
Installing GitLab 5.1 on Sakura VPS


As of 2013/06/05

This has been covered plenty of times elsewhere, but I could not find one write-up that starts right after a Sakura VPS is first booted, so this is my memo.
I tried to pay some attention to security, but it may still be lax, so please fill in the gaps yourselves.
For how to use the vi editor, git itself and so on, see other reference sites.
(When I checked again while writing this, 5.2 had already been released! Good grief!)

Goals

  • Install GitLab
  • Serve it over https through Apache
  • Use e-mail for notifications, but do not run a full mail server
  • Pay a little attention to security
  • Backups are for another time

Environment

Plan Sakura VPS 1G
Server OS CentOS 6.4
Client OS X Terminal

Settings memo

Hostname www00000.sakura.ne.jp
Username testuser
Notification e-mail address testuser@gmail.com
DB username gitlab
DB password gitlab (a placeholder; use a strong password on a real server)
  • Login by SSH key only
  • Root privileges via "su -" or "sudo" after logging in as the added user
  • The key pair was generated in advance with PuTTY

Reference URLs

Connecting

ssh root@www00000.sakura.ne.jp

Account setup

Add an operator account, set its password, and add it to wheel (-a appends to the user's supplementary groups instead of replacing them)

useradd testuser
passwd testuser
usermod -aG wheel testuser

Grant the wheel group sudo rights

visudo
## Allows people in group wheel to run all commands
- # %wheel  ALL=(ALL)       ALL
+ %wheel  ALL=(ALL)       ALL

Key setup

mkdir /home/testuser/.ssh
vi /home/testuser/.ssh/authorized_keys
#paste the public key generated with PuTTY
+ ssh-rsa AAAA~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~== rsa-key

Key permissions (sshd ignores the key file unless the directory and file are owned by the user and not writable by others)

chown testuser:testuser /home/testuser/.ssh/
chown testuser:testuser /home/testuser/.ssh/authorized_keys
chmod 700 /home/testuser/.ssh/
chmod 600 /home/testuser/.ssh/authorized_keys

sshd settings

vi /etc/ssh/sshd_config
#forbid root login
- PermitRootLogin yes
+ PermitRootLogin no

#allow public-key login
- #PubkeyAuthentication yes
+ PubkeyAuthentication yes

#forbid password login
- #PasswordAuthentication yes
+ PasswordAuthentication no
Before restarting, confirm from a second terminal that a key login as testuser works and that su/sudo works from it; once password login and root login are both off, a wrong key means a lock-out.
/etc/init.d/sshd restart
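As an added example (mine, not the article's), here is a small POSIX shell helper that applies the three sshd_config changes above idempotently and verifies them on a file before you restart sshd. The function names and the sample config are assumptions of the example; it relies only on GNU sed (for -i), grep and awk as shipped with CentOS 6.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sshd_config
# hardening above idempotently and verify it on a file before restarting.
# Assumes GNU sed (for -i), grep and awk as shipped on CentOS 6.
# Function names and the sample config are mine, not from the article.

# set_sshd_option FILE KEY VALUE
# sshd takes the first occurrence of a keyword, so every existing
# "KEY ..." or "#KEY ..." line is rewritten to the wanted value; if the
# keyword is absent the line is appended. Running it twice changes nothing.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i "s|^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: the value sshd would use (first uncommented line).
get_sshd_option() {
    grep "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print $2 }'
}

# harden_sshd FILE: the three changes made in the article.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
}

# check_sshd FILE: 0 only if all three options are in their hardened state.
check_sshd() {
    [ "$(get_sshd_option "$1" PermitRootLogin)" = no ] &&
    [ "$(get_sshd_option "$1" PubkeyAuthentication)" = yes ] &&
    [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ]
}

# sample_sshd_config: constructed stand-in for the CentOS 6.4 default file.
sample_sshd_config() {
    cat <<'EOF'
#PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
}

# Usage on the real host, as root, only after a key login as testuser has
# been confirmed from a second terminal (otherwise you lock yourself out):
#   harden_sshd /etc/ssh/sshd_config && check_sshd /etc/ssh/sshd_config \
#     && sshd -t && /etc/init.d/sshd restart
```

`sshd -t` is the daemon's own syntax check; running it between the edit and the restart catches a typo before the running sshd is replaced by one that refuses to start.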

Install logwatch (log monitoring tool)

A tool that collects logs such as connection records and mails them to you as a summary.
Honestly it is a bit annoying because it arrives daily, but it doubles as a liveness check and is good security-wise, so I install it.

yum -y install logwatch
vi /etc/logwatch/conf/logwatch.conf
+ MailTo = testuser@gmail.com

Add the external repository (EPEL)

The signing key is fetched over plain http, so the download itself is not authenticated; compare the imported key's fingerprint with the one Fedora publishes before trusting packages signed with it.

sudo rpm --import http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL
sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install denyhosts (tool against unauthorized access attempts)

A tool that detects repeated failed ssh logins and automatically blocks the source address.
Once a server is public a fair number of attacks come in, so I install it as a countermeasure.

yum -y install denyhosts
/etc/init.d/denyhosts start
chkconfig denyhosts on
vi /var/lib/denyhosts/allowed-hosts
#if you have a static IP, whitelist it here so you cannot block yourself
+ 100.100.100.100

iptables (firewall) settings

Open only the ports that are needed.

22 ssh
25 smtp
80 http
443 https
9418 git (the git:// daemon port is 9418, not 9412; GitLab here serves git over ssh and https, so this rule only matters if you also run git-daemon)

Do not add a catch-all such as `-A INPUT -i eth+ -j ACCEPT`: it matches every packet arriving on the public interface, so the port rules and the final REJECT below it are never reached and the host is effectively unfirewalled. Rules are evaluated in order, which is why the REJECT lines come last.

vi /etc/sysconfig/iptables
+ *filter
+ :INPUT ACCEPT [0:0]
+ :FORWARD ACCEPT [0:0]
+ :OUTPUT ACCEPT [0:0]
+ -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ -A INPUT -p icmp -j ACCEPT
+ -A INPUT -i lo -j ACCEPT
+ -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+ -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
+ -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+ -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+ -A INPUT -m state --state NEW -m tcp -p tcp --dport 9418 -j ACCEPT
+ -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ -A FORWARD -p icmp -j ACCEPT
+ -A FORWARD -i lo -j ACCEPT
+ -A INPUT -j REJECT --reject-with icmp-host-prohibited
+ -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+ COMMIT
/etc/rc.d/init.d/iptables restart
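Because a single catch-all rule turns every rule after it into dead code, it is worth auditing the ruleset file before `iptables restart`. The shell functions below are an added example, not part of the original article: they read an iptables-save style file, flag any INPUT ACCEPT that is not limited to established connections, loopback, ICMP, a source address or a port, confirm the chain ends in a REJECT/DROP, and list the ports that are actually opened. Function names and both sample rulesets are mine.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an iptables-save
# style ruleset (the format of /etc/sysconfig/iptables) before loading it.
# Two things are checked in the INPUT chain: an ACCEPT that is not limited
# to established connections, loopback, ICMP, a source address or a port
# (such a rule matches everything, so the port rules and the final REJECT
# after it never see a packet), and the absence of a closing REJECT/DROP.
# Function names and the two sample rulesets are mine.

# audit_input_chain FILE: print each problem found, return 1 if any.
audit_input_chain() {
    status=0
    default_deny=0
    while IFS= read -r rule; do
        case $rule in
            "-A INPUT "*"-j ACCEPT"*)
                case $rule in
                    *"--state ESTABLISHED,RELATED"*|*"-i lo"*|*"-p icmp"*|*"-s "*|*"--dport "*)
                        ;;
                    *)
                        echo "unscoped ACCEPT: $rule"
                        status=1 ;;
                esac ;;
            "-A INPUT "*"-j REJECT"*|"-A INPUT "*"-j DROP"*)
                default_deny=1 ;;
        esac
    done < "$1"
    if [ "$default_deny" -eq 0 ]; then
        echo "INPUT chain has no final REJECT/DROP"
        status=1
    fi
    return "$status"
}

# input_open_ports FILE: ports the INPUT chain accepts new connections on,
# one per line, for comparison with the list you intended to open.
input_open_ports() {
    grep -e '^-A INPUT .*--dport ' "$1" | sed 's/.*--dport \([0-9]*\).*/\1/'
}

# Constructed sample: the article's rules with a stray "-i eth+" accept.
sample_rules_open() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample: the intended ruleset for ssh, smtp, http, https, git.
sample_rules_fixed() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9418 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage on the host, before loading the file:
#   audit_input_chain /etc/sysconfig/iptables && input_open_ports /etc/sysconfig/iptables
```

The audit is deliberately conservative: it reads the file, not the live tables, so a rule inserted by hand with `iptables -I` is not seen; run it again on the output of `iptables-save` if you want to check what is actually loaded.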

Install the packages that look necessary in one go

Some of these may go unused; I have not audited the list.

yum install vim-enhanced httpd readline readline-devel ncurses-devel gdbm-devel glibc-devel tcl-devel openssl-devel curl-devel expat-devel db4-devel byacc sqlite-devel gcc-c++ libyaml libyaml-devel libffi libffi-devel libxml2 libxml2-devel libxslt libxslt-devel libicu libicu-devel python-devel redis sudo mysql-server wget mysql-devel crontabs logwatch logrotate perl-Time-HiRes zlib zlib-devel pcre-devel git memcached-devel valgrind-devel ImageMagick-devel ImageMagick make bzip2 autoconf automake libtool bison iconv-devel patch

Adding checkinstall

Addendum 2013/06/09
As pointed out in the comments, this step is unnecessary and has been dropped; the commands below are kept only for reference.

# cd /usr/local/src
# git clone https://github.com/ngyuki/checkinstall.git
# cd checkinstall/
# make
# make install
# mkdir -p ~/rpmbuild/SOURCES
# checkinstall --pkgversion=1.6.3
# rpm -ivh ~/rpmbuild/RPMS/x86_64/checkinstall-1.6.3-1.x86_64.rpm
# yum install --enablerepo=epel make gcc zlib-devel openssl-devel readline-devel ncurses-devel gdbm-devel db4-devel libffi-devel tk-devel libyaml-devel

Install Ruby and related gems

The installer line below pipes a script fetched from GitHub straight into bash as root; download it and read it first rather than executing it blind.

bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
source /etc/profile.d/rvm.sh
rvm install ruby 1.9.3

gem install bundler --no-rdoc --no-ri
gem install charlock_holmes --version '0.6.9' --no-rdoc --no-ri
gem install sanitize -v '2.0.3'
gem install jquery-rails -v '2.1.3'

MySQL setup (the server package was installed above; the user and password below are the placeholders from the settings memo)

chkconfig mysqld on
service mysqld start
mysql_secure_installation
mysql -u root -p mysql
CREATE USER gitlab@localhost IDENTIFIED BY 'gitlab';
CREATE DATABASE gitlab_production;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON gitlab_production.* TO gitlab@localhost;

Start redis

chkconfig redis on
service redis start

Add the git user

adduser --system --shell /bin/bash --comment 'GitLab' --create-home --home-dir /home/git git
su - git

mkdir .ssh
touch .ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

Git identity for the git user

Still as the git user (these write ~git/.gitconfig; run as root they would end up in root's config instead):

git config --global user.name  "GitLab"
git config --global user.email "gitlab@example.com"

exit

Install gitlab-shell

su - git

git clone https://github.com/gitlabhq/gitlab-shell.git
cd gitlab-shell
git checkout -b v1.4.0 v1.4.0

cp config.yml.example config.yml
sed -i 's|http://localhost/|http://localhost:9292/|' config.yml
diff -u config.yml.example config.yml

./bin/install

exit

Install GitLab

su - git

git clone https://github.com/gitlabhq/gitlabhq.git gitlab
cd gitlab
git checkout 5-1-stable

cp config/gitlab.yml.example config/gitlab.yml
vi config/gitlab.yml
diff -u config/gitlab.yml.example config/gitlab.yml
gitlab.yml
- host: localhost
- port: 80
- https: false
+ host: www00000.sakura.ne.jp
+ port: 443
+ https: true

- email_from: gitlab@localhost
+ email_from: admin@www00000.sakura.ne.jp

- support_email: support@localhost
+ support_email: admin@www00000.sakura.ne.jp
chown -R git log/
chown -R git tmp/
chmod -R u+rwX log/
chmod -R u+rwX tmp/
cp config/puma.rb.example config/puma.rb
vi config/puma.rb
puma.rb
- bind "unix://#{application_path}/tmp/sockets/gitlab.socket"
+ bind "tcp://127.0.0.1:9292"
Apache proxies to localhost:9292, so bind Puma to loopback explicitly: if the bind line is merely commented out, Puma falls back to its default of tcp://0.0.0.0:9292, which is reachable from outside whenever the firewall lets it through.
cp config/database.yml.mysql config/database.yml
vi config/database.yml
database.yml
- username: root
- password: "secure password"
+ username: gitlab
+ password: gitlab
cd ~
mkdir gitlab-satellites

cd gitlab
bundle install --deployment --without development test postgres
bundle exec rake gitlab:setup RAILS_ENV=production
#gitlab:setup seeds an admin account with a well-known default password (printed at the end); change it at first login

exit

Install and run the GitLab init script

curl --output /etc/init.d/gitlab https://raw.github.com/gitlabhq/gitlab-recipes/5-1-stable/init.d/gitlab
chmod +x /etc/init.d/gitlab
chkconfig --add gitlab

service gitlab start

SSL setup

The certificate produced by the Makefile is self-signed (valid for 3650 days after the sed below), so browsers and git over https will warn until you replace it with a CA-issued one.

yum -y install mod_ssl
cd /etc/pki/tls/certs/
sed -i 's/365/3650/g' Makefile
make server.crt

vi /etc/httpd/conf.d/ssl.conf
+ SSLCertificateFile /etc/pki/tls/certs/server.crt
+ SSLCertificateKeyFile /etc/pki/tls/certs/server.key

+ ServerName www00000.sakura.ne.jp
+ ProxyRequests Off
+ <Proxy *>
+     Order deny,allow
+     Allow from all
+ </Proxy>
+ ProxyPreserveHost On
+ ProxyPass / http://localhost:9292/
+ ProxyPassReverse / http://localhost:9292/

Apache virtual host settings (redirect plain http to https)

vi /etc/httpd/conf.d/gitlab.conf
+ <VirtualHost *:80>
+     Redirect / https://www00000.sakura.ne.jp/
+ </VirtualHost>
/etc/init.d/httpd restart

postfix settings

Notification mail only needs to be sent, not received, so Postfix does not really have to listen on all interfaces: with inet_interfaces set to localhost instead of all, port 25 could stay closed in iptables. If you keep the settings below, the mynetworks and smtpd_recipient_restrictions lines are what stop the box from being an open relay, so do not loosen them.

vi /etc/postfix/main.cf
+ myhostname = www00000.sakura.ne.jp
+ mydomain = www00000.sakura.ne.jp
+ myorigin = $mydomain
+ inet_interfaces = all
+ mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+ mynetworks = 127.0.0.0/8
+ home_mailbox = Maildir/
+ smtpd_banner = $myhostname ESMTP unknown
+ smtpd_sasl_auth_enable = yes
+ smtpd_sasl_local_domain = $myhostname
+ smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
mkdir -p ~/Maildir/{new,cur,tmp}
mkdir -p /etc/skel/Maildir/{new,cur,tmp}

service saslauthd start
chkconfig saslauthd on

service postfix start
chkconfig postfix on

Verification

***

As for 5.2, the required environment has not changed, so swapping the 5.1 that appears in various places for 5.2 should just work!?
