Step-by-Step Guide to Building a Secure Git Server and GitLab on CentOS 7
This tutorial walks you through creating a dedicated git user, configuring a bare repository, setting up SSH key authentication, installing GitLab on CentOS 7, managing groups and permissions, and performing backup and restore operations, all with concrete command examples and screenshots.
Creating the git user and group
First create a git group and a git user:
    groupadd git
    useradd -g git git
Then restrict the user to git-shell by editing its entry in /etc/passwd:
    git:x:1001:1002::/home/git:/usr/bin/git-shell
This allows SSH access for Git operations while preventing interactive shell login.
Creating a bare repository
Switch to the git home directory, create a directory for the repository, and initialize it as a bare repo:
    cd /home/git/
    mkdir study.git
    git init --bare study.git
Set ownership to the git user:
    chown -R git:git study.git
Cloning the repository
Clone the repository via SSH. If the SSH daemon uses a non‑standard port, specify it in the URL:
    git clone [email protected]:/home/git/study.git
    git clone ssh://[email protected]:500/home/git/study.git
Setting up SSH key authentication
Edit /etc/ssh/sshd_config to enable public‑key authentication:
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
Create the .ssh directory for the git user and set proper permissions:
    mkdir .ssh
    chmod 700 .ssh
    touch .ssh/authorized_keys
    chmod 600 .ssh/authorized_keys
Generate a key pair on the client with ssh-keygen and copy the public key to /home/git/.ssh/authorized_keys.
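As an added example (not part of the original tutorial), this script checks the settings the steps above depend on: the git account's login shell in a passwd-format file, and the modes of .ssh and authorized_keys. The function names are hypothetical and the fixture at the end is constructed; on the server the arguments would be /etc/passwd, git and /home/git.

```shell
#!/bin/sh
# Added example: audit the git account described above (helper names are hypothetical).

# Print the login shell recorded for user $2 in passwd-format file $1.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed only if path $1 exists with exactly the octal mode $2.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Print one FAIL line per finding; exit status 0 only when there are none.
# usage: audit_git_account <passwd_file> <user> <home_dir>
audit_git_account() (
    passwd=$1; user=$2; home=$3; rc=0
    case "$(login_shell "$passwd" "$user")" in
        */git-shell) ;;
        "") echo "FAIL: no passwd entry for $user"; rc=1 ;;
        *)  echo "FAIL: $user login shell is not git-shell"; rc=1 ;;
    esac
    has_mode "$home/.ssh" 700 ||
        { echo "FAIL: $home/.ssh is missing or not mode 700"; rc=1; }
    has_mode "$home/.ssh/authorized_keys" 600 ||
        { echo "FAIL: authorized_keys is missing or not mode 600"; rc=1; }
    exit "$rc"
)

# Constructed fixture: the passwd line from this page plus a deliberately
# wrong authorized_keys mode, so the audit has something to report.
demo() (
    d=$(mktemp -d) || exit 1
    echo 'git:x:1001:1002::/home/git:/usr/bin/git-shell' > "$d/passwd"
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    touch "$d/.ssh/authorized_keys" && chmod 644 "$d/.ssh/authorized_keys"
    audit_git_account "$d/passwd" git "$d"; rc=$?
    rm -rf "$d"
    exit "$rc"
)
demo || echo "demo fixture reported findings, as constructed"
```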
Installing GitLab on CentOS 7
Install required packages, start and enable postfix, then download and install the GitLab CE package:
    yum -y install policycoreutils openssh-server openssh-clients postfix
    systemctl enable postfix && systemctl start postfix
    wget https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/gitlab-ce-8.9.5-ce.0.el7.x86_64.rpm
    rpm -i gitlab-ce-8.9.5-ce.0.el7.x86_64.rpm
Configure the external URL in /etc/gitlab/gitlab.rb (replace with your server IP):
    external_url 'http://192.168.188.222'
Run the reconfiguration script to install all components, then restart GitLab:
    gitlab-ctl reconfigure
    gitlab-ctl restart
Using GitLab
Access GitLab via the configured IP address, set an admin password, then create groups, projects, and users through the web UI. Permissions can be set at the group level (Private, Internal, Public) and per‑user role (Guest, Reporter, Developer, Master, Owner).
Backup and restore
Edit /etc/gitlab/gitlab.rb to enable backups (default directory /var/opt/gitlab/backups) and set the retention period (default 7 days). Then run:
    /usr/bin/gitlab-rake gitlab:backup:create
To restore, stop services, run the restore command with the backup timestamp, and restart services:
    gitlab-ctl stop unicorn
    gitlab-ctl stop sidekiq
    gitlab-rake gitlab:backup:restore BACKUP=1533281464
    gitlab-ctl start unicorn
    gitlab-ctl start sidekiq
After restoration the projects are available again.
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.