Tag Archives: sysadmin

GitLab Installation on CentOS with nginx integration

Installing GitLab

S1. Follow the official installation guideline: https://about.gitlab.com/downloads/

wget https://downloads-packages.s3.amazonaws.com/centos-6.5/gitlab-7.1.1_omnibus-1.el6.x86_64.rpm
yum install openssh-server
yum install postfix # Select 'Internet Site', using sendmail instead also works, exim has problems
rpm -ivh gitlab-7.1.1_omnibus-1.el6.x86_64.rpm

S2. Initial basic GitLab config in /etc/gitlab/gitlab.rb

For troubleshooting and configuration options, see the Omnibus GitLab readme.

# Change the external_url to the address your users will type in their browser
external_url 'http://git.iallex.com'
#git_data_dir '/home/git/git-data'

S3. Set up the GitLab service configuration

gitlab-ctl reconfigure

That’s all if your server is just for a standalone GitLab.

You can log in as the admin user with username root and password 5iveL!fe.

Separating the Nginx server from the GitLab omnibus suite

Stop gitlab service first:

gitlab-ctl stop

Give nginx access to the git group:

Ensure your Nginx runs as a specific user (www) in /etc/nginx/nginx.conf, then add that user to the git group:

usermod -a -G git www

Change some GitLab permissions:

# ensure gitlab-rails is owned by the git group
chown git.git /var/opt/gitlab/gitlab-rails/ -R

# ensure `/var/opt/gitlab/gitlab-rails/tmp/sockets/gitlab.socket` and `uploads` are accessible by nginx
chmod g+rwx /var/opt/gitlab/gitlab-rails/ -R

# disable the internal gitlab nginx service and symlink its config into the global nginx config
rm -f /opt/gitlab/service/nginx
ln -sf "/var/opt/gitlab/nginx/etc/gitlab-http.conf" /etc/nginx/conf.d/

# test permission: the nginx user must be able to see the socket
sudo -u www ls "/var/opt/gitlab/gitlab-rails/tmp/sockets/gitlab.socket"

Restart the GitLab services and nginx:

gitlab-ctl start
/etc/init.d/nginx restart

Enjoy! http://git.iallex.com


PHP_FPM of unix sockets vs TCP ports

When setting up PHP-FPM behind nginx (fastcgi_pass), php-fpm.conf contains one of the two listen configurations below:

listen = /var/run/php5-fpm.sock -> [nginx.conf] fastcgi_pass unix:/var/run/php5-fpm.sock;

listen = 127.0.0.1:9000 -> [nginx.conf] fastcgi_pass 127.0.0.1:9000;

Performance of unix sockets vs TCP ports

When you are using TCP, you are also using the whole network stack. Even if you are on the same machine, this implies that packets are encapsulated and decapsulated to use the network stack and the related protocols.

If you use unix domain sockets, you will not be forced to go through all the network protocols that are required otherwise. The sockets are identified solely by the inodes on your hard drive.

Make PHP-FPM Listen at “IPAddress:Port” Instead of “/var/run/php5-fpm.sock;”

Unix sockets are slightly faster than a TCP/IP connection, but they are less scalable by default.

If you start getting errors like the following:

connect() to unix:/var/run/php5-fpm.sock failed or **apr_socket_recv: Connection reset by peer (104)**

then you need to either switch to TCP/IP or tune the Linux system parameters so that your OS can handle a large number of connections.

So, for high-load cases this is what it’s supposed to be: listen = 127.0.0.1:9000 and that fixed everything!
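Switching the listener to TCP trades the socket's file permissions for network reachability, so the listen line is worth checking either way. The script below is an added example, not code from the original post: it reads a php-fpm pool file and flags a TCP listener that binds every interface or has no listen.allowed_clients, and a unix socket whose listen.mode is world-writable. The three pool files are constructed for the demo; the directive names (listen, listen.allowed_clients, listen.mode) are real php-fpm options.

```shell
#!/bin/sh
# Added example (not from the original post): audit the listen settings of a
# php-fpm pool file before or after moving from a unix socket to TCP.
#   TCP listener : must not bind every interface (bare port, 0.0.0.0 or [::])
#                  and should restrict peers with listen.allowed_clients
#   unix socket  : listen.mode must not grant write access to everyone
# The checks only read the file; one finding is printed per line and the
# function returns 1 when anything was flagged, 0 when the pool looks clean.

# fpm_directive FILE NAME -> value of the first uncommented "NAME = value" line
fpm_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# audit_fpm_listen FILE -> prints findings, returns 0 if none
audit_fpm_listen() {
    pool=$1
    findings=0
    listen=$(fpm_directive "$pool" listen)
    case $listen in
        '')
            echo "$pool: no listen directive"
            findings=1 ;;
        /*)
            # unix domain socket: the socket mode is the only access control
            mode=$(fpm_directive "$pool" 'listen\.mode')
            case ${mode:-0660} in
                *[2367])
                    echo "$pool: listen.mode=${mode:-0660} lets every local user write to $listen"
                    findings=$((findings + 1)) ;;
            esac ;;
        *)
            # TCP listener: "host:port", or a bare port that binds all interfaces
            host=${listen%:*}
            if [ "$host" = "$listen" ]; then host=0.0.0.0; fi
            case $host in
                0.0.0.0|'[::]')
                    echo "$pool: listen=$listen binds every interface; use 127.0.0.1:port"
                    findings=$((findings + 1)) ;;
            esac
            allowed=$(fpm_directive "$pool" 'listen\.allowed_clients')
            if [ -z "$allowed" ]; then
                echo "$pool: no listen.allowed_clients; any host reaching the port can run PHP"
                findings=$((findings + 1))
            fi ;;
    esac
    [ "$findings" -eq 0 ]
}

# constructed sample pools for the demo (not taken from any real host)
FPM_DEMO=$(mktemp -d)
trap 'rm -rf "$FPM_DEMO"' EXIT
cat > "$FPM_DEMO/tcp-weak.conf" <<'EOF'
[www]
user = www
listen = 9000
;listen.allowed_clients = 127.0.0.1
pm = dynamic
EOF
cat > "$FPM_DEMO/tcp-hardened.conf" <<'EOF'
[www]
user = www
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
pm = dynamic
EOF
cat > "$FPM_DEMO/socket-weak.conf" <<'EOF'
[www]
user = www
listen = /var/run/php5-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0666
EOF

# usage: on CentOS the real pools live in /etc/php-fpm.d/*.conf
for pool in "$FPM_DEMO"/*.conf; do
    audit_fpm_listen "$pool" || echo "  -> $pool needs attention"
done
```

Point the loop at /etc/php-fpm.d/*.conf (or wherever your php-fpm.conf includes pools from) to audit a live server; the weak TCP pool above yields two findings and the hardened one none.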


Use cron job to cleanup log files

A Linux system generates various kinds of logs and temporary files in /var/log/ and /tmp. How can these files be cleaned up automatically?

Using tmpwatch to automate temporary file cleanup

First we need to install the third-party tool tmpwatch:

yum install tmpwatch -y

Once tmpwatch is installed, run:

/usr/sbin/tmpwatch -am 12 /tmp

This deletes all files under /tmp older than 12 hours.

Next, configure the server to do this automatically.

From an SSH session, type: crontab -e

Go to the very bottom and paste:

0 4 * * * /usr/sbin/tmpwatch -am 12 /var/log

For a more complete daily job, see the script shipped with tmpwatch:

$ cat /etc/cron.daily/tmpwatch

flags=-umc
/usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
    -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix 240 /tmp
/usr/sbin/tmpwatch "$flags" 720 /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
  if [ -d "$d" ]; then
    /usr/sbin/tmpwatch "$flags" -f 720 "$d"
  fi
done

-x marks an entry to be excluded from the clean-up operation.

Using a find one-liner to do the same thing if tmpwatch is not available

find /var/log -type f -name "*.tmp" -exec rm {} \+

Normally we would run find /path -name "*.tmp" -exec rm {} \; instead.
Handing a long list of file names to a single command can fail when the argument list grows larger (in bytes) than the maximum the system allows (getconf ARG_MAX); the -exec ... + form above, or xargs with the -L option, splits the list into batches of a safe size.

Also configure it as a cron job to run automatically:

find /var/log -type f -mtime +12 -print0 | xargs -0 -L 5000 rm
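The find-based cleanup and the tmpwatch cron script above do the same job; the script below is an added example, not code from the original post, that puts the pieces together: an age threshold, one excluded directory (the role of tmpwatch's -x), a dry-run mode, and deletion in batches through xargs so the argument list can never exceed ARG_MAX. The sample tree, the 12-day threshold and the "keep" directory are assumptions for the demo; note that find's -mtime +N counts days, whereas tmpwatch counts hours.

```shell
#!/bin/sh
# Added example (not from the original post): find-based replacement for the
# tmpwatch cron job. Files are listed NUL-separated so names with spaces or
# newlines cannot break the pipeline, and rm is fed at most 500 paths at a time.

# list_old_files DIR DAYS [EXCLUDE_DIR]
#   prints NUL-separated regular files under DIR last modified more than DAYS
#   days ago, skipping everything below EXCLUDE_DIR when it is given
list_old_files() {
    if [ -n "${3:-}" ]; then
        find "$1" -path "$3" -prune -o -type f -mtime +"$2" -print0
    else
        find "$1" -type f -mtime +"$2" -print0
    fi
}

# cleanup_old_files DIR DAYS [EXCLUDE_DIR]
#   deletes what list_old_files reports; with DRY_RUN=1 it only prints the paths
cleanup_old_files() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        list_old_files "$@" | xargs -0 -n 500 echo "would remove:"
    else
        list_old_files "$@" | xargs -0 -n 500 rm -f
    fi
}

# constructed sample tree: two stale files (one under the excluded directory)
# and one fresh file; the stale ones are back-dated to 2020-01-01
LOGDEMO=$(mktemp -d)
trap 'rm -rf "$LOGDEMO"' EXIT
mkdir "$LOGDEMO/keep"
printf 'stale\n' > "$LOGDEMO/old.log"
printf 'stale\n' > "$LOGDEMO/keep/old.log"
printf 'fresh\n' > "$LOGDEMO/new.log"
touch -t 202001010000 "$LOGDEMO/old.log" "$LOGDEMO/keep/old.log"

# usage: preview first, then delete; for the real job use /var/log and a cron entry
DRY_RUN=1; cleanup_old_files "$LOGDEMO" 12 "$LOGDEMO/keep"   # prints only old.log
DRY_RUN=0; cleanup_old_files "$LOGDEMO" 12 "$LOGDEMO/keep"   # removes only old.log
```

A cron entry for the real thing would call cleanup_old_files /var/log 12 /var/log/audit (or whatever must survive) from a script file; run it once with DRY_RUN=1 before trusting the threshold.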


CentOS LOG – Security optimizations

Kernel optimization: edit /etc/sysctl.conf (vi /etc/sysctl.conf)

We can view the system kernel settings by sysctl -a.

# Not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

Tune the kernel to block SYN flood attacks (check the current values with sysctl -a | grep syn):

# Enable SYN cookies:
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=3072
sysctl -w net.ipv4.tcp_synack_retries=0
sysctl -w net.ipv4.tcp_syn_retries=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

# Ignore ping:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
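Values set with sysctl -w are lost at reboot unless they are also in /etc/sysctl.conf, so it is worth checking the live values against what was intended. The script below is an added example, not code from the original post: it reads sysctl -a output (from a live box or a saved snapshot) and reports every key that is missing or differs from the baseline. The baseline keys and values are the ones listed above; the snapshot in the block is constructed for the demo, with two values deliberately drifted.

```shell
#!/bin/sh
# Added example (not from the original post): compare "sysctl -a" output with
# the hardening values listed above and report drift. Input format is what
# sysctl -a prints, one "key = value" per line.

# one "key expected" pair per line (values taken from the page's own list)
SYSCTL_BASELINE='
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.forwarding 0
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
'

# audit_sysctl < SNAPSHOT
#   prints "key current expected" for each key that is missing or differs
#   from the baseline ("missing" stands in for an absent key); returns 1 if any
audit_sysctl() {
    snapshot=$(cat)
    report=$(printf '%s\n' "$SYSCTL_BASELINE" | while read -r key want; do
        if [ -n "$key" ]; then
            # exact key match; dots in the key are not regex metacharacters here
            have=$(printf '%s\n' "$snapshot" | awk -v k="$key" '$1 == k && $2 == "=" { print $3; exit }')
            if [ -z "$have" ]; then
                printf '%s missing %s\n' "$key" "$want"
            elif [ "$have" != "$want" ]; then
                printf '%s %s %s\n' "$key" "$have" "$want"
            fi
        fi
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# constructed snapshot in "sysctl -a" format: accept_redirects and forwarding
# have drifted from the baseline, the rest is compliant
SYSCTL_SAMPLE='net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 3072'

# usage on the constructed snapshot; on a live host: sysctl -a 2>/dev/null | audit_sysctl
printf '%s\n' "$SYSCTL_SAMPLE" | audit_sysctl || echo "sysctl drift detected"
```

Running sysctl -a 2>/dev/null | audit_sysctl from cron after each reboot turns a silently lost setting into a visible report; extend SYSCTL_BASELINE with the other keys from the list above as needed.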

Add iptables rules to mitigate SYN flood attacks

# Mitigate SYN flood and shorten the SYN timeout (--limit 1/s limits SYNs to 1 per second; adjust to your needs)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT

# Mitigate various port scans
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Mitigate Ping of Death attacks
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Let in at most 3 SYN packets per second
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT

# Block a specific IP range (e.g. 10.0.0.0/8)
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP

Enable the firewall and block all unused ports

iptables -F
iptables -A INPUT -p tcp -i vnet0 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -i vnet0 --dport 80 -j ACCEPT
iptables -A INPUT -i vnet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i vnet0 -j DROP

After making the changes, restart iptables:

/etc/init.d/iptables restart
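The rule set above works, but the order matters when it is applied over SSH: the ESTABLISHED,RELATED rule has to be in place before the default deny, or the session you are typing in is cut off. The script below is an added example, not code from the original post, that combines the "close everything unused" rules with the syn-flood chain from the same post in a safe order and lets you preview the commands with IPT=echo. It departs from the post in two places on purpose: echo-request is answered at a rate limit rather than all ICMP being dropped (dropping all ICMP also breaks path-MTU discovery), and the syn-flood chain ends in DROP instead of REJECT. The interface eth0 and ports 22 and 80 are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the firewall above as a function
# with a safe ordering for remote administration:
#   1. flush, 2. accept loopback and established traffic, 3. rate-limit new
#   SYNs through a dedicated chain, 4. open only the listed ports,
#   5. set the DROP policy last. IPT=echo prints the commands instead.
IPT=${IPT:-iptables}

# apply_firewall IFACE PORT... -> runs (or echoes) the iptables commands
apply_firewall() {
    iface=$1; shift

    "$IPT" -F INPUT
    "$IPT" -F syn-flood 2>/dev/null || true   # chain may not exist yet
    "$IPT" -X syn-flood 2>/dev/null || true

    # traffic that is always fine: loopback and replies to our own connections
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$iface" -m state --state INVALID -j DROP

    # SYN flood mitigation: new connections pass at 1/s with a burst of 3,
    # anything beyond that is dropped before it reaches the port rules
    "$IPT" -N syn-flood
    "$IPT" -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
    "$IPT" -A syn-flood -j DROP
    "$IPT" -A INPUT -i "$iface" -p tcp --syn -j syn-flood

    # services this host actually offers; everything else hits the policy below
    for port in "$@"; do
        "$IPT" -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # answer ping, but rate-limited, instead of dropping all ICMP
    "$IPT" -A INPUT -i "$iface" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # default deny, set only after the accept rules are in place
    "$IPT" -P INPUT DROP
}

# Preview (no root needed):  IPT=echo sh firewall.sh
# Apply (as root):           APPLY=1 sh firewall.sh
if [ "$IPT" = echo ] || [ "${APPLY:-0}" = 1 ]; then
    apply_firewall "${IFACE:-eth0}" 22 80
fi
```

Preview with IPT=echo first, check that the loopback and ESTABLISHED rules precede -P INPUT DROP, then apply as root and persist with service iptables save (or /etc/init.d/iptables save) so the rules survive the restart shown above.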

Building a php extension using phpize

Run a piece of PHP code from the command line:

php -r "echo(mcrypt_module_open('rijndael-256', '', 'ofb', ''));"

Then we got an error message about mcrypt:

Fatal error: Call to undefined function mcrypt_module_open() in Command line code on line 1

Install mcrypt for PHP53 on CentOS using phpize:

cd php-5.5.9/ext/mcrypt/
phpize
aclocal
./configure
make
make install

Add the mcrypt extension to /etc/php.ini with the line:

extension=mcrypt.so

Check whether the mcrypt module is loaded with php -m | grep "mcrypt".

You may get errors like the following:

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/php5/lib/php/extensions/no-debug-non-zts-20121212/mcrypt.so' - libmcrypt.so.4: cannot open shared object file: No such file or directory in Unknown on line 0

To fix it, run yum install libmcrypt-devel

Nginx install and configuration tips

Compiling and installing

Get latest source code from http://nginx.org/en/download.html

Some 3rd-party modules are available as well.

tar xzf nginx-1.4.3.tar.gz
cd nginx-1.4.3
./configure --prefix=/usr/local/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/tmp/nginx/body \
    --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
    --http-proxy-temp-path=/var/tmp/nginx/proxy \
    --http-scgi-temp-path=/var/tmp/nginx/scgi \
    --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/var/run/nginx.pid
make
make install

Some optional configure flags for advanced features:

--with-http_gzip_static_module

Serve precompressed files with the .gz filename extension instead of the regular files; enabled in the config with gzip_static on.

--add-module=/path/to/echo-nginx-module

Compile with the module that brings the power of echo, sleep, time and more to nginx’s config file, for example:

location /test {
  echo "uri = $uri";
  echo "args = $args";
  ...
}

Nginx compile issues

./configure: error: the HTTP rewrite module requires the PCRE library. You can either disable the module by using --without-http_rewrite_module option, or install the PCRE library into the system, or build the PCRE library statically from the source with nginx by using --with-pcre option.

[Solution]

yum install pcre-devel.x86_64

[Note]

If pcre is already installed but the pcre references still cannot be found:

In this case, when compiling nginx against a custom-compiled library such as pcre, zlib or OpenSSL, you must point the build at it with the --with-cc-opt and --with-ld-opt options:

--with-cc-opt="-I/usr/local/pcre/include" --with-ld-opt="-L/usr/local/pcre/lib"

./configure: error: SSL modules require the OpenSSL library. You can either do not enable the modules, or install the OpenSSL library into the system, or build the OpenSSL library statically from the source with nginx by using --with-openssl option.

[Solution]

yum install openssl.x86_64 openssl-devel.x86_64

Nginx configuration guidelines

First, understand why "if" is evil in nginx configuration (the IfIsEvil page of the nginx wiki).

Set a custom header

Add a custom header to identify the upstream in a development environment (adds the $hostname variable to the HTTP response headers):

add_header X-Original-Via $hostname;

Fastcgi normalize SCRIPT_FILENAME

With fastcgi_split_path_info we can control $fastcgi_path_info and $fastcgi_script_name.

fastcgi_split_path_info regex; defines a regular expression that captures a value for the $fastcgi_path_info variable. The regular expression should have two captures: the first becomes the value of the $fastcgi_script_name variable, the second becomes the value of the $fastcgi_path_info variable. For example, with these settings

location ~ ^(.+\.php)(.*)$ {
   fastcgi_split_path_info       ^(.+\.php)(.*)$;
   fastcgi_param SCRIPT_FILENAME /path/to/php$fastcgi_script_name;
   fastcgi_param PATH_INFO       $fastcgi_path_info;
}

and the “/show.php/article/0001” request, the SCRIPT_FILENAME parameter will be equal to “/path/to/php/show.php”, and the PATH_INFO parameter will be equal to “/article/0001”.
