diff --git a/README.md b/README.md index 9a732da7d..09652d61d 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ - [Gitlab Pages](#gitlab-pages) - [External Issue Trackers](#external-issue-trackers) - [Host UID / GID Mapping](#host-uid--gid-mapping) - - [Piwik](#piwik) + - [Matomo](#matomo) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) @@ -483,13 +483,14 @@ Great! we are now just one step away from having our application secured. ##### Enabling HTTPS support -HTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. Additionally, when using self-signed SSL certificates you need to the set `SSL_SELF_SIGNED` option to `true` as well. Assuming we are using self-signed certificates +HTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. +Since corresponding setting `self_signed_cert` was removed in the gitlab-shell 13.26.0 release, the option `SSL_SELF_SIGNED`, that was used to indicate to use a self-signed certificate, is not used anymore. You don't need to set this option even if you're using a self-signed certificate. ```bash docker run --name gitlab -d \ --publish 10022:22 --publish 10080:80 --publish 10443:443 \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \ - --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ + --env 'GITLAB_HTTPS=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:15.5.0 ``` @@ -504,7 +505,7 @@ With `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `315 ```bash docker run --name gitlab -d \ - --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ + --env 'GITLAB_HTTPS=true' \ --env 'NGINX_HSTS_MAXAGE=2592000' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:15.5.0 
@@ -516,7 +517,7 @@ If you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`. Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer. -However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally you will need to set the `SSL_SELF_SIGNED` option to `true` if self signed SSL certificates are in use. +However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject. @@ -528,12 +529,11 @@ In summation, when using a load balancer, the docker command would look for the docker run --name gitlab -d \ --publish 10022:22 --publish 10080:80 \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \ - --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ + --env 'GITLAB_HTTPS=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:15.5.0 ``` -Again, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates. In case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration: 
@@ -770,13 +770,15 @@ docker run --name gitlab -d [OPTIONS] \ sameersbn/gitlab:15.5.0 app:sanitize ``` -#### Piwik +#### Matomo -If you want to monitor your gitlab instance with [Piwik](http://piwik.org/), there are two options to setup: `PIWIK_URL` and `PIWIK_SITE_ID`. +If you want to monitor your gitlab instance with [Matomo](https://matomo.org/), there are two options to setup: `MATOMO_URL` and `MATOMO_SITE_ID`. These options should contain something like: -- `PIWIK_URL=piwik.example.org` -- `PIWIK_SITE_ID=42` +- `MATOMO_URL=matomo.example.org` +- `MATOMO_SITE_ID=42` + +[Piwik have been changed the name to Matomo on Jan 2018](https://matomo.org/blog/2018/01/piwik-is-now-matomo/). Legacy configuration parameter `PIWIK_URL` and `PIWIK_SITE_ID` still works as fallback for corresponding parameter. #### Available Configuration Parameters @@ -928,14 +930,6 @@ Global custom hooks directory. Defaults to `/home/git/gitlab-shell/hooks`. Sets the timeout for webhooks. Defaults to `10` seconds. -##### `GITLAB_NOTIFY_ON_BROKEN_BUILDS` - -Enable or disable broken build notification emails. Defaults to `true` - -##### `GITLAB_NOTIFY_PUSHER` - -Add pusher to recipients list of broken build notification emails. Defaults to `false` - ##### `GITLAB_REPOS_DIR` The git repositories folder in the container. Defaults to `/home/git/data/repositories` @@ -1024,14 +1018,6 @@ Enables Object Store for Artifacts that will be remote stored. Defaults to `fals Bucket name to store the artifacts. Defaults to `artifacts` -##### `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD` - -Set to true to enable direct upload of Artifacts without the need of local shared storage. Defaults to `false` - -##### `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD` - -Temporary option to limit automatic upload. Defaults to `false` - ##### `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` 
@@ -1100,10 +1086,6 @@ Enables Object Store for LFS that will be remote stored. Defaults to `false` Bucket name to store the LFS. Defaults to `lfs-object` -##### `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD` - -Temporary option to limit automatic upload. Defaults to `false` - ##### `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` @@ -1168,14 +1150,6 @@ Enables Object Store for Packages that will be remote stored. Defaults to `false Bucket name to store the packages. Defaults to `packages` -##### `GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD` - -Set to true to enable direct upload of Packages without the need of local shared storage. Defaults to `false` - -##### `GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD` - -Temporary option to limit automatic upload. Defaults to `false` - ##### `GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` @@ -1292,10 +1266,6 @@ Enables Object Store for UPLOADS that will be remote stored. Defaults to `false` Bucket name to store the UPLOADS. Defaults to `uploads` -##### `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD` - -Temporary option to limit automatic upload. Defaults to `false` - ##### `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD` Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` @@ -1504,10 +1474,6 @@ Set default path for gitaly. defaults to `/home/git/gitaly` Set a gitaly token, blank by default. -##### `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL` - -Time between sampling of unicorn socket metrics, in seconds, defaults to `10` - ##### `GITLAB_MONITORING_IP_WHITELIST` IP whitelist to access monitoring endpoints, defaults to `0.0.0.0/8` 
@@ -1596,10 +1562,6 @@ The value of the `worker-src` directive in the `Content-Security-Policy` header. The value of the `report-uri` directive in the `Content-Security-Policy` header -##### `SSL_SELF_SIGNED` - -Set to `true` when using self signed ssl certificates. `false` by default. - ##### `SSL_CERTIFICATE_PATH` Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` @@ -1780,10 +1742,6 @@ The database database user. Defaults to `root` The database database password. Defaults to no password -##### `DB_POOL` - -The database database connection pool count. Defaults to `10`. - ##### `DB_PREPARED_STATEMENTS` Whether use database prepared statements. No defaults. But set to `false` if you want to use with [PgBouncer](https://pgbouncer.github.io/) @@ -2284,13 +2242,21 @@ Sets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if Google Analytics ID. No defaults. +##### `MATOMO_URL` + +Sets the Matomo URL. No defaults. + ##### `PIWIK_URL` -Sets the Piwik URL. No defaults. +Works as Matomo URL fallback only when `MATOMO_URL` is not set. No defaults. + +##### `MATOMO_SITE_ID` + +Sets the Matomo site ID. No defaults. ##### `PIWIK_SITE_ID` -Sets the Piwik site ID. No defaults. +Works as Matomo URL fallback only when `MATOMO_SITE_ID` is not set. No defaults. ##### `AWS_BACKUPS` diff --git a/assets/runtime/config/gitaly/config.toml b/assets/runtime/config/gitaly/config.toml index 0b070505e..00c0dd894 100644 --- a/assets/runtime/config/gitaly/config.toml +++ b/assets/runtime/config/gitaly/config.toml 
@@ -7,9 +7,14 @@ socket_path = "{{GITALY_SOCKET_PATH}}" # The directory where Gitaly's executables are stored bin_dir = "/usr/local/bin/" +# # Optional: The directory where Gitaly can create all files required to +# # properly operate at runtime. If not set, Gitaly will create a directory in +# # the global temporary directory. This directory must exist. +# runtime_dir = "/home/git/gitaly/run" + # # Optional: listen on a TCP socket. This is insecure (no authentication) # listen_addr = "localhost:9999" -# tls_listen_addr = "localhost:8888 +# tls_listen_addr = "localhost:8888" # # Optional: export metrics via Prometheus # prometheus_listen_addr = "localhost:9236" @@ -32,6 +37,17 @@ bin_dir = "/usr/local/bin/" # [git] # bin_path = "/usr/bin/git" # catfile_cache_size = 100 +# +# # Set this setting to `true` to start ignoring gitconfig files installed in +# # the system. This includes both system-level (e.g. '/etc/gitconffig') and +# # global-level (e.g. `$HOME/.gitconfig`) files. This setting will become the +# # default with v16.0. If you intend to override Git configuration you can do +# # so via `[[git.config]]`. The default value is `false`. +# ignore_gitconfig = false +# +# [[git.config]] +# key = fetch.fsckObjects +# value = true [[storage]] name = "default" @@ -87,6 +103,10 @@ dir = "{{GITLAB_GITALY_INSTALL_DIR}}/ruby" # The directory where gitlab-shell is installed dir = "{{GITLAB_SHELL_INSTALL_DIR}}" +[hooks] +custom_hooks_dir = "{{GITLAB_SHELL_INSTALL_DIR}}/hooks" + + # # You can adjust the concurrency of each RPC endpoint # [[concurrency]] # rpc = "/gitaly.RepositoryService/GarbageCollect" diff --git a/assets/runtime/config/gitlab-shell/config.yml b/assets/runtime/config/gitlab-shell/config.yml index 5719b9357..63d2b6dbc 100644 --- a/assets/runtime/config/gitlab-shell/config.yml +++ b/assets/runtime/config/gitlab-shell/config.yml 
@@ -15,6 +15,10 @@ user: git # "http+unix://%2Fpath%2Fto%2Fsocket" gitlab_url: "http://localhost:8080{{GITLAB_RELATIVE_URL_ROOT}}" +# When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab. +# Not used if gitlab_url is http:// or https://. +# gitlab_relative_url_root: "/" + # See installation.md#using-https for additional HTTPS configuration details. http_settings: # read_timeout: 300 @@ -22,18 +26,22 @@ http_settings: # password: somepass # ca_file: /etc/ssl/cert.pem # ca_path: /etc/pki/tls/certs - self_signed_cert: {{SSL_SELF_SIGNED}} +# # File used as authorized_keys for gitlab user auth_file: "{{GITLAB_HOME}}/.ssh/authorized_keys" +# SSL certificate dir where custom certificates can be placed +# https://golang.org/pkg/crypto/x509/ +# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/ + # File that contains the secret key for verifying access to GitLab. # Default is .gitlab_shell_secret in the gitlab-shell directory. secret_file: "{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret" - -# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d) -# Default is hooks in the gitlab-shell directory. -custom_hooks_dir: "{{GITLAB_SHELL_INSTALL_DIR}}/hooks" +# +# The secret field supersedes the secret_file, and if set that +# file will not be read. +# secret: "supersecret" # Log file. # Default is gitlab-shell.log in the root directory. @@ -42,7 +50,7 @@ log_file: "{{GITLAB_LOG_DIR}}/gitlab-shell/gitlab-shell.log" # Log level. INFO by default log_level: INFO -# Log format. 'text' by default +# Log format. 'json' by default, can be changed to 'text' if needed # log_format: json # Audit usernames. diff --git a/assets/runtime/config/gitlabhq/database.yml b/assets/runtime/config/gitlabhq/database.yml index 0423a57c4..bbd918de2 100644 --- a/assets/runtime/config/gitlabhq/database.yml +++ b/assets/runtime/config/gitlabhq/database.yml 
@@ -10,6 +10,13 @@ production: port: {{DB_PORT}} username: {{DB_USER}} password: "{{DB_PASS}}" - pool: {{DB_POOL}} prepared_statements: {{DB_PREPARED_STATEMENTS}} - + # load_balancing: + # hosts: + # - host1.example.com + # - host2.example.com + # discover: + # nameserver: 1.2.3.4 + # port: 8600 + # record: secondary.postgresql.service.consul + # interval: 300 diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 49502277e..e4ceb7ebc 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml @@ -6,9 +6,11 @@ # This file should not receive new settings. All configuration options # # * are being moved to ApplicationSetting model! # # If a setting requires an application restart say so in that screen. # -# If you change this file in a Merge Request, please also create # +# If you change this file in a merge request, please also create # # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. # # For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md # +# Be sure to create a MR against the GDK configuration # +# file (https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/support/templates/gitlab/config/gitlab.yml.erb) too. # ######################################################################## # # 
@@ -33,7 +35,11 @@ production: &base host: {{GITLAB_HOST}} port: {{GITLAB_PORT}} # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details https: {{GITLAB_HTTPS}} # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details - # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout. + + # Uncomment this line if you want to configure the Rails asset host for a CDN. + # cdn_host: localhost + + # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout. # Default is 95% of the worker timeout max_request_duration_seconds: 57 @@ -73,6 +79,8 @@ production: &base worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}" report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}" + allowed_hosts: [] + # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. @@ -115,11 +123,12 @@ production: &base # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs # Email server smtp settings are in config/initializers/smtp_settings.rb.sample + # File location to read encrypted SMTP secrets from + # email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} default_can_create_group: {{GITLAB_CREATE_GROUP}} # default: true username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace - signup_enabled: {{GITLAB_SIGNUP_ENABLED}} ## Default theme ID ## 1 - Indigo ## 2 - Dark 
@@ -156,7 +165,7 @@ production: &base ### GraphQL Settings # Tells the rails application how long it has to complete a GraphQL request. # We suggest this value to be higher than the database timeout value - # and lower than the worker timeout set in unicorn/puma. (default: 30) + # and lower than the worker timeout set in Puma. (default: 30) # graphql_timeout: 30 ## Repository downloads directory 
@@ -170,9 +179,33 @@ production: &base ## Disable jQuery and CSS animations # disable_animations: true + ## Application settings cache expiry in seconds (default: 60) + # application_settings_cache_seconds: 60 + + ## Print initial root password to stdout during initialization (default: false) + # WARNING: setting this to true means that the root password will be printed in + # plaintext. This can be a security risk. + # display_initial_root_password: false + + # Allows delivery of emails using Microsoft Graph API with OAuth 2.0 client credentials flow. + microsoft_graph_mailer: + enabled: false + # The unique identifier for the user. To use Microsoft Graph on behalf of the user. + # user_id: "YOUR-USER-ID" + # The directory tenant the application plans to operate against, in GUID or domain-name format. + # tenant: "YOUR-TENANT-ID" + # The application ID that's assigned to your app. You can find this information in the portal where you registered your app. + # client_id: "YOUR-CLIENT-ID" + # The client secret that you generated for your app in the app registration portal. + # client_secret: "YOUR-CLIENT-SECRET-ID" + # Defaults to "https://login.microsoftonline.com". + # azure_ad_endpoint: + # Defaults to "https://graph.microsoft.com". + # graph_endpoint: + ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. - # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html + # For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html incoming_email: enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}} 
@@ -208,9 +241,39 @@ production: &base # # log_path: log/mail_room_json.log - # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery + # Whether to expunge (permanently remove) messages from the mailbox when they are marked as deleted after delivery expunge_deleted: false + ## Consolidated object store config + ## This will only take effect if the object_store sections are not defined + ## within the types (e.g. artifacts, lfs, etc.). + # object_store: + # enabled: false + # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + # connection: + # provider: AWS # Only AWS supported at the moment + # aws_access_key_id: AWS_ACCESS_KEY_ID + # aws_secret_access_key: AWS_SECRET_ACCESS_KEY + # region: us-east-1 + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces + # storage_options: + # server_side_encryption: AES256 # AES256, aws:kms + # server_side_encryption_kms_key_id: # Amazon Resource Name. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html + # objects: + # artifacts: + # bucket: artifacts + # external_diffs: + # bucket: external-diffs + # lfs: + # bucket: lfs-objects + # uploads: + # bucket: uploads + # packages: + # bucket: packages + # dependency_proxy: + # bucket: dependency_proxy + ## Build Artifacts artifacts: enabled: {{GITLAB_ARTIFACTS_ENABLED}} 
@@ -219,8 +282,6 @@ production: &base object_store: enabled: {{GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name - direct_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Artifacts without the need of local shared storage. - background_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment @@ -249,7 +310,6 @@ production: &base # object_store: # enabled: false # remote_directory: external-diffs - # background_upload: false # proxy_download: false # connection: # provider: AWS @@ -265,8 +325,6 @@ production: &base object_store: enabled: {{GITLAB_LFS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name - direct_upload: {{GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - background_upload: {{GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}} 
@@ -299,8 +357,6 @@ production: &base object_store: enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name - direct_upload: {{GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - background_upload: {{GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}} @@ -322,13 +378,12 @@ production: &base ## Packages (maven repository, npm registry, etc...) packages: enabled: {{GITLAB_PACKAGES_ENABLED}} + dpkg_deb_path: /usr/bin/dpkg-deb # The location where build packages are stored (default: shared/packages). path: {{GITLAB_PACKAGES_DIR}} object_store: enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}} remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name - direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage. - background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment 
@@ -356,8 +411,6 @@ production: &base object_store: enabled: false remote_directory: dependency_proxy # The bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: provider: AWS @@ -394,6 +447,23 @@ production: &base google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-terraform_state-gcs + ## CI Secure Files + ci_secure_files: + enabled: true + # storage_path: shared/ci_secure_files + object_store: + enabled: false + remote_directory: ci-secure-files # The bucket name + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000' # default: nil + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + ## GitLab Pages pages: enabled: {{GITLAB_PAGES_ENABLED}} @@ -414,6 +484,18 @@ production: &base # File that contains the shared secret key for verifying access for gitlab-pages. # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_pages_secret + object_store: + enabled: false + remote_directory: pages # The bucket name + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + local_store: + enabled: true + # The location where pages are stored (default: shared/pages). + # path: shared/pages ## Mattermost ## For enabling Add to Mattermost button 
@@ -424,7 +506,7 @@ production: &base ## Gravatar ## If using gravatar.com, there's nothing to change here. For Libravatar ## you'll need to provide the custom URLs. For more information, - ## see: https://docs.gitlab.com/ee/customization/libravatar.html + ## see: https://docs.gitlab.com/ee/administration/libravatar.html gravatar: enabled: {{GITLAB_GRAVATAR_ENABLED}} # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} @@ -515,25 +597,20 @@ production: &base geo_secondary_registry_consistency_worker: cron: "* * * * *" - # GitLab Geo file download dispatch worker - # NOTE: This will only take effect if Geo is enabled (secondary nodes only) - geo_file_download_dispatch_worker: - cron: "*/1 * * * *" - # GitLab Geo migrated local files clean up worker # NOTE: This will only take effect if Geo is enabled (secondary nodes only) geo_migrated_local_files_clean_up_worker: cron: "15 */6 * * *" - # Export pseudonymized data in CSV format for analysis - pseudonymizer_worker: - cron: "0 * * * *" - # Elasticsearch bulk updater for incremental updates. # NOTE: This will only take effect if elasticsearch is enabled. elastic_index_bulk_cron_worker: cron: "*/1 * * * *" + # Periodically prune stale runners from namespaces having opted-in. + ci_runners_stale_group_runners_prune_worker_cron: + cron: "30 * * * *" + registry: enabled: {{GITLAB_REGISTRY_ENABLED}} host: {{GITLAB_REGISTRY_HOST}} @@ -575,7 +652,7 @@ production: &base # enabled: true # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API - ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html + ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html feature_flags: unleash: # enabled: false 
@@ -589,12 +666,6 @@ production: &base gitlab_ci: # Default project notifications settings: - # - # Send emails only on broken builds (default: true) - all_broken_builds: {{GITLAB_NOTIFY_ON_BROKEN_BUILDS}} - # - # Add pusher to recipients list (default: false) - add_pusher: {{GITLAB_NOTIFY_PUSHER}} # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root builds_path: {{GITLAB_BUILDS_DIR}} @@ -1107,20 +1178,6 @@ production: &base remote_directory: '{{GCS_BACKUP_BUCKET}}' #end-gcs - ## Pseudonymizer exporter - pseudonymizer: - # Tables manifest that specifies the fields to extract and pseudonymize. - manifest: config/pseudonymizer.yml - upload: - remote_directory: 'gitlab-elt' - # Fog storage connection settings, see http://fog.io/storage/ . - connection: - # provider: AWS - # region: eu-west-1 - # aws_access_key_id: AKIAKIAKI - # aws_secret_access_key: 'secret123' - # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. - ## GitLab Shell settings gitlab_shell: path: {{GITLAB_SHELL_INSTALL_DIR}}/ @@ -1173,10 +1230,6 @@ production: &base ## Monitoring # Built in monitoring settings monitoring: - # Time between sampling of unicorn socket metrics, in seconds - unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}} - # Time between sampling of Puma metrics, in seconds - # puma_sampler_interval: 5 # IP whitelist to access monitoring endpoints ip_whitelist: - 127.0.0.0/8 @@ -1188,7 +1241,7 @@ production: &base address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}} port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}} - # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics + # Web exporter is a dedicated Rack server running alongside Puma to expose Prometheus metrics # It runs alongside the `/metrics` endpoints to ease the publish of metrics web_exporter: # enabled: true 
@@ -1221,9 +1274,10 @@ production: &base ## Google analytics. Uncomment if you want it google_analytics_id: '{{GOOGLE_ANALYTICS_ID}}' - ## Piwik analytics. - piwik_url: '{{PIWIK_URL}}' - piwik_site_id: '{{PIWIK_SITE_ID}}' + ## Matomo analytics. + matomo_url: '{{MATOMO_URL}}' + matomo_site_id: '{{MATOMO_SITE_ID}}' + matomo_disable_cookies: false rack_attack: git_basic_auth: @@ -1300,7 +1354,6 @@ test: object_store: enabled: false remote_directory: artifacts # The bucket name - background_upload: false connection: provider: AWS # Only AWS supported at the moment aws_access_key_id: AWS_ACCESS_KEY_ID @@ -1359,6 +1412,17 @@ test: # user: YOUR_USERNAME pages: path: tmp/tests/pages + object_store: + enabled: false + remote_directory: pages # The bucket name + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + local_store: + enabled: true + path: tmp/tests/pages repositories: storages: default: @@ -1372,17 +1436,6 @@ test: secret_file: tmp/gitlab_workhorse_test_secret backup: path: tmp/tests/backups - pseudonymizer: - manifest: config/pseudonymizer.yml - upload: - # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. - remote_directory: gitlab-elt.test - # Fog storage connection settings, see http://fog.io/storage/ - connection: - provider: AWS # Only AWS supported at the moment - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 gitlab_shell: path: tmp/tests/gitlab-shell/ authorized_keys_file: tmp/tests/authorized_keys diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb index f48ff788a..29c541cb2 100644 --- a/assets/runtime/config/gitlabhq/puma.rb +++ b/assets/runtime/config/gitlabhq/puma.rb 
@@ -72,6 +72,12 @@ # worker_timeout {{PUMA_TIMEOUT}} +# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput +wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f + +# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#nakayoshi_fork +nakayoshi_fork unless ENV['DISABLE_PUMA_NAKAYOSHI_FORK'] == 'true' + # Use json formatter require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma_logging/json_formatter" @@ -79,3 +85,12 @@ log_formatter do |str| json_formatter.call(str) end + +lowlevel_error_handler do |ex, env| + if Raven.configuration.capture_allowed? + Raven.capture_exception(ex, tags: { 'handler': 'puma_low_level' }, extra: { puma_env: env }) + end + + # note the below is just a Rack response + [500, {}, ["An error has occurred and reported in the system's low-level error handler."]] +end diff --git a/assets/runtime/config/gitlabhq/resque.yml b/assets/runtime/config/gitlabhq/resque.yml index 7a6681536..20b4bab7f 100644 --- a/assets/runtime/config/gitlabhq/resque.yml +++ b/assets/runtime/config/gitlabhq/resque.yml @@ -1,5 +1,5 @@ -# If you change this file in a Merge Request, please also create -# a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests +# If you change this file in a merge request, please also create +# a merge request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # development: url: redis://localhost:6379 @@ -8,7 +8,7 @@ development: # host: localhost # port: 26380 # point to sentinel, not to redis port # - - # host: slave2 + # host: replica2 # port: 26381 # point to sentinel, not to redis port test: url: redis://localhost:6379 
@@ -22,13 +22,13 @@ production: # http://redis.io/topics/sentinel # # You must specify a list of a few sentinels that will handle client connection - # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html + # please read here for more information: https://docs.gitlab.com/ee/administration/redis/index.html ## # url: redis://master:6379 # sentinels: # - - # host: slave1 + # host: replica1 # port: 26379 # point to sentinel, not to redis port # - - # host: slave2 + # host: replica2 # port: 26379 # point to sentinel, not to redis port diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml index 769d956a2..175cbebdf 100644 --- a/assets/runtime/config/gitlabhq/secrets.yml +++ b/assets/runtime/config/gitlabhq/secrets.yml @@ -1,7 +1,7 @@ production: # db_key_base is used to encrypt for Variables. Ensure that you don't lose it. # If you change or lose this key you will be unable to access variables stored in database. - # Make sure the secret is at least 30 characters and all random, + # Make sure the secret is at least 32 characters and all random, # no regular words or you'll be exposed to dictionary attacks. db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}} secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}} diff --git a/assets/runtime/config/gitlabhq/smtp_settings.rb b/assets/runtime/config/gitlabhq/smtp_settings.rb index d7dffbde0..be128b7a6 100644 --- a/assets/runtime/config/gitlabhq/smtp_settings.rb +++ b/assets/runtime/config/gitlabhq/smtp_settings.rb 
@@ -5,10 +5,11 @@ # # For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html # -# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests +# If you change this file in a merge request, please also create a merge request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests if Rails.env.production? Rails.application.config.action_mailer.delivery_method = :smtp + secrets = Gitlab::Email::SmtpConfig.secrets ActionMailer::Base.delivery_method = :smtp ActionMailer::Base.smtp_settings = { 
@@ -16,12 +17,46 @@ port: {{SMTP_PORT}}, user_name: "{{SMTP_USER}}", password: "{{SMTP_PASS}}", + ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password + ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets + # user_name: secrets.username, + # password: secrets.password, domain: "{{SMTP_DOMAIN}}", authentication: "{{SMTP_AUTHENTICATION}}", enable_starttls_auto: {{SMTP_STARTTLS}}, - openssl_verify_mode: '{{SMTP_OPENSSL_VERIFY_MODE}}', + openssl_verify_mode: '{{SMTP_OPENSSL_VERIFY_MODE}}', # See ActionMailer documentation for other possible options ca_path: "{{SMTP_CA_PATH}}", ca_file: "{{SMTP_CA_FILE}}", tls: {{SMTP_TLS}} } end + +# To use an SMTP connection pool, uncomment the following section: +# +# require 'mail/smtp_pool' +# +# ActionMailer::Base.add_delivery_method :smtp_pool, Mail::SMTPPool +# +# if Rails.env.production? +# Rails.application.config.action_mailer.delivery_method = :smtp_pool +# secrets = Gitlab::Email::SmtpConfig.secrets +# +# ActionMailer::Base.delivery_method = :smtp_pool +# ActionMailer::Base.smtp_pool_settings = { +# pool: Mail::SMTPPool.create_pool( +# pool_size: Gitlab::Runtime.max_threads, +# address: "email.server.com", +# port: 465, +# user_name: "smtp", +# password: "123456", +# ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password +# ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets +# # user_name: secrets.username, +# # password: secrets.password, +# domain: "gitlab.company.com", +# authentication: :login, +# enable_starttls_auto: true, +# openssl_verify_mode: 'peer' # See ActionMailer documentation for other possible options +# ) +# } +# end diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 46624eafc..1aaec4c51 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -46,7 +46,9 @@ DB_PORT=${DB_PORT:-} DB_NAME=${DB_NAME:-} DB_USER=${DB_USER:-} DB_PASS=${DB_PASS:-} -DB_POOL=${DB_POOL:-10} +if [[ -v DB_POOL ]]; then + echo "configuration parameter DB_POOL is removed and has no effect." +fi DB_PREPARED_STATEMENTS=${DB_PREPARED_STATEMENTS:-true} # backward compatibility @@ -126,8 +128,6 @@ GITLAB_ARTIFACTS_DIR="${GITLAB_ARTIFACTS_DIR:-$GITLAB_SHARED_DIR/artifacts}" GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED=${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED:-false} GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY:-artifacts} -GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD:-false} -GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} @@ -152,8 +152,6 @@ GITLAB_PACKAGES_DIR="${GITLAB_PACKAGES_DIR:-$GITLAB_SHARED_DIR/packages}" GITLAB_PACKAGES_OBJECT_STORE_ENABLED=${GITLAB_PACKAGES_OBJECT_STORE_ENABLED:-false} GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY:-packages} -GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD:-false} -GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} 
@@ -202,8 +200,6 @@ GITLAB_LFS_OBJECTS_DIR="${GITLAB_LFS_OBJECTS_DIR:-$GITLAB_SHARED_DIR/lfs-objects GITLAB_LFS_OBJECT_STORE_ENABLED=${GITLAB_LFS_OBJECT_STORE_ENABLED:-false} GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY:-lfs-objects} -GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD:-false} -GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} @@ -227,8 +223,6 @@ GITLAB_UPLOADS_BASE_DIR="${GITLAB_UPLOADS_BASE_DIR:-uploads/-/system}" GITLAB_UPLOADS_OBJECT_STORE_ENABLED=${GITLAB_UPLOADS_OBJECT_STORE_ENABLED:-false} GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY:-uploads} -GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD:-false} -GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD:-false} GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} 
@@ -254,8 +248,12 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com} GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-} GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-} GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-} -GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true} -GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false} +if [[ -v GITLAB_NOTIFY_ON_BROKEN_BUILDS ]]; then + echo "GITLAB_NOTIFY_ON_BROKEN_BUILDS is removed in gitlab v15.2.0 and has no effect." +fi +if [[ -v GITLAB_NOTIFY_PUSHER ]]; then + echo "GITLAB_NOTIFY_PUSHER is removed in gitlab v15.2.0 and has no effect." +fi GITLAB_ROBOTS_PATH=${GITLAB_ROBOTS_PATH:-${USERCONF_TEMPLATES_DIR}/gitlabhq/robots.txt} @@ -270,7 +268,10 @@ GITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer} GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES:-false} ## SSL -SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} +### removed +if [ -v SSL_SELF_SIGNED ]; then + echo "The configuration parameter SSL_SELF_SIGNED is removed and not used anymore." +fi SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-$GITLAB_DATA_DIR/certs/gitlab.crt} SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem} @@ -538,9 +539,11 @@ OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-} ### GOOGLE GOOGLE_ANALYTICS_ID=${GOOGLE_ANALYTICS_ID:-} -### PIWIK -PIWIK_URL=${PIWIK_URL:-} -PIWIK_SITE_ID=${PIWIK_SITE_ID:-} +### MATOMO +PIWIK_URL=${PIWIK_URL:-} # backward compatibility +PIWIK_SITE_ID=${PIWIK_SITE_ID:-} # backward compatibility +MATOMO_URL=${MATOMO_URL:-PIWIKI_URL} +MATOMO_SITE_ID=${MATOMO_SITE_ID:-PIWIK_SITE_ID} ## RACK ATTACK RACK_ATTACK_ENABLED=${RACK_ATTACK_ENABLED:-true} 
@@ -578,7 +581,6 @@ GITALY_ADDRESS=${GITALY_ADDRESS:-unix:$GITALY_SOCKET_PATH} GITLAB_SHELL_CUSTOM_HOOKS_DIR=${GITLAB_SHELL_CUSTOM_HOOKS_DIR:-"$GITLAB_SHELL_INSTALL_DIR/hooks"} ## MONITORING -GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL=${GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL:-10} GITLAB_MONITORING_IP_WHITELIST=${GITLAB_MONITORING_IP_WHITELIST:-"0.0.0.0/8"} GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED:-true} GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS:-"0.0.0.0"} diff --git a/assets/runtime/functions b/assets/runtime/functions index 787ce5c8a..0dde1e52f 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -180,7 +180,6 @@ gitlab_configure_database() { DB_NAME \ DB_USER \ DB_PASS \ - DB_POOL \ DB_PREPARED_STATEMENTS } @@ -265,7 +264,6 @@ gitlab_configure_monitoring() { echo "Configuring gitlab::monitoring..." update_template ${GITLAB_CONFIG} \ - GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \ GITLAB_MONITORING_IP_WHITELIST \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \ GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \ @@ -960,23 +958,23 @@ gitlab_configure_analytics_google() { fi } -gitlab_configure_analytics_piwik() { - if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then - echo "Configuring gitlab::analytics:piwik..." +gitlab_configure_analytics_matomo() { + if [[ -n ${MATOMO_URL} && -n ${MATOMO_SITE_ID} ]]; then + echo "Configuring gitlab::analytics:matomo..." update_template ${GITLAB_CONFIG} \ - PIWIK_URL \ - PIWIK_SITE_ID + MATOMO_URL \ + MATOMO_SITE_ID else exec_as_git sed -i \ - -e "/{{PIWIK_URL}}/d" \ - -e "/{{PIWIK_SITE_ID}}/d" \ + -e "/{{MATOMO_URL}}/d" \ + -e "/{{MATOMO_SITE_ID}}/d" \ ${GITLAB_CONFIG} fi } gitlab_configure_analytics() { gitlab_configure_analytics_google - gitlab_configure_analytics_piwik + gitlab_configure_analytics_matomo } gitlab_configure_rack_attack() { 
@@ -992,8 +990,7 @@ gitlab_configure_rack_attack() { gitlab_configure_ci() { echo "Configuring gitlab::ci..." update_template ${GITLAB_CONFIG} \ - GITLAB_NOTIFY_ON_BROKEN_BUILDS \ - GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR + GITLAB_NOTIFY_ON_BROKEN_BUILDS } gitlab_configure_artifacts() { @@ -1018,8 +1015,6 @@ gitlab_configure_artifacts() { update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \ - GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \ - GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ @@ -1065,8 +1060,6 @@ gitlab_configure_packages() { update_template ${GITLAB_CONFIG} \ GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \ - GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \ - GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ @@ -1154,8 +1147,6 @@ gitlab_configure_lfs() { update_template ${GITLAB_CONFIG} \ GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \ - GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \ - GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ @@ -1200,8 +1191,6 @@ gitlab_configure_uploads() { update_template ${GITLAB_CONFIG} \ GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \ - GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \ - GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \ GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ 
@@ -1845,7 +1834,6 @@ configure_gitlab() { GITLAB_SSH_HOST \ GITLAB_SSH_LISTEN_PORT \ GITLAB_SSH_PORT \ - GITLAB_SIGNUP_ENABLED \ GITLAB_IMPERSONATION_ENABLED \ GITLAB_PROJECTS_LIMIT \ GITLAB_USERNAME_CHANGE \ @@ -1889,6 +1877,15 @@ configure_gitlab() { generate_healthcheck_script gitlab_configure_content_security_policy + # some configurations are stored in database + ## GITLAB_SIGNUP_ENABLED : `signup_enabled` in `application_settings` table + ## avoid injection: set to false unless explicitly specified to be true + if [[ "${GITLAB_SIGNUP_ENABLED}" != true ]]; then + GITLAB_SIGNUP_ENABLED=false + fi + printf "Configurating application_settings.signup_enabled=%s :" ${GITLAB_SIGNUP_ENABLED} + PGPASSWORD="${DB_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "UPDATE application_settings SET signup_enabled = ${GITLAB_SIGNUP_ENABLED}" + # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket } @@ -1900,7 +1897,6 @@ configure_gitlab_shell() { GITLAB_HOME \ GITLAB_LOG_DIR \ GITLAB_SHELL_INSTALL_DIR \ - SSL_SELF_SIGNED \ REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml index 4e7b0eae4..5376bc1aa 100644 --- a/contrib/docker-swarm/docker-compose.yml +++ b/contrib/docker-swarm/docker-compose.yml @@ -52,7 +52,6 @@ services: - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - GITLAB_HOST=localhost - GITLAB_PORT=10080 @@ -65,9 +64,6 @@ services: - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml index 23991fa68..b156a625a 100644 --- a/docker-compose.swarm.yml +++ b/docker-compose.swarm.yml 
@@ -114,7 +114,6 @@ services: - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=true - - SSL_SELF_SIGNED=false - GITLAB_HOST=${GITLAB_HOST?Variable not set} - GITLAB_PORT=443 @@ -127,9 +126,6 @@ services: - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com diff --git a/docker-compose.yml b/docker-compose.yml index a0983b7a6..1303c043e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -54,7 +54,6 @@ services: - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - GITLAB_HOST=localhost - GITLAB_PORT=10080 @@ -67,9 +66,6 @@ services: - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml index 1e9e631fc..2cc35c356 100644 --- a/docs/docker-compose-keycloak.yml +++ b/docs/docker-compose-keycloak.yml @@ -48,7 +48,6 @@ services: - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - GITLAB_HOST='' - GITLAB_PORT=10080 @@ -61,9 +60,6 @@ services: - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml index e4495d4fb..88b8d299c 100644 --- a/docs/docker-compose-registry.yml +++ b/docs/docker-compose-registry.yml @@ -49,7 +49,6 @@ services: - REDIS_PORT=6379 - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - GITLAB_HOST=gitlab.example.com - GITLAB_PORT=80 
diff --git a/docs/s3_compatible_storage.md b/docs/s3_compatible_storage.md index b6e9f3db8..718deb401 100644 --- a/docs/s3_compatible_storage.md +++ b/docs/s3_compatible_storage.md @@ -7,11 +7,12 @@ This is an extend of AWS Remote Backups. As explained in [doc.gitlab.com](https://docs.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage), it uses [Fog library](http://fog.io) and the module fog-aws. More details on [s3 supported parameters](https://github.com/fog/fog-aws/blob/master/lib/fog/aws/storage.rb) +- [GitLab Backup to s3 compatible storage](#gitlab-backup-to-s3-compatible-storage) - [Available Parameters](#available-parameters) - [Installation](#installation) -- [Maintenance](#maintenance) - - [Creating Backups](#creating-backups) - - [Restoring Backups](#restoring-backups) + - [Docker Compose](#docker-compose) + - [Creating Backups](#creating-backups) + - [Restoring Backups](#restoring-backups) # Available Parameters @@ -114,7 +115,6 @@ services: - TZ=Asia/Kolkata - GITLAB_TIMEZONE=Kolkata - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - GITLAB_HOST=localhost - GITLAB_PORT=10080 - GITLAB_SSH_PORT=10022 @@ -124,8 +124,6 @@ services: - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - GITLAB_EMAIL=notifications@example.com - GITLAB_EMAIL_REPLY_TO=noreply@example.com - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml index c4a0ac196..f1d6d4281 100644 --- a/kubernetes/gitlab-rc.yml +++ b/kubernetes/gitlab-rc.yml @@ -40,11 +40,6 @@ spec: - name: GITLAB_SSH_PORT value: "22" - - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS - value: "true" - - name: GITLAB_NOTIFY_PUSHER - value: "false" - - name: GITLAB_BACKUP_SCHEDULE value: daily - name: GITLAB_BACKUP_TIME
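Review bot: the `lowlevel_error_handler` added to the Puma config references `Raven` unconditionally, so if the sentry-raven gem is not loaded in the Puma master process (or the constant is renamed in a later GitLab release) the handler itself raises NameError while handling an error, which is the worst place to fail; guard it with `if defined?(Raven) && Raven.configuration.capture_allowed?`. Two smaller points in the same block: `extra: { puma_env: env }` ships the whole Rack env, including request headers such as Cookie and Authorization, to the error tracker, so restrict it to the keys actually useful for triage (for example PATH_INFO and REQUEST_METHOD) unless the sanitizer is known to scrub those; and the Rack response `[500, {}, [...]]` carries no Content-Type header, so add `{ 'Content-Type' => 'text/plain' }`.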
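Review bot: the secrets.yml comment now says "at least 32 characters" but nothing in the patch enforces it; env-defaults still lets `GITLAB_SECRETS_DB_KEY_BASE` default to an empty string. If the entrypoint does not already check the length, have it fail fast when the value is missing or shorter than 32 characters, since db_key_base protects the encrypted CI variables and cannot be rotated without re-encrypting them.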
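Review bot: in smtp_settings.rb the new `secrets = Gitlab::Email::SmtpConfig.secrets` is assigned but only consumed by the commented-out `user_name: secrets.username` / `password: secrets.password` lines, so it is dead code on every boot. Either drop the assignment until encrypted SMTP credentials are actually wired up through the container's environment, or keep it and note in the comment that it is intentionally pre-loaded for users who uncomment those two lines. The commented connection-pool block below is a verbatim upstream example; fine to keep, but the placeholder `password: "123456"` should stay clearly marked as a placeholder so nobody copies it into a real deployment.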
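Review bot: the removal of `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD` and `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD` from env-defaults (and of the matching packages, lfs and uploads variables in the following hunks) is silent, unlike `DB_POOL`, `GITLAB_NOTIFY_*` and `SSL_SELF_SIGNED` in the same patch, which each get an `if [[ -v ... ]]; then echo "... is removed"` notice. Operators who still set these get no hint that their setting is ignored; add the same warning for each removed variable, and confirm the corresponding `{{..._DIRECT_UPLOAD}}` / `{{..._BACKGROUND_UPLOAD}}` placeholders are also deleted from the gitlab.yml template, since `update_template` no longer substitutes them and a literal placeholder would otherwise survive in the rendered config.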
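Review bot: the MATOMO block in env-defaults has a real bug: `MATOMO_URL=${MATOMO_URL:-PIWIKI_URL}` and `MATOMO_SITE_ID=${MATOMO_SITE_ID:-PIWIK_SITE_ID}` expand to the literal strings PIWIKI_URL and PIWIK_SITE_ID (the `$` is missing, and PIWIK is misspelled in the first one), not to the values of the legacy variables. Because `gitlab_configure_analytics_matomo` only tests `-n ${MATOMO_URL} && -n ${MATOMO_SITE_ID}`, both checks always pass, so every deployment gets a Matomo tracker block rendered into gitlab.yml pointing at a bogus host even when no analytics were requested, and the intended PIWIK_* backward compatibility never takes effect. Change the two lines to `MATOMO_URL=${MATOMO_URL:-$PIWIK_URL}` and `MATOMO_SITE_ID=${MATOMO_SITE_ID:-$PIWIK_SITE_ID}`.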
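Review bot: the `+` line in `gitlab_configure_ci` looks inverted: it keeps `GITLAB_NOTIFY_ON_BROKEN_BUILDS` and drops `GITLAB_BUILDS_DIR`. The same patch stops env-defaults from setting GITLAB_NOTIFY_ON_BROKEN_BUILDS (it is now only a removal warning), so `update_template` would substitute an unset variable, while the `{{GITLAB_BUILDS_DIR}}` placeholder in gitlab.yml would no longer be replaced at all. The body should read `update_template ${GITLAB_CONFIG} \` followed by `GITLAB_BUILDS_DIR`, with the notify placeholder removed from the template.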
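Review bot: the new `psql ... -c "UPDATE application_settings SET signup_enabled = ${GITLAB_SIGNUP_ENABLED}"` in `configure_gitlab` changes semantics and has no error handling. It runs on every container start, so it silently reverts any change an administrator made to sign-ups in the admin UI; if that is intended, document that GITLAB_SIGNUP_ENABLED now overrides the UI on each restart, otherwise run it only during first-time initialisation. The exit status is never checked: on a first boot the `application_settings` table may not exist yet, and `DB_HOST`, `DB_PORT`, `DB_USER` and `DB_NAME` all default to empty strings in env-defaults, so a failed or misdirected update just prints to the log and startup continues. Coercing anything other than the literal `true` to `false` before interpolating into SQL is the right defence against injection here; keep that. Minor: "Configurating" in the printf should be "Configuring", and since `GITLAB_SIGNUP_ENABLED` was dropped from the `update_template` list, the `{{GITLAB_SIGNUP_ENABLED}}` placeholder must also go from the gitlab.yml template or the literal string ends up in the rendered config.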
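Review bot: the rewritten table of contents in docs/s3_compatible_storage.md drops the "Maintenance" entry and nests "Creating Backups" and "Restoring Backups" under "Installation" › "Docker Compose", but no hunk in this patch moves the corresponding headings in the body. Confirm the headings were actually restructured; otherwise the anchors still resolve but the outline misrepresents the document, and the old "Maintenance" section becomes unreachable from the TOC.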