一、架构选型与规划
1.1 高可用主备架构方案
企业级GitLab高可用部署主要有以下几种主流方案:
方案一:DRBD + Pacemaker + Corosync(主备模式)
该架构为Active/Passive(主/备)模式,只有主节点运行GitLab服务并挂载存储,备节点通过DRBD实时同步数据。当主节点宕机时,Pacemaker自动将VIP和存储切换到备节点。此方案适合中小型企业,硬件成本低,约比单节点增加40%。
方案二:GitLab Geo(地理分布式)
GitLab企业版(EE)原生提供的Geo功能,可实现完整的实例级复制。主站点可读写,辅助站点只读,支持自动故障转移。需要GitLab Premium或Ultimate订阅。
方案三:分层高可用架构(官方参考架构)
将GitLab各组件拆分部署:前端负载均衡(HAProxy/Nginx)+ 多个GitLab应用节点 + PostgreSQL集群(Patroni+etcd)+ Redis Sentinel + 共享存储(NFS/Ceph)。适合大规模企业。
本文推荐方案一(DRBD + Pacemaker) ,性价比高、部署相对简单,适合大多数企业场景。如团队规模超过200人,建议升级到方案三。
1.2 硬件配置建议
| 团队规模 | CPU | 内存 | 存储 | 网络 |
|---|---|---|---|---|
| 5-20人 | 4核 | 8GB | 100GB SSD | 100Mbps |
| 20-100人 | 8核 | 16GB | 500GB NVMe SSD | 1Gbps |
| 100人以上 | 16核+ | 32GB+ | RAID10 SSD阵列 | 多网卡绑定 |
⚠️ 生产环境强烈建议使用SSD存储,GitLab官方建议禁用swap分区。
1.3 服务器规划示例
| 角色 | 主机名 | IP地址 | 配置 |
|---|---|---|---|
| 主节点 | gitlab-primary | 192.168.1.10 | 8核16G + 500GB SSD |
| 备节点 | gitlab-secondary | 192.168.1.11 | 8核16G + 500GB SSD |
| 虚拟IP(VIP) | gitlab.local | 192.168.1.100 | 浮动IP |
二、基础环境准备(两台节点均需执行)
2.1 系统更新与依赖安装
bash
# 更新系统
sudo apt update && sudo apt upgrade -y
# 安装必要依赖
sudo apt install -y \
curl \
openssh-server \
ca-certificates \
tzdata \
perl \
postfix \
wget \
gnupg \
lsb-release \
software-properties-common安装postfix时,如选择"Internet Site",输入你的邮件域名;如暂不需要邮件功能可跳过。
2.2 配置防火墙
bash
sudo ufw allow 22/tcp # SSH访问
sudo ufw allow 80/tcp # HTTP服务
sudo ufw allow 443/tcp # HTTPS服务
sudo ufw allow 9090/tcp # Prometheus监控(可选)
sudo ufw enable2.3 系统优化配置
bash
# 禁用swap(GitLab官方建议)
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
# 配置时区
sudo timedatectl set-timezone Asia/Shanghai
# 优化系统文件句柄限制
echo "fs.file-max = 65536" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p2.4 配置SSH免密登录(主备节点间)
bash
# 在主节点生成SSH密钥
ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
# 将公钥复制到备节点
ssh-copy-id root@192.168.1.11
# 同样在备节点生成并复制到主节点
ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa
ssh-copy-id root@192.168.1.10三、安装GitLab
3.1 添加GitLab官方仓库
使用官方源(国外服务器较快):
bash
curl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash使用国内清华镜像源(推荐国内用户):
bash
# 信任GitLab GPG公钥
curl -fsSL https://packages.gitlab.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg
# 添加源
echo "deb [signed-by=/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg] https://mirrors.tuna.tsinghua.edu.cn/gitlab-ee/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/gitlab-ee.list
sudo apt update💡 如使用社区版(CE),将上述命令中的
gitlab-ee替换为gitlab-ce。企业版(EE)提供更多高可用特性,生产环境建议使用企业版。
3.2 安装GitLab
bash
# 安装企业版(设置外部访问URL)
sudo EXTERNAL_URL="https://gitlab.local" apt-get install -y gitlab-ee如果尚未配置域名和SSL证书,可先使用IP地址:
EXTERNAL_URL="http://192.168.1.10"
3.3 初始配置
bash
# 编辑主配置文件
sudo vim /etc/gitlab/gitlab.rb基础配置项:
ruby
# 外部访问地址
external_url 'https://gitlab.local'
# 时区
gitlab_rails['time_zone'] = 'Asia/Shanghai'
# 数据存储目录(后续将迁移到共享存储)
git_data_dirs({
"default" => {
"path" => "/var/opt/gitlab/git-data"
}
})
# 邮件配置(可选)
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.your-email.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "gitlab@your-email.com"
gitlab_rails['smtp_password'] = "your-password"
gitlab_rails['smtp_domain'] = "your-email.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['gitlab_email_from'] = 'gitlab@your-email.com'3.4 应用配置并启动
bash
sudo gitlab-ctl reconfigure该命令会启动所有必要服务,耗时几分钟。
3.5 验证安装
bash
# 查看服务状态
sudo gitlab-ctl status
# 获取初始root密码
sudo cat /etc/gitlab/initial_root_password四、高可用核心组件配置
4.1 配置共享存储(DRBD)
DRBD实现两台服务器间数据的实时块级同步。
在两台节点上安装DRBD:
bash
sudo apt install -y drbd-utils在主节点创建DRBD配置文件:
bash
sudo vim /etc/drbd.d/gitlab.resconf
resource gitlab {
protocol C;
meta-disk internal;
device /dev/drbd0;
disk /dev/sdb; # 请替换为实际的数据盘设备
net {
cram-hmac-alg sha1;
shared-secret "your-secure-secret-key";
}
on gitlab-primary {
address 192.168.1.10:7789;
}
on gitlab-secondary {
address 192.168.1.11:7789;
}
}初始化DRBD资源(两台节点执行):
bash
# 创建元数据
sudo drbdadm create-md gitlab
# 启动DRBD服务
sudo systemctl enable drbd
sudo systemctl start drbd
# 在主节点提升为Primary
sudo drbdadm primary --force gitlab
# 创建文件系统(仅在主节点执行)
sudo mkfs.ext4 /dev/drbd0
# 挂载存储
sudo mkdir -p /mnt/gitlab-data
sudo mount /dev/drbd0 /mnt/gitlab-data配置自动挂载:
bash
echo '/dev/drbd0 /mnt/gitlab-data ext4 defaults,noatime 0 0' | sudo tee -a /etc/fstab4.2 配置GitLab使用共享存储
修改GitLab数据目录:
bash
sudo vim /etc/gitlab/gitlab.rbruby
# 将数据目录指向共享存储
git_data_dirs({
"default" => {
"path" => "/mnt/gitlab-data/git-data"
}
})
# 仓库存储路径
gitlab_rails['repository_storage_dirs'] = {
"default" => "/mnt/gitlab-data/git-data/repositories"
}
# 上传文件存储
gitlab_rails['uploads_directory'] = "/mnt/gitlab-data/uploads"迁移现有数据到共享存储(如已存在数据):
bash
# 停止GitLab服务
sudo gitlab-ctl stop
# 迁移数据
sudo rsync -av /var/opt/gitlab/ /mnt/gitlab-data/
# 重新配置并启动
sudo gitlab-ctl reconfigure
sudo gitlab-ctl start4.3 配置PostgreSQL高可用(Patroni + etcd)
GitLab官方推荐使用Patroni + etcd实现PostgreSQL自动主备切换。
在两台节点安装etcd和Patroni:
bash
sudo apt install -y etcd patroni patroni-pgq配置etcd集群(两台节点):
bash
sudo vim /etc/default/etcd主节点配置:
conf
ETCD_NAME="etcd1"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.1.10:2380"
ETCD_LISTEN_PEER_URLS="http://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.1.10:2379"
ETCD_INITIAL_CLUSTER="etcd1=http://192.168.1.10:2380,etcd2=http://192.168.1.11:2380"
ETCD_INITIAL_CLUSTER_STATE="new"备节点将IP替换为192.168.1.11,ETCD_NAME改为etcd2。
启动etcd:
bash
sudo systemctl enable etcd
sudo systemctl start etcd配置Patroni:
bash
sudo vim /etc/patroni/patroni.ymlyaml
scope: gitlab
name: gitlab-pg-1 # 主节点为1,备节点为2
restapi:
listen: 0.0.0.0:8008
connect_address: 192.168.1.10:8008 # 备节点改为备节点IP
etcd:
hosts:
- 192.168.1.10:2379
- 192.168.1.11:2379
bootstrap:
dcs:
ttl: 30
loop_wait: 10
retry_timeout: 10
maximum_lag_on_failover: 1048576
postgresql:
use_pg_rewind: true
parameters:
max_connections: 200
shared_buffers: 256MB
wal_level: replica
hot_standby: "on"
max_wal_senders: 10
max_replication_slots: 10
wal_log_hints: "on"
postgresql:
listen: 0.0.0.0:5432
connect_address: 192.168.1.10:5432 # 备节点改为备节点IP
data_dir: /mnt/gitlab-data/postgresql
pgpass: /tmp/pgpass
authentication:
replication:
username: replicator
password: your-replica-password
superuser:
username: postgres
password: your-superuser-password
parameters:
unix_socket_directories: /var/run/postgresql启动Patroni:
bash
sudo systemctl enable patroni
sudo systemctl start patroni配置GitLab使用外部PostgreSQL:
ruby
# /etc/gitlab/gitlab.rb
postgresql['enable'] = false
gitlab_rails['db_host'] = '192.168.1.10' # 或使用VIP
gitlab_rails['db_port'] = 5432
gitlab_rails['db_username'] = 'gitlab'
gitlab_rails['db_password'] = 'gitlab-db-password'
gitlab_rails['db_database'] = 'gitlabhq_production'4.4 配置Redis高可用(Redis Sentinel)
安装Redis(两台节点):
bash
sudo apt install -y redis-server配置Redis主从:
主节点 /etc/redis/redis.conf:
conf
bind 0.0.0.0
port 6379
requirepass your-redis-password
masterauth your-redis-password备节点 /etc/redis/redis.conf:
conf
bind 0.0.0.0
port 6379
requirepass your-redis-password
masterauth your-redis-password
replicaof 192.168.1.10 6379配置Redis Sentinel(两台节点):
bash
sudo vim /etc/redis/sentinel.confconf
bind 0.0.0.0
port 26379
sentinel monitor gitlab-redis 192.168.1.10 6379 2
sentinel auth-pass gitlab-redis your-redis-password
sentinel down-after-milliseconds gitlab-redis 5000
sentinel failover-timeout gitlab-redis 60000启动服务:
bash
sudo systemctl enable redis-server redis-sentinel
sudo systemctl start redis-server redis-sentinel配置GitLab使用Redis Sentinel:
ruby
# /etc/gitlab/gitlab.rb
redis['enable'] = false
gitlab_rails['redis_host'] = '192.168.1.10'
gitlab_rails['redis_port'] = 6379
gitlab_rails['redis_password'] = 'your-redis-password'4.5 配置负载均衡与VIP漂移(Keepalived)
安装Keepalived(两台节点):
bash
sudo apt install -y keepalived主节点配置 /etc/keepalived/keepalived.conf:
conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass your-auth-password
}
virtual_ipaddress {
192.168.1.100/24 dev eth0
}
track_script {
check_gitlab
}
}
vrrp_script check_gitlab {
script "/usr/local/bin/check_gitlab.sh"
interval 5
weight -10
}备节点配置(state改为BACKUP,priority改为90)。
健康检查脚本 /usr/local/bin/check_gitlab.sh:
bash
#!/bin/bash
if curl -s -o /dev/null -w "%{http_code}" http://localhost:80/ | grep -q "200\|302"; then
exit 0
else
exit 1
fibash
sudo chmod +x /usr/local/bin/check_gitlab.sh
sudo systemctl enable keepalived
sudo systemctl start keepalived4.6 配置Nginx负载均衡(可选)
如需在前端增加负载均衡层:
bash
sudo apt install -y nginxnginx
# /etc/nginx/sites-available/gitlab
upstream gitlab_backend {
server 192.168.1.10:80 max_fails=3 fail_timeout=30s;
server 192.168.1.11:80 max_fails=3 fail_timeout=30s backup;
keepalive 32;
}
server {
listen 80;
server_name gitlab.local;
location / {
proxy_pass http://gitlab_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}五、配置SSL证书(HTTPS)
5.1 使用Let's Encrypt免费证书
bash
sudo apt install -y certbot python3-certbot-nginx
# 申请证书(需已配置域名解析)
sudo certbot certonly --nginx -d gitlab.yourdomain.com
# 自动续期
echo "0 3 * * * root /usr/bin/certbot renew --quiet" | sudo tee /etc/cron.d/certbot-renew5.2 配置GitLab使用SSL
ruby
# /etc/gitlab/gitlab.rb
external_url 'https://gitlab.yourdomain.com'
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem"
nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"六、监控与告警配置
6.1 启用GitLab内置监控
ruby
# /etc/gitlab/gitlab.rb
prometheus['enable'] = true
prometheus['listen_address'] = '0.0.0.0:9090'
node_exporter['enable'] = true
node_exporter['listen_address'] = '0.0.0.0:9100'
redis_exporter['enable'] = true
redis_exporter['listen_address'] = '0.0.0.0:9121'
postgres_exporter['enable'] = true
postgres_exporter['listen_address'] = '0.0.0.0:9187'
gitlab_exporter['enable'] = true
gitlab_exporter['listen_address'] = '0.0.0.0:9168'6.2 安装Grafana可视化
bash
sudo apt install -y grafana
sudo systemctl enable grafana-server
sudo systemctl start grafana-server访问 http://gitlab.local:3000,添加Prometheus数据源,导入GitLab官方仪表盘。
6.3 关键告警阈值
建议设置以下告警:
-
PostgreSQL连接数 > 最大值的80%
-
Redis内存使用 > 8GB
-
仓库存储空间 > 90%
-
Sidekiq队列积压 > 1000
-
HTTP 500错误率 > 1%
七、备份策略
7.1 定期备份
bash
# 创建完整备份
sudo gitlab-rake gitlab:backup:create
# 备份配置文件
sudo tar -czf /mnt/gitlab-data/backups/gitlab-config-$(date +%Y%m%d).tar.gz /etc/gitlab/7.2 自动化备份脚本
bash
#!/bin/bash
# /usr/local/bin/gitlab-backup.sh
BACKUP_DIR="/mnt/gitlab-data/backups"
DATE=$(date +%Y%m%d_%H%M%S)
# 创建备份
sudo gitlab-rake gitlab:backup:create
# 备份配置文件
sudo tar -czf ${BACKUP_DIR}/gitlab-config-${DATE}.tar.gz /etc/gitlab/
# 保留最近7天的备份
find ${BACKUP_DIR} -name "*.tar" -mtime +7 -delete
find ${BACKUP_DIR} -name "*.tar.gz" -mtime +7 -deletebash
# 添加到crontab(每天凌晨2点执行)
echo "0 2 * * * /usr/local/bin/gitlab-backup.sh" | sudo tee -a /etc/crontab八、故障转移与恢复
8.1 手动故障转移(主节点故障时)
bash
# 在备节点上
# 1. 提升DRBD为Primary
sudo drbdadm primary gitlab
# 2. 挂载存储
sudo mount /dev/drbd0 /mnt/gitlab-data
# 3. 启动GitLab
sudo gitlab-ctl start
# 4. 提升Keepalived为MASTER(或等待自动切换)
sudo systemctl restart keepalived8.2 自动故障转移
通过Keepalived + DRBD + Pacemaker组合可实现自动故障转移。配置Pacemaker资源管理:
bash
sudo apt install -y pacemaker corosync
# 配置Corosync集群
sudo vim /etc/corosync/corosync.conf
# 添加资源:VIP、DRBD、GitLab服务
sudo pcs resource create gitlab-vip IPaddr2 ip=192.168.1.100
sudo pcs resource create gitlab-drbd drbd ...
sudo pcs resource create gitlab-service systemd:gitlab-runsvdir九、运维管理要点
9.1 日常巡检命令
bash
# 查看GitLab服务状态
sudo gitlab-ctl status
# 查看日志
sudo gitlab-ctl tail
# 查看DRBD同步状态
sudo drbdadm status gitlab
# 查看集群状态
sudo pcs status
# 查看Keepalived状态
sudo systemctl status keepalived9.2 版本升级
bash
# 停止GitLab(生产环境建议在维护窗口进行)
sudo gitlab-ctl stop unicorn
sudo gitlab-ctl stop sidekiq
# 更新包
sudo apt update
sudo apt install --only-upgrade gitlab-ee
# 重新配置
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart9.3 安全加固建议
-
启用2FA双因素认证
-
配置IP白名单限制管理访问
-
禁用默认root账户登录
-
定期更新系统与GitLab版本
-
启用审计日志
十、部署检查清单
| 检查项 | 状态 |
|---|---|
| 两台节点系统环境一致 | ☐ |
| SSH免密登录配置完成 | ☐ |
| DRBD数据同步正常 | ☐ |
| PostgreSQL主从复制正常 | ☐ |
| Redis Sentinel集群正常 | ☐ |
| VIP漂移测试通过 | ☐ |
| SSL证书配置生效 | ☐ |
| 备份脚本测试通过 | ☐ |
| 监控告警配置完成 | ☐ |
| 故障转移演练完成 | ☐ |
以上是完整的Ubuntu系统企业级GitLab高可用主备部署指南。建议在正式上线前,在测试环境完整演练一遍部署流程和故障切换场景。如团队规模超过200人,建议参考GitLab官方参考架构进行分层部署。