最近在日常运维过程，发现挖矿病毒利用GitLab的CVE-2021-22205漏洞，消耗服务器的资源。为了彻底解决问题，决定对GitLab进行迁移和版本升级。

前提

大致步骤：

1. ServerA:备份GitLab
2. ServerB:恢复GitLab
3. ServerB:更新GitLab版本

备份

数据

这里我们是用DockerCompose运行的GitLab-13.7.4，从主机运行备份： GitLab 12.2 或更高版本：

$docker exec -t <container name> gitlab-backup create

GitLab 12.1 及更早版本：

$docker exec -t <container name> gitlab-rake gitlab:backup:create

开始备份:

$ docker exec -t 985506cf361c gitlab-rake gitlab:backup:create
2022-09-16 02:56:34 +0000 -- Dumping database ...
Dumping PostgreSQL database gitlabhq_production ... [DONE]
...
Backup task is done.

查看备份文件： 默认的备份路径为 /var/opt/gitlab/backups，如果不知道保存路径，可以从容器的 /etc/gitlab/gitlab.rb 文件，查找 gitlab_rails[‘backup_path’] = “/var/opt/gitlab/backups” 此为备份目录。

$ docker exec -it 985506cf361c bash
root@985506cf361c:/# cd /var/opt/gitlab/backups
root@985506cf361c:/var/opt/gitlab/backups# ls
123456_2022_09_16_13.7.4—_gitlab_backup.tar

将容器数据备份拷贝到主机的当前目录

docker cp gitlab:/var/opt/gitlab/backups/123456_2022_09_16_13.7.4_gitlab_backup.tar  ~/

配置

GitLab 提供的备份 Rake 任务不存储您的配置文件,故而这里需要收到备份

/etc/gitlab/gitlab-secrets.json
/etc/gitlab/gitlab.rb

再将配置备份拷贝到主机的当前目录

docker cp gitlab:/etc/gitlab  ~/

迁移

相同版本启动

docker-compose.yaml 示例如下

version: '3.3'
services:
  web:
    image: gitlab/gitlab-ce:13.7.4-ce.0
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.com'
        # Add any other gitlab.rb configuration here, each on its own line        
    ports:
      - '80:80'
      - '443:443'
      - '22:22'
    volumes:
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/data:/var/opt/gitlab'
    shm_size: '256m'

配置

数据

将ServerA的备份拷贝到ServerB

docker cp 1123456_2022_09_16_13.7.4_gitlab_backup.tar gitlab:/var/opt/gitlab/backups/

进入容器，

停止连接到数据库的进程。让 GitLab 的其余部分继续运行

root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl stop unicorn
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl stop sidekiq
ok: down: sidekiq: 0s, normally up
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl status

备份文件必须是git用户所有者（root下导入才需要）

# chown -R git:git /var/opt/gitlab/backups/备份.tar

开始还原备份

root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-rake gitlab:backup:restore BACKUP=123456_2022_09_16_13.7.4
Unpacking backup ... done

Do you want to continue (yes/no)? yes
...
Do you want to continue (yes/no)? yes

Warning: Your gitlab.rb and gitlab-secrets.json files contain sensitive data
and are not included in this backup. You will need to restore these files manually.
Restore task is done.

启动GitLab

root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl start

登入http://ServerB，检查GitLab正常运行。

更新GitLab版本

接着开始更新版本，这里采用的停机升级方案，耗时较久（大概3～4小时），所以需要选择适当时机更新。更新路线： 13.7.4-> 13.8.8->13.12.15-> 14.0.12-> 14.3.6=>14.6.2-> 14.9.5-> 14.10.5-> 15.0.2->15.1.0

services:
   gitlab:
    image: gitlab/gitlab-ce:15.3.3-ce.0
#    image: gitlab/gitlab-ce:15.1.0-ce.0
#    image: gitlab/gitlab-ce:15.0.2-ce.0
#    image: gitlab/gitlab-ce:14.10.5-ce.0
#    image: gitlab/gitlab-ce:14.9.5-ce.0
#    image: gitlab/gitlab-ce:14.6.2-ce.0
#    image: gitlab/gitlab-ce:14.3.6-ce.0
#    image: gitlab/gitlab-ce:14.0.12-ce.0
#    image: gitlab/gitlab-ce:13.12.15-ce.0
#    image: gitlab/gitlab-ce:13.8.8-ce.0
#    image: gitlab/gitlab-ce:13.7.4-ce.0

遇到的问题

1. 在使用备份恢复GitLab时卡住

$ docker exec -it 7ddbcc0a6eb2 gitlab-rake gitlab:backup:restore BACKUP=1123456_2022_09_16_13.7.4
Unpacking backup ... done
Do you want to continue (yes/no)? yes

处理方式：进入容器,授权,执行恢复

# chown -R git:git /var/opt/gitlab/backups/备份.tar
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-rake gitlab:backup:restore 

备注：增加 gitlab-rake gitlab:backup:restore –trace 查看详细信息.

参考

• 备份GitLab https://docs.gitlab.com/ee/raketasks/backup_gitlab.html#storing-configuration-files
• 恢复GitLab https://docs.gitlab.com/ee/raketasks/restore_gitlab.html#restore-prerequisites
• GitLab升级路径 https://docs.gitlab.com/ee/update/#upgrade-paths
• Docker Hub-Gitlab.Ce https://hub.docker.com/r/gitlab/gitlab-ce/tags
• Docker gitlab备份与还原 https://www.xtcoder.com/archives/docker-gitlab-backup-restore
• Gitlab 应急解决方案 https://overstarry.vip/posts/gitlab_cve-2021-22205/

问题

在mac m1 构建的docker镜像（image:v1.0），在ubuntu上面运行报错：

smart-service | standard_init_linux.go:228: exec user process caused: exec format error

$ uname -m
 arm64

由于m1是arm64架构,而ubuntu的是x86_64架构，那有没有可以在mac上面构建x86_64的镜像的方法呢？

解决步骤

在 Docker 19.03+ 版本中可以使用

$ docker buildx build

命令使用 BuildKit 构建镜像。该命令支持 –platform 参数可以同时构建支持多种系统架构的 Docker 镜像。 更多参考：

https://docs.docker.com/engine/reference/commandline/buildx/

Sep1 启用experimental features

Docker 的 buildx 还是实验性功能，需要在 Docker Desktop 设置中开启。

Preferences > Experimental Features > Enable CLI experimental features

Sep2 创建builder

由于 Docker 默认的 builder 实例不支持同时指定多个 –platform，我们必须首先创建一个新的 builder 实例。

$ docker buildx create --use --name my_builder

国内环境使用:

• 网易云镜像

$ docker buildx create --use --name=mybuilder --driver docker-container --driver-opt image=dockerpracticesig/buildkit:master

• 百度云镜像

$ docker buildx create --use --name=mybuilder --driver docker-container --driver-opt image=dockerpracticesig/buildkit:master-baidu

查看实例详情：

docker buildx inspect --bootstrap

output:

$ docker buildx inspect --bootstrap
[+] Building 4.9s (1/1) FINISHED
 => [internal] booting buildkit                           
 => => starting container buildx_buildkit_my_builder0     
Name:   my_builder
Driver: docker-container

Nodes:
Name:      my_builder0
Endpoint:  unix:///var/run/docker.sock
Status:    running
Platforms: linux/arm64, linux/amd64, linux/amd64/v2, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6

Sep3 构建

使用 $ docker buildx build 命令构建镜像

     docker buildx build
      –platform linux/amd64,linux/arm64  –push -t myusername:v2.0 .

• –platfrom 不同的架构
• –push 将构建好的镜像推送到 Docker 仓库

构建完 push 上去以后，可以查看远程仓库的 manifest：

 docker buildx imagetools inspect myusername:v2.0 

output:

$ docker buildx imagetools inspect myusername:v2.0 
Name:      myusername:v2.0 
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:c234123456XXXyyyy3a7123456XXXyyyyd28de6c376d2f123456XXXyyyy9edf2

Manifests:
  Name:      myusername:v2.0 @sha123456XXXyyyy777122
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

  Name:      myusername:v2.0 @sha123456XXXyyyy777123
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64

显示已经支持不同架构

Sep4 测试

在Ubuntu下（v2.0镜像）运行

Status: Downloaded newer image for 
myusername:v0.2
Recreating my-service ... done 
my-service | INFO msg=[HTTP] server listening on: [::]:8000

正常运行 Succeed

总结

本文主要介绍 使用 buildx 构建多种系统架构支持的 Docker 镜像

参考：

• https://docs.docker.com/desktop/mac/apple-silicon/
• https://docs.docker.com/engine/reference/commandline/buildx/
• https://yeasy.gitbook.io/docker_practice/buildx/multi-arch-images
• https://prinsss.github.io/build-x86-docker-images-on-an-m1-macs