Tuesday, June 7, 2022

Adding trusted root certificates to the server


 Ref: https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.

Use the following steps to add or remove trusted root certificates to/from a server.

Mac OS X

Function | Method
Add

Use command:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt

Remove

Use command:

sudo security delete-certificate -c "<name of existing certificate>"

Windows

Function | Method
Add

Use command:

certutil -addstore -f "ROOT" new-root-certificate.crt

Remove

Use command:

certutil -delstore "ROOT" serial-number-hex

Linux (Ubuntu, Debian)

Function | Method
Add
  1. Copy your CA to dir /usr/local/share/ca-certificates/
  2. Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
  3. Update the CA store: sudo update-ca-certificates
Remove
  1. Remove your CA.
  2. Update the CA store: sudo update-ca-certificates --fresh

NOTE

Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.

Linux (CentOS 6)

Function | Method
Add
  1. Install the ca-certificates package: yum install ca-certificates
  2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
  4. Use command: update-ca-trust extract

NOTE

Restart Kerio Connect to reload the certificates in the 32-bit version.

Linux (CentOS 5)

Function | Method
Add

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

NOTE

Restart Kerio Connect to reload the certificates in the 32-bit version.
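
A root added with the steps above is trusted for every TLS connection the host makes, so it is worth confirming that the file is the CA you intended before copying it into the trust directory. The following is an added example, not part of the Kerio documentation: it compares the certificate's SHA-256 fingerprint (the value `openssl x509 -noout -fingerprint -sha256` prints, without the colons) against a pin obtained out of band, and refuses multi-certificate bundles. The helper names are hypothetical and GNU coreutils are assumed.

```shell
#!/bin/sh
# Added example: pin a root CA by SHA-256 fingerprint before adding it to a
# trust directory. Assumes GNU coreutils (base64 -d, sha256sum).

# Print the SHA-256 (lower-case hex) of the DER bytes of the certificate in PEM
# file $1. Fails unless the file holds exactly one certificate: a bundle would
# add every CA in it, not only the one whose fingerprint was checked.
cert_sha256() (
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || return 1
  [ "$n" -eq 1 ] || return 1
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
    grep -v -e '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
)

# Copy PEM file $1 into directory $3 only if its fingerprint equals the pin $2
# (hex, any case, with or without ':' separators). Hypothetical helper name.
install_if_pinned() (
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  got=$(cert_sha256 "$1") || {
    echo "refusing $1: not exactly one PEM certificate" >&2
    return 1
  }
  if [ "$got" != "$want" ]; then
    echo "refusing $1: fingerprint $got does not match the pin" >&2
    return 1
  fi
  cp -- "$1" "$3"/
)

# Demo on constructed data: placeholder bytes wrapped as PEM, not a real CA.
tmp=$(mktemp -d)
{
  echo '-----BEGIN CERTIFICATE-----'
  printf 'constructed placeholder, not a real certificate' | base64
  echo '-----END CERTIFICATE-----'
} > "$tmp/foo.crt"
mkdir "$tmp/anchors"
# In practice the pin is published by the CA and obtained out of band; it is
# computed from the file here only so the demo has a matching value.
pin=$(cert_sha256 "$tmp/foo.crt")
install_if_pinned "$tmp/foo.crt" "$pin" "$tmp/anchors" && echo "pin ok: copied"
install_if_pinned "$tmp/foo.crt" "AA:BB:CC" "$tmp/anchors" || echo "wrong pin: skipped"
rm -rf "$tmp"
```

On Ubuntu or Debian the destination directory would be /usr/local/share/ca-certificates/, followed by sudo update-ca-certificates as in the steps above.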


CI using Your own gitlab runner


 Ref: https://wiki.samba.org/index.php/CI_using_Your_own_gitlab_runner

Register your development machine as a runner for your own gitlab project

To speed up your CI runs, you can run CI on your own machine: register your development machine as a runner for the pipelines on your own clone of the Samba GitLab repo.

These instructions are for SUSE, so you will need to adjust the commands (e.g. apt-get instead of zypper) as appropriate for your Linux distro.

  • Install docker
 zypper in docker

IMPORTANT: you need to ensure the device mapper storage driver is enabled. To do this, edit /etc/docker/daemon.json; if it does not yet exist, create it and add:

{
  "storage-driver": "devicemapper"
}
  • Install gitlab runner
 sudo wget -O /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
 sudo chmod +x /usr/local/bin/gitlab-runner
  • Optionally, you can install and run as a service
sudo useradd --system --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner

gitlab-runner will run as root, but will execute jobs as the user specified by the install command. You may need to add this user to the 'docker' group. The easiest way to test whether docker is working is to run 'docker info' as the gitlab-runner user.

  • Register your runner
# gitlab-runner register
Running in system-mode.                            

Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/):
https://gitlab.com

Please enter the gitlab-ci token for this runner:
<you can find your token in your project's Settings ==> CI/CD ==> Runners settings>

Please enter the gitlab-ci description for this runner:
[hostname]: <your hostname>

Please enter the gitlab-ci tags for this runner (comma separated):

Whether to run untagged builds [true/false]:
[false]: ==> false

Whether to lock the Runner to current project [true/false]:
[true]: true

Registering runner... succeeded                     runner=M6jmUiFA
Please enter the executor: ssh, virtualbox, docker-ssh+machine, kubernetes, docker-ssh, parallels, shell, docker, docker+machine:
docker, private, shared

Please enter the default Docker image (e.g. ruby:2.1):
registry.gitlab.com/samba-team/samba:latest

Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

By default (iirc) gitlab-runner executes just one job per pipeline at a time; to increase that, edit /etc/gitlab-runner/config.toml and change the 'concurrent' value to something your machine can handle.

To manage your runner (and CI), refer to the gitlab-runner help. Additional options for CI and for managing your runner specifically for your project can be accessed from your project settings, available from the sidebar.

Note: you will need to change some defaults. From your project settings (navigate to Settings | CI/CD from the sidebar), expand 'General Pipeline settings' and change:

   Timeout: 10h

   Custom CI config path: .gitlab-ci-private.yml

If you don't change the custom CI config path then by default the CI will run a reduced set of tests.

Credit for most of the content above should go to Samuel Cabrero


Custom build directories in gitlab


Ref: https://docs.gitlab.com/ee/ci/runners/configure_runners.html

Edit config.toml

  [runners.custom_build_dir]
    enabled = true

By default, GitLab Runner clones the repository in a unique subpath of the $CI_BUILDS_DIR directory. However, your project might require the code in a specific directory (Go projects, for example). In that case, you can specify the GIT_CLONE_PATH variable to tell the runner the directory to clone the repository in:

variables:
  GIT_CLONE_PATH: $CI_BUILDS_DIR/project-name

test:
  script:
    - pwd

The GIT_CLONE_PATH must always be within $CI_BUILDS_DIR. The directory set in $CI_BUILDS_DIR depends on the executor and on the runners.builds_dir setting.
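
A pre-flight check for that containment rule, as an added example (not GitLab Runner's own code; the function names are hypothetical). It normalises both paths lexically, so `..` segments and sibling directories that merely share a prefix are caught. Requiring the clone path to be strictly below the builds directory is a choice made in this example.

```shell
#!/bin/sh
# Added example: pre-flight check that a GIT_CLONE_PATH stays inside CI_BUILDS_DIR.
# Purely lexical (symlinks are not resolved); function names are hypothetical.

# Normalise an absolute path: collapse "//", drop ".", resolve "..".
normalize_path() (
  case "$1" in /*) ;; *) return 1 ;; esac   # relative paths are rejected
  set -f                                     # no globbing while splitting
  IFS=/
  out=""
  for part in $1; do
    case "$part" in
      ""|.) ;;
      ..)   out=${out%/*} ;;                 # never climbs above "/"
      *)    out="$out/$part" ;;
    esac
  done
  printf '%s\n' "${out:-/}"
)

# Succeed only if $2 is strictly below $1 after normalisation.
clone_path_allowed() (
  base=$(normalize_path "$1") || return 1
  target=$(normalize_path "$2") || return 1
  [ "$base" = / ] && base=""
  case "$target" in
    "$base"/?*) return 0 ;;   # the "/" boundary stops /builds-other matching /builds
    *)          return 1 ;;
  esac
)

# Constructed candidates, checked against a builds dir of /builds.
for p in /builds/project-name /builds/a/../b /builds/../etc /builds-other/x /builds; do
  if clone_path_allowed /builds "$p"; then echo "ok      $p"; else echo "reject  $p"; fi
done
```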

 

Monday, June 6, 2022

Supported options for self-signed certificates targeting the GitLab server

 

Ref:https://docs.gitlab.com/runner/configuration/tls-self-signed.html

  • Specify a custom certificate file: GitLab Runner exposes the tls-ca-file option during registration (gitlab-runner register --tls-ca-file=/path), and in config.toml under the [[runners]] section. This allows you to specify a custom certificate file. This file will be read every time the runner tries to access the GitLab server.





VS Code: Fixing Git Certificate Issues


Ref: https://dougdefrank.wordpress.com/2018/02/28/vs-code-fixing-git-certificate-issues/ 

git config --system http.sslBackend schannel



Sunday, June 5, 2022

GitLab Docker


 Ref:https://docs.gitlab.com/ee/install/docker.html

Set up the volumes location

Before setting everything else, configure a new environment variable $GITLAB_HOME pointing to the directory where the configuration, logs, and data files will reside. Ensure that the directory exists and that appropriate permissions have been granted.


For Linux users, set the path to /srv/gitlab:


export GITLAB_HOME=/srv/gitlab


For macOS users, use the user’s $HOME/gitlab directory:


export GITLAB_HOME=$HOME/gitlab


The GitLab container uses host mounted volumes to store persistent data:


Local location | Container location | Usage
$GITLAB_HOME/data | /var/opt/gitlab | For storing application data.
$GITLAB_HOME/logs | /var/log/gitlab | For storing logs.
$GITLAB_HOME/config | /etc/gitlab | For storing the GitLab configuration files.

Installation

The GitLab Docker images can be run in multiple ways:


  • Using Docker Engine
  • Using Docker Compose
  • Using Docker swarm mode

Install GitLab using Docker Engine

You can fine tune these directories to meet your requirements. Once you’ve set up the GITLAB_HOME variable, you can run the image:


sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab \
  --volume $GITLAB_HOME/logs:/var/log/gitlab \
  --volume $GITLAB_HOME/data:/var/opt/gitlab \
  --shm-size 256m \
  gitlab/gitlab-ee:latest


This will download and start a GitLab container and publish ports needed to access SSH, HTTP and HTTPS. All GitLab data will be stored as subdirectories of $GITLAB_HOME. The container will automatically restart after a system reboot.


If you are on SELinux, then run this instead:


sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab:Z \
  --volume $GITLAB_HOME/logs:/var/log/gitlab:Z \
  --volume $GITLAB_HOME/data:/var/opt/gitlab:Z \
  --shm-size 256m \
  gitlab/gitlab-ee:latest


This will ensure that the Docker process has enough permissions to create the configuration files in the mounted volumes.


If you’re using the Kerberos integration, you must also publish your Kerberos port (for example, --publish 8443:8443). Failing to do so prevents Git operations with Kerberos.


The initialization process may take a long time. You can track this process with:


sudo docker logs -f gitlab


After starting a container you can visit gitlab.example.com (or http://192.168.59.103 if you used boot2docker on macOS). It might take a while before the Docker container starts to respond to queries.


Visit the GitLab URL, and log in with username root and the password from the following command:


sudo docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password

Thursday, May 19, 2022

Remove credentials from Git

 


Ref: https://stackoverflow.com/questions/15381198/remove-credentials-from-git

If this problem comes on a Windows machine, do the following.

  • Go to Credential Manager

    • in German, it is called: Anmeldeinformationsverwaltung
    • in French, it is called: Gestionnaire d'identification
    • in Polish, it is called: Menedżer poświadczeń
    • in Portuguese, it is called: Gerenciador de Credenciais
    • in Russian, it is called: Диспетчер учётных данных
    • in Spanish, it is called: Administrador de credenciales
  • Go to Windows Credentials

  • Delete the entries under Generic Credentials


  • Try connecting again. This time, it should prompt you for the correct username and password.

Install and use xorg-server on macOS via Homebrew

  The instructions to install and use xorg-server on macOS via Homebrew: Install Homebrew (if you haven't already): /bin/bash -c ...