Installing GoCD on CentOS 7 with Block Storage Configuration
GoCD is a freely available automation and continuous delivery platform. It supports designing sophisticated pipelines through both sequential and concurrent task execution. Its integrated value stream mapping simplifies the visualization of complex deployment chains. You can inspect and compare builds effortlessly and deploy specific application versions as needed.
The GoCD environment comprises a server and agents. The server handles administrative tasks such as delivering jobs to agents and offering a web-based interface. Meanwhile, agents execute assigned jobs and manage deployments.
Requirements
- A CentOS 7 server with a minimum of 1GB RAM
- An account with sudo privileges
- A domain that routes traffic to the server
For demonstration purposes, this guide uses the IP 192.168.1.1 and domain gocd.example.com. Make sure to update these with your actual IP and domain details.
Before continuing, refer to the guide on updating CentOS 7 to ensure your system is up to date. Once completed, proceed to install Java.
Java Installation
GoCD requires Java 8, and it’s compatible with both OpenJDK and Oracle Java. This guide uses OpenJDK 8, which is accessible via the standard YUM repository.
Run the following to install Java:
sudo yum -y install java-1.8.0-openjdk-devel
To verify the Java installation:
java -version
Example output:
[user@centron~]$ java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)
To configure Java environment variables, find the absolute path of the Java binary:
readlink -f $(which java)
Expected output:
[user@centron~]$ readlink -f $(which java)
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre/bin/java
Now, define the JAVA_HOME and JRE_HOME variables using your system’s path:
echo "export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64" >> ~/.bash_profile
echo "export JRE_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre" >> ~/.bash_profile
Note: Replace the paths with your specific installation directory as they may vary with newer releases.
Apply the profile changes:
source ~/.bash_profile
Verify the variable:
[user@centron~]$ echo $JAVA_HOME
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64
Installing GoCD
As GoCD is Java-based, Java must be installed first. To proceed, integrate the official GoCD repository:
sudo curl https://download.gocd.org/gocd.repo -o /etc/yum.repos.d/gocd.repo
Then install the GoCD server:
sudo yum install -y go-server
Start and enable the service at boot:
sudo systemctl start go-server
sudo systemctl enable go-server
Create a directory for storing build artifacts:
sudo mkdir /opt/artifacts
sudo chown -R go:go /opt/artifacts
Configuring Block Storage
Since CI/CD systems like GoCD continuously generate files, it’s recommended to allocate a separate partition for artifact storage. This avoids storage-related service disruptions as disk usage grows.
If opting for separate storage, attach a block device and create a partition:
sudo parted -s /dev/vdb mklabel gpt
sudo parted -s /dev/vdb unit mib mkpart primary 0% 100%
Format the partition:
sudo mkfs.ext4 /dev/vdb1
Mount the disk and configure it for persistence:
sudo mkdir /mnt/artifacts
sudo cp /etc/fstab /etc/fstab.backup
echo "
/dev/vdb1 /mnt/artifacts ext4 defaults,noatime 0 0" | sudo tee -a /etc/fstab
sudo mount /mnt/artifacts
Use df to confirm the mount:
[user@centron~]$ df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 20616252 6313892 13237464 33% /
...
/dev/vdb1 10188052 36888 9610596 1% /mnt/artifacts
Assign GoCD as the owner of the mount point:
sudo chown -R go:go /mnt/artifacts
Firewall Configuration
Allow network traffic on GoCD’s default ports 8153 (non-secure) and 8154 (secure) by updating the firewall settings:
sudo firewall-cmd --zone=public --add-port=8153/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8154/tcp --permanent
sudo firewall-cmd --reload
Now, open http://192.168.1.1:8153 for non-encrypted access or https://192.168.1.1:8154 for encrypted access. You might see a warning about invalid certificates—this can be disregarded since the certificate is self-signed. It’s strongly recommended to use the secure URL.
Navigate to Admin >> Server Configuration in the GoCD dashboard and provide:
- The HTTP site URL (non-secure)
- The HTTPS site URL (secure)
- Your SMTP mail server configuration (for notifications)
- The path to store artifacts: use
/opt/artifactsor/mnt/artifactsdepending on where you’ve set up storage
To automatically delete older artifacts, configure this option based on your disk capacity. Keep in mind that enabling this option does not back up artifacts. If backups are required, set auto-delete to “Never” and manage it manually.
To apply your changes, restart the GoCD service:
sudo systemctl restart go-server
Setting Up Password Authentication
By default, GoCD lacks user authentication. It can be secured using password files or LDAP. This tutorial sets up a password-based login system.
Important: This is optional, but highly advisable for publicly accessible installations.
Begin by installing the Apache tools package:
sudo yum -y install httpd-tools
Create the password file and define an admin user:
sudo htpasswd -B -c /etc/go/passwd_auth goadmin
You’ll be prompted to enter and confirm the password. To add more users without overwriting existing ones, skip the -c flag:
sudo htpasswd -B /etc/go/passwd_auth gouser1
Log back into the dashboard and navigate to Admin >> Security >> Authorization Configurations. Click “Add”, set an ID, select “Password File Authentication Plugin for GoCD”, and specify the file path.
Test the configuration by clicking “Check Connection” and save the settings. You’ll be logged out and see a login prompt—sign in with your new credentials.
To assign admin rights, go to Admin >> User Summary, select the admin account, and mark “Go System Administrator” under roles.
Users are added either manually or automatically upon first login if they are present in the password file.
Securing GoCD Using Let’s Encrypt and Nginx
Though GoCD already supports secure connections on port 8154, browsers may show warnings because of the self-signed certificate. To prevent this, install Let’s Encrypt with Nginx acting as a reverse proxy.
First, install and configure Nginx:
sudo yum -y install nginx
sudo systemctl start nginx
sudo systemctl enable nginx
Install Certbot to obtain SSL certificates:
sudo yum -y install certbot
Allow HTTP and HTTPS traffic and remove port 8153 from the firewall:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --zone=public --remove-port=8153/tcp --permanent
sudo firewall-cmd --reload
Note: Ensure your domain resolves to the server before proceeding with certificate issuance.
Request certificates:
sudo certbot certonly --webroot -w /usr/share/nginx/html -d gocd.example.com
The files will be placed in /etc/letsencrypt/live/gocd.example.com/.
Set up daily auto-renewal using cron:
sudo crontab -e
Add:
30 5 * * * /usr/bin/certbot renew --quiet
Remove the default_server directive from Nginx’s main config:
sudo sed -i 's/default_server//g' /etc/nginx/nginx.conf
Create the GoCD virtual host file:
sudo nano /etc/nginx/conf.d/gocd.conf
Insert the following content:
upstream gocd {
server 127.0.0.1:8153;
}
server {
listen 80 default_server;
server_name gocd.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 default_server;
server_name gocd.example.com;
ssl_certificate /etc/letsencrypt/live/gocd.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gocd.example.com/privkey.pem;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/gocd.access.log;
location / {
proxy_pass http://gocd;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_redirect off;
}
location /go {
proxy_pass http://gocd/go;
proxy_http_version 1.1;
proxy_set_header Upgrade websocket;
proxy_set_header Connection upgrade;
proxy_read_timeout 86400;
}
}
Check for configuration errors:
sudo nginx -t
If validation passes, restart Nginx:
sudo systemctl restart nginx
Open https://gocd.example.com and update your Server Configuration URLs accordingly. Keep port 8154 accessible so agents can connect if needed.
Installing the GoCD Agent
GoCD agents carry out the CI tasks and pipeline executions. When changes are detected, jobs are dispatched to these agents for execution.
Install an agent using YUM:
sudo yum install -y go-agent
Enable and start the agent service:
sudo systemctl start go-agent
sudo systemctl enable go-agent
Once installed on the local server, the agent will automatically appear in the GoCD dashboard as an active worker.
Conclusion
By following this guide, you’ve successfully set up a fully functional GoCD continuous delivery environment on CentOS 7. You’ve installed and configured Java, the GoCD server, and agent, and secured your deployment using Let’s Encrypt SSL with Nginx as a reverse proxy. You’ve also configured authentication for secure access and established proper artifact storage and firewall rules to ensure stability and performance.
This setup enables you to build and manage sophisticated deployment pipelines with clarity and flexibility. Be sure to regularly maintain your SSL certificates, monitor artifact storage usage, and keep your system updated to ensure ongoing reliability and security.
