While doing routine operations recently we found crypto-mining malware exploiting GitLab's CVE-2021-22205 and eating the server's resources. CVE-2021-22205 is a remote code execution bug in GitLab's ExifTool-based image handling; it was fixed in 13.8.8, 13.9.6 and 13.10.3, so a 13.7.4 instance is exposed to it. To solve the problem for good we decided to migrate GitLab to a new server and upgrade it.
Background
| Server | OS | GitLab version | Note |
|---|---|---|---|
| Original server A | Ubuntu | 13.7.4 | called ServerA below |
| Migration target server B | Ubuntu | 15.3.3 (after the upgrade) | called ServerB below |
Rough steps:
- ServerA: back up GitLab
- ServerB: restore GitLab on the same version as the backup
- ServerB: upgrade GitLab step by step
Backup
Data
We run GitLab 13.7.4 with Docker Compose, so the backup is started from the host. GitLab 12.2 and later ship the gitlab-backup wrapper:
```shell
docker exec -t <container name> gitlab-backup create
```
GitLab 12.1 and earlier use the rake task directly (it still works on later versions, which is what we used below):
```shell
docker exec -t <container name> gitlab-rake gitlab:backup:create
```
Start the backup:
```text
$ docker exec -t 985506cf361c gitlab-rake gitlab:backup:create
2022-09-16 02:56:34 +0000 -- Dumping database ...
Dumping PostgreSQL database gitlabhq_production ... [DONE]
...
Backup task is done.
```
Check the backup file. The default backup path is /var/opt/gitlab/backups; if you are not sure, look in the container's /etc/gitlab/gitlab.rb for `gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"`, which sets the backup directory.
```text
$ docker exec -it 985506cf361c bash
root@985506cf361c:/# cd /var/opt/gitlab/backups
root@985506cf361c:/var/opt/gitlab/backups# ls
123456_2022_09_16_13.7.4_gitlab_backup.tar
```
The archive name has the form `<timestamp>_<date>_<GitLab version>_gitlab_backup.tar` (123456 stands in for the real timestamp); the version in the name is the one ServerB has to run for the restore. Copy the archive from the container to the host's home directory:
```shell
docker cp gitlab:/var/opt/gitlab/backups/123456_2022_09_16_13.7.4_gitlab_backup.tar ~/
```
Configuration
The backup Rake task GitLab provides does not store the configuration files, so these two have to be backed up separately:
```text
/etc/gitlab/gitlab-secrets.json
/etc/gitlab/gitlab.rb
```
gitlab-secrets.json holds the keys that encrypt database columns (CI/CD variables, two-factor secrets, integration credentials); a restore without it leaves that data unreadable, so keep the copy and treat it as sensitive. Copy the configuration directory to the host's home directory as well:
```shell
docker cp gitlab:/etc/gitlab ~/
```
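As an added example (not the post's own commands), here are the backup steps above wrapped into one host-side script that also does the things worth doing after an incident: it keeps gitlab-secrets.json and the archive with restricted permissions, writes SHA-256 checksums so the copy to ServerB can be verified, and reports the GitLab version embedded in the archive name, since ServerB must run exactly that version for the restore. The container name is passed as the first argument; the default backup path inside the container and the output directory ~/gitlab-migration are assumptions.

```shell
#!/bin/sh
# Added example: wrap the backup steps from the post (gitlab-backup create, docker cp of the
# archive and of /etc/gitlab) into one host-side script with integrity checks.
# Assumptions: container name given as $2, default backup_path inside the container,
# output directory $3 (default ~/gitlab-migration). Not part of the original post.
set -eu

# 123456_2022_09_16_13.7.4_gitlab_backup.tar -> 123456_2022_09_16_13.7.4
# (the form the restore side needs for BACKUP=...)
backup_stem() {
    case "$1" in
        *_gitlab_backup.tar) printf '%s\n' "${1%_gitlab_backup.tar}" ;;
        *) echo "not a GitLab backup archive name: $1" >&2; return 1 ;;
    esac
}

# Version that produced the archive: the stem is <timestamp>_<YYYY>_<MM>_<DD>_<version>,
# so the version is the fifth '_'-separated field (e.g. 13.7.4, or 13.7.4-ee on EE).
backup_version() {
    stem=$(backup_stem "$1") || return 1
    printf '%s\n' "$stem" | awk -F_ 'NF >= 5 && $5 != "" { print $5; ok = 1 } END { exit ok ? 0 : 1 }'
}

run_backup() {
    container=$1
    out=${2:-$HOME/gitlab-migration}
    mkdir -p "$out"
    chmod 700 "$out"                      # the secrets file will live here

    # 1. application data (database, repositories, uploads, ...). The gitlab-backup
    #    wrapper exists on GitLab 12.2+; STRATEGY=copy avoids "file changed as we read it".
    docker exec -t "$container" gitlab-backup create STRATEGY=copy

    # 2. newest archive in the container's backup directory
    tar=$(docker exec "$container" sh -c 'ls -t /var/opt/gitlab/backups/*_gitlab_backup.tar | head -n 1')
    name=$(basename "$tar")
    docker cp "$container:$tar" "$out/$name"

    # 3. configuration and secrets are NOT inside the archive (see the warning printed by
    #    the restore task); without gitlab-secrets.json the restored instance cannot
    #    decrypt CI/CD variables, 2FA secrets or integration credentials.
    docker cp "$container:/etc/gitlab/gitlab.rb" "$out/gitlab.rb"
    docker cp "$container:/etc/gitlab/gitlab-secrets.json" "$out/gitlab-secrets.json"
    chmod 600 "$out/gitlab-secrets.json" "$out/$name"

    # 4. checksums, verified on ServerB with `sha256sum -c SHA256SUMS` before restoring
    (cd "$out" && sha256sum "$name" gitlab.rb gitlab-secrets.json > SHA256SUMS)

    echo "archive $name was produced by GitLab $(backup_version "$name");"
    echo "restore it on ServerB running that same version with BACKUP=$(backup_stem "$name")"
}

# Only run the backup when invoked as: ./gitlab-backup.sh create <container> [outdir]
case "${1:-}" in
    create) run_backup "${2:?container name required}" "${3:-}" ;;
esac
```

Run it as `./gitlab-backup.sh create <container> [outdir]`. The two functions that parse the archive name are kept separate because the restore side needs exactly those values: the BACKUP= stem and the version the container must run.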
Migration
Start the same version
The restore task only accepts an archive produced by the GitLab version it is running on, so ServerB first starts the 13.7.4 image. Example docker-compose.yaml:
```yaml
version: '3.3'
services:
  web:
    image: gitlab/gitlab-ce:13.7.4-ce.0
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.example.com'
        # Add any other gitlab.rb configuration here, each on its own line
    ports:
      - '80:80'
      - '443:443'
      - '22:22'   # the host's own sshd must listen on another port for this mapping to bind
    volumes:
      - './volumes/gitlab/config:/etc/gitlab'
      - './volumes/gitlab/logs:/var/log/gitlab'
      - './volumes/gitlab/data:/var/opt/gitlab'
    shm_size: '256m'
```
Configuration
Put the gitlab.rb and gitlab-secrets.json saved from ServerA into the config volume on ServerB (./volumes/gitlab/config, mounted at /etc/gitlab) before restoring the data, then run `gitlab-ctl reconfigure` inside the container so the secrets are loaded. Check gitlab.rb for host-specific settings (external_url, certificate paths) before copying it over. Without gitlab-secrets.json the restore still finishes, but the encrypted columns cannot be decrypted afterwards.
Data
Copy the backup from ServerA into ServerB's container (it can also be dropped directly into ./volumes/gitlab/data/backups on the host, which is the same directory):
```shell
docker cp 123456_2022_09_16_13.7.4_gitlab_backup.tar gitlab:/var/opt/gitlab/backups/
```
Enter the container and stop the processes that connect to the database, leaving the rest of GitLab running. On 13.0 and later the web server is Puma (Unicorn was the default before 13.0, so older instructions say `gitlab-ctl stop unicorn`, which does not match a service on a fresh 13.7 install):
```text
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl stop puma
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl stop sidekiq
ok: down: sidekiq: 0s, normally up
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl status
```
The archive must be owned by the git user, which the restore task runs as (needed when docker cp copied it in as root, because the file is then root-owned):
```shell
chown git:git /var/opt/gitlab/backups/<backup>_gitlab_backup.tar
```
Start the restore. BACKUP= takes the archive name without the `_gitlab_backup.tar` suffix (on 12.2+ `gitlab-backup restore BACKUP=...` is the equivalent). The task asks for confirmation twice because it drops the existing database and rebuilds the authorized_keys file:
```text
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-rake gitlab:backup:restore BACKUP=123456_2022_09_16_13.7.4
Unpacking backup ... done
Do you want to continue (yes/no)? yes
...
Do you want to continue (yes/no)? yes
Warning: Your gitlab.rb and gitlab-secrets.json files contain sensitive data
and are not included in this backup. You will need to restore these files manually.
Restore task is done.
```
Start GitLab again:
```text
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-ctl start
```
Log in at http://ServerB and check that GitLab works. It is also worth running `gitlab-rake gitlab:check SANITIZE=true` inside the container; it flags missing secrets, wrong repository ownership and similar restore leftovers. Because ServerA had been compromised through a remote code execution bug, the restored data may contain anything the attacker added while the instance was under their control (SSH keys, personal access and deploy tokens, runners, webhooks, extra admin accounts), so review those in the Admin Area and rotate the tokens before exposing ServerB.
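Added example, not from the original post: the restore steps above as one script run on ServerB's host, with the checks you want before a task that drops a database: the copied files are verified against the checksums made on ServerA, the running container must be exactly the version named in the archive (the restore task aborts on a version mismatch), gitlab.rb and gitlab-secrets.json go in place and `gitlab-ctl reconfigure` runs before the data is restored, and `gitlab:check` runs at the end. Assumed: the container is named gitlab (as in the post's docker cp commands), the copied files are in ~/gitlab-migration, and /etc/gitlab is the compose config volume.

```shell
#!/bin/sh
# Added example (not from the original post): restore on ServerB with preflight checks.
# Assumptions: files from ServerA are in $3 (archive, gitlab.rb, gitlab-secrets.json,
# SHA256SUMS), the container is named $4 (default: gitlab) and /etc/gitlab is the compose
# config volume. Usage: ./gitlab-restore.sh restore <archive name> [dir] [container]
set -eu

# Strip an optional -ce/-ee suffix so "13.7.4" and "13.7.4-ee" compare equal.
version_matches() {
    a=${1%-ce}; a=${a%-ee}
    b=${2%-ce}; b=${b%-ee}
    [ "$a" = "$b" ]
}

# Version of the omnibus package running in the container.
running_version() {
    docker exec "$1" cat /opt/gitlab/embedded/service/gitlab-rails/VERSION | tr -d '\r'
}

run_restore() {
    archive=$1
    dir=${2:-$HOME/gitlab-migration}
    container=${3:-gitlab}
    stem=${archive%_gitlab_backup.tar}
    backup_ver=$(printf '%s\n' "$stem" | cut -d_ -f5)

    # 1. the copy from ServerA must be intact, the archive and the secrets file in particular
    (cd "$dir" && sha256sum -c SHA256SUMS)

    # 2. restore only onto the version that produced the archive
    current=$(running_version "$container")
    version_matches "$backup_ver" "$current" || {
        echo "backup is from GitLab $backup_ver but the container runs $current" >&2
        exit 1
    }

    # 3. secrets and config first, then reconfigure so the new secrets are loaded
    docker cp "$dir/gitlab-secrets.json" "$container:/etc/gitlab/gitlab-secrets.json"
    docker cp "$dir/gitlab.rb" "$container:/etc/gitlab/gitlab.rb"   # review host-specific settings first
    docker exec "$container" gitlab-ctl reconfigure

    # 4. archive into the backup dir, owned by git (docker cp leaves it root-owned)
    docker cp "$dir/$archive" "$container:/var/opt/gitlab/backups/$archive"
    docker exec "$container" chown git:git "/var/opt/gitlab/backups/$archive"

    # 5. stop the services that talk to the database, restore, start everything again
    docker exec "$container" gitlab-ctl stop puma
    docker exec "$container" gitlab-ctl stop sidekiq
    docker exec -it "$container" gitlab-backup restore "BACKUP=$stem"   # answer the yes/no prompts
    docker exec "$container" gitlab-ctl restart

    # 6. sanity check: reports missing secrets, wrong repository permissions and the like
    docker exec "$container" gitlab-rake gitlab:check SANITIZE=true
}

case "${1:-}" in
    restore) run_restore "${2:?archive name required}" "${3:-}" "${4:-}" ;;
esac
```

Run it as `./gitlab-restore.sh restore 123456_2022_09_16_13.7.4_gitlab_backup.tar` from a terminal, since the restore task prompts interactively. The version check is deliberately strict: the restore task refuses a mismatched version, and the reconfigure step would otherwise have already overwritten the fresh instance's secrets.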
Upgrade GitLab
Now the version upgrade. We took the downtime (offline) upgrade approach, which takes a while (around 3 to 4 hours), so pick a suitable window. Upgrade path: 13.7.4 -> 13.8.8 -> 13.12.15 -> 14.0.12 -> 14.3.6 -> 14.6.2 -> 14.9.5 -> 14.10.5 -> 15.0.2 -> 15.1.0 -> 15.3.3. Each hop is done by changing the image tag in docker-compose.yaml and running `docker-compose up -d`; wait until the container is healthy and its background migrations have finished before moving to the next tag. Note that the very first hop, 13.8.8, is already a release that fixes CVE-2021-22205. The image tags used, from the docker-compose.yaml (the active tag moves one line at each hop and the previous one is commented out):
```yaml
services:
  gitlab:
    image: gitlab/gitlab-ce:15.3.3-ce.0
    # image: gitlab/gitlab-ce:15.1.0-ce.0
    # image: gitlab/gitlab-ce:15.0.2-ce.0
    # image: gitlab/gitlab-ce:14.10.5-ce.0
    # image: gitlab/gitlab-ce:14.9.5-ce.0
    # image: gitlab/gitlab-ce:14.6.2-ce.0
    # image: gitlab/gitlab-ce:14.3.6-ce.0
    # image: gitlab/gitlab-ce:14.0.12-ce.0
    # image: gitlab/gitlab-ce:13.12.15-ce.0
    # image: gitlab/gitlab-ce:13.8.8-ce.0
    # image: gitlab/gitlab-ce:13.7.4-ce.0
```
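Added example, not from the original post: a driver for the upgrade path above. `next_stop` walks the list of stops, `vercmp` compares dotted versions numerically (a plain string compare would sort 13.10.x before 13.9.x), and `cve_2021_22205_fixed` tells you whether a given version is past the fix for the bug that started all this; that last function goes beyond the single path here and works for any version number. `wait_until_ready` uses the gitlab-ce image's HEALTHCHECK and the background-migration checks from GitLab's upgrade documentation before moving to the next tag. Assumed: docker-compose.yaml is in the current directory with one uncommented `image: gitlab/gitlab-ce:<tag>` line, the container is named gitlab, and healthy plus no pending background migrations is the right readiness condition for your instance.

```shell
#!/bin/sh
# Added example (not from the original post): walk the post's upgrade path one stop at a
# time. Assumptions: docker-compose.yaml in the current directory with a single uncommented
# "image: gitlab/gitlab-ce:<tag>" line, the container named $2 (default gitlab), and
# "healthy + no remaining background migrations" as the condition for moving on.
# Usage: ./gitlab-upgrade.sh run [container]
set -eu

# The stops from the post, in order.
UPGRADE_PATH="13.7.4 13.8.8 13.12.15 14.0.12 14.3.6 14.6.2 14.9.5 14.10.5 15.0.2 15.1.0 15.3.3"

# Compare dotted versions numerically: prints -1, 0 or 1 (13.10.3 > 13.9.6, unlike a string compare).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Next stop after $1 on the path; fails if $1 is the last stop or not on the path at all.
next_stop() {
    prev=""
    for v in $UPGRADE_PATH; do
        if [ "$prev" = "$1" ]; then printf '%s\n' "$v"; return 0; fi
        prev=$v
    done
    echo "$1 is not followed by a stop on the upgrade path" >&2
    return 1
}

# CVE-2021-22205 (ExifTool RCE) affects 11.9 up to the fixed releases 13.8.8, 13.9.6 and 13.10.3.
# Returns 0 when $1 is a fixed (or unaffected) version, 1 when it is vulnerable.
cve_2021_22205_fixed() {
    v=${1%-ce}; v=${v%-ee}
    [ "$(vercmp "$v" 11.9.0)" -lt 0 ] && return 0      # ExifTool not yet used
    [ "$(vercmp "$v" 13.8.8)" -lt 0 ] && return 1
    [ "$(vercmp "$v" 13.9.0)" -lt 0 ] && return 0      # 13.8.8 and later 13.8.x
    [ "$(vercmp "$v" 13.9.6)" -lt 0 ] && return 1
    [ "$(vercmp "$v" 13.10.0)" -lt 0 ] && return 0     # 13.9.6 and later 13.9.x
    [ "$(vercmp "$v" 13.10.3)" -lt 0 ] && return 1
    return 0                                           # 13.10.3 and everything after
}

# Block until the container is healthy and its background migrations have drained.
# The rails-runner calls are the checks from GitLab's upgrade documentation; the
# batched-migration model only exists from 14.0 on, so that check is skipped on 13.x.
wait_until_ready() {
    container=$1; version=$2
    until [ "$(docker inspect --format '{{.State.Health.Status}}' "$container")" = healthy ]; do
        sleep 30
    done
    until [ "$(docker exec "$container" gitlab-rails runner 'puts Gitlab::BackgroundMigration.remaining' | tr -d '\r')" = 0 ]; do
        sleep 60
    done
    if [ "$(vercmp "$version" 14.0.0)" -ge 0 ]; then
        until [ "$(docker exec "$container" gitlab-rails runner 'puts Gitlab::Database::BackgroundMigration::BatchedMigration.queued.count' | tr -d '\r')" = 0 ]; do
            sleep 60
        done
    fi
}

upgrade_to() {
    version=$1; container=$2
    sed -i "s#^\( *\)image: gitlab/gitlab-ce:.*#\1image: gitlab/gitlab-ce:${version}-ce.0#" docker-compose.yaml
    docker-compose up -d
    wait_until_ready "$container" "$version"
    echo "now on $version (CVE-2021-22205 fixed: $(cve_2021_22205_fixed "$version" && echo yes || echo no))"
}

run_upgrade() {
    container=${1:-gitlab}
    current=$(docker exec "$container" cat /opt/gitlab/embedded/service/gitlab-rails/VERSION | tr -d '\r')
    while next=$(next_stop "$current" 2>/dev/null); do
        upgrade_to "$next" "$container"
        current=$next
    done
    echo "finished at $current"
}

case "${1:-}" in
    run) run_upgrade "${2:-}" ;;
esac
```

Run `./gitlab-upgrade.sh run` from the compose directory; it reads the version currently running and stops when no further stop exists. Each hop still costs the time mentioned above and the script has no rollback, so take a fresh backup before the first hop.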
Problems encountered
- The restore from the backup got stuck:
```text
$ docker exec -it 7ddbcc0a6eb2 gitlab-rake gitlab:backup:restore BACKUP=123456_2022_09_16_13.7.4
Unpacking backup ... done
Do you want to continue (yes/no)? yes
```
Fix: enter the container, fix the ownership of the archive, and run the restore from inside (BACKUP= can be omitted when the backup directory holds a single archive):
```text
# chown -R git:git /var/opt/gitlab/backups/<backup>_gitlab_backup.tar
root@23b5e49fc9ea:/var/opt/gitlab/backups# gitlab-rake gitlab:backup:restore
```
Note: add --trace (`gitlab-rake gitlab:backup:restore --trace`) to see the full output of the task.
References
- Back up GitLab: https://docs.gitlab.com/ee/raketasks/backup_gitlab.html#storing-configuration-files
- Restore GitLab: https://docs.gitlab.com/ee/raketasks/restore_gitlab.html#restore-prerequisites
- GitLab upgrade paths: https://docs.gitlab.com/ee/update/#upgrade-paths
- Docker Hub, gitlab/gitlab-ce tags: https://hub.docker.com/r/gitlab/gitlab-ce/tags
- Docker GitLab backup and restore (Chinese): https://www.xtcoder.com/archives/docker-gitlab-backup-restore
- GitLab emergency fix for CVE-2021-22205 (Chinese): https://overstarry.vip/posts/gitlab_cve-2021-22205/