Best practice for making gitlab ssh port available externally

[jwthomp]

Hi,

I've gotten gitlab running inside of docker now and was able to backup from my old gitlab vm and restore it into the new docker container. I am now at the point where the docker gitlab instance is listening to port 22 on it's private IP.

I am looking for any information on the best way to expose that through the public host interface?

Thank you!

Jeff

[jwthomp]

I am currently solving this by using haproxy and have moved the main host ssh daemon off to another port.

[sameersbn]

@jwthomp Currently there are 2 ways you can do this.

1. As you have done, you can change the port number of the host ssh server and forward connections to port 22 to the container using the option -p 22:22 in the docker run command. There is no need to use haproxy.
2. Forward some other port on the host to port 22 of the container and use the GITLAB_SHELL_SSH_PORT configuration option to specify the forwarded port to the gitlab application so that the clone urls reflect this.

For example, add -p 10022:22 -e "GITLAB_SHELL_SSH_PORT=10022" to the docker run command. Now you will notice that the ssh clone urls in the gitlab server will change to the form ssh://git@git.local.host:10022/docker/docker-gitlab.git.

Make your pick.

[mbrgm]

@jwthomp
Another way I have investigated in is creating a virtual macvlan interface on the docker host. This way you can assign a hwaddr to the interface, which allows your host to get the IP for the interface via DHCP (you can of course also just assign a static IP address).

You then basically just forward requests on the virtual interface to your gitlab container's external IP address. I also added a DNS entry, which points to the virtual interface, e.g. gitlab.example.com. This lets you use gitlab without changing the docker host's ssh port.

I planned on writing a tutorial on this method but http://blog.codeaholics.org/2013/giving-dockerlxc-containers-a-routable-ip-address/ outlines it pretty well. It should get you through the whole process.

[sameersbn]

@jwthomp @mbrgm thats pretty sweet. Note that once moby/moby#4441 makes its way into docker master you will not require any extra setup. Just adding --net host to the docker run command will have the desired effect.

The feature is already added and is currently being tested and syntax is being finalized, so i think its only a couple of weeks away from landing into the master. As the saying goes "keep your eyes peeled"

[sameersbn]

closing this issue.

[uwydoc]

In my specific situation, where docker-gitlab is run inside the boot2docker-vm(host os is rhel 6.4, the kernel (2.6.32) is too old to run recent version of docker), the only workaround that I came up with is to configure iptables to forward git(ssh) connections. refer to http://stackoverflow.com/a/14637461/1994490 for details.