sameersbn/gitlab:14.2.5

• Introduction
  • Changelog
• Contributing
• Team
• Issues
• Announcements
• Prerequisites
• Installation
• Quick Start
• Configuration
  • Data Store
  • Database
    • PostgreSQL (Recommended)
      • External PostgreSQL Server
      • Linking to PostgreSQL Container
      • Upgrading PostgreSQL
  • Redis
    • Internal Redis Server
    • External Redis Server
    • Linking to Redis Container
  • Mail
    • Reply by email
  • SSL
    • Generation of a Self Signed Certificate
    • Strengthening the server security
    • Installation of the SSL Certificates
    • Enabling HTTPS support
    • Configuring HSTS
    • Using HTTPS with a load balancer
    • Establishing trust with your server
    • Installing Trusted SSL Server Certificates
  • Deploy to a subdirectory (relative url root)
  • OmniAuth Integration
    • CAS3
    • Authentiq
    • Google
    • Twitter
    • GitHub
    • GitLab
    • BitBucket
    • SAML
    • Crowd
    • Microsoft Azure
    • Generic OAuth2
  • Gitlab Pages
  • External Issue Trackers
  • Host UID / GID Mapping
  • Piwik
  • Exposing ssh port in dockerized gitlab-ce
  • Available Configuration Parameters
• Maintenance
  • Creating Backups
  • Restoring Backups
  • Automated Backups
  • Amazon Web Services (AWS) Remote Backups
  • Google Cloud Storage (GCS) Remote Backups
  • Rake Tasks
  • Import Repositories
  • Upgrading
  • Shell Access
• Monitoring
  • Health Check
• Container Registry
• Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry
• References

Introduction

Dockerfile to build a GitLab image for the Docker opensource container platform.

GitLab CE is set up in the Docker image using the install from source method as documented in the the official GitLab documentation.

For other methods to install GitLab please refer to the Official GitLab Installation Guide which includes a GitLab image for Docker.

Contributing

If you find this image useful here's how you can help:

• Send a Pull Request with your awesome new features and bug fixes
• Be a part of the community and help resolve Issues
• Support the development of this image with a donation

Team

• Niclas Mietz (solidnerd)
• Sameer Naik (sameersbn)

See Contributors for the complete list developers that have contributed to this project.

Issues

Docker is a relatively new project and is active being developed and tested by a thriving community of developers and testers and every release of docker features many enhancements and bugfixes.

Given the nature of the development and release cycle it is very important that you have the latest version of docker installed because any issue that you encounter might have already been fixed with a newer docker release.

Install the most recent version of the Docker Engine for your platform using the official Docker releases, which can also be installed using:

wget -qO- https://get.docker.com/ | sh

Fedora and RHEL/CentOS users should try disabling selinux with

setenforce 0

You may also set

DEBUG=true

If using the latest docker version and/or disabling selinux does not fix the issue then please file a issue request on the issues page.

In your issue report please make sure you provide the following information:

• The host distribution and release version.
• Output of the

  docker version

  command
• Output of the

  docker info

  command
• The

  docker run

  command you used to run the image (mask out the sensitive bits).

Prerequisites

Your docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab hardware requirements documentation for additional information.

Installation

Automated builds of the image are available on Dockerhub and is the recommended method of installation.

docker pull sameersbn/gitlab:14.2.5

You can also pull the

latest

docker pull sameersbn/gitlab:latest

Alternatively you can build the image locally.

docker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab

Quick Start

The quickest way to get started is using docker-compose.

wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml

Generate random strings that are at least

64

GITLAB_SECRETS_OTP_KEY_BASE

GITLAB_SECRETS_DB_KEY_BASE

GITLAB_SECRETS_SECRET_KEY_BASE

• GITLAB_SECRETS_OTP_KEY_BASE

  is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.

• GITLAB_SECRETS_DB_KEY_BASE

  is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.

• GITLAB_SECRETS_SECRET_KEY_BASE

  is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.

Tip: You can generate a random string using

pwgen -Bsv1 64

and assign it as the value of

GITLAB_SECRETS_DB_KEY_BASE

.

Start GitLab using:

docker-compose up

Alternatively, you can manually launch the

gitlab

postgresql

redis

Step 1. Launch a postgresql container

docker run --name gitlab-postgresql -d \
    --env 'DB_NAME=gitlabhq_production' \
    --env 'DB_USER=gitlab' --env 'DB_PASS=password' \
    --env 'DB_EXTENSION=pg_trgm' \
    --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \
    sameersbn/postgresql:12-20200524

Step 2. Launch a redis container

docker run --name gitlab-redis -d \
    --volume /srv/docker/gitlab/redis:/data \
    redis:6.2

Step 3. Launch the gitlab container

docker run --name gitlab -d \
    --link gitlab-postgresql:postgresql --link gitlab-redis:redisio \
    --publish 10022:22 --publish 10080:80 \
    --env 'GITLAB_PORT=10080' --env 'GITLAB_SSH_PORT=10022' \
    --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \
    --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \
    --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Please refer to Available Configuration Parameters to understand

GITLAB_PORT

NOTE: Please allow a couple of minutes for the GitLab application to start.

Point your browser to

http://localhost:10080

root

You should now have the GitLab application up and ready for testing. If you want to use this image in production then please read on.

The rest of the document will use the docker command line. You can quite simply adapt your configuration into a

docker-compose.yml

Configuration

Data Store

GitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. To avoid losing any data, you should mount a volume at,

• /home/git/data

Note: that if you are using the

docker-compose

docker volume inpect

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

mkdir -p /srv/docker/gitlab/gitlab
sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/gitlab

Volumes can be mounted in docker by specifying the

-v

docker run --name gitlab -d \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Database

GitLab uses a database backend to store its data. You can configure this image to use PostgreSQL.

Note: GitLab requieres PostgreSQL now. So use an older image < 12.1 or migrate to PostgresSQL

PostgreSQL

NOTE: version 13.7.0 and later requires PostgreSQL version 12.x

External PostgreSQL Server

The image also supports using an external PostgreSQL Server. This is also controlled via environment variables.

CREATE ROLE gitlab with LOGIN CREATEDB PASSWORD 'password';
CREATE DATABASE gitlabhq_production;
GRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab;

Additionally since GitLab

8.6.0

pg_trgm

gitlabhq_production

We are now ready to start the GitLab application.

Assuming that the PostgreSQL server host is 192.168.1.100

docker run --name gitlab -d \
    --env 'DB_HOST=192.168.1.100' \
    --env 'DB_NAME=gitlabhq_production' \
    --env 'DB_USER=gitlab' --env 'DB_PASS=password' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Linking to PostgreSQL Container

You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to postgresql while linking with the gitlab image.

If a postgresql container is linked, only the

DB_HOST

DB_PORT

DB_NAME

DB_USER

DB_PASS

To illustrate linking with a postgresql container, we will use the sameersbn/postgresql image. When using postgresql image in production you should mount a volume for the postgresql data store. Please refer the README of docker-postgresql for details.

First, lets pull the postgresql image from the docker index.

docker pull sameersbn/postgresql:12-20200524

For data persistence lets create a store for the postgresql and start the container.

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

mkdir -p /srv/docker/gitlab/postgresql
sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/postgresql

The run command looks like this.

docker run --name gitlab-postgresql -d \
    --env 'DB_NAME=gitlabhq_production' \
    --env 'DB_USER=gitlab' --env 'DB_PASS=password' \
    --env 'DB_EXTENSION=pg_trgm' \
    --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \
    sameersbn/postgresql:12-20200524

The above command will create a database named

gitlabhq_production

gitlab

password

gitlabhq_production

We are now ready to start the GitLab application.

docker run --name gitlab -d --link gitlab-postgresql:postgresql \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Here the image will also automatically fetch the

DB_NAME

DB_USER

DB_PASS

docker run

• postgres
• sameersbn/postgresql
• orchardup/postgresql
• paintedfox/postgresql

Upgrading PostgreSQL

When this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL.

If you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL.

If you are using PostgreSQL image other than sameersbn/postgresql you will need make sure that the image you are using can handle migration itself, or, you will need to migrate the data yourself before starting newer version of PostgreSQL.

Following project provides Docker image that handles migration of PostgreSQL data: tianon/postgres-upgrade

After migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is

pg_hba.conf

Redis

GitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables.

Internal Redis Server

The internal redis server has been removed from the image. Please use a linked redis container or specify a external redis connection.

External Redis Server

The image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image.

Assuming that the redis server host is 192.168.1.100

docker run --name gitlab -it --rm \
    --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \
    sameersbn/gitlab:14.2.5

Linking to Redis Container

You can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to redisio while linking with the gitlab image.

To illustrate linking with a redis container, we will use the redis image. Please refer the README for details.

First, lets pull the redis image from the docker index.

docker pull redis:6.2

Lets start the redis container

docker run --name gitlab-redis -d \
    --volume /srv/docker/gitlab/redis:/data \
    redis:6.2

We are now ready to start the GitLab application.

docker run --name gitlab -d --link gitlab-redis:redisio \
    sameersbn/gitlab:14.2.5

Mail

The mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers.

If you are using Gmail then all you need to do is:

docker run --name gitlab -d \
    --env '[email protected]' --env 'SMTP_PASS=PASSWORD' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Please refer the Available Configuration Parameters section for the list of SMTP parameters that can be specified.

Reply by email

Since version

8.0.0

To enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify

GITLAB_INCOMING_EMAIL_ADDRESS

IMAP_USER

If your email provider supports email sub-addressing then you should add the

+%{key}

GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com

If you are using Gmail then all you need to do is:

docker run --name gitlab -d \
    --env 'IMAP_[email protected]' --env 'IMAP_PASS=PASSWORD' \
    --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Please refer the Available Configuration Parameters section for the list of IMAP parameters that can be specified.

SSL

Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.

Jump to the Using HTTPS with a load balancer section if you are using a load balancer such as hipache, haproxy or nginx.

To secure your application via SSL you basically need two things: - Private key (.key) - SSL certificate (.crt)

When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip to Strengthening the server security section if you are armed with CA certified SSL certificates.

Generation of a Self Signed Certificate

Generation of a self-signed SSL certificate involves a simple 3-step procedure:

STEP 1: Create the server private key

openssl genrsa -out gitlab.key 2048

STEP 2: Create the certificate signing request (CSR)

openssl req -new -key gitlab.key -out gitlab.csr

STEP 3: Sign the certificate using the private key and CSR

openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt

Congratulations! You now have a self-signed SSL certificate valid for 10 years.

Strengthening the server security

This section provides you with instructions to strengthen your server security. To achieve this we need to generate stronger DHE parameters.

openssl dhparam -out dhparam.pem 2048

Installation of the SSL Certificates

Out of the four files generated above, we need to install the

gitlab.key

gitlab.crt

dhparam.pem

The default path that the gitlab application is configured to look for the SSL certificates is at

/home/git/data/certs

SSL_KEY_PATH

SSL_CERTIFICATE_PATH

SSL_DHPARAM_PATH

If you remember from above, the

/home/git/data

certs/

/home/git/data

gitlab.key

In case use of docker-compose ...

$>docker volume inspect

look for "< user >_gitlab-data" and copy the "certs" directory into the "Mountpoint"

mkdir -p /srv/docker/gitlab/gitlab/certs
cp gitlab.key /srv/docker/gitlab/gitlab/certs/
cp gitlab.crt /srv/docker/gitlab/gitlab/certs/
cp dhparam.pem /srv/docker/gitlab/gitlab/certs/
chmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key

Great! we are now just one step away from having our application secured.

Enabling HTTPS support

HTTPS support can be enabled by setting the

GITLAB_HTTPS

true

SSL_SELF_SIGNED

true

docker run --name gitlab -d \
    --publish 10022:22 --publish 10080:80 --publish 10443:443 \
    --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \
    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.

Configuring HSTS

HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value.

With

NGINX_HSTS_MAXAGE

31536000

0

docker run --name gitlab -d \
 --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
 --env 'NGINX_HSTS_MAXAGE=2592000' \
 --volume /srv/docker/gitlab/gitlab:/home/git/data \
 sameersbn/gitlab:14.2.5

If you want to completely disable HSTS set

NGINX_HSTS_ENABLED

false

Using HTTPS with a load balancer

Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should NOT be installed in the container. The SSL configuration has to instead be done at the load balancer.

However, when using a load balancer you MUST set

GITLAB_HTTPS

true

SSL_SELF_SIGNED

true

With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to Using SSL/HTTPS with HAProxy for information on the subject.

When using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.

In summation, when using a load balancer, the docker command would look for the most part something like this:

docker run --name gitlab -d \
    --publish 10022:22 --publish 10080:80 \
    --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \
    --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

Again, drop the

--env 'SSL_SELF_SIGNED=true'

In case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration:

proxy_set_header X-Forwarded-Ssl on;

Establishing trust with your server

This section deals will self-signed ssl certificates. If you are using CA certified certificates, your done.

This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they.

This is simply done by adding the servers certificate into their list of trusted certificates. On ubuntu, this is done by copying the

gitlab.crt

/usr/local/share/ca-certificates/

update-ca-certificates

Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the

gitlab.crt

git clone https://git.local.host/gitlab-foss.git
fatal: unable to access 'https://git.local.host/gitlab-foss.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

You can do the same at the web browser. Instructions for installing the root certificate for firefox can be found here. You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog.

There you have it, that's all there is to it.

Installing Trusted SSL Server Certificates

If your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other.

The default path image is configured to look for the trusted SSL certificates is at

/home/git/data/certs/ca.crt

SSL_CA_CERTIFICATES_PATH

Copy the

ca.crt

ca.crt

By default, our own server certificate gitlab.crt is added to the trusted certificates list.

Deploy to a subdirectory (relative url root)

By default GitLab expects that your application is running at the root (eg. /). This section explains how to run your application inside a directory.

Let's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using the

GITLAB_RELATIVE_URL_ROOT

docker run --name gitlab -it --rm \
    --env 'GITLAB_RELATIVE_URL_ROOT=/git' \
    --volume /srv/docker/gitlab/gitlab:/home/git/data \
    sameersbn/gitlab:14.2.5

GitLab will now be accessible at the

/git

http://www.example.com/git

Note: The

GITLAB_RELATIVE_URL_ROOT

OmniAuth Integration

GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.

Refer to the GitLab documentation for additional information.

CAS3

To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.

For example, if your cas server url is

https://sso.example.com

--env 'OAUTH_CAS3_SERVER=https://sso.example.com'

Authentiq

To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with Authentiq. Please refer to the GitLab documentation for the procedure to generate the client ID and secret key with Authentiq.

Once you have the API client id and client secret generated, configure them using the

OAUTH_AUTHENTIQ_CLIENT_ID

OAUTH_AUTHENTIQ_CLIENT_SECRET

For example, if your API key is

xxx

yyy

--env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy'

You may want to specify

OAUTH_AUTHENTIQ_REDIRECT_URI

OAUTH_AUTHENTIQ_SCOPE

'aq:name email~rs address aq:push'

Google

To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab documentation for the procedure to generate the client ID and secret key with google.

Once you have the client ID and secret keys generated, configure them using the

OAUTH_GOOGLE_API_KEY

OAUTH_GOOGLE_APP_SECRET

For example, if your client ID is

xxx.apps.googleusercontent.com

yyy

--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'

You can also restrict logins to a single domain by adding

--env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'"

Facebook

To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate a API key and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the API key and secret.

Once you have the API key and secret generated, configure them using the

OAUTH_FACEBOOK_API_KEY

OAUTH_FACEBOOK_APP_SECRET

For example, if your API key is

xxx

yyy

--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy'

Twitter

To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate a API key and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the API key and secret with twitter.

Once you have the API key and secret generated, configure them using the

OAUTH_TWITTER_API_KEY

OAUTH_TWITTER_APP_SECRET

For example, if your API key is

xxx

yyy

--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy'

GitHub

To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the Client ID and secret with github.

Once you have the Client ID and secret generated, configure them using the

OAUTH_GITHUB_API_KEY

OAUTH_GITHUB_APP_SECRET

For example, if your Client ID is

xxx

yyy

--env 'OAUTH_GITHUB_API_KEY=xxx' --env 'OAUTH_GITHUB_APP_SECRET=yyy'

Users of GitHub Enterprise may want to specify

OAUTH_GITHUB_URL

OAUTH_GITHUB_VERIFY_SSL

GitLab

To enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the Client ID and secret with GitLab.

Once you have the Client ID and secret generated, configure them using the

OAUTH_GITLAB_API_KEY

OAUTH_GITLAB_APP_SECRET

For example, if your Client ID is

xxx

yyy

--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy'

BitBucket

To enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLab documentation for the procedure to generate the Client ID and secret with BitBucket.

Once you have the Client ID and secret generated, configure them using the

OAUTH_BITBUCKET_API_KEY

OAUTH_BITBUCKET_APP_SECRET

For example, if your Client ID is

xxx

yyy

--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy'

SAML

GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab documentation.

The following parameters have to be configured to enable SAML OAuth support in this image:

OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL

OAUTH_SAML_IDP_CERT_FINGERPRINT

OAUTH_SAML_IDP_SSO_TARGET_URL

OAUTH_SAML_ISSUER

OAUTH_SAML_NAME_IDENTIFIER_FORMAT

You can also override the default "Sign in with" button label with

OAUTH_SAML_LABEL

Please refer to Available Configuration Parameters for the default configurations of these parameters.

Crowd

To enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server.

Configure GitLab to enable access the Crowd server by specifying the

OAUTH_CROWD_SERVER_URL

OAUTH_CROWD_APP_NAME

OAUTH_CROWD_APP_PASSWORD

Auth0

To enable the Auth0 OmniAuth provider you must register your application with auth0.

Configure the following environment variables

OAUTH_AUTH0_CLIENT_ID

OAUTH_AUTH0_CLIENT_SECRET

OAUTH_AUTH0_DOMAIN

Microsoft Azure

To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab documentation for the procedure.

Once you have the Client ID, Client secret and Tenant ID generated, configure them using the

OAUTH_AZURE_API_KEY

OAUTH_AZURE_API_SECRET

OAUTH_AZURE_TENANT_ID

For example, if your Client ID is

xxx

yyy

zzz

--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'

Generic OAuth2

To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.

As an example this code has been tested with Keycloak, with the following variables:

OAUTH2_GENERIC_APP_ID

OAUTH2_GENERIC_APP_SECRET

OAUTH2_GENERIC_CLIENT_SITE

OAUTH2_GENERIC_CLIENT_USER_INFO_URL

OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL

OAUTH2_GENERIC_CLIENT_TOKEN_URL

OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT

OAUTH2_GENERIC_ID_PATH

OAUTH2_GENERIC_USER_UID

OAUTH2_GENERIC_USER_NAME

OAUTH2_GENERIC_USER_EMAIL

OAUTH2_GENERIC_NAME

See GitLab documentation and Omniauth-oauth2-generic documentation for more details.

Gitlab Pages

Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the envrionment variable

GITLAB_PAGES_ENABLED

true

Gitlab Pages Access Control

Since version

11.5.0

Gitlab pages access control requires additional configuration before activating it through the variable

GITLAB_PAGES_ACCESS_CONTROL

Gitab pages access control makes use of the Gitlab OAuth Module.

• Goto the Gitlab Admin area
• Select

  Applications

  in the menu
• Create

  New Application

  • Name:

    Gitlab Pages

  • Scopes:
    • api
  • Trusted: NO (Do not select)
  • Redirect URI: https://projects./auth

Note about the

Redirect URI

gitlab-pages

/auth

This means that if you run your gitlab pages at domain

pages.example.io

In the example above; the pages domain

projects

*.

gitlab-pages

Make sure to choose own which does not exist and make sure that the request is routed to the

gitlab-pages

After creating the OAuth application endpoint for the Gitlab Pages Daemon. Gitlab pages access control can now be enabled.

Add to following environment variables to your Gitlab Container.

| Variable | R/O | Description | |----------|-----|-------------| | GITLABPAGESACCESSCONTROL | Required | Set to

true

https://gitlab.example.io

https://projects.example.io

After you have enabled the gitlab pages access control. When you go to a project

General Settings

Permissions

External Issue Trackers

Since version

7.10.0

If you are using the docker-redmine image, you can one up the gitlab integration with redmine by adding

--volumes-from=gitlab

By using the above option the

/home/git/data/repositories

opensource/gitlab

/home/git/data/repositories/opensource/gitlab.git

Host UID / GID Mapping

Per default the container is configured to run gitlab as user and group

git

uid

gid

1000

1000

Also the container processes seem to be executed as the host's user/group

1000

uid

gid

git

USERMAP_UID

USERMAP_GID

git

docker run --name gitlab -it --rm [options] \
    --env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \
    sameersbn/gitlab:14.2.5

When changing this mapping, all files and directories in the mounted data volume

/home/git/data

docker run --name gitlab -d [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:sanitize

Piwik

If you want to monitor your gitlab instance with Piwik, there are two options to setup:

PIWIK_URL

PIWIK_SITE_ID

• PIWIK_URL=piwik.example.org

• PIWIK_SITE_ID=42

Available Configuration Parameters

Please refer the docker run command options for the

--env-file

Below is the complete list of available options that can be used to customize your gitlab installation.

| Parameter | Description | |-----------|-------------| |

DEBUG

true

TZ

UTC

Europe/Amsterdam

GITLAB_TIMEZONE

GITLAB_HOST

localhost

GITLAB_CI_HOST

GITLAB_PORT

443

GITLAB_HTTPS=true

80

GITLAB_SECRETS_DB_KEY_BASE

pwgen -Bsv1 64

GITLAB_CI_SECRETS_DB_KEY_BASE

GITLAB_SECRETS_SECRET_KEY_BASE

pwgen -Bsv1 64

GITLAB_SECRETS_OTP_KEY_BASE

pwgen -Bsv1 64

GITLAB_TIMEZONE

UTC

TZ

GITLAB_ROOT_PASSWORD

5iveL!fe

GITLAB_ROOT_EMAIL

[email protected]

GITLAB_EMAIL

SMTP_USER

[email protected]

GITLAB_EMAIL_DISPLAY_NAME

GitLab

GITLAB_EMAIL_REPLY_TO

GITLAB_EMAIL

[email protected]

GITLAB_EMAIL_SUBJECT_SUFFIX

GITLAB_EMAIL_ENABLED

SMTP_ENABLED

GITLAB_EMAIL_SMIME_ENABLE

false

GITLAB_EMAIL_SMIME_KEY_FILE

. |
| `GITLAB_EMAIL_SMIME_CERT_FILE` | Specifies the path to a S/MIME public certificate key in PEM format. Defaults to

GITLAB_DEFAULT_THEME

GITLAB_INCOMING_EMAIL_ADDRESS

IMAP_USER

[email protected]

GITLAB_INCOMING_EMAIL_ENABLED

IMAP_ENABLED

GITLAB_SIGNUP_ENABLED

true

GITLAB_IMPERSONATION_ENABLED

true

GITLAB_PROJECTS_LIMIT

100

GITLAB_USERNAME_CHANGE

true

GITLAB_CREATE_GROUP

true

GITLAB_PROJECTS_ISSUES

true

GITLAB_PROJECTS_MERGE_REQUESTS

true

GITLAB_PROJECTS_WIKI

true

GITLAB_PROJECTS_SNIPPETS

false

GITLAB_PROJECTS_BUILDS

true

GITLAB_PROJECTS_CONTAINER_REGISTRY

true

GITLAB_SHELL_CUSTOM_HOOKS_DIR

/home/git/gitlab-shell/hooks

GITLAB_WEBHOOK_TIMEOUT

10

GITLAB_NOTIFY_ON_BROKEN_BUILDS

true

GITLAB_NOTIFY_PUSHER

false

GITLAB_REPOS_DIR

/home/git/data/repositories

GITLAB_BACKUP_DIR

/home/git/data/backups

GITLAB_BACKUP_DIR_CHOWN

true

GITLAB_BACKUP_DIR_GROUP

GITLAB_BUILDS_DIR

/home/git/data/builds

GITLAB_DOWNLOADS_DIR

/home/git/data/tmp/downloads

GITLAB_SHARED_DIR

/home/git/data/shared

GITLAB_ARTIFACTS_ENABLED

true

GITLAB_ARTIFACTS_DIR

$GITLAB_SHARED_DIR/artifacts

AWS_ACCESS_KEY_ID

AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY

AWS_SECRET_ACCESS_KEY

AWS_REGION

us-east-1

AWS_HOST

$AWS_HOST

s3.amazon.com

AWS_ENDPOINT

http://127.0.0.1:9000

nil

AWS_PATH_STYLE

true

AWS_SIGNATURE_VERSION

4

GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

/gcs/key.json

GITLAB_OBJECT_STORE_CONNECTION_PROVIDER

AWS

GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED

false

GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY

artifacts

GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD

false

GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD

false

GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD

false

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER

AWS

Google

$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER

AWS

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID

$AWS_ACCESS_KEY_ID

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY

$AWS_SECRET_ACCESS_KEY

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION

$AWS_REGION

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST

$AWS_HOST

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT

http://127.0.0.1:9000

$AWS_ENDPOINT

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE

$AWS_PATH_STYLE

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION

$AWS_SIGNATURE_VERSION

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

/gcs/key.json

GITLAB_PIPELINE_SCHEDULE_WORKER_CRON

'19 * * * *'

GITLAB_LFS_ENABLED

true

GITLAB_LFS_OBJECTS_DIR

$GITLAB_SHARED_DIR/lfs-objects

GITLAB_LFS_OBJECT_STORE_ENABLED

false

GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY

lfs-object

GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD

false

GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD

false

GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER

AWS

Google

$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER

AWS

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID

AWS_ACCESS_KEY_ID

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY

AWS_SECRET_ACCESS_KEY

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION

$AWS_REGION

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST

$AWS_HOST

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT

http://127.0.0.1:9000

$AWS_ENDPOINT

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE

AWS_PATH_STYLE

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION

$AWS_SIGNATURE_VERSION

GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

/gcs/key.json

GITLAB_PACKAGES_ENABLED

true

GITLAB_PACKAGES_DIR

$GITLAB_SHARED_DIR/packages

GITLAB_PACKAGES_OBJECT_STORE_ENABLED

false

GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY

packages

GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD

false

GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD

false

GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD

false

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER

AWS

Google

$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER

AWS

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID

$AWS_ACCESS_KEY_ID

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY

$AWS_SECRET_ACCESS_KEY

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION

$AWS_REGION

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST

$AWS_HOST

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT

http://127.0.0.1:9000

$AWS_ENDPOINT

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE

AWS_PATH_STYLE

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

/gcs/key.json

GITLAB_UPLOADS_STORAGE_PATH

$GITLAB_SHARED_DIR/public

GITLAB_UPLOADS_BASE_DIR

GITLAB_UPLOADS_STORAGE_PATH

uploads/-/system

GITLAB_UPLOADS_OBJECT_STORE_ENABLED

false

GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY

uploads

GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD

false

GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD

false

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER

AWS

Google

$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER

AWS

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID

AWS_ACCESS_KEY_ID

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY

AWS_SECRET_ACCESS_KEY

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION

$AWS_REGION

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST

$AWS_HOST

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT

http://127.0.0.1:9000

$AWS_ENDPOINT

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE

AWS_PATH_STYLE

GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION

$AWS_SIGNATURE_VERSION

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION

/gcs/key.json

GITLAB_MATTERMOST_ENABLED

false

GITLAB_MATTERMOST_URL

https://mattermost.example.com

GITLAB_BACKUP_SCHEDULE

disable

daily

weekly

monthly

GITLAB_BACKUP_EXPIRY

GITLAB_BACKUP_PG_SCHEMA

GITLAB_BACKUP_ARCHIVE_PERMISSIONS

0600

GITLAB_BACKUP_TIME

HH:MM

04:00

GITLAB_BACKUP_SKIP

lfs,uploads

GITLAB_SSH_HOST

GITLAB_SSH_LISTEN_PORT

22

GITLAB_SSH_MAXSTARTUPS

10:30:60

GITLAB_SSH_PORT

$GITLAB_SSH_LISTEN_PORT

GITLAB_RELATIVE_URL_ROOT

/git

GITLAB_TRUSTED_PROXIES

GITLAB_REGISTRY_ENABLED

false

GITLAB_REGISTRY_HOST

registry.example.com

GITLAB_REGISTRY_PORT

443

GITLAB_REGISTRY_API_URL

http://localhost:5000

GITLAB_REGISTRY_KEY_PATH

config/registry.key

GITLAB_REGISTRY_DIR

$GITLAB_SHARED_DIR/registry

GITLAB_REGISTRY_ISSUER

gitlab-issuer

GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES

true

$GITLAB_REGISTRY_KEY_PATH

/certs/registry.key

key

crt

/certs/registry.crt

GITLAB_PAGES_ENABLED

false

GITLAB_PAGES_DOMAIN

example.com

GITLAB_PAGES_DIR

$GITLAB_SHARED_DIR/pages

GITLAB_PAGES_PORT

80

GITLAB_PAGES_HTTPS

false

GITLAB_PAGES_ARTIFACTS_SERVER

true

GITLAB_PAGES_ARTIFACTS_SERVER_URL

GITLAB_PAGES_ARTIFACTS_SERVER

https://example.com/api/v4

GITLAB_PAGES_EXTERNAL_HTTP

GITLAB_PAGES_EXTERNAL_HTTPS

GITLAB_PAGES_ACCESS_CONTROL

true

GITLAB_PAGES_NGINX_PROXY

true

false

GITLAB_PAGES_ACCESS_SECRET

GITLAB_PAGES_ACCESS_CONTROL_SERVER

https://gitlab.example.io

GITLAB_PAGES_ACCESS_CLIENT_ID

GITLAB_PAGES_ACCESS_CLIENT_SECRET

GITLAB_PAGES_ACCESS_REDIRECT_URI

https://projects.example.io/auth

GITLAB_HTTPS

true

GITALY_CLIENT_PATH

/home/git/gitaly

GITALY_TOKEN

GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL

10

GITLAB_MONITORING_IP_WHITELIST

0.0.0.0/8

GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED

true

GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS

0.0.0.0

GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT

3807

GITLAB_CONTENT_SECURITY_POLICY_ENABLED

true

GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY

true

Content-Security-Policy-Report-Only

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI

base-uri

Content-Security-Policy

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC

child-src

Content-Security-Policy

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC

connect-src

Content-Security-Policy

'self' http://localhost:* ws://localhost:* wss://localhost:*

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC

default-src

Content-Security-Policy

'self'

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC

font-src

Content-Security-Policy

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION

form-action

Content-Security-Policy

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS

frame-ancestors

Content-Security-Policy

'self'

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC

frame-src

Content-Security-Policy

'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC

img-src

Content-Security-Policy

* data: blob:

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC

manifest-src

Content-Security-Policy

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC

media-src

Content-Security-Policy

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC

object-src

Content-Security-Policy

'none'

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC

script-src

Content-Security-Policy

'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC

style-src

Content-Security-Policy

'self' 'unsafe-inline'

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC

worker-src

Content-Security-Policy

'self' blob:

GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI

report-uri

Content-Security-Policy

SSL_SELF_SIGNED

true

false

SSL_CERTIFICATE_PATH

/home/git/data/certs/gitlab.crt

SSL_KEY_PATH

/home/git/data/certs/gitlab.key

SSL_DHPARAM_PATH

/home/git/data/certs/dhparam.pem

SSL_VERIFY_CLIENT

SSL_CA_CERTIFICATES_PATH

on

off

SSL_CA_CERTIFICATES_PATH

/home/git/data/certs/ca.crt

SSL_REGISTRY_KEY_PATH

/home/git/data/certs/registry.key

SSL_REGISTRY_CERT_PATH

/home/git/data/certs/registry.crt

SSL_PAGES_KEY_PATH

/home/git/data/certs/pages.key

SSL_PAGES_CERT_PATH

/home/git/data/certs/pages.crt

SSL_CIPHERS

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

SSL_PROTOCOLS

TLSv1 TLSv1.1 TLSv1.2 TLSv1.3

SSL_PAGES_CIPHERS

SSL_CIPHERS

SSL_PAGES_PROTOCOLS

SSL_PROTOCOLS

SSL_REGISTRY_CIPHERS

SSL_CIPHERS

SSL_REGISTRY_PROTOCOLS

SSL_PROTOCOLS

NGINX_WORKERS

1

NGINX_SERVER_NAMES_HASH_BUCKET_SIZE

32

| Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to

. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. |
|

| Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to

. |
|

| Enable

. Defaults to

. |
|

| Enable

header. Default to

|
|

| Advanced configuration option for the

setting in the gitlab nginx vHost configuration. Defaults to

when

is

, else defaults to

. |
|

| set to

if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address.

by default. |
|

| You can have NGINX look for a different address to use by adding your reverse proxy to the

. Currently only a single entry is permitted. No defaults. |
|

| The hostname of the redis server. Defaults to

|
|

| The connection port of the redis server. Defaults to

. |
|

| The redis database number. Defaults to '0'. |
|

| The number of puma workers to start. Defaults to

. |
|

| Sets the timeout of puma worker processes. Defaults to

seconds. |
|

| The number of puma minimum threads. Defaults to

. |
|

| The number of puma maximum threads. Defaults to

. |
|

| Maximum memory size of per puma worker process. Defaults to

. |
|

| Maximum memory size of puma master process. Defaults to

. |
|

| The number of concurrent sidekiq jobs to run. Defaults to

|
|

| Timeout for sidekiq shutdown. Defaults to

|
|

| Non-zero value enables the SidekiqMemoryKiller. Defaults to

. For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html) |
|

| Sidekiq log format that will be used. Defaults to

|
|

| The database type. Currently only postgresql is supported. Over 12.1 postgres force. Possible values:

. Defaults to

. |
|

| The database encoding. For

values

this parameter defaults and

respectively. |
|

| The database server hostname. Defaults to

. |
|

| The database server port. Defaults to

for postgresql. |
|

| The database database name. Defaults to

|
|

| The database database user. Defaults to

|
|

| The database database password. Defaults to no password |
|

| The database database connection pool count. Defaults to

. |
|

| Whether use database prepared statements. No defaults. But set to

if you want to use with [PgBouncer](https://pgbouncer.github.io/) |
|

| Enable mail delivery via SMTP. Defaults to

if

is defined, else defaults to

. |
|

| SMTP domain. Defaults to

|
|

| SMTP server host. Defaults to

. |
|

| SMTP server port. Defaults to

. |
|

| SMTP username. |
|

| SMTP password. |
|

| Enable STARTTLS. Defaults to

. |
|

| Enable SSL/TLS. Defaults to

. |
|

| SMTP openssl verification mode. Accepted values are

,

,

and

. Defaults to

. |
|

| Specify the SMTP authentication method. Defaults to

if

is set. |
|

| Enable custom CA certificates for SMTP email configuration. Defaults to

. |
|

| Specify the

parameter for SMTP email configuration. Defaults to

. |
|

| Specify the

parameter for SMTP email configuration. Defaults to

. |
|

| Enable mail delivery via IMAP. Defaults to

if

is defined, else defaults to

. |
|

| IMAP server host. Defaults to

. |
|

| IMAP server port. Defaults to

. |
|

| IMAP username. |
|

| IMAP password. |
|

| Enable SSL. Defaults to

. |
|

| Enable STARTSSL. Defaults to

. |
|

| The name of the mailbox where incoming mail will end up. Defaults to

. |
|

| Enable LDAP. Defaults to

|
|

| Label to show on login tab for LDAP server. Defaults to 'LDAP' |
|

| LDAP Host |
|

| LDAP Port. Defaults to

|
|

| LDAP UID. Defaults to

|
|

| LDAP method, Possible values are

,

and

. Defaults to

|
|

| LDAP verify ssl certificate for installations that are using

or

. Defaults to

|
|

| Specifies the path to a file containing a PEM-format CA certificate. Defaults to

|
|

| Specifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. Defaults to

|
|

| No default. |
|

| LDAP password |
|

| Timeout, in seconds, for LDAP queries. Defaults to

. |
|

| Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to

. Defaults to

, |
|

| If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to

if

is

, else

. |
|

| Locks down those users until they have been cleared by the admin. Defaults to

. |
|

| Base where we can search for users. No default. |
|

| Filter LDAP users. No default. |
|

| Attribute fields for the identification of a user. Default to

|
|

| Attribute fields for the shown mail address. Default to

|
|

| Attribute field for the used username of a user. Default to

. |
|

| Attribute field for the forename of a user. Default to

|
|

|  Attribute field for the surname of a user. Default to

|
|

| GitLab will lower case the username for the LDAP Server. Defaults to

|
|

| Set to

to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to

|
|

| Enable OAuth support. Defaults to

if any of the support OAuth providers is configured, else defaults to

. |
|

| Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are

,

,

,

,

,

,

,

,

,

and

. No default. |
|

| Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are

,

,

,

,

,

,

,

,

,

and

. No default. |
|

| Locks down those users until they have been cleared by the admin. Defaults to

. |
|

| Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to

. |
|

| Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to

. |
|

| Allow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to

. |
|

| Comma separated list if oauth providers to disallow access to

projects. Users creating accounts via these providers will have access internal projects. Accepted values are

,

,

,

,

,

,

,

,

,

and

. No default. |
|

| The "Sign in with" button label. Defaults to "cas3". |
|

| CAS3 server URL. No defaults. |
|

| Disable CAS3 SSL verification. Defaults to

. |
|

| CAS3 login URL. Defaults to

|
|

| CAS3 validation URL. Defaults to

|
|

| CAS3 logout URL. Defaults to

|
|

| Google App Client ID. No defaults. |
|

| Google App Client Secret. No defaults. |
|

| List of Google App restricted domains. Value is comma separated list of single quoted groups. Example:

. No defaults. |
|

| Facebook App API key. No defaults. |
|

| Facebook App API secret. No defaults. |
|

| Twitter App API key. No defaults. |
|

| Twitter App API secret. No defaults. |
|

| authentiq Client ID. No defaults. |
|

| authentiq Client secret. No defaults. |
|

| Scope of Authentiq Application Defaults to

|
|

|  Callback URL for Authentiq. No defaults. |
|

| GitHub App Client ID. No defaults. |
|

| GitHub App Client secret. No defaults. |
|

| Url to the GitHub Enterprise server. Defaults to https://github.com |
|

| Enable SSL verification while communicating with the GitHub server. Defaults to

. |
|

| GitLab App Client ID. No defaults. |
|

| GitLab App Client secret. No defaults. |
|

| BitBucket App Client ID. No defaults. |
|

| BitBucket App Client secret. No defaults. |
|

| Bitbucket URL. Defaults: https://bitbucket.org/ |
|

| The URL at which the SAML assertion should be received. When

, defaults to

else defaults to

. |
|

| The SHA1 fingerprint of the certificate. No Defaults. |
|

| The URL to which the authentication request should be sent. No defaults. |
|

| The name of your application. When

, defaults to

else defaults to

. |
|

| The "Sign in with" button label. Defaults to "Our SAML Provider". |
|

| Describes the format of the username required by GitLab, Defaults to

|
|

| Map groups attribute in a SAMLResponse to external groups. No defaults. |
|

| List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example:

. No defaults. |
|

| Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
|

| Map 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
|

| Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
|

| Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
|

OAUTH_CROWD_SERVER_URL

OAUTH_CROWD_APP_NAME

OAUTH_CROWD_APP_PASSWORD

OAUTH_AUTH0_CLIENT_ID

OAUTH_AUTH0_CLIENT_SECRET

OAUTH_AUTH0_DOMAIN

OAUTH_AUTH0_SCOPE

openid profile email

OAUTH_AZURE_API_KEY

OAUTH_AZURE_API_SECRET

OAUTH_AZURE_TENANT_ID

OAUTH2_GENERIC_APP_ID

OAUTH2_GENERIC_APP_SECRET

OAUTH2_GENERIC_CLIENT_SITE

OAUTH2_GENERIC_CLIENT_USER_INFO_URL

OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL

OAUTH2_GENERIC_CLIENT_TOKEN_URL

OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT

OAUTH2_GENERIC_ID_PATH

OAUTH2_GENERIC_USER_UID

OAUTH2_GENERIC_USER_NAME

OAUTH2_GENERIC_USER_EMAIL

OAUTH2_GENERIC_NAME

GITLAB_GRAVATAR_ENABLED

true

GITLAB_GRAVATAR_HTTP_URL

http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon

GITLAB_GRAVATAR_HTTPS_URL

https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon

USERMAP_UID

git

1000

USERMAP_GID

git

USERMAP_UID

1000

GOOGLE_ANALYTICS_ID

PIWIK_URL

PIWIK_SITE_ID

AWS_BACKUPS

false

AWS_BACKUP_REGION

AWS_BACKUP_ENDPOINT

AWS_BACKUP_ACCESS_KEY_ID

AWS_BACKUP_SECRET_ACCESS_KEY

AWS_BACKUP_BUCKET

AWS_BACKUP_MULTIPART_CHUNK_SIZE

AWS_BACKUP_ENCRYPTION

false

AWS_BACKUP_STORAGE_CLASS

STANDARD

AWS_BACKUP_SIGNATURE_VERSION

4

GCS_BACKUPS

false

GCS_BACKUP_ACCESS_KEY_ID

GCS_BACKUP_SECRET_ACCESS_KEY

GCS_BACKUP_BUCKET

GITLAB_ROBOTS_PATH

robots.txt

robots.txt

RACK_ATTACK_ENABLED

true

RACK_ATTACK_WHITELIST

127.0.0.1

RACK_ATTACK_MAXRETRY

10

RACK_ATTACK_FINDTIME

60

RACK_ATTACK_BANTIME

3600

GITLAB_WORKHORSE_TIMEOUT

5m0s

SENTRY_ENABLED

false

SENTRY_DSN

SENTRY_CLIENTSIDE_DSN

SENTRY_ENVIRONMENT

production

Docker secrets and configs

All the above environment variables can be put into a secrets or config file and then both docker-compose and Docker Swarm can import them into your gitlab container.

On startup, the gitlab container will source env vars from a config file labeled

gitlab-config

gitlab-secrets

See the example

contrib/docker-swarm/docker-compose.yml

gitlab.configs

gitlab.secrets

gitlab.configs

gitlab.secrets

file: ./gitlab.configs

file: ./gitlab.secrets

gitlab-configs

gitlab-secrets

If you're not using one of these files, then don't include its entry in the docker-compose file.

Maintenance

Creating backups

GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.

Before taking a backup make sure the container is stopped and removed to avoid container name conflicts.

docker stop gitlab && docker rm gitlab

Execute the rake task to create a backup.

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake gitlab:backup:create

A backup will be created in the backups folder of the Data Store. You can change the location of the backups using the

GITLAB_BACKUP_DIR

P.S. Backups can also be generated on a running instance using

docker exec

When using

docker-compose

docker-compose rm -sf gitlab
docker-compose run --rm gitlab app:rake gitlab:backup:create

Afterwards you can bring your Instance back with the following command:

docker-compose up -d

Restoring Backups

GitLab also defines a rake task to restore a backup.

Before performing a restore make sure the container is stopped and removed to avoid container name conflicts.

docker stop gitlab && docker rm gitlab

If this is a fresh database that you're doing the restore on, first you need to prepare the database:

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake db:setup

Execute the rake task to restore a backup. Make sure you run the container in interactive mode

-it

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake gitlab:backup:restore

The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.

To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the

BACKUP

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6

When using

docker-compose

docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups
docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0 # Choose to restore from 1515629493

Host Key Backups (ssh)

SSH keys are not backed up in the normal gitlab backup process. You will need to backup the

ssh/

Automated Backups

The image can be configured to automatically take backups

daily

weekly

monthly

GITLAB_BACKUP_SCHEDULE

Daily backups are created at

GITLAB_BACKUP_TIME

04:00

By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the

GITLAB_BACKUP_EXPIRY

Amazon Web Services (AWS) Remote Backups

The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add

--env 'AWS_BACKUPS=true'

AWS_BACKUP_REGION

AWS_BACKUP_BUCKET

AWS_BACKUP_ACCESS_KEY_ID

AWS_BACKUP_SECRET_ACCESS_KEY

More details about the appropriate IAM user properties can found on doc.gitlab.com

For remote backup to selfhosted s3 compatible storage, use

AWS_BACKUP_ENDPOINT

AWS uploads are performed alongside normal backups, both through the appropriate

app:rake

Google Cloud Storage (GCS) Remote Backups

The image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add

--env 'GCS_BACKUPS=true'

GCS_BACKUP_BUCKET

Interoperable storage access keys

GCS_BACKUP_ACCESS_KEY_ID

GCS_BACKUP_SECRET_ACCESS_KEY

More details about the Cloud storage interoperability properties can found on cloud.google.com/storage

GCS uploads are performed alongside normal backups, both through the appropriate

app:rake

Rake Tasks

The

app:rake

app:rake

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake gitlab:env:info

You can also use

docker exec

docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production

Similarly, to import bare repositories into GitLab project instance

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake gitlab:import:repos

Or

docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production

For a complete list of available rake tasks please refer https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks or the help section of your gitlab installation.

P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.

To use the

app:rake

docker-compose

# For stopped instances
docker-compose run --rm gitlab app:rake gitlab:env:info
docker-compose run --rm gitlab app:rake gitlab:import:repos

For running instances
docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production
docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production

Import Repositories

Copy all the bare git repositories to the

repositories/

gitlab:import:repos

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:14.2.5 app:rake gitlab:import:repos

Watch the logs and your repositories should be available into your new gitlab container.

See Rake Tasks for more information on executing rake tasks. Usage when using

docker-compose

Upgrading

Important Notice

Since GitLab release

8.6.0

PostgreSQL users should enable

pg_trgm

extension on the GitLab database. Refer to GitLab's Postgresql Requirements for more information

If you're using

sameersbn/postgresql

then please upgrade to

sameersbn/postgresql:12-20200524

or later and add

DB_EXTENSION=pg_trgm,btree_gist

to the environment of the PostgreSQL container (see: https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L8).

As of version 13.7.0, the required PostgreSQL is version 12.x. If you're using PostgreSQL image other than the above, please review section Upgrading PostgreSQL.

GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.

To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.

Note

Upgrading to

sameersbn/gitlab:14.2.5

from

sameersbn/gitlab:7.x.x

can cause issues. It is therefore required that you first upgrade to

sameersbn/gitlab:8.0.5-1

before upgrading to

sameersbn/gitlab:8.1.0

or higher.

• Step 1: Update the docker image.

docker pull sameersbn/gitlab:14.2.5

• Step 2: Stop and remove the currently running image

docker stop gitlab
docker rm gitlab

• Step 3: Create a backup

docker run --name gitlab -it --rm [OPTIONS] \
    sameersbn/gitlab:x.x.x app:rake gitlab:backup:create

Replace

x.x.x

6.0.0

x.x.x

6.0.0

• Step 4: Start the image

Note: Since GitLab

8.0.0

you need to provide the

GITLAB_SECRETS_DB_KEY_BASE

parameter while starting the image.

Note: Since GitLab

8.11.0

you need to provide the

GITLAB_SECRETS_SECRET_KEY_BASE

and

GITLAB_SECRETS_OTP_KEY_BASE

parameters while starting the image. These should initially both have the same value as the contents of the

/home/git/data/.secret

file. See Available Configuration Parameters for more information on these parameters.

docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:14.2.5

Shell Access

For debugging and maintenance purposes you may want access the containers shell. If you are using docker version

1.3.0

docker exec

docker exec -it gitlab bash

Monitoring

You can monitor your GitLab instance status as described in the official documentation, for example:

curl 'https://gitlab.example.com/-/liveness'

On success, the endpoint will return a

200

{
   "status": "ok"
}

To do that you will need to set the environment variable

GITLAB_MONITORING_IP_WHITELIST

Health Check

You can also set your

docker-compose.yml

version: '2.3'

services:
  gitlab:
    image: sameersbn/gitlab:14.2.5
    healthcheck:
      test: ["CMD", "/usr/local/sbin/healthcheck"]
      interval: 1m
      timeout: 5s
      retries: 5
      start_period: 2m

Then you will be able to consult the healthcheck log by executing:

docker inspect --format "{{json .State.Health }}" $(docker-compose ps -q gitlab) | jq

References

• https://github.com/gitlabhq/gitlabhq
• https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md
• http://wiki.nginx.org/HttpSslModule
• https://raymii.org/s/tutorials/StrongSSLSecurityOnnginx.html
• https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl
• https://github.com/jpetazzo/nsenter
• https://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/