Installing GitLab CE on CentOS Stream 9: Building Your Own Internal Code and CI/CD Forge

CentOS tutorial - IT technology blog
CentOS tutorial - IT technology blog

Quick Start – Install GitLab in 5 Minutes

Just rented a brand new CentOS Stream 9 VPS and want to see results immediately? Run this command sequence with root privileges. I’ll explain each line in detail right below.

# Update system and install dependencies
dnf update -y
dnf install -y curl policycoreutils-python-utils openssh-server perl

# Add GitLab repository
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | bash

# Install GitLab (replace 'gitlab.example.com' with your IP or domain)
EXTERNAL_URL="http://gitlab.example.com" dnf install -y gitlab-ce

# Open ports on Firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Once the commands finish, wait about 1 minute for services to initialize, then access your domain to check the result.

Why Choose CentOS Stream 9 to Run GitLab?

Previously, CentOS 7 was the “king of stability” in my book. However, since Red Hat changed the game, I’ve gradually moved systems to CentOS Stream 9. In practice, this version handles I/O exceptionally well thanks to the new Kernel, making Git Push/Pull operations significantly smoother.

Running your own GitLab CE (Community Edition) provides absolute freedom. You have full control over your data, no worries about repository limits, and no spending hundreds of dollars a month on GitHub user fees. For high-security projects, hiding GitLab behind a VPN is currently the safest option.

Hardware Configuration: Don’t Skimp on RAM

Installing GitLab on a 1GB RAM VPS is a “fatal” mistake. You’ll see 502 errors constantly because Ruby on Rails and Sidekiq consume massive resources. Here are the recommended specs for a team of about 10-20 people:

  • RAM: Minimum 4GB (8GB recommended to keep CI/CD running smoothly without hanging).
  • CPU: 2 Cores (Prioritize high clock speeds).
  • Storage: 20GB free (SSD/NVMe recommended to avoid bottlenecks when multiple people commit simultaneously).
  • OS: Clean CentOS Stream 9 x86_64.

Detailed Deployment Steps

Step 1: Environment Preparation

GitLab requires a few tools for SSH management and email notifications. On CentOS Stream 9, this is extremely simple using the dnf package manager.

dnf install -y curl policycoreutils-python-utils openssh-server perl

Next, download the official repository configuration script from GitLab. This script will automatically detect your OS and add the necessary download sources to your system.

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | bash

Step 2: Installation and URL Setup

During installation, you should declare the EXTERNAL_URL variable immediately. This is the address you’ll use to access the web interface. If you haven’t pointed a domain yet, you can temporarily use your server’s IP.

EXTERNAL_URL="http://192.168.1.100" dnf install -y gitlab-ce

This process usually takes 3 to 5 minutes. GitLab will automatically trigger gitlab-ctl reconfigure to install the full package of PostgreSQL, Redis, and Nginx for you.

Securing the Server with Firewalld and SELinux

Many developers tend to disable Firewall and SELinux to avoid minor issues. However, with a server holding all your intellectual property (source code), doing so is like leaving your front door wide open for hackers.

Firewalld Configuration

Open only the three essential ports: HTTP (80), HTTPS (443), and SSH (22). Other ports should be tightly closed to minimize port scanning risks.

firewall-cmd --permanent --add-service={http,https,ssh}
firewall-cmd --reload

Living with SELinux

CentOS Stream 9 defaults to Enforcing mode for SELinux. Don’t disable it. GitLab supports SELinux very well. If you change the default SSH port (e.g., to 2222), just run the following command to allow SELinux connections:

semanage port -a -t ssh_port_t -p tcp 2222

How to Get the Initial Admin Password

GitLab no longer allows setting a password during installation; instead, it generates a random string for the root account. To view this password, read the following file:

cat /etc/gitlab/initial_root_password

Important Note: The system will automatically delete this file after 24 hours. You need to log in immediately and go to User Settings -> Password to change your personal password.

Upgrading to HTTPS with Let’s Encrypt (Free)

Sending code via HTTP is a major risk because data is transmitted in plain text. Fortunately, GitLab has built-in Let’s Encrypt integration. You just need to edit the configuration file:

vi /etc/gitlab/gitlab.rb

Find and update the following parameters:

external_url 'https://gitlab.yourdomain.com'
letsencrypt['enable'] = true
letsencrypt['contact_emails'] = ['[email protected]']

Finally, run the gitlab-ctl reconfigure command to have GitLab automatically request the SSL certificate and configure Nginx for you.

Pro Tips: Troubleshooting Issues

Here are a few tips I’ve gathered after many times “rescuing” GitLab systems:

  • 502 Whoops Error: Don’t rush to restart the server. Usually, it’s because the Puma service hasn’t finished starting after a reconfigure. Be patient for 2 minutes; the error will resolve itself.
  • Enable Swap: If the server RAM is only 4GB, create an additional 2GB-4GB of Swap on the SSD. This helps prevent the server from “freezing” when the team handles large Merge Requests with hundreds of files.
  • Backup Strategy: Code is life. Use a Cronjob to run gitlab-rake gitlab:backup:create every night and push the .tar file to another server or S3.
  • Health Check: Use the gitlab-ctl status command to see exactly which component (Redis, Postgres, Gitaly…) is having issues.

Building your own code management system isn’t hard; the hard part is maintaining its stability. I hope this article gives you more confidence when deploying GitLab on CentOS Stream 9. Good luck!

Share: