2X
dnf install -y gettext-devel curl-devel expat-devel openssl-devel perl-CPAN perl-devel zlib-devel unzip cmake gcc make
export VER="2.37.3"
wget https://github.com/git/git/archive/v${VER}.tar.gz
tar -xvf v${VER}.tar.gz
rm -f v${VER}.tar.gz
dnf install -y gettext-devel curl-devel expat-devel openssl-devel perl-CPAN perl-devel zlib-devel unzip cmake gcc make wget
wget https://github.com/git/git/archive/v${VER}.tar.gz
tar -xvf v${VER}.tar.gz
rm -f v${VER}.tar.gz
ll
cd git-${VER}/
make configure
./configure --prefix=/usr
make
make install
git --version
gitlab-rake gitlab:check SANITIZE=true
gitlab-rake gitlab:backup:create STRATEGY=copy
gitlab-ctl status
rm /etc/gitlab/.gitlab.rb.swp
vi /etc/gitlab/gitlab.rb
gitlab-ctl reconfigure
dnf --showduplicate list gitlab-ce
gitlab-rake gitlab:check SANITIZE=true
gitlab-rake gitlab:backup:create STRATEGY=copy
dnf install tmux
gitlab-rake gitlab:doctor:secrets
dnf --showduplicate list gitlab-ce
dnf update gitlab-ce-15.3.2-ce.0.el8
uname -a
gitlab-rake gitlab:check SANITIZE=truegitlab-rake gitlab:check SANITIZE=true
gitlab-rake gitlab:backup:create STRATEGY=copy
find / -type f -name "*_gitlab_backup.tar"
find /opt -type f -name "*_gitlab_backup.tar"
ls -la
ls /opt/gitlab/
find /opt -type f -name "*.tar"
find / -type f -name "*.tar"
cd /var/opt/gitlab/backups/
gitlab-rake gitlab:check SANITIZE=true
dnf update -y
exit
gitlab-ctl status
dnf update
curl "https://packages.gitlab.com/gpg.key" -o /tmp/omnibus_gitlab_gpg.key
sudo rpm --import /tmp/omnibus_gitlab_gpg.key
dnf update
rpm --import https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey/gitlab-gitlab-ce-3D645A26AB9FBD22.pub.gpg
rpm -q gpg-pubkey-f27eab47-60d4a67e --qf '%{name}-%{version}-%{release} --> %{summary}'
dnf update
sudo rm -r /var/cache/dnf
dnf update
tail -f /var/log/messages
systemctl | grep git
journalctl session-1069016.scope
systemctl status session-1069016.scope
systemctl | grep git
systemctl status session-2026299.scope
gitlab-rake gitlab:check SANITIZE=true
dnf update
gitlab-rake gitlab:backup:create STRATEGY=copy
systemctl status session-1069016.scope
gitlab-rake gitlab:check SANITIZE=true
df -hT
gitlab-rake gitlab:backup:create STRATEGY=copy
df -hT
dnf update -y
exit
gitlab-rake gitlab:env:info
grep gitlab /opt/gitlab/version-manifest.txt
dnf update -y
git --version
Docker remote access
Docker able to enable remote connections, that you execute command in your local terminal but execution of it redirects to the remote docker machine.
In my case, I need that because I running Gitlab-CI pipeline that’s build image and I want automatically update it for the running container on the server.
Server settings
You need configure docker daemon to listen external interface in the file /etc/docker/daemon.json:
{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
"tls": true,
"tlscacert": "/etc/ssl/docker/certs/ca.pem",
"tlscert": "/etc/ssl/docker/certs/server-cert.pem",
"tlskey": "/etc/ssl/docker/certs/server-key.pem",
"tlsverify": true
}
2376 – listen post on which docker listen for incoming connections (you must allow it on firewall too. In next lines stats certificates path used for client authentification, you need to generate it in the next step.
For easy certificate generation, you can use script create-certs.sh, create directory (/etc/ssl/docker/), switch into that directory, download the script and grant execution privileges.
mkdir /etc/ssl/docker/ && cd /etc/ssl/docker/
cat > create-certs.sh <<"EOF"
#!/bin/bash
#see https://docs.docker.com/engine/security/https/
EXPIRATIONDAYS=700
CASUBJSTRING="/C=GB/ST=London/L=London/O=ExampleCompany/OU=IT/CN=example.com/emailAddress=test@example.com"
while [[ $# -gt 1 ]]
do
key="$1"
case $key in
-m|--mode)
MODE="$2"
shift
;;
-h|--hostname)
NAME="$2"
shift
;;
-hip|--hostip)
SERVERIP="$2"
shift
;;
-pw|--password)
PASSWORD="$2"
shift
;;
-t|--targetdir)
TARGETDIR="$2"
shift
;;
-e|--expirationdays)
EXPIRATIONDAYS="$2"
shift
;;
--ca-subj)
CASUBJSTRING="$2"
shift
;;
*)
# unknown option
;;
esac
shift
done
echo "Mode $MODE"
echo "Host/Clientname $NAME"
echo "Host IP $SERVERIP"
echo "Targetdir $TARGETDIR"
echo "Expiration $EXPIRATIONDAYS"
programname=$0
function usage {
echo "usage: $programname -m ca -h example.de [-hip 1.2.3.4] -pw my-secret -t /target/dir [-e 365]"
echo " -m|--mode 'ca' to create CA, 'server' to create server cert, 'client' to create client cert"
echo " -h|--hostname|-n|--name DNS hostname for the server or name of client"
echo " -hip|--hostip host's IP - default: none"
echo " -pw|--password Password for CA Key generation"
echo " -t|--targetdir Targetdir for certfiles and keys"
echo " -e|--expirationdays certificate expiration in day - default: 700 days"
echo " --ca-subj subj string for ca cert - default: Example String..."
exit 1
}
function createCA {
openssl genrsa -aes256 -passout pass:$PASSWORD -out $TARGETDIR/ca-key.pem 4096
openssl req -passin pass:$PASSWORD -new -x509 -days $EXPIRATIONDAYS -key $TARGETDIR/ca-key.pem -sha256 -out $TARGETDIR/ca.pem -subj $CASUBJSTRING
chmod 0400 $TARGETDIR/ca-key.pem
chmod 0444 $TARGETDIR/ca.pem
}
function checkCAFilesExist {
if [[ ! -f "$TARGETDIR/ca.pem" || ! -f "$TARGETDIR/ca-key.pem" ]]; then
echo "$TARGETDIR/ca.pem or $TARGETDIR/ca-key.pem not found. Create CA first with '-m ca'"
exit 1
fi
}
function createServerCert {
checkCAFilesExist
if [[ -z $SERVERIP ]]; then
IPSTRING=""
else
IPSTRING=",IP:$SERVERIP"
fi
openssl genrsa -out $TARGETDIR/server-key.pem 4096
openssl req -subj "/CN=$NAME" -new -key $TARGETDIR/server-key.pem -out $TARGETDIR/server.csr
echo "subjectAltName = DNS:$NAME$IPSTRING" > $TARGETDIR/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days $EXPIRATIONDAYS -in $TARGETDIR/server.csr -CA $TARGETDIR/ca.pem -CAkey $TARGETDIR/ca-key.pem -CAcreateserial -out $TARGETDIR/server-cert.pem -extfile $TARGETDIR/extfile.cnf
rm $TARGETDIR/server.csr $TARGETDIR/extfile.cnf $TARGETDIR/ca.srl
chmod 0400 $TARGETDIR/server-key.pem
chmod 0444 $TARGETDIR/server-cert.pem
}
function createClientCert {
checkCAFilesExist
openssl genrsa -out $TARGETDIR/client-key.pem 4096
openssl req -subj "/CN=$NAME" -new -key $TARGETDIR/client-key.pem -out $TARGETDIR/client.csr
echo "extendedKeyUsage = clientAuth" > $TARGETDIR/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days $EXPIRATIONDAYS -in $TARGETDIR/client.csr -CA $TARGETDIR/ca.pem -CAkey $TARGETDIR/ca-key.pem -CAcreateserial -out $TARGETDIR/client-cert.pem -extfile $TARGETDIR/extfile.cnf
rm $TARGETDIR/client.csr $TARGETDIR/extfile.cnf $TARGETDIR/ca.srl
chmod 0400 $TARGETDIR/client-key.pem
chmod 0444 $TARGETDIR/client-cert.pem
mv $TARGETDIR/client-key.pem $TARGETDIR/client-$NAME-key.pem
mv $TARGETDIR/client-cert.pem $TARGETDIR/client-$NAME-cert.pem
}
if [[ -z $MODE || ($MODE != "ca" && -z $NAME) || -z $PASSWORD || -z $TARGETDIR ]]; then
usage
fi
mkdir -p $TARGETDIR
if [[ $MODE = "ca" ]]; then
createCA
elif [[ $MODE = "server" ]]; then
createServerCert
elif [[ $MODE = "client" ]]; then
createClientCert
else
usage
fi
EOF
chmod +x create-certs.sh
Generate 3 certificates for the docker (CA, server, and client)
./create-certs.sh -m ca -pw KEY-PASSWORD -t certs -e 900
./create-certs.sh -m server -h myserver.example.com -pw KEY-PASSWORD -t certs -e 365
./create-certs.sh -m client -h client1 -pw KEY-PASSWORD -t certs -e 365
KEY-PASSWORD – change to your’s random string, it used for private key protection. All generated certificates will be placed in the /etc/ssl/docker/certs/.
Restart the docker and now it is ready to accept the incoming connection.
Client setup
You can find so many variations for client configuration, but in general, all of them come down to one – adding a few environment variables. Docker must be installed on the client machine.
On Linux or MacOS create an alias for bash (file ~/.bashrc). Pay attention, in the alias, stated certificates paths that already generated on the server, you must to copy it to the client machine ca.pem, client-client1-cert.pem and key client-client1-key.pem
alias docker-remote="docker \
--tlsverify \
-H=your-remote-server.org:2376 \
--tlscacert=/home/user/.docker/ca.pem \
--tlscert=/home/user/.docker/client-client1-cert.pem \
--tlskey=/home/user/.docker/client-client1-key.pem"
Gitlab CI/CD
https://docs.gitlab.com/ee/development/cicd/templates.html
docker.yml template:
.docker_config_dind:
variables:
DOCKER_CONFIG_GITLABKIT_REGISTRY: $CI_REGISTRY
DOCKER_DRIVER: overlay2
image: docker:20.03.12
services:
- name: docker:20.03.12-dind
alias: docker
.docker_config_platform:
variables:
DOCKER_CONFIG_PLATFORM_REGISTRY: $CI_REGISTRY/platform/images
.docker_config_gitlab:
variables:
DOCKER_CONFIG_GITLAB_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
.docker_build:
extends:
- .docker_config_dind
- .docker_config_gitlab
variables:
DOCKER_BUILD_CONTEXT: "."
DOCKER_BUILD_DOCKERFILE: Dockerfile
script:
- if [[ -z $DOCKER_BUILD_CONTEXT ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_BUILD_DOCKERFILE ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_CONFIG_GITLAB_IMAGE ]]; then ( echo "required"; exit 1 ); fi
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker build --pull $DOCKER_BUILD_OPTS -t $DOCKER_CONFIG_GITLAB_IMAGE -f $DOCKER_BUILD_DOCKERFILE $DOCKER_BUILD_CONTEXT
- docker push $DOCKER_CONFIG_GITLAB_IMAGE
.docker_test:
extends: .docker_config_gitlab
image: $DOCKER_CONFIG_GITLAB_IMAGE
.docker_release:
extends:
- .docker_config_dind
- .docker_config_gitlab
- .docker_config_platform
variables:
DOCKER_RELEASE_REGISTRY: $DOCKER_CONFIG_PLATFORM_REGISTRY
script:
- if [[ -z $DOCKER_CONFIG_GITLAB_IMAGE ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_USER ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_PASSWORD ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_NAME ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_TAG && -z $DOCKER_RELEASE_TAG_FILE ]]; then ( echo "DOCKER_RELEASE_TAG or DOCKER_RELEASE_TAG_FILE required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_REGISTRY ]]; then ( echo "required"; exit 1 ); fi
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker pull $DOCKER_CONFIG_GITLAB_IMAGE
- docker login -u $DOCKER_RELEASE_USER -p $DOCKER_RELEASE_PASSWORD $CI_REGISTRY
- if [[ -s "$DOCKER_RELEASE_TAG_FILE" ]]; then tag=$( cat $DOCKER_RELEASE_TAG_FILE ); else tag=$DOCKER_RELEASE_TAG; fi
- docker_release_target=$DOCKER_RELEASE_REGISTRY/$DOCKER_RELEASE_NAME:$tag
- docker tag $DOCKER_CONFIG_GITLAB_IMAGE $docker_release_target
- docker push $docker_release_target
.docker_deploy:
extends:
- .docker_config_dind
- .docker_config_gitlab
- .docker_config_platform
variables:
DOCKER_RELEASE_REGISTRY: $DOCKER_CONFIG_PLATFORM_REGISTRY
before_script:
- if [[ -z $DOCKER_CONFIG_GITLAB_IMAGE ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_USER ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_PASSWORD ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_NAME ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_TAG && -z $DOCKER_RELEASE_TAG_FILE ]]; then ( echo "DOCKER_RELEASE_TAG or DOCKER_RELEASE_TAG_FILE required"; exit 1 ); fi
- if [[ -z $DOCKER_RELEASE_REGISTRY ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_REMOTE_HOST ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_CACERT ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $$DOCKER_CERT ]]; then ( echo "required"; exit 1 ); fi
- if [[ -z $DOCKER_KEY ]]; then ( echo "required"; exit 1 ); fi
- docker login -u $DOCKER_RELEASE_USER -p $DOCKER_RELEASE_PASSWORD $CI_REGISTRY
- cp $DOCKER_CACERT ~/.docker/ca.pem && cp $DOCKER_CERT ~/.docker/cert.pem && cp $DOCKER_KEY ~/.docker/key.pem
- export DOCKER_HOST=$DOCKER_REMOTE_HOST DOCKER_TLS_VERIFY=1
- docker stop $CI_PROJECT_NAME || true
- docker rm $CI_PROJECT_NAME || true
- docker rmi $CI_REGISTRY_IMAGE:latest
- docker pull $CI_REGISTRY_IMAGE:latest
vault.yml template:
.vault_secrets:
variables:
HOSTED_VAULT_URL: https://vault.lichnak.cz
image: vault:latest
before_script:
# Vault's address can be provided here or as CI/CD variable
- export VAULT_ADDR=$HOSTED_VAULT_URL
# Authenticate and get token. Token expiry time and other properties can be configured
# when configuring JWT Auth - https://www.vaultproject.io/api-docs/auth/jwt#parameters-1
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=$CI_PROJECT_NAME jwt=$CI_JOB_JWT)"
.gitlab-ci.yml in tf image build project:
# when to trigger pipeline runs
workflow:
rules:
# never run for scheduled pipelines
# remove this rule if some of your jobs need to be scheduled
- if: '$CI_PIPELINE_SOURCE == "schedule"'
when: never
# run for merge requests
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
when: always
# run on master branch (after merge)
- if: '$CI_COMMIT_BRANCH == "master"'
when: always
# run on release tags
- if: "$CI_COMMIT_TAG =~ /^release-*/"
when: always
stages:
- secrets
- build
- test
- publish
- deploy
include:
- project: platform/templates
ref: v0.0.3
file: lib/docker.yml
- project: platform/templates
ref: v0.0.5
file: lib/vault.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
variables:
SECURE_LOG_LEVEL: error
read_staging_secrets:
extends: .vault_secrets
stage: secrets
script:
- export REMOTE_DOCKER_CACERT="$(vault kv get -field=cacert secrets/$CI_PROJECT_NAME/staging/dockercacert)"
- export REMOTE_DOCKER_CERT="$(vault kv get -field=cert secrets/$CI_PROJECT_NAME/staging/dockercert)"
- export REMOTE_DOCKER_KEY="$(vault kv get -field=key secrets/$CI_PROJECT_NAME/staging/dockerkey)"
- export PLATFORM_DEPLOY_USER="$(vault kv get -field=user secrets/$CI_PROJECT_NAME/staging/platformuser)"
- export PLATFORM_DEPLOY_PASSWORD="$(vault kv get -field=password secrets/$CI_PROJECT_NAME/staging/platformpass)"
- export GOOGLE_OAUTH_CLIENT_ID="$(vault kv get -field=id secrets/$CI_PROJECT_NAME/staging/gcp_client_id)"
- export GOOGLE_OAUTH_CLIENT_SECRET="$(vault kv get -field=secret secrets/$CI_PROJECT_NAME/staging/gcp_client_credential)"
.sast:
stage: test
allow_failure: true
variables:
SAST_EXPERIMENTAL_FEATURES: "true"
only:
- develop-*
build_docker:
extends: .docker_build
stage: build
variables:
DOCKER_TAG: $CI_COMMIT_SHORT_SHA
DOCKER_RELEASE_NAME: terraform-python
DOCKER_RELEASE_USER: $PLATFORM_DEPLOY_USER
DOCKER_RELEASE_PASSWORD: $PLATFORM_DEPLOY_PASSWORD
versioned_release:
extends: .docker_release
stage: publish
variables:
DOCKER_RELEASE_TAG: $CI_COMMIT_REF_NAME
DOCKER_RELEASE_NAME: terraform-python
DOCKER_RELEASE_USER: $PLATFORM_DEPLOY_USER
DOCKER_RELEASE_PASSWORD: $PLATFORM_DEPLOY_PASSWORD
only:
- /^v[0-9]+\.[0-9]+\.[0-9]+\-[0-9]+\.[0-9]$/
before_script:
- DOCKER_RELEASE_TAG="${CI_COMMIT_REF_NAME:1}"
latest_release:
extends: .docker_release
stage: publish
variables:
DOCKER_RELEASE_TAG: latest
DOCKER_RELEASE_NAME: terraform-python
DOCKER_RELEASE_USER: $PLATFORM_DEPLOY_USER
DOCKER_RELEASE_PASSWORD: $PLATFORM_DEPLOY_PASSWORD
only:
- main
latest_deploy:
extends: .docker_deploy
stage: deploy
variables:
DOCKER_RELEASE_TAG: latest
DOCKER_RELEASE_NAME: terraform-python
DOCKER_RELEASE_USER: $PLATFORM_DEPLOY_USER
DOCKER_RELEASE_PASSWORD: $PLATFORM_DEPLOY_PASSWORD
DOCKER_REMOTE_HOST: tcp://suska.home.lichnak.cz:2376
DOCKER_CACERT: $REMOTE_DOCKER_CACERT
DOCKER_CERT: $REMOTE_DOCKER_CERT
DOCKER_KEY: $REMOTE_DOCKER_KEY
script:
- docker run --name $CI_PROJECT_NAME -d
-p 127.0.0.1:5000:5000 --restart unless-stopped
-e DATABASE_URL="$DATABASE_URL"
-e SECRET_KEY=$SECRET_KEY
-e GOOGLE_OAUTH_CLIENT_ID=$GOOGLE_OAUTH_CLIENT_ID
-e GOOGLE_OAUTH_CLIENT_SECRET=$GOOGLE_OAUTH_CLIENT_SECRET
-e SENTRY_ENV=$SENTRY_ENV
-e SENTRY_DSN="$SENTRY_DSN"
$DOCKER_RELEASE_REGISTRY/$DOCKER_RELEASE_NAME:$DOCKER_RELEASE_TAG
only:
- main
Backup and restore
# Backups
gitlab-rake gitlab:backup:create STRATEGY=copy
# Restore
