环境
CentOS 7,主机 IP 192.168.1.55
防火墙检查
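# Check the firewall state, then disable and stop it.
# (The original put all three commands on one line; one per line so the
# steps can be pasted or run as a script.)
# NOTE(review): with firewalld off, every port published by the compose file
# below (389, 636, 8081, 6443, 29418) is reachable from any host that can
# route to 192.168.1.55 — restrict access at the network level if this host
# is not on an isolated lab network.
systemctl status firewalld
systemctl disable firewalld
systemctl stop firewalld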
开启路由转发
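# Enable IPv4 forwarding persistently (Docker's default bridge networking
# relies on it). The original one-liner edited /etc/sysctl.conf in vim and
# then ran sysctl -p, but everything after its first '#' was a comment, so
# sysctl -p never ran. Append the setting only if it is not already present,
# which also makes the step repeatable.
grep -q '^net.ipv4.ip_forward=1$' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.conf
# Reload sysctl so the setting takes effect immediately.
sysctl -p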
检查是否安装docker
# Install the helper packages; yum-utils provides yum-config-manager, which is
# used below to add the repository.
yum install -y yum-utils device-mapper-persistent-data lvm2
# Add the upstream Docker CE repository (fetched over HTTPS). The repo file it
# installs should have gpgcheck enabled — keep it on so packages are
# signature-checked at install time.
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# List every available docker-ce build, newest first.
yum list docker-ce --showduplicates | sort -r
# Install Docker
# Install the latest docker-ce (to pin a build from the list above use the
# docker-ce-<VERSION> package name instead, so re-installs are reproducible).
yum install -y docker-ce docker-ce-cli containerd.io
# Enable the service at boot and start it now.
systemctl enable docker
systemctl start docker
创建数据存放目录
mkdir /data/system_data/openldap
mkdir /data/system_data/gerrit
chown -R nobody.nobody /data/system_data
chmod -R 777 /data/system_data
#注意:以上步骤需要在执行完docker-compose up之后在执行一次
编写 docker-compose 文件
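# docker-compose file for Gerrit + OpenLDAP + phpLDAPadmin.
# (Indentation restored; the page had every line flush left, which is not
# valid YAML.)
version: '2'
services:
  gerrit:
    image: gerritcodereview/gerrit
    ports:
      - "29418:29418"   # git over SSH, published on all host interfaces
      - "8081:8080"     # web UI, plain HTTP
    volumes:
      - /data/system_data/gerrit/etc:/var/gerrit/etc
      - /data/system_data/gerrit/git:/var/gerrit/git
      - /data/system_data/gerrit/db:/var/gerrit/db
      - /data/system_data/gerrit/index:/var/gerrit/index
      - /data/system_data/gerrit/cache:/var/gerrit/cache
    environment:
      # Plain http: with auth.gitBasicAuth enabled in gerrit.config, LDAP
      # credentials reach this URL in clear text. Terminate TLS in front of
      # Gerrit (reverse proxy) before exposing it beyond a lab network.
      - CANONICAL_WEB_URL=http://192.168.1.55:8081
  openldap:
    image: osixia/openldap:latest   # unpinned tag: redeploys are not reproducible
    container_name: openldap
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "byheart"
      LDAP_DOMAIN: "byheart.com"
      LDAP_BASE_DN: "dc=byheart,dc=com"
      # Placeholder values. Supply the real passwords via env_file or the
      # shell environment instead of committing them with this file.
      LDAP_ADMIN_PASSWORD: "xxxxxxxx"
      LDAP_CONFIG_PASSWORD: "config"
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "true"
      LDAP_TLS_CRT_FILENAME: "ldap.crt"
      LDAP_TLS_KEY_FILENAME: "ldap.key"
      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
      # TLS is offered but not enforced: clear-text binds on 389 remain
      # possible (Gerrit uses one over the compose network, ldap://openldap).
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_PROTOCOL_MIN: "3.1"
      # "demand" requires a client certificate on TLS connections; ldaps://
      # or StartTLS clients without one will be rejected.
      LDAP_TLS_VERIFY_CLIENT: "demand"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    volumes:
      - /data/system_data/openldap/var/lib/ldap:/var/lib/ldap
      - /data/system_data/openldap/etc/ldap/slapd.d:/etc/ldap/slapd.d
      - /data/system_data/openldap/container/service/slapd/assets/certs:/container/service/slapd/assets/certs
    ports:
      - "389:389"   # clear-text LDAP, published on all host interfaces
      - "636:636"   # LDAPS
    domainname: "byheart.com" # important: same as hostname
    hostname: "byheart.com"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      # HTTPS disabled: the cn=admin login is sent in clear text to port 6443.
      # Keep this port reachable only from trusted hosts.
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "6443:80"
    depends_on:
      - openldap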
执行docker-compose up
第一次执行不建议加上 -d,这样会在控制台实时输出日志,出现错误可以及时看到。比如 gerrit 会因为权限问题报错,此时需要执行以下步骤:
mkdir /data/system_data/gerrit/etc/mail
chown -R nobody.nobody /data/system_data
chmod -R 777 /data/system_data
gerrit配置
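# etc/gerrit.config (git-config syntax; '#' starts a comment).
[gerrit]
	basePath = git
	canonicalWebUrl = http://192.168.1.55:8081
	serverId = b5136284-cae0-4f61-8b21-798dce18e85a
[index]
	type = LUCENE
[auth]
	type = ldap
	# Basic auth against the plain-http canonicalWebUrl above sends LDAP
	# credentials in clear text; put TLS in front of Gerrit before exposing
	# it beyond a lab network.
	gitBasicAuth = true
[ldap]
	server = ldap://openldap
	username = cn=admin,dc=byheart,dc=com
	# Placeholder. Gerrit also reads ldap.password from secure.config; keep
	# the real bind password there (mode 0600) rather than in this file,
	# which is world-readable after the `chmod -R 777` in the setup steps.
	password = xxxxxx
	accountBase = dc=byheart,dc=com
	groupBase = ou=Depts,dc=byheart,dc=com
	accountPattern = (&(objectClass=person)(uid=${username}))
	accountFullName = displayName
	# Accounts without a `mail` attribute have no e-mail address in Gerrit
	# (see the NullPointerException noted later on this page).
	accountEmailAddress = mail
[sendemail]
	smtpServer = localhost
[sshd]
	listenAddress = *:29418
[httpd]
	listenUrl = http://*:8080/
[cache]
	directory = cache
[container]
	# NOTE(review): the daemon runs as root inside the container; prefer an
	# unprivileged user once the volume ownership allows it.
	user = root
	javaOptions = "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
	javaOptions = "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
	javaHome = /usr/lib/jvm/java-11-openjdk-11.0.9.11-2.el8_3.x86_64
	# The original file carried the following three entries three times over
	# (javaOptions is multi-valued, so the duplicates were harmless but
	# redundant); they are listed once here.
	javaOptions = -Djava.security.egd=file:/dev/./urandom
	javaOptions = --add-opens java.base/java.net=ALL-UNNAMED
	javaOptions = --add-opens java.base/java.lang.invoke=ALL-UNNAMED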
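# Stop and start the stack again (placed after editing gerrit.config so the
# change is picked up). In the original one-liner everything after the first
# '#' was a comment, so neither command would have run if pasted as-is.
docker-compose down
docker-compose up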
phpldapadmin创建用户组
http://192.168.1.55:6443 是phpldapadmin登陆界面
命令行导入两个组
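# baseDN.ldif — two organizational units under the base DN.
# (The page had the whole file on one line behind the '#', which is not
# loadable LDIF; records are separated by a blank line.)
dn: ou=Users,dc=byheart,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=Depts,dc=byheart,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Depts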
将这个baseDN.ldif拷贝到openldap的容器实例中去
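# Copy the LDIF into the openldap container and load it with the admin DN.
# $containerId is the container's ID or name (the compose file names it
# "openldap").
docker cp baseDN.ldif "$containerId":/root/
# Run ldapadd directly instead of opening an interactive shell first.
# -H is the non-deprecated form of -h host:port; -W prompts for the admin
# password so it does not end up on the command line (visible in ps and
# shell history). The absolute path is used because docker exec starts in
# the image's working directory, which is not necessarily /root.
docker exec -it "$containerId" \
  ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=byheart,dc=com" -W -f /root/baseDN.ldif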
创建其他用户组


点击 Generic: Posix Group 创建用户组
Users
VPN
RDD
PDD
创建用户


点击Users用户组,点击Create new entry here,进入如下界面
注意:创建 LDAP 账号时使用默认的 md5 加密方式,否则无法成功登录 gerrit
登陆gerrit
-
添加公钥
[2021-01-21T12:12:57.931Z] [HTTP POST /accounts/self/sshkeys (zhxm from 192.168.1.214)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
java.lang.NullPointerException: Null email
at com.google.gerrit.entities.AutoValue_Address.<init>(AutoValue_Address.java:18)
at com.google.gerrit.entities.Address.create(Address.java:61)
at com.google.gerrit.entities.Address.create(Address.java:57)
at com.google.gerrit.server.mail.send.AddKeySender.init(AddKeySender.java:71)
at com.google.gerrit.server.mail.send.OutgoingEmail.send(OutgoingEmail.java:115)
at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:109)
at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:84)
at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:52)
at com.google.gerrit.httpd.restapi.RestApiServlet.lambda$invokeRestCollectionModifyViewWithRetry$10(RestApiServlet.java:866)
at com.github.rholder.retry.AttemptTimeLimiters$NoAttemptTimeLimit.call(AttemptTimeLimiters.java:78)
at com.github.rholder.retry.Retryer.call(Retryer.java:160)
at com.google.gerrit.server.update.RetryHelper.executeWithTimeoutCount(RetryHelper.java:561)
at com.google.gerrit.server.update.RetryHelper.execute(RetryHelper.java:504)
at com.google.gerrit.server.update.RetryableAction.call(RetryableAction.java:172)
注意:虽然报错,但是不影响添加成功。从堆栈看,错误出现在 AddKeySender 发送通知邮件时(Null email),推测是该 LDAP 账号没有 mail 属性(gerrit.config 中 accountEmailAddress = mail);公钥本身已经添加成功。
参考:
https://gist.github.com/thomasdarimont/d22a616a74b45964106461efb948df9c

