# Reference architecture: up to 3,000 users

> Original: [https://docs.gitlab.com/ee/administration/reference_architectures/3k_users.html](https://docs.gitlab.com/ee/administration/reference_architectures/3k_users.html)

*   [Setup components](#setup-components)
*   [Configure the external load balancer](#configure-the-external-load-balancer)
    *   [Application node terminates SSL](#application-node-terminates-ssl)
    *   [Load balancer terminates SSL without backend SSL](#load-balancer-terminates-ssl-without-backend-ssl)
    *   [Load balancer terminates SSL with backend SSL](#load-balancer-terminates-ssl-with-backend-ssl)
    *   [Ports](#ports)
        *   [Alternate SSH Port](#alternate-ssh-port)
*   [Configure Redis](#configure-redis)
    *   [Provide your own Redis instance](#provide-your-own-redis-instance)
    *   [Standalone Redis using Omnibus GitLab](#standalone-redis-using-omnibus-gitlab)
        *   [Configuring the primary Redis instance](#configuring-the-primary-redis-instance)
        *   [Configuring the replica Redis instances](#configuring-the-replica-redis-instances)
*   [Configure Consul and Sentinel](#configure-consul-and-sentinel)
*   [Configure PostgreSQL](#configure-postgresql)
    *   [Provide your own PostgreSQL instance](#provide-your-own-postgresql-instance)
    *   [Standalone PostgreSQL using Omnibus GitLab](#standalone-postgresql-using-omnibus-gitlab)
        *   [PostgreSQL primary node](#postgresql-primary-node)
        *   [PostgreSQL secondary nodes](#postgresql-secondary-nodes)
        *   [PostgreSQL post-configuration](#postgresql-post-configuration)
*   [Configure PgBouncer](#configure-pgbouncer)
    *   [Configure the internal load balancer](#configure-the-internal-load-balancer)
*   [Configure Gitaly](#configure-gitaly)
    *   [Gitaly TLS support](#gitaly-tls-support)
*   [Configure Sidekiq](#configure-sidekiq)
*   [Configure GitLab Rails](#configure-gitlab-rails)
    *   [GitLab Rails post-configuration](#gitlab-rails-post-configuration)
*   [Configure Prometheus](#configure-prometheus)
*   [Configure the object storage](#configure-the-object-storage)
*   [Configure NFS (optional)](#configure-nfs-optional)
*   [Troubleshooting](#troubleshooting)

This page describes the GitLab reference architecture for up to 3,000 users. For a full list of reference architectures, see [Available reference architectures](index.html#available-reference-architectures).

**Note:** The 3,000-user reference architecture documented below is designed to help your organization achieve a highly available GitLab deployment. If you do not have the expertise or need to maintain a highly available environment, you can follow the [2,000-user reference architecture](2k_users.html) instead, which gives you a simpler and less costly environment to operate.

> *   **Supported users (approximate):** 3,000
> *   **High availability:** True
> *   **Test RPS rates:** API: 60 RPS, Web: 6 RPS, Git: 6 RPS

| Service | Nodes | Configuration | GCP | AWS | Azure |
| --- | --- | --- | --- | --- | --- |
| External load balancing node | 1 | 2 vCPU, 1.8GB Memory | `n1-highcpu-2` | `c5.large` | `F2s v2` |
| Redis | 3 | 2 vCPU, 7.5GB Memory | `n1-standard-2` | `m5.large` | `D2s v3` |
| Consul + Sentinel | 3 | 2 vCPU, 1.8GB Memory | `n1-highcpu-2` | `c5.large` | `F2s v2` |
| PostgreSQL | 3 | 2 vCPU, 7.5GB Memory | `n1-standard-2` | `m5.large` | `D2s v3` |
| PgBouncer | 3 | 2 vCPU, 1.8GB Memory | `n1-highcpu-2` | `c5.large` | `F2s v2` |
| Internal load balancing node | 1 | 2 vCPU, 1.8GB Memory | `n1-highcpu-2` | `c5.large` | `F2s v2` |
| Gitaly | minimum 2 | 4 vCPU, 15GB Memory | `n1-standard-4` | `m5.xlarge` | `D4s v3` |
| Sidekiq | 4 | 2 vCPU, 7.5GB Memory | `n1-standard-2` | `m5.large` | `D2s v3` |
| GitLab Rails | 3 | 8 vCPU, 7.2GB Memory | `n1-highcpu-8` | `c5.2xlarge` | `F8s v2` |
| Monitoring node | 1 | 2 vCPU, 1.8GB Memory | `n1-highcpu-2` | `c5.large` | `F2s v2` |
| Object storage | n/a | n/a | n/a | n/a | n/a |
| NFS server (optional, not recommended) | 1 | 4 vCPU, 3.6GB Memory | `n1-highcpu-4` | `c5.xlarge` | `F4s v2` |

These architectures were built and tested on GCP using the [Intel Xeon E5 v3 (Haswell)](https://cloud.google.com/compute/docs/cpu-platforms) CPU platform. On different hardware you may find that adjustments, either lower or higher, are required for your CPU or node counts. For more information, a [Sysbench](https://github.com/akopytov/sysbench) benchmark of the CPU can be found [here](https://gitlab.com/gitlab-org/quality/performance/-/wikis/Reference-Architectures/GCP-CPU-Benchmarks).

For data objects such as LFS, Uploads, Artifacts, etc., an [object storage service](#configure-the-object-storage) is recommended over NFS where possible, due to better performance and availability. Since this doesn't require a node to be set up, it is marked as not applicable (n/a) in the table above.

## Setup components

To set up GitLab and its components to accommodate up to 3,000 users:

1.  [Configure the external load balancing node](#configure-the-external-load-balancer), which will handle the load balancing of the two GitLab application services nodes.
2.  [Configure Redis](#configure-redis).
3.  [Configure Consul and Sentinel](#configure-consul-and-sentinel).
4.  [Configure PostgreSQL](#configure-postgresql), the database for GitLab.
5.  [Configure PgBouncer](#configure-pgbouncer).
6.  [Configure the internal load balancing node](#configure-the-internal-load-balancer).
7.  [Configure Gitaly](#configure-gitaly), which provides access to the Git repositories.
8.  [Configure Sidekiq](#configure-sidekiq).
9.  [Configure the main GitLab Rails application](#configure-gitlab-rails) to run Puma/Unicorn, Workhorse, GitLab Shell, and to serve all frontend requests (UI, API, Git over HTTP/SSH).
10.  [Configure Prometheus](#configure-prometheus) to monitor your GitLab environment.
11.  [Configure the object storage](#configure-the-object-storage) used for shared data objects.
12.  [Configure NFS (optional)](#configure-nfs-optional) to have a shared disk storage service as an alternative to Gitaly and/or object storage (although not recommended). NFS is required for GitLab Pages; you can skip this step if you are not using that feature.

We start with all servers on the same 10.6.0.0/16 private network range; they can connect to each other freely on those addresses.

Here is a list and description of each machine and the assigned IP:

*   `10.6.0.10`: External load balancer
*   `10.6.0.61`: Redis primary
*   `10.6.0.62`: Redis replica 1
*   `10.6.0.63`: Redis replica 2
*   `10.6.0.11`: Consul/Sentinel 1
*   `10.6.0.12`: Consul/Sentinel 2
*   `10.6.0.13`: Consul/Sentinel 3
*   `10.6.0.31`: PostgreSQL primary
*   `10.6.0.32`: PostgreSQL secondary 1
*   `10.6.0.33`: PostgreSQL secondary 2
*   `10.6.0.21`: PgBouncer 1
*   `10.6.0.22`: PgBouncer 2
*   `10.6.0.23`: PgBouncer 3
*   `10.6.0.20`: Internal load balancer
*   `10.6.0.51`: Gitaly 1
*   `10.6.0.52`: Gitaly 2
*   `10.6.0.71`: Sidekiq 1
*   `10.6.0.72`: Sidekiq 2
*   `10.6.0.73`: Sidekiq 3
*   `10.6.0.74`: Sidekiq 4
*   `10.6.0.41`: GitLab application 1
*   `10.6.0.42`: GitLab application 2
*   `10.6.0.43`: GitLab application 3
*   `10.6.0.81`: Prometheus

## Configure the external load balancer

**Note:** This architecture has been tested and validated with [HAProxy](https://www.haproxy.org/) as the load balancer. Although other load balancers with similar feature sets could also be used, those load balancers have not been validated.

In an active/active GitLab configuration, you will need a load balancer to route traffic to the application servers. The specifics on which load balancer to use, or its exact configuration, are beyond the scope of GitLab documentation. We assume that if you're managing multi-node systems like GitLab, you already have a load balancer of choice. Some examples include HAProxy (open source), F5 Big-IP LTM, and Citrix Net Scaler. This documentation outlines which ports and protocols you need to use with GitLab.

The next question is how to handle SSL in your environment. There are several different options:

*   [The application node terminates SSL](#application-node-terminates-ssl).
*   [The load balancer terminates SSL without backend SSL](#load-balancer-terminates-ssl-without-backend-ssl), and communication between the load balancer and the application node is not secure.
*   [The load balancer terminates SSL with backend SSL](#load-balancer-terminates-ssl-with-backend-ssl), and communication between the load balancer and the application node is *secure*.

### Application node terminates SSL

Configure your load balancer(s) to pass connections on port 443 as `TCP` rather than `HTTP(S)` protocol. This will pass the connection through to the application node's NGINX service. NGINX will have the SSL certificate and listen on port 443.

See the [NGINX HTTPS documentation](https://docs.gitlab.com/omnibus/settings/nginx.html) for details on managing SSL certificates and configuring NGINX.

### Load balancer terminates SSL without backend SSL

Configure your load balancer(s) to use the `HTTP(S)` protocol rather than `TCP`. The load balancer(s) will then be responsible for managing SSL certificates and terminating SSL.

Since communication between the load balancer and GitLab will not be secure, there is some additional configuration needed. See the [NGINX proxied SSL documentation](https://docs.gitlab.com/omnibus/settings/nginx.html) for details.

### Load balancer terminates SSL with backend SSL

Configure your load balancer(s) to use the `HTTP(S)` protocol rather than `TCP`. The load balancer(s) will be responsible for managing the SSL certificates that end users will see.

In this scenario, traffic between the load balancer and NGINX will also be secure. There is no need to add configuration for proxied SSL, since the connection will be secure all the way. However, configuration will need to be added to GitLab to configure SSL certificates. See the [NGINX HTTPS documentation](https://docs.gitlab.com/omnibus/settings/nginx.html) for details on managing SSL certificates and configuring NGINX.

### Ports

The basic ports to be used are listed in the table below.

| LB Port | Backend Port | Protocol |
| --- | --- | --- |
| 80 | 80 | HTTP (*1*) |
| 443 | 443 | TCP or HTTPS (*1*) (*2*) |
| 22 | 22 | TCP |

(*1*): [Web terminal](../../ci/environments/index.html#web-terminals) support requires your load balancer to correctly handle WebSocket connections. When using HTTP or HTTPS proxying, this means your load balancer must be configured to pass through the `Connection` and `Upgrade` hop-by-hop headers. See the [web terminal](../integration/terminal.html) integration guide for more details.
(*2*): When using the HTTPS protocol for port 443, you will need to add an SSL certificate to the load balancer(s). If you wish to terminate SSL at the GitLab application server instead, use the TCP protocol.

If you're using GitLab Pages with custom domain support you will need some additional port configuration. GitLab Pages requires a separate virtual IP address. Configure DNS to point the `pages_external_url` from `/etc/gitlab/gitlab.rb` to the new virtual IP address. See the [GitLab Pages documentation](../pages/index.html) for more information.

| LB Port | Backend Port | Protocol |
| --- | --- | --- |
| 80 | Varies (*1*) | HTTP |
| 443 | Varies (*1*) | TCP (*2*) |

(*1*): The backend port for GitLab Pages depends on the `gitlab_pages['external_http']` and `gitlab_pages['external_https']` settings. See the [GitLab Pages documentation](../pages/index.html) for more details.
(*2*): Port 443 for GitLab Pages should always use the TCP protocol. Users can configure custom domains with custom SSL, which would not be possible if SSL was terminated at the load balancer.

#### Alternate SSH Port

Some organizations have policies against opening SSH port 22. In this case, it may be helpful to configure an alternate SSH hostname that allows users to use SSH on port 443. An alternate SSH hostname will require a new virtual IP address compared to the other GitLab HTTP configuration above.

Configure DNS for an alternate SSH hostname such as `altssh.gitlab.example.com`.

| LB Port | Backend Port | Protocol |
| --- | --- | --- |
| 443 | 22 | TCP |
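As an added illustration (not part of the GitLab documentation), the following HAProxy configuration implements the three port tables above on the external load balancer at `10.6.0.10`, using the "application node terminates SSL" option so the load balancer never holds the TLS private key. It assumes the three GitLab Rails nodes from the IP plan (`10.6.0.41` to `10.6.0.43`) and an assumed second virtual IP, `10.6.0.14`, for the alternate SSH hostname; timeouts and health checks are starting points to tune for your environment.

```haproxy
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80: HTTP mode. HAProxy handles the WebSocket Upgrade handshake natively
# in HTTP mode, so the Connection/Upgrade hop-by-hop headers that web terminals
# need are passed through without extra directives.
frontend gitlab_http
    bind 10.6.0.10:80
    mode http
    option httplog
    option forwardfor
    default_backend gitlab_http_nodes

backend gitlab_http_nodes
    mode http
    balance roundrobin
    # Keep long-lived WebSocket (web terminal) sessions from being cut off.
    timeout tunnel 1h
    server app1 10.6.0.41:80 check
    server app2 10.6.0.42:80 check
    server app3 10.6.0.43:80 check

# Port 443: plain TCP passthrough, so TLS is terminated by NGINX on the
# application nodes and certificates are managed there, not on the LB.
frontend gitlab_https
    bind 10.6.0.10:443
    mode tcp
    option tcplog
    default_backend gitlab_https_nodes

backend gitlab_https_nodes
    mode tcp
    balance roundrobin
    server app1 10.6.0.41:443 check
    server app2 10.6.0.42:443 check
    server app3 10.6.0.43:443 check

# Port 22: TCP for Git over SSH, answered by GitLab Shell on the nodes.
frontend gitlab_ssh
    bind 10.6.0.10:22
    mode tcp
    option tcplog
    default_backend gitlab_ssh_nodes

backend gitlab_ssh_nodes
    mode tcp
    balance roundrobin
    server app1 10.6.0.41:22 check
    server app2 10.6.0.42:22 check
    server app3 10.6.0.43:22 check

# Alternate SSH: the separate VIP (altssh.gitlab.example.com, assumed to be
# 10.6.0.14) accepts SSH on 443 and forwards to port 22 on the same backends.
frontend gitlab_altssh
    bind 10.6.0.14:443
    mode tcp
    option tcplog
    default_backend gitlab_ssh_nodes
```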

[Back to setup components](#setup-components)

## Configure Redis

Using [Redis](https://s0redis0io.icopy.site/) in a scalable environment is possible using a **Primary** x **Replica** topology with a [Redis Sentinel](https://s0redis0io.icopy.site/topics/sentinel) service to watch and automatically start the failover procedure.

Redis requires authentication if used with Sentinel. See the [Redis Security](https://s0redis0io.icopy.site/topics/security) documentation for more information. We recommend using a combination of a Redis password and tight firewall rules to secure your Redis service. You are highly encouraged to read the [Redis Sentinel](https://s0redis0io.icopy.site/topics/sentinel) documentation before configuring Redis with GitLab to fully understand the topology and architecture.

In this section, you'll be guided through configuring an external Redis instance to be used with GitLab. The following IPs will be used as an example:

*   `10.6.0.61`: Redis primary
*   `10.6.0.62`: Redis replica 1
*   `10.6.0.63`: Redis replica 2

### Provide your own Redis instance

A managed Redis from a cloud provider (such as AWS ElastiCache) will work. If these services support high availability, be sure it is **not** the Redis Cluster type.

Redis version 5.0 or higher is required, as this is what ships with Omnibus GitLab packages starting with GitLab 13.0. Older Redis versions do not support an optional count argument to SPOP, which is now required for [Merge Trains](../../ci/merge_request_pipelines/pipelines_for_merged_results/merge_trains/index.html).

Note the Redis node's IP address or hostname, port, and password (if required). These will be necessary when configuring the [GitLab application servers](#configure-gitlab-rails) later.

### Standalone Redis using Omnibus GitLab

This is the section where we install and set up the new Redis instances.

The requirements for a Redis setup are the following:

1.  All Redis nodes must be able to talk to each other and accept incoming connections over the Redis (`6379`) and Sentinel (`26379`) ports (unless you change the default ones).
2.  The server that hosts the GitLab application must be able to access the Redis nodes.
3.  Protect the nodes from access from external networks ([Internet](https://gitlab.com/gitlab-org/gitlab-foss/uploads/c4cc8cd353604bd80315f9384035ff9e/The_Internet_IT_Crowd.png)), using a firewall.

**Note:** Redis nodes (both primary and replica) will need the same password defined in `redis['password']`. At any time during a failover, the Sentinels can reconfigure a node and change its status from primary to replica and vice versa.

#### Configuring the primary Redis instance

1.  SSH into the **Primary** Redis server.
2.  [Download/install](https://about.gitlab.com/install/) the Omnibus GitLab package you want using **steps 1 and 2** from the GitLab downloads page.
    *   Make sure you select the correct Omnibus package, with the same version and type (Community, Enterprise editions) as your current install.
    *   Do not complete any other steps on the download page.
3.  Edit `/etc/gitlab/gitlab.rb` and add the contents:

    ```
    # Specify server role as 'redis_master_role'
    roles ['redis_master_role']

    # IP address pointing to a local IP that the other machines can reach to.
    # You can also set bind to '0.0.0.0' which listen in all interfaces.
    # If you really need to bind to an external accessible IP, make
    # sure you add extra firewall rules to prevent unauthorized access.
    redis['bind'] = '10.6.0.61'

    # Define a port so Redis can listen for TCP requests which will allow other
    # machines to connect to it.
    redis['port'] = 6379

    # Set up password authentication for Redis (use the same password in all nodes).
    redis['password'] = 'redis-password-goes-here'

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    }

    # Set the network addresses that the exporters will listen on
    node_exporter['listen_address'] = '0.0.0.0:9100'
    redis_exporter['listen_address'] = '0.0.0.0:9121'
    redis_exporter['flags'] = {
         'redis.addr' => 'redis://10.6.0.61:6379',
         'redis.password' => 'redis-password-goes-here',
    }

    # Disable auto migrations
    gitlab_rails['auto_migrate'] = false 
    ```

4.  [Reconfigure Omnibus GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure) for the changes to take effect.

**Note:** You can specify multiple roles, like Sentinel and Redis, as: `roles ['redis_sentinel_role', 'redis_master_role']`. Read more about [roles](https://docs.gitlab.com/omnibus/roles/).

You can list the current Redis primary and replica status via:

```
/opt/gitlab/embedded/bin/redis-cli -h <host> -a 'redis-password-goes-here' info replication 
```

Show the running GitLab services via:

```
gitlab-ctl status 
```

The output should be similar to the following:

```
run: consul: (pid 30043) 76863s; run: log: (pid 29691) 76892s
run: logrotate: (pid 31152) 3070s; run: log: (pid 29595) 76908s
run: node-exporter: (pid 30064) 76862s; run: log: (pid 29624) 76904s
run: redis: (pid 30070) 76861s; run: log: (pid 29573) 76914s
run: redis-exporter: (pid 30075) 76861s; run: log: (pid 29674) 76896s 
```
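As an added check (not part of the GitLab documentation), the following Python script parses `info replication` output from the primary and from a replica and verifies that the topology matches the plan above: the primary at `10.6.0.61` with online replicas `10.6.0.62` and `10.6.0.63`, and each replica linked to `10.6.0.61` on port 6379. The two sample outputs are constructed for the example, not captured from a real node; in practice, feed it the output of the `redis-cli` command shown above.

```python
"""Sanity-check the Redis primary/replica topology from `info replication` output."""
from typing import Dict, List, Set

# Constructed sample output (not captured from a real node), in the format that
# `redis-cli -h <host> -a '<password>' info replication` prints on Redis 5.
PRIMARY_INFO = """\
# Replication
role:master
connected_slaves:2
slave0:ip=10.6.0.62,port=6379,state=online,offset=112233,lag=0
slave1:ip=10.6.0.63,port=6379,state=online,offset=112233,lag=1
master_replid:0123456789abcdef0123456789abcdef01234567
master_repl_offset:112233
"""

# Constructed sample output from one of the replicas.
REPLICA_INFO = """\
# Replication
role:slave
master_host:10.6.0.61
master_port:6379
master_link_status:up
master_last_io_seconds_ago:1
master_sync_in_progress:0
slave_repl_offset:112233
"""


def parse_info(text: str) -> Dict[str, str]:
    """Parse INFO output into a dict; '#' lines are section headers, not data."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def parse_replica_entry(value: str) -> Dict[str, str]:
    """Turn 'ip=10.6.0.62,port=6379,state=online,...' into a dict."""
    return dict(item.split("=", 1) for item in value.split(","))


def check_primary(text: str, expected_replicas: Set[str]) -> List[str]:
    """Return problems with the primary's view of replication (empty list = healthy)."""
    info = parse_info(text)
    problems: List[str] = []
    if info.get("role") != "master":
        problems.append(f"expected role master, got {info.get('role')!r}")
    seen: Dict[str, Dict[str, str]] = {}
    for key, value in info.items():
        # Replica lines are keyed slave0, slave1, ... (Redis 5 still uses this name).
        if key.startswith("slave") and key[len("slave"):].isdigit():
            entry = parse_replica_entry(value)
            seen[entry["ip"]] = entry
    for ip in sorted(expected_replicas - set(seen)):
        problems.append(f"replica {ip} is not connected to the primary")
    for ip, entry in sorted(seen.items()):
        if ip not in expected_replicas:
            # A replica outside the plan is receiving a full copy of the data.
            problems.append(f"unexpected replica {ip} attached to the primary")
        if entry.get("state") != "online":
            problems.append(f"replica {ip} is in state {entry.get('state')!r}")
    if info.get("connected_slaves") != str(len(expected_replicas)):
        problems.append(
            f"connected_slaves is {info.get('connected_slaves')}, expected {len(expected_replicas)}"
        )
    return problems


def check_replica(text: str, expected_primary: str, expected_port: int = 6379) -> List[str]:
    """Return problems with a replica's link to the planned primary (empty list = healthy)."""
    info = parse_info(text)
    problems: List[str] = []
    if info.get("role") != "slave":
        problems.append(f"expected role slave, got {info.get('role')!r}")
    if info.get("master_host") != expected_primary or info.get("master_port") != str(expected_port):
        # Replicating from the wrong host is the classic post-failover split-brain symptom.
        problems.append(
            f"replicating from {info.get('master_host')}:{info.get('master_port')}, "
            f"expected {expected_primary}:{expected_port}"
        )
    if info.get("master_link_status") != "up":
        problems.append("link to the primary is down")
    if info.get("master_sync_in_progress") != "0":
        problems.append("initial sync still in progress")
    return problems


if __name__ == "__main__":
    for name, result in (
        ("primary 10.6.0.61", check_primary(PRIMARY_INFO, {"10.6.0.62", "10.6.0.63"})),
        ("replica", check_replica(REPLICA_INFO, "10.6.0.61")),
    ):
        print(name, "OK" if not result else "; ".join(result))
```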

#### Configuring the replica Redis instances

1.  SSH into the **replica** Redis server.
2.  [Download/install](https://about.gitlab.com/install/) the Omnibus GitLab package you want using **steps 1 and 2** from the GitLab downloads page.
    *   Make sure you select the correct Omnibus package, with the same version and type (Community, Enterprise editions) as your current install.
    *   Do not complete any other steps on the download page.
3.  Edit `/etc/gitlab/gitlab.rb` and add the contents:

    ```
    # Specify server role as 'redis_replica_role'
    roles ['redis_replica_role']

    # IP address pointing to a local IP that the other machines can reach to.
    # You can also set bind to '0.0.0.0' which listen in all interfaces.
    # If you really need to bind to an external accessible IP, make
    # sure you add extra firewall rules to prevent unauthorized access.
    redis['bind'] = '10.6.0.62'

    # Define a port so Redis can listen for TCP requests which will allow other
    # machines to connect to it.
    redis['port'] = 6379

    # The same password for Redis authentication you set up for the primary node.
    redis['password'] = 'redis-password-goes-here'

    # The IP of the primary Redis node.
    redis['master_ip'] = '10.6.0.61'

    # Port of primary Redis server, uncomment to change to non default. Defaults
    # to `6379`.
    #redis['master_port'] = 6379

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    }

    # Set the network addresses that the exporters will listen on
    node_exporter['listen_address'] = '0.0.0.0:9100'
    redis_exporter['listen_address'] = '0.0.0.0:9121'
    redis_exporter['flags'] = {
         'redis.addr' => 'redis://10.6.0.62:6379',
         'redis.password' => 'redis-password-goes-here',
    }

    # Disable auto migrations
    gitlab_rails['auto_migrate'] = false 
    ```

4.  [Reconfigure Omnibus GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure) for the changes to take effect.
5.  Go through the steps again for all the other replica nodes, and make sure to set up the IPs correctly.

**Note:** You can specify multiple roles, like Sentinel and Redis, as: `roles ['redis_sentinel_role', 'redis_master_role']`. Read more about [roles](https://docs.gitlab.com/omnibus/roles/).

These values don't have to be changed again in `/etc/gitlab/gitlab.rb` after a failover, as the nodes will be managed by the [Sentinels](#configure-consul-and-sentinel), and even after a `gitlab-ctl reconfigure`, they will get their configuration restored by the same Sentinels.

Advanced [configuration options](https://docs.gitlab.com/omnibus/settings/redis.html) are supported and can be added if needed.

[Back to setup components](#setup-components)

## Configure Consul and Sentinel

**Note:** If you are using an external Redis Sentinel instance, be sure to exclude the `requirepass` parameter from the Sentinel configuration. This parameter will cause clients to report `NOAUTH Authentication required.`. [Redis Sentinel 3.2.x does not support password authentication](https://github.com/antirez/redis/issues/3279).

Now that the Redis servers are all set up, let's configure the Sentinel servers. The following IPs will be used as an example:

*   `10.6.0.11`: Consul/Sentinel 1
*   `10.6.0.12`: Consul/Sentinel 2
*   `10.6.0.13`: Consul/Sentinel 3

To configure the Sentinel:

1.  SSH into the server that will host Consul/Sentinel.
2.  [Download/install](https://about.gitlab.com/install/) the Omnibus GitLab Enterprise Edition package using **steps 1 and 2** from the GitLab downloads page.
    *   Make sure you select the correct Omnibus package, with the same version the GitLab application is running.
    *   Do not complete any other steps on the download page.
3.  Edit `/etc/gitlab/gitlab.rb` and add the contents:

    ```
    roles ['redis_sentinel_role', 'consul_role']

    # Must be the same in every sentinel node
    redis['master_name'] = 'gitlab-redis'

    # The same password for Redis authentication you set up for the primary node.
    redis['master_password'] = 'redis-password-goes-here'

    # The IP of the primary Redis node.
    redis['master_ip'] = '10.6.0.61'

    # Define a port so Redis can listen for TCP requests which will allow other
    # machines to connect to it.
    redis['port'] = 6379

    # Port of primary Redis server, uncomment to change to non default. Defaults
    # to `6379`.
    #redis['master_port'] = 6379

    ## Configure Sentinel
    sentinel['bind'] = '10.6.0.11'

    # Port that Sentinel listens on, uncomment to change to non default. Defaults
    # to `26379`.
    # sentinel['port'] = 26379

    ## Quorum must reflect the amount of voting sentinels it takes to start a failover.
    ## Value must NOT be greater than the amount of sentinels.
    ##
    ## The quorum can be used to tune Sentinel in two ways:
    ## 1. If the quorum is set to a value smaller than the majority of Sentinels
    ##    we deploy, we are basically making Sentinel more sensitive to primary failures,
    ##    triggering a failover as soon as even just a minority of Sentinels is no longer
    ##    able to talk with the primary.
    ## 2. If a quorum is set to a value greater than the majority of Sentinels, we are
    ##    making Sentinel able to failover only when there are a very large number (larger
    ##    than majority) of well connected Sentinels which agree about the primary being down.
    sentinel['quorum'] = 2

    ## Consider unresponsive server down after x amount of ms.
    # sentinel['down_after_milliseconds'] = 10000

    ## Specifies the failover timeout in milliseconds. It is used in many ways:
    ##
    ## - The time needed to re-start a failover after a previous failover was
    ##   already tried against the same primary by a given Sentinel, is two
    ##   times the failover timeout.
    ##
    ## - The time needed for a replica replicating to a wrong primary according
    ##   to a Sentinel current configuration, to be forced to replicate
    ##   with the right primary, is exactly the failover timeout (counting since
    ##   the moment a Sentinel detected the misconfiguration).
    ##
    ## - The time needed to cancel a failover that is already in progress but
    ##   did not produce any configuration change (REPLICAOF NO ONE yet not
    ##   acknowledged by the promoted replica).
    ##
    ## - The maximum time a failover in progress waits for all the replicas to be
    ##   reconfigured as replicas of the new primary. However even after this time
    ##   the replicas will be reconfigured by the Sentinels anyway, but not with
    ##   the exact parallel-syncs progression as specified.
    # sentinel['failover_timeout'] = 60000

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       server: true,
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    }

    # Set the network addresses that the exporters will listen on
    node_exporter['listen_address'] = '0.0.0.0:9100'
    redis_exporter['listen_address'] = '0.0.0.0:9121'

    # Disable auto migrations
    gitlab_rails['auto_migrate'] = false 
    ```

4.  [Reconfigure Omnibus GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure) for the changes to take effect.
5.  Go through the steps again for all the other Consul/Sentinel nodes, and make sure you set up the correct IPs.

**Note:** A Consul leader will be elected when the configuration of the third Consul server is completed. Viewing the Consul logs with `sudo gitlab-ctl tail consul` will show `...[INFO] consul: New leader elected: ...`

You can list the current Consul members (server, client):

```
sudo /opt/gitlab/embedded/bin/consul members 
```

You can verify the GitLab services are running:

```
sudo gitlab-ctl status 
```

The output should be similar to the following:

```
run: consul: (pid 30074) 76834s; run: log: (pid 29740) 76844s
run: logrotate: (pid 30925) 3041s; run: log: (pid 29649) 76861s
run: node-exporter: (pid 30093) 76833s; run: log: (pid 29663) 76855s
run: sentinel: (pid 30098) 76832s; run: log: (pid 29704) 76850s 
```

[Back to setup components](#setup-components)

## Configure PostgreSQL

In this section, you'll be guided through configuring an external PostgreSQL database to be used with GitLab.

### Provide your own PostgreSQL instance

If you're hosting GitLab on a cloud provider, you can optionally use a managed service for PostgreSQL. For example, AWS offers a managed Relational Database Service (RDS) that runs PostgreSQL.

If you use a cloud-managed service, or provide your own PostgreSQL:

1.  Set up PostgreSQL according to the [database requirements document](../../install/requirements.html#database).
2.  Set up a `gitlab` username with a password of your choice. The `gitlab` user needs privileges to create the `gitlabhq_production` database.
3.  Configure the GitLab application servers with the appropriate details. This step is covered in [Configuring the GitLab Rails application](#configure-gitlab-rails).

### Standalone PostgreSQL using Omnibus GitLab

The following IPs will be used as an example:

*   `10.6.0.31`: PostgreSQL primary
*   `10.6.0.32`: PostgreSQL secondary 1
*   `10.6.0.33`: PostgreSQL secondary 2

First, make sure to [install](https://about.gitlab.com/install/) the Linux GitLab package **on each node**. Following the steps, install the necessary dependencies from step 1, and add the GitLab package repository from step 2. When installing GitLab in the second step, do not supply the `EXTERNAL_URL` value.

#### PostgreSQL primary node

1.  SSH into the PostgreSQL primary node.
2.  Generate a password hash for the PostgreSQL username/password pair. This assumes you will use the default username of `gitlab` (recommended). The command will request a password and confirmation. Use the value that is output by this command in the next step as the value of `<postgresql_password_hash>`:

    ```
    sudo gitlab-ctl pg-password-md5 gitlab 
    ```

3.  Generate a password hash for the PgBouncer username/password pair. This assumes you will use the default username of `pgbouncer` (recommended). The command will request a password and confirmation. Use the value that is output by this command in the next step as the value of `<pgbouncer_password_hash>`:

    ```
    sudo gitlab-ctl pg-password-md5 pgbouncer 
    ```

4.  Generate a password hash for the Consul database username/password pair. This assumes you will use the default username of `gitlab-consul` (recommended). The command will request a password and confirmation. Use the value that is output by this command in the next step as the value of `<consul_password_hash>`:

    ```
    sudo gitlab-ctl pg-password-md5 gitlab-consul 
    ```

5.  On the primary database node, edit `/etc/gitlab/gitlab.rb` replacing the values noted in the `# START user configuration` section:

    ```
    # Disable all components except PostgreSQL and Repmgr and Consul
    roles ['postgres_role']

    # PostgreSQL configuration
    postgresql['listen_address'] = '0.0.0.0'
    postgresql['hot_standby'] = 'on'
    postgresql['wal_level'] = 'replica'
    postgresql['shared_preload_libraries'] = 'repmgr_funcs'

    # Disable automatic database migrations
    gitlab_rails['auto_migrate'] = false

    # Configure the Consul agent
    consul['services'] = %w(postgresql)

    # START user configuration
    # Please set the real values as explained in Required Information section
    #
    # Replace PGBOUNCER_PASSWORD_HASH with a generated md5 value
    postgresql['pgbouncer_user_password'] = '<pgbouncer_password_hash>'
    # Replace POSTGRESQL_PASSWORD_HASH with a generated md5 value
    postgresql['sql_user_password'] = '<postgresql_password_hash>'
    # Set `max_wal_senders` to one more than the number of database nodes in the cluster.
    # This is used to prevent replication from using up all of the
    # available database connections.
    postgresql['max_wal_senders'] = 4
    postgresql['max_replication_slots'] = 4

    # Replace XXX.XXX.XXX.XXX/YY with Network Address
    postgresql['trust_auth_cidr_addresses'] = %w(127.0.0.1/32 10.6.0.0/24)
    repmgr['trust_auth_cidr_addresses'] = %w(127.0.0.1/32 10.6.0.0/24)

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    # Set the network addresses that the exporters will listen on for monitoring
    node_exporter['listen_address'] = '0.0.0.0:9100'
    postgres_exporter['listen_address'] = '0.0.0.0:9187'
    postgres_exporter['dbname'] = 'gitlabhq_production'
    postgres_exporter['password'] = '<postgresql_password_hash>'

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    }
    #
    # END user configuration 
    ```

6.  [Reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure) for the changes to take effect.
7.  You can list the current PostgreSQL primary and secondary node status via:

    ```
    sudo /opt/gitlab/bin/gitlab-ctl repmgr cluster show 
    ```

8.  Verify the GitLab services are running:

    ```
    sudo gitlab-ctl status 
    ```

    The output should be similar to the following:

    ```
    run: consul: (pid 30593) 77133s; run: log: (pid 29912) 77156s
    run: logrotate: (pid 23449) 3341s; run: log: (pid 29794) 77175s
    run: node-exporter: (pid 30613) 77133s; run: log: (pid 29824) 77170s
    run: postgres-exporter: (pid 30620) 77132s; run: log: (pid 29894) 77163s
    run: postgresql: (pid 30630) 77132s; run: log: (pid 29618) 77181s
    run: repmgrd: (pid 30639) 77132s; run: log: (pid 29985) 77150s 
    ```

[Back to setup components](#setup-components)

#### PostgreSQL secondary nodes

1.  On both secondary nodes, add the same configuration specified above for the primary node, with one additional setting that tells `gitlab-ctl` they are standby nodes initially, so it need not attempt to register them as a primary node:

    ```
    # Disable all components except PostgreSQL and Repmgr and Consul
    roles ['postgres_role']

    # PostgreSQL configuration
    postgresql['listen_address'] = '0.0.0.0'
    postgresql['hot_standby'] = 'on'
    postgresql['wal_level'] = 'replica'
    postgresql['shared_preload_libraries'] = 'repmgr_funcs'

    # Disable automatic database migrations
    gitlab_rails['auto_migrate'] = false

    # Configure the Consul agent
    consul['services'] = %w(postgresql)

    # Specify if a node should attempt to be primary on initialization.
    repmgr['master_on_initialization'] = false

    # START user configuration
    # Please set the real values as explained in Required Information section
    #
    # Replace PGBOUNCER_PASSWORD_HASH with a generated md5 value
    postgresql['pgbouncer_user_password'] = '<pgbouncer_password_hash>'
    # Replace POSTGRESQL_PASSWORD_HASH with a generated md5 value
    postgresql['sql_user_password'] = '<postgresql_password_hash>'
    # Set `max_wal_senders` to one more than the number of database nodes in the cluster.
    # This is used to prevent replication from using up all of the
    # available database connections.
    postgresql['max_wal_senders'] = 4
    postgresql['max_replication_slots'] = 4

    # Replace XXX.XXX.XXX.XXX/YY with Network Address
    postgresql['trust_auth_cidr_addresses'] = %w(127.0.0.1/32 10.6.0.0/24)
    repmgr['trust_auth_cidr_addresses'] = %w(127.0.0.1/32 10.6.0.0/24)

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    # Set the network addresses that the exporters will listen on for monitoring
    node_exporter['listen_address'] = '0.0.0.0:9100'
    postgres_exporter['listen_address'] = '0.0.0.0:9187'
    postgres_exporter['dbname'] = 'gitlabhq_production'
    postgres_exporter['password'] = '<postgresql_password_hash>'

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    }
    # END user configuration 
    ```

2.  [Reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure) for the changes to take effect.

Advanced [configuration options](https://docs.gitlab.com/omnibus/settings/database.html) are supported and can be added if needed.

[Back to setup components](#setup-components)

#### PostgreSQL post-configuration[](#postgresql-post-configuration "Permalink")

SSH in to the **primary node**:

1.  Open a database prompt:

    ```
    gitlab-psql -d gitlabhq_production 
    ```

2.  Enable the `pg_trgm` extension:

    ```
    CREATE EXTENSION pg_trgm; 
    ```

3.  Type `\q` and press Enter to exit the database prompt.

4.  Verify that the cluster is initialized with one node:

    ```
    gitlab-ctl repmgr cluster show 
    ```

    The output should be similar to the following:

    ```
    Role      | Name     | Upstream | Connection String
    ----------+----------|----------|----------------------------------------
    * master  | HOSTNAME |          | host=HOSTNAME user=gitlab_repmgr dbname=gitlab_repmgr 
    ```

5.  Note down the hostname or IP address in the connection string: `host=HOSTNAME`. In the next section we will refer to this hostname as `<primary_node_name>`. If the value is not an IP address, it must be a resolvable name (via DNS or `/etc/hosts`).

SSH in to the **secondary node**:

1.  Set up the repmgr standby:

    ```
    gitlab-ctl repmgr standby setup <primary_node_name> 
    ```

    Do note that this will remove the existing data on the node. The command has a wait time.

    The output should be similar to the following:

    ```
    Doing this will delete the entire contents of /var/opt/gitlab/postgresql/data
    If this is not what you want, hit Ctrl-C now to exit
    To skip waiting, rerun with the -w option
    Sleeping for 30 seconds
    Stopping the database
    Removing the data
    Cloning the data
    Starting the database
    Registering the node with the cluster
    ok: run: repmgrd: (pid 19068) 0s 
    ```

Before proceeding, make sure the databases are configured correctly. Run the following command on the **primary** node to verify that replication is working properly and that the secondary nodes appear in the cluster:

```
gitlab-ctl repmgr cluster show 
```

The output should be similar to the following:

```
Role      | Name    | Upstream  | Connection String
----------+---------|-----------|------------------------------------------------
* master  | MASTER  |           | host=<primary_node_name> user=gitlab_repmgr dbname=gitlab_repmgr
  standby | STANDBY | MASTER    | host=<secondary_node_name> user=gitlab_repmgr dbname=gitlab_repmgr
  standby | STANDBY | MASTER    | host=<secondary_node_name> user=gitlab_repmgr dbname=gitlab_repmgr 
```

If the "Role" column for any node says "FAILED", check the [Troubleshooting section](troubleshooting.html) before proceeding.

Also, check that the `repmgr-check-master` command works successfully on each node:

```
su - gitlab-consul
gitlab-ctl repmgr-check-master || echo 'This node is a standby repmgr node' 
```

This command relies on exit codes to tell Consul whether a particular node is a master or a secondary. The most important thing here is that the command does not produce errors. If there are errors, it is most likely due to incorrect permissions for the `gitlab-consul` database user. Check the [Troubleshooting section](troubleshooting.html) before proceeding.

[Back to setup components](#setup-components)

## Configure PgBouncer[](#configure-pgbouncer "Permalink")

Now that the PostgreSQL servers are all set up, let's configure PgBouncer. The following IPs will be used as an example:

*   `10.6.0.21` :PgBouncer 1
*   `10.6.0.22` :PgBouncer 2
*   `10.6.0.23` :PgBouncer 3

1.  On each PgBouncer node, edit `/etc/gitlab/gitlab.rb` and replace `<consul_password_hash>` and `<pgbouncer_password_hash>` with the password hashes you [set up previously](#postgresql-primary-node):

    ```
    # Disable all components except Pgbouncer and Consul agent
    roles ['pgbouncer_role']

    # Configure PgBouncer
    pgbouncer['admin_users'] = %w(pgbouncer gitlab-consul)

    pgbouncer['users'] = {
      'gitlab-consul': {
        password: '<consul_password_hash>'
      },
      'pgbouncer': {
        password: '<pgbouncer_password_hash>'
      }
    }

    # Configure Consul agent
    consul['watchers'] = %w(postgresql)
    consul['enable'] = true
    consul['configuration'] = {
      retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
    }

    # Enable service discovery for Prometheus
    consul['monitoring_service_discovery'] = true

    # Set the network addresses that the exporters will listen on
    node_exporter['listen_address'] = '0.0.0.0:9100'
    pgbouncer_exporter['listen_address'] = '0.0.0.0:9188' 
    ```

2.  [Reconfigure Omnibus GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure) for the changes to take effect.

3.  Create a `.pgpass` file so Consul is able to reload PgBouncer. Enter the PgBouncer password twice when asked:

    ```
    gitlab-ctl write-pgpass --host 127.0.0.1 --database pgbouncer --user pgbouncer --hostuser gitlab-consul 
    ```

4.  Ensure each node is talking to the current master:

    ```
    gitlab-ctl pgb-console # You will be prompted for PGBOUNCER_PASSWORD 
    ```

    If there is an error `psql: ERROR: Auth failed` after typing in the password, make sure you previously generated the MD5 password hashes in the correct format. The correct format is the password concatenated with the username: `PASSWORDUSERNAME`. For example, `Sup3rS3cr3tpgbouncer` would be the text needed to generate an MD5 password hash for the `pgbouncer` user.

5.  Once the console prompt is available, run the following queries:

    ```
    show databases ; show clients ; 
    ```

    The output should be similar to the following:

    ```
     name         |  host       | port |      database       | force_user | pool_size | reserve_pool | pool_mode | max_connections | current_connections
    ---------------------+-------------+------+---------------------+------------+-----------+--------------+-----------+-----------------+---------------------
     gitlabhq_production | MASTER_HOST | 5432 | gitlabhq_production |            |        20 |            0 |           |               0 |                   0
     pgbouncer           |             | 6432 | pgbouncer           | pgbouncer  |         2 |            0 | statement |               0 |                   0
    (2 rows)

     type |   user    |      database       |  state  |   addr         | port  | local_addr | local_port |    connect_time     |    request_time     |    ptr    | link | remote_pid | tls
    ------+-----------+---------------------+---------+----------------+-------+------------+------------+---------------------+---------------------+-----------+------+------------+-----
     C    | pgbouncer | pgbouncer           | active  | 127.0.0.1      | 56846 | 127.0.0.1  |       6432 | 2017-08-21 18:09:59 | 2017-08-21 18:10:48 | 0x22b3880 |      |          0 |
    (2 rows) 
    ```

6.  Verify that the GitLab services are running:

    ```
    sudo gitlab-ctl status 
    ```

    The output should be similar to the following:

    ```
    run: consul: (pid 31530) 77150s; run: log: (pid 31106) 77182s
    run: logrotate: (pid 32613) 3357s; run: log: (pid 30107) 77500s
    run: node-exporter: (pid 31550) 77149s; run: log: (pid 30138) 77493s
    run: pgbouncer: (pid 32033) 75593s; run: log: (pid 31117) 77175s
    run: pgbouncer-exporter: (pid 31558) 77148s; run: log: (pid 31498) 77156s 
    ```
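The `PASSWORDUSERNAME` rule from step 4 is easy to get wrong (reversed order, or a hash generated for the other user), and the only symptom is `psql: ERROR: Auth failed`. As an added example, not GitLab's own code, the Go program below builds the hash in that format (`md5` prefix plus the hex MD5 of password followed by username, the same digest `md5sum` would print for `Sup3rS3cr3tpgbouncer`) and checks a stored hash against a password and user so a bad hash can be ruled out before other causes are chased. The password `Sup3rS3cr3t` is the sample value from the note above; the user names are the page's own.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// PostgresMD5 returns the value expected in settings such as
// postgresql['pgbouncer_user_password']: the literal prefix "md5" followed by
// the hex MD5 digest of the password concatenated with the username, in that
// order (PASSWORDUSERNAME). Only the username acts as a salt, so the same
// password for the same user always yields the same string.
func PostgresMD5(password, username string) string {
	sum := md5.Sum([]byte(password + username))
	return "md5" + hex.EncodeToString(sum[:])
}

// CheckPostgresMD5 reports whether a stored hash (for example the value pasted
// into gitlab.rb) was generated for this password/username pair. The comparison
// is constant-time so the check itself leaks nothing about the stored value.
func CheckPostgresMD5(stored, password, username string) bool {
	want := PostgresMD5(password, username)
	return subtle.ConstantTimeCompare([]byte(stored), []byte(want)) == 1
}

func main() {
	// Sample password from the note above; the page's own placeholders for the
	// results are <pgbouncer_password_hash> and <consul_password_hash>.
	const password = "Sup3rS3cr3t"
	for _, user := range []string{"pgbouncer", "gitlab-consul"} {
		fmt.Printf("%-14s %s\n", user, PostgresMD5(password, user))
	}

	// The two classic mistakes: USERNAMEPASSWORD instead of PASSWORDUSERNAME,
	// and reusing the pgbouncer hash for the gitlab-consul user. Both produce a
	// string that looks valid but fails authentication.
	stored := PostgresMD5(password, "pgbouncer")
	fmt.Println("correct order matches:  ", CheckPostgresMD5(stored, password, "pgbouncer"))
	fmt.Println("reversed order matches: ", CheckPostgresMD5(stored, "pgbouncer", password))
	fmt.Println("other user matches:     ", CheckPostgresMD5(stored, password, "gitlab-consul"))
}
```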

[Back to setup components](#setup-components)

### Configure the internal load balancer[](#configure-the-internal-load-balancer "Permalink")

If you're running more than one PgBouncer node as recommended, then at this point you'll need to set up a TCP internal load balancer to serve each of them correctly.

The following IP will be used as an example:

*   `10.6.0.20`: internal load balancer

One approach, using [HAProxy](https://www.haproxy.org/), would be:

```
global
    log /dev/log local0
    log localhost local1 notice
    log stdout format raw local0

defaults
    log global
    default-server inter 10s fall 3 rise 2
    balance leastconn

frontend internal-pgbouncer-tcp-in
    bind *:6432
    mode tcp
    option tcplog

    default_backend pgbouncer

backend pgbouncer
    mode tcp
    option tcp-check

    server pgbouncer1 10.6.0.21:6432 check
    server pgbouncer2 10.6.0.22:6432 check
    server pgbouncer3 10.6.0.23:6432 check 
```

Refer to your preferred load balancer's documentation for further guidance.

[Back to setup components](#setup-components)

## Configure Gitaly[](#configure-gitaly "Permalink")

Deploying Gitaly on its own server can benefit GitLab installations that are larger than a single machine.

Gitaly node requirements depend on customer data, specifically the number of projects and their repository sizes. Two nodes are recommended as an absolute minimum. Each Gitaly node should store no more than 5TB of data and have the number of [`gitaly-ruby` workers](../gitaly/index.html#gitaly-ruby) set to 20% of the available CPUs. Additional nodes should be considered in conjunction with a review of the expected data size and spread, based on the recommendations above.

It is also strongly recommended that all Gitaly nodes be set up with SSD disks with a throughput of at least 8,000 IOPS for read operations and 2,000 IOPS for write operations, as Gitaly is I/O heavy. These IOPS values are recommended only as a starting point, as with time they may be adjusted higher or lower depending on the scale of your environment's workload. If you're running the environment on a cloud provider, you may need to refer to their documentation on how to configure IOPS correctly.

Some things to note:

*   The GitLab Rails application shards repositories into [repository storages](../repository_storage_paths.html).
*   A Gitaly server can host one or more storages.
*   A GitLab server can use one or more Gitaly servers.
*   Gitaly addresses must be specified in such a way that they resolve correctly for all Gitaly clients.
*   Gitaly servers must not be exposed to the public internet, as Gitaly's network traffic is unencrypted by default. The use of a firewall is highly recommended to restrict access to the Gitaly server. Another option is to [use TLS](#gitaly-tls-support).

**Tip:** For more information about Gitaly's history and network architecture, see the [standalone Gitaly documentation](../gitaly/index.html).

**Note:** The token referred to throughout the Gitaly documentation is just an arbitrary password selected by the administrator. It is unrelated to tokens created for the GitLab API or other similar web API tokens.

Below we describe how to configure two Gitaly servers, with the following IPs and domain names:

*   `10.6.0.51`: Gitaly 1 (`gitaly1.internal`)
*   `10.6.0.52`: Gitaly 2 (`gitaly2.internal`)

The secret token is assumed to be `gitalysecret`, and your GitLab installation is assumed to have three repository storages:

*   `default` on Gitaly 1
*   `storage1` on Gitaly 1
*   `storage2` on Gitaly 2

On each node:

1.  [Download/install](https://about.gitlab.com/install/) the Omnibus GitLab package you want using **steps 1 and 2** from the GitLab downloads page, but **without** providing the `EXTERNAL_URL` value.
2.  Edit `/etc/gitlab/gitlab.rb` to configure the storage paths, enable the network listener and configure the token:

    ```
    # /etc/gitlab/gitlab.rb

    # Gitaly and GitLab use two shared secrets for authentication, one to authenticate gRPC requests
    # to Gitaly, and a second for authentication callbacks from GitLab-Shell to the GitLab internal API.
    # The following two values must be the same as their respective values
    # of the GitLab Rails application setup
    gitaly['auth_token'] = 'gitalysecret'
    gitlab_shell['secret_token'] = 'shellsecret'

    # Avoid running unnecessary services on the Gitaly server
    postgresql['enable'] = false
    redis['enable'] = false
    nginx['enable'] = false
    puma['enable'] = false
    unicorn['enable'] = false
    sidekiq['enable'] = false
    gitlab_workhorse['enable'] = false
    grafana['enable'] = false
    gitlab_exporter['enable'] = false

    # If you run a separate monitoring node you can disable these services
    alertmanager['enable'] = false
    prometheus['enable'] = false

    # Prevent database connections during 'gitlab-ctl reconfigure'
    gitlab_rails['rake_cache_clear'] = false
    gitlab_rails['auto_migrate'] = false

    # Configure the gitlab-shell API callback URL. Without this, `git push` will
    # fail. This can be your 'front door' GitLab URL or an internal load
    # balancer.
    # Don't forget to copy `/etc/gitlab/gitlab-secrets.json` from web server to Gitaly server.
    gitlab_rails['internal_api_url'] = 'https://gitlab.example.com'

    # Make Gitaly accept connections on all network interfaces. You must use
    # firewalls to restrict access to this address/port.
    # Comment out following line if you only want to support TLS connections
    gitaly['listen_addr'] = "0.0.0.0:8075"

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    # Set the network addresses that the exporters will listen on for monitoring
    gitaly['prometheus_listen_addr'] = "0.0.0.0:9236"
    node_exporter['listen_address'] = '0.0.0.0:9100'
    gitlab_rails['prometheus_address'] = '10.6.0.81:9090'

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    } 
    ```

3.  For each respective server, append the following to `/etc/gitlab/gitlab.rb`:

    1.  On `gitaly1.internal`:

        ```
        git_data_dirs({
          'default' => { 'path' => '/var/opt/gitlab/git-data' },
          'storage1' => { 'path' => '/mnt/gitlab/git-data' },
        })
        ```

    2.  On `gitaly2.internal`:

        ```
        git_data_dirs({
          'storage2' => { 'path' => '/mnt/gitlab/git-data' },
        })
        ```

4.  Save the file and [reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure).
5.  Confirm that Gitaly can perform callbacks to the internal API:

    ```
    sudo /opt/gitlab/embedded/service/gitlab-shell/bin/check -config /opt/gitlab/embedded/service/gitlab-shell/config.yml 
    ```

6.  Verify that the GitLab services are running:

    ```
    sudo gitlab-ctl status 
    ```

    The output should be similar to the following:

    ```
    run: consul: (pid 30339) 77006s; run: log: (pid 29878) 77020s
    run: gitaly: (pid 30351) 77005s; run: log: (pid 29660) 77040s
    run: logrotate: (pid 7760) 3213s; run: log: (pid 29782) 77032s
    run: node-exporter: (pid 30378) 77004s; run: log: (pid 29812) 77026s 
    ```

### Gitaly TLS support[](#gitaly-tls-support "Permalink")

Gitaly supports TLS encryption. To be able to communicate with a Gitaly instance that listens for secure connections, you will need to use the `tls://` URL scheme in the `gitaly_address` of the corresponding storage entry in the GitLab configuration.

You will need to bring your own certificates, as this isn't provided automatically. The certificate, or its certificate authority, must be installed on all Gitaly nodes (including the Gitaly node using the certificate) and on all client nodes that communicate with it, following the procedure described in [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html).

**Note:** The self-signed certificate must specify the address you use to access the Gitaly server. If you are addressing the Gitaly server by a hostname, you can either use the Common Name field for this or add it as a Subject Alternative Name. If you are addressing the Gitaly server by its IP address, you must add it as a Subject Alternative Name to the certificate. [gRPC does not support using an IP address as the Common Name in a certificate](https://github.com/grpc/grpc/issues/2691).

**Note:** It is possible to configure Gitaly servers with both an unencrypted listening address `listen_addr` and an encrypted listening address `tls_listen_addr` at the same time. This allows you to do a gradual transition from unencrypted to encrypted traffic, if necessary.
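To see the Subject Alternative Name rule from the note above before anything is copied into `/etc/gitlab/ssl`, here is an added Go example (not GitLab's or Gitaly's own code): it issues a throwaway self-signed certificate and checks it with Go's `crypto/x509` hostname verifier against the addresses a `tls://` `gitaly_address` would carry. The key type and validity period are assumptions; the addresses are the page's example layout. Go's verifier ignores the Common Name altogether, so it is stricter than the gRPC behaviour the note describes for hostnames; a certificate whose SANs list every address satisfies both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSigned issues a throwaway self-signed server certificate with the given
// Common Name and Subject Alternative Names. P-256 and a one-year validity are
// assumptions for this example; the page does not prescribe them.
func SelfSigned(commonName string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames, // hostname SANs
		IPAddresses:           ips,      // IP SANs (the only place an IP counts)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AcceptsAddress reports whether a client verifying with crypto/x509 would
// accept cert for addr. An IP literal is matched against IP SANs only; a
// hostname is matched against DNS SANs; the Common Name is never consulted.
func AcceptsAddress(cert *x509.Certificate, addr string) bool {
	return cert.VerifyHostname(addr) == nil
}

// MissingAddresses returns every address in addrs that cert does not cover, so
// an operator can catch a badly issued certificate before editing gitlab.rb.
func MissingAddresses(cert *x509.Certificate, addrs ...string) []string {
	var missing []string
	for _, a := range addrs {
		if !AcceptsAddress(cert, a) {
			missing = append(missing, a)
		}
	}
	return missing
}

func main() {
	// Addresses from the page's example: Gitaly 1 is gitaly1.internal / 10.6.0.51.
	clients := []string{"gitaly1.internal", "10.6.0.51"}

	withSAN, err := SelfSigned("gitaly1.internal",
		[]string{"gitaly1.internal"}, []net.IP{net.ParseIP("10.6.0.51")})
	if err != nil {
		panic(err)
	}
	// The mistake the note warns about: the IP only in the Common Name.
	ipInCN, err := SelfSigned("10.6.0.51", nil, nil)
	if err != nil {
		panic(err)
	}

	fmt.Println("SAN cert, uncovered addresses:    ", MissingAddresses(withSAN, clients...))
	fmt.Println("IP-in-CN cert, uncovered addresses:", MissingAddresses(ipInCN, clients...))
}
```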

To configure Gitaly with TLS:

1.  Create the `/etc/gitlab/ssl` directory and copy your key and certificate there:

    ```
    sudo mkdir -p /etc/gitlab/ssl
    sudo chmod 755 /etc/gitlab/ssl
    sudo cp key.pem cert.pem /etc/gitlab/ssl/
    sudo chmod 644 key.pem cert.pem 
    ```

2.  Copy the certificate to `/etc/gitlab/trusted-certs` so Gitaly will trust it when calling into itself:

    ```
    sudo cp /etc/gitlab/ssl/cert.pem /etc/gitlab/trusted-certs/ 
    ```

3.  Edit `/etc/gitlab/gitlab.rb` and add:

    ```
    gitaly['tls_listen_addr'] = "0.0.0.0:9999"
    gitaly['certificate_path'] = "/etc/gitlab/ssl/cert.pem"
    gitaly['key_path'] = "/etc/gitlab/ssl/key.pem" 
    ```

4.  Delete `gitaly['listen_addr']` to allow only encrypted connections.
5.  Save the file and [reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure).

[Back to setup components](#setup-components)

## Configure Sidekiq[](#configure-sidekiq "Permalink")

Sidekiq requires a connection to the Redis, PostgreSQL and Gitaly instances. The following IPs will be used as an example:

*   `10.6.0.71`: Sidekiq 1
*   `10.6.0.72`: Sidekiq 2
*   `10.6.0.73`: Sidekiq 3
*   `10.6.0.74`: Sidekiq 4

To configure the Sidekiq nodes, on each one:

1.  SSH in to the Sidekiq server.
2.  [Download/install](https://about.gitlab.com/install/) the Omnibus GitLab package you want using steps 1 and 2 from the GitLab downloads page. **Do not complete any other steps on the download page.**
3.  Open `/etc/gitlab/gitlab.rb` with your editor:

    ```
    ########################################
    #####        Services Disabled       ###
    ########################################

    nginx['enable'] = false
    grafana['enable'] = false
    prometheus['enable'] = false
    gitlab_rails['auto_migrate'] = false
    alertmanager['enable'] = false
    gitaly['enable'] = false
    gitlab_workhorse['enable'] = false
    nginx['enable'] = false
    puma['enable'] = false
    postgres_exporter['enable'] = false
    postgresql['enable'] = false
    redis['enable'] = false
    redis_exporter['enable'] = false
    gitlab_exporter['enable'] = false

    ########################################
    ####              Redis              ###
    ########################################

    ## Must be the same in every sentinel node
    redis['master_name'] = 'gitlab-redis'

    ## The same password for Redis authentication you set up for the master node.
    redis['master_password'] = '<redis_primary_password>'

    ## A list of sentinels with `host` and `port`
    gitlab_rails['redis_sentinels'] = [
       {'host' => '10.6.0.11', 'port' => 26379},
       {'host' => '10.6.0.12', 'port' => 26379},
       {'host' => '10.6.0.13', 'port' => 26379},
    ]

    #######################################
    ###              Gitaly             ###
    #######################################

    git_data_dirs({
      'default' => { 'gitaly_address' => 'tcp://gitaly1.internal:8075' },
      'storage1' => { 'gitaly_address' => 'tcp://gitaly1.internal:8075' },
      'storage2' => { 'gitaly_address' => 'tcp://gitaly2.internal:8075' },
    })
    gitlab_rails['gitaly_token'] = 'YOUR_TOKEN'

    #######################################
    ###            Postgres             ###
    #######################################
    gitlab_rails['db_host'] = '10.6.0.20' # internal load balancer IP
    gitlab_rails['db_port'] = 6432
    gitlab_rails['db_password'] = '<postgresql_user_password>'
    gitlab_rails['db_adapter'] = 'postgresql'
    gitlab_rails['db_encoding'] = 'unicode'
    gitlab_rails['auto_migrate'] = false

    #######################################
    ###      Sidekiq configuration      ###
    #######################################
    sidekiq['listen_address'] = "0.0.0.0"

    #######################################
    ###     Monitoring configuration    ###
    #######################################
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
    }

    # Set the network addresses that the exporters will listen on
    node_exporter['listen_address'] = '0.0.0.0:9100'

    # Rails Status for prometheus
    gitlab_rails['monitoring_whitelist'] = ['10.6.0.81/32', '127.0.0.0/8']
    gitlab_rails['prometheus_address'] = '10.6.0.81:9090' 
    ```

4.  Save the file and [reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure).
5.  Verify that the GitLab services are running:

    ```
    sudo gitlab-ctl status 
    ```

    The output should be similar to the following:

    ```
    run: consul: (pid 30114) 77353s; run: log: (pid 29756) 77367s
    run: logrotate: (pid 9898) 3561s; run: log: (pid 29653) 77380s
    run: node-exporter: (pid 30134) 77353s; run: log: (pid 29706) 77372s
    run: sidekiq: (pid 30142) 77351s; run: log: (pid 29638) 77386s 
    ```

**Tip:** You can also run [multiple Sidekiq processes](../operations/extra_sidekiq_processes.html).

[Back to setup components](#setup-components)

## Configure GitLab Rails[](#configure-gitlab-rails "Permalink")

**Note:** In our architectures we run each GitLab Rails node using the Puma web server and have its number of workers set to 90% of the available CPUs, along with four threads. For nodes that are running Rails with other components, the worker value should be reduced accordingly; we've found 50% achieves a good balance, but this is dependent on workload.

This section describes how to configure the GitLab application (Rails) component. On each node perform the following:

1.  If you're [using NFS](#configure-nfs-optional):

    1.  If necessary, install the NFS client utility packages using the following commands:

        ```
        # Ubuntu/Debian
        apt-get install nfs-common

        # CentOS/Red Hat
        yum install nfs-utils nfs-utils-lib 
        ```

    2.  Specify the necessary NFS mounts in `/etc/fstab`. The exact contents of `/etc/fstab` will depend on how you chose to configure your NFS server. See the [NFS documentation](../high_availability/nfs.html) for examples and the various options.

    3.  Create the shared directories. These may be different depending on your NFS mount locations.

        ```
        mkdir -p /var/opt/gitlab/.ssh /var/opt/gitlab/gitlab-rails/uploads /var/opt/gitlab/gitlab-rails/shared /var/opt/gitlab/gitlab-ci/builds /var/opt/gitlab/git-data 
        ```

2.  Download/install Omnibus GitLab using **steps 1 and 2** from [GitLab downloads](https://about.gitlab.com/install/). Do not complete the other steps on the download page.
3.  Create/edit `/etc/gitlab/gitlab.rb` and use the following configuration. To maintain uniformity of links across nodes, the `external_url` on the application server should point to the external URL that users will use to access GitLab. This will be the URL of the [external load balancer](#configure-the-external-load-balancer), which routes traffic to the GitLab application servers:

    ```
    external_url 'https://gitlab.example.com'

    # Gitaly and GitLab use two shared secrets for authentication, one to authenticate gRPC requests
    # to Gitaly, and a second for authentication callbacks from GitLab-Shell to the GitLab internal API.
    # The following two values must be the same as their respective values
    # of the Gitaly setup
    gitlab_rails['gitaly_token'] = 'gitalysecret'
    gitlab_shell['secret_token'] = 'shellsecret'

    git_data_dirs({
      'default' => { 'gitaly_address' => 'tcp://gitaly1.internal:8075' },
      'storage1' => { 'gitaly_address' => 'tcp://gitaly1.internal:8075' },
      'storage2' => { 'gitaly_address' => 'tcp://gitaly2.internal:8075' },
    })

    ## Disable components that will not be on the GitLab application server
    roles ['application_role']
    gitaly['enable'] = false
    nginx['enable'] = true
    sidekiq['enable'] = false

    ## PostgreSQL connection details
    # Disable PostgreSQL on the application node
    postgresql['enable'] = false
    gitlab_rails['db_host'] = '10.6.0.20' # internal load balancer IP
    gitlab_rails['db_port'] = 6432
    gitlab_rails['db_password'] = '<postgresql_user_password>'
    gitlab_rails['auto_migrate'] = false

    ## Redis connection details
    ## Must be the same in every sentinel node
    redis['master_name'] = 'gitlab-redis'

    ## The same password for Redis authentication you set up for the Redis primary node.
    redis['master_password'] = '<redis_primary_password>'

    ## A list of sentinels with `host` and `port`
    gitlab_rails['redis_sentinels'] = [
      {'host' => '10.6.0.11', 'port' => 26379},
      {'host' => '10.6.0.12', 'port' => 26379},
      {'host' => '10.6.0.13', 'port' => 26379}
    ]

    ## Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true

    # Set the network addresses that the exporters used for monitoring will listen on
    node_exporter['listen_address'] = '0.0.0.0:9100'
    gitlab_workhorse['prometheus_listen_addr'] = '0.0.0.0:9229'
    sidekiq['listen_address'] = "0.0.0.0"
    puma['listen'] = '0.0.0.0'

    ## The IPs of the Consul server nodes
    ## You can also use FQDNs and intermix them with IPs
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13),
    }

    # Add the monitoring node's IP address to the monitoring whitelist and allow it to
    # scrape the NGINX metrics
    gitlab_rails['monitoring_whitelist'] = ['10.6.0.81/32', '127.0.0.0/8']
    nginx['status']['options']['allow'] = ['10.6.0.81/32', '127.0.0.0/8']
    gitlab_rails['prometheus_address'] = '10.6.0.81:9090'

    ## Uncomment and edit the following options if you have set up NFS
    ##
    ## Prevent GitLab from starting if NFS data mounts are not available
    ##
    #high_availability['mountpoint'] = '/var/opt/gitlab/git-data'
    ##
    ## Ensure UIDs and GIDs match between servers for permissions via NFS
    ##
    #user['uid'] = 9000
    #user['gid'] = 9000
    #web_server['uid'] = 9001
    #web_server['gid'] = 9001
    #registry['uid'] = 9002
    #registry['gid'] = 9002 
    ```

4.  If you're using [Gitaly with TLS support](#gitaly-tls-support), make sure the `git_data_dirs` entries are configured with `tls` instead of `tcp`:

    ```
    git_data_dirs({
      'default' => { 'gitaly_address' => 'tls://gitaly1.internal:9999' },
      'storage1' => { 'gitaly_address' => 'tls://gitaly1.internal:9999' },
      'storage2' => { 'gitaly_address' => 'tls://gitaly2.internal:9999' },
    }) 
    ```

    1.  Copy the certificate into `/etc/gitlab/trusted-certs`:

        ```
        sudo cp cert.pem /etc/gitlab/trusted-certs/ 
        ```

5.  Save the file and [reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure).
6.  Run `sudo gitlab-rake gitlab:gitaly:check` to confirm the node can connect to Gitaly.
7.  Tail the logs to see the requests:

    ```
    sudo gitlab-ctl tail gitaly 
    ```

8.  Verify that the GitLab services are running:

    ```
    sudo gitlab-ctl status 
    ```

    The output should be similar to the following:

    ```
    run: consul: (pid 4890) 8647s; run: log: (pid 29962) 79128s
    run: gitlab-exporter: (pid 4902) 8647s; run: log: (pid 29913) 79134s
    run: gitlab-workhorse: (pid 4904) 8646s; run: log: (pid 29713) 79155s
    run: logrotate: (pid 12425) 1446s; run: log: (pid 29798) 79146s
    run: nginx: (pid 4925) 8646s; run: log: (pid 29726) 79152s
    run: node-exporter: (pid 4931) 8645s; run: log: (pid 29855) 79140s
    run: puma: (pid 4936) 8645s; run: log: (pid 29656) 79161s 
    ```

**Note:** When you specify `https` in the `external_url`, as in the example above, GitLab assumes you have SSL certificates in `/etc/gitlab/ssl/`. If certificates are not present, NGINX will fail to start. See the [NGINX documentation](https://docs.gitlab.com/omnibus/settings/nginx.html) for more information.

### GitLab Rails post-configuration[](#gitlab-rails-post-configuration "Permalink")

1.  Ensure that all migrations ran:

    ```
    gitlab-rake gitlab:db:configure 
    ```

    **Note:** If you encounter a `rake aborted!` error stating that PgBouncer is failing to connect to PostgreSQL, it may be that your PgBouncer node's IP address is missing from PostgreSQL's `trust_auth_cidr_addresses` in `gitlab.rb` on your database nodes. See [PgBouncer error `ERROR: pgbouncer cannot connect to server`](troubleshooting.html#pgbouncer-error-error-pgbouncer-cannot-connect-to-server) in the Troubleshooting section before proceeding.
2.  [Configure fast lookup of authorized SSH keys in the database](../operations/fast_ssh_key_lookup.html).

[Back to setup components](#setup-components)

## Configure Prometheus[](#configure-prometheus "Permalink")

The Omnibus GitLab package can be used to configure a standalone Monitoring node running [Prometheus](../monitoring/prometheus/index.html) and [Grafana](../monitoring/performance/grafana_configuration.html):

1.  SSH in to the Monitoring node.
2.  [Download/install](https://about.gitlab.com/install/) the Omnibus GitLab package you want using **steps 1 and 2** from the GitLab downloads page. Do not complete any other steps on the download page.
3.  Edit `/etc/gitlab/gitlab.rb` and add the following:

    ```
    external_url 'http://gitlab.example.com'

    # Disable all other services
    gitlab_rails['auto_migrate'] = false
    alertmanager['enable'] = false
    gitaly['enable'] = false
    gitlab_exporter['enable'] = false
    gitlab_workhorse['enable'] = false
    nginx['enable'] = true
    postgres_exporter['enable'] = false
    postgresql['enable'] = false
    redis['enable'] = false
    redis_exporter['enable'] = false
    sidekiq['enable'] = false
    puma['enable'] = false
    unicorn['enable'] = false
    node_exporter['enable'] = false
    gitlab_exporter['enable'] = false

    # Enable Prometheus
    prometheus['enable'] = true
    prometheus['listen_address'] = '0.0.0.0:9090'
    prometheus['monitor_kubernetes'] = false

    # Enable Login form
    grafana['disable_login_form'] = false

    # Enable Grafana
    grafana['enable'] = true
    grafana['admin_password'] = '<grafana_password>'

    # Enable service discovery for Prometheus
    consul['enable'] = true
    consul['monitoring_service_discovery'] =  true
    consul['configuration'] = {
       retry_join: %w(10.6.0.11 10.6.0.12 10.6.0.13)
    } 
    ```

4.  Save the file and [reconfigure GitLab](../restart_gitlab.html#omnibus-gitlab-reconfigure).
5.  In the GitLab UI, under `admin/application_settings/metrics_and_profiling` > Metrics - Grafana, set the Grafana URL to `/-/grafana` on the monitoring node, that is `http[s]://<MONITOR NODE>/-/grafana`.
6.  Verify that the GitLab services are running:

    ```
    sudo gitlab-ctl status 
    ```

    The output should be similar to the following:

    ```
    run: consul: (pid 31637) 17337s; run: log: (pid 29748) 78432s
    run: grafana: (pid 31644) 17337s; run: log: (pid 29719) 78438s
    run: logrotate: (pid 31809) 2936s; run: log: (pid 29581) 78462s
    run: nginx: (pid 31665) 17335s; run: log: (pid 29556) 78468s
    run: prometheus: (pid 31672) 17335s; run: log: (pid 29633) 78456s 
    ```

[Back to setup components](#setup-components)

## Configure the object storage[](#configure-the-object-storage "Permalink")

GitLab supports using an object storage service for holding numerous types of data. It's recommended over [NFS](#configure-nfs-optional) and in general it's better in larger setups, as object storage is typically much more performant, reliable and scalable.

Object storage options that have been tested, or are known to be used by customers, include:

*   SaaS/Cloud solutions such as [Amazon S3](https://aws.amazon.com/s3/) or [Google Cloud Storage](https://cloud.google.com/storage).
*   On-premises hardware and appliances from various storage vendors.
*   MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.

To configure GitLab to use object storage, refer to the following guides based on what features you intend to use:

1.  Configure [object storage for backups](../../raketasks/backup_restore.html#uploading-backups-to-a-remote-cloud-storage).
2.  Configure [object storage for job artifacts](../job_artifacts.html#using-object-storage) including [incremental logging](../job_logs.html#new-incremental-logging-architecture).
3.  Configure [object storage for LFS objects](../lfs/index.html#storing-lfs-objects-in-remote-object-storage).
4.  Configure [object storage for uploads](../uploads.html#using-object-storage-core-only).
5.  Configure [object storage for merge request diffs](../merge_request_diffs.html#using-object-storage).
6.  Configure [object storage for the Container Registry](../packages/container_registry.html#use-object-storage) (optional feature).
7.  Configure [object storage for Mattermost](https://docs.mattermost.com/administration/config-settings.html#file-storage) (optional feature).
8.  Configure [object storage for packages](../packages/index.html#using-object-storage) (optional feature).
9.  Configure [object storage for the Dependency Proxy](../packages/dependency_proxy.html#using-object-storage) (optional feature).
10.  Configure [object storage for the Pseudonymizer](../pseudonymizer.html#configuration) (optional feature).
11.  Configure [object storage for autoscale Runner caching](https://docs.gitlab.com/runner/configuration/autoscale.html) (optional, for improved performance).
12.  Configure [object storage for Terraform state files](../terraform_state.html#using-object-storage-core-only).

Using separate buckets for each data type is the recommended approach for GitLab.

A limitation of our configuration is that each use of object storage is configured separately. [We have an issue for improving this](https://gitlab.com/gitlab-org/gitlab/-/issues/23345), and easily using one bucket with separate folders is one improvement that this might bring.

There is at least one specific issue with using the same bucket: when GitLab is deployed with the Helm chart, restoring from backup [will not properly function](https://docs.gitlab.com/charts/advanced/external-object-storage/) unless separate buckets are used.

One risk of using a single bucket would be if your organization decides to migrate GitLab to the Helm deployment in the future. GitLab would run, but the situation with backups might not be realized until the organization has a critical requirement for the backups to work.

[Back to setup components](#setup-components)

## Configure NFS (optional)[](#configure-nfs-optional "Permalink")

It's recommended to use [object storage](#configure-the-object-storage) in place of NFS where possible, along with [Gitaly](#configure-gitaly), for improved performance. If you intend to use GitLab Pages, this currently [requires NFS](troubleshooting.html#gitlab-pages-requires-nfs).

See how to [configure NFS](../high_availability/nfs.html).

[Back to setup components](#setup-components)

## Troubleshooting[](#troubleshooting "Permalink")

See the [troubleshooting documentation](troubleshooting.html).

[Back to setup components](#setup-components)