Environment
CentOS 7, 192.168.1.55
Firewall check
systemctl status firewalld
systemctl disable firewalld
systemctl stop firewalld
Enable IP forwarding
vim /etc/sysctl.conf
# add the following line:
net.ipv4.ip_forward=1
# run the following command to apply the setting
sysctl -p
Check whether Docker is installed
# install dependencies
yum install -y yum-utils device-mapper-persistent-data lvm2
# add the Docker repository
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# list the available Docker versions
yum list docker-ce --showduplicates | sort -r
# install Docker (latest version)
yum install -y docker-ce docker-ce-cli containerd.io
# start the Docker service
systemctl enable docker
systemctl start docker
Create the data directories
mkdir -p /data/system_data/openldap
mkdir -p /data/system_data/gerrit
chown -R nobody:nobody /data/system_data
chmod -R 777 /data/system_data
# note: the steps above must be run once more after docker-compose up has been executed
Write the docker-compose file
version: '2'
services:
  gerrit:
    image: gerritcodereview/gerrit
    ports:
      - "29418:29418"
      - "8081:8080"
    volumes:
      - /data/system_data/gerrit/etc:/var/gerrit/etc
      - /data/system_data/gerrit/git:/var/gerrit/git
      - /data/system_data/gerrit/db:/var/gerrit/db
      - /data/system_data/gerrit/index:/var/gerrit/index
      - /data/system_data/gerrit/cache:/var/gerrit/cache
    environment:
      - CANONICAL_WEB_URL=http://192.168.1.55:8081
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "byheart"
      LDAP_DOMAIN: "byheart.com"
      LDAP_BASE_DN: "dc=byheart,dc=com"
      LDAP_ADMIN_PASSWORD: "xxxxxxxx"
      LDAP_CONFIG_PASSWORD: "config"
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "true"
      LDAP_TLS_CRT_FILENAME: "ldap.crt"
      LDAP_TLS_KEY_FILENAME: "ldap.key"
      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_PROTOCOL_MIN: "3.1"
      LDAP_TLS_VERIFY_CLIENT: "demand"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    volumes:
      - /data/system_data/openldap/var/lib/ldap:/var/lib/ldap
      - /data/system_data/openldap/etc/ldap/slapd.d:/etc/ldap/slapd.d
      - /data/system_data/openldap/container/service/slapd/assets/certs:/container/service/slapd/assets/certs
    ports:
      - "389:389"
      - "636:636"
    domainname: "byheart.com" # important: same as hostname
    hostname: "byheart.com"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "6443:80"
    depends_on:
      - openldap
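Several values in this compose file trade security for convenience (LDAP_TLS_ENFORCE "false" with port 389 published on the host, passwords written as literals, LDAP_CONFIG_PASSWORD left at "config", PHPLDAPADMIN_HTTPS "false"). The script below is an added example, not code from the original post or from the osixia or Gerrit projects: it reads a constructed excerpt of the compose file above with a minimal parser for this file's shape (environment blocks in both mapping and list form, plus ports; it is not a general YAML parser) and lists the settings a defender would tighten before the stack leaves a lab network. The image defaults it compares against ("admin" and "config") are the ones documented for osixia/openldap.

```python
import re

# Constructed excerpt of the docker-compose.yml above; secrets use the same
# placeholders as the page.
COMPOSE = """\
version: '2'
services:
  gerrit:
    image: gerritcodereview/gerrit
    ports:
      - "29418:29418"
      - "8081:8080"
    environment:
      - CANONICAL_WEB_URL=http://192.168.1.55:8081
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    environment:
      LDAP_ORGANISATION: "byheart"
      LDAP_DOMAIN: "byheart.com"
      LDAP_ADMIN_PASSWORD: "xxxxxxxx"
      LDAP_CONFIG_PASSWORD: "config"
      LDAP_TLS: "true"
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_VERIFY_CLIENT: "demand"
    tty: true
    ports:
      - "389:389"
      - "636:636"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "6443:80"
"""


def parse_services(text):
    """Minimal parser for the compose subset used here. Returns
    {service: {"env": {KEY: value}, "ports": ["host:container", ...]}}.
    Handles environment as a mapping (KEY: "v") or a list (- KEY=v).
    Relies on the two-space indentation of the file above; not general YAML."""
    services, service, block, block_indent = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if block and indent > block_indent:
            item = line[1:].strip() if line.startswith("-") else line
            if block == "ports":
                services[service]["ports"].append(item.strip("\"'"))
            else:
                m = re.match(r'^([A-Z][A-Z0-9_]*)\s*[:=]\s*(.*)$', item)
                if m:
                    services[service]["env"][m.group(1)] = m.group(2).strip().strip("\"'")
            continue
        block = None
        if indent == 2 and line.endswith(":"):
            service = line[:-1]
            services[service] = {"env": {}, "ports": []}
        elif service and indent == 4 and line in ("environment:", "ports:"):
            block, block_indent = line[:-1], indent
    return services


def audit_compose(text):
    """Return a list of (service, finding) pairs for settings that leave
    credentials unprotected in transit or at rest."""
    findings = []
    services = parse_services(text)
    ldap = services.get("openldap", {"env": {}, "ports": []})
    env = ldap["env"]
    if env.get("LDAP_TLS_ENFORCE", "false").lower() != "true":
        findings.append(("openldap", "LDAP_TLS_ENFORCE is not true: simple binds may carry passwords in cleartext"))
        if any(p.startswith("389:") for p in ldap["ports"]):
            findings.append(("openldap", "port 389 is published on the host while cleartext binds are allowed"))
    # Documented osixia/openldap defaults; leaving them is as good as no password.
    defaults = {"LDAP_ADMIN_PASSWORD": "admin", "LDAP_CONFIG_PASSWORD": "config"}
    for key, default in defaults.items():
        value = env.get(key)
        if value is None:
            continue
        if value == default:
            findings.append(("openldap", f"{key} is the image default ('{default}')"))
        else:
            findings.append(("openldap", f"{key} is a literal in the compose file; move it to an env_file or a secret store"))
    pla = services.get("phpldapadmin", {"env": {}, "ports": []})
    if pla["env"].get("PHPLDAPADMIN_HTTPS", "true").lower() == "false":
        findings.append(("phpldapadmin", "PHPLDAPADMIN_HTTPS=false: the admin bind password crosses the network over plain HTTP"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_compose(COMPOSE):
        print(f"[{service}] {finding}")
```

Run it against the real file by replacing COMPOSE with `open("docker-compose.yml").read()`; the parser only understands files laid out like the one above, so keep that indentation.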
Run docker-compose up
For the first run it is better not to add -d: the log is then written to the console in real time and errors show up immediately. Gerrit, for example, fails with a permission error, and the following extra steps are needed:
mkdir /data/system_data/gerrit/etc/mail
chown -R nobody:nobody /data/system_data
chmod -R 777 /data/system_data
Gerrit configuration
[gerrit]
    basePath = git
    canonicalWebUrl = http://192.168.1.55:8081
    serverId = b5136284-cae0-4f61-8b21-798dce18e85a
[index]
    type = LUCENE
[auth]
    type = ldap
    gitBasicAuth = true
[ldap]
    server = ldap://openldap
    username = cn=admin,dc=byheart,dc=com
    password = xxxxxx
    accountBase = dc=byheart,dc=com
    groupBase = ou=Depts,dc=byheart,dc=com
    accountPattern = (&(objectClass=person)(uid=${username}))
    accountFullName = displayName
    accountEmailAddress = mail
[sendemail]
    smtpServer = localhost
[sshd]
    listenAddress = *:29418
[httpd]
    listenUrl = http://*:8080/
[cache]
    directory = cache
[container]
    user = root
    javaOptions = "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
    javaOptions = "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
    javaHome = /usr/lib/jvm/java-11-openjdk-11.0.9.11-2.el8_3.x86_64
    javaOptions = -Djava.security.egd=file:/dev/./urandom
    javaOptions = --add-opens java.base/java.net=ALL-UNNAMED
    javaOptions = --add-opens java.base/java.lang.invoke=ALL-UNNAMED
# stop the services
docker-compose down
# start the services again
docker-compose up
Create groups in phpLDAPadmin
http://192.168.1.55:6443 is the phpLDAPadmin login page.
Import two groups from the command line
# baseDN.ldif
dn: ou=Users,dc=byheart,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=Depts,dc=byheart,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Depts
Copy baseDN.ldif into the openldap container and load it:
docker cp baseDN.ldif $containerId:/root/
docker exec -it $containerId /bin/bash
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=byheart,dc=com" -W -f /root/baseDN.ldif
Create the other groups
Click Generic: Posix Group to create the following groups:
Users
VPN
RDD
PDD
Create users
Click the Users group, then Create new entry here; the following page opens.
Note: when creating the LDAP account, use the default md5 password hashing; otherwise logging in to Gerrit does not succeed.
Log in to Gerrit
Add a public key
[2021-01-21T12:12:57.931Z] [HTTP POST /accounts/self/sshkeys (zhxm from 192.168.1.214)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
java.lang.NullPointerException: Null email
    at com.google.gerrit.entities.AutoValue_Address.<init>(AutoValue_Address.java:18)
    at com.google.gerrit.entities.Address.create(Address.java:61)
    at com.google.gerrit.entities.Address.create(Address.java:57)
    at com.google.gerrit.server.mail.send.AddKeySender.init(AddKeySender.java:71)
    at com.google.gerrit.server.mail.send.OutgoingEmail.send(OutgoingEmail.java:115)
    at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:109)
    at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:84)
    at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:52)
    at com.google.gerrit.httpd.restapi.RestApiServlet.lambda$invokeRestCollectionModifyViewWithRetry$10(RestApiServlet.java:866)
    at com.github.rholder.retry.AttemptTimeLimiters$NoAttemptTimeLimit.call(AttemptTimeLimiters.java:78)
    at com.github.rholder.retry.Retryer.call(Retryer.java:160)
    at com.google.gerrit.server.update.RetryHelper.executeWithTimeoutCount(RetryHelper.java:561)
    at com.google.gerrit.server.update.RetryHelper.execute(RetryHelper.java:504)
    at com.google.gerrit.server.update.RetryableAction.call(RetryableAction.java:172)
Note: although this error is logged, the key is still added successfully.
References:
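The [ldap] section of gerrit.config above decides which entries Gerrit treats as accounts (accountPattern) and which attributes it reads from them (accountFullName, accountEmailAddress). The stack trace above shows Address.create failing with "Null email" while AddKeySender prepares the notification for the new key, which is what an account without a mail attribute produces. The script below is an added example, not code from the original post or from Gerrit: it checks exported user LDIF against those settings before anyone logs in. It parses the config in git-config style, expands objectClass inheritance (inetOrgPerson derives from organizationalPerson, which derives from person, per the standard schema) to decide whether the accountPattern filter would match, reports entries missing the login, full-name or e-mail attribute, and flags userPassword values stored without a {SCHEME} prefix so the hashing choice in the note above can be verified. The two users in SAMPLE_LDIF and the hash value are constructed.

```python
import base64
import re

# Constructed subset of the [ldap] section of the gerrit.config shown above.
GERRIT_CONFIG = """\
[auth]
    type = ldap
[ldap]
    server = ldap://openldap
    accountBase = dc=byheart,dc=com
    accountPattern = (&(objectClass=person)(uid=${username}))
    accountFullName = displayName
    accountEmailAddress = mail
"""

# Constructed LDIF for two users. alice carries everything the config maps;
# bob uses 'account' instead of a person-derived class, has no displayName
# or mail, and stores his password in cleartext. The hash value is constructed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=byheart,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
displayName: Alice Example
mail: alice@byheart.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
userPassword: {MD5}XUFAKrxLKna5cZ2REBfFkg==

dn: uid=bob,ou=Users,dc=byheart,dc=com
objectClass: account
objectClass: posixAccount
uid: bob
cn: bob
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/bob
userPassword: secret
"""

# Standard schema inheritance (RFC 4519, RFC 2798), lowercased; enough to
# decide whether an (objectClass=person) filter matches an entry.
SUPERCLASSES = {
    "inetorgperson": "organizationalperson",
    "organizationalperson": "person",
}


def parse_git_config(text):
    """Parse git-config style text ([section] and indented key = value)
    into {section: {key: value}} with lowercased section and key names."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            cfg.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep:
            cfg[section][key.strip().lower()] = value.strip()
    return cfg


def parse_ldif(text):
    """Split LDIF into entries of {attribute_lower: [values]}. Decodes
    base64 ('::') values and skips comments; continuation lines are not handled."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def class_chain(object_class):
    """Return the class and all of its superclasses, lowercased."""
    chain, cur = set(), object_class.lower()
    while cur and cur not in chain:
        chain.add(cur)
        cur = SUPERCLASSES.get(cur)
    return chain


def audit_accounts(config_text, ldif_text):
    """Return {dn: [findings]} for account-like entries that the [ldap]
    settings would not match, or would read incomplete data from."""
    ldap = parse_git_config(config_text).get("ldap", {})
    pattern = ldap.get("accountpattern", "(uid=${username})")
    required_classes = {c.lower() for c in re.findall(r"\(objectClass=([^)]+)\)", pattern, re.I)}
    login = re.search(r"\((\w+)=\$\{username\}\)", pattern)
    login_attr = login.group(1).lower() if login else "uid"
    needed = {
        login_attr: "login attribute from accountPattern; Gerrit cannot find the account",
        ldap.get("accountfullname", "displayName").lower(): "accountFullName; the display name will be empty",
        ldap.get("accountemailaddress", "mail").lower():
            "accountEmailAddress; mail-sending paths such as adding an SSH key see a null e-mail",
    }
    findings = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        classes = set()
        for oc in entry.get("objectclass", []):
            classes |= class_chain(oc)
        if login_attr not in entry and not (required_classes & classes):
            continue  # not an account entry (organizational units, groups)
        problems = []
        missing = required_classes - classes
        if missing:
            problems.append("accountPattern objectClass filter will not match (missing %s)" % ", ".join(sorted(missing)))
        for attr, why in needed.items():
            if attr not in entry:
                problems.append(f"missing {attr}: {why}")
        for pw in entry.get("userpassword", []):
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):
                problems.append("userPassword stored in cleartext (no {SCHEME} prefix)")
        if problems:
            findings[dn] = problems
    return findings


if __name__ == "__main__":
    for dn, problems in audit_accounts(GERRIT_CONFIG, SAMPLE_LDIF).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
```

To use it on the real directory, export the Users subtree with ldapsearch (or phpLDAPadmin's export) and pass that text together with the live gerrit.config; entries without the login attribute and without a matching objectClass, such as the two organizational units from baseDN.ldif, are skipped rather than reported.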
https://gist.github.com/thomasdarimont/d22a616a74b45964106461efb948df9c