Progress:
bastion deployed: yum repos, mirror site
workstation deployed: podman installed
utility deployed: podman and private registry installed
gitlab deployed: gitlab installed, student user configured, project files uploaded
Host inventory & role assignment
🔧 Services to build on each host
Notes before building
1. Build order:
bastion -> workstation -> utility -> git -> controller -> hub -> servera~f
2. Prerequisites
workstation must have passwordless SSH login to every host
ISO used: rhel-8.6-x86_64-dvd.iso
1️⃣ bastion
Function:
Jump host (SSH entry point)
Offline YUM repos (mirror of RHEL BaseOS/AppStream/Extras)
HTTP service
/var/www/html serves the ISO contents and RPMs
Packages to install:
dnf install -y httpd createrepo rsync
Step 1: base environment
Build the offline YUM repo on bastion.lab.example.com
mkdir -p /mnt/rhel8.6
mount -o loop /dev/sr0 /mnt/rhel8.6
## local yum repo from the mounted ISO
cat > /etc/yum.repos.d/rhel8.6.repo <<EOF
# gpgcheck=0 skips RPM signature verification. The ISO ships the signing key;
# to verify packages use gpgcheck=1 and gpgkey=file:///mnt/rhel8.6/RPM-GPG-KEY-redhat-release
[BaseOS]
name=BaseOS
baseurl=file:///mnt/rhel8.6/BaseOS
enabled=1
gpgcheck=0
[AppStream]
name=AppStream
baseurl=file:///mnt/rhel8.6/AppStream
enabled=1
gpgcheck=0
EOF
## install the base services
dnf install -y httpd createrepo rsync tar wget
systemctl enable --now httpd
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
## check the HTTP service
curl http://172.25.250.254/
# fetch gitlab-ce-offline
cd /root/
wget http://192.168.10.250:5244/d/Project%20Files%20Bak/Linux/%E8%87%AA%E5%BB%BA%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83/gitlab-ce-offline.tar.gz
# fetch aap22-repo.tar.gz
wget http://192.168.10.250:5244/d/Project%20Files%20Bak/Linux/%E8%87%AA%E5%BB%BA%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83/aap22-repo.tar.gz
## fetch the EE image
wget http://192.168.10.250:5244/d/Project%20Files%20Bak/Linux/%E8%87%AA%E5%BB%BA%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83/ee-supported-rhel8.tar
## fetch the AAP 2.2 installer bundle
wget http://192.168.10.250:5244/d/Project%20Files%20Bak/Linux/%E8%87%AA%E5%BB%BA%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz
## fetch registry:2
wget http://192.168.10.250:5244/d/Project%20Files%20Bak/Linux/%E8%87%AA%E5%BB%BA%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83/registry-2.tar
## fetch the gitlab projects
wget http://192.168.10.250:5244/d/Project%20Files%20Bak/Linux/%E8%87%AA%E5%BB%BA%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83/gitlab_mirror.tar.gz
# extract the two repo archives by hand first; the rsync lines below expect them at /root/aap22/ and /root/gitlab-ce-offline/
mkdir -p /var/www/html/rhel8.6/{BaseOS,AppStream}
mkdir -p /var/www/html/{ProjectFiles,software}
rsync -av /mnt/rhel8.6/BaseOS/ /var/www/html/rhel8.6/BaseOS/
rsync -av /mnt/rhel8.6/AppStream/ /var/www/html/rhel8.6/AppStream/
rsync -av /root/aap22/ /var/www/html/aap22/
rsync -av /root/gitlab-ce-offline/ /var/www/html/gitlab-ce-offline/
# BaseOS and AppStream already carry repodata from the ISO; do not run createrepo on them,
# it rebuilds the metadata without the AppStream module streams and module installs break.
# Only the two plain RPM directories need metadata generated:
createrepo /var/www/html/aap22/
createrepo /var/www/html/gitlab-ce-offline/
# copy the downloaded files into the web root
rsync -av /root/ee-supported-rhel8.tar /var/www/html/software/ee-supported-rhel8.tar
rsync -av /root/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz /var/www/html/software/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz
rsync -av /root/registry-2.tar /var/www/html/software/registry-2.tar
rsync -av /root/gitlab_mirror.tar.gz /var/www/html/ProjectFiles/gitlab_mirror.tar.gz
# push-to-gitlab script. The heredoc delimiter is quoted so that $BASE_DIR, $repo and
# friends are written into the file literally instead of being expanded (to nothing) on bastion.
cat > /var/www/html/ProjectFiles/push_to_gitlab.sh <<'EOF'
#!/bin/bash
BASE_DIR="/home/student/gitlab_mirror"
GIT_URL="https://git.lab.example.com"
USERNAME="student"
cd "$BASE_DIR" || exit 1
for repo in *.git; do
    if [ -d "$repo" ]; then
        echo "➡️ pushing repository: $repo"
        cd "$repo" || continue
        git remote set-url origin "$GIT_URL/$USERNAME/$repo"
        # HTTPS push; git prompts for the student credentials on every repository
        git push --mirror origin
        cd "$BASE_DIR" || exit 1
    fi
done
echo "✅ all repositories pushed"
EOF
chown student:student /var/www/html/ProjectFiles/push_to_gitlab.sh
restorecon -Rv /var/www/html/
rm -f /root/*.tar.gz
rm -f /root/*.tar
hosts file configuration
cat >> /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.254 bastion.lab.example.com bastion
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd
172.25.250.14 servere.lab.example.com servere
172.25.250.15 serverf.lab.example.com serverf
172.25.250.5 git.lab.example.com git
172.25.250.6 hub.lab.example.com hub
172.25.250.7 controller.lab.example.com controller
172.25.250.8 utility.lab.example.com utility registry.lab.example.com
172.25.250.9 workstation.lab.example.com workstation
EOF
Step 2: create the repo files
## Create the repo files (this removes the file:// repo from step 1; from here on bastion uses its own httpd mirror, so httpd must be up):
rm -f /etc/yum.repos.d/*
cat > /etc/yum.repos.d/rhel8.6-offline.repo <<EOF
[rhel8.6-BaseOS]
name=RHEL8.6 BaseOS Offline
baseurl=http://bastion.lab.example.com/rhel8.6/BaseOS/
enabled=1
gpgcheck=0
[rhel8.6-AppStream]
name=RHEL8.6 AppStream Offline
baseurl=http://bastion.lab.example.com/rhel8.6/AppStream/
enabled=1
gpgcheck=0
EOF
cat > /etc/yum.repos.d/aap22.repo <<EOF
[aap22]
name=AAP 2.2 Offline Repo
baseurl=http://bastion.lab.example.com/aap22
enabled=1
gpgcheck=0
EOF
cat > /etc/yum.repos.d/gitlab.repo <<EOF
[gitlab-ce-offline]
name=GitLab CE Offline
baseurl=http://bastion.lab.example.com/gitlab-ce-offline/
enabled=1
gpgcheck=0
EOF
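Before running dnf repolist on a client it is worth checking that every baseurl in the repo files maps to an exported directory that actually carries repodata, and that the AppStream copy still has its module metadata (the failure mode described above). The script below is an added example, not part of the original notes; DOCROOT and the http://bastion.lab.example.com/... layout are assumptions matching the bastion setup above, and the repodata files in the usage section are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: sanity-check the mirror under
# the httpd document root against the client .repo files before running dnf.
set -euo pipefail

DOCROOT="${DOCROOT:-/var/www/html}"   # assumption: bastion's httpd document root

# Map baseurl=http://bastion.lab.example.com/rhel8.6/BaseOS/ to the directory
# httpd serves it from (scheme and host stripped, trailing slash dropped).
baseurl_to_dir() {
  local path=${1#http://}
  path=${path#*/}
  printf '%s/%s\n' "$DOCROOT" "${path%/}"
}

# 0 if the directory is a usable dnf repo, i.e. it carries repodata/repomd.xml.
has_repomd() { [ -f "$1/repodata/repomd.xml" ]; }

# 0 if repomd.xml still lists modular metadata. AppStream copied from the ISO has
# it; running createrepo over that copy drops it and module installs break.
has_modules() { grep -q 'type="modules"' "$1/repodata/repomd.xml" 2>/dev/null; }

is_appstream() { case $1 in */AppStream) return 0 ;; *) return 1 ;; esac; }

# Audit every baseurl in the given .repo files. Prints one line per repo and
# returns the number of broken repos, so 0 means the mirror is consistent.
audit_repos() {
  local bad=0 url dir
  for url in $(grep -h '^baseurl=' "$@" | cut -d= -f2-); do
    dir=$(baseurl_to_dir "$url")
    if ! has_repomd "$dir"; then
      echo "MISSING  $url -> $dir has no repodata/repomd.xml"; bad=$((bad + 1))
    elif is_appstream "$dir" && ! has_modules "$dir"; then
      echo "NOMODULE $url -> $dir lost modular metadata (createrepo ran over it?)"; bad=$((bad + 1))
    else
      echo "OK       $url"
    fi
  done
  return "$bad"
}

# Usage on bastion: bash mirror-audit.sh audit /etc/yum.repos.d/*.repo
if [ "${1:-}" = "audit" ]; then
  shift
  audit_repos "$@"
fi
```

Run it on bastion itself, where the .repo files and the document root are on the same host; a non-zero exit pinpoints which repo a client's "Failed to download metadata" or "No available modular metadata" error comes from.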
dnf clean all && dnf repolist
2️⃣ workstation
Function:
Course working terminal
ansible-navigator host; connects to controller/hub/servera~f
Packages to install:
dnf install -y ansible-navigator podman
Step 1: base environment
Set the hostname:
hostnamectl set-hostname workstation.lab.example.com
Configure /etc/hosts so every lab node resolves:
cat >> /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.254 bastion.lab.example.com bastion
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd
172.25.250.14 servere.lab.example.com servere
172.25.250.15 serverf.lab.example.com serverf
172.25.250.5 git.lab.example.com git
172.25.250.6 hub.lab.example.com hub
172.25.250.7 controller.lab.example.com controller
172.25.250.8 utility.lab.example.com utility registry.lab.example.com
172.25.250.9 workstation.lab.example.com workstation
EOF
Configure the offline RHEL YUM repos:
## Create the repo files:
rm -rf /etc/yum.repos.d/*
cat > /etc/yum.repos.d/rhel8.6-offline.repo <<EOF
[rhel8.6-BaseOS]
name=RHEL8.6 BaseOS Offline
baseurl=http://bastion.lab.example.com/rhel8.6/BaseOS/
enabled=1
gpgcheck=0
[rhel8.6-AppStream]
name=RHEL8.6 AppStream Offline
baseurl=http://bastion.lab.example.com/rhel8.6/AppStream/
enabled=1
gpgcheck=0
EOF
cat > /etc/yum.repos.d/aap22.repo <<EOF
[aap22]
name=AAP 2.2 Offline Repo
baseurl=http://bastion.lab.example.com/aap22/
enabled=1
gpgcheck=0
EOF
cat > /etc/yum.repos.d/gitlab.repo <<EOF
[gitlab-ce-offline]
name=GitLab CE Offline
baseurl=http://bastion.lab.example.com/gitlab-ce-offline/
enabled=1
gpgcheck=0
EOF
dnf clean all && dnf repolist
Step 2: install ansible-navigator
dnf install -y ansible-navigator vim
Step 3: verify the install
ansible-navigator --version
✅ Expected output:
ansible-navigator x.x.x
Step 4: configure the EE image
Make sure the EE image is pulled from the private registry:
dnf install -y podman
mkdir -p /etc/containers/registries.conf.d
## insecure = true makes podman talk plain HTTP to this registry and skip TLS verification,
## so nothing authenticates the registry or protects images in transit; keep it to this lab.
## The TLS alternative is to serve the registry with a certificate from the classroom CA and
## place that CA in /etc/containers/certs.d/registry.lab.example.com:5000/ca.crt on every client.
cat > /etc/containers/registries.conf.d/registry-insecure.conf <<EOF
[[registry]]
location = "registry.lab.example.com:5000"
insecure = true
EOF
podman pull registry.lab.example.com:5000/ee-supported-rhel8
cat > /root/test.yml <<EOF
- name: Test EE execution
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Print EE verification message
      debug:
        msg: "✅ EE image registry.lab.example.com:5000/ee-supported-rhel8 runs fine"
EOF
ansible-navigator run test.yml -m stdout --eei registry.lab.example.com:5000/ee-supported-rhel8 --pull-policy never
Step 5: prepare the lab inventory
Create inventory.yml:
cat > /home/student/inventory.yml << EOF
all:
  vars:
    ansible_user: sisthy
  children:
    control:
      hosts:
        controller.lab.example.com:
          ansible_host: 172.25.250.7
        utility.lab.example.com:
          ansible_host: 172.25.250.8
    nodes:
      hosts:
        servera.lab.example.com:
          ansible_host: 172.25.250.10
        serverb.lab.example.com:
          ansible_host: 172.25.250.11
        serverc.lab.example.com:
          ansible_host: 172.25.250.12
        serverd.lab.example.com:
          ansible_host: 172.25.250.13
        servere.lab.example.com:
          ansible_host: 172.25.250.14
        serverf.lab.example.com:
          ansible_host: 172.25.250.15
    bastion:
      hosts:
        bastion.lab.example.com:
          ansible_host: 172.25.250.254
    workstation:
      hosts:
        workstation.lab.example.com:
          ansible_host: 172.25.250.9
EOF
Step 6: initialize the DO374 lab environment
Create the init-servers.yml playbook that initializes servera~f. Note that hosts: all applies it to every host in the inventory, bastion and workstation included; change it to hosts: nodes to limit it to servera~f. Run it from /home/student so that the key file referenced in the last task is inside the directory ansible-navigator mounts into the EE:
cat > /home/student/init-servers.yml << 'EOF'
- name: Initialize DO374 lab servers
  hosts: all
  become: true
  tasks:
    - name: Set hostname based on inventory_hostname
      hostname:
        name: "{{ inventory_hostname }}"
    - name: Remove existing repo files
      file:
        path: /etc/yum.repos.d/
        state: absent
    - name: Recreate yum.repos.d directory
      file:
        path: /etc/yum.repos.d/
        state: directory
        mode: '0755'
    - name: Deploy AAP 2.2 repo
      copy:
        dest: /etc/yum.repos.d/aap22.repo
        content: |
          [aap22]
          name=AAP 2.2 Internal Repo
          baseurl=http://bastion.lab.example.com/aap22/
          enabled=1
          gpgcheck=0
    - name: Deploy gitlab-ce-offline repo
      copy:
        dest: /etc/yum.repos.d/gitlab-ce-offline.repo
        content: |
          [gitlab-ce-offline]
          name=gitlab ce offline
          baseurl=http://bastion.lab.example.com/gitlab-ce-offline/
          enabled=1
          gpgcheck=0
    - name: Deploy RHEL8 offline repos
      copy:
        dest: /etc/yum.repos.d/rhel8.6-offline.repo
        content: |
          [rhel8.6-BaseOS]
          name=rhel8.6 BaseOS Offline
          baseurl=http://bastion.lab.example.com/rhel8.6/BaseOS/
          enabled=1
          gpgcheck=0
          [rhel8.6-AppStream]
          name=rhel8.6 AppStream Offline
          baseurl=http://bastion.lab.example.com/rhel8.6/AppStream/
          enabled=1
          gpgcheck=0
    - name: Clean YUM cache
      command: dnf clean all
    - name: Deploy /etc/hosts
      copy:
        dest: /etc/hosts
        content: |
          127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
          ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
          172.25.250.254 bastion.lab.example.com bastion
          172.25.250.10 servera.lab.example.com servera
          172.25.250.11 serverb.lab.example.com serverb
          172.25.250.12 serverc.lab.example.com serverc
          172.25.250.13 serverd.lab.example.com serverd
          172.25.250.14 servere.lab.example.com servere
          172.25.250.15 serverf.lab.example.com serverf
          172.25.250.5 git.lab.example.com git
          172.25.250.6 hub.lab.example.com hub
          172.25.250.7 controller.lab.example.com controller
          172.25.250.8 utility.lab.example.com utility registry.lab.example.com
          172.25.250.9 workstation.lab.example.com workstation
    - name: Create student user
      user:
        name: student
        state: present
        groups: wheel
    # passwordless sudo for everything: fine for a throwaway lab, not for anything else;
    # visudo validates the file so a typo cannot lock sudo on the node
    - name: Configure passwordless sudo for student
      copy:
        dest: /etc/sudoers.d/student
        content: "student ALL=(ALL) NOPASSWD: ALL\n"
        mode: '0440'
        validate: 'visudo -cf %s'
    - name: Authorize SSH key for student
      authorized_key:
        user: student
        state: present
        key: "{{ lookup('file', '/home/student/.ssh/id_rsa.pub') }}"
EOF
ansible-navigator run init-servers.yml -m stdout -i inventory.yml
3️⃣ servera~f
Function:
Managed nodes
Target environment for the playbooks
Packages to install:
dnf install -y python3 python3-libselinux
4️⃣ git
Function:
Runs GitLab CE
Used for version control of the course code
Install (from the offline repo):
dnf install -y gitlab-ce
5️⃣ hub
Function:
Private Automation Hub
Stores the offline collections
Needs:
offline import of ansible-galaxy collections
Optional installs:
automation-hub (AAP component), ansible-core, ansible-navigator, the installer script from the AAP setup bundle
Install ansible-core on hub first.
If the offline YUM repos on bastion are already in place:
dnf install -y ansible-core
ansible-galaxy --version
Deployment script
dnf clean all && dnf makecache
dnf install -y tar vim
curl -o /root/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz http://bastion.lab.example.com/software/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz
# tar does not create the target directory; create it and drop the archive's own top-level directory
mkdir -p /root/ansible-automation-platform-setup-bundle-2.2.2-1.2
tar -xf /root/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz -C /root/ansible-automation-platform-setup-bundle-2.2.2-1.2 --strip-components=1
mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
# generate the CA key and certificate
openssl genrsa -out /etc/pki/tls/private/classroom-ca.key 4096
openssl req -x509 -new -nodes -key /etc/pki/tls/private/classroom-ca.key \
-subj "/CN=Classroom-CA" \
-days 3650 -out /etc/pki/tls/certs/classroom-ca.pem
# generate the hub host key
openssl genrsa -out /etc/pki/tls/private/hub.lab.example.com.key 2048
# generate the CSR
openssl req -new -key /etc/pki/tls/private/hub.lab.example.com.key \
-subj "/CN=hub.lab.example.com" \
-out /tmp/hub.lab.example.com.csr
# sign the certificate with the CA
openssl x509 -req -in /tmp/hub.lab.example.com.csr \
-CA /etc/pki/tls/certs/classroom-ca.pem \
-CAkey /etc/pki/tls/private/classroom-ca.key \
-CAcreateserial \
-out /etc/pki/tls/certs/hub.lab.example.com.crt \
-days 365 -sha256
cd /root/ansible-automation-platform-setup-bundle-2.2.2-1.2
cat > inventory << EOF
[automationcontroller]
[automationhub]
hub.lab.example.com ansible_connection=local
[database]
[servicescatalog_workers]
[all:vars]
admin_password='redhat'
pg_host=''
pg_port=''
pg_database='awx'
pg_username='awx'
pg_password='redhat'
registry_url='registry.redhat.io'
registry_username=''
registry_password=''
automationhub_admin_password='redhat'
automationhub_pg_host=''
automationhub_pg_port=''
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='redhat'
automationhub_pg_sslmode='prefer'
custom_ca_cert=/etc/pki/tls/certs/classroom-ca.pem
# created manually above; uncomment these two lines to make the installer use them instead of generating its own certificate
#automationhub_ssl_cert=/etc/pki/tls/certs/hub.lab.example.com.crt
#automationhub_ssl_key=/etc/pki/tls/private/hub.lab.example.com.key
EOF
The inventory holds every password in plaintext ('redhat'); keep it readable by root only and change them once the lab is up.
./setup.sh -i inventory
6️⃣ controller
Function:
Ansible Automation Controller (Tower/AWX)
Runs automation jobs from the UI
Install:
offline AWX/Controller installer
configure the inventory and the EE
dnf clean all && dnf makecache
dnf install -y tar vim
curl -o /root/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz http://bastion.lab.example.com/software/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz
# tar does not create the target directory; create it and drop the archive's own top-level directory
mkdir -p /root/ansible-automation-platform-setup-bundle-2.2.2-1.2
tar -xf /root/ansible-automation-platform-setup-bundle-2.2.2-1.2.tar.gz -C /root/ansible-automation-platform-setup-bundle-2.2.2-1.2 --strip-components=1
mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
# generate the CA key and certificate
# NOTE: this produces a second, unrelated CA with the same CN as the one on hub, so clients
# end up having to trust two anchors. Cleaner: create the CA once, copy only classroom-ca.pem
# here, and sign the controller CSR on the host that holds the CA key.
openssl genrsa -out /etc/pki/tls/private/classroom-ca.key 4096
openssl req -x509 -new -nodes -key /etc/pki/tls/private/classroom-ca.key \
-subj "/CN=Classroom-CA" \
-days 3650 -out /etc/pki/tls/certs/classroom-ca.pem
# generate the controller host key
openssl genrsa -out /etc/pki/tls/private/controller.lab.example.com.key 2048
# generate the CSR
openssl req -new -key /etc/pki/tls/private/controller.lab.example.com.key \
-subj "/CN=controller.lab.example.com" \
-out /tmp/controller.lab.example.com.csr
# sign the certificate with the CA
openssl x509 -req -in /tmp/controller.lab.example.com.csr \
-CA /etc/pki/tls/certs/classroom-ca.pem \
-CAkey /etc/pki/tls/private/classroom-ca.key \
-CAcreateserial \
-out /etc/pki/tls/certs/controller.lab.example.com.crt \
-days 365 -sha256
cd /root/ansible-automation-platform-setup-bundle-2.2.2-1.2
cat > inventory << EOF
[automationcontroller]
controller.lab.example.com ansible_connection=local
[automationhub]
[database]
[servicescatalog_workers]
[all:vars]
admin_password='redhat'
pg_host=''
pg_port=''
pg_database='awx'
pg_username='awx'
pg_password='redhat'
tower_package_name=automation-controller
tower_package_version=4.2.2-3.el8ap
#registry_url='registry.redhat.io'
registry_username=''
registry_password=''
automationhub_admin_password='redhat'
automationhub_pg_host=''
automationhub_pg_port=''
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='redhat'
automationhub_pg_sslmode='prefer'
custom_ca_cert=/etc/pki/tls/certs/classroom-ca.pem
web_server_ssl_cert=/etc/pki/tls/certs/controller.lab.example.com.crt
web_server_ssl_key=/etc/pki/tls/private/controller.lab.example.com.key
EOF
./setup.sh -i inventory
systemctl status automation-controller
systemctl status postgresql
ss -tnlp | grep 443
If the preflight stops with:
TASK [ansible.automation_platform_installer.preflight : Preflight check - Fail if this machine lacks sufficient RAM.] ***
fatal: [controller.lab.example.com]: FAILED! => {"changed": false, "msg": "This machine does not have sufficient RAM to run Ansible Automation Platform."}
# not enough memory: add RAM to the VM, or lower the threshold (the preflight role's required_ram value) to fit your machine
vim collections/ansible_collections/ansible/automation_platform_installer/roles/preflight/defaults/main.yml
7️⃣ utility
Function:
Private registry (registry.lab.example.com:5000)
Stores the EE container images
Setup:
podman run -d -p 5000:5000 --name registry \
-v /opt/registry/data:/var/lib/registry \
registry:2
✅ Step 1: fetch ee-supported-rhel8.tar and registry-2.tar from bastion
# 1. download from bastion
curl -o /root/ee-supported-rhel8.tar http://172.25.250.254/software/ee-supported-rhel8.tar
curl -o /root/registry-2.tar http://172.25.250.254/software/registry-2.tar
✅ Step 2: set up the registry on utility and import the EE image
Log in to utility.lab.example.com (172.25.250.8):
# 2. load the registry image
podman load -i /root/registry-2.tar || podman pull registry:2
# 3. start the local registry (semanage comes from policycoreutils-python-utils)
mkdir -p /opt/registry/data
semanage fcontext -a -t container_file_t "/opt/registry/data(/.*)?" && restorecon -Rv /opt/registry/data
podman run -d -p 5000:5000 --name registry \
-v /opt/registry/data:/var/lib/registry \
registry:2
# the container does not come back after a reboot; if the lab is rebooted, wrap it in a unit with
# podman generate systemd --new --name registry
# Podman uses HTTPS for registries by default. Declare this one insecure BEFORE pushing, otherwise
# the push fails with a TLS error. Plain HTTP means no server authentication and no transport
# integrity for the images; acceptable only inside this isolated lab.
cat > /etc/containers/registries.conf.d/insecure.conf << EOF
[[registry]]
location = "registry.lab.example.com:5000"
insecure = true
EOF
# 4. load the EE image and push it to the registry
podman load -i /root/ee-supported-rhel8.tar
podman tag registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel8:1.0.0-1045 registry.lab.example.com:5000/ee-supported-rhel8:latest
podman push registry.lab.example.com:5000/ee-supported-rhel8:latest
✅ Step 3: test that the EE image is usable
On workstation:
[root@workstation ~]# curl http://registry.lab.example.com:5000/v2/_catalog
{"repositories":["ee-supported-rhel8"]}
podman pull registry.lab.example.com:5000/ee-supported-rhel8:latest
8️⃣ git
Function:
Hosts GitLab CE (Community Edition)
Provides the Git repository service
Web UI for managing projects
All Ansible playbooks are version-controlled through it
Setup:
dnf install -y gitlab-ce
✅ Step 1: install GitLab CE
dnf clean all && dnf makecache
dnf install -y gitlab-ce
✅ Step 2: configure GitLab CE
Generate a self-signed certificate (fully offline)
mkdir -p /etc/gitlab/ssl
chmod 700 /etc/gitlab/ssl
cd /etc/gitlab/ssl
## self-signed certificate; the subjectAltName is required, browsers reject a certificate that only has a CN
openssl req -newkey rsa:4096 -nodes -keyout git.lab.example.com.key \
-x509 -days 365 -out git.lab.example.com.crt \
-subj "/C=CN/ST=Lab/L=Lab/O=Lab/OU=IT/CN=git.lab.example.com" \
-addext "subjectAltName=DNS:git.lab.example.com"
## make GitLab serve HTTPS (this replaces the stock gitlab.rb; all other settings keep their defaults)
cat > /etc/gitlab/gitlab.rb <<EOF
external_url "https://git.lab.example.com"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.lab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.lab.example.com.key"
EOF
## open the firewall
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Apply the configuration
gitlab-ctl reconfigure
gitlab-ctl restart
✅ Step 3: reset the root password
(A fresh install also writes a temporary root password to /etc/gitlab/initial_root_password, valid for 24 hours; the console method below works in any case.)
[root@git ssl]# gitlab-rails console
--------------------------------------------------------------------------------
Ruby: ruby 3.1.4p223 (2023-03-30 revision 957bb7cb81) [x86_64-linux]
GitLab: 16.11.4 (83a2fa9fae0) FOSS
GitLab Shell: 14.35.0
PostgreSQL: 14.11
------------------------------------------------------------[ booted in 30.34s ]
Loading production environment (Rails 7.0.8.1)
irb(main):001:0> user = User.where(id: 1).first
=> #<User id:1 @root>
irb(main):002:0> user.password = 'Hello@163'
=> "Hello@163"
irb(main):003:0> user.password_confirmation = 'Hello@163'
=> "Hello@163"
irb(main):004:0> user.save!
=> true
irb(main):005:0> quit
[root@git ssl]# systemctl restart gitlab-runsvdir.service
# wait 3-5 minutes after the restart
✅ Step 4: trust the GitLab self-signed certificate
Linux:
# adjust the user if you do not SSH to git as root
scp root@git.lab.example.com:/etc/gitlab/ssl/git.lab.example.com.crt /etc/pki/ca-trust/source/anchors/
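The scp above drops the certificate straight into the trust anchors, so whatever the copy delivered becomes a trusted CA on the client. The added example below (not part of the original notes) stages the file in /tmp instead and installs it only after its SHA-256 fingerprint matches the value read on the git host console with `openssl x509 -in /etc/gitlab/ssl/git.lab.example.com.crt -noout -fingerprint -sha256`, and after confirming the certificate is unexpired and names git.lab.example.com in its SAN. The anchors directory default is the RHEL path used above; the certificate in the usage section is generated on the spot for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: pin the GitLab certificate's
# fingerprint before adding it to the system trust store, so a certificate
# swapped in transit (or on a compromised git host) is refused.
set -euo pipefail

# SHA-256 fingerprint of a PEM certificate in "AA:BB:..." form.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if the certificate is not expired and names the host in its SAN
# (a CN alone is not enough for browsers and podman).
cert_valid_for_host() {
  local pem=$1 fqdn=$2
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || return 1
  openssl x509 -in "$pem" -noout -text | grep -q "DNS:$fqdn"
}

# Copy the certificate into the anchors directory only if its fingerprint equals
# the expected one and it is valid for the host; otherwise install nothing, return 1.
trust_cert() {
  local pem=$1 fqdn=$2 expected=$3 anchors=${4:-/etc/pki/ca-trust/source/anchors}
  local actual
  actual=$(cert_fingerprint "$pem")
  if [ "$actual" != "$expected" ]; then
    echo "REFUSED: $pem fingerprint $actual != expected $expected" >&2
    return 1
  fi
  if ! cert_valid_for_host "$pem" "$fqdn"; then
    echo "REFUSED: $pem is expired or has no SAN for $fqdn" >&2
    return 1
  fi
  install -m 0644 "$pem" "$anchors/$(basename "$pem")"
  echo "trusted $(basename "$pem") ($actual)"
}

# Usage on workstation, with FP copied from the git host console:
#   scp root@git.lab.example.com:/etc/gitlab/ssl/git.lab.example.com.crt /tmp/
#   trust_cert /tmp/git.lab.example.com.crt git.lab.example.com "$FP" && update-ca-trust extract
if [ "$#" -eq 3 ]; then
  trust_cert "$1" "$2" "$3"
fi
```

Read the fingerprint on the git host's own console rather than over the same SSH session that fetches the file; the point is that the two values travel independently.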
## refresh the system CA trust
update-ca-trust extract
Windows:
## print /etc/gitlab/ssl/git.lab.example.com.crt and paste its contents into a git.lab.example.com.crt file on Windows
Import the certificate on Windows:
double-click git.lab.example.com.crt
click Install Certificate
choose Local Machine
choose Trusted Root Certification Authorities as the store
finish the import
✅ Step 5: verify
# run on workstation
curl -I https://git.lab.example.com/
## HTTP/2 302 or 200 OK means the certificate is trusted
✅ Step 6: create the student user
Run on the git host
# create the student user; GitLab creates the matching namespace with it
[root@git ssl]# gitlab-rails console
--------------------------------------------------------------------------------
Ruby: ruby 3.1.4p223 (2023-03-30 revision 957bb7cb81) [x86_64-linux]
GitLab: 16.11.4 (83a2fa9fae0) FOSS
GitLab Shell: 14.35.0
PostgreSQL: 14.11
------------------------------------------------------------[ booted in 30.34s ]
Loading production environment (Rails 7.0.8.1)
### run the following to create the user ###
# do not create a Namespace with path 'student' beforehand: it would collide with the one built below
user = User.new(
  username: 'student',
  name: 'Student User',
  email: 'student@lab.example.com',   # any syntactically valid address works; the lab has no mail
  password: 'Hello@163',
  password_confirmation: 'Hello@163'
)
user.skip_confirmation!
user.build_namespace(name: user.username, path: user.username, type: 'User')
user.save!
quit
✅ Step 7: upload the test-environment projects to GitLab
Add an SSH key
ssh-keygen -t ed25519 -f ~/.ssh/gitlab_rsa
The following is done in the web UI:
1. Log in to https://git.lab.example.com as student
2. Add the .pub contents under GitLab → Preferences → SSH Keys
Direct link:
https://git.lab.example.com/-/user_settings/ssh_keys
Upload the projects
# as the student user
curl -o /home/student/gitlab_mirror.tar.gz http://bastion.lab.example.com/ProjectFiles/gitlab_mirror.tar.gz
tar -xf gitlab_mirror.tar.gz
curl -o push_to_gitlab.sh http://bastion.lab.example.com/ProjectFiles/push_to_gitlab.sh
bash push_to_gitlab.sh
### the script pushes over HTTPS, so every iteration of the loop prompts for the student password (the SSH key above is not used by it) ###
[root@workstation gitlab_mirror]# ls -lg
total 0
drwxrwxr-x. 7 student 138 Jul 28 22:25 tune_ansible.git
[root@workstation gitlab_mirror]# cd tune_ansible.git/
[root@workstation tune_ansible.git]# git remote set-url origin https://git.lab.example.com/student/tune_ansible.git
[root@workstation tune_ansible.git]# git push --mirror
Username for 'https://git.lab.example.com': student
Password for 'https://[email protected]':
Enumerating objects: 8, done.
Counting objects: 100% (8/8), done.
Delta compression using up to 2 threads
Compressing objects: 100% (6/6), done.
Writing objects: 100% (8/8), 744 bytes | 744.00 KiB/s, done.
Total 8 (delta 1), reused 0 (delta 0), pack-reused 0
remote:
remote:
remote: The private project root/tune_ansible was successfully created.
remote:
remote: To configure the remote, run:
remote: git remote add origin https://git.lab.example.com/student/tune_ansible.git
remote:
remote: To view the project, visit:
remote: https://git.lab.example.com/student/tune_ansible
remote:
remote:
remote:
To https://git.lab.example.com/student/tune_ansible.git
* [new branch] master -> master
[root@workstation tune_ansible.git]#
Set the default branch protection to "Partially protected"
Log in as root, then Settings → Repository → Default branch → Partially protected (admin area):
`https://git.lab.example.com/admin/application_settings/repository`
Errors
Podman: 500 Internal Server Error
[root@utility ~]# podman push registry.lab.example.com:5000/ee-supported-rhel8:latest
Getting image source signatures
Copying blob 9c79e462130a [--------------------------------------] 8.0b / 89.9MiB
Copying blob b4e846f994ae [--------------------------------------] 8.0b / 58.6MiB
Copying blob 871cc3af8a9e [--------------------------------------] 8.0b / 143.9MiB
Copying blob 70419e0ba9e7 [--------------------------------------] 8.0b / 1.1GiB
Error: writing blob: initiating layer upload to /v2/ee-supported-rhel8/blobs/uploads/ in registry.lab.example.com:5000: received unexpected HTTP status: 500 Internal Server Error
[root@utility ~]#
Fix
Possible causes:
1️⃣ Wrong permissions on /opt/registry/data → the registry container cannot write blobs.
2️⃣ Container polluted by an old configuration → the data directory left by a previous start is in an incompatible format.
3️⃣ SELinux denial (enabled by default on RHEL; the registry container's bind mount needs the container_file_t label). Confirm with ausearch -m AVC -ts recent before changing anything.
# Method 1:
## start from a clean directory with correct ownership
systemctl stop podman || true
podman stop registry || true
podman rm registry || true
rm -rf /opt/registry/data    # this also deletes every image already pushed
mkdir -p /opt/registry/data
chown -R 1000:1000 /opt/registry/data
## restart the registry container
podman run -d --name registry \
-p 5000:5000 \
-v /opt/registry/data:/var/lib/registry:Z \
registry:2
## Note the :Z: it makes Podman relabel the directory for SELinux. The registry:2 image runs as root,
## so when SELinux is the cause it is the :Z relabel, not the chown, that clears the 500.
# Method 2:
semanage fcontext -a -t container_file_t "/opt/registry/data(/.*)?" && restorecon -Rv /opt/registry/data
The student user's rootless Podman storage is corrupted
[student@worstation ~]$ ansible-navigator run init-servers.yml
------------------------------------------------------------------------------------------
Execution environment image and pull policy overview
------------------------------------------------------------------------------------------
Execution environment image name: registry.lab.example.com:5000/ee-supported-rhel8:latest
Execution environment image tag: latest
Execution environment pull arguments: None
Execution environment pull policy: missing
Execution environment pull needed: True
------------------------------------------------------------------------------------------
Updating the execution environment
------------------------------------------------------------------------------------------
Running the command: podman pull registry.lab.example.com:5000/ee-supported-rhel8:latest
Trying to pull registry.lab.example.com:5000/ee-supported-rhel8:latest...
Getting image source signatures
Copying blob b6ba26064f37 skipped: already exists
Copying blob 479db9119d59 skipped: already exists
Copying blob 3b61b03f5ac7 skipped: already exists
Copying blob 8302e5ecab89 skipped: already exists
Copying config 7127804fe9 done
Writing manifest to image destination
Storing signatures
7127804fe9eed9ea4eb45946e1b8d05e7451164b7c2d33477d4a7a97322f4ea8
WARN[0000] Can't read link "/home/student/.local/share/containers/storage/overlay/l/NSP2BRNRKC23KR6FWYLNW6XNDU" because it does not exist. A storage corruption might have occurred, attempting to recreate the missing symlinks. It might be best wipe the storage to avoid further errors due to storage corruption.
Error: readlink /home/student/.local/share/containers/storage/overlay/l/NSP2BRNRKC23KR6FWYLNW6XNDU: no such file or directory
Please review the log for errors.
Fix
Run the reset as whichever user hit the error. It wipes that user's images, containers and volumes, so pull the EE again afterwards:
podman system reset -f
Resource downloads
#
dnf install -y skopeo
cd /
skopeo copy docker://registry.redhat.io/ansible-automation-platform-24/controller-rhel8:4.5.24-2-source
registry.redhat.io/ansible-automation-platform-22/ansible-automation-hub-rhel8