Entries Tagged 'Linux' ↓

How to install gitlab on Ubuntu Server 12.04 (precise) the right way

This weekend I’ve been installing Gitlab on an LXC guest. The host is running Ubuntu 12.04 and so is the guest. I tried to document my steps the best I could so I could share my experiences with it. Sometimes I had to go back a few steps, so maybe some things are garbled, but I believe this is still a good starting point for setting up gitlab on an Ubuntu server.

My main goals were:

  • use as much software from the Ubuntu repositories as possible so I don’t have to worry about security updates et cetera
  • keep the installation as simple as possible so I still understand it when I look at it 6 months from now
  • keep the software (gitolite) in the default Ubuntu location(s)

This tutorial assumes you have good knowledge of Linux (servers), so it doesn’t spell out everything.

The steps found on the Gitlab website are quite accurate so keep them in mind:

  1. login as user, install git & generate ssh key
  2. Install ruby 1.9.2
  3. Install gitolite with umask 0007 and add your user to git group
  4. logout & login again
  5. Clone & setup gitlab (checkout project wiki on github)
  6. Start server. Enjoy!

My global setup

  • Installed Gitolite, Redis and Ruby from the default Ubuntu repositories
  • Installed Nginx (nginx-full) with Ruby/Phusion Passenger support from the Brightbox testing repositories (stable didn’t yet support Ubuntu 12.04 Precise)
  • Gitlab + dependencies are managed by bundler (built from source)
  • Nginx is running as the gitlab user

Step 1: installing Nginx with Phusion Passenger (mod_rails) support on Ubuntu 12.04

add-apt-repository ppa:brightbox/passenger-nginx-testing
apt-get update
apt-get install nginx-full
cat <<EOF > /etc/nginx/conf.d/passenger.conf
passenger_root /usr/lib/phusion-passenger;
EOF

I had some troubles with this version of Nginx from Brightbox because of some missing mime-type config file. That was quickly solved by copying it from another server.

The configuration file of my gitlab virtual host I put in: /etc/nginx/sites-available/gitlab.host.tld.

The contents of that file can be found here.

Step 2: installing dependencies from Ubuntu sources

apt-get install gitolite ruby1.9.3 redis-server ruby-bundler rake

For the gitolite configure screens: just keep hitting enter

Step 3: installing build dependencies for ruby gems needed by gitlab

apt-get install make libxml2-dev g++ libicu-dev ruby1.9.1-dev libmysqlclient-dev libsqlite3-dev

Step 4: setting up your gitlab user: creating it, giving it permissions and generating a ssh key

adduser --disabled-login --disabled-password --force-badname gitlab.host.tld
usermod --append --groups gitolite gitlab.host.tld
su -s /bin/bash gitlab.host.tld
ssh-keygen
exit

Step 5: configuring gitolite with the ssh public key of your gitlab user

(as root)

dpkg-reconfigure gitolite

The question about the public key can be answered with the contents of `/home/gitlab.host.tld/.ssh/id_rsa.pub`

Step 6: loosening the permissions so the gitlab user can reach the gitolite files

Only do this when you know what you’re doing!

chmod g+rw /var/lib/gitolite/repositories --recursive
chmod g+rw /var/lib/gitolite/.gitolite.rc

This works because we added our user gitlab.host.tld to the gitolite group, remember?

Next: edit /var/lib/gitolite/.gitolite.rc and change this line:

$REPO_UMASK = 0077; # gets you 'rwx------'

to:

$REPO_UMASK = 0007; # rwxrwx---

This makes sure newly created files/directories by gitolite are also writable by the gitolite group.
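To see what the two REPO_UMASK values do and to check the result of the chmod, here is an added example (not part of the original post). It assumes GNU stat and find, and the function names are made up for illustration. It prints the modes a directory and file receive under each umask, and provides two audit helpers you can point at /var/lib/gitolite/repositories.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GNU stat and find.

# Print "<dir mode> <file mode>" for a directory and file created under umask $1.
modes_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$tmp/repo.git"
        : > "$tmp/repo.git/HEAD"
    )
    echo "$(stat -c %a "$tmp/repo.git") $(stat -c %a "$tmp/repo.git/HEAD")"
    rm -rf "$tmp"
}

# Count entries under $1 that grant any permission bit to "other".
# After step 6 this should stay at 0: only owner and group get access.
count_world_accessible() {
    find "$1" -perm /007 | wc -l | tr -d ' '
}

# Count entries under $1 that the group cannot both read and write,
# i.e. what "chmod g+rw --recursive" is meant to eliminate.
count_missing_group_rw() {
    find "$1" ! -perm -060 | wc -l | tr -d ' '
}

echo "REPO_UMASK 0077 -> $(modes_under_umask 0077)"
echo "REPO_UMASK 0007 -> $(modes_under_umask 0007)"
```

Run the two count functions as root against the gitolite repository directory after step 6; a non-zero result from count_world_accessible means the tree is open to more than the gitolite group.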

Step 7: installing gitlab itself

If everything worked out the system is ready and gitlab itself can be installed:

su -s /bin/bash gitlab.host.tld
cd ~/public_html
git clone git://github.com/gitlabhq/gitlabhq.git .

Step 8: Install the gitlab dependencies

This one is tricky. Maybe I forgot to list some build dependencies or maybe they added some extra dependencies since I wrote this. If this doesn’t succeed: read the logs (especially mkmf.log).

bundle install --deployment

Step 9: configure gitlab

cp config/database.yml.example config/database.yml
cp config/gitlab.yml.example config/gitlab.yml

Here is my gitlab.yml

It has admin_uri defined twice because of bug #1052
If you don’t define it twice (in git_host and git), the rake task `gitlab:app:status` will always fail when you run gitolite under the user `gitolite`.

You can find out the contents of your own database.yml :)

Step 10: installing the database and compiling the assets

bundle exec rake db:setup RAILS_ENV=production
bundle exec rake db:seed_fu RAILS_ENV=production
rake assets:precompile

Step 11: check if your gitlab user has access to gitolite

RAILS_ENV=production rake gitlab:app:status

Remember bug #1052!

Step 12: starting resque workers

Start at least one resque worker:

./resque.sh

And maybe another one:

./resque.sh

The resque workers are background workers that do `stuff` in the background. I believe for example the adding of ssh keys to gitolite and the parsing of a commit and putting that in the database.

At first I forgot to start the resque workers and my keys weren’t properly added to gitolite. The solution to that was in my case:

RAILS_ENV=production rake gitlab:gitolite:update_hooks
RAILS_ENV=production rake gitlab:gitolite:update_keys
RAILS_ENV=production rake gitlab:gitolite:update_repos

Step 13: restart nginx & surf to http://gitlab.host.tld

The title says it all :)

Finally

I copied all the commands from the server’s bash history. The order of the commands I wrote down off the top of my head, so there could be some mistakes there. If you spot something wrong or missing: just contact me or leave a comment.

Some excellent resources:

Fixing the “IPv6 addrconf: prefix with wrong length 48” on Ubuntu (server)

touch /etc/sysctl.d/60-ipv6.conf

echo "net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
" > /etc/sysctl.d/60-ipv6.conf

This will fix it after a reboot. If you want to change it immediately:

echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra

Combining 4 images and aligning them next to each other

The workflow: make two new images out of 4, combining 2×2 to make HDRs, then align them.

sudo apt-get install hugin-tools enfuse
enfuse DSC_166* -o 1.jpg
enfuse DSC_167* -o 2.jpg
align_image_stack -a test.jpg 1.jpg 2.jpg

Then I put them next to each other in GIMP :p

 

The continuing story of Zend Studio 5.5.1 (part 2)

Every time I install a new version of Ubuntu / Linux I’m hoping Zend Studio (the old/good one) will still be working. This time with Ubuntu 12.04 I again had to do this, but it didn’t take longer than a couple of minutes.

First I had to install the java executable (otherwise I got a “java: not found” error message). Because the Sun JRE isn’t available anymore for Ubuntu (12.04) I installed the default one (icedtea I believe). To my amazement that worked perfectly!

Then I had to install some (i386) libs and it worked! libxcursor is needed or else you’ll get a really ugly cursor in Zend Studio 5.

sudo apt-get install default-jre
sudo apt-get install libc6-i386 libxp6:i386 libxtst6:i386 libxcursor1:i386
ln -s /lib32/libc.so.6 /lib/libc.so.6

msmtp and the aliases file (/etc/aliases)

Since version 1.4.25 msmtp has support for an aliases file. I edited my ~/.msmtprc and added:

aliases ~/.aliases

~/.aliases:

root:           myemail@mydomain.tld

Only ~/.aliases didn’t get expanded to the full path:

http://sourceforge.net/mailarchive/forum.php?thread_name=1330871670.3229.1.camel%40polly&forum_name=msmtp-users

Other than that, it worked perfectly! Now I can send e-mails to root and have them delivered to my personal e-mail address.

Removing the password from an (open) ssl key

openssl rsa -in www_silverpower_nl.key -out www_silverpower_nl.key.unencrypted

Securing chromium-browser with apparmor on Ubuntu 11.10

I wanted to make chromium (chrome) more secure. Just to be safe. I found out that the package apparmor-profiles on Ubuntu contained an apparmor profile for chromium-browser. I installed it and tried to enforce it without using the aa-enforce binary (which required the apparmor-utils package) but I couldn’t get that to work. So I installed apparmor-utils anyway.

sudo apt-get install apparmor-profiles apparmor-utils
sudo aa-enforce /usr/bin/chromium-browser /usr/lib/chromium-browser/chromium-browser

When all is done, quit the chromium browser and restart it. Then, when you run aa-status it should list chromium-browser as ‘enforced’.

I tried to do the same thing for /usr/sbin/dovecot but that didn’t quite work. Dovecot threw errors like:

init: dovecot main process (8738) terminated with status 84

I tried fixing it but I didn’t get it to work so I gave up.

Nginx + sabnzbd + sickbeard + couchpotato + spotweb on my pandaboard

I got Apache (mpm-itk), sickbeard, sabnzbd, couchpotato and spotweb running on my pandaboard. But Apache really used up a lot of resources. So I decided to replace it with nginx. Nginx would be a reverse proxy and communicate via fastcgi with php.

This post describes how to set up Nginx. Not how to install sabnzbd, sickbeard, couchpotato or spotweb on your machine. I assume you know how to do that.

Step 1: install nginx

leon@panda:~$ sudo apt-get install nginx-light

Step 2: proxy stuff

Add all the important proxy stuff in one file so it can be included later on.

leon@panda:~$ cat /etc/nginx/conf.d/proxy.conf

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

allow 192.168.1.0/24;
deny all;

Step 3: set up all the locations

Set up all the locations (subdirectories on your http server) for sabnzbdplus, sickbeard, couchpotato and spotweb.

The important part from /etc/nginx/sites-enabled/default:

server {

location /sabnzbd {
include /etc/nginx/conf.d/proxy.conf;

proxy_pass http://localhost:9090;
}

location /sickbeard {
include /etc/nginx/conf.d/proxy.conf;

proxy_pass http://localhost:8081;
}

location /couchpotato {
include /etc/nginx/conf.d/proxy.conf;

proxy_pass http://localhost:5000/;
rewrite ^/couchpotato/?$ /couchpotato/movie/ permanent;
}

location /spotweb {
alias /home/leon/src/spotweb/spotweb.git; #not root directive

location ~* \.php$ {
fastcgi_pass localhost:9001; #defined in /etc/php5/fpm/pool.d/leon.conf
include fastcgi_params;
fastcgi_index index.php;
}
}

}

Sorry about the indentation… Anyone recommend a good code plugin for wordpress?
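In the excerpt above, the allow/deny pair lives in proxy.conf, so only locations that include that file pick it up; a location without the include is reachable from any address unless a rule exists elsewhere in the server block. The following added example (not part of the original post) lists top-level locations that carry no access rule of their own. The function names and the sample config are constructed for illustration, and the parser assumes one directive per line with braces placed as in the excerpt.

```shell
#!/bin/sh
# Added example (not from the original post): list top-level nginx locations
# without an access rule. Assumptions: "location ... {" opens on its own line,
# "}" closes on its own line, and including proxy.conf counts as guarded
# because that file holds the allow/deny pair.

unrestricted_locations() {
    awk '
        /^[ \t]*location[ \t]/ {
            depth++
            if (depth == 1) {
                name = ($2 ~ /^[~=^]/) ? $2 " " $3 : $2
                guarded = 0
            }
            next
        }
        depth == 1 && /^[ \t]*include[ \t].*\/proxy\.conf;/ { guarded = 1 }
        depth == 1 && /^[ \t]*(allow|deny)[ \t]/            { guarded = 1 }
        depth >= 1 && /^[ \t]*}/ {
            if (depth == 1 && !guarded) print name
            depth--
        }
    ' "$1"
}

# Constructed sample mirroring the structure of the excerpt above.
sample_conf() {
    cat <<'EOF'
server {
location /sabnzbd {
include /etc/nginx/conf.d/proxy.conf;
proxy_pass http://localhost:9090;
}
location /spotweb {
alias /home/leon/src/spotweb/spotweb.git;
location ~* \.php$ {
fastcgi_pass localhost:9001;
include fastcgi_params;
}
}
}
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
unrestricted_locations "$conf"
rm -f "$conf"
```

Point unrestricted_locations at /etc/nginx/sites-enabled/default to run the same check on a real file; rules set at server or http level are outside what this parser sees.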

Step 4: setup php

Now we’re going to set up php for nginx with php5-fpm. This is a new module and isn’t available on older versions of ubuntu. I think it’s only available from ubuntu 10.10 and onwards.

leon@panda:~$ sudo apt-get install php5-fpm

Then edit /etc/php5/fpm/pool.d/leon.conf (in my case). I created another pool for my user (‘leon’) because I don’t want it to run under the user www-data or similar.

cat /etc/php5/fpm/pool.d/leon.conf


; Start a new pool named 'leon'.
[leon]
listen = 127.0.0.1:9001
user = leon
group = leon

pm = dynamic
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 4
pm.max_children = 4

Step 5: Restart everything and admire your work

leon@panda:~$ sudo service nginx restart
leon@panda:~$ sudo service php5-fpm restart

Footnotes:
I also tried to get it working with chroot = /home/leon in /etc/php5/fpm/pool.d/leon.conf but I couldn’t get spotweb working with mysql on port 3306. When chrooted you can’t access /var/run/mysqld/mysqld.sock. I’ll have to investigate that a bit more.

Also, you could remove /etc/php5/fpm/pool.d/www.conf if you don’t use it (like in my case):

cd /etc/php5/fpm/pool.d/
sudo mv www.conf www.conf.disabled
sudo service php5-fpm restart

Access a pandaboard with a ‘screen’ serial console

Easy as:

/usr/bin/screen /dev/ttyUSB0 115200

Ubuntu 11.10 on my laptop and ufw

I decided on enabling ufw (uncomplicated firewall) on my laptop (you can’t be secure enough). Too bad it isn’t enabled by default on Ubuntu. So I had to do this:

sudo ufw enable
sudo ufw default deny
sudo ufw deny "Dovecot POP3"
sudo ufw deny "Dovecot IMAP"
sudo ufw deny "Dovecot Secure IMAP"
sudo ufw deny "Dovecot Secure POP3"
sudo ufw status verbose