svn和gitlab-ce迁移

# 迁移案例

## 案例一 svn服务迁移到k8s平台

| 基本信息     | 旧环境                                     | 新环境          |
| ------------ | ------------------------------------------ | --------------- |
| IP地址       | 1.1.1.32                              | 2.2.2.238 |
| 端口         | 1022                                       | 22              |
| 登录         | 账号：aaa 秘钥：aaa | -               |
| 服务部署方式 | docker                                     | k8s             |

### 一、获取镜像

注意：这里重新制作了svn-server的镜像，由于未找到使用http插件的以alpine为基础镜像的镜像包，且alpine没有svn的http插件包。

**在238上做如下操作**

```
[root@ecs-arm-k8s-master01 svn-server]# docker pull garethflowers/svn-server:latest
说明：以上镜像没有http服务插件，alpine没有支持apache+svn的组件，需要重新制作镜像。
[root@ecs-arm-k8s-master01 svn-server]# vim Dockerfile
FROM centos:7

CMD [ "/usr/bin/svnserve", "--daemon", "--foreground", "--root", "/var/opt/svn" ]
EXPOSE 3690
HEALTHCHECK CMD netstat -ln | grep 3690 || exit 1
VOLUME [ "/var/opt/svn" ]
WORKDIR /var/opt/svn

RUN yum repolist && \
    yum -y install subversion wget vim httpd mod_dav_svn

[root@ecs-arm-k8s-master01 svn-server]# docker build -t cocl666/svn-httpd:zl

补充：以上镜像需要在启动后（通过k8s启动容器，参考步骤二、三、四）执行以下步骤，这里启动指的是http方式访问的启动配置：
进入启动后的容器
cd /var/opt/svn
创建svn的repo
svnadmin create Kunpeng_Technology_Center
修改repo权限
chown -R apache:apache Kunpeng_Technology_Center
修改httpd和svn配置文件
vim /etc/httpd/conf/httpd.conf
添加ServerName localhost:80
vim /etc/httpd/conf.d/svn.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /Kunpeng_Technology_Center>
   DAV svn
   SVNPath /var/opt/svn/Kunpeng_Technology_Center
   # SVNParentPath /var/opt/svn

AuthType Basic
   AuthName "Authorization Realm"
   AuthUserFile /var/opt/svn/Kunpeng_Technology_Center/conf/passwd
   AuthzSVNAccessFile /var/opt/svn/Kunpeng_Technology_Center/conf/authz
   Satisfy all
   Require valid-user
</Location>
使用/usr/sbin/httpd启动http服务

注意：由于以上步骤限制需要在svn的repo创建后才能配置http服务，因此不能一次性写入镜像中；
```

### 二、建立storageclass

搭建nfs服务器，并在k8s中创建并配置默认storageclass。

**在238上做如下操作**

```
NFS服务搭建
yum install -y nfs-utils rpcbuild
systemctl start rpcbind
systemctl enable rpcbind
systemctl start nfs-server
systemctl start nfs-secure.service
systemctl enable nfs-server nfs-secure.service
mkdir /data/nfs_data
vim /etc/exports

/data/nfs_data 192.168.0.0/24(rw,sync,no_root_squash,no_subtree_check)

systemctl reload nfs

k8s中创建storageclass
1、安装nfs-client-provisioner
helm repo add az-stable http://mirror.azure.cn/kubernetes/charts/
helm repo update
由于默认镜像是amd64的，架构需要改变
docker pull kopkop/nfs-client-provisioner-arm64:v3.1.0-k8s1.11
docker tag kopkop/nfs-client-provisioner-arm64:v3.1.0-k8s1.11 cocl666/nfs-client-provisioner:v3.1.0-k8s1.11
helm pull az-stable/nfs-client-provisioner
tar -xvf nfs-client-provisioner-1.2.11.tgz
cd nfs-client-provisioner/
vim values.yaml
改变镜像仓地址为：cocl666/nfs-client-provisioner
版本不变。

cd ..
helm install nfs-client-provisioner /data/download/zl/nfs-client-provisioner --set nfs.server=192.168.0.156 --set nfs.path=/data/nfs_data

2、查看是否创建成功
kubectl get pods
NAME                                      READY   STATUS    RESTARTS   AGE
nfs-client-provisioner-84dc4599fb-7nsgz   2/2     Running   1          7s

kubectl get sc
NAME         PROVISIONER                            RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
nfs-client   cluster.local/nfs-client-provisioner   Delete          Immediate           true                   56s

3、安装成功后会自动创建名为“nfs-client”的storageclass，将这个sc设为默认sc
kubectl patch storageclass nfs-client -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

4、再次查看
kubectl get sc
NAME                   PROVISIONER                            RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
nfs-client (default)   cluster.local/nfs-client-provisioner   Delete          Immediate           true                   116s

注意：
由于Kubernetes v1.20 (opens new window)开始，（我们使用的是1.21.5版本）默认删除了 metadata.selfLink 字段，然而，部分应用仍然依赖于这个字段，例如：nfs-client-provisioner。
启用 selfLink 字段
vim /etc/kubernetes/manifests/kube-apiserver.yaml
kube-apiserver参数配置下增加：
第44行 - --feature-gates=RemoveSelfLink=false
```

### 三、建立svn命名空间和pvc

**在238上做如下操作**

```
[root@ecs-arm-k8s-master01 svn-server]# kubectl create namespace svn
[root@ecs-arm-k8s-master01 svn-server]# vim svn-pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: svn-pvc
  namespace: svn
  annotations:
    volume.beta.kubernetes.io/storage-class: "nfs-client"   #与kubectl edit storageclasses.storage.k8s.io查到的metadata.name保持一致
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Gi #最新版本12192达到了16G，暂存所有版本达到43G，这里只迁移最新版本；
      
[root@ecs-arm-k8s-master01 svn-server]# kubectl apply -f svn-pvc.yaml
[root@ecs-arm-k8s-master01 svn-server]# kubectl get pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                 STORAGECLASS   REASON   AGE
pvc-bfa9333d-97b3-4aa4-915e-4a5424598100   50Gi       RWX            Delete           Bound    svn/svn-pvc           nfs-client              6s
[root@ecs-arm-k8s-master01 svn-server]# kubectl get pvc --namespace svn
NAME      STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
svn-pvc   Bound    pvc-bfa9333d-97b3-4aa4-915e-4a5424598100   50Gi       RWX            nfs-client     14s
```

### 四、拉起服务

**在238上做如下操作**

```
vim svn-server.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: svn-server
  namespace: svn
  labels:
    app: svn-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: svn-server
  template:
    metadata:
      labels:
        app: svn-server
    spec:
      containers:
      - name: svn
        image: cocl666/svn-httpd:zl #制作的镜像名
        ports:
        - containerPort: 80
        volumeMounts:
      	- name: nfs-pvc
          mountPath: "/var/opt/svn" #地址同容器中svn数据地址
      volumes:
        - name: nfs-pvc
          persistentVolumeClaim:
            claimName: svn-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: svn-service
  namespace: svn
spec:
  ports:
  - port: 80   #http配置时80，svn访问的话统一改为3690
    protocol: TCP
    targetPort: 80
    nodePort: 30690
  selector:
    app: svn-server
  type: NodePort
[root@ecs-arm-k8s-master01 svn-server]# kubectl apply -f svn-server.yaml
[root@ecs-arm-k8s-master01 svn-server]# kubectl get pod --namespace svn 
NAME                          READY   STATUS    RESTARTS   AGE
svn-server-85c6977d69-7dk6l   1/1     Running   0          5m58s
[root@ecs-arm-k8s-master01 svn-server]# kubectl get svc --namespace svn 
NAME          TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
svn-service   NodePort   10.103.151.16   <none>        80:30690/TCP   6m5s
```

### 五、迁移旧服务器最新版本到新服务

**在32上做如下操作**

```
docker exec -it svn bash
cd /var/lib/svn
svnlook youngest Kunpeng_Technology_Center
12192
备份最新版本
svnadmin dump Kunpeng_Technology_Center -r 12192 > 12192.dumpfile
exit
docker cp svn:/var/lib/svn/12192.dumpfile .
同步备份包到238的svn-pvc数据目录下
rsync -avzP 12192.dumpfile root@2.2.2.2:/data/nfs_data/svn-svn-pvc-pvc-bfa9333d-97b3-4aa4-915e-4a5424598100
参数auvzP解释：参数a是归档传输，保留文件属性，v是显示详细过程，z是压缩传输，P是断点传输。
```

**在238上做如下操作**

```
[root@ecs-arm-k8s-master01 svn-server]# kubectl exec -it --namespace svn svn-server-776fdc9fd8-7qt8n sh
/var/opt/svn # ls
12192.dumpfile
/var/opt/svn # svnadmin create Kunpeng_Technology_Center
/var/opt/svn # ls
12192.dumpfile             Kunpeng_Technology_Center
将备份好的版本导入新库
/var/opt/svn # svnadmin load Kunpeng_Technology_Center < 12192.dumpfile
配置authz  passwd  svnserve.conf与32一样
/var/opt/svn # chown -R apache:apache Kunpeng_Technology_Center
/var/opt/svn # vim /etc/httpd/conf/httpd.conf
添加ServerName localhost:80
vim /etc/httpd/conf.d/svn.conf配置文件
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /Kunpeng_Technology_Center>
   DAV svn
   SVNPath /var/opt/svn/Kunpeng_Technology_Center
   # SVNParentPath /var/opt/svn

AuthType Basic
   AuthName "Authorization Realm"
   AuthUserFile /var/opt/svn/Kunpeng_Technology_Center/conf/passwd
   AuthzSVNAccessFile /var/opt/svn/Kunpeng_Technology_Center/conf/authz
   Satisfy all
   Require valid-user
</Location>

注意：svn访问需要禁掉svnserve.conf中的use-sasl = true，并使用passwd.default中的明文密码访问，且svn-server.yaml中端口改为3690；
http访问需要打开use-sasl = true，并使用passwd中的加密密码访问，且svn-server.yaml中端口改为80；

使用/usr/sbin/httpd启动http服务
验证
svn客户端连接方式为：svn://2.2.2.2:30690/Kunpeng_Technology_Center，http://2.2.2.2:30690/Kunpeng_Technology_Center，两者不能同时存在，由于配置不同。
```

## 案例二 gitlab-ce服务迁移

### 一、备份并传送数据文件

```
备份
1、确保gitlab-ce处于正常运行状态，直接执行gitlab-rake gitlab:backup:create进行备份；
2、默认的备份目录是：/var/opt/gitlab/backups/，会创建xxx.tar文件，迁移的话还要手动备份gitlab.rb和gitlab-secrets.json；
3、开启备份并配置备份目录：
vim /etc/gitlab/gitlab.rb
gitlab_rails['manage_backup_path'] = true #开启备份功能
gitlab_rails['backup_path'] = "/var/opt/gitlab/backups" #设置备份文件存储地址
4、设置备份权限和过期时间：
vim /etc/gitlab/gitlab.rb
gitlab_rails['backup_archive_permissions']=0644 #生成的备份文件权限
gitlab_rails['backup_keep_time'] = 604800 #以秒为单位，7天
使用gitlab-ctl reconfigure重载配置文件
5、定时任务配置自动备份：
crontab -e
30 17 * * 5 /opt/gitlab/bin/gitlab-rake gitlab:backup:create
6、docker部署，定时任务如何使用？
写好任务脚本如下：
vim /data/zl/shell/backups_formal.sh
#!/bin/bash
DOCKER_ID_formal=0149f7c4c7c6
docker exec $DOCKER_ID_formal /bin/bash -c '/opt/gitlab/bin/gitlab-rake gitlab:backup:create'
配置定时任务：
crontab -e
30 17 * * 5 /bin/bash /data/zl/shell/backups_formal.sh #每周五下午5:30分

传送备份好的文件到238
rsync -avP 1642301279_2022_01_16_13.8.3_gitlab_backup.tar root@2.2.2.2:/data/download/zl/gitlab-ce/
```

### 二、应用迁移

```
1、使用docker-compose部署
docker push cocl666/gitlab-ce:13.8.3 #必须与旧服务版本相同，若迁移有版本限制建议先在旧版本升级到可迁移版本，根据官方升级途径；
cd /data/gitlab-ce
vim docker-compose.yaml
version: "3.6"
services:
    gitlab-ce:
        container_name: gitlab-ce
        image: 'cocl666/gitlab-ce:13.8.3'
        restart: always
        hostname: 'gitlab.example.com'
        environment:
          GITLAB_OMNIBUS_CONFIG: | #这个|不能少，会报格式错误，以下配置属于精简优化配置，可酌情删减；
        	external_url 'http://2.2.2.2:80' # 配置本机ip
        	nginx['redirect_http_to_https'] = true
        	unicorn['worker_processes'] = 4
        	postgresql['max_worker_processes'] = 4
        	nginx['worker_processes'] = 4
        	postgresql['shared_buffers'] = "256MB"
        	sidekiq['concurrency'] = 20 #配置不可与gitlab-rb中min和max冲突，这里建议注释掉
        	gitlab_pages['enable'] = false
        	pages_nginx['enable'] = false
        	prometheus_monitoring['enable'] = false
        	alertmanager['enable'] = false
        	node_exporter['enable'] = false
        	redis_exporter['enable'] = false
        	postgres_exporter['enable'] = false
        	pgbouncer_exporter['enable'] = false
        	gitlab_exporter['enable'] = false
        	grafana['enable'] = false
        	sidekiq['metrics_enabled'] = false
        	gitlab_rails['usage_ping_enabled'] = false
        	gitlab_rails['sentry_enabled'] = false
        	grafana['reporting_enabled'] = false
        	gitlab_rails['smtp_enable'] = false
        	gitlab_rails['gitlab_email_enabled'] = false
        	gitlab_rails['incoming_email_enabled'] = false
        	gitlab_rails['gitlab_default_projects_features_container_registry'] = false
        	gitlab_rails['registry_enabled'] = false
        	registry['enable'] = false
        	registry_nginx['enable'] = false
        	gitlab_rails['manage_backup_path'] = true
        	gitlab_rails['backup_path'] = "/var/opt/gitlab/backups"
        	gitlab_rails['backup_archive_permissions'] = 0644
        ports:
            - "8083:80"
        volumes:
            - '/data/gitlab-ce/conf:/etc/gitlab'
            - '/data/gitlab-ce/logs:/var/log/gitlab'
            - '/data/gitlab-ce/data:/var/opt/gitlab'
安装新版docker-compose，具体版本可以从github网站查找
curl -L https://download.fastgit.org/docker/compose/releases/download/v2.0.1/docker-compose-linux-aarch64 -o /usr/bin/docker-compose
chmod +x /usr/bin/docker-compose

2、拉起容器
docker-compose up -d
报错一
Error executing action `run` on resource 'execute[reload all sysctl conf]'
解决
cd /opt/gitlab/embedded/cookbooks/gitlab/recipes
vim selinux.rb
注释以下，保存后gitlab-ctl reconfigure、gitlab-ctl start，每次重启容器都需要修改。
#if RedhatHelper.system_is_rhel7? || RedhatHelper.system_is_rhel8?
#  ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
#  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
#    not_if "getenforce | grep Disabled"
#    not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'"
#  end

#  authorized_keys_module = 'gitlab-10.5.0-ssh-authorized-keys'
#  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{authorized_keys_module}.pp" do
#    not_if "getenforce | grep Disabled"
#    not_if "semodule -l | grep '^#{authorized_keys_module}\\s'"
#  end

#  gitlab_shell_module = 'gitlab-13.5.0-gitlab-shell'
#  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{gitlab_shell_module}.pp" do
#    not_if "getenforce | grep Disabled"
#    not_if "semodule -l | grep '^#{gitlab_shell_module}\\s'"
#  end
#end

3、迁移服务配置，还原备份文件
进入容器内部
gitlab-ctl stop puma
gitlab-ctl stop sidekiq
gitlab-ctl status 以上两个服务为down

chmod 777 /var/opt/gitlab/backups/xxx_gitlab_backup.tar

gitlab-rake gitlab:backup:restore /var/opt/gitlab/backups/xxx_gitlab_backup.tar

输入两次yes，回车后，完成恢复

手动备份gitlab.rb（配置优化）和gitlab-secrets.json到conf目录下，若gitlab.rb和docker-compose.yaml中配置有冲突，则修改其中之一即可；

gitlab-ctl reconfigure
gitlab-ctl start

验证http://2.2.2.2:8083
```