架构选型与规划1.1 高可用主备架构方案企业级GitLab高可用部署主要有以下几种主流方案方案一DRBD Pacemaker Corosync主备模式该架构为Active/Passive主/备模式只有主节点运行GitLab服务并挂载存储备节点通过DRBD实时同步数据。当主节点宕机时Pacemaker自动将VIP和存储切换到备节点。此方案适合中小型企业硬件成本低约比单节点增加40%。方案二GitLab Geo地理分布式GitLab企业版EE原生提供的Geo功能可实现完整的实例级复制。主站点可读写辅助站点只读支持自动故障转移。需要GitLab Premium或Ultimate订阅。方案三分层高可用架构官方参考架构将GitLab各组件拆分部署前端负载均衡HAProxy/Nginx 多个GitLab应用节点 PostgreSQL集群Patronietcd Redis Sentinel 共享存储NFS/Ceph。适合大规模企业。本文推荐方案一DRBD Pacemaker 性价比高、部署相对简单适合大多数企业场景。如团队规模超过200人建议升级到方案三。1.2 硬件配置建议团队规模CPU内存存储网络5-20人4核8GB100GB SSD100Mbps20-100人8核16GB500GB NVMe SSD1Gbps100人以上16核32GBRAID10 SSD阵列多网卡绑定⚠️ 生产环境强烈建议使用SSD存储GitLab官方建议禁用swap分区。1.3 服务器规划示例角色主机名IP地址配置主节点gitlab-primary192.168.1.108核16G 500GB SSD备节点gitlab-secondary192.168.1.118核16G 500GB SSD虚拟IPVIPgitlab.local192.168.1.100浮动IP二、基础环境准备两台节点均需执行2.1 系统更新与依赖安装bash# 更新系统 sudo apt update sudo apt upgrade -y # 安装必要依赖 sudo apt install -y \ curl \ openssh-server \ ca-certificates \ tzdata \ perl \ postfix \ wget \ gnupg \ lsb-release \ software-properties-common安装postfix时如选择“Internet Site”输入你的邮件域名如暂不需要邮件功能可跳过。2.2 配置防火墙bashsudo ufw allow 22/tcp # SSH访问 sudo ufw allow 80/tcp # HTTP服务 sudo ufw allow 443/tcp # HTTPS服务 sudo ufw allow 9090/tcp # Prometheus监控可选 sudo ufw enable2.3 系统优化配置bash# 禁用swapGitLab官方建议 sudo swapoff -a sudo sed -i / swap / s/^\(.*\)$/#\1/g /etc/fstab # 配置时区 sudo timedatectl set-timezone Asia/Shanghai # 优化系统文件句柄限制 echo fs.file-max 65536 | sudo tee -a /etc/sysctl.conf sudo sysctl -p2.4 配置SSH免密登录主备节点间bash# 在主节点生成SSH密钥 ssh-keygen -t rsa -b 4096 -N -f ~/.ssh/id_rsa # 将公钥复制到备节点 ssh-copy-id root192.168.1.11 # 同样在备节点生成并复制到主节点 ssh-keygen -t rsa -b 4096 -N -f ~/.ssh/id_rsa ssh-copy-id root192.168.1.10三、安装GitLab3.1 添加GitLab官方仓库使用官方源国外服务器较快bashcurl -sS https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash使用国内清华镜像源推荐国内用户bash# 信任GitLab GPG公钥 curl -fsSL https://packages.gitlab.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg # 添加源 echo deb [signed-by/usr/share/keyrings/gitlab_gitlab-ee-archive-keyring.gpg] https://mirrors.tuna.tsinghua.edu.cn/gitlab-ee/ubuntu $(lsb_release -cs) main | sudo tee /etc/apt/sources.list.d/gitlab-ee.list sudo apt update 如使用社区版CE将上述命令中的gitlab-ee替换为gitlab-ce。企业版EE提供更多高可用特性生产环境建议使用企业版。3.2 安装GitLabbash# 安装企业版设置外部访问URL sudo EXTERNAL_URLhttps://gitlab.local apt-get install -y gitlab-ee如果尚未配置域名和SSL证书可先使用IP地址EXTERNAL_URLhttp://192.168.1.103.3 初始配置bash# 编辑主配置文件 sudo vim /etc/gitlab/gitlab.rb基础配置项ruby# 外部访问地址 external_url https://gitlab.local # 时区 gitlab_rails[time_zone] Asia/Shanghai # 数据存储目录后续将迁移到共享存储 git_data_dirs({ default { path /var/opt/gitlab/git-data } }) # 邮件配置可选 gitlab_rails[smtp_enable] true gitlab_rails[smtp_address] smtp.your-email.com gitlab_rails[smtp_port] 587 gitlab_rails[smtp_user_name] gitlabyour-email.com gitlab_rails[smtp_password] your-password gitlab_rails[smtp_domain] your-email.com gitlab_rails[smtp_authentication] login gitlab_rails[smtp_enable_starttls_auto] true gitlab_rails[gitlab_email_from] gitlabyour-email.com3.4 应用配置并启动bashsudo gitlab-ctl reconfigure该命令会启动所有必要服务耗时几分钟。3.5 验证安装bash# 查看服务状态 sudo gitlab-ctl status # 获取初始root密码 sudo cat /etc/gitlab/initial_root_password四、高可用核心组件配置4.1 配置共享存储DRBDDRBD实现两台服务器间数据的实时块级同步。在两台节点上安装DRBDbashsudo apt install -y drbd-utils在主节点创建DRBD配置文件bashsudo vim /etc/drbd.d/gitlab.resconfresource gitlab { protocol C; meta-disk internal; device /dev/drbd0; disk /dev/sdb; # 请替换为实际的数据盘设备 net { cram-hmac-alg sha1; shared-secret your-secure-secret-key; } on gitlab-primary { address 192.168.1.10:7789; } on gitlab-secondary { address 192.168.1.11:7789; } }初始化DRBD资源两台节点执行bash# 创建元数据 sudo drbdadm create-md gitlab # 启动DRBD服务 sudo systemctl enable drbd sudo systemctl start drbd # 在主节点提升为Primary sudo drbdadm primary --force gitlab # 创建文件系统仅在主节点执行 sudo mkfs.ext4 /dev/drbd0 # 挂载存储 sudo mkdir -p /mnt/gitlab-data sudo mount /dev/drbd0 /mnt/gitlab-data配置自动挂载bashecho /dev/drbd0 /mnt/gitlab-data ext4 defaults,noatime 0 0 | sudo tee -a /etc/fstab4.2 配置GitLab使用共享存储修改GitLab数据目录bashsudo vim /etc/gitlab/gitlab.rbruby# 将数据目录指向共享存储 git_data_dirs({ default { path /mnt/gitlab-data/git-data } }) # 仓库存储路径 gitlab_rails[repository_storage_dirs] { default /mnt/gitlab-data/git-data/repositories } # 上传文件存储 gitlab_rails[uploads_directory] /mnt/gitlab-data/uploads迁移现有数据到共享存储如已存在数据bash# 停止GitLab服务 sudo gitlab-ctl stop # 迁移数据 sudo rsync -av /var/opt/gitlab/ /mnt/gitlab-data/ # 重新配置并启动 sudo gitlab-ctl reconfigure sudo gitlab-ctl start4.3 配置PostgreSQL高可用Patroni etcdGitLab官方推荐使用Patroni etcd实现PostgreSQL自动主备切换。在两台节点安装etcd和Patronibashsudo apt install -y etcd patroni patroni-pgq配置etcd集群两台节点bashsudo vim /etc/default/etcd主节点配置confETCD_NAMEetcd1 ETCD_INITIAL_ADVERTISE_PEER_URLShttp://192.168.1.10:2380 ETCD_LISTEN_PEER_URLShttp://0.0.0.0:2380 ETCD_LISTEN_CLIENT_URLShttp://0.0.0.0:2379 ETCD_ADVERTISE_CLIENT_URLShttp://192.168.1.10:2379 ETCD_INITIAL_CLUSTERetcd1http://192.168.1.10:2380,etcd2http://192.168.1.11:2380 ETCD_INITIAL_CLUSTER_STATEnew备节点将IP替换为192.168.1.11ETCD_NAME改为etcd2。启动etcdbashsudo systemctl enable etcd sudo systemctl start etcd配置Patronibashsudo vim /etc/patroni/patroni.ymlyamlscope: gitlab name: gitlab-pg-1 # 主节点为1备节点为2 restapi: listen: 0.0.0.0:8008 connect_address: 192.168.1.10:8008 # 备节点改为备节点IP etcd: hosts: - 192.168.1.10:2379 - 192.168.1.11:2379 bootstrap: dcs: ttl: 30 loop_wait: 10 retry_timeout: 10 maximum_lag_on_failover: 1048576 postgresql: use_pg_rewind: true parameters: max_connections: 200 shared_buffers: 256MB wal_level: replica hot_standby: on max_wal_senders: 10 max_replication_slots: 10 wal_log_hints: on postgresql: listen: 0.0.0.0:5432 connect_address: 192.168.1.10:5432 # 备节点改为备节点IP data_dir: /mnt/gitlab-data/postgresql pgpass: /tmp/pgpass authentication: replication: username: replicator password: your-replica-password superuser: username: postgres password: your-superuser-password parameters: unix_socket_directories: /var/run/postgresql启动Patronibashsudo systemctl enable patroni sudo systemctl start patroni配置GitLab使用外部PostgreSQLruby# /etc/gitlab/gitlab.rb postgresql[enable] false gitlab_rails[db_host] 192.168.1.10 # 或使用VIP gitlab_rails[db_port] 5432 gitlab_rails[db_username] gitlab gitlab_rails[db_password] gitlab-db-password gitlab_rails[db_database] gitlabhq_production4.4 配置Redis高可用Redis Sentinel安装Redis两台节点bashsudo apt install -y redis-server配置Redis主从主节点/etc/redis/redis.confconfbind 0.0.0.0 port 6379 requirepass your-redis-password masterauth your-redis-password备节点/etc/redis/redis.confconfbind 0.0.0.0 port 6379 requirepass your-redis-password masterauth your-redis-password replicaof 192.168.1.10 6379配置Redis Sentinel两台节点bashsudo vim /etc/redis/sentinel.confconfbind 0.0.0.0 port 26379 sentinel monitor gitlab-redis 192.168.1.10 6379 2 sentinel auth-pass gitlab-redis your-redis-password sentinel down-after-milliseconds gitlab-redis 5000 sentinel failover-timeout gitlab-redis 60000启动服务bashsudo systemctl enable redis-server redis-sentinel sudo systemctl start redis-server redis-sentinel配置GitLab使用Redis Sentinelruby# /etc/gitlab/gitlab.rb redis[enable] false gitlab_rails[redis_host] 192.168.1.10 gitlab_rails[redis_port] 6379 gitlab_rails[redis_password] your-redis-password4.5 配置负载均衡与VIP漂移Keepalived安装Keepalived两台节点bashsudo apt install -y keepalived主节点配置/etc/keepalived/keepalived.confconfvrrp_instance VI_1 { state MASTER interface eth0 virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS auth_pass your-auth-password } virtual_ipaddress { 192.168.1.100/24 dev eth0 } track_script { check_gitlab } } vrrp_script check_gitlab { script /usr/local/bin/check_gitlab.sh interval 5 weight -10 }备节点配置state改为BACKUPpriority改为90。健康检查脚本/usr/local/bin/check_gitlab.shbash#!/bin/bash if curl -s -o /dev/null -w %{http_code} http://localhost:80/ | grep -q 200\|302; then exit 0 else exit 1 fibashsudo chmod x /usr/local/bin/check_gitlab.sh sudo systemctl enable keepalived sudo systemctl start keepalived4.6 配置Nginx负载均衡可选如需在前端增加负载均衡层bashsudo apt install -y nginxnginx# /etc/nginx/sites-available/gitlab upstream gitlab_backend { server 192.168.1.10:80 max_fails3 fail_timeout30s; server 192.168.1.11:80 max_fails3 fail_timeout30s backup; keepalive 32; } server { listen 80; server_name gitlab.local; location / { proxy_pass http://gitlab_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Connection ; } }五、配置SSL证书HTTPS5.1 使用Lets Encrypt免费证书bashsudo apt install -y certbot python3-certbot-nginx # 申请证书需已配置域名解析 sudo certbot certonly --nginx -d gitlab.yourdomain.com # 自动续期 echo 0 3 * * * root /usr/bin/certbot renew --quiet | sudo tee /etc/cron.d/certbot-renew5.2 配置GitLab使用SSLruby# /etc/gitlab/gitlab.rb external_url https://gitlab.yourdomain.com nginx[redirect_http_to_https] true nginx[ssl_certificate] /etc/letsencrypt/live/gitlab.yourdomain.com/fullchain.pem nginx[ssl_certificate_key] /etc/letsencrypt/live/gitlab.yourdomain.com/privkey.pem nginx[ssl_protocols] TLSv1.2 TLSv1.3六、监控与告警配置6.1 启用GitLab内置监控ruby# /etc/gitlab/gitlab.rb prometheus[enable] true prometheus[listen_address] 0.0.0.0:9090 node_exporter[enable] true node_exporter[listen_address] 0.0.0.0:9100 redis_exporter[enable] true redis_exporter[listen_address] 0.0.0.0:9121 postgres_exporter[enable] true postgres_exporter[listen_address] 0.0.0.0:9187 gitlab_exporter[enable] true gitlab_exporter[listen_address] 0.0.0.0:91686.2 安装Grafana可视化bashsudo apt install -y grafana sudo systemctl enable grafana-server sudo systemctl start grafana-server访问http://gitlab.local:3000添加Prometheus数据源导入GitLab官方仪表盘。6.3 关键告警阈值建议设置以下告警PostgreSQL连接数 最大值的80%Redis内存使用 8GB仓库存储空间 90%Sidekiq队列积压 1000HTTP 500错误率 1%七、备份策略7.1 定期备份bash# 创建完整备份 sudo gitlab-rake gitlab:backup:create # 备份配置文件 sudo tar -czf /mnt/gitlab-data/backups/gitlab-config-$(date %Y%m%d).tar.gz /etc/gitlab/7.2 自动化备份脚本bash#!/bin/bash # /usr/local/bin/gitlab-backup.sh BACKUP_DIR/mnt/gitlab-data/backups DATE$(date %Y%m%d_%H%M%S) # 创建备份 sudo gitlab-rake gitlab:backup:create # 备份配置文件 sudo tar -czf ${BACKUP_DIR}/gitlab-config-${DATE}.tar.gz /etc/gitlab/ # 保留最近7天的备份 find ${BACKUP_DIR} -name *.tar -mtime 7 -delete find ${BACKUP_DIR} -name *.tar.gz -mtime 7 -deletebash# 添加到crontab每天凌晨2点执行 echo 0 2 * * * /usr/local/bin/gitlab-backup.sh | sudo tee -a /etc/crontab八、故障转移与恢复8.1 手动故障转移主节点故障时bash# 在备节点上 # 1. 提升DRBD为Primary sudo drbdadm primary gitlab # 2. 挂载存储 sudo mount /dev/drbd0 /mnt/gitlab-data # 3. 启动GitLab sudo gitlab-ctl start # 4. 提升Keepalived为MASTER或等待自动切换 sudo systemctl restart keepalived8.2 自动故障转移通过Keepalived DRBD Pacemaker组合可实现自动故障转移。配置Pacemaker资源管理bashsudo apt install -y pacemaker corosync # 配置Corosync集群 sudo vim /etc/corosync/corosync.conf # 添加资源VIP、DRBD、GitLab服务 sudo pcs resource create gitlab-vip IPaddr2 ip192.168.1.100 sudo pcs resource create gitlab-drbd drbd ... sudo pcs resource create gitlab-service systemd:gitlab-runsvdir九、运维管理要点9.1 日常巡检命令bash# 查看GitLab服务状态 sudo gitlab-ctl status # 查看日志 sudo gitlab-ctl tail # 查看DRBD同步状态 sudo drbdadm status gitlab # 查看集群状态 sudo pcs status # 查看Keepalived状态 sudo systemctl status keepalived9.2 版本升级bash# 停止GitLab生产环境建议在维护窗口进行 sudo gitlab-ctl stop unicorn sudo gitlab-ctl stop sidekiq # 更新包 sudo apt update sudo apt install --only-upgrade gitlab-ee # 重新配置 sudo gitlab-ctl reconfigure sudo gitlab-ctl restart9.3 安全加固建议启用2FA双因素认证配置IP白名单限制管理访问禁用默认root账户登录定期更新系统与GitLab版本启用审计日志十、部署检查清单检查项状态两台节点系统环境一致☐SSH免密登录配置完成☐DRBD数据同步正常☐PostgreSQL主从复制正常☐Redis Sentinel集群正常☐VIP漂移测试通过☐SSL证书配置生效☐备份脚本测试通过☐监控告警配置完成☐故障转移演练完成☐