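# config refs ==> https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
#
# Credentials are not stored in this file. Each one is read from the shell
# environment (or a .env file beside this compose file) through compose's
# ${VAR:?message} interpolation, so `docker-compose up` aborts with a clear
# message when a value is missing instead of starting GitLab with an empty or
# placeholder password. The values are substituted into single-quoted Ruby
# strings, so a secret containing ' or \ would need Ruby escaping.
#
# The top-level networks:/volumes: sections that declare the macvlan network
# and the config/logs/data named volumes are not part of this excerpt; compose
# refuses to start without them.
version: '3'
services:
  gitlab:
    image: 'gitlab/gitlab-ce:10.4.3-ce.0'
    container_name: gitlab
    restart: always
    hostname: 'gitlab.mritd.me'
    environment:
      # Ruby evaluated by the omnibus reconfigure inside the container; every
      # line must be valid gitlab.rb syntax.
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.mritd.me'
        nginx['redirect_http_to_https'] = true
        # cert/key are read from the 'config' volume mounted at /etc/gitlab
        nginx['ssl_certificate'] = "/etc/gitlab/ssl/mritd.me.cer"
        nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/mritd.me.key"
        # X-Real-IP is only honoured when the connection comes from an address
        # listed in real_ip_trusted_addresses (empty by default); with nothing
        # listed, the two settings below have no effect and any client could
        # otherwise spoof its address in audit logs. List the upstream proxy:
        # nginx['real_ip_trusted_addresses'] = ['<UPSTREAM_PROXY_CIDR>']
        nginx['real_ip_header'] = 'X-Real-IP'
        nginx['real_ip_recursive'] = 'on'
        # LDAP is disabled. If it is enabled, prefer method 'tls' or 'ssl'
        # (port 636): 'plain' sends the bind_dn password and every user's
        # login password to the LDAP server unencrypted.
        #gitlab_rails['ldap_enabled'] = true
        #gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
        #main: # 'main' is the GitLab 'provider ID' of this LDAP server
        #  ## label
        #  #
        #  # A human-friendly name for your LDAP server. It is OK to change the label later,
        #  # for instance if you find out it is too large to fit on the web page.
        #  #
        #  # Example: 'Paris' or 'Acme, Ltd.'
        #  label: 'LDAP'
        #  host: 'mail.mritd.me'
        #  port: 389 # or 636
        #  uid: 'uid'
        #  method: 'plain' # "tls" or "ssl" or "plain"
        #  bind_dn: 'uid=zimbra,cn=admins,cn=zimbra'
        #  password: 'PASSWORD'
        #  # This setting specifies if LDAP server is Active Directory LDAP server.
        #  # For non AD servers it skips the AD specific queries.
        #  # If your LDAP server is not AD, set this to false.
        #  active_directory: true
        #  # If allow_username_or_email_login is enabled, GitLab will ignore everything
        #  # after the first '@' in the LDAP username submitted by the user on login.
        #  #
        #  # Example:
        #  # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        #  # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #  #
        #  # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        #  # disable this setting, because the userPrincipalName contains an '@'.
        #  allow_username_or_email_login: true
        #  # Base where we can search for users
        #  #
        #  # Ex. ou=People,dc=gitlab,dc=example
        #  #
        #  base: ''
        #  # Filter LDAP users
        #  #
        #  # Format: RFC 4515 http://tools.ietf.org/search/rfc4515
        #  # Ex. (employeeType=developer)
        #  #
        #  # Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #  #
        #  user_filter: ''
        #EOS
        gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"
        unicorn['log_directory'] = "/var/log/gitlab/unicorn"
        registry['log_directory'] = "/var/log/gitlab/registry"
        # Below are some of the default settings
        logging['logrotate_frequency'] = "daily" # rotate logs daily
        logging['logrotate_size'] = nil # do not rotate by size by default
        logging['logrotate_rotate'] = 30 # keep 30 rotated logs
        logging['logrotate_compress'] = "compress" # see 'man logrotate'
        logging['logrotate_method'] = "copytruncate" # see 'man logrotate'
        logging['logrotate_postrotate'] = nil # no postrotate command by default
        logging['logrotate_dateformat'] = nil # use date extensions for rotated files rather than numbers, e.g. "-%Y-%m-%d"
        # You can add overrides per service
        nginx['logrotate_frequency'] = nil
        nginx['logrotate_size'] = "200M"
        # You can also disable the built-in logrotate service if you want.
        # NOTE(review): with it disabled the logrotate_* settings above appear
        # to go unused, so confirm the 'logs' volume is rotated by the host.
        logrotate['enable'] = false
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "mail.mritd.me"
        gitlab_rails['smtp_port'] = 25
        gitlab_rails['smtp_user_name'] = "no-reply@mritd.me"
        gitlab_rails['smtp_password'] = '${GITLAB_SMTP_PASSWORD:?GITLAB_SMTP_PASSWORD is not set}'
        gitlab_rails['smtp_domain'] = "mritd.me"
        gitlab_rails['smtp_authentication'] = "login"
        # STARTTLS with peer verification: the mail server's certificate must
        # chain to a CA the container trusts, otherwise delivery fails closed
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        # If your SMTP server does not like the default 'From: gitlab@localhost' you
        # can change the 'From' with this setting.
        gitlab_rails['gitlab_email_from'] = 'gitlab@mritd.me'
        gitlab_rails['gitlab_email_reply_to'] = 'no-reply@mritd.me'
        # Only applied on the very first start; change root's password in the
        # UI afterwards rather than relying on this value.
        gitlab_rails['initial_root_password'] = '${GITLAB_ROOT_PASSWORD:?GITLAB_ROOT_PASSWORD is not set}'
        # Anyone holding this token can register a shared runner, and runners
        # execute arbitrary CI jobs; treat it as a secret and rotate any copy
        # that was ever committed to version control.
        gitlab_rails['initial_shared_runners_registration_token'] = '${GITLAB_RUNNER_REGISTRATION_TOKEN:?GITLAB_RUNNER_REGISTRATION_TOKEN is not set}'
    networks:
      macvlan:
        ipv4_address: 172.16.0.70
    ports:
      # quoted so '22:22' is not read as a sexagesimal integer; host port 22
      # must be free, which usually means the host's own sshd was moved
      - '80:80'
      - '443:443'
      - '22:22'
    volumes:
      - config:/etc/gitlab
      - logs:/var/log/gitlab
      - data:/var/opt/gitlab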
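# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/mritd.me.cer;
ssl_certificate_key /etc/nginx/ssl/mritd.me.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# tickets off: a long-lived ticket key would let a later key compromise
# decrypt recorded sessions, defeating the forward secrecy of the suites below
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# intermediate configuration. tweak to your needs.
#
# Changes from the previous list:
# - TLS 1.0 and 1.1 removed; both are deprecated (RFC 8996) and every client
#   that can reach the AEAD suites below speaks TLS 1.2.
# - The 3DES (DES-CBC3) and non-forward-secret plain RSA/AES-CBC suites are
#   dropped; only ECDHE/DHE AEAD suites remain. Every name below was already
#   in the old list, so nothing new is enabled. Very old clients without AEAD
#   support will no longer connect; re-add suites deliberately if needed.
# - The old value had been line-wrapped with spaces inside cipher names
#   ("EC DHE-RSA-...", "AES2 56-SHA384", ...). OpenSSL treats a space as a
#   separator, so those tokens silently selected a different cipher set than
#   intended; the names are written unbroken here.
# Consider adding an HSTS header (add_header Strict-Transport-Security ...)
# once every host under this name is served over HTTPS; it is sticky in
# browsers, so it is left out rather than enabled here.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;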
在构建时需要注意一点,Drone CI 不同的 task 之间共享源码文件,也就是说如果你在第一个 task 中对源码或者编译后的发布物做了什么更改,在下一个 task 中同样可见,Drone CI 并没有 GitLab CI 在每个 task 中都进行还原的机制
除此之外,某些特殊性的挂载行为默认也是不被允许的,需要在 Drone CI 中对项目做 Trusted 设置
四、与 GitLab CI 对比
写到这里基本接近尾声了,可能常看我博客的人现在想喷我,这篇文章确实有点水…因为我真不推荐用这玩意,未来发展倒是不确定;下面对比一下与 GitLab CI 的区别
先说一下 Drone CI 的优点,Drone CI 更加轻量级,而且也支持 HA 等设置,配置文件使用 docker compose 的方式对于玩容器多的人确实很爽,启动速度等感觉也比 GitLab CI 要快;而且我个人用 GitLab CI Docker build 的方式时也是尽量将不同功能交给不同的镜像,通过切换镜像实现不同的功能;这个思想在 Drone CI 中表现的非常明显
至于 Drone CI 的缺点,目前我最大的吐槽就是文档烂,报错烂;很多时候搞得莫名其妙,比如上来安装讲的那个管理员账户配置,我现在也没明白怎么能关闭注册启动然后添加用户(可能是我笨);还有就是报错问题,感觉就像写代码不打 log 一样,比如 CI Server 在没有 agent 连接时,如果触发了 build 任务,Drone CI 不会报错,只会在任务上显示一个小闹钟,也没有超时…我傻傻地等了 1 小时;其他的比如全局变量、全局加密参数等都需要企业版才能支持,同时一些细节东西也缺失,比如查看当前 Server 连接的 Agent,对 Agent 打标签实现不同 task 分配等等
总结: Drone CI 目前还是个小玩具阶段,与传统 CI 基本没有抗衡之力,文档和功能也缺失比较严重,出问题很难排查