diff --git a/.circleci/config.yml b/.circleci/config.yml index f3cead2d0..10cf0a50a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,9 +1,9 @@ version: 2.1 orbs: - shellcheck: circleci/shellcheck@1.3.16 - docker: circleci/docker@1.0.1 - go: circleci/go@1.1.1 + shellcheck: circleci/shellcheck@3.4.0 + docker: circleci/docker@2.8.2 + go: circleci/go@1.11.0 commands: docker-build: @@ -50,6 +50,11 @@ commands: description: | No output timeout for build step type: string + use-buildkit: + default: false + description: | + Use buildkit to build the image. Available on Docker >= 18.09.0 https://docs.docker.com/develop/develop-images/build_enhancements/ + type: boolean steps: - when: condition: <> @@ -76,7 +81,7 @@ commands: done done - docker build + docker buildx build <<#parameters.extra_build_args>><><> \ --cache-from <> \ @@ -102,7 +107,7 @@ commands: done done - docker build + docker buildx build <<#parameters.extra_build_args>><><> \ -f <>/<> \ @@ -198,7 +203,9 @@ commands: jobs: build: - executor: docker/machine + machine: + image: ubuntu-2404:edge + resource_class: large steps: - checkout - docker-build: @@ -208,6 +215,7 @@ jobs: cache_from: docker.io/sameersbn/gitlab:latest extra_build_args: '--build-arg VCS_REF=${CIRCLE_TAG:-${CIRCLE_SHA1}} --build-arg BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")"' no_output_timeout: 45m + use-buildkit: true - docker-save: registry: docker.io,quay.io image: sameersbn/gitlab @@ -231,6 +239,9 @@ jobs: - run: name: Wait for stack bootup command: sleep 90 + - run: + name: Show logs + command: docker-compose logs - run: name: Test image bootup command: | @@ -266,12 +277,12 @@ jobs: release: executor: name: go/default - tag: '1.14' + tag: '1.24' steps: - checkout - run: name: Installing github-release tool - command: go get github.com/meterup/github-release + command: go install github.com/meterup/github-release@latest - run: name: Creating github release command: | 
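Review bot: The new `use-buildkit` parameter of `docker-build` is not consulted by anything in the hunks shown: the two later `docker build` → `docker buildx build` replacements in the same command are unconditional, and `docker buildx build` always uses BuildKit, so the `use-buildkit: true` passed from the `build` job has no visible effect. If nothing outside these hunks reads `<< parameters.use-buildkit >>` (the command body extends beyond them), either gate the build on it or drop the parameter so the description does not promise a switch that does not exist. The description also uses `|`, which keeps a trailing newline on a one-line value; `description: >-` folds the long line and strips it.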
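Review bot: `image: ubuntu-2404:edge` in the `build` job is a rolling tag, so the docker, buildx and compose toolchain the image is built and tested with can change between two runs of the same commit, which makes failures hard to bisect and updates the CI environment outside code review. Pinning to a dated machine-image tag, `image: ubuntu-2404:<dated-tag>`, and bumping it deliberately alongside the orb versions keeps the build reproducible. The `build` job continues past the end of this hunk, so any other `edge` reference there would need the same treatment.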
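Review bot: The added `Show logs` step runs once, right after the fixed `sleep 90` and before `Test image bootup`, so when the bootup test fails the container state at the time of failure is never printed; the logs shown are from 90 seconds earlier. Placing the step after the test with `when: always` (or adding a second copy there) captures the failing state, e.g. `- run: {name: Show logs, command: docker-compose logs, when: always}`. It is also worth confirming that the standalone `docker-compose` binary exists on the `ubuntu-2404` machine image; if only the compose v2 plugin is present the command needs to be `docker compose logs`. The job continues outside the hunk.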
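Review bot: `go install github.com/meterup/github-release@latest` in the `release` job resolves the tool's version at every run, so the job that creates GitHub releases (and presumably holds a release token) executes whatever the module proxy currently serves for that path, with no review of the change. Pin it to a tagged version or commit, `command: go install github.com/meterup/github-release@<pinned-version>`, and bump it explicitly like the orbs; the Go checksum database then verifies the pinned content on each run. The `go/default` executor tag bump is fine on its own.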
@@ -285,7 +296,8 @@ workflows: jobs: - shellcheck/check: name: shellcheck - ignore: SC2086,SC2181 + exclude: SC2086,SC2181 + external_sources: true filters: tags: only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index dbb5cdb4d..1ec790677 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # GitLab-CI Configuration -When using your own gitlab instance, the provided .gitlab-ci.yml will be automatically be using the settings provided by the GitLab Instance. If needed several options can be overriden. +When using your own GitLab instance, the provided .gitlab-ci.yml will automatically be using the settings provided by the GitLab instance. If needed, several options can be overriden. Overrides for these values can be set within the project, under `Settings` -> `CI/CD` -> `Variables`. @@ -9,4 +9,4 @@ Overrides for these values can be set within the project, under `Settings` -> `C | `CI_REGISTRY` | `hub.docker.com` | If available this will be automatically overriden by registry address which is configured within the GitLab instance | | `CI_REGISTRY_USER` | `gitlab-ci-token` | Username for the registry | | `CI_REGISTRY_PASSWORD` | `${CI_JOB_TOKEN}` | Password for the registry | -| `DOCKER_IMAGE` | `sameersbn/gitlab` | Docker image name, will be automatically be overriden by the running GitLab instance with the `${CI_PROJECT_PATH}` variable. This will case the image to be uploaded to the local registry of the project within GitLab. | +| `DOCKER_IMAGE` | `sameersbn/gitlab` | Docker image name, will automatically be overriden by the running GitLab instance with the `${CI_PROJECT_PATH}` variable. This will cause the image to be uploaded to the local registry of the project within GitLab. | diff --git a/Changelog.md b/Changelog.md index 1181a5235..9d9654314 100644 --- a/Changelog.md +++ b/Changelog.md 
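Review bot: `exclude: SC2086,SC2181` still silences SC2086 (unquoted expansions subject to word splitting and globbing) across every script the orb checks, and with `external_sources: true` now following `source`d files the blanket exclusion covers more code than before. Where an unquoted expansion is intentional, a per-line `# shellcheck disable=SC2086` in the script records the intent and lets the check catch the accidental cases; the same applies to SC2181. The rename from `ignore` to `exclude` appears to match the 3.x orb's parameter name, so that part looks correct.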
@@ -1,32 +1,1553 @@ # Changelog -This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG]( -https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab. +This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https:// +gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab. + +## 18.5.1 + +- gitlab: upgrade CE to v18.5.1 +- gitaly: upgrade to v18.5.1 +- gitlab-pages: upgrade to v18.5.1 + +## 18.5.0 + +- gitlab: upgrade CE to v18.5.0 +- gitaly: upgrade to v18.5.0 +- gitlab-pages: upgrade to v18.5.0 +- gitlab-shell: upgrade to v14.45.3 +- golang: upgrade to v1.24.9 +- ubuntu: upgrade to noble-20251001 + +## 18.4.2 + +- gitlab: upgrade CE to v18.4.2 +- gitaly: upgrade to v18.4.2 +- gitlab-pages: upgrade to v18.4.2 +- golang: upgrade to v1.24.8 +- ubuntu: upgrade to noble-20250925 + +## 18.4.1 + +- gitlab: upgrade CE to v18.4.1 +- gitaly: upgrade to v18.4.1 +- gitlab-pages: upgrade to v18.4.1 +- ubuntu: upgrade to noble-20250910 + +## 18.4.0 + +- gitlab: upgrade CE to v18.4.0 +- gitaly: upgrade to v18.4.0 +- gitlab-pages: upgrade to v18.4.0 +- ubuntu: upgrade to noble-20250910 + +## 18.3.2 + +- gitlab: upgrade CE to v18.3.2 +- gitaly: upgrade to v18.3.2 +- gitlab-pages: upgrade to v18.3.2 +- gitlab-shell: upgrade to v14.45.2 +- golang: upgrade to v1.24.7 +- rubygems: upgrade to v3.7.2 +- ubuntu: upgrade to noble-20250805 + +## 18.3.1 + +- gitlab: upgrade CE to v18.3.1 +- gitaly: upgrade to v18.3.1 +- gitlab-pages: upgrade to v18.3.1 + +## 18.3.0 + +- gitlab: upgrade CE to v18.3.0 +- gitaly: upgrade to v18.3.0 +- gitlab-pages: upgrade to v18.3.0 + +## 18.2.4 + +- gitlab: upgrade CE to v18.2.4 +- gitaly: upgrade to v18.2.4 +- gitlab-pages: upgrade to v18.2.4 +- gitlab-shell: upgrade to v14.44.0 + +## 18.2.2 + +- gitlab: upgrade CE to v18.2.2 +- gitaly: upgrade to v18.2.2 +- 
gitlab-pages: upgrade to v18.2.2 +- golang: upgrade to v1.24.6 +- ubuntu: upgrade to noble-20250716 + +## 18.2.1 + +- gitlab: upgrade CE to v18.2.1 +- gitaly: upgrade to v18.2.1 +- gitlab-pages: upgrade to v18.2.1 +- ruby: upgrade to v3.2.9 +- rubygems: upgrade to v3.7.1 + +## 18.2.0 + +- gitlab: upgrade CE to v18.2.0 +- gitaly: upgrade to v18.2.0 +- gitlab-pages: upgrade to v18.2.0 +- gitlab-shell: upgrade to v14.43.0 +- rubygems: upgrade to v3.7.0 +- ubuntu: upgrade to noble-20250714 + +## 18.1.2 + +- gitlab: upgrade CE to v18.1.2 +- gitaly: upgrade to v18.1.2 +- gitlab-pages: upgrade to v18.1.2 +- golang: upgrade to v1.24.5 +- ubuntu: upgrade to noble-20250619 + +## 18.1.1 + +- gitlab: upgrade CE to v18.1.1 +- gitaly: upgrade to v18.1.1 +- gitlab-pages: upgrade to v18.1.1 + +## 18.1.0 + +- gitlab: upgrade CE to v18.1.0 +- gitaly: upgrade to v18.1.0 +- gitlab-pages: upgrade to v18.1.0 + +## 18.0.2 + +- gitlab: upgrade CE to v18.0.2 +- gitaly: upgrade to v18.0.2 +- gitlab-pages: upgrade to v18.0.2 +- golang: upgrade to v1.24.4 +- ubuntu: upgrade to noble-20250529 + +## 18.0.1 + +- gitlab: upgrade CE to v18.0.1 +- gitaly: upgrade to v18.0.1 +- gitlab-pages: upgrade to v18.0.1 +- gitlab-shell: upgrade to v14.42.0 + +## 18.0.0 + +- gitlab: upgrade CE to v18.0.0 +- gitaly: upgrade to v18.0.0 +- gitlab-pages: upgrade to v18.0.0 +- redis: upgrade to v7 +- rubygems: upgrade to v3.6.9 +- ubuntu: upgrade to noble-20250415.1 + +## 17.11.2 + +- gitlab: upgrade CE to v17.11.2 +- gitaly: upgrade to v17.11.2 +- gitlab-pages: upgrade to v17.11.2 +- golang: upgrade to v1.24.3 +- ubuntu: upgrade to jammy-20250415.1 + +## 17.11.1 + +- gitlab: upgrade CE to v17.11.1 +- gitaly: upgrade to v17.11.1 +- gitlab-pages: upgrade to v17.11.1 +- rubygems: upgrade to v3.6.8 + +## 17.11.0 + +- gitlab: upgrade CE to v17.11.0 +- gitaly: upgrade to v17.11.0 +- gitlab-pages: upgrade to v17.11.0 + +## 17.10.4 + +- gitlab: upgrade CE to v17.10.4 +- gitaly: upgrade to v17.10.4 +- gitlab-pages: upgrade 
to v17.10.4 +- ubuntu: upgrade to jammy-20250404 + +## 17.10.3 + +- gitlab: upgrade CE to v17.10.3 +- gitaly: upgrade to v17.10.3 +- gitlab-pages: upgrade to v17.10.3 +- golang: upgrade to v1.24.2 +- ruby: upgrade to v3.2.8 + +## 17.10.1 + +- gitlab: upgrade CE to v17.10.1 +- gitaly: upgrade to v17.10.1 +- gitlab-pages: upgrade to v17.10.1 + +## 17.10.0 + +- gitlab: upgrade CE to v17.10.0 +- gitaly: upgrade to v17.10.0 +- gitlab-pages: upgrade to v17.10.0 +- golang: upgrade to v1.24.1 +- rubygems: upgrade to v3.6.6 + +## 17.9.2 + +- gitlab: upgrade CE to v17.9.2 +- gitaly: upgrade to v17.9.2 +- gitlab-pages: upgrade to v17.9.2 + +## 17.9.1 + +- gitlab: upgrade CE to v17.9.1 +- gitaly: upgrade to v17.9.1 +- gitlab-pages: upgrade to v17.9.1 + +## 17.9.0 + +- gitlab: upgrade CE to v17.9.0 +- gitaly: upgrade to v17.9.0 +- gitlab-pages: upgrade to v17.9.0 +- gitlab-shell: upgrade to v14.40.0 +- golang: upgrade to v1.24.0 +- rubygems: upgrade to v3.5.23 +- ubuntu: upgrade to jammy-20250126 + +## 17.8.2 + +- gitlab: upgrade CE to v17.8.2 +- gitaly: upgrade to v17.8.2 +- gitlab-pages: upgrade to v17.8.2 +- golang: upgrade to v1.23.6 +- ruby: upgrade to v3.2.7 + +## 17.8.1 + +- gitlab: upgrade CE to v17.8.1 +- gitaly: upgrade to v17.8.1 +- gitlab-pages: upgrade to v17.8.1 + +## 17.8.0 + +- gitlab: upgrade CE to v17.8.0 +- gitaly: upgrade to v17.8.0 +- gitlab-pages: upgrade to v17.8.0 + +## 17.7.1 + +- gitlab: upgrade CE to v17.7.1 +- gitaly: upgrade to v17.7.1 +- gitlab-pages: upgrade to v17.7.1 + +## 17.7.0 + +- gitlab: upgrade CE to v17.7.0 +- gitaly: upgrade to v17.7.0 +- gitlab-pages: upgrade to v17.7.0 +- ubuntu: upgrade to jammy-20240911.1 +- update healthcheck for postgresql + +## 17.6.3 + +- gitlab: upgrade CE to v17.6.3 +- gitaly: upgrade to v17.6.3 +- gitlab-pages: upgrade to v17.6.3 + +## 17.6.2 + +- gitlab: upgrade CE to v17.6.2 +- gitaly: upgrade to v17.6.2 +- gitlab-pages: upgrade to v17.6.2 + +## 17.6.1 + +- gitlab: upgrade CE to v17.6.1 +- gitlab-pages: 
upgrade to v17.6.1 +- gitaly: upgrade to v17.6.1 +- golang: upgrade to v1.23.5 + +## 17.6.0 + +- gitlab: upgrade CE to v17.6.0 +- gitaly: upgrade to v17.6.0 +- gitlab-pages: upgrade to v17.6.0 + +## 17.5.2 + +- gitlab: upgrade CE to v17.5.2 +- gitaly: upgrade to v17.5.2 +- gitlab-pages: upgrade to v17.5.2 +- golang: upgrade to v1.23.2 +- ruby: upgrade to v3.2.6 + +## 17.5.1 + +- gitlab: upgrade CE to v17.5.1 +- gitaly: upgrade to v17.5.1 +- gitlab-pages: upgrade to v17.5.1 + +## 17.5.0 + +- gitlab: upgrade CE to v17.5.0 +- gitaly: upgrade to v17.5.0 +- gitlab-pages: upgrade to v17.5.0 +- ubuntu: upgrade to focal-20241011 + +## 17.4.2 + +- gitlab: upgrade CE to v17.4.2 +- gitaly: upgrade to v17.4.2 +- gitlab-pages: upgrade to v17.4.2 +- golang: upgrade to v1.23.2 +- ubuntu: upgrade to focal-20240918 + +## 17.4.1 + +- gitlab: upgrade CE to v17.4.1 +- gitaly: upgrade to v17.4.1 +- gitlab-pages: upgrade to v17.4.1 + +## 17.4.0 + +- gitlab: upgrade CE to v17.4.0 +- gitaly: upgrade to v17.4.0 +- gitlab-pages: upgrade to v17.4.0 +- gitlab-shell: upgrade to v14.39.0 + +## 17.3.3 + +- gitlab: upgrade CE to v17.3.3 +- gitaly: upgrade to v17.3.3 +- gitlab-pages: upgrade to v17.3.3 + +## 17.3.2 + +- gitlab: upgrade CE to v17.3.2 +- gitaly: upgrade to v17.3.2 +- gitlab-pages: upgrade to v17.3.2 +- golang: upgrade to v1.23.1 + +## 17.3.1 + +- gitlab: upgrade CE to v17.3.1 +- gitaly: upgrade to v17.3.1 +- gitlab-pages: upgrade to v17.3.1 + +## 17.3.0 + +- gitlab: upgrade CE to v17.3.0 +- gitaly: upgrade to v17.3.0 +- gitlab-pages: upgrade to v17.3.0 +- gitlab-shell: upgrade to v14.38.0 +- golang: upgrade to v1.23.0 + +## 17.2.2 + +- gitlab: upgrade CE to v17.2.2 +- gitaly: upgrade to v17.2.2 +- gitlab-pages: upgrade to v17.2.2 +- golang: upgrade to v1.22.6 + +## 17.2.1 + +- gitlab: upgrade CE to v17.2.1 +- gitaly: upgrade to v17.2.1 +- gitlab-pages: upgrade to v17.2.1 +- ruby: upgrade to v3.2.5 + +## 17.2.0 + +- gitlab: upgrade CE to v17.2.0 +- gitaly: upgrade to v17.2.0 +- 
gitlab-pages: upgrade to v17.2.0 +- gitlab-shell: upgrade to v14.37.0 + +## 17.1.2 + +- gitlab: upgrade CE to v17.1.2 +- gitaly: upgrade to v17.1.2 +- gitlab-pages: upgrade to v17.1.2 +- golang: upgrade to v1.22.5 + +## 17.1.1 + +- gitlab: upgrade CE to v17.1.1 +- gitaly: upgrade to v17.1.1 +- gitlab-pages: upgrade to v17.1.1 + +## 17.1.0 + +- gitlab: upgrade CE to v17.1.0 +- gitaly: upgrade to v17.1.0 +- gitlab-pages: upgrade to v17.1.0 +- gitlab-shell: upgrade to v14.36.0 + +## 17.0.2 + +- gitlab: upgrade CE to v17.0.2 +- gitaly: upgrade to v17.0.2 +- gitlab-pages: upgrade to v17.0.2 +- golang: upgrade to v1.22.4 +- ubuntu: upgrade to focal-20240530 + +## 17.0.1 + +- gitlab: upgrade CE to v17.0.1 +- gitaly: upgrade to v17.0.1 +- gitlab-pages: upgrade to v17.0.1 + +## 17.0.0 + +- gitlab: upgrade CE to v17.0.0 +- gitaly: upgrade to v17.0.0 +- gitlab-pages: upgrade to v17.0.0 +- gitlab-shell: upgrade to v14.35.0 + +## 16.11.2 + +- gitlab: upgrade CE to v16.11.2 +- gitaly: upgrade to v16.11.2 +- gitlab-pages: upgrade to v16.11.2 +- golang: upgrade to v1.22.3 +- ubuntu: upgrade to focal-20240427 + +## 16.11.1 + +- gitlab: upgrade CE to v16.11.1 +- gitaly: upgrade to v16.11.1 +- gitlab-pages: upgrade to v16.11.1 +- ruby: upgrade to v3.2.4 +- ubuntu: upgrade to focal-20240416 + +## 16.11.0 + +- gitlab: upgrade CE to v16.11.0 +- gitaly: upgrade to v16.11.0 +- gitlab-pages: upgrade to v16.11.0 +- gitlab-shell: upgrade to v14.35.0 + +## 16.10.3 + +- gitlab: upgrade CE to v16.10.3 +- gitaly: upgrade to v16.10.3 +- gitlab-pages: upgrade to v16.10.3 +- ubuntu: upgrade to focal-20240410 + +## 16.10.2 + +- gitlab: upgrade CE to v16.10.2 +- gitaly: upgrade to v16.10.2 +- gitlab-pages: upgrade to v16.10.2 +- golang: upgrade to v1.22.2 + +## 16.10.1 + +- gitlab: upgrade CE to v16.10.1 +- gitaly: upgrade to v16.10.1 +- gitlab-pages: upgrade to v16.10.1 + +## 16.10.0 + +- gitlab: upgrade CE to v16.10.0 +- gitaly: upgrade to v16.10.0 +- gitlab-pages: upgrade to v16.10.0 +- 
gitlab-shell: upgrade to v14.34.0 + +## 16.9.2 + +- gitlab: upgrade CE to v16.9.2 +- gitaly: upgrade to v16.9.2 +- gitlab-pages: upgrade to v16.9.2 +- golang: upgrade to v1.22.1 +- ubuntu: upgrade to focal-20240216 + +## 16.9.1 + +- gitlab: upgrade CE to v16.9.1 +- gitaly: upgrade to v16.9.1 +- gitlab-pages: upgrade to v16.9.1 + +## 16.9.0 + +- gitlab: upgrade CE to v16.9.0 +- gitaly: upgrade to v16.9.0 +- gitlab-pages: upgrade to v16.9.0 + +## 16.8.2 + +- gitlab: upgrade CE to v16.8.2 +- gitaly: upgrade to v16.8.2 +- gitlab-pages: upgrade to v16.8.2 +- golang: upgrade to v1.22.0 +- ubuntu: upgrade to focal-20240123 + +## 16.8.1 + +- gitlab: upgrade CE to v16.8.1 +- gitaly: upgrade to v16.8.1 +- gitlab-pages: upgrade to v16.8.1 +- gitlab-shell: upgrade to v14.33.0 + +## 16.8.0 + +- gitlab: upgrade CE to v16.8.0 +- gitaly: upgrade to v16.8.0 +- gitlab-pages: upgrade to v16.8.0 + +## 16.7.3 + +- gitlab: upgrade CE to v16.7.3 +- gitaly: upgrade to v16.7.3 +- gitlab-pages: upgrade to v16.7.3 + +## 16.7.2 + +- gitlab: upgrade CE to v16.7.2 +- gitaly: upgrade to v16.7.2 +- gitlab-pages: upgrade to v16.7.2 +- golang: upgrade to v1.21.6 + +## 16.7.0 + +- gitlab: upgrade CE to v16.7.0 +- gitaly: upgrade to v16.7.0 +- gitlab-pages: upgrade to v16.7.0 +- gitlab-shell: upgrade to v14.32.0 +- ruby: upgrade to v3.1.4 + +## 16.6.2 + +- gitlab: upgrade CE to v16.6.2 +- gitaly: upgrade to v16.6.2 +- gitlab-pages: upgrade to v16.6.2 +- golang: upgrade to v1.21.5 +- ubuntu: upgrade to focal-20231211 + +## 16.6.1 + +- gitlab: upgrade CE to v16.6.1 +- gitaly: upgrade to v16.6.1 +- gitlab-pages: upgrade to v16.6.1 +- ubuntu: upgrade to focal-20231128 + +## 16.6.0 + +- gitlab: upgrade CE to v16.6.0 +- gitaly: upgrade to v16.6.0 +- gitlab-pages: upgrade to v16.6.0 +- gitlab-shell: upgrade to v14.30.0 +- golang: upgrade to v1.21.4 + +## 16.5.1 + +- gitlab: upgrade CE to v16.5.1 +- gitaly: upgrade to v16.5.1 +- gitlab-pages: upgrade to v16.5.1 + +## 16.5.0 + +- gitlab: upgrade CE to v16.5.0 
+- gitaly: upgrade to v16.5.0 +- gitlab-pages: upgrade to v16.5.0 +- gitlab-shell: upgrade to v14.29.0 +- golang: upgrade to v1.21.3 +- ubuntu: upgrade to focal-20231003 + +## 16.4.1 + +- gitlab: upgrade CE to v16.4.1 +- gitaly: upgrade to v16.4.1 +- gitlab-pages: upgrade to v16.4.1 + +## 16.4.0 + +- gitlab: upgrade CE to v16.4.0 +- gitaly: upgrade to v16.4.0 +- gitlab-pages: upgrade to v16.4.0 +- gitlab-shell: upgrade to v14.28.0 + +## 16.3.4 + +- gitlab: upgrade CE to v16.3.4 +- gitaly: upgrade to v16.3.4 +- gitlab-pages: upgrade to v16.3.4 + +## 16.3.3 + +- gitlab: upgrade CE to v16.3.3 +- gitaly: upgrade to v16.3.3 +- gitlab-pages: upgrade to v16.3.3 + +## 16.3.2 + +- gitlab: upgrade CE to v16.3.2 +- gitaly: upgrade to v16.3.2 +- gitlab-pages: upgrade to v16.3.2 +- golang: upgrade to v1.21.1 + +## 16.3.1 + +- gitlab: upgrade CE to v16.3.1 +- gitaly: upgrade to v16.3.1 +- gitlab-pages: upgrade to v16.3.1 + +## 16.3.0 + +- gitlab: upgrade CE to v16.3.0 +- gitaly: upgrade to v16.3.0 +- gitlab-pages: upgrade to v16.3.0 + +## 16.2.4 + +- gitlab: upgrade CE to v16.2.4 +- gitaly: upgrade to v16.2.4 +- gitlab-pages: upgrade to v16.2.4 +- golang: upgrade to v1.21.0 + +## 16.2.3 + +- gitlab: upgrade CE to v16.2.3 +- gitaly: upgrade to v16.2.3 +- gitlab-pages: upgrade to v16.2.3 + +## 16.2.2 + +- gitlab: upgrade CE to v16.2.2 +- gitaly: upgrade to v16.2.2 +- gitlab-pages: upgrade to v16.2.2 +- golang: upgrade to v1.20.7 +- ubuntu: upgrade to focal-20230801 + +## 16.2.1 + +- gitlab: upgrade CE to v16.2.1 +- gitaly: upgrade to v16.2.1 +- gitlab-pages: upgrade to v16.2.1 + +## 16.2.0 + +- gitlab: upgrade CE to v16.2.0 +- gitaly: upgrade to v16.2.0 +- gitlab-pages: upgrade to v16.2.0 +- golang: upgrade to v1.20.6 + +## 16.1.2 + +- gitlab: upgrade CE to v16.1.2 +- gitaly: upgrade to v16.1.2 +- gitlab-pages: upgrade to v16.1.2 +- ubuntu: upgrade to focal-20230624 + +## 16.1.1 + +- gitlab: upgrade CE to v16.1.1 +- gitaly: upgrade to v16.1.1 +- gitlab-pages: upgrade to v16.1.1 + 
+## 16.1.0 + +- gitlab: upgrade CE to v16.1.0 +- gitaly: upgrade to v16.1.0 +- gitlab-pages: upgrade to v16.1.0 +- gitlab-shell: upgrade to v14.23.0 + +## 16.0.5 + +- gitlab: upgrade CE to v16.0.5 +- gitaly: upgrade to v16.0.5 +- gitlab-pages: upgrade to v16.0.5 +- ubuntu: upgrade to focal-20230605 + +## 16.0.4 + +- gitlab: upgrade CE to v16.0.4 +- gitaly: upgrade to v16.0.4 +- gitlab-pages: upgrade to v16.0.4 + +## 16.0.3 + +- gitlab: upgrade CE to v16.0.3 +- gitaly: upgrade to v16.0.3 +- gitlab-pages: upgrade to v16.0.3 + +## 16.0.2 + +- gitlab: upgrade CE to v16.0.2 +- gitaly: upgrade to v16.0.2 +- gitlab-pages: upgrade to v16.0.2 +- golang: upgrade to v1.20.5 + +## 16.0.1 + +- gitlab: upgrade CE to v16.0.1 +- gitaly: upgrade to v16.0.1 +- gitlab-pages: upgrade to v16.0.1 + +## 16.0.0 + +- gitlab: upgrade CE to v16.0.0 +- gitaly: upgrade to v16.0.0 +- gitlab-pages: upgrade to v16.0.0 +- gitlab-shell: upgrade to v14.20.0 + +## 15.11.5 + +- gitlab: upgrade CE to v15.11.5 +- gitaly: upgrade to v15.11.5 +- gitlab-pages: upgrade to v15.11.5 + +## 15.11.4 + +- gitlab: upgrade CE to v15.11.4 +- gitaly: upgrade to v15.11.4 +- gitlab-pages: upgrade to v15.11.4 + +## 15.11.3 + +- gitlab: upgrade CE to v15.11.3 +- gitaly: upgrade to v15.11.3 +- gitlab-pages: upgrade to v15.11.3 +- ruby: upgrade to v3.0.6 + +## 15.11.2 + +- gitlab: upgrade CE to v15.11.2 +- gitaly: upgrade to v15.11.2 +- gitlab-pages: upgrade to v15.11.2 + +## 15.11.1 + +- gitlab: upgrade CE to v15.11.1 +- gitaly: upgrade to v15.11.1 +- gitlab-pages: upgrade to v15.11.1 +- golang: upgrade to v1.20.4 + +## 15.11.0 + +- gitlab: upgrade CE to v15.11.0 +- gitaly: upgrade to v15.11.0 +- gitlab-pages: upgrade to v15.11.0 +- ubuntu: upgrade to focal-20230412 + +## 15.10.3 + +- gitlab: upgrade CE to v15.10.3 +- gitaly: upgrade to v15.10.3 +- gitlab-pages: upgrade to v15.10.3 + +## 15.10.2 + +- gitlab: upgrade CE to v15.10.2 +- gitaly: upgrade to v15.10.2 +- gitlab-pages: upgrade to v15.10.2 +- golang: upgrade to 
v1.20.3 + +## 15.10.1 + +- gitlab: upgrade CE to v15.10.1 +- gitaly: upgrade to v15.10.1 +- gitlab-pages: upgrade to v15.10.1 +- ruby: upgrade to v2.7.8 +- ubuntu: upgrade to focal-20230308 + +## 15.10.0 + +- gitlab: upgrade CE to v15.10.0 +- gitaly: upgrade to v15.10.0 +- gitlab-pages: upgrade to v15.10.0 +- gitlab-shell: upgrade to v14.18.0 +- ubuntu: upgrade to focal-20230308 + +## 15.9.3 + +- gitlab: upgrade CE to v15.9.3 +- gitaly: upgrade to v15.9.3 +- gitlab-pages: upgrade to v15.9.3 +- golang: upgrade to v1.20.2 + +## 15.9.2 + +- gitlab: upgrade CE to v15.9.2 +- gitaly: upgrade to v15.9.2 +- gitlab-pages: upgrade to v15.9.2 +- ubuntu: upgrade to focal-20230301 + +## 15.9.1 + +- gitlab: upgrade CE to v15.9.1 +- gitaly: upgrade to v15.9.1 +- gitlab-pages: upgrade to v15.9.1 + +## 15.9.0 + +- gitlab: upgrade CE to v15.9.0 +- gitaly: upgrade to v15.9.0 +- gitlab-pages: upgrade to v15.9.0 +- gitlab-shell: upgrade to v14.17.0 + +## 15.8.2 + +- gitlab: upgrade CE to v15.8.2 +- gitaly: upgrade to v15.8.2 +- gitlab-pages: upgrade to v15.8.2 +- golang: upgrade to v1.19.6 + +## 15.8.1 + +- gitlab: upgrade CE to v15.8.1 +- gitaly: upgrade to v15.8.1 +- gitlab-pages: upgrade to v15.8.1 +- ubuntu: upgrade to focal-20230126 + +## 15.8.0-1 + +- ruby: rollback to v2.7.7 + +## 15.8.0 + +- gitlab: upgrade CE to v15.8.0 +- gitaly: upgrade to v15.8.0 +- gitlab-pages: upgrade to v15.8.0 +- gitlab-shell: upgrade to v14.15.0 +- golang: upgrade to v1.18.10 + +## 15.7.5 + +- gitlab: upgrade CE to v15.7.5 +- gitaly: upgrade to v15.7.5 +- gitlab-pages: upgrade to v15.7.5 + +## 15.7.3 + +- gitlab: upgrade CE to v15.7.3 +- gitaly: upgrade to v15.7.3 +- gitlab-pages: upgrade to v15.7.3 + +## 15.7.2 + +- gitlab: upgrade CE to v15.7.2 +- gitaly: upgrade to v15.7.2 +- gitlab-pages: upgrade to v15.7.2 + +## 15.7.1 + +- gitlab: upgrade CE to v15.7.1 +- gitaly: upgrade to v15.7.1 +- gitlab-pages: upgrade to v15.7.1 + +## 15.7.0 + +- gitlab: upgrade CE to v15.7.0 +- gitaly: upgrade to v15.7.0 
+- gitlab-pages: upgrade to v15.7.0 +- gitlab-shell: upgrade to v14.14.0 +- ruby: upgrade to v3.0.5 + +## 15.6.3 + +- gitlab: upgrade CE to v15.6.3 +- gitaly: upgrade to v15.6.3 +- gitlab-pages: upgrade to v15.6.3 +- ubuntu: upgrade to focal-20221130 +- ruby: upgrade to v2.7.7 +- ruby: upgrade to v3.0.4 + +## 15.6.2 + +- gitlab: upgrade CE to v15.6.2 +- gitaly: upgrade to v15.6.2 + +## 15.6.1 + +- gitlab: upgrade CE to v15.6.1 +- gitaly: upgrade to v15.6.1 + +## 15.6.0 + +- gitlab: upgrade CE to v15.6.0 +- gitaly: upgrade to v15.6.0 +- gitlab-shell: upgrade to v14.13.0 +- gitlab-pages: upgrade to v1.63.0 +- golang: upgrade to v1.18.8 + +## 15.5.4 + +- gitlab: upgrade CE to v15.5.4 +- gitaly: upgrade to v15.5.4 + +## 15.5.3 + +- gitlab: upgrade CE to v15.5.3 +- gitaly: upgrade to v15.5.3 + +## 15.5.2 + +- gitlab: upgrade CE to v15.5.2 +- gitaly: upgrade to v15.5.2 +- ubuntu: upgrade to focal-20221019 + +## 15.5.1 + +- gitlab: upgrade CE to v15.5.1 +- gitaly: upgrade to v15.5.1 + +## 15.5.0 + +- gitlab: upgrade CE to v15.5.0 +- gitaly: upgrade to v15.5.0 +- gitlab-shell: upgrade to v14.12.0 + +## 15.4.3 + +- gitlab: upgrade CE to v15.4.3 +- gitaly: upgrade to v15.4.3 +- ubuntu: upgrade to focal-20220922 + +## 15.4.2 + +- gitlab: upgrade CE to v15.4.2 +- gitaly: upgrade to v15.4.2 + +## 15.4.1 + +- gitlab: upgrade CE to v15.4.1 +- gitaly: upgrade to v15.4.1 + +## 15.4.0 + +- gitlab: upgrade CE to v15.4.0 +- gitaly: upgrade to v15.4.0 +- ubuntu: upgrade tofocal-20220826 + +## 15.3.3 + +- gitlab: upgrade CE to v15.3.3 +- gitaly: upgrade to v15.3.3 + +## 15.3.2 + +- gitlab: upgrade CE to v15.3.2 +- gitaly: upgrade to v15.3.2 + +## 15.3.1 + +- gitlab: upgrade CE to v15.3.1 +- gitaly: upgrade to v15.3.1 + +## 15.3.0 + +- gitlab: upgrade CE to v15.3.0 +- gitaly: upgrade to v15.3.0 +- gitlab-shell: upgrade to v14.10.0 +- gitlab-pages: upgrade to v1.62.0 +- ubuntu: upgrade to focal-20220801 + +## 15.2.2 + +- gitlab: upgrade CE to v15.2.2 +- gitaly: upgrade to v15.2.2 +- 
golang: upgrade to v1.17.13 + +## 15.2.1 + +- gitlab: upgrade CE to v15.2.1 +- gitaly: upgrade to v15.2.1 +- gitlab-pages: upgrade to v1.61.1 + +## 15.2.0 + +- gitlab: upgrade CE to v15.2.0 +- gitaly: upgrade to v15.2.0 +- gitlab-shell: upgrade to v14.9.0 +- gitlab-pages: upgrade to v1.61.0 +- golang: upgrade to v1.17.12 + +## 15.1.3 + +- gitlab: upgrade CE to v15.1.3 +- gitaly: upgrade to v15.1.3 + +## 15.1.2 + +- gitlab: upgrade CE to v15.1.2 +- gitaly: upgrade to v15.1.2 + +## 15.1.1 + +- gitlab: upgrade CE to v15.1.1 +- gitaly: upgrade to v15.1.1 + +## 15.1.0 + +- gitlab: upgrade CE to v15.1.0 +- gitaly: upgrade to v15.1.0 +- gitlab-shell: upgrade to v14.7.4 +- gitlab-pages: upgrade to v1.59.0 + +## 15.0.3 + +- gitlab: upgrade CE to v15.0.3 +- gitaly: upgrade to v15.0.3 + +## 15.0.2 + +- gitlab: upgrade CE to v15.0.2 +- gitaly: upgrade to v15.0.2 +- ubuntu: upgrade to focal-20220531 + +## 15.0.1 + +- gitlab: upgrade CE to v15.0.1 +- gitaly: upgrade to v15.0.1 +- golang: upgrade to v1.17.11 + +## 15.0.0 + +- gitlab: upgrade CE to v15.0.0 +- gitaly: upgrade to v15.0.0 +- golang: upgrade to v1.17.10 +- gitlab-shell: upgrade to v14.3.0 +- gitlab-pages: upgrade to v1.58.0 + +## 14.10.3 + +- gitlab: upgrade CE to v14.10.3 +- gitaly: upgrade to v14.10.3 + +## 14.10.2 + +- gitlab: upgrade CE to v14.10.2 +- gitaly: upgrade to v14.10.2 +- ubuntu: upgrade to focal-20220426 + +## 14.10.1 + +- gitlab: upgrade CE to v14.10.1 +- gitaly: upgrade to v14.10.1 +- ubuntu: upgrade to focal-20220426 + +## 14.10.0 + +- gitlab: upgrade CE to v14.10.0 +- gitaly: upgrade to v14.10.0 +- gitlab-shell: upgrade to v13.25.1 +- ubuntu: upgrade to focal-20220415 + +## 14.9.3 + +- gitlab: upgrade CE to v14.9.3 +- gitaly: upgrade to v14.9.3 +- golang: upgrade to v1.17.9 +- ruby: upgrade to v2.7.6 +- ubuntu: upgrade to focal-20220404 + +## 14.9.2 + +- gitlab: upgrade CE to v14.9.2 +- gitaly: upgrade to v14.9.2 +- gitlab-pages: upgrade to v1.56.1 + +## 14.9.1 + +- gitlab: upgrade CE to v14.9.1 +- 
gitaly: upgrade to v14.9.1 + +## 14.9.0 + +- gitlab: upgrade CE to v14.9.0 +- gitaly: upgrade to v14.9.0 +- gitlab-pages: upgrade to v1.56.0 +- gitlab-shell: upgrade to v13.24.0 + +## 14.8.4 + +- gitlab: upgrade CE to v14.8.4 +- gitaly: upgrade to v14.8.4 + +## 14.8.3 + +- gitlab: upgrade CE to v14.8.3 +- gitaly: upgrade to v14.8.3 +- golang: upgrade to v1.17.8 +- ubuntu: upgrade to focal-20220316 + +## 14.8.2 + +- gitlab: upgrade CE to v14.8.2 +- gitaly: upgrade to v14.8.2 + +## 14.8.1 + +- gitlab: upgrade CE to v14.8.1 +- gitaly: upgrade to v14.8.1 + +## 14.8.0 + +- gitlab: upgrade CE to v14.8.0 +- gitaly: upgrade to v14.8.0 +- gitlab-pages: upgrade to v1.54.0 +- gitlab-shell: v13.23.2 + +## 14.7.3 + +- gitlab: upgrade CE to v14.7.3 +- gitaly: upgrade to v14.7.3 +- golang: upgrade to v1.17.7 + +## 14.7.2 + +- gitlab: upgrade CE to v14.7.2 +- gitaly: upgrade to v14.7.2 +- ubuntu: upgrade to focal-20220113 + +## 14.7.1 + +- gitlab: upgrade CE to v14.7.1 +- gitaly: upgrade to v14.7.1 + +## 14.7.0 + +- gitlab: upgrade CE to v14.7.0 +- gitaly: upgrade to v14.7.0 +- gitlab-shell: v13.22.2 +- gitlab-pages: upgrade to v1.51.0 + +## 14.6.3 + +- gitlab: upgrade CE to v14.6.3 +- gitaly: upgrade to v14.6.3 + +## 14.6.2 + +- gitlab: upgrade CE to v14.6.2 +- gitaly: upgrade to v14.6.2 +- golang: upgrade to v1.17.6 +- ubuntu: upgrade to focal-20220105 + +## 14.6.1 + +- gitlab: upgrade CE to v14.6.1 +- gitaly: upgrade to v14.6.1 + +## 14.6.0 + +- gitlab: upgrade CE to v14.6.0 +- gitaly: upgrade to v14.6.0 +- gitlab-pages: upgrade to v1.49.0 + +## 14.5.2 + +- gitlab: upgrade CE to v14.5.2 +- gitaly: upgrade to v14.5.2 +- golang: upgrade to v1.17.5 + +## 14.5.1 + +- gitlab: upgrade CE to v14.5.1 +- gitaly: upgrade to v14.5.1 +- gitlab-shell: v13.22.1 + +## 14.5.0 + +- gitlab: upgrade CE to v14.5.0 +- gitaly: upgrade to v14.5.0 +- gitlab-pages: upgrade to v1.48.0 +- gitlab-shell: v13.22.0 + +## 14.4.4 + +- gitlab: upgrade CE to v14.4.4 +- gitaly: upgrade to v14.4.4 +- ruby: upgrade 
to v2.7.5 + +## 14.4.3 + +- gitlab: upgrade CE to v14.4.3 +- gitaly: upgrade to v14.4.3 +- golang: upgrade to v1.17.4 + +## 14.4.2 + +- gitlab: upgrade CE to v14.4.2 +- gitaly: upgrade to v14.4.2 +- redis: upgrade to v6.2.6 + +## 14.4.1 + +- gitlab: upgrade CE to v14.4.1 +- gitaly: upgrade to v14.4.1 + +## 14.4.0 + +- gitlab: upgrade CE to v14.4.0 +- gitaly: upgrade to v14.4.0 +- gitlab-pages: upgrade to v1.46.0 + +## 14.3.3 + +- gitlab: upgrade CE to v14.3.3 +- gitaly: upgrade to v14.3.3 + +## 14.3.2 + +- gitlab: upgrade CE to v14.3.2 +- gitaly: upgrade to v14.3.2 +- gitlab-shell: v13.21.1 + +## 14.3.1 + +- gitlab: upgrade CE to v14.3.1 +- gitaly: upgrade to v14.3.1 + +## 14.3.0 + +- gitlab: upgrade CE to v14.3.0 +- gitaly: upgrade to v14.3.0 +- gitlab-shell: v13.21.0 +- gitlab-pages: upgrade to v1.44.0 +- ruby: compile ruby from source and use v2.7.4 +- ubuntu: upgrade to focal-20211006 + +## 14.2.5 + +- gitlab: upgrade CE to v14.2.5 +- gitaly: upgrade to v14.2.5 + +## 14.2.4 + +- gitlab: upgrade CE to v14.2.4 +- gitaly: upgrade to v14.2.4 +- golang: upgrade to v1.17.1 + +## 14.2.3 + +- gitlab: upgrade CE to v14.2.3 +- gitaly: upgrade to v14.2.3 + +## 14.2.2 + +- gitlab: upgrade CE to v14.2.2 +- gitaly: upgrade to v14.2.2 +- ubuntu: upgrade to focal-20210827 + +## 14.2.1 + +- gitlab: upgrade CE to v14.2.1 +- gitaly: upgrade to v14.2.1 + +## 14.2.0 + +- gitlab: upgrade CE to v14.2.0 +- gitaly: upgrade to v14.2.0 +- gitlab-pages: upgrade to v1.42.0 +- golang: upgrade to v1.17 + +## 14.1.3 + +- gitlab: upgrade CE to v14.1.3 +- gitaly: upgrade to v14.1.3 +- golang: upgrade to v1.16.7 + +## 14.1.2 + +- gitlab: upgrade CE to v14.1.2 +- gitaly: upgrade to v14.1.2 +- gitlab-shell: upgrade to v13.19.1 + +## 14.1.1 + +- gitlab: upgrade CE to v14.1.1 +- gitaly: upgrade to v14.1.1 +- ubuntu: upgrade to focal-20210723 + +## 14.1.0 + +- gitlab: upgrade CE to v14.1.0 +- gitaly: upgrade to v14.1.0 + +## 14.0.6 + +- gitlab: upgrade CE to v14.0.6 +- gitaly: upgrade to v14.0.6 +- 
golang: upgrade to v1.16.6 + +## 14.0.5 + +- gitlab: upgrade CE to v14.0.5 +- gitaly: upgrade to v14.0.5 + +## 14.0.4 + +- gitlab: upgrade CE to v14.0.4 +- gitaly: upgrade to v14.0.4 + +## 14.0.3 + +- gitlab: upgrade CE to v14.0.3 +- gitaly: upgrade to v14.0.3 + +## 14.0.2 + +- gitlab: upgrade CE to v14.0.2 +- gitaly: upgrade to v14.0.2 + +## 14.0.1 + +- gitlab: upgrade CE to v14.0.1 +- gitaly: upgrade to v14.0.1 + +## 14.0.0 + +- gitlab: upgrade CE to v14.0.0 +- gitaly: upgrade to v14.0.0 +- gitlab-shell: upgrade to v13.19.0 +- gitlab-pages: upgrade to v1.40.0 + +## 13.12.5 + +- gitlab: upgrade CE to v13.12.5 +- gitaly: upgrade to v13.12.5 +- ubuntu: upgrade to focal-20210609 + +## 13.12.4 + +- gitlab: upgrade CE to v13.12.4 +- gitaly: upgrade to v13.12.4 + +## 13.12.3 + +- gitlab: upgrade CE to v13.12.3 +- gitaly: upgrade to v13.12.3 +- golang: upgrade to v1.16.5 + +## 13.12.2 + +- gitlab: upgrade CE to v13.12.2 +- gitaly: upgrade to v13.12.2 + +## 13.12.1 + +- gitlab: upgrade CE to v13.12.1 +- gitaly: upgrade to v13.12.1 + +## 13.12.0 + +- gitlab: upgrade CE to v13.12.0 +- gitlab-shell: upgrade to v13.18.0 +- gitlab-pages: upgrade to v1.39.0 +- gitaly: upgrade to v13.12.0 + +## 13.11.4 + +- gitlab: upgrade CE to v13.11.4 +- gitaly: upgrade to v13.11.4 +- golang: upgrade to v1.16.4 +- ubuntu: upgrade to focal-20210416 + +## 13.11.3 + +- gitlab: upgrade CE to v13.11.3 +- gitaly: upgrade to v13.11.3 + +## 13.11.2 + +- gitlab: upgrade CE to v13.11.2 +- gitaly: upgrade to v13.11.2 + +## 13.11.1 + +- gitlab: upgrade CE to v13.11.1 +- gitaly: upgrade to v13.11.1 + +## 13.11.0 + +- gitlab: upgrade CE to v13.11.0 +- gitaly: upgrade to v13.11.0 +- gitlab-pages: upgrade to v1.38.0 +- ubuntu: upgrade to focal-20210401 + +## 13.10.3 + +- gitlab: upgrade CE to v13.10.3 +- gitaly: upgrade to v13.10.3 + +## 13.10.2 + +- gitlab: upgrade CE to v13.10.2 +- gitaly: upgrade to v13.10.2 +- golang: upgrade to v1.16.3 +- ubuntu: upgrade to bionic-20210325 + +## 13.10.1 + +- gitlab: 
upgrade CE to v13.10.1 +- gitaly: upgrade to v13.10.1 +- added libmagic1 to fit requirements of ruby-magic-static-0.3.4 (necessary for puma) + +## 13.10.0 + +- gitlab: upgrade CE to v13.10.0 +- gitaly: upgrade to v13.10.0 +- gitlab-pages: upgrade to v1.36.0 + +## 13.9.5 + +- gitlab: upgrade CE to v13.9.5 +- gitaly: upgrade to v13.9.5 + +## 13.9.4 + +- gitlab: upgrade CE to v13.9.4 +- gitaly: upgrade to v13.9.4 +- golang: upgrade to v1.16.2 +- ubuntu: upgrade to bionic-20210222 + +## 13.9.3 + +- gitlab: upgrade CE to v13.9.3 +- gitaly: upgrade to v13.9.3 +- gitlab-shell: upgrade to v13.17.0 + +## 13.9.2 + +- gitlab: upgrade CE to v13.9.2 +- gitaly: upgrade to v13.9.2 +- gitlab-workhorse: upgrade to v8.63.2 + +## 13.9.1 + +- gitlab: upgrade CE to v13.9.1 +- gitaly: upgrade to v13.9.1 + +## 13.9.0 + +- gitlab: upgrade CE to v13.9.0 +- gitaly: upgrade to v13.9.0 +- gitlab-shell: upgrade to v13.16.1 +- gitlab-pages: upgrade to v1.35.0 +- gitlab-workhorse: upgrade to v8.63.0 +- golang: upgrade to v1.16 + +## 13.8.4 + +- added `SSL_PROTOCOLS` option to change protocols of the nginx +- added `SSL_REGISTRY_CIPHERS` +- added `SSL_REGISTRY_PROTOCOLS` +- added `SSL_PAGES_CIPHERS` +- added `SSL_PAGES_PROTOCOLS` +- gitlab: upgrade CE to v13.8.4 +- gitaly: upgrade to v13.8.4 +- gitlab-shell: upgrade to v13.15.1 + +## 13.8.3 + +- gitlab: upgrade CE to v13.8.3 +- gitaly: upgrade to v13.8.3 +- golang: upgrade to v1.15.8 + +## 13.8.2 + +- gitlab: upgrade CE to v13.8.2 +- gitaly: upgrade to v13.8.2 + +## 13.8.1 + +- gitlab: upgrade CE to v13.8.1 +- gitaly: upgrade to v13.8.1 + +## 13.8.0 + +- gitlab: upgrade CE to v13.8.0 +- gitaly: upgrade to v13.8.0 +- gitlab-shell: upgrade to v13.15.0 +- gitlab-workhorse: upgrade to v8.59.0 +- gitlab-pages: upgrade to v1.34.0 +- golang: upgrade to v1.15.7 +- ubuntu: upgrade to bionic-20210118 + +## 13.7.4 + +- gitlab: upgrade CE to v13.7.4 + +## 13.7.3 + +- gitlab: upgrade CE to v13.7.3 +- gitlab-pages: upgrade to v1.34.0 +- gitlab-shell: upgrade 
to v13.7.3 +- gitlab-workhorse: upgrade to v8.58.2 + +## 13.7.1 + +- gitlab: upgrade CE to v13.7.1 +- gitaly: upgrade v13.7.1 + +## 13.7.0 + +- gitlab: upgrade CE to v13.7.0 +- gitaly: upgrade v13.7.0 +- gitlab-shell: upgrade to v13.14.0 +- gitlab-pages: upgrade to v1.32.0 +- gitlab-workhorse: upgrade to v8.58.0 +- ubuntu: upgrade to ubuntu bionic-20201119 +- postgresql: upgrade to postgresql 12 + +## 13.6.3 + +- gitlab: upgrade CE to v13.6.3 +- gitaly: upgrade v13.6.3 + +## 13.6.2 + +- gitlab: upgrade CE to v13.6.2 +- gitaly: upgrade v13.6.2 + +## 13.6.1 + +- gitlab: upgrade CE to v13.6.1 +- gitaly: upgrade v13.6.1 + +## 13.6.0 + +- gitlab: upgrade CE to v13.6.0 +- gitaly: upgrade v13.6.0 +- gitlab-shell: upgrade to v13.13.0 +- gitlab-pages: upgrade to v1.30.0 +- gitlab-workhorse: upgrade to v8.54.0 +- use bundler 2.1.4 +- use ruby 2.7 + +## 13.5.4 + +- gitlab: upgrade CE to v13.5.4 +- gitaly: upgrade v13.5.4 + +## 13.5.3 -**13.5.3** - gitlab: upgrade CE to v13.5.3 - gitaly: upgrade v13.5.3 -**13.5.2** +## 13.5.2 + - gitlab: upgrade CE to v13.5.2 - gitaly: upgrade v13.5.2 -**13.5.1** +## 13.5.1 + - gitlab: upgrade CE to v13.5.1 - gitaly: upgrade v13.5.1 - gitlab-shell: upgrade to v13.11.0 - gitlab-pages: upgrade to v1.28.0 - gitlab-workhorse: upgrade to v8.51.0 -**13.4.4** +## 13.4.4 + - gitlab: upgrade CE to v13.4.4 - gitaly: upgrade to v13.4.4 -**13.4.3** +## 13.4.3 + - gitlab: upgrade CE to v13.4.3 - gitaly: upgrade to v13.4.3 -**13.4.2** +## 13.4.2 + - gitlab: upgrade CE to v13.4.2 - gitaly: upgrade to v13.4.2 - gitlab-pages: upgrade to 1.25.0 
@@ -34,87 +1555,109 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - gitlab-shell: uprade to 13.7.0 - ubuntu: upgrade to bionic-20200921 -**13.3.4** +## 13.3.4 + - gitlab: upgrade CE to v13.3.4 - gitaly: upgrade to v13.3.4 -**13.3.1** +## 13.3.1 + - gitlab: upgrade CE to v13.3.1 - gitaly: upgrade to v13.3.1 -**13.3.0** +## 13.3.0 + - gitlab: upgrade CE to v13.3.0 - gitaly: upgrade to v13.3.0 - gitlab-pages: upgrade to v1.22.0 - gitlab-shell: upgrade to v13.6.0 - gitlab-workhorse: upgrade to v8.39.0 -**13.2.6** +## 13.2.6 + - gitlab: upgrade CE to v13.2.6 -**13.2.4** +## 13.2.4 + - gitlab: upgrade CE to v13.2.4 - ubuntu: upgrade to bionic-20200713 -**13.2.3** +## 13.2.3 + - gitlab: upgrade CE to v13.2.3 - golang: upgrade to 1.14.7 - gitaly: upgrade to 13.2.3 - postgresql: add btree_gist extension -**13.2.2** +## 13.2.2 + - gitlab: upgrade CE to v13.2.2 -**13.2.1** +## 13.2.1 + - gitlab: upgrade CE to v13.2.1 -**13.0.7** +## 13.0.7 + - gitlab: upgrade CE to v13.0.7 -**13.0.6** +## 13.0.6 + - gitlab: upgrade CE to v13.0.6 -**13.0.5** +## 13.0.5 + - gitlab: upgrade CE to v13.0.5 -**13.0.3** +## 13.0.3 + - gitlab: upgrade CE to v13.0.3 -**13.0.2** +## 13.0.2 + - gitlab: upgrade CE to v13.0.2 -**13.0.1** +## 13.0.1 + - gitlab: upgrade CE to v13.0.1 -**13.0.0** +## 13.0.0 + - gitlab: upgrade CE to v13.0.0 -**12.10.6** +## 12.10.6 + - gitlab: upgrade CE to v12.10.6 -**12.10.4** +## 12.10.4 + - updated to ubuntu:bionic-20200403 - gitlab-workhorse: update to 8.30.1 - sync: upstream configs - gitlab: upgrade to 12.10.4 -**12.9.5** +## 12.9.5 + - gitlab: updated to 12.9.5 - gitlab-shell: updated to 12.2.0 - gitaly: updated to 12.10.0 -**12.9.4** +## 12.9.4 + - gitlab: upgrade CE to v12.9.4 - Update gitlab-workhorse to 8.25.2 - Update golang to 1.13.10 -**12.9.2** +## 12.9.2 + - gitlab: upgrade CE to v12.9.2 -**12.9.1** +## 12.9.1 + - gitlab: upgrade CE to v12.9.1 -**12.9.0** +## 12.9.0 + - gitlab: upgrade CE to v12.9.0 - replaced unicorn 
with puma - Removed `UNICORN_WORKERS` @@ -124,61 +1667,74 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - Added `PUMA_WORKERS` - Added `PUMA_TIMEOUT` -**12.8.8** +## 12.8.8 + - gitlab: upgrade CE to v12.8.8 -**12.8.7** +## 12.8.7 + - gitlab: upgrade CE to v12.8.7 -**12.8.6** +## 12.8.6 + - gitlab: upgrade CE to v12.8.6 -**12.8.5** +## 12.8.5 + - gitlab: upgrade CE to v12.8.5 -**12.8.4** +## 12.8.4 + - gitlab: upgrade CE to v12.8.4 -**12.8.3** +## 12.8.3 + - gitlab: upgrade CE to v12.8.3 -**12.8.2** +## 12.8.2 + - gitlab: upgrade CE to v12.8.2 -**12.8.1** +## 12.8.1 + - gitlab: upgrade CE to v12.8.1 -**12.8.0** +## 12.8.0 + - gitlab: upgrade CE to v12.8.0 - fix: ArgumentError: 'import/{{oauth2_generic_name}}' is not supported [#2101](https://github.com/sameersbn/docker-gitlab/issues/2101) -**12.7.8** +## 12.7.8 + - Upgrade GitLab CE to 12.7.8 -**12.7.7** +## 12.7.7 + - Upgrade GitLab CE to 12.7.7 - Add Generic OAuth Provider PR#2070 -**12.7.7** -- Upgrade GitLab CE to 12.7.7 +## 12.7.6 -**12.7.6** - gitlab: upgrade CE to v12.7.6 -**12.7.5** +## 12.7.5 + - gitlab: upgrade CE to v12.7.5 -**12.7.4** +## 12.7.4 + - Upgrade GitLab CE to 12.7.4 - Update golang to 1.13.7 - Update gitlab-pages to 1.15.0 - Update gitlab-workhorse to 8.20.0 - Update gitaly to 1.85.0 -**12.7.2** +## 12.7.2 + - Upgrade GitLab CE to 12.7.2 -**12.7.0** +## 12.7.0 + - Update gitlab-shell to 11.0.0 - Upgrade GitLab CE to 12.7.0 - Update golang to 1.13.6 
@@ -186,124 +1742,163 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - Update gitlab-pages to 1.14.0 - Update gitlab-workhorse to 8.19.0 -**12.6.4** +## 12.6.4 + - gitlab: upgrade CE to v12.6.4 -**12.6.3** +## 12.6.3 + - gitlab: upgrade CE to v12.6.3 -**12.6.2** +## 12.6.2 + - gitlab: upgrade CE to v12.6.2 -**12.6.1** +## 12.6.1 + - gitlab: upgrade CE to v12.6.1 -**12.6.0** +## 12.6.0 + - gitlab: upgrade CE to v12.6.0 -**12.5.7** +## 12.5.7 + - gitlab: upgrade CE to v12.5.7 -**12.5.6** +## 12.5.6 + - gitlab: upgrade CE to v12.5.6 -**12.5.5** +## 12.5.5 + - gitlab: upgrade CE to v12.5.5 -**12.5.4** +## 12.5.4 + - gitlab: upgrade CE to v12.5.4 - Update golang to 1.12.14 -**12.5.3** +## 12.5.3 + - gitlab: upgrade CE to v12.5.3 -**12.5.2** +## 12.5.2 + - gitlab: upgrade CE to v12.5.2 -**12.5.1** +## 12.5.1 + - gitlab: upgrade CE to v12.5.1 -**12.5.0** +## 12.5.0 + - gitlab: upgrade CE to v12.5.0 -**12.4.3** +## 12.4.3 + - gitlab: upgrade CE to v12.4.3 -**12.4.2** +## 12.4.2 + - gitlab: upgrade CE to v12.4.2 -**12.4.1** +## 12.4.1 + - gitlab: upgrade CE to v12.4.1 -**12.4.0** +## 12.4.0 + - gitlab: upgrade CE to v12.4.0 -**12.3.5** +## 12.3.5 + - gitlab: upgrade CE to v12.3.5 -**12.3.4** +## 12.3.4 + - gitlab: upgrade CE to v12.3.4 -**12.3.3** +## 12.3.3 + - gitlab: upgrade CE to v12.3.3 -**12.3.2** +## 12.3.2 + - gitlab: upgrade CE to v12.3.2 -**12.3.1** +## 12.3.1 + - gitlab: upgrade CE to v12.3.1 -**12.3.0** +## 12.3.0 + - gitlab: upgrade CE to v12.3.0 -**12.2.5** +## 12.2.5 + - gitlab: upgrade CE to v12.2.5 -**12.2.4** +## 12.2.4 + - gitlab: upgrade CE to v12.2.4 -**12.2.3** +## 12.2.3 + - gitlab: upgrade CE to v12.2.3 -**12.2.1** +## 12.2.1 + - gitlab: upgrade CE to v12.2.1 -**12.2.0** +## 12.2.0 + - gitlab: upgrade CE to v12.2.0 - upgrade base image to ubuntu:bionic -**12.1.6** +## 12.1.6 + - gitlab: upgrade CE to v12.1.6 -**12.1.4** +## 12.1.4 + - gitlab: upgrade CE to v12.1.4 -**12.1.3** +## 12.1.3 + - gitlab: upgrade CE to 
v12.1.3 -**12.1.2** +## 12.1.2 + - gitlab: upgrade CE to v12.1.2 -**12.1.1** +## 12.1.1 + - gitlab: upgrade CE to v12.1.1 -**12.1.0** +## 12.1.0 + - gitlab: upgrade CE to v12.1.0 - Removed MySQL related information and packages. GitLab v12.1.X or greater requires only PostgreSQL. Do an Migration before upgrading to v12.1.X. For more Information have a look at the [Migration Guide](https://docs.gitlab.com/ce/update/mysql_to_postgresql.html) -**12.0.4** +## 12.0.4 + - gitlab: upgrade CE to v12.0.4 -**12.0.3** +## 12.0.3 + - gitlab: upgrade CE to v12.0.3 -**12.0.2** +## 12.0.2 + - gitlab: upgrade CE to v12.0.2 -**12.0.1** +## 12.0.1 + - gitlab: upgrade CE to v12.0.1 -**12.0.0** +## 12.0.0 + - gitlab: upgrade CE to v12.0.0 - Update gitaly to 1.47.0 - Update gitlab-shell to 9.3.0 
@@ -311,106 +1906,135 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - ruby: update to 2.6 - python: update to 3 -**11.11.3** +## 11.11.3 + - gitlab: upgrade CE to v11.11.3 - Update gitaly to 1.42.4 - Update golang to 1.12.6 -**11.11.2** +## 11.11.2 + - gitlab: upgrade CE to v11.11.2 - Update gitaly to 1.42.3 -**11.11.1** +## 11.11.1 + - gitlab: upgrade CE to v11.11.1 - Update gitaly to 1.42.2 -**11.11.0** +## 11.11.0 + - gitlab: upgrade CE to v11.11.0 - Update gitaly to 1.42.0 - Update gitlab-shell to 9.1.0 - Update gitlab-workhorse to 8.7.0 -**11.10.4** +## 11.10.4 + - gitlab: upgrade CE to v11.10.4 -**11.10.3** +## 11.10.3 + - gitlab: upgrade CE to v11.10.3 -**11.10.2** +## 11.10.2 + - gitlab: upgrade CE to v11.10.2 -**11.10.1** +## 11.10.1 + - gitlab: upgrade CE to v11.10.1 -**11.10.0** +## 11.10.0 + - gitlab: upgrade CE to v11.10.0 -**11.9.8** +## 11.9.8 + - gitlab: upgrade CE to v11.9.8 -**11.9.7** +## 11.9.7 + - gitlab: upgrade CE to v11.9.7 -**11.9.6** +## 11.9.6 + - gitlab: upgrade CE to v11.9.6 -**11.9.5** +## 11.9.5 + - gitlab: upgrade CE to v11.9.5 -**11.9.4** +## 11.9.4 + - gitlab: upgrade CE to v11.9.4 - Update gitlab-workhorse to 8.3.3 -**11.9.1** +## 11.9.1 + - gitlab: upgrade CE to v11.9.1 - Update gitaly to 1.27.1 -**11.9.0** +## 11.9.0 + - gitlab: upgrade CE to v11.9.0 -**11.8.3** +## 11.8.3 + - gitlab: upgrade CE to v11.8.3 -**11.8.2** +## 11.8.2 + - gitlab: upgrade CE to v11.8.2 -**11.8.1** +## 11.8.1 + - gitlab: upgrade CE to v11.8.1 -**11.8.0** +## 11.8.0 + - gitlab: upgrade CE to v11.8.0 - Update gitlab-workhorse to 8.3.1 - Update gitaly to 1.20.0 - Update gitlab-pages to 1.5.0 -**11.7.5** +## 11.7.5 + - gitlab: upgrade CE to v11.7.5 -**11.7.4** +## 11.7.4 + - gitlab: upgrade CE to v11.7.4 -**11.7.3** +## 11.7.3 + - gitlab: upgrade CE to v11.7.3 - Update gitlab-workhorse to 8.1.1 - Update gitaly to 1.13.0 - Update gitlab-pages to 1.4.0 -**11.7.0** +## 11.7.0 + - gitlab: upgrade CE to v11.7.0 -**11.6.5** 
+## 11.6.5 + - gitlab: upgrade CE to v11.6.5 -**11.6.4** +## 11.6.4 + - gitlab: upgrade CE to v11.6.4 -**11.6.3** +## 11.6.3 + - gitlab: upgrade CE to v11.6.3 -**11.6.2** +## 11.6.2 + - gitlab: upgrade CE to v11.6.2 -**11.6.1** +## 11.6.1 + - gitlab: upgrade CE to v11.6.1 - Added `GITLAB_IMPERSONATION_ENABLED` - Added `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME` @@ -420,7 +2044,8 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - Added `GITLAB_PAGES_ACCESS_SECRET` - Added `GITLAB_PAGES_ACCESS_REDIRECT_URI` -**11.6.0** +## 11.6.0 + - gitlab: upgrade CE to v11.6.0 - Update gitaly to 1.7.1 - Update gitlab-shell to 8.4.3 
@@ -435,158 +2060,204 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - Added `GITLAB_BACKUP_DIR_GROUP` - Added `GITLAB_PAGES_NGINX_PROXY` -**11.5.5** +## 11.5.5 + - gitlab: upgrade CE to v11.5.5 -**11.5.4** +## 11.5.4 + - gitlab: upgrade CE to v11.5.4 -**11.5.3** +## 11.5.3 + - gitlab: upgrade CE to v11.5.3 -**11.5.2** +## 11.5.2 + - gitlab: upgrade CE to v11.5.2 -**11.5.1-1** +## 11.5.1-1 + - Fixed GitLab Dependencies -**11.5.1** +## 11.5.1 + - gitlab: upgrade CE to v11.5.1 -**11.5.0** +## 11.5.0 + - gitlab: upgrade CE to v11.5.0 -**11.4.7** +## 11.4.7 + - gitlab: upgrade CE to v11.4.7 -**11.4.6** +## 11.4.6 + - gitlab: upgrade CE to v11.4.6 -**11.4.5** +## 11.4.5 + - gitlab: upgrade CE to v11.4.5 -**11.4.4** +## 11.4.4 + - gitlab: upgrade CE to v11.4.4 - golang: update to 1.10.4 -**11.4.3** +## 11.4.3 + - gitlab: upgrade CE to v11.4.3 -**11.4.2** +## 11.4.2 + - gitlab: upgrade CE to v11.4.2 -**11.4.1** +## 11.4.1 + - gitlab: upgrade CE to v11.4.1 - Add docs how to reuse ssh port [#1731](https://github.com/sameersbn/docker-gitlab/pull/1731) -**11.4.0** +## 11.4.0 + - gitlab: upgrade CE to v11.4.0 - baseimage: upgrade to xenial-20181005 -**11.3.6** +## 11.3.6 + - gitlab: upgrade CE to v11.3.6 -**11.3.5** +## 11.3.5 + - gitlab: upgrade CE to v11.3.5 -**11.3.4** +## 11.3.4 + - gitlab: upgrade CE to v11.3.4 -**11.3.3** +## 11.3.3 + - gitlab: upgrade CE to v11.3.3 -**11.3.2** +## 11.3.2 + - gitlab: upgrade CE to v11.3.2 -**11.3.1** +## 11.3.1 + - gitlab: upgrade CE to v11.3.1 -**11.3.0** +## 11.3.0 + - gitlab: upgrade CE to v11.3.0 - Fix backup config stripping for when AWS & GCS backups are disabled [#1725](https://github.com/sameersbn/docker-gitlab/pull/1725) - Correct Backup Date format for selective backups [#1699](https://github.com/sameersbn/docker-gitlab/pull/1699) - Fix gitlay-ssh symlink to enable rebase/squash in forks -**11.2.3** +## 11.2.3 + - gitlab: upgrade CE to v11.2.3 -**11.2.2** +## 11.2.2 + - gitlab: upgrade CE to 
v11.2.2 -**11.2.1** +## 11.2.1 + - gitlab: upgrade CE to v11.2.1 -**11.2.0** +## 11.2.0 + - gitlab: upgrade CE to v11.2.0 - ADD `GITLAB_DEFAULT_THEME` -**11.1.4** +## 11.1.4 + - gitlab: upgrade CE to v11.1.4 -**11.1.3** +## 11.1.3 + - gitlab: upgrade CE to v11.1.3 - Upgrade redis to 4.0.9-1 -**11.1.2** +## 11.1.2 + - gitlab: upgrade CE to v11.1.2 -**11.1.1** +## 11.1.1 + - gitlab: upgrade CE to v11.1.1 -**11.1.0** +## 11.1.0 + - gitlab: upgrade CE to v11.1.0 -**11.0.4** +## 11.0.4 + - gitlab: upgrade CE to v11.0.4 -**11.0.3** +## 11.0.3 + - gitlab: upgrade CE to v11.0.3 - ruby: update to 2.4 -**11.0.2** +## 11.0.2 + - gitlab: upgrade CE to v11.0.2 -**11.0.1** +## 11.0.1 + - gitlab: upgrade CE to v11.0.1 -**11.0.0** +## 11.0.0 + - gitlab: upgrade CE to v11.0.0 -**10.8.4** +## 10.8.4 + - gitlab: upgrade CE to v10.8.4 -**10.8.3-1** +## 10.8.3-1 + - Fix boot loops that were introduced during [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621) and will be fixed with [#1628](https://github.com/sameersbn/docker-gitlab/pull/1628) +## 10.8.3 -**10.8.3** - gitlab: upgrade CE to v10.8.3 - Fix potential boot problems on clean setups [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621) -**10.8.2** +## 10.8.2 + - gitlab: upgrade CE to v10.8.2 -**10.8.1** +## 10.8.1 + - gitlab: upgrade CE to v10.8.1 -**10.8.0** +## 10.8.0 + - gitlab: upgrade CE to v10.8.0 - Add support for swarm mode with docker-configs and docker secrets ([#1540](https://github.com/sameersbn/docker-gitlab/pull/1540)) -**10.7.4** +## 10.7.4 + - gitlab: upgrade CE to v10.7.4 - FIX `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` -**10.7.3** +## 10.7.3 + - gitlab: upgrade CE to v10.7.3 -**10.7.2** +## 10.7.2 + - gitlab: upgrade CE to v10.7.2 -**10.7.1** +## 10.7.1 + - gitlab: upgrade CE to v10.7.1 -**10.7.0** +## 10.7.0 + - gitlab: upgrade CE to v10.7.0 - ADD `GITLAB_SIDEKIQ_LOG_FORMAT` - ADD `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED` 
@@ -627,90 +2298,115 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` - ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` -**10.6.4** +## 10.6.4 + - gitlab: upgrade CE to v10.6.4 -**10.6.3** +## 10.6.3 + - gitlab: upgrade CE to v10.6.3 -**10.6.2** +## 10.6.2 + - gitlab: upgrade CE to v10.6.2 - golang: update to 1.9.5 -**10.6.1** +## 10.6.1 + - gitlab: upgrade CE to v10.6.1 -**10.6.0** +## 10.6.0 + - gitlab: upgrade CE to v10.6.0 -**10.5.6** +## 10.5.6 + - gitlab: security upgrade CE to v10.5.6 -**10.5.5** +## 10.5.5 + - gitlab: upgrade CE to v10.5.5 -**10.5.4** +## 10.5.4 + - gitlab: upgrade CE to v10.5.4 -**10.5.3** +## 10.5.3 + - gitlab: upgrade CE to v10.5.3 -**10.5.2** +## 10.5.2 + - gitlab: upgrade CE to v10.5.2 - Fix `GITLAB_UPLOADS_STORAGE_PATH` -**10.5.1** +## 10.5.1 + - gitlab: upgrade CE to v10.5.1 -**10.5.0** +## 10.5.0 + - gitlab: upgrade CE to v10.5.0 - Add `GITLAB_UPLOADS_STORAGE_PATH` - Add `GITLAB_UPLOADS_BASE_DIR` - Add `LDAP_LOWERCASE_USERNAMES` -**10.4.4** +## 10.4.4 + - gitlab: upgrade CE to v10.4.4 -**10.4.3** +## 10.4.3 + - gitlab: upgrade CE to v10.4.3 -**10.4.2-1** -- FIXED SSH Host Key generation through droping the support for rsa1 +## 10.4.2-1 + +- FIXED SSH Host Key generation through dropping the support for rsa1 + +## 10.4.2 -**10.4.2** - gitlab: upgrade CE to v10.4.2 -**10.4.1** +## 10.4.1 + - gitlab: upgrade CE to v10.4.1 -**10.4.0** +## 10.4.0 + - gitlab: upgrade CE to v10.4.0 - docker: upgrade to ubuntu xenial as baseimage - golang: update to 1.9.3 -**10.3.6** +## 10.3.6 + - gitlab: upgrade CE to v10.3.6 -**10.3.5** +## 10.3.5 + - gitlab: upgrade CE to v10.3.5 -**10.3.4** +## 10.3.4 + - gitlab: upgrade CE to v10.3.4 -**10.3.3** +## 10.3.3 + - gitlab: upgrade CE to v10.3.3 - ADDED `AWS_BACKUP_ENCRYPTION` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/) - ADDED `AWS_BACKUP_STORAGE_CLASS` 
[1449](https://github.com/sameersbn/docker-gitlab/pull/1449/) - FIXED `AWS_BACKUP_MULTIPART_CHUNK_SIZE` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/) - Apply PaX mark to ruby [1458](https://github.com/sameersbn/docker-gitlab/pull/1458) -**10.3.2** +## 10.3.2 + - gitlab: upgrade CE to v10.3.2 -**10.3.1** +## 10.3.1 + - gitlab: upgrade CE to v10.3.1 -**10.3.0** +## 10.3.0 + - gitlab: upgrade CE to v10.3.0 - REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_COUNT_THRESHOLD` - REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_WAIT_TIME` 
@@ -719,130 +2415,170 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - REMOVED `GITLAB_MAX_OBJECT_SIZE` - REMOVED `GITLAB_TIMEOUT` -**10.2.5** +## 10.2.5 + - gitlab: upgrade CE to v10.2.5 -**10.2.4** +## 10.2.4 + - gitlab: upgrade to CE v10.2.4 -**10.2.3** +## 10.2.3 + - gitlab: upgrade to CE v10.2.3 -**10.2.2** +## 10.2.2 + - gitlab: upgrade to CE v10.2.2 -**10.2.1** +## 10.2.1 + - gitlab: upgrade to CE v10.2.1 -**10.2.0** +## 10.2.0 + - gitlab: upgrade to CE v10.2.0 -**10.1.4** +## 10.1.4 + - gitlab: upgrade to CE v10.1.4 -**10.1.3** +## 10.1.3 + - gitlab: upgrade to CE v10.1.3 -**10.1.2** +## 10.1.2 + - gitlab: upgrade to CE v10.1.2 -**10.1.1** +## 10.1.1 + - gitlab: upgrade to CE v10.1.1 -**10.1.0** +## 10.1.0 + - gitlab: upgrade to CE v10.1.0 - REMOVED `GITALY_ENABLED`` - ADDED `GITALY_ARTIFACTS_SERVER` - ADDED `GITALY_CLIENT_PATH` -**10.0.4** +## 10.0.4 + - gitlab: upgrade to CE v10.0.4 -**10.0.3** +## 10.0.3 + - gitlab: upgrade to CE v10.0.3 -**10.0.2** +## 10.0.2 + - gitlab: upgrade to CE v10.0.2 -**10.0.1** +## 10.0.1 + - gitlab: upgrade to CE v10.0.1 -**10.0.0** +## 10.0.0 + - gitlab: upgrade to CE v10.0.0 -**9.5.5** +## 9.5.5 + - gitlab: upgrade to CE v9.5.5 -**9.5.4** +## 9.5.4 + - gitlab: upgrade to CE v9.5.4 -**9.5.3** +## 9.5.3 + - gitlab: upgrade to CE v9.5.3 -**9.5.2** +## 9.5.2 + - gitlab: upgrade to CE v9.5.2 -**9.5.1** +## 9.5.1 + - gitlab: upgrade to CE v9.5.1 -**9.5.0** +## 9.5.0 + - gitlab: upgrade to CE v9.5.0 -**9.4.5** +## 9.4.5 + - gitlab: upgrade to CE v9.4.5 -**9.4.4** +## 9.4.4 + - gitlab: upgrade to CE v9.4.4 -**9.4.3** +## 9.4.3 + - gitlab: upgrade to CE v9.4.3 -**9.4.2** +## 9.4.2 + - gitlab: upgrade to CE v9.4.2 -**9.4.1** +## 9.4.1 + - gitlab: upgrade to CE v9.4.1 -**9.4.0-1** +## 9.4.0-1 + - Fix asset compiling for missing translations -**9.4.0** +## 9.4.0 + - gitlab: upgrade to CE v9.4.0 - Added support for nginx_real_ip module ([#1137](https://github.com/sameersbn/docker-gitlab/pull/1137)) 
-- Added more security for regenarting certs ([#1288](https://github.com/sameersbn/docker-gitlab/pull/1288)) +- Added more security for regenerating certs ([#1288](https://github.com/sameersbn/docker-gitlab/pull/1288)) + +## 9.3.9 -**9.3.9** - gitlab: upgrade to CE v9.3.9 -**9.3.8** +## 9.3.8 + - gitlab: upgrade to CE v9.3.8 - Added RE2 library to build dependencies ([issue 35342](https://gitlab.com/gitlab-org/gitlab-foss/issues/35342)) -**9.3.7** +## 9.3.7 + - gitlab: upgrade to CE v9.3.7 -**9.3.6** +## 9.3.6 + - gitlab: upgrade to CE v9.3.6 -**9.3.5** +## 9.3.5 + - gitlab: upgrade to CE v9.3.5 -**9.3.4** +## 9.3.4 + - gitlab: upgrade to CE v9.3.4 -**9.3.3** +## 9.3.3 + - gitlab: upgrade to CE v9.3.3 -**9.3.2** +## 9.3.2 + - gitlab: upgrade to CE v9.3.2 -**9.3.1** +## 9.3.1 + - gitlab: upgrade to CE v9.3.1 -**9.3.0-1** +## 9.3.0-1 + - Add the missing Gitaly config to let git commands over http/https working -**9.3.0** +## 9.3.0 + - gitlab: upgrade to CE v9.3.0 - update baseimage to `14.04.20170608` - Add `DB_COLLATION` (For MySQL related doesn't recognize by postgres) 
@@ -851,85 +2587,109 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - Add `GITALY_SOCKET_PATH` - Add `GITALY_ADDRESS` -**9.2.7** +## 9.2.7 + - gitlab: upgrade to CE v9.2.7 -**9.2.6** +## 9.2.6 + - gitlab: upgrade to CE v9.2.6 -**9.2.5** +## 9.2.5 + - gitlab: upgrade to CE v9.2.5 -**9.2.2** +## 9.2.2 + - gitlab: upgrade to CE v9.2.2 -**9.2.1** +## 9.2.1 + - gitlab: upgrade to CE v9.2.1 -**9.2.0** -- gilab: upgrade to CE v9.2.0 +## 9.2.0 + +- gitlab: upgrade to CE v9.2.0 - Add flexibility to use versions committed into gitlab-ce -**9.1.4** +## 9.1.4 + - gitlab: upgrade to CE v9.1.4 -**9.1.3** +## 9.1.3 + - gitlab: upgrade to CE v9.1.3 -**9.1.2** +## 9.1.2 + - gitlab: upgrade to CE v9.1.2 - update baseimage to `14.04.20170503` -**9.1.1** +## 9.1.1 + - gitlab: upgrade to CE v9.1.1 -**9.1.0-1** +## 9.1.0-1 + - Fix gitlab-workhorse version display -**9.1.0** +## 9.1.0 + - gitlab: upgrade to CE v9.1.0 - gitlab-shell: upgrade to 5.0.2 - gitlab-workhorse: upgrade to 1.4.3 -**9.0.6** +## 9.0.6 + - gitlab: upgrade to CE v9.0.6 -**9.0.5** +## 9.0.5 + - gitlab: upgrade to CE v9.0.5 -**9.0.4** +## 9.0.4 + - gitlab: upgrade to CE v9.0.4 -**9.0.3** +## 9.0.3 + - gitlab: upgrade to CE v9.0.3 -**9.0.2** +## 9.0.2 + - gitlab: upgrade to CE v9.0.2 -**9.0.1** +## 9.0.1 + - gitlab: upgrade to CE v9.0.1 - gitlab-workhorse 1.4.2 -**9.0.0** +## 9.0.0 + - gitlab: upgrade to CE v9.0.0 - gitlab-shell 5.0.0 - gitlab-workhorse 1.4.1 - gitlab-pages 0.4.0 -**8.17.4** +## 8.17.4 + - gitlab: upgrade to CE v8.17.4 -**8.17.3** +## 8.17.3 + - gitlab: upgrade to CE v8.17.3 -**8.17.2** +## 8.17.2 + - gitlab: upgrade to CE v8.17.2 -**8.17.1** +## 8.17.1 + - gitlab: upgrade to CE v8.17.1 - fixes first problems with gitlab-pages -**8.17.0** +## 8.17.0 + - gitlab: upgrade to CE v8.17.0 - added `GITLAB_PAGES_ENABLED` - added `GITLAB_PAGES_DOMAIN` 
@@ -940,44 +2700,56 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - added `GITLAB_PAGES_EXTERNAL_HTTPS` - added `SSL_PAGES_KEY_PATH` - added `SSL_PAGES_CERT_PATH` -- added nodejs 7.x as core dependencie +- added nodejs 7.x as core dependencies - added gitlab-pages daemon -**8.16.6** +## 8.16.6 + - gitlab: upgrade to CE v8.16.6 - Fix logical bug of Remote Backup -**8.16.5** +## 8.16.5 + - gitlab: upgrade to CE v8.16.5 -**8.16.4** +## 8.16.4 + - gitlab: upgrade to CE v8.16.4 -**8.16.3** +## 8.16.3 + - gitlab: upgrade to CE v8.16.3 -**8.16.2** +## 8.16.2 + - gitlab: upgrade to CE v8.16.2 -**8.16.1** +## 8.16.1 + - gitlab: upgrade to CE v8.16.1 -**8.16.0** +## 8.16.0 + - gitlab: upgrade to CE v8.16.0 -**8.15.4** +## 8.15.4 + - gitlab: upgrade to CE v8.15.4 -**8.15.3** +## 8.15.3 + - gitlab: upgrade to CE v8.15.3 -**8.15.2** +## 8.15.2 + - gitlab: upgrade to CE v8.15.2 -**8.15.1** +## 8.15.1 + - gitlab: upgrade to CE v8.15.1 -**8.15.0** +## 8.15.0 + - gitlab: upgrade to CE v8.15.0 - added `GITLAB_MATTERMOST_ENABLED` - added `GITLAB_MATTERMOST_URL` 
@@ -986,268 +2758,343 @@ https://gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list - added `OAUTH_AUTHENTIQ_SCOPE` - added `OAUTH_AUTHENTIQ_REDIRECT_URI` -**8.14.5** +## 8.14.5 + - gitlab: upgrade to CE v8.14.5 -**8.14.4** +## 8.14.4 + - gitlab: upgrade to CE v8.14.4 -**8.14.3** +## 8.14.3 + - gitlab: upgrade to CE v8.14.3 -**8.14.2** +## 8.14.2 + - gitlab: upgrade to CE v8.14.2 -**8.14.1** +## 8.14.1 + - gitlab: upgrade to CE v8.14.1 -**8.14.0** +## 8.14.0 + - gitlab: upgrade to CE v8.14.0 - added `IMAP_TIMEOUT` - update golang to 1.6.3 -**8.13.6** +## 8.13.6 + - gitlab: upgrade to CE v8.13.6 -**8.13.5** +## 8.13.5 + - gitlab: upgrade to CE v8.13.5 -**Important**: -We skipped `8.13.4` because it doesn't contain any changes. For more -information [8.13.4 release](https://about.gitlab.com/2016/11/09/gitlab-8-dot-13-dot-5-released/) +## 8.13.4 -**8.12.1** +**Important:** We skipped `8.13.4` because it doesn't contain any changes. For more information [8.13.4 release](https://about.gitlab.com/2016/11/09/gitlab-8-dot-13-dot-5-released/). + +## 8.13.3 -**8.13.3** - gitlab: upgrade to CE v8.13.3 -**8.13.2** +## 8.13.2 + - gitlab: upgrade to CE v8.13.2 -**8.13.1** +## 8.13.1 + - gitlab: upgrade to CE v8.13.1 -**8.13.0** +## 8.13.0 + - gitlab: upgrade to CE v8.13.0 - added `GITLAB_EMAIL_SUBJECT_SUFFIX` -**8.12.7** +## 8.12.7 + - gitlab: upgrade to CE v8.12.7 -**8.12.6** +## 8.12.6 + - gitlab: upgrade to CE v8.12.6 -**8.12.5** +## 8.12.5 + - gitlab: upgrade to CE v8.12.5 -**8.12.4** +## 8.12.4 + - gitlab: upgrade to CE v8.12.4 -**8.12.3** +## 8.12.3 + - gitlab: upgrade to CE v8.12.3 -**Important**: -We skipped `8.12.2` because it doesn't contain any changes. For more -information [8.12.3 release](https://about.gitlab.com/2016/09/29/gitlab-8-12-3-released/) +## 8.12.2 + +**Important:** We skipped `8.12.2` because it doesn't contain any changes. For more information [8.12.3 release](https://about.gitlab.com/2016/09/29/gitlab-8-12-3-released/). 
+ +## 8.12.1 -**8.12.1** - gitlab: upgrade to CE v8.12.1 -**8.12.0** +## 8.12.0 + - gitlab: upgrade to CE v8.12.0 -**8.11.7** +## 8.11.7 + - gitlab: upgrade to CE v8.11.7 -**8.11.6** +## 8.11.6 + - gitlab: upgrade to CE v8.11.6 -**8.11.5** +## 8.11.5 + - gitlab: upgrade to CE v8.11.5 -**8.11.4** +## 8.11.4 + - gitlab: upgrade to CE v8.11.4 -**8.11.3** +## 8.11.3 + - gitlab: upgrade to CE v8.11.3 -**8.11.2** +## 8.11.2 + - gitlab: upgrade to CE v8.11.2 -**8.11.0** +## 8.11.0 + - gitlab: upgrade to CE v8.11.0 - added `GITLAB_SECRETS_SECRET_KEY_BASE` - added `GITLAB_SECRETS_OTP_KEY_BASE` -**Important** +## Important + When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/.secret` for `GITLAB_SECRETS_OTP_KEY_BASE` otherwise it will break your 2FA . -**8.10.7** +## 8.10.7 + - gitlab: upgrade to CE v8.10.7 -**8.10.6** +## 8.10.6 + - gitlab: upgrade to CE v8.10.6 -**8.10.5** +## 8.10.5 + - gitlab: upgrade to CE v8.10.5 -**8.10.4** +## 8.10.4 + - gitlab: upgrade to CE v8.10.4 -**8.10.3** +## 8.10.3 + - gitlab: upgrade to CE v8.10.3 -**8.10.2-1** +## 8.10.2-1 + - Fix `OAUTH_GOOGLE_RESTRICT_DOMAIN` -**8.10.2** +## 8.10.2 + - gitlab: upgrade to CE v8.10.2 - Improve `OAUTH_GOOGLE_RESTRICT_DOMAIN` for multiple restricted domains -**8.10.1** +## 8.10.1 + - gitlab: upgrade to CE v8.10.1 -**8.10.0** +## 8.10.0 + - gitlab: upgrade to CE v8.10.0 -**8.9.6** +## 8.9.6 + - gitlab: upgrade to CE v8.9.6 -**8.9.5** +## 8.9.5 + - gitlab: upgrade to CE v8.9.5 -**8.9.4** +## 8.9.4 + - gitlab: upgrade to CE v8.9.4 -**8.9.3** +## 8.9.3 + - gitlab: upgrade to CE v8.9.3 -**8.9.2** +## 8.9.2 + - gitlab: upgrade to CE v8.9.2 -**8.9.1** +## 8.9.1 + - gitlab: upgrade to CE v8.9.1 -**8.9.0** +## 8.9.0 + - gitlab: upgrade to CE v8.9.0 -**8.8.5-1** +## 8.8.5-1 + - added GitLab Container Registry support - added `SSL_CIPHERS` option to change ciphers of the nginx -**8.8.5** +## 8.8.5 + - gitlab: upgrade to CE v8.8.5 -**8.8.4** +## 8.8.4 + - gitlab: upgrade to CE v8.8.4 - added 
`GITLAB_PROJECTS_LIMIT` configuration option -**8.8.3** +## 8.8.3 + - gitlab: upgrade to CE v8.8.3 -**8.8.2** +## 8.8.2 + - gitlab: upgrade to CE v8.8.2 -**8.8.1** +## 8.8.1 + - gitlab: upgrade to CE v8.8.1 -**8.8.0** +## 8.8.0 + - gitlab: upgrade to CE v8.8.0 - oauth: exposed `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` options for users for GitHub Enterprise. -**8.7.6** +## 8.7.6 + - gitlab: upgrade to CE v8.7.6 -**8.7.5** +## 8.7.5 + - gitlab: upgrade to CE v8.7.5 -**8.7.3** +## 8.7.3 + - gitlab: upgrade to CE v8.7.3 -**8.7.2** +## 8.7.2 + - gitlab: upgrade to CE v8.7.2 -**8.7.1** +## 8.7.1 + - gitlab: upgrade to CE v8.7.1 -**8.7.0** +## 8.7.0 + - gitlab-shell: upgrade to v.2.7.2 - gitlab: upgrade to CE v8.7.0 - SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers. - OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers. - Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter -**8.6.7** +## 8.6.7 + - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups - gitlab: upgrade to CE v8.6.7 -**8.6.6** +## 8.6.6 + - gitlab: upgrade to CE v8.6.6 -**8.6.5** +## 8.6.5 + - gitlab: upgrade to CE v8.6.5 -**8.6.4** +## 8.6.4 + - gitlab: upgrade to CE v8.6.4 -**8.6.3** +## 8.6.3 + - gitlab-shell: upgrade to v.2.6.12 - gitlab: upgrade to CE v8.6.3 -**8.6.2** +## 8.6.2 + - gitlab: upgrade to CE v8.6.2 -**8.6.1** +## 8.6.1 + - gitlab: upgrade to CE v8.6.1 -**8.6.0** +## 8.6.0 + - gitlab-shell: upgrade to v.2.6.11 - gitlab-workhorse: upgrade to v0.7.1 - gitlab: upgrade to CE v8.6.0 - exposed configuration parameters for auth0 OAUTH support - fixed relative_url support -**8.5.8** +## 8.5.8 + - gitlab: upgrade to CE v8.5.8 -**8.5.7** +## 8.5.7 + - gitlab: upgrade to CE v8.5.7 -**8.5.5** +## 8.5.5 + - gitlab: upgrade to CE v8.5.5 -**8.5.4** +## 8.5.4 + - gitlab: upgrade to CE v8.5.4 -**8.5.3** +## 8.5.3 + - gitlab: upgrade to CE v8.5.3 -**8.5.1** +## 8.5.1 + - gitlab: upgrade to CE v8.5.1 -**8.5.0** +## 8.5.0 + - 
gitlab-workhorse: upgrade to v0.6.4 - gitlab: upgrade to CE v8.5.0 - firstrun: expose `GITLAB_ROOT_EMAIL` configuration option - expose `OAUTH_AUTO_LINK_SAML_USER` configuration parameter -**8.4.4** +## 8.4.4 + - gitlab: upgrade to CE v8.4.4 -**8.4.3** +## 8.4.3 + - gitlab: upgrade to CE v8.4.3 -**8.4.2** +## 8.4.2 + - gitlab-workhorse: upgrade to v0.6.2 - gitlab: upgrade to CE v8.4.2 -**8.4.1** +## 8.4.1 + - gitlab: upgrade to CE v8.4.1 -**8.4.0-1** +## 8.4.0-1 + - `assets:precompile` moved back to build time -**8.4.0** +## 8.4.0 + - gitlab-shell: upgrade to v.2.6.10 - gitlab-workhorse: upgrade to v0.6.1 - gitlab: upgrade to CE v8.4.0 @@ -1255,21 +3102,26 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - oauth: expose azure oauth configuration options - `assets:precompile` executed at runtime -**8.3.4** +## 8.3.4 + - gitlab-workhorse: upgrade to v0.5.4 - gitlab: upgrade to CE v8.3.4 - expose `LDAP_TIMEOUT` configuration parameter -**8.3.2** +## 8.3.2 + - gitlab: upgrade to CE v8.3.2 -**8.3.1** +## 8.3.1 + - gitlab: upgrade to CE v8.3.1 -**8.3.0-1** +## 8.3.0-1 + - fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used. -**8.3.0** +## 8.3.0 + - `envsubst` is now used for updating the configurations - renamed config `CA_CERTIFICATES_PATH` to `SSL_CA_CERTIFICATES_PATH` - renamed config `GITLAB_HTTPS_HSTS_ENABLED` to `NGINX_HSTS_ENABLED` 
@@ -1281,28 +3133,33 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - removed `NGINX_MAX_UPLOAD_SIZE` configuration parameter - gitlab-shell: upgrade to v.2.6.9 -**8.2.3** +## 8.2.3 + - fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used. - added `GITLAB_BACKUP_PG_SCHEMA` configuration parameter - gitlab: upgrade to CE v8.2.3 -**8.2.2** +## 8.2.2 + - added `GITLAB_DOWNLOADS_DIR` configuration parameter - `DB_TYPE` parameter renamed to `DB_ADAPTER` with `mysql2` and `postgresql` as accepted values - exposed `DB_ENCODING` parameter - gitlab: upgrade to CE v8.2.2 -**8.2.1-1** +## 8.2.1-1 + - fixed typo while setting the value of `GITLAB_ARTIFACTS_DIR` -**8.2.1** +## 8.2.1 + - expose rack_attack configuration options - gitlab-shell: upgrade to v.2.6.8 - gitlab: upgrade to CE v8.2.1 - added `GITLAB_ARTIFACTS_ENABLED` configuration parameter - added `GITLAB_ARTIFACTS_DIR` configuration parameter -**8.2.0** +## 8.2.0 + - gitlab-shell: upgrade to v.2.6.7 - gitlab-workhorse: upgrade to v.0.4.2 - gitlab: upgrade to CE v8.2.0 
@@ -1311,54 +3168,68 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added `GITLAB_PROJECTS_BUILDS` configuration parameter - added `GITLAB_LFS_ENABLED` configuration parameter -**8.1.4** +## 8.1.4 + - gitlab: upgrade to CE v8.1.4 -**8.1.3** +## 8.1.3 + - proper long-term fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used - gitlab: upgrade to CE v8.1.3 - Expose Facebook OAUTH configuration parameters -**8.1.2** +## 8.1.2 + - gitlab: upgrade to CE v8.1.2 - removed `GITLAB_SATELLITES_TIMEOUT` configuration parameter -**8.1.0-2** +## 8.1.0-2 + - Recompile assets when `GITLAB_RELATIVE_URL_ROOT` is used Fixes #481 -**8.1.0-1** +## 8.1.0-1 + - temporary fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used -**8.1.0** +## 8.1.0 + - gitlab: upgrade to CE v8.1.0 - gitlab-git-http-server: upgrade to v0.3.0 -**8.0.5-1** +## 8.0.5-1 + - speed up container startup by compiling assets at image build time - test connection to redis-server -**8.0.5** +## 8.0.5 + - gitlab: upgrade to CE v.8.0.5 -**8.0.4-2** +## 8.0.4-2 + - fix http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used - allow user to override `OAUTH_ENABLED` setting -**8.0.4-1** +## 8.0.4-1 + - update baseimage to `sameersbn/ubuntu:14.04.20151011` -**8.0.4** +## 8.0.4 + - gitlab: upgrade to CE v.8.0.4 -**8.0.3** +## 8.0.3 + - gitlab: upgrade to CE v.8.0.3 -**8.0.2** +## 8.0.2 + - gitlab: upgrade to CE v.8.0.2 - added `IMAP_STARTTLS` parameter, defaults to `false` - expose oauth parameters for crowd server -**8.0.0** +## 8.0.0 + - set default value of `DB_TYPE` to `postgres` - added sample Kubernetes rc and service description files - expose `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` parameter 
@@ -1370,102 +3241,129 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - removed `GITLAB_ROBOTS_OVERRIDE` parameter. Override default `robots.txt` if `GITLAB_ROBOTS_PATH` exists. - added CI redirection using `GITLAB_CI_HOST` parameter -**7.14.3** +## 7.14.3 + - gitlab: upgrade to CE v.7.14.3 -**7.14.2** +## 7.14.2 + - Apply grsecurity policies to nodejs binary #394 - Fix broken emojis post migration #196 - gitlab-shell: upgrade to v.2.6.5 - gitlab: upgrade to CE v.7.14.2 -**7.14.1** +## 7.14.1 + - gitlab: upgrade to CE v.7.14.1 -**7.14.0** +## 7.14.0 + - gitlab-shell: upgrade to v.2.6.4 - gitlab: upgrade to CE v.7.14.0 -**7.13.5** +## 7.13.5 + - gitlab: upgrade to CE v.7.13.5 -**7.13.4** +## 7.13.4 + - gitlab: upgrade to CE v.7.13.4 -**7.13.3** +## 7.13.3 + - gitlab: upgrade to CE v.7.13.3 -**7.13.2** +## 7.13.2 + - gitlab: upgrade to CE v.7.13.2 -**7.13.1** +## 7.13.1 + - gitlab: upgrade to CE v.7.13.1 -**7.13.0** +## 7.13.0 + - expose SAML OAuth provider configuration - expose `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` configuration - gitlab: upgrade to CE v.7.13.0 -**7.12.2-2** +## 7.12.2-2 + - enable persistence `.secret` file used in 2FA -**7.12.2-1** +## 7.12.2-1 + - fixed gitlab:backup:restore raketask -**7.12.2** +## 7.12.2 + - gitlab: upgrade to CE v.7.12.2 -**7.12.1** +## 7.12.1 + - gitlab: upgrade to CE v.7.12.1 -**7.12.0** +## 7.12.0 + - added `SMTP_TLS` configuration parameter - gitlab: upgrade to CE v.7.12.0 - added `OAUTH_AUTO_LINK_LDAP_USER` configuration parameter -**7.11.4-1** +## 7.11.4-1 + - base image update to fix SSL vulnerability -**7.11.4** +## 7.11.4 + - gitlab: upgrade to CE v.7.11.4 -**7.11.3** +## 7.11.3 + - gitlab: upgrade to CE v.7.11.3 -**7.11.2** +## 7.11.2 + - gitlab: upgrade to CE v.7.11.2 -**7.11.0** +## 7.11.0 + - init: added `SIDEKIQ_MEMORY_KILLER_MAX_RSS` configuration option - init: added `SIDEKIQ_SHUTDOWN_TIMEOUT` configuration option - gitlab-shell: upgrade to v.2.6.3 - gitlab: upgrade to CE 
v.7.11.0 - init: removed `GITLAB_PROJECTS_VISIBILITY` ENV parameter -**7.10.4** +## 7.10.4 + - gitlab: upgrade to CE v.7.10.4 -**7.10.3** +## 7.10.3 + - gitlab: upgrade to CE v.7.10.3 -**7.10.2** +## 7.10.2 + - init: added support for remote AWS backups - gitlab: upgrade to CE v.7.10.2 -**7.10.1** +## 7.10.1 + - gitlab: upgrade to CE v.7.10.1 -**7.10.0** +## 7.10.0 + - gitlab-shell: upgrade to v.2.6.2 - gitlab: upgrade to CE v.7.10.0 - init: removed ENV variables to configure *External Issue Tracker* integration - init: added `GITLAB_EMAIL_REPLY_TO` configuration option - init: added `LDAP_BLOCK_AUTO_CREATED_USERS` configuration option -**7.9.4** +## 7.9.4 + - gitlab: upgrade to CE v.7.9.4 -**7.9.3** +## 7.9.3 + - added `NGINX_PROXY_BUFFERING` option - added `NGINX_ACCEL_BUFFERING` option - added `GITLAB_GRAVATAR_ENABLED` option @@ -1474,14 +3372,17 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - fixes: "transfer closed with xxx bytes remaining to read" error - gitlab: upgrade to CE v.7.9.3 -**7.9.2** +## 7.9.2 + - gitlab: upgrade to CE v.7.9.2 -**7.9.1** +## 7.9.1 + - init: set default value of `SMTP_OPENSSL_VERIFY_MODE` to `none` - gitlab: upgrade to CE v.7.9.1 -**7.9.0** +## 7.9.0 + - gitlab-shell: upgrade to v.2.6.0 - gitlab: upgrade to CE v.7.9.0 - init: set default value of `UNICORN_WORKERS` to `3` 
@@ -1490,17 +3391,21 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - init: added BitBucket OAuth configuration support - init: added `GITLAB_EMAIL_DISPLAY_NAME` configuration option -**7.8.4** +## 7.8.4 + - gitlab: upgrade to CE v.7.8.4 -**7.8.2** +## 7.8.2 + - gitlab: upgrade to CE v.7.8.2 -**7.8.1** +## 7.8.1 + - gitlab-shell: upgrade to v.2.5.4 - gitlab: upgrade to CE v.7.8.1 -**7.8.0** +## 7.8.0 + - update postgresql client to the latest version, Closes #249 - removed `GITLAB_SIGNUP` configuration option, can be set from gitlab ui - removed `GITLAB_SIGNIN` configuration option, can be set from gitlab ui 
@@ -1512,60 +3417,73 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - init: set `LDAP_METHOD` default value to `plain` - init: added gitlab oauth configuration support -**7.7.2** +## 7.7.2 + - gitlab-shell: upgrade to v.2.4.2 - gitlab: upgrade to CE v.7.7.2 -**7.7.1** +## 7.7.1 + - gitlab: upgrade to CE v.7.7.1 -**7.7.0** +## 7.7.0 + - init: added GOOGLE_ANALYTICS_ID configuration option - added support for mantis issue tracker - fixed log rotation configuration - gitlab-shell: upgrade to v.2.4.1 - gitlab: upgrade to CE v.7.7.0 -**7.6.2** +## 7.6.2 + - gitlab: upgrade to CE v.7.6.2 -**7.6.1** +## 7.6.1 + - disable nginx ipv6 if host does not support it. - init: added GITLAB_BACKUP_TIME configuration option - gitlab: upgrade to CE v.7.6.1 -**7.6.0** +## 7.6.0 + - add support for configuring piwik - gitlab-shell: upgrade to v.2.4.0 - gitlab: upgrade to CE v.7.6.0 -**7.5.3** +## 7.5.3 + - accept `BACKUP` parameter while running the restore rake task, closes #220 - init: do not run `gitlab:satellites:create` rake task at startup - gitlab: upgrade to CE v.7.5.3 -**7.5.2** +## 7.5.2 + - gitlab: upgrade to CE v.7.5.2 -**7.5.1** +## 7.5.1 + - gitlab: upgrade to CE v.7.5.1 - gitlab-shell to v2.2.0 - added `GITLAB_TIMEZONE` configuration option - added `GITLAB_EMAIL_ENABLED` configuration option -**7.4.4** +## 7.4.4 + - gitlab: upgrade to CE v.7.4.4 - added `SSL_VERIFY_CLIENT` configuration option - added `NGINX_WORKERS` configuration option - added `USERMAP_UID` and `USERMAP_GID` configuration option -**7.4.3** +## 7.4.3 + - gitlab: upgrade to CE v.7.4.3 -**7.4.2** +## 7.4.2 + - gitlab: upgrade to CE v.7.4.2 -**7.4.0** +## 7.4.0 + - gitlab: upgrade to CE v.7.4.0 - config: added `LDAP_ACTIVE_DIRECTORY` configuration option - added SMTP_OPENSSL_VERIFY_MODE configuration option 
@@ -1573,10 +3491,12 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - automatically compile assets if relative_url is changed - launch all daemons via supervisord -**7.3.2-1** +## 7.3.2-1 + - fix mysql status check -**7.3.2** +## 7.3.2 + - upgrade to gitlab-ce 7.3.2 - removed internal mysql server - added support for fetching `DB_NAME`, `DB_USER` and `DB_PASS` from the postgresql linkage @@ -1585,27 +3505,33 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added GITLAB_GRAVATAR_ENABLED configuration option - added fig.yml -**7.3.1-3** +## 7.3.1-3 + - fix mysql command again! -**7.3.1-2** +## 7.3.1-2 + - fix mysql server status check -**7.3.1-1** +## 7.3.1-1 + - plug bash vulnerability by switching to dash shell - automatically run the `gitlab:setup` rake task for new installs -**7.3.1** +## 7.3.1 + - upgrade to gitlab-ce 7.3.1 -**7.3.0** +## 7.3.0 + - upgrade to gitlab-ce 7.3.0 - added GITLAB_WEBHOOK_TIMEOUT configuration option - upgrade to gitlab-shell 2.0.0 - removed internal redis server - shutdown the container gracefully -**7.2.2** +## 7.2.2 + - upgrade to gitlab-ce 7.2.2 - added GITLAB_HTTPS_HSTS_ENABLED configuration option (advanced config) - added GITLAB_HTTPS_HSTS_MAXAGE configuration option (advanced config) 
@@ -1615,22 +3541,26 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added GITLAB_SSH_HOST configuration option - added GITLAB_USERNAME_CHANGE configuration option -**7.2.1-1** +## 7.2.1-1 + - removed the GITLAB_HTTPS_ONLY configuration option - added NGINX_X_FORWARDED_PROTO configuration option - optimization: talk directly to the unicorn worker from gitlab-shell -**7.2.1** +## 7.2.1 + - upgrade to gitlab-ce 7.2.1 - added new SMTP_ENABLED configuration option. -**7.2.0-1** +## 7.2.0-1 + - fix nginx static route handling when GITLAB_RELATIVE_URL_ROOT is used. - fix relative root access without the trailing '/' character -- added seperate server block for http config in gitlab.https.permissive. Fixes #127 +- added separate server block for http config in gitlab.https.permissive. Fixes #127 - added OAUTH_GOOGLE_RESTRICT_DOMAIN config option. -**7.2.0** +## 7.2.0 + - upgrade to gitlab-ce 7.2.0 - update to the sameersbn/ubuntu:14.04.20140818 baseimage - remove /var/lib/apt/lists to optimize image size. @@ -1645,12 +3575,14 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - update to gitlab-shell 1.9.7 - update to the sameersbn/ubuntu:14.04.20140812 baseimage -**7.1.1** +## 7.1.1 + - removed "add_header X-Frame-Options DENY" setting from the nginx config. fixes #110 - upgrade to gitlab-ce 7.1.1 - run /etc/init.d/gitlab as git user, plays nicely with selinux -**7.1.0** +## 7.1.0 + - removed GITLAB_SUPPORT configuration option - upgrade to gitlab-ce 7.1.0 - clone gitlab-ce and gitlab-shell sources from the git repo. @@ -1659,7 +3591,8 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - no more root access over ssh, use nsenter instead - upgrade to nginx-1.6.x series from the nginx/stable ppa -**7.0.0** +## 7.0.0 + - upgrade to gitlab-7.0.0 - fix repository and gitlab-satellites directory permissions. - added GITLAB_RESTRICTED_VISIBILITY configuration option 
@@ -1669,18 +3602,22 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - automatically migrate database when gitlab version is updated - upgrade to gitlab-shell 1.9.5 -**6.9.2** +## 6.9.2 + - upgrade to gitlab-ce 6.9.2 -**6.9.1** +## 6.9.1 + - upgrade to gitlab-ce 6.9.1 -**6.9.0** +## 6.9.0 + - upgrade to gitlab-ce 6.9.0 - added GITLAB_RELATIVE_URL_ROOT configuration option - added NGINX_MAX_UPLOAD_SIZE configuration to specify the maximum acceptable size of attachments. -**6.8.2** +## 6.8.2 + - upgrade to gitlab-ce 6.8.2 - renamed configuration option GITLAB_SHELL_SSH_PORT to GITLAB_SSH_PORT - added GITLAB_PROJECTS_VISIBILITY configuration option to specify the default project visibility level. @@ -1701,10 +3638,12 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - cache compiled assets to boost application startup. - fix symlink to uploads directory -**6.8.1** +## 6.8.1 + - upgrade to gitlab-ce 6.8.1 -**6.8.0** +## 6.8.0 + - upgrade to gitlab-shell 1.9.3 - added GITLAB_SIGNIN setting to enable or disable standard login form - upgraded to gitlab-ce version 6.8.0 
@@ -1712,30 +3651,36 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - use sameersbn/ubuntu as the base docker image - install postgresql-client to fix restoring backups when used with a postgresql database backend. -**6.7.5** +## 6.7.5 + - upgrade gitlab to 6.7.5 - support linking to mysql and postgresql containers - added DEFAULT_PROJECTS_LIMIT configuration option -**6.7.4** +## 6.7.4 + - upgrade gitlab to 6.7.4 - added SMTP_AUTHENTICATION configuration option, defaults to :login. - added LDAP configuration options. -**6.7.3** +## 6.7.3 + - upgrade gitlab to 6.7.3 - install ruby2.0 from ppa -**6.7.2** +## 6.7.2 + - upgrade gitlab to 6.7.2 - upgrade gitlab-shell to 1.9.1 - reorganize repo -- do not perform system upgrades (http://crosbymichael.com/dockerfile-best-practices-take-2.html) +- do not perform system upgrades () + +## 6.6.5 -**6.6.5** - upgraded to gitlab-6.6.5 -**v6.6.4** +## v6.6.4 + - upgraded to gitlab-6.6.4 - added changelog - removed postfix mail delivery @@ -1745,7 +3690,8 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added DB_PORT configuration option - changed backup time to 4am (UTC) -**v6.6.2** +## v6.6.2 + - upgraded to gitlab-6.6.2 - added automated daily/monthly backups feature - documented ssh login details for maintenance tasks. @@ -1754,6 +3700,7 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added app:rake command for executing gitlab rake tasks - documented hardware requirements -**v6.6.1** +## v6.6.1 + - upgraded to gitlabhq-6.6.1 - reformatted README diff --git a/Dockerfile b/Dockerfile index 2130a6f9b..7712fb6be 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,22 @@
-FROM ubuntu:bionic-20200921
+FROM ubuntu:noble-20251001
-ARG VERSION=13.5.3
+ARG VERSION=18.5.1
 ENV GITLAB_VERSION=${VERSION} \
- RUBY_VERSION=2.6 \
- GOLANG_VERSION=1.15.3 \
- GITLAB_SHELL_VERSION=13.11.0 \
- GITLAB_WORKHORSE_VERSION=8.51.0 \
- GITLAB_PAGES_VERSION=1.28.0 \
- GITALY_SERVER_VERSION=13.5.3 \
+ RUBY_VERSION=3.2.9 \
+ RUBY_SOURCE_SHA256SUM="abbad98db9aeb152773b0d35868e50003b8c467f3d06152577c4dfed9d88ed2a" \
+ RUBYGEMS_VERSION=3.7.2 \
+ GOLANG_VERSION=1.24.9 \
+ GITLAB_SHELL_VERSION=14.45.3 \
+ GITLAB_PAGES_VERSION=18.5.1 \
+ GITALY_SERVER_VERSION=18.5.1 \
 GITLAB_USER="git" \
 GITLAB_HOME="/home/git" \
 GITLAB_LOG_DIR="/var/log/gitlab" \
 GITLAB_CACHE_DIR="/etc/docker-gitlab" \
 RAILS_ENV=production \
- NODE_ENV=production
+ NODE_ENV=production \
+ NO_SOURCEMAPS=true
 ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
 GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \
@@ -25,34 +27,38 @@ ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \
 RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
- wget ca-certificates apt-transport-https gnupg2
+ wget ca-certificates apt-transport-https gnupg2 \
+ && apt-get upgrade -y \
+ && rm -rf /var/lib/apt/lists/*
+
 RUN set -ex && \
- apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv E1DD270288B4E6030699E45FA1715D88E1DF1F24 \
- && echo "deb http://ppa.launchpad.net/git-core/ppa/ubuntu bionic main" >> /etc/apt/sources.list \
- && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 80F70E11F0F0D5F10CB20E62F5DA5F09C3173AA6 \
- && echo "deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu bionic main" >> /etc/apt/sources.list \
- && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 8B3981E7A6852F782CC4951600A6F0A3C300EE8C \
- && echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu bionic main" >> /etc/apt/sources.list \
- && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
- && echo 'deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main' > /etc/apt/sources.list.d/pgdg.list \
- && wget --quiet -O - https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
- && echo 'deb https://deb.nodesource.com/node_12.x bionic main' > /etc/apt/sources.list.d/nodesource.list \
- && wget --quiet -O - https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \
- && echo 'deb https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list \
+ mkdir -p /etc/apt/keyrings \
+ && wget --quiet -O - https://keyserver.ubuntu.com/pks/lookup?op=get\&search=0xe1dd270288b4e6030699e45fa1715d88e1df1f24 | gpg --dearmor -o /etc/apt/keyrings/git-core.gpg \
+ && echo "deb [signed-by=/etc/apt/keyrings/git-core.gpg] http://ppa.launchpad.net/git-core/ppa/ubuntu noble main" >> /etc/apt/sources.list \
+ && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/postgres.gpg \
+ && echo 'deb [signed-by=/etc/apt/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt/ noble-pgdg main' > /etc/apt/sources.list.d/pgdg.list \
+ && wget --quiet -O - https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+ && echo 'deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodesource.list \
+ && wget --quiet -O - https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /etc/apt/keyrings/yarn.gpg \
+ && echo 'deb [signed-by=/etc/apt/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list \
+ && wget --quiet -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg \
+ && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu noble nginx" >> /etc/apt/sources.list.d/nginx.list \
+ && printf "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" >> /etc/apt/preferences.d/99nginx \
 && set -ex \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
 sudo supervisor logrotate locales curl \
- nginx openssh-server postgresql-client-12 postgresql-contrib-12 redis-tools \
- git-core ruby${RUBY_VERSION} python3 python3-docutils nodejs yarn gettext-base graphicsmagick \
- libpq5 zlib1g libyaml-0-2 libssl1.0.0 \
- libgdbm5 libreadline7 libncurses5 libffi6 \
- libxml2 libxslt1.1 libcurl4 libicu60 libre2-dev tzdata unzip libimage-exiftool-perl \
+ nginx openssh-server redis-tools \
+ postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-16 postgresql-client-17 \
+ python3 python3-docutils nodejs yarn gettext-base graphicsmagick \
+ libpq5 zlib1g libyaml-dev libssl-dev libgdbm-dev libre2-dev \
+ libreadline-dev libncurses5-dev libffi-dev curl openssh-server libxml2-dev libxslt-dev \
+ libcurl4-openssl-dev libicu-dev libkrb5-dev rsync python3-docutils pkg-config cmake \
+ tzdata unzip libimage-exiftool-perl libmagic1 \
 && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
 && locale-gen en_US.UTF-8 \
 && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \
- && gem install --no-document bundler -v 1.17.3 \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* /etc/nginx/conf.d/default.conf
 COPY assets/build/ ${GITLAB_BUILD_DIR}/
 RUN bash ${GITLAB_BUILD_DIR}/install.sh
@@ -61,6 +67,8 @@ COPY assets/runtime/ ${GITLAB_RUNTIME_DIR}/
 COPY entrypoint.sh /sbin/entrypoint.sh
 RUN chmod 755 /sbin/entrypoint.sh
+ENV prometheus_multiproc_dir="/dev/shm"
+
 ARG BUILD_DATE
 ARG VCS_REF
diff --git a/README.md b/README.md
index 64755df57..5ecf8e454 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-[![](https://images.microbadger.com/badges/image/sameersbn/gitlab.svg)](http://microbadger.com/images/sameersbn/gitlab "Get your own image badge on microbadger.com")
+# sameersbn/gitlab:18.5.1
-# sameersbn/gitlab:13.5.3
+[![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master)
 - [Introduction](#introduction)
 - [Changelog](Changelog.md)
@@ -17,6 +17,7 @@
 - [PostgreSQL (Recommended)](#postgresql)
 - [External PostgreSQL Server](#external-postgresql-server)
 - [Linking to PostgreSQL Container](#linking-to-postgresql-container)
+ - [Upgrading PostgreSQL](#upgrading-postgresql)
 - [Redis](#redis)
 - [Internal Redis Server](#internal-redis-server)
 - [External Redis Server](#external-redis-server)
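Review bot: None of the five keyrings written in the `RUN set -ex` block is checked against a known fingerprint: each `wget --quiet -O - … | gpg --dearmor -o /etc/apt/keyrings/….gpg` trusts whatever the download returned, whereas the removed `apt-key adv --recv E1DD…` lines at least requested a specific key, and the new keyserver lookup only carries that fingerprint in its query string. Add an assertion after each dearmor, e.g. for git-core `&& gpg --show-keys --with-colons /etc/apt/keyrings/git-core.gpg | grep -q ':E1DD270288B4E6030699E45FA1715D88E1DF1F24:' \`, and the vendor-published fingerprints for the PostgreSQL, NodeSource, Yarn and nginx keys. `set -ex` also does not enable pipefail, so a failed wget leaves gpg dearmoring an empty stream and the build only dies later in `apt-get update` with a less obvious NO_PUBKEY error; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` above this RUN makes the download failure itself fatal. The git-core, PostgreSQL and nginx sources are added over plain `http://` although all three hosts are reachable over `https://` as well; apt's Release signature still protects package integrity, but TLS takes a network attacker out of apt's HTTP transport path at no cost. Minor: `curl`, `openssh-server` and `python3-docutils` each appear twice in the new package list.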
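Review bot: `ENV prometheus_multiproc_dir="/dev/shm"` is added with no explanation of why a tmpfs is chosen or what it costs, so give it a comment such as `# Directory for Prometheus multiprocess metrics files (presumably consumed by GitLab's prometheus client); tmpfs so they never hit the data volume`. Worth recording next to it that Docker sizes /dev/shm at 64 MiB unless the container is started with `--shm-size`, so deployments with many Puma/Sidekiq workers may need to raise it or point this variable at another directory — I cannot confirm from this diff what else in the image writes to /dev/shm.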
@@ -44,11 +45,14 @@ - [SAML](#saml) - [Crowd](#crowd) - [Microsoft Azure](#microsoft-azure) - - [Generic OAuth2](#Generic-OAuth2) + - [Generic OAuth2](#generic-oauth2) + - [OpenID Connect](#openid-connect) + - [JWT](#jwt) - [Gitlab Pages](#gitlab-pages) - [External Issue Trackers](#external-issue-trackers) - [Host UID / GID Mapping](#host-uid--gid-mapping) - [Piwik](#piwik) + - [Feature flags](#feature-flags) - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) @@ -56,7 +60,7 @@ - [Restoring Backups](#restoring-backups) - [Automated Backups](#automated-backups) - [Amazon Web Services (AWS) Remote Backups](#amazon-web-services-aws-remote-backups) - - [Google Cloud Storage (GCS) Remote Backups](#google-cloud-storage-gcs-remote-backup) + - [Google Cloud Storage (GCS) Remote Backups](#google-cloud-storage-gcs-remote-backups) - [Rake Tasks](#rake-tasks) - [Import Repositories](#import-repositories) - [Upgrading](#upgrading) 
@@ -67,15 +71,15 @@ - [Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry](docs/docker-swarm-traefik-registry.md) - [References](#references) -# Introduction +## Introduction -Dockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) opensource container platform. +Dockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) open source container platform. -GitLab CE is set up in the Docker image using the [install from source](https://docs.gitlab.com/ce/install/installation.html) method as documented in the the official GitLab documentation. +GitLab CE is set up in the Docker image using the [install from source](https://docs.gitlab.com/ce/install/installation.html) method as documented in the official GitLab documentation. For other methods to install GitLab please refer to the [Official GitLab Installation Guide](https://about.gitlab.com/install/) which includes a [GitLab image for Docker](https://docs.gitlab.com/omnibus/docker/). -# Contributing +## Contributing If you find this image useful here's how you can help: 
@@ -83,18 +87,18 @@ If you find this image useful here's how you can help: - Be a part of the community and help resolve [Issues](https://github.com/sameersbn/docker-gitlab/issues) - Support the development of this image with a [donation](http://www.damagehead.com/donate/) -# Team +## Team - Niclas Mietz ([solidnerd](https://github.com/solidnerd)) - Sameer Naik ([sameersbn](https://github.com/sameersbn)) See [Contributors](../../graphs/contributors) for the complete list developers that have contributed to this project. -# Issues +## Issues -Docker is a relatively new project and is active being developed and tested by a thriving community of developers and testers and every release of docker features many enhancements and bugfixes. +Docker is actively being developed and tested by a thriving community of developers and testers and every release of Docker features many enhancements and bugfixes. -Given the nature of the development and release cycle it is very important that you have the latest version of docker installed because any issue that you encounter might have already been fixed with a newer docker release. +Given the nature of the development and release cycle it is very important that you have the latest version of Docker installed because any issue that you encounter might have already been fixed with a newer Docker release. Install the most recent version of the Docker Engine for your platform using the [official Docker releases](http://docs.docker.com/engine/installation/), which can also be installed using: 
@@ -104,9 +108,9 @@ wget -qO- https://get.docker.com/ | sh Fedora and RHEL/CentOS users should try disabling selinux with `setenforce 0` and check if resolves the issue. If it does than there is not much that I can help you with. You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu. -You may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pin point any configuration issues. +You may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pinpoint any configuration issues. -If using the latest docker version and/or disabling selinux does not fix the issue then please file a issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page. +If using the latest docker version and/or disabling selinux does not fix the issue then please file an issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page. In your issue report please make sure you provide the following information: @@ -115,16 +119,16 @@ In your issue report please make sure you provide the following information: - Output of the `docker info` command - The `docker run` command you used to run the image (mask out the sensitive bits). -# Prerequisites +## Prerequisites Your docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab [hardware requirements](https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md#hardware-requirements) documentation for additional information. -# Installation +## Installation Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation. ```bash -docker pull sameersbn/gitlab:13.5.3 +docker pull sameersbn/gitlab:18.5.1 ``` You can also pull the `latest` tag which is built from the repository *HEAD* 
@@ -139,7 +143,7 @@ Alternatively you can build the image locally. docker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab ``` -# Quick Start +## Quick Start The quickest way to get started is using [docker-compose](https://docs.docker.com/compose/). 
@@ -147,14 +151,23 @@ The quickest way to get started is using [docker-compose](https://docs.docker.co wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml ``` -Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, and `GITLAB_SECRETS_SECRET_KEY_BASE`. These values are used for the following: +Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: - `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA. - `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets. - `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset. +- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials. > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`. +Also generate random strings that are typically `32` characters long for each of: + +- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` +- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` +- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` + +These values are used for `ActiveRecord::Encryption` encrypted columns. Details can be found under [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html). + Start GitLab using: ```bash 
@@ -169,17 +182,17 @@ Step 1. Launch a postgresql container docker run --name gitlab-postgresql -d \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ - --env 'DB_EXTENSION=pg_trgm' \ + --env 'DB_EXTENSION=pg_trgm,btree_gist' \ --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \ - sameersbn/postgresql:11-20200524 + kkimurak/sameersbn-postgresql:16 ``` Step 2. Launch a redis container ```bash docker run --name gitlab-redis -d \ - --volume /srv/docker/gitlab/redis:/var/lib/redis \ - sameersbn/redis:4.0.9-2 + --volume /srv/docker/gitlab/redis:/data \ + redis:7 ``` Step 3. Launch the gitlab container @@ -192,13 +205,17 @@ docker run --name gitlab -d \ --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \ + --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \ + --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alpha-numeric-string"]' \ + --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \ + --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` *Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options* -__NOTE__: Please allow a couple of minutes for the GitLab application to start. +**NOTE**: Please allow a couple of minutes for the GitLab application to start. Point your browser to `http://localhost:10080` and set a password for the `root` user account. 
@@ -206,15 +223,15 @@ You should now have the GitLab application up and ready for testing. If you want *The rest of the document will use the docker command line. You can quite simply adapt your configuration into a `docker-compose.yml` file if you wish to do so.* -# Configuration +## Configuration -## Data Store +### Data Store GitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. To avoid losing any data, you should mount a volume at, -* `/home/git/data` +- `/home/git/data` -Note that if you are using the `docker-compose` approach, this has already been done for you. +*Note: that if you are using the `docker-compose` approach, you must "inspect" the volumes (```docker volume inspect```) to check the mounted path.* SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux. 
@@ -228,18 +245,50 @@ Volumes can be mounted in docker by specifying the `-v` option in the docker run ```bash docker run --name gitlab -d \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` -## Database +### Database GitLab uses a database backend to store its data. You can configure this image to use PostgreSQL. -*Note: GitLab requieres PostgreSQL now. So use an older image < 12.1 or migrate to PostgresSQL* +*Note:* GitLab requires PostgreSQL now. So use an older image < 12.1 or migrate to PostgresSQL + +#### PostgreSQL + +**Important note:** This image is shipped with different versions of the `postgresql-client`. + +During the startup of the container, the major version of the database system is checked based on the specified connection destination. Only the version of the `postgresql-client`, that matches the major version of the Postgres database is used. If the major version of any version of the included clients does not match, the latest client is used (but may cause issues). All other versions of the `postgresql-client` are deleted at runtime. + +This behavior can be checked using the command `docker logs` and an output like the following should be available: -### PostgreSQL +````sh +… +Configuring gitlab::database +- Installing postgresql client to avoid version mismatch on dumping +-- Detected server version: 160009 +- Generating /home/git/.postgresqlrc +16 postgresql:5432 gitlabhq_production +- Uninstalling unused client(s): postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-17 +… +```` -#### External PostgreSQL Server +Please note furthermore, that only compatible versions of the `postgresql-client` to GitLab are shipped with this image. Currently, these belong to + +- `postgresql-client-13`, +- `postgresql-client-14`, +- `postgresql-client-15`, +- `postgresql-client-16`, +- and `postgresql-client-17`. 
+ +***Notes:*** + +- GitLab CE version 13.7.0 and later requires PostgreSQL version 12.x. +- GitLab CE version 16.0.0 and later requires PostgreSQL version 13.x. +- GitLab CE version 17.0.0 and later requires PostgreSQL version 14.x. +- GitLab CE version 18.0.0 and later requires PostgreSQL version 16.x. + +##### External PostgreSQL Server The image also supports using an external PostgreSQL Server. This is also controlled via environment variables. @@ -249,11 +298,11 @@ CREATE DATABASE gitlabhq_production; GRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab; ``` -Additionally since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database. +Additionally, since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database. We are now ready to start the GitLab application. -*Assuming that the PostgreSQL server host is 192.168.1.100* +*Note:* The following applies assuming that the PostgreSQL server host is `192.168.1.100`. ```bash docker run --name gitlab -d \ @@ -261,10 +310,10 @@ docker run --name gitlab -d \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` -#### Linking to PostgreSQL Container +##### Linking to PostgreSQL Container You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to **postgresql** while linking with the gitlab image. 
@@ -272,10 +321,10 @@ If a postgresql container is linked, only the `DB_HOST` and `DB_PORT` settings a To illustrate linking with a postgresql container, we will use the [sameersbn/postgresql](https://github.com/sameersbn/docker-postgresql) image. When using postgresql image in production you should mount a volume for the postgresql data store. Please refer the [README](https://github.com/sameersbn/docker-postgresql/blob/master/README.md) of docker-postgresql for details. -First, lets pull the postgresql image from the docker index. +First, let's pull the postgresql image from the docker index. ```bash -docker pull sameersbn/postgresql:11-20200524 +docker pull kkimurak/sameersbn-postgresql:16 ``` For data persistence lets create a store for the postgresql and start the container. @@ -295,7 +344,7 @@ docker run --name gitlab-postgresql -d \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --env 'DB_EXTENSION=pg_trgm' \ --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \ - sameersbn/postgresql:11-20200524 + kkimurak/sameersbn-postgresql:16 ``` The above command will create a database named `gitlabhq_production` and also create a user named `gitlab` with the password `password` with access to the `gitlabhq_production` database. 
@@ -305,64 +354,75 @@ We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-postgresql:postgresql \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` Here the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. This is made possible using the magic of docker links and works with the following images: - - [postgres](https://hub.docker.com/_/postgres/) - - [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) - - [orchardup/postgresql](https://hub.docker.com/r/orchardup/postgresql/) - - [paintedfox/postgresql](https://hub.docker.com/r/paintedfox/postgresql/) +- [postgres](https://hub.docker.com/_/postgres/), +- [kkimurak/sameersbn-postgresql](https://hub.docker.com/r/kkimurak/sameersbn-postgresql), or +- [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) . + +##### Upgrading PostgreSQL + +When this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL. + +If you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL. + +If you are using PostgreSQL image other than [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) you will need make sure that the image you are using can handle migration itself, **or**, you will need to migrate the data yourself before starting newer version of PostgreSQL. 
-## Redis +Following project provides Docker image that handles migration of PostgreSQL data: [tianon/postgres-upgrade](https://hub.docker.com/r/tianon/postgres-upgrade/) + +After migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is `pg_hba.conf`, it will need to be copied from old version data folder into new version data folder. + +### Redis GitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables. -### Internal Redis Server +#### Internal Redis Server The internal redis server has been removed from the image. Please use a [linked redis](#linking-to-redis-container) container or specify a [external redis](#external-redis-server) connection. -### External Redis Server +#### External Redis Server The image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image. -*Assuming that the redis server host is 192.168.1.100* +*Note:* The following applies assuming that the redis server host is `192.168.1.100`. ```bash docker run --name gitlab -it --rm \ --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` -### Linking to Redis Container +#### Linking to Redis Container You can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to **redisio** while linking with the gitlab image. -To illustrate linking with a redis container, we will use the [sameersbn/redis](https://github.com/sameersbn/docker-redis) image. Please refer the [README](https://github.com/sameersbn/docker-redis/blob/master/README.md) of docker-redis for details. +To illustrate linking with a redis container, we will use the [redis](https://github.com/docker-library/redis) image. 
Please refer the [README](https://github.com/docker-library/docs/blob/master/redis/README.md) for details. -First, lets pull the redis image from the docker index. +First, let's pull the redis image from the docker index. ```bash -docker pull sameersbn/redis:4.0.9-2 +docker pull redis:7 ``` Lets start the redis container ```bash docker run --name gitlab-redis -d \ - --volume /srv/docker/gitlab/redis:/var/lib/redis \ - sameersbn/redis:4.0.9-2 + --volume /srv/docker/gitlab/redis:/data \ + redis:7 ``` We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-redis:redisio \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` -### Mail +#### Mail The mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers. @@ -372,12 +432,12 @@ If you are using Gmail then all you need to do is: docker run --name gitlab -d \ --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified. -#### Reply by email +##### Reply by email Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. 
@@ -392,24 +452,25 @@ docker run --name gitlab -d \ --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \ --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified. -### SSL +#### SSL -Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section. +Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section. Jump to the [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) section if you are using a load balancer such as hipache, haproxy or nginx. To secure your application via SSL you basically need two things: + - **Private key (.key)** - **SSL certificate (.crt)** When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip to [Strengthening the server security](#strengthening-the-server-security) section if you are armed with CA certified SSL certificates. 
-#### Generation of a Self Signed Certificate +##### Generation of a Self Signed Certificate Generation of a self-signed SSL certificate involves a simple 3-step procedure: @@ -433,7 +494,7 @@ openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt Congratulations! You now have a self-signed SSL certificate valid for 10 years. -#### Strengthening the server security +##### Strengthening the server security This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters. 
@@ -441,13 +502,19 @@ This section provides you with instructions to [strengthen your server security] openssl dhparam -out dhparam.pem 2048 ``` -#### Installation of the SSL Certificates +##### Installation of the SSL Certificates Out of the four files generated above, we need to install the `gitlab.key`, `gitlab.crt` and `dhparam.pem` files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). The default path that the gitlab application is configured to look for the SSL certificates is at `/home/git/data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. -If you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside `/srv/docker/gitlab/gitlab/` and copy the files into it and as a measure of security we'll update the permission on the `gitlab.key` file to only be readable by the owner. +If you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside the volume to where `/home/git/data` point and copy the files into it and as a measure of security we'll update the permission on the `gitlab.key` file to only be readable by the owner. + +In case use of docker-compose ... + +```$>docker volume inspect``` + +Look for "< user >_gitlab-data" and copy the "certs" directory into the "Mountpoint" ```bash mkdir -p /srv/docker/gitlab/gitlab/certs 
@@ -457,9 +524,9 @@ cp dhparam.pem /srv/docker/gitlab/gitlab/certs/ chmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key ``` -Great! we are now just one step away from having our application secured. +Great! We are now just one step away from having our application secured. -#### Enabling HTTPS support +##### Enabling HTTPS support HTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. Additionally, when using self-signed SSL certificates you need to the set `SSL_SELF_SIGNED` option to `true` as well. Assuming we are using self-signed certificates 
@@ -469,32 +536,32 @@ docker run --name gitlab -d \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer. -#### Configuring HSTS +##### Configuring HSTS HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value. -With `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable a already sent HSTS MAXAGE value, set it to `0`. +With `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable an already sent HSTS MAXAGE value, set it to `0`. ```bash docker run --name gitlab -d \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --env 'NGINX_HSTS_MAXAGE=2592000' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` If you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`. -#### Using HTTPS with a load balancer +##### Using HTTPS with a load balancer Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer. -However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. 
Additionally you will need to set the `SSL_SELF_SIGNED` option to `true` if self signed SSL certificates are in use. +However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally, you will need to set the `SSL_SELF_SIGNED` option to `true` if self-signed SSL certificates are in use. With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject. @@ -508,7 +575,7 @@ docker run --name gitlab -d \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` Again, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates. @@ -517,9 +584,9 @@ In case GitLab responds to any kind of POST request (login, OAUTH, changing sett `proxy_set_header X-Forwarded-Ssl on;` (nginx format) -#### Establishing trust with your server +##### Establishing trust with your server -This section deals will self-signed ssl certificates. If you are using CA certified certificates, your done. +This section deals will self-signed ssl certificates. If you are using CA certified certificates, you're done. This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they. 
@@ -536,7 +603,7 @@ You can do the same at the web browser. Instructions for installing the root cer There you have it, that's all there is to it. -#### Installing Trusted SSL Server Certificates +##### Installing Trusted SSL Server Certificates If your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other. @@ -544,11 +611,11 @@ The default path image is configured to look for the trusted SSL certificates is Copy the `ca.crt` file into the certs directory on the [datastore](#data-store). The `ca.crt` file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in the [README](https://github.com/sameersbn/docker-gitlab-ci/blob/master/README.md#ssl) of the [docker-gitlab-ci](https://github.com/sameersbn/docker-gitlab-ci) container. -By default, our own server certificate [gitlab.crt](#generation-of-self-signed-certificate) is added to the trusted certificates list. +By default, our own server certificate [gitlab.crt](#generation-of-a-self-signed-certificate) is added to the trusted certificates list. -### Deploy to a subdirectory (relative url root) +#### Deploy to a subdirectory (relative url root) -By default GitLab expects that your application is running at the root (eg. /). This section explains how to run your application inside a directory. +By default, GitLab expects that your application is running at the root (e.g.. /). This section explains how to run your application inside a directory. Let's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using the `GITLAB_RELATIVE_URL_ROOT` configuration option like so: 
@@ -556,26 +623,26 @@ Let's assume we want to deploy our application to '/git'. GitLab needs to know t docker run --name gitlab -it --rm \ --env 'GITLAB_RELATIVE_URL_ROOT=/git' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:13.5.3 + sameersbn/gitlab:18.5.1 ``` GitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`. **Note**: *The `GITLAB_RELATIVE_URL_ROOT` parameter should always begin with a slash and* **SHOULD NOT** *have any trailing slashes.* -### OmniAuth Integration +#### OmniAuth Integration GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms. Refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information. -#### CAS3 +##### CAS3 -To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout. +To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: `https://git.example.com:443/users/auth/cas3/callback?url`. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout. For example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters. 
-#### Authentiq +##### Authentiq To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with [Authentiq](https://www.authentiq.com/). Please refer to the GitLab [documentation](https://docs.gitlab.com/ce/administration/auth/authentiq.html) for the procedure to generate the client ID and secret key with Authentiq. @@ -585,7 +652,7 @@ For example, if your API key is `xxx` and the API secret key is `yyy`, then addi You may want to specify `OAUTH_AUTHENTIQ_REDIRECT_URI` as well. The OAuth scope can be altered as well with `OAUTH_AUTHENTIQ_SCOPE` (defaults to `'aq:name email~rs address aq:push'`). -#### Google +##### Google To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google. 
@@ -595,23 +662,23 @@ For example, if your client ID is `xxx.apps.googleusercontent.com` and client se You can also restrict logins to a single domain by adding `--env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'"`. -#### Facebook +##### Facebook -To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate a API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret. +To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret. Once you have the API key and secret generated, configure them using the `OAUTH_FACEBOOK_API_KEY` and `OAUTH_FACEBOOK_APP_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy'` to the docker run command enables support for Facebook OAuth. -#### Twitter +##### Twitter -To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate a API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter. +To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter. 
Once you have the API key and secret generated, configure them using the `OAUTH_TWITTER_API_KEY` and `OAUTH_TWITTER_APP_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy'` to the docker run command enables support for Twitter OAuth. -#### GitHub +##### GitHub To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/github.html) for the procedure to generate the Client ID and secret with github. @@ -621,7 +688,7 @@ For example, if your Client ID is `xxx` and the Client secret is `yyy`, then add Users of GitHub Enterprise may want to specify `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` as well. -#### GitLab +##### GitLab To enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/gitlab.html) for the procedure to generate the Client ID and secret with GitLab. @@ -629,7 +696,7 @@ Once you have the Client ID and secret generated, configure them using the `OAUT For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy'` to the docker run command enables support for GitLab OAuth. -#### BitBucket +##### BitBucket To enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/bitbucket.html) for the procedure to generate the Client ID and secret with BitBucket. 
@@ -637,7 +704,7 @@ Once you have the Client ID and secret generated, configure them using the `OAUT For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy'` to the docker run command enables support for BitBucket OAuth. -#### SAML +##### SAML GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html). @@ -647,19 +714,19 @@ You can also override the default "Sign in with" button label with `OAUTH_SAML_L Please refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters. -#### Crowd +##### Crowd To enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server. Configure GitLab to enable access the Crowd server by specifying the `OAUTH_CROWD_SERVER_URL`, `OAUTH_CROWD_APP_NAME` and `OAUTH_CROWD_APP_PASSWORD` environment variables. -#### Auth0 +##### Auth0 To enable the Auth0 OmniAuth provider you must register your application with [auth0](https://auth0.com/). Configure the following environment variables `OAUTH_AUTH0_CLIENT_ID`, `OAUTH_AUTH0_CLIENT_SECRET` and `OAUTH_AUTH0_DOMAIN` to complete the integration. -#### Microsoft Azure +##### Microsoft Azure To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/azure.html) for the procedure. 
@@ -667,40 +734,87 @@ Once you have the Client ID, Client secret and Tenant ID generated, configure th For example, if your Client ID is `xxx`, the Client secret is `yyy` and the Tenant ID is `zzz`, then adding `--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'` to the docker run command enables support for Microsoft Azure OAuth. -#### Generic OAuth2 +Also you can configure v2 endpoint (`azure_activedirectory_v2`) by using `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` environment variables. Optionally you can change label of login button using the `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`. + +##### Generic OAuth2 To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure. -As an example this code has been tested with Keycloak, with the following variables: `OAUTH2_GENERIC_APP_ID`, `OAUTH2_GENERIC_APP_SECRET`, `OAUTH2_GENERIC_CLIENT_SITE`, `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`, `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`, `OAUTH2_GENERIC_CLIENT_TOKEN_URL`, `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`, `OAUTH2_GENERIC_ID_PATH`, `OAUTH2_GENERIC_USER_UID`, `OAUTH2_GENERIC_USER_NAME`, `OAUTH2_GENERIC_USER_EMAIL`, `OAUTH2_GENERIC_NAME`, +As an example this code has been tested with Keycloak, with the following variables: `OAUTH2_GENERIC_APP_ID`, `OAUTH2_GENERIC_APP_SECRET`, `OAUTH2_GENERIC_CLIENT_SITE`, `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`, `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`, `OAUTH2_GENERIC_CLIENT_TOKEN_URL`, `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`, `OAUTH2_GENERIC_ID_PATH`, `OAUTH2_GENERIC_USER_UID`, `OAUTH2_GENERIC_USER_NAME`, `OAUTH2_GENERIC_USER_EMAIL`, `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`, `OAUTH2_GENERIC_LABEL` and `OAUTH2_GENERIC_NAME`. 
See [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details. -### Gitlab Pages +##### OpenID Connect + +To enable OpenID Connect provider, you must register your application with your provider. You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure. + +To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`. + +| GitLab setting | environment variable | default value | +|--------------------------------|-------------------------------------|--------------------------------| +| `label` | `OAUTH_OIDC_LABEL` | `OpenID Connect` | +| `icon` | `OAUTH_OIDC_ICON` | | +| `scope` | `OAUTH_OIDC_SCOPE` | `['openid','profile','email']` | +| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | `code` | +| `issuer` | `OAUTH_OIDC_ISSUER` | | +| `discovery` | `OAUTH_OIDC_DISCOVERY` | `true` | +| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | `basic` | +| `uid_field` | `OAUTH_OIDC_UID_FIELD` | `sub` | +| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false` | +| `pkce` | `OAUTH_OIDC_PKCE` | `true` | +| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | | +| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | `secret` | +| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` | + +See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/). + +##### JWT + +To enable the JWT OmniAuth provider, you must register your application with JWT. JWT provides you with a secret key for you to use. 
+ +To use JWT set at least `OAUTH_JWT_SECRET` and `OAUTH_JWT_AUTH_URL`. + +| GitLab setting | environment variable | default value | +| ------------------------------ | ----------------------------------- | -------------------------------| +| `label` | `OAUTH_JWT_LABEL` | `Jwt` | +| `secret` | `OAUTH_JWT_SECRET` | | +| `algorithm` | `OAUTH_JWT_ALGORITHM` | `HS256` | +| `uid_claim` | `OAUTH_JWT_UID_CLAIM` | `email` | +| `required_claims` | `OAUTH_JWT_REQUIRED_CLAIMS` | `["name", "email"]` | +| `info_map.name` | `OAUTH_JWT_INFO_MAP_NAME` | `name` | +| `info_map.email` | `OAUTH_JWT_INFO_MAP_EMAIL` | `email` | +| `auth_url` | `OAUTH_JWT_AUTH_URL` | | +| `valid_within` | `OAUTH_JWT_VALID_WITHIN` | `3600` | + -Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the envrionment variable `GITLAB_PAGES_ENABLED` to `true`. +See [OmniAuth JWT documentation](https://docs.gitlab.com/administration/auth/jwt/). -### Gitlab Pages Access Control +#### Gitlab Pages + +Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the environment variable `GITLAB_PAGES_ENABLED` to `true`. + +#### Gitlab Pages Access Control Since version `11.5.0` Gitlab pages supports access control. This allows only access to a published website if you are a project member, or have access to a certain project. Gitlab pages access control requires additional configuration before activating it through the variable `GITLAB_PAGES_ACCESS_CONTROL`. -Gitab pages access control makes use of the Gitlab OAuth Module. +GitLab pages access control makes use of the Gitlab OAuth Module. 
- - Goto the Gitlab Admin area - - Select `Applications` in the menu - - Create `New Application` - - Name: `Gitlab Pages` - - Scopes: - - api - - Trusted: NO (Do not select) - - Redirect URI: https://projects./auth +- Goto the Gitlab Admin area +- Select `Applications` in the menu +- Create `New Application` + - Name: `Gitlab Pages` + - Scopes: + - api + - Trusted: NO (Do not select) + - Redirect URI: `https://projects./auth` -Note about the `Redirect URI`; this can be tricky to configure or figure out, What needs to be achieved is to following, the redirect URI needs to end up at the `gitlab-pages` daemon with the `/auth` endpoint. +Note about the `Redirect URI`; this can be tricky to configure or figure out, What needs to be achieved is the following, the redirect URI needs to end up at the `gitlab-pages` daemon with the `/auth` endpoint. -This means that if you run your gitlab pages at domain `pages.example.io` this will be a wilcard domain where your projects are created based on their namespace. The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI. +This means that if you run your gitlab pages at domain `pages.example.io` this will be a wildcard domain where your projects are created based on their namespace. The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI. -In the example above; the pages domain `projects` has been chosen. This will cause the nginx, either the built in or your own loadbalancer to redirect `*.` to the `gitlab-pages` daemon. Which will trigger the pages endpoint. +In the example above; the pages domain `projects` has been chosen. This will cause the nginx, either the built in or your own load balancer to redirect `*.` to the `gitlab-pages` daemon. Which will trigger the pages endpoint. Make sure to choose own which does not exist and make sure that the request is routed to the `gitlab-pages` daemon if you are using your own HTTP load balancer in front of Gitlab. 
@@ -714,13 +828,12 @@ Add to following environment variables to your Gitlab Container.
 | GITLAB_PAGES_ACCESS_SECRET | Optional | Secret Hash, minimal 32 characters, if omitted, it will be auto generated. |
 | GITLAB_PAGES_ACCESS_CONTROL_SERVER | Required | Gitlab instance URI, example: `https://gitlab.example.io` |
 | GITLAB_PAGES_ACCESS_CLIENT_ID | Required | Client ID from earlier generated OAuth application |
-| GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from earlier genereated OAuth application |
+| GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from earlier generated OAuth application |
 | GITLAB_PAGES_ACCESS_REDIRECT_URI | Required | Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io` |
-After you have enabled the gitlab pages access control. When you go to a project `General Settings` -> `Permissions` you can choose the pages persmission level for the project.
+After you have enabled the gitlab pages access control. When you go to a project `General Settings` -> `Permissions` you can choose the pages permission level for the project.
-
-### External Issue Trackers
+#### External Issue Trackers
 Since version `7.10.0` support for external issue trackers can be enabled in the "Service Templates" section of the settings panel.
@@ -728,7 +841,7 @@ If you are using the [docker-redmine](https://github.com/sameersbn/docker-redmin
 By using the above option the `/home/git/data/repositories` directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project named `opensource/gitlab`, the bare repository will be accessible at `/home/git/data/repositories/opensource/gitlab.git` in the redmine container.
-### Host UID / GID Mapping
+#### Host UID / GID Mapping
 Per default the container is configured to run gitlab as user and group `git` with `uid` and `gid` `1000`. The host possibly uses this ids for different purposes leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000`.
@@ -737,17 +850,17 @@ Also the container processes seem to be executed as the host's user/group `1000`
 ```bash
 docker run --name gitlab -it --rm [options] \
 --env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \
- sameersbn/gitlab:13.5.3
+ sameersbn/gitlab:18.5.1
 ```
 When changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command:
 ```bash
 docker run --name gitlab -d [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:sanitize
+ sameersbn/gitlab:18.5.1 app:sanitize
 ```
-### Piwik
+#### Piwik
 If you want to monitor your gitlab instance with [Piwik](http://piwik.org/), there are two options to setup: `PIWIK_URL` and `PIWIK_SITE_ID`. These options should contain something like:
@@ -755,616 +868,1997 @@ These options should contain something like: - `PIWIK_URL=piwik.example.org` - `PIWIK_SITE_ID=42` +#### Feature flags -### Available Configuration Parameters +In this section, we talk about feature flags that administrators can change the state (See ). If you are looking for documentation for "Feature flags" that configured on project deploy settings, see -*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* +GitLab adopted feature flags strategies to deploy features in an early stage of development so that they can be incrementally rolled out. GitLab administrators with access to the [Rails console](https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags) or the [Feature flags API](https://docs.gitlab.com/ee/api/features.html) can control them (note that `sameersbn/gitlab` is a container image that provides GitLab installations from the source). +You can see all feature flags in GitLab at corresponding version of documentation: + +For `sameersbn/gitlab`, you can control them via environment parameter [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets) and [`GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`](#gitlab_feature_flags_enable_targets) in addition to the above methods. +This image searches yml files in [`${GITLAB_INSTALL_DIR}/config/feature_flags`](https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master/config/feature_flags) (typically `/home/git/gitlab/config/feature_flags/`) recursively and use the file list as a source of active feature flags. 
+ +Here is a part of example `docker-compose.yml`: + +````yml +services: + gitlab: + image: sameersbn/gitlab:latest + environment: + - GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=auto_devops_banner_disabled,ci_enable_live_trace + - GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=git_push_create_all_pipelines,build_service_proxy +```` + +Once the container up, you can see following messages in container log like below. + +````sh +... +Configuring gitlab::feature_flags... +- specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled", "ci_enable_live_trace"], :to_be_enabled=>["git_push_create_all_pipelines", "build_service_proxy"]} +- auto_devops_banner_disabled : off +- ci_enable_live_trace : off +- git_push_create_all_pipelines : on +- build_service_proxy : on +... +```` + +If specified flag names are not included in the list, they will be ignored and appears to container log like below: + +````sh +... +Configuring gitlab::feature_flags... +- specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled", "invalid_flag_name"], :to_be_enabled=>["git_push_create_all_pipelines", "another_invalid_flag_name"]} +- Following flags are probably invalid and have been ignored: invalid_flag_name,another_invalid_flag_name +- auto_devops_banner_disabled : off +- git_push_create_all_pipelines : on +... +```` + +#### Available Configuration Parameters +*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)* Below is the complete list of available options that can be used to customize your gitlab installation. -| Parameter | Description | -|-----------|-------------| -| `DEBUG` | Set this to `true` to enable entrypoint debugging. 
| -| `GITLAB_HOST` | The hostname of the GitLab server. Defaults to `localhost` | -| `GITLAB_CI_HOST` | If you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults. | -| `GITLAB_PORT` | The port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`. | -| `GITLAB_SECRETS_DB_KEY_BASE` | Encryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults. | -| `GITLAB_SECRETS_SECRET_KEY_BASE` | Encryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults. | -| `GITLAB_SECRETS_OTP_KEY_BASE` | Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults. | -| `GITLAB_TIMEZONE` | Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). 
| -| `GITLAB_ROOT_PASSWORD` | The password for the root user on firstrun. Defaults to `5iveL!fe`. GitLab requires this to be at least **8 characters long**. | -| `GITLAB_ROOT_EMAIL` | The email for the root user on firstrun. Defaults to `admin@example.com` | -| `GITLAB_EMAIL` | The email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`. | -| `GITLAB_EMAIL_DISPLAY_NAME` | The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`. | -| `GITLAB_EMAIL_REPLY_TO` | The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`. | -| `GITLAB_EMAIL_SUBJECT_SUFFIX` | The e-mail subject suffix used in e-mails sent by GitLab. No defaults. | -| `GITLAB_EMAIL_ENABLED` | Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration. | -| `GITLAB_EMAIL_SMIME_ENABLE` | Enable or disable email S/MIME signing. Defaults is `false`. | -| `GITLAB_EMAIL_SMIME_KEY_FILE` | Specifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``. | -| `GITLAB_EMAIL_SMIME_CERT_FILE` | Specifies the path to a S/MIME public certificate key in PEM format. Defaults to ``. | -| `GITLAB_DEFAULT_THEME` | Default theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red) | -| `GITLAB_INCOMING_EMAIL_ADDRESS` | The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter. | -| `GITLAB_INCOMING_EMAIL_ENABLED` | Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`. | -| `GITLAB_SIGNUP_ENABLED` | Enable or disable user signups (first run only). Default is `true`. 
| -| `GITLAB_IMPERSONATION_ENABLED` | Enable or disable impersonation. Defaults to `true`. | -| `GITLAB_PROJECTS_LIMIT` | Set default projects limit. Defaults to `100`. | -| `GITLAB_USERNAME_CHANGE` | Enable or disable ability for users to change their username. Defaults to `true`. | -| `GITLAB_CREATE_GROUP` | Enable or disable ability for users to create groups. Defaults to `true`. | -| `GITLAB_PROJECTS_ISSUES` | Set if *issues* feature should be enabled by default for new projects. Defaults to `true`. | -| `GITLAB_PROJECTS_MERGE_REQUESTS` | Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`. | -| `GITLAB_PROJECTS_WIKI` | Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`. | -| `GITLAB_PROJECTS_SNIPPETS` | Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`. | -| `GITLAB_PROJECTS_BUILDS` | Set if *builds* feature should be enabled by default for new projects. Defaults to `true`. | -| `GITLAB_PROJECTS_CONTAINER_REGISTRY` | Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`. | -| `GITLAB_WEBHOOK_TIMEOUT` | Sets the timeout for webhooks. Defaults to `10` seconds. | -| `GITLAB_NOTIFY_ON_BROKEN_BUILDS` | Enable or disable broken build notification emails. Defaults to `true` | -| `GITLAB_NOTIFY_PUSHER` | Add pusher to recipients list of broken build notification emails. Defaults to `false` | -| `GITLAB_REPOS_DIR` | The git repositories folder in the container. Defaults to `/home/git/data/repositories` | -| `GITLAB_BACKUP_DIR` | The backup folder in the container. Defaults to `/home/git/data/backups` | -| `GITLAB_BACKUP_DIR_CHOWN` | Optionally change ownership of backup files on start-up. Defaults to `true` | -| `GITLAB_BACKUP_DIR_GROUP` | Optionally group backups into a subfolder. Can also be used to place backups in to a subfolder on remote storage. Not used by default. 
| -| `GITLAB_BUILDS_DIR` | The build traces directory. Defaults to `/home/git/data/builds` | -| `GITLAB_DOWNLOADS_DIR` | The repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`. | -| `GITLAB_SHARED_DIR` | The directory to store the build artifacts. Defaults to `/home/git/data/shared` | -| `GITLAB_ARTIFACTS_ENABLED` | Enable/Disable GitLab artifacts support. Defaults to `true`. | -| `GITLAB_ARTIFACTS_DIR` | Directory to store the artifacts. Defaults to `$GITLAB_SHARED_DIR/artifacts` | -| `AWS_ACCESS_KEY_ID`| Default AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_ID`| -| `AWS_SECRET_ACCESS_KEY`| Default AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY`| -| `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| Default Google project to use for Object Store.| -| `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| Default Google service account email to use for Object Store.| -| `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`| Default Google key file Defaults to `/gcs/key.json`| -| `GITLAB_OBJECT_STORE_CONNECTION_PROVIDER`| Default object store connection provider. Defaults to `AWS`| -| `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED` | Enables Object Store for Artifacts that will be remote stored. Defaults to `false` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY` | Bucket name to store the artifacts. Defaults to `artifacts` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD` | Set to true to enable direct upload of Artifacts without the need of local shared storage. Defaults to `false` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD` | Temporary option to limit automatic upload. Defaults to `false` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD` | Passthrough all downloads via GitLab instead of using Redirects to Object Storage. 
Defaults to `false` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER` | Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` | AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` | AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION` | AWS Region. Defaults to `us-east-1` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST` | Configure this for an compatible AWS host like minio. Defaults to `s3.amazonaws.com` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` | AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` | Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true` | -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| -| `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`| Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)| -| `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON` | Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` | -| `GITLAB_LFS_ENABLED` | Enable/Disable Git LFS support. Defaults to `true`. | -| `GITLAB_LFS_OBJECTS_DIR` | Directory to store the lfs-objects. Defaults to `$GITLAB_SHARED_DIR/lfs-objects` | -| `GITLAB_LFS_OBJECT_STORE_ENABLED` | Enables Object Store for LFS that will be remote stored. 
Defaults to `false` | -| `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY` | Bucket name to store the LFS. Defaults to `lfs-object` | -| `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD` | Temporary option to limit automatic upload. Defaults to `false` | -| `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD` | Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER` | Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` | AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` | AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION` | AWS Region. Defaults to `us-east-1` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST` | Configure this for an compatible AWS host like minio. Defaults to `s3.amazonaws.com` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` | AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` | Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true` | -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| -| `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`| Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)| -| `GITLAB_UPLOADS_STORAGE_PATH` | The location where uploads objects are stored. Defaults to `$GITLAB_SHARED_DIR/public`. 
| -| `GITLAB_UPLOADS_BASE_DIR` | Mapping for the `GITLAB_UPLOADS_STORAGE_PATH`. Defaults to `uploads/-/system` | -| `GITLAB_UPLOADS_OBJECT_STORE_ENABLED` | Enables Object Store for UPLOADS that will be remote stored. Defaults to `false` | -| `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY` | Bucket name to store the UPLOADS. Defaults to `uploads` | -| `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD` | Temporary option to limit automatic upload. Defaults to `false` | -| `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD` | Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER` | Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` | AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` | AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION` | AWS Region. Defaults to `us-east-1` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST` | Configure this for an compatible AWS host like minio. Defaults to `s3.amazonaws.com` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` | AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` | Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true` | -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`| -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`| -| `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`| Default Google key file. 
Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)| -| `GITLAB_MATTERMOST_ENABLED` | Enable/Disable GitLab Mattermost for *Add Mattermost button*. Defaults to `false`. | -| `GITLAB_MATTERMOST_URL` | Sets Mattermost URL. Defaults to `https://mattermost.example.com`. | -| `GITLAB_BACKUP_SCHEDULE` | Setup cron job to automatic backups. Possible values `disable`, `daily`, `weekly` or `monthly`. Disabled by default | -| `GITLAB_BACKUP_EXPIRY` | Configure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds). | -| `GITLAB_BACKUP_PG_SCHEMA` | Specify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524 | -| `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` | Sets the permissions of the backup archives. Defaults to `0600`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions) | -| `GITLAB_BACKUP_TIME` | Set a time for the automatic backups in `HH:MM` format. Defaults to `04:00`. | -| `GITLAB_BACKUP_SKIP` | Specified sections are skipped by the backups. Defaults to empty, i.e. `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system) | -| `GITLAB_SSH_HOST` | The ssh host. Defaults to **GITLAB_HOST**. | -| `GITLAB_SSH_LISTEN_PORT` | The ssh port for SSHD to listen on. Defaults to `22` | -| `GITLAB_SSH_MAXSTARTUPS` | The ssh "MaxStartups" parameter, defaults to `10:30:60`. | -| `GITLAB_SSH_PORT` | The ssh port number. Defaults to `$GITLAB_SSH_LISTEN_PORT`. | -| `GITLAB_RELATIVE_URL_ROOT` | The relative url of the GitLab server, e.g. `/git`. No default. | -| `GITLAB_TRUSTED_PROXIES` | Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults. 
| -| `GITLAB_REGISTRY_ENABLED` | Enables the GitLab Container Registry. Defaults to `false`. | -| `GITLAB_REGISTRY_HOST` | Sets the GitLab Registry Host. Defaults to `registry.example.com` | -| `GITLAB_REGISTRY_PORT` | Sets the GitLab Registry Port. Defaults to `443`. | -| `GITLAB_REGISTRY_API_URL` | Sets the GitLab Registry API URL. Defaults to `http://localhost:5000` | -| `GITLAB_REGISTRY_KEY_PATH` | Sets the GitLab Registry Key Path. Defaults to `config/registry.key` | -| `GITLAB_REGISTRY_DIR` | Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry` | -| `GITLAB_REGISTRY_ISSUER` | Sets the GitLab Registry Issuer. Defaults to `gitlab-issuer`. | -| `GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES` | Set to `true` to generate SSL internal Registry keys. Used to communicate between a Docker Registry and GitLab. It will generate a self-signed certificate key at the location given by `$GITLAB_REGISTRY_KEY_PATH`, e.g. `/certs/registry.key`. And will generate the certificate file at the same location, with the same name, but changing the extension from `key` to `crt`, e.g. `/certs/registry.crt` | -| `GITLAB_PAGES_ENABLED` | Enables the GitLab Pages. Defaults to `false`. | -| `GITLAB_PAGES_DOMAIN` | Sets the GitLab Pages Domain. Defaults to `example.com` | -| `GITLAB_PAGES_DIR` | Sets GitLab Pages directory where all pages will be stored. Defaults to `$GITLAB_SHARED_DIR/pages` | -| `GITLAB_PAGES_PORT`| Sets GitLab Pages Port that will be used in NGINX. Defaults to `80` | -| `GITLAB_PAGES_HTTPS` | Sets GitLab Pages to HTTPS and the gitlab-pages-ssl config will be used. Defaults to `false` | -| `GITLAB_PAGES_ARTIFACTS_SERVER` | Set to `true` to enable pages artifactsserver, enabled by default. | -| `GITLAB_PAGES_EXTERNAL_HTTP` | Sets GitLab Pages external http to receive request on an independen port. 
Disabled by default | -| `GITLAB_PAGES_EXTERNAL_HTTPS` | Sets GitLab Pages external https to receive request on an independen port. Disabled by default | -| `GITLAB_PAGES_ACCESS_CONTROL` | Set to `true` to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership to that project. Disabled by default. | -| `GITLAB_PAGES_NGINX_PROXY` | Disable the nginx proxy for gitlab pages, defaults to `true`. When set to `false` this will turn off the nginx proxy to the gitlab pages daemon, used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup. | -| `GITLAB_PAGES_ACCESS_SECRET` | Secret Hash, minimal 32 characters, if omitted, it will be auto generated. | -| `GITLAB_PAGES_ACCESS_CONTROL_SERVER` | Gitlab instance URI, example: `https://gitlab.example.io` | -| `GITLAB_PAGES_ACCESS_CLIENT_ID` | Client ID from earlier generated OAuth application | -| `GITLAB_PAGES_ACCESS_CLIENT_SECRET` | Client Secret from earlier genereated OAuth application | -| `GITLAB_PAGES_ACCESS_REDIRECT_URI` | Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io/auth` | -| `GITLAB_HTTPS` | Set to `true` to enable https support, disabled by default. | -| `GITALY_CLIENT_PATH` | Set default path for gitaly. defaults to `/home/git/gitaly` | -| `GITALY_TOKEN` | Set a gitaly token, blank by default. | -| `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL` | Time between sampling of unicorn socket metrics, in seconds, defaults to `10` | -| `GITLAB_MONITORING_IP_WHITELIST` | IP whitelist to access monitoring endpoints, defaults to `0.0.0.0/8` | -| `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED` | Set to `true` to enable the sidekiq exporter, enabled by default. 
| -| `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS` | Sidekiq exporter address, defaults to `0.0.0.0` | -| `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT` | Sidekiq exporter port, defaults to `3807` | -| `SSL_SELF_SIGNED` | Set to `true` when using self signed ssl certificates. `false` by default. | -| `SSL_CERTIFICATE_PATH` | Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` | -| `SSL_KEY_PATH` | Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key` | -| `SSL_DHPARAM_PATH` | Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem` | -| `SSL_VERIFY_CLIENT` | Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file or setting this variable to `on`. Defaults to `off` | -| `SSL_CA_CERTIFICATES_PATH` | List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`. | -| `SSL_REGISTRY_KEY_PATH` | Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key` | -| `SSL_REGISTRY_CERT_PATH` | Location of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt` | -| `SSL_PAGES_KEY_PATH` | Location of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key` | -| `SSL_PAGES_CERT_PATH` | Location of the ssl certificate for the gitlab pages. Defaults to `/home/git/data/certs/pages.crt` | -| `SSL_CIPHERS` | List of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` | -| `NGINX_WORKERS` | The number of nginx workers to start. Defaults to `1`. | -| `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE` | Sets the bucket size for the server names hash tables. 
This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`. | -| `NGINX_HSTS_ENABLED` | Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. | -| `NGINX_HSTS_MAXAGE` | Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. | -| `NGINX_PROXY_BUFFERING` | Enable `proxy_buffering`. Defaults to `off`. | -| `NGINX_ACCEL_BUFFERING` | Enable `X-Accel-Buffering` header. Default to `no` | -| `NGINX_X_FORWARDED_PROTO` | Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. | -| `NGINX_REAL_IP_RECURSIVE` | set to `on` if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address. `off` by default. | -| `NGINX_REAL_IP_TRUSTED_ADDRESSES` | You can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No defaults. | -| `REDIS_HOST` | The hostname of the redis server. Defaults to `localhost` | -| `REDIS_PORT` | The connection port of the redis server. Defaults to `6379`. | -| `REDIS_DB_NUMBER` | The redis database number. Defaults to '0'. | -| `PUMA_WORKERS` | The number of puma workers to start. Defaults to `3`. | -| `PUMA_TIMEOUT` | Sets the timeout of puma worker processes. Defaults to `60` seconds. | -| `PUMA_THREADS_MIN` | The number of puma minimum threads. Defaults to `1`. 
| -| `PUMA_THREADS_MAX` | The number of puma maximum threads. Defaults to `16`. | -| `PUMA_PER_WORKER_MAX_MEMORY_MB` | Maximum memory size of per puma worker process. Defaults to `850`. | -| `PUMA_MASTER_MAX_MEMORY_MB` | Maximum memory size of puma master process. Defaults to `550`. | -| `SIDEKIQ_CONCURRENCY` | The number of concurrent sidekiq jobs to run. Defaults to `25` | -| `SIDEKIQ_SHUTDOWN_TIMEOUT` | Timeout for sidekiq shutdown. Defaults to `4` | -| `SIDEKIQ_MEMORY_KILLER_MAX_RSS` | Non-zero value enables the SidekiqMemoryKiller. Defaults to `1000000`. For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html) | -| `GITLAB_SIDEKIQ_LOG_FORMAT` | Sidekiq log format that will be used. Defaults to `json` | -| `DB_ADAPTER` | The database type. Currently only postgresql is supported. Over 12.1 postgres force. Possible values: `postgresql`. Defaults to `postgresql`. | -| `DB_ENCODING` | The database encoding. For `DB_ADAPTER` values `postresql` this parameter defaults and `utf8` respectively. | -| `DB_HOST` | The database server hostname. Defaults to `localhost`. | -| `DB_PORT` | The database server port. Defaults to `5432` for postgresql. | -| `DB_NAME` | The database database name. Defaults to `gitlabhq_production` | -| `DB_USER` | The database database user. Defaults to `root` | -| `DB_PASS` | The database database password. Defaults to no password | -| `DB_POOL` | The database database connection pool count. Defaults to `10`. | -| `DB_PREPARED_STATEMENTS` | Whether use database prepared statements. No defaults. But set to `false` if you want to use with [PgBouncer](https://pgbouncer.github.io/) | -| `SMTP_ENABLED` | Enable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`. | -| `SMTP_DOMAIN` | SMTP domain. Defaults to` www.gmail.com` | -| `SMTP_HOST` | SMTP server host. Defaults to `smtp.gmail.com`. | -| `SMTP_PORT` | SMTP server port. 
Defaults to `587`. |
-| `SMTP_USER` | SMTP username. |
-| `SMTP_PASS` | SMTP password. |
-| `SMTP_STARTTLS` | Enable STARTTLS. Defaults to `true`. |
-| `SMTP_TLS` | Enable SSL/TLS. Defaults to `false`. |
-| `SMTP_OPENSSL_VERIFY_MODE` | SMTP openssl verification mode. Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`. |
-| `SMTP_AUTHENTICATION` | Specify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set. |
-| `SMTP_CA_ENABLED` | Enable custom CA certificates for SMTP email configuration. Defaults to `false`. |
-| `SMTP_CA_PATH` | Specify the `ca_path` parameter for SMTP email configuration. Defaults to `/home/git/data/certs`. |
-| `SMTP_CA_FILE` | Specify the `ca_file` parameter for SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`. |
-| `IMAP_ENABLED` | Enable mail delivery via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`. |
-| `IMAP_HOST` | IMAP server host. Defaults to `imap.gmail.com`. |
-| `IMAP_PORT` | IMAP server port. Defaults to `993`. |
-| `IMAP_USER` | IMAP username. |
-| `IMAP_PASS` | IMAP password. |
-| `IMAP_SSL` | Enable SSL. Defaults to `true`. |
-| `IMAP_STARTTLS` | Enable STARTSSL. Defaults to `false`. |
-| `IMAP_MAILBOX` | The name of the mailbox where incoming mail will end up. Defaults to `inbox`. |
-| `LDAP_ENABLED` | Enable LDAP. Defaults to `false` |
-| `LDAP_LABEL` | Label to show on login tab for LDAP server. Defaults to 'LDAP' |
-| `LDAP_HOST` | LDAP Host |
-| `LDAP_PORT` | LDAP Port. Defaults to `389` |
-| `LDAP_UID` | LDAP UID. Defaults to `sAMAccountName` |
-| `LDAP_METHOD` | LDAP method, Possible values are `simple_tls`, `start_tls` and `plain`. Defaults to `plain` |
-| `LDAP_VERIFY_SSL` | LDAP verify ssl certificate for installations that are using `LDAP_METHOD: 'simple_tls'` or `LDAP_METHOD: 'start_tls'`. Defaults to `true` |
-| `LDAP_CA_FILE` | Specifies the path to a file containing a PEM-format CA certificate.
Defaults to `` |
-| `LDAP_SSL_VERSION` | Specifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. Defaults to `` |
-| `LDAP_BIND_DN` | No default. |
-| `LDAP_PASS` | LDAP password |
-| `LDAP_TIMEOUT` | Timeout, in seconds, for LDAP queries. Defaults to `10`. |
-| `LDAP_ACTIVE_DIRECTORY` | Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. Defaults to `true`, |
-| `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN` | If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`. |
-| `LDAP_BLOCK_AUTO_CREATED_USERS` | Locks down those users until they have been cleared by the admin. Defaults to `false`. |
-| `LDAP_BASE` | Base where we can search for users. No default. |
-| `LDAP_USER_FILTER` | Filter LDAP users. No default. |
-| `LDAP_USER_ATTRIBUTE_USERNAME` | Attribute fields for the identification of a user. Default to `['uid', 'userid', 'sAMAccountName']` |
-| `LDAP_USER_ATTRIBUTE_MAIL` | Attribute fields for the shown mail address. Default to `['mail', 'email', 'userPrincipalName']` |
-| `LDAP_USER_ATTRIBUTE_NAME` | Attribute field for the used username of a user. Default to `cn`. |
-| `LDAP_USER_ATTRIBUTE_FIRSTNAME` | Attribute field for the forename of a user. Default to `givenName` |
-| `LDAP_USER_ATTRIBUTE_LASTNAME` | Attribute field for the surname of a user. Default to `sn` |
-| `LDAP_LOWERCASE_USERNAMES` | GitLab will lower case the username for the LDAP Server. Defaults to `false` |
-| `OAUTH_ENABLED` | Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. |
-| `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` | Automatically sign in with a specific OAuth provider without showing GitLab sign-in page.
Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
-| `OAUTH_ALLOW_SSO` | Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
-| `OAUTH_BLOCK_AUTO_CREATED_USERS` | Locks down those users until they have been cleared by the admin. Defaults to `true`. |
-| `OAUTH_AUTO_LINK_LDAP_USER` | Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. |
-| `OAUTH_AUTO_LINK_SAML_USER` | Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. |
-| `OAUTH_EXTERNAL_PROVIDERS` | Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
-| `OAUTH_CAS3_LABEL` | The "Sign in with" button label. Defaults to "cas3". |
-| `OAUTH_CAS3_SERVER` | CAS3 server URL. No defaults. |
-| `OAUTH_CAS3_DISABLE_SSL_VERIFICATION` | Disable CAS3 SSL verification. Defaults to `false`. |
-| `OAUTH_CAS3_LOGIN_URL` | CAS3 login URL. Defaults to `/cas/login` |
-| `OAUTH_CAS3_VALIDATE_URL` | CAS3 validation URL. Defaults to `/cas/p3/serviceValidate` |
-| `OAUTH_CAS3_LOGOUT_URL` | CAS3 logout URL. Defaults to `/cas/logout` |
-| `OAUTH_GOOGLE_API_KEY` | Google App Client ID. No defaults.
|
-| `OAUTH_GOOGLE_APP_SECRET` | Google App Client Secret. No defaults. |
-| `OAUTH_GOOGLE_RESTRICT_DOMAIN` | List of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults. |
-| `OAUTH_FACEBOOK_API_KEY` | Facebook App API key. No defaults. |
-| `OAUTH_FACEBOOK_APP_SECRET` | Facebook App API secret. No defaults. |
-| `OAUTH_TWITTER_API_KEY` | Twitter App API key. No defaults. |
-| `OAUTH_TWITTER_APP_SECRET` | Twitter App API secret. No defaults. |
-| `OAUTH_AUTHENTIQ_CLIENT_ID` | authentiq Client ID. No defaults. |
-| `OAUTH_AUTHENTIQ_CLIENT_SECRET` | authentiq Client secret. No defaults. |
-| `OAUTH_AUTHENTIQ_SCOPE` | Scope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'`|
-| `OAUTH_AUTHENTIQ_REDIRECT_URI` | Callback URL for Authentiq. No defaults. |
-| `OAUTH_GITHUB_API_KEY` | GitHub App Client ID. No defaults. |
-| `OAUTH_GITHUB_APP_SECRET` | GitHub App Client secret. No defaults. |
-| `OAUTH_GITHUB_URL` | Url to the GitHub Enterprise server. Defaults to https://github.com |
-| `OAUTH_GITHUB_VERIFY_SSL` | Enable SSL verification while communicating with the GitHub server. Defaults to `true`. |
-| `OAUTH_GITLAB_API_KEY` | GitLab App Client ID. No defaults. |
-| `OAUTH_GITLAB_APP_SECRET` | GitLab App Client secret. No defaults. |
-| `OAUTH_BITBUCKET_API_KEY` | BitBucket App Client ID. No defaults. |
-| `OAUTH_BITBUCKET_APP_SECRET` | BitBucket App Client secret. No defaults. |
-| `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL` | The URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`. |
-| `OAUTH_SAML_IDP_CERT_FINGERPRINT` | The SHA1 fingerprint of the certificate. No Defaults. |
-| `OAUTH_SAML_IDP_SSO_TARGET_URL` | The URL to which the authentication request should be sent. No defaults.
|
-| `OAUTH_SAML_ISSUER` | The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`. |
-| `OAUTH_SAML_LABEL` | The "Sign in with" button label. Defaults to "Our SAML Provider". |
-| `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` | Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` |
-| `OAUTH_SAML_GROUPS_ATTRIBUTE` | Map groups attribute in a SAMLResponse to external groups. No defaults. |
-| `OAUTH_SAML_EXTERNAL_GROUPS` | List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL` | Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME` | Map 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME` | Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME` | Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME` | Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.
|
-| `OAUTH_CROWD_SERVER_URL` | Crowd server url. No defaults. |
-| `OAUTH_CROWD_APP_NAME` | Crowd server application name. No defaults. |
-| `OAUTH_CROWD_APP_PASSWORD` | Crowd server application password. No defaults. |
-| `OAUTH_AUTH0_CLIENT_ID` | Auth0 Client ID. No defaults. |
-| `OAUTH_AUTH0_CLIENT_SECRET` | Auth0 Client secret. No defaults. |
-| `OAUTH_AUTH0_DOMAIN` | Auth0 Domain. No defaults. |
-| `OAUTH_AUTH0_SCOPE` | Auth0 Scope. Defaults to `openid profile email`. |
-| `OAUTH_AZURE_API_KEY` | Azure Client ID. No defaults. |
-| `OAUTH_AZURE_API_SECRET` | Azure Client secret. No defaults. |
-| `OAUTH_AZURE_TENANT_ID` | Azure Tenant ID. No defaults. |
-| `OAUTH2_GENERIC_APP_ID` | Your OAuth2 App ID. No defaults. |
-| `OAUTH2_GENERIC_APP_SECRET` | Your OAuth2 App Secret. No defaults. |
-| `OAUTH2_GENERIC_CLIENT_SITE` | The OAuth2 generic client site. No defaults |
-| `OAUTH2_GENERIC_CLIENT_USER_INFO_URL` | The OAuth2 generic client user info url. No defaults |
-| `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL` | The OAuth2 generic client authorize url. No defaults |
-| `OAUTH2_GENERIC_CLIENT_TOKEN_URL` | The OAuth2 generic client token url. No defaults|
-| `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT` | The OAuth2 generic client end session endpoint. No defaults |
-| `OAUTH2_GENERIC_ID_PATH` | The OAuth2 generic id path. No defaults |
-| `OAUTH2_GENERIC_USER_UID` | The OAuth2 generic user id path. No defaults |
-| `OAUTH2_GENERIC_USER_NAME` | The OAuth2 generic user name. No defaults |
-| `OAUTH2_GENERIC_USER_EMAIL` | The OAuth2 generic user email. No defaults |
-| `OAUTH2_GENERIC_NAME` | The name of your OAuth2 provider. No defaults |
-| `GITLAB_GRAVATAR_ENABLED` | Enables gravatar integration. Defaults to `true`. |
-| `GITLAB_GRAVATAR_HTTP_URL` | Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html).
|
-| `GITLAB_GRAVATAR_HTTPS_URL` | Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. |
-| `USERMAP_UID` | Sets the uid for user `git` to the specified uid. Defaults to `1000`. |
-| `USERMAP_GID` | Sets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`. |
-| `GOOGLE_ANALYTICS_ID` | Google Analytics ID. No defaults. |
-| `PIWIK_URL` | Sets the Piwik URL. No defaults. |
-| `PIWIK_SITE_ID` | Sets the Piwik site ID. No defaults. |
-| `AWS_BACKUPS` | Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. |
-| `AWS_BACKUP_REGION` | AWS region. No defaults. |
-| `AWS_BACKUP_ENDPOINT` | AWS endpoint. No defaults. |
-| `AWS_BACKUP_ACCESS_KEY_ID` | AWS access key id. No defaults. |
-| `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. |
-| `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. |
-| `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables mulitpart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) |
-| `AWS_BACKUP_ENCRYPTION` | Turns on AWS Server-Side Encryption. Defaults to `false`. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) |
-| `AWS_BACKUP_STORAGE_CLASS` | Configure the storage class for the item. Defaults to `STANDARD` See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html) |
-| `AWS_BACKUP_SIGNATURE_VERSION` | Configure the storage signature version. Defaults to `4` See at [AWS S3 Docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) |
-| `GCS_BACKUPS` | Enables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`. |
-| `GCS_BACKUP_ACCESS_KEY_ID` | GCS access key id. No defaults |
-| `GCS_BACKUP_SECRET_ACCESS_KEY` | GCS secret access key.
No defaults |
-| `GCS_BACKUP_BUCKET` | GCS bucket for backup uploads. No defaults |
-| `GITLAB_ROBOTS_PATH` | Location of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples. |
-| `RACK_ATTACK_ENABLED` | Enable/disable rack middleware for blocking & throttling abusive requests Defaults to `true`. |
-| `RACK_ATTACK_WHITELIST` | Always allow requests from whitelisted host. Defaults to `127.0.0.1` |
-| `RACK_ATTACK_MAXRETRY` | Number of failed auth attempts before which an IP should be banned. Defaults to `10` |
-| `RACK_ATTACK_FINDTIME` | Number of seconds before resetting the per IP auth attempt counter. Defaults to `60`. |
-| `RACK_ATTACK_BANTIME` | Number of seconds an IP should be banned after too many auth attempts. Defaults to `3600`. |
-| `GITLAB_WORKHORSE_TIMEOUT` | Timeout for gitlab workhorse http proxy. Defaults to `5m0s`. |
-| `SENTRY_ENABLED` | Enables Error Reporting and Logging with Sentry. Defaults to `false`. |
-| `SENTRY_DSN` | Sentry DSN. No defaults. |
-| `SENTRY_CLIENTSIDE_DSN` | Sentry clientside DSN. No defaults. |
-| `SENTRY_ENVIRONMENT` | Sentry environment. Defaults to `production`. |
-
-### Docker secrets and configs
+##### `DEBUG`
-All the above environment variables can be put into a [secrets](https://docs.docker.com/compose/compose-file/#secrets) or [config](https://docs.docker.com/compose/compose-file/#configs) file
-and then both docker-compose and Docker Swarm can import them into your gitlab container.
+Set this to `true` to enable entrypoint debugging.
-On startup, the gitlab container will source env vars from a config file labeled `gitlab-config`, and then a secrets file labeled `gitlab-secrets` (both mounted in the default locations).
+##### `TZ`
-See the example [`contrib/docker-swarm/docker-compose.yml`](./contrib/docker-swarm/docker-compose.yml) file, and the
-example `gitlab.configs` and `gitlab.secrets` file.
-You may as well choose file names other than the example source files (`gitlab.configs` and `gitlab.secrets`) and update
-the `file: ./gitlab.configs` and `file: ./gitlab.secrets` references accordingly. But do not alter the config
-keys [`gitlab-configs`](contrib/docker-swarm/docker-compose.yml#L158) and
-[`gitlab-secrets`](contrib/docker-swarm/docker-compose.yml#L162) as they are currently
-[hardcoded](./assets/runtime/functions#L4:L9) and thus must be kept as in the example.
+Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Amsterdam` See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For configuring the timezone of gitlab see variable `GITLAB_TIMEZONE`.
-If you're not using one of these files, then don't include its entry in the docker-compose file.
+##### `GITLAB_HOST`
-# Maintenance
+The hostname of the GitLab server. Defaults to `localhost`
-## Creating backups
+##### `GITLAB_CI_HOST`
-GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.
+If you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults.
-Before taking a backup make sure the container is stopped and removed to avoid container name conflicts.
+##### `GITLAB_PORT`
-```bash
-docker stop gitlab && docker rm gitlab
-```
+The port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`.
-Execute the rake task to create a backup.
+##### `GITLAB_SECRETS_DB_KEY_BASE`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake gitlab:backup:create
-```
+Encryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults.
-A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter.
+##### `GITLAB_SECRETS_SECRET_KEY_BASE`
-*P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section. However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.*
+Encryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults.
-When using `docker-compose` you may use the following command to execute the backup.
+##### `GITLAB_SECRETS_OTP_KEY_BASE`
-```bash
-docker-compose rm -sf gitlab
-docker-compose run --rm gitlab app:rake gitlab:backup:create
-```
+ Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.
-Afterwards you can bring your Instance back with the following command:
+##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`
-```bash
-docker-compose up -d
-```
+ Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.
-## Restoring Backups
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`
-GitLab also defines a rake task to restore a backup.
+The base key used to encrypt data for non-deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_primary_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_primary_key","second_primary_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.
-Before performing a restore make sure the container is stopped and removed to avoid container name conflicts.
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`
-```bash
-docker stop gitlab && docker rm gitlab
-```
+The base key used to encrypt data for deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_deterministic_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_deterministic_key","second_deterministic_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes!
**If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.
-If this is a fresh database that you're doing the restore on, first
-you need to prepare the database:
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake db:setup
-```
+The salt used to encrypt data for `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_key_derivation_salt` in `config/secrets.yml`. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long. **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.
-Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.
+##### `GITLAB_TIMEZONE`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake gitlab:backup:restore
-```
+Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will affect cron, see variable `TZ`
-The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.
+##### `GITLAB_ROOT_PASSWORD`
-To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the `BACKUP` argument to the rake task.
+The password for the root user on firstrun. Defaults to `5iveL!fe`. GitLab requires this to be at least **8 characters long**.
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6
-```
+##### `GITLAB_ROOT_EMAIL`
-When using `docker-compose` you may use the following command to execute the restore.
+The email for the root user on firstrun. Defaults to `admin@example.com`
-```bash
-docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups
-docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.5.3 # Choose to restore from 1515629493
-```
+##### `GITLAB_EMAIL`
+The email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`.
-## Host Key Backups (ssh)
+##### `GITLAB_EMAIL_DISPLAY_NAME`
-SSH keys are not backed up in the normal gitlab backup process. You
-will need to backup the `ssh/` directory in the data volume by hand
-and you will want to restore it prior to doing a gitlab restore.
+The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`.
-## Automated Backups
+##### `GITLAB_EMAIL_REPLY_TO`
-The image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option.
+The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`.
-Daily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups.
+##### `GITLAB_EMAIL_SUBJECT_SUFFIX`
-By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option.
+The e-mail subject suffix used in e-mails sent by GitLab. No defaults.
-### Amazon Web Services (AWS) Remote Backups
+##### `GITLAB_EMAIL_ENABLED`
-The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.
+Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration.
-More details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage)
+##### `GITLAB_EMAIL_SMIME_ENABLE`
-For remote backup to selfhosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`.
+Enable or disable email S/MIME signing. Defaults is `false`.
-AWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed.
+##### `GITLAB_EMAIL_SMIME_KEY_FILE`
-### Google Cloud Storage (GCS) Remote Backups
+Specifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``.
-The image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add `--env 'GCS_BACKUPS=true'` to the docker run command. In addition `GCS_BACKUP_BUCKET` must be properly configured to point to the desired GCS location.
-Finally a couple of `Interoperable storage access keys` user must be created and their keys exposed through `GCS_BACKUP_ACCESS_KEY_ID` and `GCS_BACKUP_SECRET_ACCESS_KEY`.
+##### `GITLAB_EMAIL_SMIME_CERT_FILE`
-More details about the Cloud storage interoperability properties can found on [cloud.google.com/storage](https://cloud.google.com/storage/docs/interoperability)
+Specifies the path to a S/MIME public certificate key in PEM format. Defaults to ``.
-GCS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed.
+##### `GITLAB_DEFAULT_THEME`
-## Rake Tasks
+Default theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red)
-The `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, if you want to gather information about GitLab and the system it runs on.
+##### `GITLAB_ISSUE_CLOSING_PATTERN`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake gitlab:env:info
-```
+Issue closing pattern regex. See [GitLab's documentation](https://docs.gitlab.com/ee/administration/issue_closing_pattern.html) for more detail. Defaults to ` \b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+) ` .
-You can also use `docker exec` to run raketasks on running gitlab instance. For example,
+##### `GITLAB_INCOMING_EMAIL_ADDRESS`
-```bash
-docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production
-```
+The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter.
-Similarly, to import bare repositories into GitLab project instance
+##### `GITLAB_INCOMING_EMAIL_ENABLED`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake gitlab:import:repos
-```
+Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.
-Or
+##### `GITLAB_SIGNUP_ENABLED`
-```bash
-docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production
-```
+Enable or disable user signups (first run only). Default is `true`.
-For a complete list of available rake tasks please refer https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks or the help section of your gitlab installation.
+##### `GITLAB_IMPERSONATION_ENABLED`
-*P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.*
+Enable or disable impersonation. Defaults to `true`.
-To use the `app:rake` command with `docker-compose` use the following command.
+##### `GITLAB_PROJECTS_LIMIT`
-```bash
-# For stopped instances
-docker-compose run --rm gitlab app:rake gitlab:env:info
-docker-compose run --rm gitlab app:rake gitlab:import:repos
+Set default projects limit. Defaults to `100`.
-# For running instances
-docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production
-docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production
-```
+##### `GITLAB_USERNAME_CHANGE`
-## Import Repositories
+Enable or disable ability for users to change their username. Defaults to `true`.
-Copy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so:
+##### `GITLAB_CREATE_GROUP`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:13.5.3 app:rake gitlab:import:repos
-```
+Enable or disable ability for users to create groups. Defaults to `true`.
-Watch the logs and your repositories should be available into your new gitlab container.
+##### `GITLAB_PROJECTS_ISSUES`
-See [Rake Tasks](#rake-tasks) for more information on executing rake tasks.
-Usage when using `docker-compose` can also be found there.
+Set if *issues* feature should be enabled by default for new projects. Defaults to `true`.
-## Upgrading
+##### `GITLAB_PROJECTS_MERGE_REQUESTS`
-> **Important Notice**
->
-> Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information
->
-> If you're using `sameersbn/postgresql` then please upgrade to `sameersbn/postgresql:11-20200524` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L8).
+Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`.
-GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.
+##### `GITLAB_PROJECTS_WIKI`
-To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.
+Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`.
-> **Note**
->
-> Upgrading to `sameersbn/gitlab:13.5.3` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher.
+##### `GITLAB_PROJECTS_SNIPPETS`
-- **Step 1**: Update the docker image.
+Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`. -```bash -docker pull sameersbn/gitlab:13.5.3 -``` +##### `GITLAB_PROJECTS_BUILDS` -- **Step 2**: Stop and remove the currently running image +Set if *builds* feature should be enabled by default for new projects. Defaults to `true`. -```bash -docker stop gitlab -docker rm gitlab -``` +##### `GITLAB_PROJECTS_CONTAINER_REGISTRY` -- **Step 3**: Create a backup +Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`. -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:x.x.x app:rake gitlab:backup:create -``` +##### `GITLAB_SHELL_CUSTOM_HOOKS_DIR` -Replace `x.x.x` with the version you are upgrading from. For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0` +Global custom hooks directory. Defaults to `/home/git/gitlab-shell/hooks`. -- **Step 4**: Start the image +##### `GITLAB_WEBHOOK_TIMEOUT` -> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image. +Sets the timeout for webhooks. Defaults to `10` seconds. -> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters. +##### `GITLAB_NOTIFY_ON_BROKEN_BUILDS` -```bash -docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:13.5.3 -``` +Enable or disable broken build notification emails. Defaults to `true` -## Shell Access +##### `GITLAB_NOTIFY_PUSHER` -For debugging and maintenance purposes you may want access the containers shell. If you are using docker version `1.3.0` or higher you can access a running containers shell using `docker exec` command. 
+Add pusher to recipients list of broken build notification emails. Defaults to `false` -```bash -docker exec -it gitlab bash -``` +##### `GITLAB_REPOS_DIR` -# Monitoring +The git repositories folder in the container. Defaults to `/home/git/data/repositories` -You can monitor your GitLab instance status as described in the [official documentation](https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html), for example: +##### `GITLAB_BACKUP_DIR` -```bash -curl 'https://gitlab.example.com/-/liveness' -``` +The backup folder in the container. Defaults to `/home/git/data/backups` -On success, the endpoint will return a `200` HTTP status code, and a response like below. +##### `GITLAB_BACKUP_DIR_CHOWN` -```bash -{ - "status": "ok" -} -``` +Optionally change ownership of backup files on start-up. Defaults to `true` -To do that you will need to set the environment variable `GITLAB_MONITORING_IP_WHITELIST` to allow your IP or subnet to make requests to your GitLab instance. +##### `GITLAB_BACKUP_DIR_GROUP` -## Health Check +Optionally group backups into a subfolder. Can also be used to place backups in to a subfolder on remote storage. Not used by default. -You can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com/compose/compose-file/compose-file-v2/#healthcheck) configuration to make periodic checks: +##### `GITLAB_BUILDS_DIR` -```yml -version: '2.3' +The build traces directory. Defaults to `/home/git/data/builds` + +##### `GITLAB_DOWNLOADS_DIR` + +The repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`. + +##### `GITLAB_SHARED_DIR` + +The directory to store the build artifacts. Defaults to `/home/git/data/shared` + +##### `GITLAB_ARTIFACTS_ENABLED` + +Enable/Disable GitLab artifacts support. Defaults to `true`. + +##### `GITLAB_ARTIFACTS_DIR` + +Directory to store the artifacts. 
Defaults to `$GITLAB_SHARED_DIR/artifacts` + +##### `AWS_ACCESS_KEY_ID` + +Default AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_ID` + +##### `AWS_SECRET_ACCESS_KEY` + +Default AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY` + +##### `AWS_REGION` + +AWS Region. Defaults to `us-east-1` + +##### `AWS_HOST` + +Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`. Defaults to `s3.amazon.com` + +##### `AWS_ENDPOINT` + +AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil` + +##### `AWS_PATH_STYLE` + +Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true` + +##### `AWS_SIGNATURE_VERSION` + +AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `4` + +##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +Default Google project to use for Object Store. + +##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +Default Google service account email to use for Object Store. + +##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` + +Default Google key file Defaults to `/gcs/key.json` + +##### `GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` + +Default object store connection provider. Defaults to `AWS` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED` + +Enables Object Store for Artifacts that will be remote stored. Defaults to `false` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY` + +Bucket name to store the artifacts. Defaults to `artifacts` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD` + +Set to true to enable direct upload of Artifacts without the need of local shared storage. Defaults to `false` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD` + +Temporary option to limit automatic upload. 
Defaults to `false` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD` + +Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER` + +Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` + +AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` + +AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION` + +AWS Region. Defaults to `$AWS_REGION` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST` + +Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` + +AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` + +Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION` + +AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` + +Default Google key file. 
Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) + +##### `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON` + +Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'` + +##### `GITLAB_LFS_ENABLED` + +Enable/Disable Git LFS support. Defaults to `true`. + +##### `GITLAB_LFS_OBJECTS_DIR` + +Directory to store the lfs-objects. Defaults to `$GITLAB_SHARED_DIR/lfs-objects` + +##### `GITLAB_LFS_OBJECT_STORE_ENABLED` + +Enables Object Store for LFS that will be remote stored. Defaults to `false` + +##### `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY` + +Bucket name to store the LFS. Defaults to `lfs-object` + +##### `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD` +Temporary option to limit automatic upload. Defaults to `false` + +##### `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD` + +Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER` + +Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` + +AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` + +AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION` + +AWS Region. Defaults to `$AWS_REGION` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST` + +Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` + +AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` + +Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. 
Defaults to `$AWS_PATH_STYLE` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION` + +AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` + +Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) + +##### `GITLAB_PACKAGES_ENABLED` + +Enable/Disable Packages support. Defaults to `true`. + +##### `GITLAB_PACKAGES_DIR` + +Directory to store the packages data. Defaults to `$GITLAB_SHARED_DIR/packages` + +##### `GITLAB_PACKAGES_OBJECT_STORE_ENABLED` + +Enables Object Store for Packages that will be remote stored. Defaults to `false` + +##### `GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY` + +Bucket name to store the packages. Defaults to `packages` + +##### `GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD` + +Set to true to enable direct upload of Packages without the need of local shared storage. Defaults to `false` + +##### `GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD` + +Temporary option to limit automatic upload. Defaults to `false` + +##### `GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD` + +Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER` + +Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` + +AWS Access Key ID for the Bucket. 
Defaults to `$AWS_ACCESS_KEY_ID` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` + +AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION` + +AWS Region. Defaults to `$AWS_REGION` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST` + +Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` + +AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` + +Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` + +Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) + +##### `GITLAB_TERRAFORM_STATE_ENABLED` + +Enable/Disable Terraform State support. Defaults to `true`. + +##### `GITLAB_TERRAFORM_STATE_STORAGE_PATH` + +Directory to store the terraform state data. Defaults to `$GITLAB_SHARED_DIR/terraform_state` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED` + +Enables Object Store for Terraform state that will be remote stored. Defaults to `false` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY` + +Bucket name to store the Terraform state. Defaults to `terraform_state` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER` + +Connection Provider for the Object Store (AWS or Google). Defaults to $GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (i.e. AWS). 
+ +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` + +AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` + +AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION` + +AWS Region. Defaults to `$AWS_REGION` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST` + +Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` + +AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` + +Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` + +Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) + +##### `GITLAB_UPLOADS_STORAGE_PATH` + +The location where uploads objects are stored. Defaults to `$GITLAB_SHARED_DIR/public`. + +##### `GITLAB_UPLOADS_BASE_DIR` + +Mapping for the `GITLAB_UPLOADS_STORAGE_PATH`. Defaults to `uploads/-/system` + +##### `GITLAB_UPLOADS_OBJECT_STORE_ENABLED` + +Enables Object Store for UPLOADS that will be remote stored. Defaults to `false` + +##### `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY` + +Bucket name to store the UPLOADS. 
Defaults to `uploads` + +##### `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD` + +Temporary option to limit automatic upload. Defaults to `false` + +##### `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD` + +Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER` + +Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`) + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` + +AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` + +AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION` + +AWS Region. Defaults to `$AWS_REGION` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST` + +Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT` + +AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE` + +Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL` + +##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` + +Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`) + +##### `GITLAB_MATTERMOST_ENABLED` + +Enable/Disable GitLab Mattermost for *Add Mattermost button*. Defaults to `false`. 
+ +##### `GITLAB_MATTERMOST_URL` + +Sets Mattermost URL. Defaults to `https://mattermost.example.com`. + +##### `GITLAB_BACKUP_SCHEDULE` + +Setup cron job to automatic backups. Possible values `disable`, `daily`, `weekly` or `monthly`. Disabled by default + +##### `GITLAB_BACKUP_EXPIRY` + +Configure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds). + +##### `GITLAB_BACKUP_PG_SCHEMA` + +Specify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524 + +##### `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` + +Sets the permissions of the backup archives. Defaults to `0600`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions) + +##### `GITLAB_BACKUP_TIME` + +Set a time for the automatic backups in `HH:MM` format. Defaults to `04:00`. + +##### `GITLAB_BACKUP_SKIP` + +Specified sections are skipped by the backups. Defaults to empty, i.e. `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system) + +##### `GITLAB_SSH_HOST` + +The ssh host. Defaults to **GITLAB_HOST**. + +##### `GITLAB_SSH_LISTEN_PORT` + +The ssh port for SSHD to listen on. Defaults to `22` + +##### `GITLAB_SSH_MAXSTARTUPS` + +The ssh "MaxStartups" parameter, defaults to `10:30:60`. + +##### `GITLAB_SSH_PORT` + +The ssh port number. Defaults to `$GITLAB_SSH_LISTEN_PORT`. + +##### `GITLAB_RELATIVE_URL_ROOT` + +The relative url of the GitLab server, e.g. `/git`. No default. + +##### `GITLAB_TRUSTED_PROXIES` + +Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults. + +##### `GITLAB_REGISTRY_ENABLED` + +Enables the GitLab Container Registry. Defaults to `false`. 
+ +##### `GITLAB_REGISTRY_HOST` + +Sets the GitLab Registry Host. Defaults to `registry.example.com` + +##### `GITLAB_REGISTRY_PORT` + +Sets the GitLab Registry Port. Defaults to `443`. + +##### `GITLAB_REGISTRY_API_URL` + +Sets the GitLab Registry API URL. Defaults to `http://localhost:5000` + +##### `GITLAB_REGISTRY_KEY_PATH` + +Sets the GitLab Registry Key Path. Defaults to `config/registry.key` + +##### `GITLAB_REGISTRY_DIR` + +Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry` + +##### `GITLAB_REGISTRY_ISSUER` + +Sets the GitLab Registry Issuer. Defaults to `gitlab-issuer`. + +##### `GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES` + +Set to `true` to generate SSL internal Registry keys. Used to communicate between a Docker Registry and GitLab. It will generate a self-signed certificate key at the location given by `$GITLAB_REGISTRY_KEY_PATH`, e.g. `/certs/registry.key`. And will generate the certificate file at the same location, with the same name, but changing the extension from `key` to `crt`, e.g. `/certs/registry.crt` + +##### `GITLAB_PAGES_ENABLED` + +Enables the GitLab Pages. Defaults to `false`. + +##### `GITLAB_PAGES_DOMAIN` + +Sets the GitLab Pages Domain. Defaults to `example.com` + +##### `GITLAB_PAGES_DIR` + +Sets GitLab Pages directory where all pages will be stored. Defaults to `$GITLAB_SHARED_DIR/pages` + +##### `GITLAB_PAGES_PORT` + +Sets GitLab Pages Port that will be used in NGINX. Defaults to `80` + +##### `GITLAB_PAGES_HTTPS` + +Sets GitLab Pages to HTTPS and the gitlab-pages-ssl config will be used. Defaults to `false` + +##### `GITLAB_PAGES_ARTIFACTS_SERVER` + +Set to `true` to enable pages artifacts server, enabled by default. + +##### `GITLAB_PAGES_ARTIFACTS_SERVER_URL` + +If `GITLAB_PAGES_ARTIFACTS_SERVER` is enabled, set to API endpoint for GitLab Pages (e.g. `https://example.com/api/v4`). No default. 
+ +##### `GITLAB_PAGES_EXTERNAL_HTTP` + +Sets GitLab Pages external http to receive request on an independent port. Disabled by default + +##### `GITLAB_PAGES_EXTERNAL_HTTPS` + +Sets GitLab Pages external https to receive request on an independent port. Disabled by default + +##### `GITLAB_PAGES_ACCESS_CONTROL` + +Set to `true` to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership to that project. Disabled by default. + +##### `GITLAB_PAGES_NGINX_PROXY` + +Disable the nginx proxy for gitlab pages, defaults to `true`. When set to `false` this will turn off the nginx proxy to the gitlab pages daemon, used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup. + +##### `GITLAB_PAGES_ACCESS_SECRET` + +Secret Hash, minimal 32 characters, if omitted, it will be auto generated. + +##### `GITLAB_PAGES_ACCESS_CONTROL_SERVER` + +Gitlab instance URI, example: `https://gitlab.example.io` + +##### `GITLAB_PAGES_ACCESS_CLIENT_ID` + +Client ID from earlier generated OAuth application + +##### `GITLAB_PAGES_ACCESS_CLIENT_SECRET` + +Client Secret from earlier generated OAuth application + +##### `GITLAB_PAGES_ACCESS_REDIRECT_URI` + +Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io/auth` + +##### `GITLAB_HTTPS` + +Set to `true` to enable https support, disabled by default. + +##### `GITALY_CLIENT_PATH` + +Set default path for gitaly. defaults to `/home/git/gitaly` + +##### `GITALY_TOKEN` + +Set a gitaly token, blank by default. + +##### `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL` + +Time between sampling of unicorn socket metrics, in seconds, defaults to `10` + +##### `GITLAB_MONITORING_IP_WHITELIST` + +IP whitelist to access monitoring endpoints. No defaults. + +##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED` + +Set to `true` to enable the sidekiq exporter, enabled by default. 
+ +##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS` + +Sidekiq exporter address, defaults to `0.0.0.0` + +##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT` + +Sidekiq exporter port, defaults to `3807` + +##### `GITLAB_CONTENT_SECURITY_POLICY_ENABLED` + +Set to `true` to enable [Content Security Policy](https://guides.rubyonrails.org/security.html#content-security-policy), enabled by default. + +##### `GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY` + +Set to `true` to set `Content-Security-Policy-Report-Only` header, disabled by default + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI` + +The value of the `base-uri` directive in the `Content-Security-Policy` header + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC` + +The value of the `child-src` directive in the `Content-Security-Policy` header + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC` + +The value of the `connect-src` directive in the `Content-Security-Policy` header. Default to `'self' http://localhost:* ws://localhost:* wss://localhost:*` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC` + +The value of the `default-src` directive in the `Content-Security-Policy` header. Default to `'self'` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC` + +The value of the `font-src` directive in the `Content-Security-Policy` header + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION` + +The value of the `form-action` directive in the `Content-Security-Policy` header + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS` + +The value of the `frame-ancestors` directive in the `Content-Security-Policy` header. Default to `'self'` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC` + +The value of the `frame-src` directive in the `Content-Security-Policy` header. 
Default to `'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC` + +The value of the `img-src` directive in the `Content-Security-Policy` header. Default to `* data: blob:` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC` + +The value of the `manifest-src` directive in the `Content-Security-Policy` header + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC` + +The value of the `media-src` directive in the `Content-Security-Policy` header + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC` + +The value of the `object-src` directive in the `Content-Security-Policy` header. Default to `'none'` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC` + +The value of the `script-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC` + +The value of the `style-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-inline'` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC` + +The value of the `worker-src` directive in the `Content-Security-Policy` header. Default to `'self' blob:` + +##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI` + +The value of the `report-uri` directive in the `Content-Security-Policy` header + +##### `GITLAB_FEATURE_FLAGS_DISABLE_TARGETS` + +Comma separated list of feature flag names to be disabled. No whitespace is allowed. +You can see all feature flags in GitLab at corresponding version of documentation: +Feature flags name and its statement will be appear to container log. 
Note that some of the feature flags are implicitly enabled or disabled by GitLab itself, and are not appear to container log. +No defaults. + +##### `GITLAB_FEATURE_FLAGS_ENABLE_TARGETS` + +This parameter is the same as [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_enable_targets), except its purpose is to enable the feature flag. No defaults. + +##### `SSL_SELF_SIGNED` + +Set to `true` when using self-signed ssl certificates. `false` by default. + +##### `SSL_CERTIFICATE_PATH` + +Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` + +##### `SSL_KEY_PATH` + +Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key` + +##### `SSL_DHPARAM_PATH` + +Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem` + +##### `SSL_VERIFY_CLIENT` + +Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file or setting this variable to `on`. Defaults to `off` + +##### `SSL_CA_CERTIFICATES_PATH` + +List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`. + +##### `SSL_REGISTRY_KEY_PATH` + +Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key` + +##### `SSL_REGISTRY_CERT_PATH` + +Location of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt` + +##### `SSL_PAGES_KEY_PATH` + +Location of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key` + +##### `SSL_PAGES_CERT_PATH` + +Location of the ssl certificate for the gitlab pages. 
Defaults to `/home/git/data/certs/pages.crt` + +##### `SSL_CIPHERS` + +List of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` + +##### `SSL_PROTOCOLS` + +List of supported SSL protocols: Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` + +##### `SSL_PAGES_CIPHERS` + +List of supported SSL ciphers for the gitlab pages: Defaults to `SSL_CIPHERS` + +##### `SSL_PAGES_PROTOCOLS` + +List of supported SSL protocols for the gitlab pages: Defaults to `SSL_PROTOCOLS` + +##### `SSL_REGISTRY_CIPHERS` + +List of supported SSL ciphers for gitlab container registry: Defaults to `SSL_CIPHERS` + +##### `SSL_REGISTRY_PROTOCOLS` + +List of supported SSL protocols for gitlab container registry: Defaults to `SSL_PROTOCOLS` + +##### `NGINX_WORKERS` + +The number of nginx workers to start. Defaults to `1`. + +##### `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE` + +Sets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`. + +##### `NGINX_HSTS_ENABLED` + +Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. + +##### `NGINX_HSTS_MAXAGE` + +Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. + +##### `NGINX_PROXY_BUFFERING` + +Enable `proxy_buffering`. Defaults to `off`. 
+ +##### `NGINX_ACCEL_BUFFERING` + +Enable `X-Accel-Buffering` header. Default to `no` + +##### `NGINX_X_FORWARDED_PROTO` + +Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. + +##### `NGINX_REAL_IP_RECURSIVE` + +set to `on` if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address. `off` by default. + +##### `NGINX_REAL_IP_TRUSTED_ADDRESSES` + +You can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No defaults. + +##### `NGINX_CUSTOM_GITLAB_SERVER_CONFIG` + +Advanced configuration option. You can add custom configuration for nginx as you like (e.g. custom location proxy). This is similar to setting `nginx['custom_gitlab_server_config']` to `gitlab.rb` for gitlab-omnibus. No defaults. + +##### `REDIS_HOST` + +The hostname of the redis server. Defaults to `localhost` + +##### `REDIS_PORT` + +The connection port of the redis server. Defaults to `6379`. + +##### `REDIS_DB_NUMBER` + +The redis database number. Defaults to '0'. + +##### `PUMA_WORKERS` + +The number of puma workers to start. Defaults to `3`. + +##### `PUMA_TIMEOUT` + +Sets the timeout of puma worker processes. Defaults to `60` seconds. + +##### `PUMA_THREADS_MIN` + +The number of puma minimum threads. Defaults to `1`. + +##### `PUMA_THREADS_MAX` + +The number of puma maximum threads. Defaults to `16`. + +##### `PUMA_PER_WORKER_MAX_MEMORY_MB` + +Maximum memory size of per puma worker process. Defaults to `1024`. + +##### `PUMA_MASTER_MAX_MEMORY_MB` + +Maximum memory size of puma master process. Defaults to `800`. + +##### `SIDEKIQ_CONCURRENCY` + +The number of concurrent sidekiq jobs to run. Defaults to `25` + +##### `SIDEKIQ_SHUTDOWN_TIMEOUT` + +Timeout for sidekiq shutdown. 
Defaults to `4` + +##### `SIDEKIQ_MEMORY_KILLER_MAX_RSS` + +Non-zero value enables the SidekiqMemoryKiller. Defaults to `2000000`. For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html) + +##### `GITLAB_SIDEKIQ_LOG_FORMAT` + +Sidekiq log format that will be used. Defaults to `json` + +##### `DB_ADAPTER` + +The database type. Currently only postgresql is supported. Possible values: `postgresql`. Defaults to `postgresql`. + +##### `DB_ENCODING` + +The database encoding. For `DB_ADAPTER` values `postgresql` this parameter defaults and `utf8` respectively. + +##### `DB_HOST` + +The database server hostname. Defaults to `localhost`. + +##### `DB_PORT` + +The database server port. Defaults to `5432` for postgresql. + +##### `DB_NAME` + +The database database name. Defaults to `gitlabhq_production` + +##### `DB_USER` + +The database database user. Defaults to `root` + +##### `DB_PASS` + +The database database password. Defaults to no password + +##### `DB_POOL` + +The database database connection pool count. Defaults to `10`. + +##### `DB_PREPARED_STATEMENTS` + +Whether to use database prepared statements. No defaults. But set to `false` if you want to use with [PgBouncer](https://pgbouncer.github.io/) + +##### `SMTP_ENABLED` + +Enable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`. + +##### `SMTP_DOMAIN` + +SMTP domain. Defaults to `www.gmail.com` + +##### `SMTP_HOST` + +SMTP server host. Defaults to `smtp.gmail.com`. + +##### `SMTP_PORT` + +SMTP server port. Defaults to `587`. + +##### `SMTP_USER` + +SMTP username. + +##### `SMTP_PASS` + +SMTP password. + +##### `SMTP_STARTTLS` + +Enable STARTTLS. Defaults to `true`. + +##### `SMTP_TLS` + +Enable SSL/TLS. Defaults to `false`. + +##### `SMTP_OPENSSL_VERIFY_MODE` + +SMTP openssl verification mode. Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`. 
+ +##### `SMTP_AUTHENTICATION` + +Specify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set. + +##### `SMTP_CA_ENABLED` + +Enable custom CA certificates for SMTP email configuration. Defaults to `false`. + +##### `SMTP_CA_PATH` + +Specify the `ca_path` parameter for SMTP email configuration. Defaults to `/home/git/data/certs`. + +##### `SMTP_CA_FILE` + +Specify the `ca_file` parameter for SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`. + +##### `IMAP_ENABLED` + +Enable mail delivery via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`. + +##### `IMAP_HOST` + +IMAP server host. Defaults to `imap.gmail.com`. + +##### `IMAP_PORT` + +IMAP server port. Defaults to `993`. + +##### `IMAP_USER` + +IMAP username. + +##### `IMAP_PASS` + +IMAP password. + +##### `IMAP_SSL` + +Enable SSL. Defaults to `true`. + +##### `IMAP_STARTTLS` + +Enable STARTTLS. Defaults to `false`. + +##### `IMAP_MAILBOX` + +The name of the mailbox where incoming mail will end up. Defaults to `inbox`. + +##### `LDAP_ENABLED` + +Enable LDAP. Defaults to `false` + +##### `LDAP_LABEL` + +Label to show on login tab for LDAP server. Defaults to 'LDAP' + +##### `LDAP_HOST` + +LDAP Host + +##### `LDAP_PORT` + +LDAP Port. Defaults to `389` + +##### `LDAP_UID` + +LDAP UID. Defaults to `sAMAccountName` + +##### `LDAP_METHOD` + +LDAP method, Possible values are `simple_tls`, `start_tls` and `plain`. Defaults to `plain` + +##### `LDAP_VERIFY_SSL` + +LDAP verify ssl certificate for installations that are using `LDAP_METHOD: 'simple_tls'` or `LDAP_METHOD: 'start_tls'`. Defaults to `true` + +##### `LDAP_CA_FILE` + +Specifies the path to a file containing a PEM-format CA certificate. Defaults to `` + +##### `LDAP_SSL_VERSION` + +Specifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. Defaults to `` + +##### `LDAP_BIND_DN` + +No default. 
+ +##### `LDAP_PASS` + +LDAP password + +##### `LDAP_TIMEOUT` + +Timeout, in seconds, for LDAP queries. Defaults to `10`. + +##### `LDAP_ACTIVE_DIRECTORY` + +Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. Defaults to `true`, + +##### `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN` + +If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`. + +##### `LDAP_BLOCK_AUTO_CREATED_USERS` + +Locks down those users until they have been cleared by the admin. Defaults to `false`. + +##### `LDAP_BASE` + +Base where we can search for users. No default. + +##### `LDAP_USER_FILTER` + +Filter LDAP users. No default. + +##### `LDAP_USER_ATTRIBUTE_USERNAME` + +Attribute fields for the identification of a user. Default to `['uid', 'userid', 'sAMAccountName']` + +##### `LDAP_USER_ATTRIBUTE_MAIL` + +Attribute fields for the shown mail address. Default to `['mail', 'email', 'userPrincipalName']` + +##### `LDAP_USER_ATTRIBUTE_NAME` + +Attribute field for the used username of a user. Defaults to `cn`. + +##### `LDAP_USER_ATTRIBUTE_FIRSTNAME` + +Attribute field for the forename of a user. Default to `givenName` + +##### `LDAP_USER_ATTRIBUTE_LASTNAME` + + Attribute field for the surname of a user. Default to `sn` + +##### `LDAP_LOWERCASE_USERNAMES` + +GitLab will lower case the username for the LDAP Server. Defaults to `false` + +##### `LDAP_PREVENT_LDAP_SIGN_IN` + +Set to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to `false` + +##### `OAUTH_ENABLED` + +Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. + +##### `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` + +Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. 
Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. + +##### `OAUTH_ALLOW_SSO` + +Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. + +##### `OAUTH_BLOCK_AUTO_CREATED_USERS` + +Locks down those users until they have been cleared by the admin. Defaults to `true`. + +##### `OAUTH_AUTO_LINK_LDAP_USER` + +Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. + +##### `OAUTH_AUTO_LINK_SAML_USER` + +Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. + +##### `OAUTH_AUTO_LINK_USER` + +Allow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to `[]`. + +##### `OAUTH_EXTERNAL_PROVIDERS` + +Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. + +##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR` + +Specify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `["twitter", "google_oauth2"]`. Setting this to `true` or `false` applies to all - allow all or none. 
Defaults to `false`. + +##### `OAUTH_CAS3_LABEL` + +The "Sign in with" button label. Defaults to "cas3". + +##### `OAUTH_CAS3_SERVER` + +CAS3 server URL. No defaults. + +##### `OAUTH_CAS3_DISABLE_SSL_VERIFICATION` + +Disable CAS3 SSL verification. Defaults to `false`. + +##### `OAUTH_CAS3_LOGIN_URL` + +CAS3 login URL. Defaults to `/cas/login` + +##### `OAUTH_CAS3_VALIDATE_URL` + +CAS3 validation URL. Defaults to `/cas/p3/serviceValidate` + +##### `OAUTH_CAS3_LOGOUT_URL` + +CAS3 logout URL. Defaults to `/cas/logout` + +##### `OAUTH_GOOGLE_API_KEY` + +Google App Client ID. No defaults. + +##### `OAUTH_GOOGLE_APP_SECRET` + +Google App Client Secret. No defaults. + +##### `OAUTH_GOOGLE_RESTRICT_DOMAIN` + +List of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults. + +##### `OAUTH_FACEBOOK_API_KEY` + +Facebook App API key. No defaults. + +##### `OAUTH_FACEBOOK_APP_SECRET` + +Facebook App API secret. No defaults. + +##### `OAUTH_TWITTER_API_KEY` + +Twitter App API key. No defaults. + +##### `OAUTH_TWITTER_APP_SECRET` + +Twitter App API secret. No defaults. + +##### `OAUTH_AUTHENTIQ_CLIENT_ID` + +authentiq Client ID. No defaults. + +##### `OAUTH_AUTHENTIQ_CLIENT_SECRET` + +authentiq Client secret. No defaults. + +##### `OAUTH_AUTHENTIQ_SCOPE` + +Scope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'` + +##### `OAUTH_AUTHENTIQ_REDIRECT_URI` + + Callback URL for Authentiq. No defaults. + +##### `OAUTH_GITHUB_API_KEY` + +GitHub App Client ID. No defaults. + +##### `OAUTH_GITHUB_APP_SECRET` + +GitHub App Client secret. No defaults. + +##### `OAUTH_GITHUB_URL` + +Url to the GitHub Enterprise server. Defaults to `https://github.com` + +##### `OAUTH_GITHUB_VERIFY_SSL` + +Enable SSL verification while communicating with the GitHub server. Defaults to `true`. + +##### `OAUTH_GITLAB_API_KEY` + +GitLab App Client ID. No defaults. 
+ +##### `OAUTH_GITLAB_APP_SECRET` + +GitLab App Client secret. No defaults. + +##### `OAUTH_BITBUCKET_API_KEY` + +BitBucket App Client ID. No defaults. + +##### `OAUTH_BITBUCKET_APP_SECRET` + +BitBucket App Client secret. No defaults. + +##### `OAUTH_BITBUCKET_URL` + +Bitbucket URL. Defaults: `https://bitbucket.org/` + +##### `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL` + +The URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`. + +##### `OAUTH_SAML_IDP_CERT_FINGERPRINT` + +The SHA1 fingerprint of the certificate. No Defaults. + +##### `OAUTH_SAML_IDP_SSO_TARGET_URL` + +The URL to which the authentication request should be sent. No defaults. + +##### `OAUTH_SAML_ISSUER` + +The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`. + +##### `OAUTH_SAML_LABEL` + +The "Sign in with" button label. Defaults to "Our SAML Provider". + +##### `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` + +Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` + +##### `OAUTH_SAML_GROUPS_ATTRIBUTE` + +Map groups attribute in a SAMLResponse to external groups. No defaults. + +##### `OAUTH_SAML_EXTERNAL_GROUPS` + +List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL` + +Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME` + +Map 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. 
See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME` + +Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME` + +Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME` + +Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_CROWD_SERVER_URL` + +Crowd server url. No defaults. + +##### `OAUTH_CROWD_APP_NAME` + +Crowd server application name. No defaults. + +##### `OAUTH_CROWD_APP_PASSWORD` + +Crowd server application password. No defaults. + +##### `OAUTH_AUTH0_CLIENT_ID` + +Auth0 Client ID. No defaults. + +##### `OAUTH_AUTH0_CLIENT_SECRET` + +Auth0 Client secret. No defaults. + +##### `OAUTH_AUTH0_DOMAIN` + +Auth0 Domain. No defaults. + +##### `OAUTH_AUTH0_SCOPE` + +Auth0 Scope. Defaults to `openid profile email`. + +##### `OAUTH_AZURE_API_KEY` + +Azure Client ID. No defaults. + +##### `OAUTH_AZURE_API_SECRET` + +Azure Client secret. No defaults. + +##### `OAUTH_AZURE_TENANT_ID` + +Azure Tenant ID. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID` + +Client ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` + +Client secret for oauth provider `azure_activedirectory_v2`. 
If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` + +Tenant ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL` + +Optional label for login button for `azure_activedirectory_v2`. Defaults to `Azure AD v2` + +##### `OAUTH2_GENERIC_APP_ID` + +Your OAuth2 App ID. No defaults. + +##### `OAUTH2_GENERIC_APP_SECRET` + +Your OAuth2 App Secret. No defaults. + +##### `OAUTH2_GENERIC_CLIENT_SITE` + +The OAuth2 generic client site. No defaults + +##### `OAUTH2_GENERIC_CLIENT_USER_INFO_URL` + +The OAuth2 generic client user info url. No defaults + +##### `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL` + +The OAuth2 generic client authorize url. No defaults + +##### `OAUTH2_GENERIC_CLIENT_TOKEN_URL` + +The OAuth2 generic client token url. No defaults + +##### `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT` + +The OAuth2 generic client end session endpoint. No defaults + +##### `OAUTH2_GENERIC_ID_PATH` + +The OAuth2 generic id path. No defaults + +##### `OAUTH2_GENERIC_USER_UID` + +The OAuth2 generic user id path. No defaults + +##### `OAUTH2_GENERIC_USER_NAME` + +The OAuth2 generic user name. No defaults + +##### `OAUTH2_GENERIC_USER_EMAIL` + +The OAuth2 generic user email. No defaults + +##### `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE` + +The scope of your OAuth2 provider. No defaults + +##### `OAUTH2_GENERIC_LABEL` + +The label of your OAuth2 provider. No defaults + +##### `OAUTH2_GENERIC_NAME` + +The name of your OAuth2 provider. No defaults + +##### `GITLAB_GRAVATAR_ENABLED` + +Enables gravatar integration. Defaults to `true`. + +##### `GITLAB_GRAVATAR_HTTP_URL` + +Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. 
This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html). + +##### `GITLAB_GRAVATAR_HTTPS_URL` + +Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. + +##### `USERMAP_UID` + +Sets the uid for user `git` to the specified uid. Defaults to `1000`. + +##### `USERMAP_GID` + +Sets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`. + +##### `GOOGLE_ANALYTICS_ID` + +Google Analytics ID. No defaults. + +##### `PIWIK_URL` + +Sets the Piwik URL. No defaults. + +##### `PIWIK_SITE_ID` + +Sets the Piwik site ID. No defaults. + +##### `AWS_BACKUPS` + +Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. + +##### `AWS_BACKUP_REGION` + +AWS region. No defaults. + +##### `AWS_BACKUP_ENDPOINT` + +AWS endpoint. No defaults. + +##### `AWS_BACKUP_ACCESS_KEY_ID` + +AWS access key id. No defaults. + +##### `AWS_BACKUP_SECRET_ACCESS_KEY` + +AWS secret access key. No defaults. + +##### `AWS_BACKUP_BUCKET` + +AWS bucket for backup uploads. No defaults. + +##### `AWS_BACKUP_MULTIPART_CHUNK_SIZE` + +Enables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) + +##### `AWS_BACKUP_ENCRYPTION` + +Turns on AWS Server-Side Encryption. Defaults to `false`. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) + +##### `AWS_BACKUP_STORAGE_CLASS` + +Configure the storage class for the item. Defaults to `STANDARD` See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html) + +##### `AWS_BACKUP_SIGNATURE_VERSION` + +Configure the storage signature version. 
Defaults to `4` See at [AWS S3 Docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) + +##### `GCS_BACKUPS` + +Enables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`. + +##### `GCS_BACKUP_ACCESS_KEY_ID` + +GCS access key id. No defaults + +##### `GCS_BACKUP_SECRET_ACCESS_KEY` + +GCS secret access key. No defaults + +##### `GCS_BACKUP_BUCKET` + +GCS bucket for backup uploads. No defaults + +##### `GITLAB_ROBOTS_PATH` + +Location of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples. + +##### `RACK_ATTACK_ENABLED` + +Enable/disable rack middleware for blocking & throttling abusive requests Defaults to `true`. + +##### `RACK_ATTACK_WHITELIST` + +Always allow requests from whitelisted host. +This should be a valid yaml sequence of host address. Each host address string must be a valid IP address that can be passed to `IPAddr.new` of ruby. See [ruby-lang reference](https://docs.ruby-lang.org/en/3.0/IPAddr.html#method-c-new) for detail. +If you need to set multiple hosts, set this parameter like `["1.1.1.1","192.168.0.0/24"]` for example. + +````yaml +environment: +# pattern 1: `- key=value` style : you can specify array of hosts as is +- RACK_ATTACK_WHITELIST=["1.1.1.1","192.168.0.0/24"] +# pattern 2: `key: value` style : you must surround with quote, as the value of environment variable must not be an array + RACK_ATTACK_WHITELIST: "['1.1.1.1','192.168.0.0/24']" +```` + +Defaults to `["127.0.0.1"]` + +##### `RACK_ATTACK_MAXRETRY` + +Number of failed auth attempts before which an IP should be banned. Defaults to `10` + +##### `RACK_ATTACK_FINDTIME` + +Number of seconds before resetting the per IP auth attempt counter. Defaults to `60`. + +##### `RACK_ATTACK_BANTIME` + +Number of seconds an IP should be banned after too many auth attempts. Defaults to `3600`. 
+ +##### `GITLAB_WORKHORSE_TIMEOUT` + +Timeout for gitlab workhorse http proxy. Defaults to `5m0s`. + +##### `SENTRY_ENABLED` + +Enables Error Reporting and Logging with Sentry. Defaults to `false`. + +##### `SENTRY_DSN` + +Sentry DSN. No defaults. + +##### `SENTRY_CLIENTSIDE_DSN` + +Sentry client side DSN. No defaults. + +##### `SENTRY_ENVIRONMENT` + +Sentry environment. Defaults to `production`. + +#### Docker secrets and configs + +All the above environment variables can be put into a [secrets](https://docs.docker.com/compose/compose-file/#secrets) or [config](https://docs.docker.com/compose/compose-file/#configs) file +and then both docker-compose and Docker Swarm can import them into your gitlab container. + +On startup, the gitlab container will source env vars from a config file labeled `gitlab-config`, and then a secrets file labeled `gitlab-secrets` (both mounted in the default locations). + +See the example [`contrib/docker-swarm/docker-compose.yml`](./contrib/docker-swarm/docker-compose.yml) file, and the +example `gitlab.configs` and `gitlab.secrets` file. +You may as well choose file names other than the example source files (`gitlab.configs` and `gitlab.secrets`) and update +the `file: ./gitlab.configs` and `file: ./gitlab.secrets` references accordingly. But do not alter the config +keys [`gitlab-configs`](contrib/docker-swarm/docker-compose.yml#L158) and +[`gitlab-secrets`](contrib/docker-swarm/docker-compose.yml#L162) as they are currently +[hardcoded](./assets/runtime/functions#L4:L9) and thus must be kept as in the example. + +If you're not using one of these files, then don't include its entry in the docker-compose file. + +## Maintenance + +### Creating backups + +GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database. + +Before taking a backup make sure the container is stopped and removed to avoid container name conflicts. 
+ +```bash +docker stop gitlab && docker rm gitlab +``` + +Execute the rake task to create a backup. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:create +``` + +A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter. + +*P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section. However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.* + +When using `docker-compose` you may use the following command to execute the backup. + +```bash +docker-compose rm -sf gitlab +docker-compose run --rm gitlab app:rake gitlab:backup:create +``` + +Afterwards you can bring your Instance back with the following command: + +```bash +docker-compose up -d +``` + +### Restoring Backups + +GitLab also defines a rake task to restore a backup. + +Before performing a restore make sure the container is stopped and removed to avoid container name conflicts. + +```bash +docker stop gitlab && docker rm gitlab +``` + +If this is a fresh database that you're doing the restore on, first +you need to prepare the database: + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake db:setup +``` + +Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore +``` + +The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. + +To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the `BACKUP` argument to the rake task. 
+ +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6 +``` + +When using `docker-compose` you may use the following command to execute the restore. + +```bash +docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups +docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0 # Choose to restore from 1515629493 +``` + +### Host Key Backups (ssh) + +SSH keys are not backed up in the normal gitlab backup process. You +will need to backup the `ssh/` directory in the data volume by hand +and you will want to restore it prior to doing a gitlab restore. + +### Automated Backups + +The image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option. + +Daily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups. + +By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option. + +#### Amazon Web Services (AWS) Remote Backups + +The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`. 
+ +More details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage) + +For remote backup to self-hosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`. + +AWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. + +#### Google Cloud Storage (GCS) Remote Backups + +The image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add `--env 'GCS_BACKUPS=true'` to the docker run command. In addition `GCS_BACKUP_BUCKET` must be properly configured to point to the desired GCS location. +Finally a couple of `Interoperable storage access keys` user must be created and their keys exposed through `GCS_BACKUP_ACCESS_KEY_ID` and `GCS_BACKUP_SECRET_ACCESS_KEY`. + +More details about the Cloud storage interoperability properties can found on [cloud.google.com/storage](https://cloud.google.com/storage/docs/interoperability) + +GCS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. + +### Rake Tasks + +The `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, if you want to gather information about GitLab and the system it runs on. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:env:info +``` + +You can also use `docker exec` to run rake tasks on running gitlab instance. 
For example, + +```bash +docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production +``` + +Similarly, to import bare repositories into GitLab project instance + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:import:repos +``` + +Or + +```bash +docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production +``` + +For a complete list of available rake tasks please refer or the help section of your gitlab installation. + +*P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.* + +To use the `app:rake` command with `docker-compose` use the following command. + +```bash +## For stopped instances +docker-compose run --rm gitlab app:rake gitlab:env:info +docker-compose run --rm gitlab app:rake gitlab:import:repos + +## For running instances +docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production +docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production +``` + +### Import Repositories + +Copy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so: + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:import:repos +``` + +Watch the logs and your repositories should be available into your new gitlab container. + +See [Rake Tasks](#rake-tasks) for more information on executing rake tasks. +Usage when using `docker-compose` can also be found there. + +### Upgrading + +> **Important Notice** +> +> Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. 
Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information +> +> If you're using `sameersbn/postgresql` then please upgrade to `kkimurak/sameersbn-postgresql:16` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: ). +> +> Please keep in mind that: +> +> - As of version 13.7.0, the required PostgreSQL version is 12.x. +> - As of version 16.0.0, the required PostgreSQL version is 13.x. +> - As of version 17.0.0, the required PostgreSQL version is 14.x. +> - As of version 18.0.0, the required PostgreSQL version is 16.x. +> +> If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql). + +GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down. + +To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure. + +> **Note** +> +> Upgrading to `sameersbn/gitlab:18.5.1` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher. + +- **Step 1**: Update the docker image. + +```bash +docker pull sameersbn/gitlab:18.5.1 +``` + +- **Step 2**: Stop and remove the currently running image + +```bash +docker stop gitlab +docker rm gitlab +``` + +- **Step 3**: Create a backup + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:x.x.x app:rake gitlab:backup:create +``` + +Replace `x.x.x` with the version you are upgrading from. 
For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0` + +- **Step 4**: Start the image + +> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image. + +> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters. + +> **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image. If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`. + +> **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters, **but you will lose the settings when you shutting down the container without taking a backup of `secrets.yml` and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.** + +```bash +docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.5.1 +``` + +### Shell Access + +For debugging and maintenance purposes you may want access the containers shell. If you are using docker version `1.3.0` or higher you can access a running containers shell using `docker exec` command. 
+ +```bash +docker exec -it gitlab bash +``` + +## Monitoring + +You can monitor your GitLab instance status as described in the [official documentation](https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html), for example: + +```bash +curl 'https://gitlab.example.com/-/liveness' +``` + +On success, the endpoint will return a `200` HTTP status code, and a response like below. + +```bash +{ + "status": "ok" +} +``` + +To do that you will need to set the environment variable `GITLAB_MONITORING_IP_WHITELIST` to allow your IP or subnet to make requests to your GitLab instance. + +### Health Check + +You can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com/compose/compose-file/compose-file-v2/#healthcheck) configuration to make periodic checks: + +```yml services: gitlab: - image: sameersbn/gitlab:13.5.3 + image: sameersbn/gitlab:18.5.1 healthcheck: test: ["CMD", "/usr/local/sbin/healthcheck"] interval: 1m @@ -1373,18 +2867,18 @@ services: start_period: 2m ``` -Then you will be able to consult the healthcheck log by executing: +Then you will be able to consult the health check log by executing: ```bash docker inspect --format "{{json .State.Health }}" $(docker-compose ps -q gitlab) | jq ``` -# References +## References -* https://github.com/gitlabhq/gitlabhq -* https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md -* http://wiki.nginx.org/HttpSslModule -* https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html -* https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl -* https://github.com/jpetazzo/nsenter -* https://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/ +- +- +- +- +- +- +- diff --git a/VERSION b/VERSION index 6d883115a..82f73fb75 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -13.5.3 +18.5.1 
diff --git a/assets/build/config/database.yml.postgresql b/assets/build/config/database.yml.postgresql new file mode 100644 index 000000000..198db0000 --- /dev/null +++ b/assets/build/config/database.yml.postgresql 
@@ -0,0 +1,144 @@ +# HINT: This file is identical to the corresponding configuration file from the +# upstream repository, where the additional defined entries for `geo` had to be +# removed. Otherwise, it is not possible to build the image, since the build +# will fail with the error message: +# +# > rake aborted! +# > ERROR: This installation of GitLab uses unsupported database names in 'config/database.yml': geo. The only supported ones are main, ci. +# +# This adjustment is hopefully only a temporary workaround (see +# ). + +# +# PRODUCTION +# +production: + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_production + username: git + password: "secure password" + host: localhost + # load_balancing: + # hosts: + # - host1.example.com + # - host2.example.com + # discover: + # nameserver: 1.2.3.4 + # port: 8600 + # record: secondary.postgresql.service.consul + # interval: 300 + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_production + database_tasks: false + username: git + password: "secure password" + host: localhost +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_production +# username: git +# password: "secure password" +# host: localhost + +# +# Development specific +# +development: + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_development + username: postgres + password: "secure password" + host: localhost + variables: + statement_timeout: 15s + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_development + database_tasks: false + username: postgres + password: "secure password" + host: localhost + variables: + statement_timeout: 15s +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_development +# username: postgres +# password: "secure password" +# host: localhost + +# +# Staging specific +# +staging: + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_staging + username: git + password: "secure 
password" + host: localhost + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_staging + database_tasks: false + username: git + password: "secure password" + host: localhost +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_staging +# username: git +# password: "secure password" +# host: localhost + +# Warning: The database defined as "test" will be erased and +# re-generated from your development database when you run "rake". +# Do not set this db to the same as development or production. +test: &test + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_test + username: postgres + password: + host: localhost + prepared_statements: false + variables: + statement_timeout: 15s + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_test + database_tasks: false + username: postgres + password: + host: localhost + prepared_statements: false + variables: + statement_timeout: 15s +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_test +# username: postgres +# password: +# host: localhost +# embedding: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_embedding_test +# username: postgres +# password: +# host: localhost diff --git a/assets/build/install.sh b/assets/build/install.sh index a29dfd437..817fd61cf 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh 
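Review bot: The `password: "secure password"` placeholders in this new database.yml.postgresql end up inside the image, because install.sh copies the file to `config/database.yml` before `assets:compile`; that step runs with `USE_DB=false` and never connects, so the placeholders could be left empty (as the `test` stanza already does) to make it obvious they are not credentials anything should ever use. The header says the file is identical to upstream minus `geo`, but it records no GitLab version, so nobody can tell when upstream's copy has drifted — add a line such as `# copied from gitlab-foss v18.5.1 config/database.yml.postgresql` next to the `HINT`. The reference after `see` in the header is empty in this rendering; if the tracking URL was lost, restore it so the "temporary workaround" has something to be checked against.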
@@ -3,14 +3,15 @@ set -e GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 -GITLAB_WORKHORSE_URL=https://gitlab.com/gitlab-org/gitlab-workhorse.git GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git -GITLAB_WORKHORSE_BUILD_DIR=/tmp/gitlab-workhorse +GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages GITLAB_GITALY_BUILD_DIR=/tmp/gitaly +RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz + GEM_CACHE_DIR="${GITLAB_BUILD_DIR}/cache" GOROOT=/tmp/go @@ -18,12 +19,15 @@ PATH=${GOROOT}/bin:$PATH export GOROOT PATH -BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake paxctl \ - libc6-dev ruby${RUBY_VERSION}-dev \ - libpq-dev zlib1g-dev libyaml-dev libssl-dev \ +# TODO Verify, if this is necessary or not. +# BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake paxctl \ +BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake \ + libc6-dev \ + libpq-dev zlib1g-dev libssl-dev \ libgdbm-dev libreadline-dev libncurses5-dev libffi-dev \ libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev \ - gettext libkrb5-dev" + gettext libkrb5-dev \ + libexpat1-dev libz-dev libpcre2-dev build-essential git" ## Execute a command as GITLAB_USER exec_as_git() { 
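Review bot: The new `BUILD_DEPENDENCIES` list sits under a `# TODO Verify, if this is necessary or not.` comment whose subject is the commented-out old line with `paxctl`, and at the same time appends `build-essential`, which already pulls in `gcc`, `g++` and `make`, so the first three entries are redundant. Either resolve the TODO now (the paxctl calls further down are commented out as well) or make it a pointer, e.g. `# paxctl is no longer installed; PaX marking is disabled, see the commented block below`. `RUBY_SRC_URL` also relies on `RUBY_VERSION` carrying a patch component for `${RUBY_VERSION%.*}` to yield the right directory (`3.2.5` -> `3.2`); a bare `3.2` would produce `3` and a 404, which deserves a one-line comment beside the variable.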
@@ -38,19 +42,41 @@ exec_as_git() { apt-get update DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ${BUILD_DEPENDENCIES} -# PaX-mark ruby -# Applying the mark late here does make the build usable on PaX kernels, but -# still the build itself must be executed on a non-PaX kernel. It's done here -# only for simplicity. -paxctl -cvm "$(command -v ruby${RUBY_VERSION})" -# https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js -paxctl -cvm "$(command -v nodejs)" +# build ruby from source +echo "Building ruby v${RUBY_VERSION} from source..." +PWD_ORG="$PWD" +mkdir /tmp/ruby && cd /tmp/ruby +curl --remote-name -Ss "${RUBY_SRC_URL}" +printf '%s ruby-%s.tar.gz' "${RUBY_SOURCE_SHA256SUM}" "${RUBY_VERSION}" | sha256sum -c - +tar xzf ruby-"${RUBY_VERSION}".tar.gz && cd ruby-"${RUBY_VERSION}" +find "${GITLAB_BUILD_DIR}/patches/ruby" -name "*.patch" | while read -r patch_file; do + echo "Applying patch ${patch_file}" + patch -p1 -i "${patch_file}" +done +./configure --disable-install-rdoc --enable-shared +make -j"$(nproc)" +make install +cd "$PWD_ORG" && rm -rf /tmp/ruby + +# upgrade rubygems on demand +gem update --no-document --system "${RUBYGEMS_VERSION}" + +# TODO Verify, if this is necessary or not. +# # PaX-mark ruby +# # Applying the mark late here does make the build usable on PaX kernels, but +# # still the build itself must be executed on a non-PaX kernel. It's done here +# # only for simplicity. 
+# paxctl -cvm "$(command -v ruby)" +# # https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js +# paxctl -cvm "$(command -v node)" # remove the host keys generated during openssh-server installation rm -rf /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub # add ${GITLAB_USER} user -adduser --disabled-login --gecos 'GitLab' ${GITLAB_USER} +deluser --remove-home ubuntu +addgroup --gid 1000 git +adduser --uid 1000 --gid 1000 --disabled-password --gecos 'GitLab' ${GITLAB_USER} passwd -d ${GITLAB_USER} # set PATH (fixes cron job PATH issues) 
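Review bot: The user setup hardcodes the group name in `addgroup --gid 1000 git` while the account is created as `${GITLAB_USER}`, and `deluser --remove-home ubuntu` aborts the build under `set -e` on any base image without an `ubuntu` account; suggest `addgroup --gid 1000 ${GITLAB_USER}` and `if id ubuntu >/dev/null 2>&1; then deluser --remove-home ubuntu; fi`. With `--disabled-password` the account already gets a `*` password field, which permits key-based SSH logins but no password login, so the unchanged `passwd -d ${GITLAB_USER}` that follows now only empties the password field (passwordless `su`/`login` from inside the container); unless the entrypoint depends on that, drop it, or comment why it is kept. The Ruby tarball is pinned with `sha256sum -c`, which is good; the `gem update --system "${RUBYGEMS_VERSION}"` right after it is pinned by version only, and a comment saying so would set expectations for anyone auditing the build inputs.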
@@ -63,23 +89,28 @@ exec_as_git git config --global core.autocrlf input exec_as_git git config --global gc.auto 0 exec_as_git git config --global repack.writeBitmaps true exec_as_git git config --global receive.advertisePushOptions true +exec_as_git git config --global advice.detachedHead false +exec_as_git git config --global --add safe.directory /home/git/gitlab # shallow clone gitlab-foss echo "Cloning gitlab-foss v.${GITLAB_VERSION}..." exec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${GITLAB_INSTALL_DIR} -if [[ -d "${GITLAB_BUILD_DIR}/patches" ]]; then -echo "Applying patches for gitlab-foss..." -exec_as_git git -C ${GITLAB_INSTALL_DIR} apply --ignore-whitespace < ${GITLAB_BUILD_DIR}/patches/*.patch -fi +find "${GITLAB_BUILD_DIR}/patches/gitlabhq" -name "*.patch" | while read -r patch_file; do + printf "Applying patch %s for gitlab-foss...\n" "${patch_file}" + exec_as_git git -C ${GITLAB_INSTALL_DIR} apply --ignore-whitespace < "${patch_file}" +done GITLAB_SHELL_VERSION=${GITLAB_SHELL_VERSION:-$(cat ${GITLAB_INSTALL_DIR}/GITLAB_SHELL_VERSION)} -GITLAB_WORKHORSE_VERSION=${GITLAB_WORKHOUSE_VERSION:-$(cat ${GITLAB_INSTALL_DIR}/GITLAB_WORKHORSE_VERSION)} GITLAB_PAGES_VERSION=${GITLAB_PAGES_VERSION:-$(cat ${GITLAB_INSTALL_DIR}/GITLAB_PAGES_VERSION)} +# install bundler: use version specified in Gemfile.lock +BUNDLER_VERSION="$(grep "BUNDLED WITH" ${GITLAB_INSTALL_DIR}/Gemfile.lock -A 1 | grep -v "BUNDLED WITH" | tr -d "[:space:]")" +gem install bundler:"${BUNDLER_VERSION}" + # download golang echo "Downloading Go ${GOLANG_VERSION}..." -wget -cnv https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/ +wget -cnv https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/ tar -xf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz -C /tmp/ # install gitlab-shell 
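Review bot: The Go toolchain download (`wget -cnv https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz`) is the one build input in this script with no integrity check, while the Ruby tarball a few lines earlier is verified with `sha256sum -c`; gitlab-shell, workhorse, gitaly and pages are all compiled with this toolchain, so it deserves the same treatment. Go publishes the per-release checksum alongside the tarball, so add a `GOLANG_SHA256SUM` build argument and verify before extracting: `printf '%s go%s.linux-amd64.tar.gz' "${GOLANG_SHA256SUM}" "${GOLANG_VERSION}" | (cd "${GITLAB_BUILD_DIR}" && sha256sum -c -)`. The new `safe.directory /home/git/gitlab` entry spells the path out while the clone line right below uses `${GITLAB_INSTALL_DIR}`; keep them in sync. `BUNDLER_VERSION` comes out empty when `Gemfile.lock` has no `BUNDLED WITH` stanza and `gem install bundler:` then fails with an unhelpful message — a `[[ -n "${BUNDLER_VERSION}" ]] || { echo "no BUNDLED WITH in Gemfile.lock" >&2; exit 1; }` guard makes that explicit.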
@@ -94,17 +125,15 @@ cd ${GITLAB_SHELL_INSTALL_DIR} exec_as_git cp -a config.yml.example config.yml echo "Compiling gitlab-shell golang executables..." -exec_as_git bundle install -j"$(nproc)" --deployment --with development test exec_as_git "PATH=$PATH" make verify setup # remove unused repositories directory created by gitlab-shell install rm -rf ${GITLAB_HOME}/repositories -# download gitlab-workhorse -echo "Cloning gitlab-workhorse v.${GITLAB_WORKHORSE_VERSION}..." -git clone -q -b v${GITLAB_WORKHORSE_VERSION} --depth 1 ${GITLAB_WORKHORSE_URL} ${GITLAB_WORKHORSE_BUILD_DIR} +# build gitlab-workhorse +echo "Build gitlab-workhorse" +git config --global --add safe.directory /home/git/gitlab make -C ${GITLAB_WORKHORSE_BUILD_DIR} install - # clean up rm -rf ${GITLAB_WORKHORSE_BUILD_DIR} 
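Review bot: `git config --global --add safe.directory /home/git/gitlab` runs as root here (no `exec_as_git`), so it lands in root's `~/.gitconfig` rather than the git user's, and it hardcodes a path the script otherwise calls `${GITLAB_INSTALL_DIR}`; the same entry was already added for the git user in the earlier hunk, so say in a comment that this copy exists because `make -C ${GITLAB_WORKHORSE_BUILD_DIR} install` runs as root over a tree owned by `git`, and use `${GITLAB_INSTALL_DIR}`. Since `GITLAB_WORKHORSE_BUILD_DIR` now points into the install tree (`${GITLAB_INSTALL_DIR}/workhorse`), the unchanged `rm -rf ${GITLAB_WORKHORSE_BUILD_DIR}` deletes part of the gitlab-foss checkout after the build; that is presumably intended to slim the image, but a comment such as `# workhorse binaries were installed by make; drop the in-tree source` stops the next reader from treating it as a bug. Without `set -u`, an unset `GITLAB_INSTALL_DIR` would make that `rm -rf` target `/workhorse`, which is harmless today but worth guarding with `: "${GITLAB_INSTALL_DIR:?}"` near the top.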
@@ -126,23 +155,32 @@ git clone -q -b v${GITALY_SERVER_VERSION} --depth 1 ${GITLAB_GITALY_URL} ${GITLA # install gitaly make -C ${GITLAB_GITALY_BUILD_DIR} install mkdir -p ${GITLAB_GITALY_INSTALL_DIR} -cp -a ${GITLAB_GITALY_BUILD_DIR}/ruby ${GITLAB_GITALY_INSTALL_DIR}/ +# The following line causes some issues. However, according to +# and +# there seems to +# be some attempts to remove ruby from gitaly. +# +# cp -a ${GITLAB_GITALY_BUILD_DIR}/ruby ${GITLAB_GITALY_INSTALL_DIR}/ cp -a ${GITLAB_GITALY_BUILD_DIR}/config.toml.example ${GITLAB_GITALY_INSTALL_DIR}/config.toml rm -rf ${GITLAB_GITALY_INSTALL_DIR}/ruby/vendor/bundle/ruby/**/cache chown -R ${GITLAB_USER}: ${GITLAB_GITALY_INSTALL_DIR} +# install git bundled with gitaly. +make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local + # clean up rm -rf ${GITLAB_GITALY_BUILD_DIR} # remove go +go clean --modcache rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} -# remove HSTS config from the default headers, we configure it in nginx -exec_as_git sed -i "/headers\['Strict-Transport-Security'\]/d" ${GITLAB_INSTALL_DIR}/app/controllers/application_controller.rb - # revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a exec_as_git sed -i 's/db:reset/db:setup/' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake +# change SSH_ALGORITHM_PATH - we have moved host keys in ${GITLAB_DATA_DIR}/ssh/ to persist them +exec_as_git sed -i "s:/etc/ssh/:/${GITLAB_DATA_DIR}/ssh/:g" ${GITLAB_INSTALL_DIR}/app/models/instance_configuration.rb + cd ${GITLAB_INSTALL_DIR} # install gems, use local cache if available 
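Review bot: The new `sed -i "s:/etc/ssh/:/${GITLAB_DATA_DIR}/ssh/:g"` prefixes `${GITLAB_DATA_DIR}` with an extra `/`, so with an absolute data dir the replacement becomes `//home/git/data/ssh/`; Linux tolerates the double slash, but it is wrong on its face and should read `s:/etc/ssh/:${GITLAB_DATA_DIR}/ssh/:g`. With the `cp -a .../ruby` line commented out, the following `rm -rf ${GITLAB_GITALY_INSTALL_DIR}/ruby/vendor/bundle/ruby/**/cache` has nothing to act on (and `**` is a plain `*` here without `globstar`), so remove it or comment it out together with the copy. The commit also drops the sed that stripped `Strict-Transport-Security` from `application_controller.rb` on the grounds that nginx sets it; if the 18.x controller still emits the header from Rails, clients would now see it twice, so confirm with `curl -sI` against the test stack that exactly one HSTS header comes back, and record the outcome in a comment where the sed used to be.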
@@ -152,7 +190,9 @@ if [[ -d ${GEM_CACHE_DIR} ]]; then chown -R ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/vendor/cache fi -exec_as_git bundle install -j"$(nproc)" --deployment --without development test mysql aws +exec_as_git bundle config set --local deployment 'true' +exec_as_git bundle config set --local without 'development test mysql aws' +exec_as_git bundle install -j"$(nproc)" # make sure everything in ${GITLAB_HOME} is owned by ${GITLAB_USER} user chown -R ${GITLAB_USER}: ${GITLAB_HOME} @@ -160,14 +200,18 @@ chown -R ${GITLAB_USER}: ${GITLAB_HOME} # gitlab.yml and database.yml are required for `assets:precompile` exec_as_git cp ${GITLAB_INSTALL_DIR}/config/resque.yml.example ${GITLAB_INSTALL_DIR}/config/resque.yml exec_as_git cp ${GITLAB_INSTALL_DIR}/config/gitlab.yml.example ${GITLAB_INSTALL_DIR}/config/gitlab.yml -exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml +# +# Temporary workaround, see +# +# exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml +cp ${GITLAB_BUILD_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml +chown ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/config/database.yml # Installs nodejs packages required to compile webpack exec_as_git yarn install --production --pure-lockfile -exec_as_git yarn add ajv@^4.0.0 echo "Compiling assets. Please be patient, this could take a while..." -exec_as_git bundle exec rake gitlab:assets:compile USE_DB=false SKIP_STORAGE_VALIDATION=true NODE_OPTIONS="--max-old-space-size=4096" +exec_as_git bundle exec rake gitlab:assets:compile USE_DB=false SKIP_STORAGE_VALIDATION=true NODE_OPTIONS="--max-old-space-size=8192" # remove auto generated ${GITLAB_DATA_DIR}/config/secrets.yml rm -rf ${GITLAB_DATA_DIR}/config/secrets.yml 
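Review bot: The second hunk copies the build-time `database.yml.postgresql` (which carries `password: "secure password"` and `host: localhost`) to `${GITLAB_INSTALL_DIR}/config/database.yml` and leaves it in the image; it is only needed so `assets:compile` with `USE_DB=false` can load the config, so either delete it after the compile step, next to the existing `rm -rf ${GITLAB_DATA_DIR}/config/secrets.yml`, or add a comment stating that the runtime template in `assets/runtime/config/gitlabhq/database.yml` always overwrites it. The `cp` runs as root and is then followed by a separate `chown ${GITLAB_USER}:`; if `${GITLAB_BUILD_DIR}` is readable by `git`, `exec_as_git cp ...` does both in one step and keeps the surrounding `exec_as_git` pattern. Raising `--max-old-space-size` to 8192 also raises the build's memory floor; a short comment with the observed requirement helps anyone building on a smaller box.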
@@ -213,11 +257,20 @@ sed -i \ -e "s|^[#]*LogLevel INFO|LogLevel VERBOSE|" \ -e "s|^[#]*AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_proxy|" \ /etc/ssh/sshd_config +echo "AcceptEnv GIT_PROTOCOL" >> /etc/ssh/sshd_config # Allow clients to explicitly set the Git transfer protocol, e.g. to enable version 2. echo "UseDNS no" >> /etc/ssh/sshd_config # move supervisord.log file to ${GITLAB_LOG_DIR}/supervisor/ sed -i "s|^[#]*logfile=.*|logfile=${GITLAB_LOG_DIR}/supervisor/supervisord.log ;|" /etc/supervisor/supervisord.conf +# silence "CRIT Server 'unix_http_server' running without any HTTP authentication checking" message +# https://github.com/Supervisor/supervisor/issues/717 +sed -i '/\.sock/a password=dummy' /etc/supervisor/supervisord.conf +sed -i '/\.sock/a username=dummy' /etc/supervisor/supervisord.conf +# prevent confusing warning "CRIT Supervisor running as root" by clarify run as root +# user not defined in supervisord.conf by default, so just append it after [supervisord] block +sed -i "/\[supervisord\]/a user=root" /etc/supervisor/supervisord.conf + # move nginx logs to ${GITLAB_LOG_DIR}/nginx sed -i \ -e "s|access_log /var/log/nginx/access.log;|access_log ${GITLAB_LOG_DIR}/nginx/access.log;|" \ @@ -316,8 +369,6 @@ command=bundle exec sidekiq -c {{SIDEKIQ_CONCURRENCY}} -C ${GITLAB_INSTALL_DIR}/config/sidekiq_queues.yml -e ${RAILS_ENV} -t {{SIDEKIQ_SHUTDOWN_TIMEOUT}} - -P ${GITLAB_INSTALL_DIR}/tmp/pids/sidekiq.pid - -L ${GITLAB_INSTALL_DIR}/log/sidekiq.log user=git autostart=true autorestart=true 
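Review bot: The two `sed -i '/\.sock/a ...'` lines append `username=dummy`/`password=dummy` after every line matching `.sock` in `supervisord.conf`, which on Ubuntu's stock file is both the `[unix_http_server] file=` line and the `[supervisorctl] serverurl=` line; that is in fact what keeps `supervisorctl` authenticating, but it reads as an accident, so say so: `# matches both [unix_http_server] and [supervisorctl], which is required so supervisorctl keeps working`. Because those credentials are public, the only thing protecting the control socket is its file mode, so assert it in the build rather than trusting the distro default: `grep -q '^chmod=0700' /etc/supervisor/supervisord.conf || { echo "supervisor socket is not 0700" >&2; exit 1; }`. `AcceptEnv GIT_PROTOCOL` and the explicit `user=root` are fine; the latter deserves a pointer that individual programs still drop privileges via `user=git` in their `[program:*]` blocks, as the sidekiq block below shows.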
@@ -426,20 +477,11 @@ programs=sshd,nginx,mail_room,cron priority=20 EOF -# configure healthcheck script -## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html -cat > /usr/local/sbin/healthcheck < stat.isDirectory()).catch(() => false); ++ if(isDirectory) { ++ for (const dir_ent of await readdir(NODE_MODULES, { withFileTypes: true})) { ++ const to_remove = join(NODE_MODULES, dir_ent.name); ++ await rm(to_remove, { recursive: true, force: true }); ++ } ++ } + } diff --git a/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak b/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak new file mode 100644 index 000000000..a0877b832 --- /dev/null +++ b/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak 
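Review bot: The README hunk earlier in this change still documents `test: ["CMD", "/usr/local/sbin/healthcheck"]` for the compose healthcheck, while this hunk removes the heredoc that generated that file; the middle of the hunk is mangled in this rendering, so if the replacement installs a script at the same path nothing is wrong, otherwise the README needs the new path. If the script now ships as an asset, a one-line comment at the removal point naming where it comes from (`# healthcheck is installed from assets/..., see Dockerfile`) saves the next reader the search. The tail of this line also carries a Node snippet with `++` markers whose file header did not survive, so it cannot be reviewed here.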
@@ -0,0 +1,20 @@ +diff --git a/lib/tasks/gitlab/assets.rake b/lib/tasks/gitlab/assets.rake +index b8a6e7018767..5096d81ea63f 100644 +--- a/lib/tasks/gitlab/assets.rake ++++ b/lib/tasks/gitlab/assets.rake +@@ -96,7 +96,14 @@ namespace :gitlab do + puts "Assets SHA256 for `HEAD`: #{Tasks::Gitlab::Assets.head_assets_sha256.inspect}" + + if Tasks::Gitlab::Assets.head_assets_sha256 != Tasks::Gitlab::Assets.master_assets_sha256 +- FileUtils.rm_rf([Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR] + Dir.glob('app/assets/javascripts/locale/**/app.js')) ++ # sameersbn/gitlab takes a cache of public_assets_dir by symlinking to volume to speedup relaunch (if relative url is used) ++ # so do not remove the directory directly, empty instead ++ # Dir.glob("*") ignores dotfiles (even it is fine to remove here), so list up children manually ++ removal_targets = Dir.glob('app/assets/javascripts/locale/**/app.js') ++ if Dir.exist?(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR) ++ removal_targets += Dir.children(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR).map {|child| File.join(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR, child)} ++ end ++ FileUtils.rm_rf(removal_targets, secure: true) + + # gettext:compile needs to run before rake:assets:precompile because + # app/assets/javascripts/locale/**/app.js are pre-compiled by Sprockets diff --git a/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch new file mode 100644 index 000000000..5fd7dcbe7 --- /dev/null +++ b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch 
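Review bot: This file is added as `0004-fix-raketask-gitlab-assets-compile.patch.bak`, and the loop in install.sh applies only `-name "*.patch"`, so it is dead weight in the build context; if it is kept as a reference for the symlinked `public/assets` cache, record that on the first line (`# DISABLED: no longer applies to the 18.x assets.rake; kept for the rm_rf rationale`), otherwise delete it. Committed `.bak` patches tend to be re-enabled by a rename without being re-read, and this one changes what `FileUtils.rm_rf` deletes (the directory's children with `secure: true` instead of the directory itself), which is exactly the kind of change that should be re-validated against the current rake task at that time.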
@@ -0,0 +1,45 @@ +From 64e503eb62aff0952b655e9a86217e355f786146 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?= + +Date: Thu, 13 Apr 2023 15:36:24 +0900 +Subject: [PATCH] avoid seeding + +OpenSSL's man page previously stated that "the application is +responsible for seeding the PRNG by calling RAND_add" (see [1]). +So we had this code. However things changed. They no longer +say so, instead "manual (re-)seeding of the default OpenSSL +random generator is not necessary" now (see [2]). It seems all +OpenSSL versions that we support now already behaves like this. +Let's follow that. + +[1]: https://www.openssl.org/docs/man1.0.2/man3/RAND_add.html +[2]: https://www.openssl.org/docs/manmaster/man3/RAND_add.html +--- + lib/securerandom.rb | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/lib/securerandom.rb b/lib/securerandom.rb +index 07ae048634..c5be6ce734 100644 +--- a/lib/securerandom.rb ++++ b/lib/securerandom.rb +@@ -47,17 +47,6 @@ def bytes(n) + private + + def gen_random_openssl(n) +- @pid = 0 unless defined?(@pid) +- pid = $$ +- unless @pid == pid +- now = Process.clock_gettime(Process::CLOCK_REALTIME, :nanosecond) +- OpenSSL::Random.random_add([now, @pid, pid].join(""), 0.0) +- seed = Random.urandom(16) +- if (seed) +- OpenSSL::Random.random_add(seed, 16) +- end +- @pid = pid +- end + return OpenSSL::Random.random_bytes(n) + end + +-- +2.43.0.windows.1 + diff --git a/assets/runtime/config/gitlab-pages/config b/assets/runtime/config/gitlab-pages/config index 768d5f95d..409786090 100644 --- a/assets/runtime/config/gitlab-pages/config +++ b/assets/runtime/config/gitlab-pages/config 
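Review bot: The patch removes the per-process `OpenSSL::Random.random_add` seeding from `SecureRandom#gen_random_openssl` (upstream Ruby commit 64e503eb, as the header states), and by the message's own reasoning that is only sound when the base image's libssl is one whose default DRBG self-seeds and survives `fork` — OpenSSL 1.1.1 and later; that assumption should be written down in `install.sh` next to the ruby patch loop, e.g. `# 0001: requires OpenSSL >= 1.1.1 in the base image; drop once RUBY_VERSION >= 3.3`. The `until-ruby3.3.0` suffix hints that the patch stops applying on 3.3, but nothing enforces it: `patch -p1 -i` simply fails under `set -e` when the hunk no longer matches, so a version guard that skips the file when `RUBY_VERSION` is 3.3 or newer would make the intent explicit instead of surfacing as a build break. The `2.43.0.windows.1` trailer is harmless but suggests a hand-exported patch; `git format-patch -1 64e503eb` from upstream would keep the provenance cleaner.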
@@ -3,3 +3,6 @@ auth-client-secret={{GITLAB_PAGES_ACCESS_CLIENT_SECRET}} auth-redirect-uri={{GITLAB_PAGES_ACCESS_REDIRECT_URI}} auth-secret={{GITLAB_PAGES_ACCESS_SECRET}} gitlab-server={{GITLAB_PAGES_ACCESS_CONTROL_SERVER}} +artifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}} +internal-gitlab-server=http://localhost:8181 +api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret diff --git a/assets/runtime/config/gitlabhq/cable.yml b/assets/runtime/config/gitlabhq/cable.yml new file mode 100644 index 000000000..d36e74fe1 --- /dev/null +++ b/assets/runtime/config/gitlabhq/cable.yml @@ -0,0 +1,14 @@ +# This is a template taken from here: +# https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/cable.yml.example +development: + adapter: redis + url: redis://localhost:6379 + channel_prefix: gitlab_development +test: + adapter: redis + url: redis://localhost:6379 + channel_prefix: gitlab_test +production: + adapter: redis + url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}} + channel_prefix: gitlab_production diff --git a/assets/runtime/config/gitlabhq/database.yml b/assets/runtime/config/gitlabhq/database.yml index 6ff2dbc83..6ca70ad2a 100644 --- a/assets/runtime/config/gitlabhq/database.yml +++ b/assets/runtime/config/gitlabhq/database.yml 
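Review bot: `api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret` names the Pages/GitLab shared secret but nothing here says who creates it, so add a comment above the line stating that it is the file the Rails app generates at its root and that Pages must read the same path, and make sure wherever it is created it is `0600` and owned by the account Pages runs as — it signs the API calls between the two, so a world-readable file hands that trust to any process in the container. `internal-gitlab-server=http://localhost:8181` is plaintext but loopback-only, which is fine inside the container; a short comment saying so pre-empts the question. `artifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}` should document whether an empty value disables the feature or produces a broken URL.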
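Review bot: The production `url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}}` in the new cable.yml has no slot for a Redis password or a `rediss://` scheme, so if the image's resque.yml template already supports an authenticated or TLS Redis, ActionCable would be the one component connecting without it and would fail against a server that requires `AUTH`; if no such variable exists yet, at least add `# keep in sync with resque.yml` above the line. The `development` and `test` stanzas point at a fixed `localhost:6379`; they are inert in a production image, but copying them verbatim from the upstream example invites someone to assume they are templated — `# development/test are upstream defaults, unused in this image` makes that explicit.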
@@ -1,14 +1,24 @@ # -# PRODUCTION +# PRODUCTION (here: non-decomposed database) # production: - adapter: postgresql - encoding: {{DB_ENCODING}} - database: {{DB_NAME}} - host: {{DB_HOST}} - port: {{DB_PORT}} - username: {{DB_USER}} - password: "{{DB_PASS}}" - pool: {{DB_POOL}} - prepared_statements: {{DB_PREPARED_STATEMENTS}} - + main: + adapter: postgresql + encoding: {{DB_ENCODING}} + database: {{DB_NAME}} + host: {{DB_HOST}} + port: {{DB_PORT}} + username: {{DB_USER}} + password: "{{DB_PASS}}" + pool: {{DB_POOL}} + prepared_statements: {{DB_PREPARED_STATEMENTS}} + ci: + adapter: postgresql + encoding: {{DB_ENCODING}} + database: {{DB_NAME}} + database_tasks: false + host: {{DB_HOST}} + port: {{DB_PORT}} + username: {{DB_USER}} + password: "{{DB_PASS}}" + pool: {{DB_POOL}} diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml index 4f549a037..9d562de66 100644 --- a/assets/runtime/config/gitlabhq/gitlab.yml +++ b/assets/runtime/config/gitlabhq/gitlab.yml 
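Review bot: The new `ci:` stanza omits `prepared_statements: {{DB_PREPARED_STATEMENTS}}` while `main:` keeps it, so when an operator turns prepared statements off (typically for PgBouncer in transaction-pooling mode) the `ci` connection still uses them against the same `{{DB_NAME}}` database and is liable to fail with "prepared statement does not exist" errors; add the same line to `ci:` and note that the two stanzas must stay identical apart from `database_tasks: false`. A one-line comment above `ci:` explaining that GitLab requires the `ci` connection to be declared even for a single, non-decomposed database, and that `database_tasks: false` is what stops migrations being run twice, would spare the next reader a trip to the upstream docs.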
@@ -53,25 +53,25 @@ production: &base # Content Security Policy # See https://guides.rubyonrails.org/security.html#content-security-policy content_security_policy: - enabled: true - report_only: false + enabled: {{GITLAB_CONTENT_SECURITY_POLICY_ENABLED}} + report_only: {{GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY}} directives: - base_uri: - child_src: - connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*" - default_src: "'self'" - font_src: - form_action: - frame_ancestors: "'self'" - frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" - img_src: "* data: blob:" - manifest_src: - media_src: - object_src: "'none'" - script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" - style_src: "'self' 'unsafe-inline'" - worker_src: "'self' blob:" - report_uri: + base_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI}}" + child_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC}}" + connect_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC}}" + default_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC}}" + font_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC}}" + form_action: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION}}" + frame_ancestors: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS}}" + frame_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC}}" + img_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC}}" + manifest_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC}}" + media_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC}}" + object_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC}}" + script_src: 
"{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC}}" + style_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC}}" + worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}" + report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}" # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. @@ -138,7 +138,7 @@ production: &base # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. # Tip: you can test your closing pattern at http://rubular.com. - # issue_closing_pattern: '\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)' + issue_closing_pattern: '{{GITLAB_ISSUE_CLOSING_PATTERN}}' ## Default project features settings default_projects_features: @@ -229,7 +229,7 @@ production: &base aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com - aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. endpoint: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-artifacts-aws 
@@ -273,6 +273,7 @@ production: &base #start-lfs-aws aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil 
@@ -306,39 +307,47 @@ production: &base #start-uploads-aws aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} - aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}} host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com endpoint: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil path_style: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' #end-uploads-aws #start-uploads-gcs - google_project: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} - google_client_email: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} - google_json_key_location: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + google_project: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} #end-uploads-gcs ## Packages (maven repository, npm registry, etc...) packages: - enabled: true + enabled: {{GITLAB_PACKAGES_ENABLED}} # The location where build packages are stored (default: shared/packages). 
- # storage_path: shared/packages + path: {{GITLAB_PACKAGES_DIR}} object_store: - enabled: false - remote_directory: packages # The bucket name - # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) - # background_upload: false # Temporary option to limit automatic upload (Default: true) - # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name + direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage. + background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) + proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000/' # default: nil - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. 
- # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' - + provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment + #start-packages-aws + aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. + endpoint: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces + path_style: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-packages-aws + #start-packages-gcs + google_project: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-packages-gcs + + ## Dependency Proxy dependency_proxy: enabled: true 
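Review bot: The removed comment `# storage_path: shared/packages` shows that upstream's key for the packages directory is `storage_path`, yet the new line is `path: {{GITLAB_PACKAGES_DIR}}`; unless the runtime templating rewrites that key, GitLab will ignore `path` and keep writing packages under `shared/packages` inside the install tree rather than the directory the operator believes is persisted — the `terraform_state` hunk below uses `storage_path`, so this should match: `storage_path: {{GITLAB_PACKAGES_DIR}}`. The `# Only AWS supported at the moment` comment on `provider:` is contradicted by the `#start-packages-gcs` block added right under it; drop or correct the comment. The templated `aws_secret_access_key` and `google_json_key_location` values are unquoted while `host`/`endpoint` are quoted; a secret that begins with a YAML indicator or contains ` #` breaks parsing, so quote them consistently (`aws_secret_access_key: '{{...}}'`), as the OAuth secrets later in this file already are.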
@@ -362,21 +371,28 @@ production: &base ## Terraform state terraform_state: - enabled: true + enabled: {{GITLAB_TERRAFORM_STATE_ENABLED}} # The location where Terraform state files are stored (default: shared/terraform_state). - # storage_path: shared/terraform_state + storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}} object_store: - enabled: false - remote_directory: terraform_state # The bucket name + enabled: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name connection: - provider: AWS - aws_access_key_id: AWS_ACCESS_KEY_ID - aws_secret_access_key: AWS_SECRET_ACCESS_KEY - region: us-east-1 - # host: 'localhost' # default: s3.amazonaws.com - # endpoint: 'http://127.0.0.1:9000/' # default: nil - # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. - # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}} + #start-terraform_state-aws + aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil + aws_signature_version: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
+ path_style: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-terraform_state-aws + #start-terraform_state-gcs + google_project: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-terraform_state-gcs ## GitLab Pages pages: @@ -593,7 +609,7 @@ production: &base # bundle exec rake gitlab:ldap:check RAILS_ENV=production ldap: enabled: {{LDAP_ENABLED}} - prevent_ldap_sign_in: false + prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}} # This setting controls the number of seconds between LDAP permission checks # for each user. After this time has expired for a given user, their next @@ -883,6 +899,12 @@ production: &base # (default: false) auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}} + # Allow users with existing accounts to login and auto link their account via the + # defined Omniauth providers login, without having to do a manual login first and + # manually connect their chosen provider. + # (default: []) + auto_link_user: [{{OAUTH_AUTO_LINK_USER}}] + # Set different Omniauth providers as external so that all users creating accounts # via these providers will not be able to have access to internal projects. You # will need to use the full name of the provider, like `google_oauth2` for Google. @@ -896,7 +918,7 @@ production: &base # This option should only be configured for providers which already have two factor. # This configration dose not apply to SAML. # (default: false) - allow_bypass_two_factor: null + allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}} ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use 
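Review bot: `auto_link_user: [{{OAUTH_AUTO_LINK_USER}}]` always produces a list, so setting the variable to `true` (which upstream accepts as "all providers") yields `[true]`, which presumably matches no provider name and silently never auto-links; either document that only a comma-separated, quoted provider list is accepted (`# e.g. OAUTH_AUTO_LINK_USER="'saml', 'google_oauth2'"`) or render the value without brackets and let the operator choose list or boolean. Auto-linking is security-sensitive — it attaches an external identity to an existing local account on first login, keyed on the e-mail the provider asserts — so the comment should also carry upstream's caveat that it is only safe with providers that verify e-mail addresses.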
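Review bot: `allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}` replaces a literal `null` with a templated value, and this is the one setting in the file that weakens authentication when misconfigured (`true` lets any OmniAuth login skip GitLab's second factor); the entrypoint must default it to `false`, and the upstream comment above should be extended with `# Set only to a list of providers that enforce their own 2FA; an empty value means no bypass`. Because the value is unquoted, a list has to arrive as YAML (`['saml', 'google_oauth2']`) while an empty variable renders as `allow_bypass_two_factor:` (nil), equivalent to the old `null`; document both forms so operators do not end up with a quoted string whose truthiness depends on upstream's handling — that last point is worth checking against the 18.x source.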
@@ -915,7 +937,7 @@ production: &base
 login_url: '{{OAUTH_CAS3_LOGIN_URL}}',
 service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}',
 logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} }
- - { name: 'authentiq',
+ - { name: 'authentiq',
 app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}',
 app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET',
 args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } }
@@ -928,7 +950,8 @@ production: &base
 args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } }
 - { name: 'bitbucket',
 app_id: '{{OAUTH_BITBUCKET_API_KEY}}',
- app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}' }
+ app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}',
+ url: '{{OAUTH_BITBUCKET_URL}}' }
 - { name: 'gitlab', label: 'GitLab.com',
 app_id: '{{OAUTH_GITLAB_API_KEY}}',
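Review bot: The authentiq hunk only trims trailing whitespace on the `- { name: 'authentiq',` line, but the context line two below it, `app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET'`, has no `{{ }}` around the variable name, so the literal string is shipped as the client secret and the environment variable is never substituted. Since the block is being touched anyway, change it to `app_secret: '{{OAUTH_AUTHENTIQ_CLIENT_SECRET}}'`; every other provider in the file uses the templated form.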
@@ -994,13 +1017,47 @@ production: &base
 email: '{{OAUTH2_GENERIC_USER_EMAIL}}' } },
+ authorize_params: { scope: "{{OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE}}" },
+ label: '{{OAUTH2_GENERIC_LABEL}}',
 name: '{{OAUTH2_GENERIC_NAME}}' }}
 - { name: 'azure_oauth2',
 args: { client_id: '{{OAUTH_AZURE_API_KEY}}',
 client_secret: '{{OAUTH_AZURE_API_SECRET}}',
 tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } }
-
+ - { name: 'azure_activedirectory_v2',
+ label: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL}}',
+ args: {
+ client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}',
+ client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}',
+ tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }
+ - { name: 'openid_connect',
+ label: '{{OAUTH_OIDC_LABEL}}',
+ icon: '{{OAUTH_OIDC_ICON}}',
+ args: {
+ name: 'openid_connect',
+ scope: {{OAUTH_OIDC_SCOPE}},
+ response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}',
+ issuer: '{{OAUTH_OIDC_ISSUER}}',
+ discovery: {{OAUTH_OIDC_DISCOVERY}},
+ client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}',
+ uid_field: '{{OAUTH_OIDC_UID_FIELD}}',
+ send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}},
+ pkce: {{OAUTH_OIDC_PKCE}},
+ client_options: {
+ identifier: '{{OAUTH_OIDC_CLIENT_ID}}',
+ secret: '{{OAUTH_OIDC_CLIENT_SECRET}}',
+ redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }
+ - { name: 'jwt',
+ label: '{{OAUTH_JWT_LABEL}}',
+ args: {
+ secret: '{{OAUTH_JWT_SECRET}}',
+ algorithm: '{{OAUTH_JWT_ALGORITHM}}',
+ uid_claim: '{{OAUTH_JWT_UID_CLAIM}}',
+ required_claims: {{OAUTH_JWT_REQUIRED_CLAIMS}},
+ info_map: { name: '{{OAUTH_JWT_INFO_MAP_NAME}}', email: '{{OAUTH_JWT_INFO_MAP_EMAIL}}' },
+ auth_url: '{{OAUTH_JWT_AUTH_URL}}',
+ valid_within: {{OAUTH_JWT_VALID_WITHIN}} } }
 # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
 # cas3:
 # session_duration: 28800
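Review bot: The new `jwt` provider is rendered with `secret: '{{OAUTH_JWT_SECRET}}'` and `algorithm: '{{OAUTH_JWT_ALGORITHM}}'` (env-defaults gives those an empty string and `HS256`), and nothing in this hunk ties the provider's presence to the secret being set; unless the entrypoint strips the block when `OAUTH_JWT_SECRET` is empty, as it presumably does for other unconfigured providers, an HS256 strategy with an empty key is exposed on the login page. Confirm that stripping applies to `jwt` and `openid_connect`, and document it next to the entries, e.g. `# removed by the entrypoint unless OAUTH_JWT_SECRET is set`. `scope`, `required_claims`, `discovery`, `pkce` and `valid_within` are rendered bare on purpose (list/boolean/integer values), which is worth one comment so a later edit does not quote them. The providers sequence continues above the hunk.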
@@ -1124,7 +1181,7 @@ production: &base
 # CAUTION!
 # Use the default values unless you really know what you are doing
 git:
- bin_path: /usr/bin/git
+ bin_path: /usr/local/bin/git
 ## ActionCable settings
 action_cable:
@@ -1202,7 +1259,7 @@ production: &base
 enabled: {{RACK_ATTACK_ENABLED}}
 #
 # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
- ip_whitelist: ["{{RACK_ATTACK_WHITELIST}}"]
+ ip_whitelist: {{RACK_ATTACK_WHITELIST}}
 #
 # Limit the number of Git HTTP authentication attempts per IP
 maxretry: {{RACK_ATTACK_MAXRETRY}}
diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb
index f48ff788a..df5b5eeac 100644
--- a/assets/runtime/config/gitlabhq/puma.rb
+++ b/assets/runtime/config/gitlabhq/puma.rb
@@ -39,7 +39,6 @@ workers {{PUMA_WORKERS}}
 require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/lifecycle_events"
-require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/puma_worker_killer_initializer"
 on_restart do
 # Signal application hooks that we're about to restart
@@ -60,6 +59,11 @@ Gitlab::Cluster::LifecycleEvents.do_worker_start
 end
+on_worker_shutdown do
+ # Signal application hooks that a worker is shutting down
+ Gitlab::Cluster::LifecycleEvents.do_worker_stop
+end
+
 # Preload the application before starting the workers; this conflicts with
 # phased restart feature. (off by default)
 preload_app!
@@ -72,6 +76,9 @@ #
 worker_timeout {{PUMA_TIMEOUT}}
+# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput
+wait_for_less_busy_worker ENV.fetch('https://github.com/PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f
+
 # Use json formatter
 require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma_logging/json_formatter"
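Review bot: Dropping the `require_relative` of `puma_worker_killer_initializer` leaves `PUMA_PER_WORKER_MAX_MEMORY_MB` and `PUMA_MASTER_MAX_MEMORY_MB`, which the env-defaults hunk on this same diff raises to 1024 and 800, without any consumer visible in this hunk. If the matching worker-killer call further down puma.rb was removed too, those two variables are now dead and env-defaults and the README should say so; if it was not, the require has to stay or the hook fails at boot. The rest of puma.rb is outside the hunk, so I cannot tell which it is from here.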
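Review bot: `ENV.fetch('https://github.com/PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001)` looks up an environment variable whose name starts with a URL-like prefix, which no operator can set, so the `0.001` fallback is always used. If this is an artifact of how the diff was rendered, confirm the committed line reads `wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f`; if not, fix the key and add `PUMA_WAIT_FOR_LESS_BUSY_WORKER` to env-defaults so it is documented with the other `PUMA_*` knobs. The puma configuration continues past the end of the hunk.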
@@ -79,3 +86,12 @@ log_formatter do |str|
 json_formatter.call(str)
 end
+
+lowlevel_error_handler do |ex, env|
+ if Raven.configuration.capture_allowed?
+ Raven.capture_exception(ex, tags: { 'handler': 'puma_low_level' }, extra: { puma_env: env })
+ end
+
+ # note the below is just a Rack response
+ [500, {}, ["An error has occurred and reported in the system's low-level error handler."]]
+end
diff --git a/assets/runtime/config/gitlabhq/rack_attack.rb b/assets/runtime/config/gitlabhq/rack_attack.rb
deleted file mode 100644
index 69052c029..000000000
--- a/assets/runtime/config/gitlabhq/rack_attack.rb
+++ /dev/null
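Review bot: The new `lowlevel_error_handler` depends on the `Raven` constant from the deprecated sentry-raven client; GitLab's own error reporting has moved to sentry-ruby behind `Gitlab::ErrorTracking`, so on a release that no longer bundles raven the `Raven.configuration.capture_allowed?` call raises `NameError` inside the handler that is meant to be the last resort, and Puma falls back to its own error page. Guard it, `if defined?(Raven) && Raven.configuration.capture_allowed?`, or mirror whatever the bundled GitLab `config/puma.rb.example` for the target version does in this hook. The returned 500 body is generic and carries no exception detail, which is the right choice here.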
@@ -1,29 +0,0 @@
-# 1. Rename this file to rack_attack.rb
-# 2. Review the paths_to_be_protected and add any other path you need protecting
-#
-# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
-
-paths_to_be_protected = [
- "#{Rails.application.config.relative_url_root}/users/password",
- "#{Rails.application.config.relative_url_root}/users/sign_in",
- "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
- "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
- "#{Rails.application.config.relative_url_root}/users",
- "#{Rails.application.config.relative_url_root}/users/confirmation",
- "#{Rails.application.config.relative_url_root}/unsubscribes/",
- "#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
-
-]
-
-# Create one big regular expression that matches strings starting with any of
-# the paths_to_be_protected.
-paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
-rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
-
-unless Rails.env.test? || !rack_attack_enabled
- Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
- if req.post? && req.path =~ paths_regex
- req.ip
- end
- end
-end
diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml
index 769d956a2..0bcdde2b9 100644
--- a/assets/runtime/config/gitlabhq/secrets.yml
+++ b/assets/runtime/config/gitlabhq/secrets.yml
@@ -6,6 +6,10 @@ production:
 db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}
 secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
 otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
+ encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}}
+ active_record_encryption_primary_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}}
+ active_record_encryption_deterministic_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}}
+ active_record_encryption_key_derivation_salt: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}}
 development:
 db_key_base: development
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index 6372aad90..75001235e 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
@@ -25,6 +25,15 @@ map $http_upgrade $connection_upgrade_gitlab {
 '' close;
 }
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+ ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+ default $request_uri;
+}
+log_format gitlab_access '$remote_addr - $remote_user [$time_local] '
+ '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
 ## Normal HTTP host
 server {
 ## Either remove "default_server" from the listen line below,
@@ -49,7 +58,7 @@ server {
 add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
 ## Individual nginx logs for this GitLab vhost
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 location / {
@@ -85,4 +94,5 @@ server {
 internal;
 }
+ {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}
 }
diff --git a/assets/runtime/config/nginx/gitlab-pages-ssl b/assets/runtime/config/nginx/gitlab-pages-ssl
index dba9f0a2e..8563c1a92 100644
--- a/assets/runtime/config/nginx/gitlab-pages-ssl
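Review bot: The four new secrets are rendered bare, and their env-defaults fallbacks (hunk ending on L191) are empty strings, so an unset variable yields `active_record_encryption_primary_key:` with no value, which YAML reads as null; the three existing keys have the same empty defaults, so presumably the entrypoint generates them when missing and that generation must be extended to the new four, otherwise Rails' encrypted attributes start with a nil key. Add a comment above the new keys stating where the values come from, e.g. `# generated by the entrypoint when the GITLAB_SECRETS_* variable is empty; back these up with the database`, because records encrypted with a lost primary key cannot be read again.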
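Review bot: The new `map` masks tokens only in `$request_uri`, but the `log_format` that follows still writes `$http_referer` verbatim, so a referer carrying `?private_token=` or `access_token=` (a link copied from an authenticated API call) reaches the access log unmasked; run the referer through an equivalent `map` or drop it from the format. The regex also masks at most one parameter: because `(.*&)?` is greedy, a URI with both `private_token=` and `access_token=` has only the last one replaced. The identical block is introduced in gitlab-ssl (hunk ending on L181) and needs the same treatment.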
+++ b/assets/runtime/config/nginx/gitlab-pages-ssl
@@ -23,7 +23,8 @@ server {
 ## Pages serving host
 server {
 listen 0.0.0.0:443 ssl;
- listen [::]:443 ssl http2;
+ listen [::]:443 ssl;
+ http2 on;
 ## Replace this with something like pages.gitlab.com
 server_name ~^.*{{GITLAB_PAGES_DOMAIN}};
@@ -35,8 +36,8 @@ server {
 ssl_certificate_key {{SSL_PAGES_KEY_PATH}};
 # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "{{SSL_PAGES_CIPHERS}}";
+ ssl_protocols {{SSL_PAGES_PROTOCOLS}};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
diff --git a/assets/runtime/config/nginx/gitlab-registry b/assets/runtime/config/nginx/gitlab-registry
index 562b37ef2..f43be97e5 100644
--- a/assets/runtime/config/nginx/gitlab-registry
+++ b/assets/runtime/config/nginx/gitlab-registry
@@ -10,7 +10,7 @@ server {
 listen *:80;
 server_name {{GITLAB_REGISTRY_HOST}};
 server_tokens off; ## Don't show the nginx version number, a security best practice
- return 301 https://$http_host:$request_uri;
+ return 301 https://$http_host$request_uri;
 access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
 error_log {{GITLAB_LOG_DI}}/nginx/gitlab_registry_error.log;
 }
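Review bot: `http2 on;` as a standalone directive exists only in nginx 1.25.1 and later; on an older nginx the rewritten `listen [::]:443 ssl;` line still parses, but `http2 on;` is an unknown directive and nginx refuses to start, so this change silently depends on the base image's nginx version, and the Dockerfile is not part of the diff as shown. Either check the version in the Dockerfile alongside this change or keep the `listen … http2` form until the image is known to ship a new enough nginx. The same directive is introduced in gitlab-registry (hunk ending on L181) and gitlab-ssl (hunk ending on L182).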
@@ -18,7 +18,8 @@ server {
 server {
 # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182,
 # it should be declared here as well
- listen *:{{GITLAB_REGISTRY_PORT}} ssl http2;
+ listen *:{{GITLAB_REGISTRY_PORT}} ssl;
+ http2 on;
 server_name {{GITLAB_REGISTRY_HOST}};
 server_tokens off; ## Don't show the nginx version number, a security best practice
@@ -30,8 +31,8 @@ server {
 ssl_certificate {{SSL_REGISTRY_CERT_PATH}};
 ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};
- ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "{{SSL_REGISTRY_CIPHERS}}";
+ ssl_protocols {{SSL_REGISTRY_PROTOCOLS}};
 ssl_prefer_server_ciphers on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
 ssl_session_timeout 5m;
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index 24acfe171..1057e0926 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
@@ -29,6 +29,15 @@ map $http_upgrade $connection_upgrade_gitlab_ssl {
 '' close;
 }
+## Obfuscate access_token and private_token in access log
+map $request_uri $obfuscated_request_uri {
+ ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4;
+ default $request_uri;
+}
+log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] '
+ '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
 ## Redirects all HTTP traffic to the HTTPS host
 server {
 ## Either remove "default_server" from the listen line below,
@@ -40,14 +49,15 @@ server {
 server_name _; ## Replace this with something like gitlab.example.com
 server_tokens off; ## Don't show the nginx version number, a security best practice
 return 301 https://$host:{{GITLAB_PORT}}$request_uri;
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 }
 ## HTTPS host
 server {
- listen 0.0.0.0:443 ssl http2;
- listen [::]:443 ipv6only=on ssl http2 default_server;
+ listen 0.0.0.0:443 ssl;
+ listen [::]:443 ipv6only=on ssl default_server;
+ http2 on;
 server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com
 server_tokens off; ## Don't show the nginx version number, a security best practice
@@ -60,7 +70,7 @@ server {
 # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
 ssl_ciphers "{{SSL_CIPHERS}}";
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols {{SSL_PROTOCOLS}};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
@@ -94,7 +104,7 @@ server {
 ssl_dhparam {{SSL_DHPARAM_PATH}};
 ## Individual nginx logs for this GitLab vhost
- access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log;
+ access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access;
 error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log;
 location / {
@@ -117,7 +127,7 @@ server {
 proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}};
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade_gitlab_ssl;
-
+
 proxy_pass http://gitlab-workhorse;
 }
@@ -130,4 +140,6 @@ server {
 root {{GITLAB_INSTALL_DIR}}/public;
 internal;
 }
+
+ {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}}
 }
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index db1eb56fc..d3269e8ee 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -1,6 +1,8 @@
 #!/bin/bash
+# CONTAINER
 DEBUG=${DEBUG:-$DEBUG_ENTRYPOINT}
+TIMEZONE=${TZ:-UTC}
 ## GITLAB CORE
 GITLAB_TEMP_DIR="${GITLAB_DATA_DIR}/tmp"
@@ -60,7 +62,7 @@ REDIS_DB_NUMBER=${REDIS_DB_NUMBER:-0}
 ## SIDEKIQ
 SIDEKIQ_SHUTDOWN_TIMEOUT=${SIDEKIQ_SHUTDOWN_TIMEOUT:-4}
 SIDEKIQ_CONCURRENCY=${SIDEKIQ_CONCURRENCY:-25}
-SIDEKIQ_MEMORY_KILLER_MAX_RSS=${SIDEKIQ_MEMORY_KILLER_MAX_RSS:-1000000}
+SIDEKIQ_MEMORY_KILLER_MAX_RSS=${SIDEKIQ_MEMORY_KILLER_MAX_RSS:-2000000}
 GITLAB_SIDEKIQ_LOG_FORMAT=${GITLAB_SIDEKIQ_LOG_FORMAT:-json}
 ## PUMA
@@ -68,8 +70,8 @@ PUMA_THREADS_MIN=${PUMA_THREADS_MIN:-1}
 PUMA_THREADS_MAX=${PUMA_THREADS_MAX:-16}
 PUMA_WORKERS=${PUMA_WORKERS:-3}
 PUMA_TIMEOUT=${PUMA_TIMEOUT:-60}
-PUMA_PER_WORKER_MAX_MEMORY_MB=${PUMA_PER_WORKER_MAX_MEMORY_MB:-850}
-PUMA_MASTER_MAX_MEMORY_MB=${PUMA_MASTER_MAX_MEMORY_MB:-550}
+PUMA_PER_WORKER_MAX_MEMORY_MB=${PUMA_PER_WORKER_MAX_MEMORY_MB:-1024}
+PUMA_MASTER_MAX_MEMORY_MB=${PUMA_MASTER_MAX_MEMORY_MB:-800}
 # Set Default values according to the documentation
 # https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer
@@ -80,6 +82,7 @@ GITLAB_UNICORN_MEMORY_MAX=${GITLAB_UNICORN_MEMORY_MAX:-1342177280}
 ## GITLAB_TIMEZONE=${GITLAB_TIMEZONE:-UTC}
 GITLAB_SIGNUP_ENABLED=${GITLAB_SIGNUP_ENABLED:-true}
+GITLAB_ISSUE_CLOSING_PATTERN=${GITLAB_ISSUE_CLOSING_PATTERN:-'\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'}
 GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-100}
 GITLAB_USERNAME_CHANGE=${GITLAB_USERNAME_CHANGE:-true}
 GITLAB_CREATE_GROUP=${GITLAB_CREATE_GROUP:-true}
@@ -101,8 +104,17 @@ GITLAB_WORKHORSE_TIMEOUT=${GITLAB_WORKHORSE_TIMEOUT:-5m0s}
 # OBJECTSTORE
 GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDER:-AWS}
+
+#-- AWS
 AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}
+AWS_REGION=${AWS_REGION:-us-east-1}
+AWS_HOST=${AWS_HOST:-s3.amazonaws.com}
+AWS_ENDPOINT=${AWS_ENDPOINT:-nil}
+AWS_PATH_STYLE=${AWS_PATH_STYLE:-true}
+AWS_SIGNATURE_VERSION=${AWS_SIGNATURE_VERSION:-4}
+
+#-- Google
 GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
 GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}
 GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-"/gcs/key.json"}
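Review bot: `AWS_ENDPOINT=${AWS_ENDPOINT:-nil}` now feeds every object store, and the gitlab.yml template renders the per-store endpoint single-quoted (`endpoint: '{{…_AWS_ENDPOINT}}'` in the terraform_state hunk), so the string `'nil'` rather than YAML null reaches the storage client; the per-store variables carried the same literal before this refactor, so presumably the entrypoint special-cases it, but that is invisible here and deserves a comment, e.g. `AWS_ENDPOINT=${AWS_ENDPOINT:-nil}  # the literal "nil" means no custom endpoint`. `AWS_REGION` is also a name the AWS CLI and SDKs read from the process environment, and this file now sets it unconditionally inside the container, so any aws tooling run there (the backup helpers configured by `AWS_BACKUP_*`) sees `us-east-1` even when no object store is in use; a `GITLAB_`-prefixed name would avoid that collision.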
@@ -122,16 +134,64 @@ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STOR
 # ARTIFACTS:AWS
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
-GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-us-east-1}
-GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-s3.amazonaws.com}
-GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-nil}
-GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-true}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}
 # ARTIFACTS:Google
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}
+## PACKAGES
+GITLAB_PACKAGES_ENABLED=${GITLAB_PACKAGES_ENABLED:-true}
+GITLAB_PACKAGES_DIR="${GITLAB_PACKAGES_DIR:-$GITLAB_SHARED_DIR/packages}"
+
+
+GITLAB_PACKAGES_OBJECT_STORE_ENABLED=${GITLAB_PACKAGES_OBJECT_STORE_ENABLED:-false}
+GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY:-packages}
+GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD:-false}
+GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD:-false}
+GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD:-false}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}
+
+# PACKAGES:AWS
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}
+
+# PACKAGES:Google
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}
+
+## TERRAFORM STATE
+GITLAB_TERRAFORM_STATE_ENABLED=${GITLAB_TERRAFORM_STATE_ENABLED:-true}
+GITLAB_TERRAFORM_STATE_STORAGE_PATH="${GITLAB_TERRAFORM_STATE_STORAGE_PATH:-$GITLAB_SHARED_DIR/terraform_state}"
+
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED:-false}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY:-terraform_state}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER}
+
+# TERRAFORM STATE:AWS
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}
+
+# TERRAFORM STATE:Google
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}
 ## Cron Jobs
 GITLAB_PIPELINE_SCHEDULE_WORKER_CRON=${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON:-"19 * * * *"}
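Review bot: Two consecutive blank lines follow `GITLAB_PACKAGES_DIR="${GITLAB_PACKAGES_DIR:-$GITLAB_SHARED_DIR/packages}"`, while every other stanza in this hunk (the `## TERRAFORM STATE` block, the `# …:AWS` / `# …:Google` sub-blocks) is separated by a single one; drop one of them. Otherwise the packages and terraform_state blocks follow the artifacts block line for line, including inheriting credentials from the global `AWS_*` defaults, so nothing functional stands out.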
@@ -150,10 +210,11 @@ GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION
 # LFS:AWS
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
-GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-us-east-1}
-GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-s3.amazonaws.com}
-GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-nil}
-GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-true}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}
 # LFS:Google
 GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
@@ -174,10 +235,11 @@ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CO
 # Uploads:AWS
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
-GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-us-east-1}
-GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-s3.amazonaws.com}
-GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-nil}
-GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-true}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION}
 # Uploads:Google
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}
@@ -189,9 +251,15 @@ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_UPLOADS
 GITLAB_MATTERMOST_ENABLED=${GITLAB_MATTERMOST_ENABLED:-false}
 GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
+# secrets
 GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
 GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
 GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
+GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT:-}
+
 GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
 GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
@@ -214,14 +282,19 @@ SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key}
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
 SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'}
+SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'}
 SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_REGISTRY_KEY_PATH}
 SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key}
 SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_REGISTRY_CERT_PATH}
 SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt}
+SSL_REGISTRY_CIPHERS=${SSL_REGISTRY_CIPHERS:-$SSL_CIPHERS}
+SSL_REGISTRY_PROTOCOLS=${SSL_REGISTRY_PROTOCOLS:-$SSL_PROTOCOLS}
 SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key}
 SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt}
+SSL_PAGES_CIPHERS=${SSL_PAGES_CIPHERS:-$SSL_CIPHERS}
+SSL_PAGES_PROTOCOLS=${SSL_PAGES_PROTOCOLS:-$SSL_PROTOCOLS}
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility
 SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt}
@@ -251,7 +324,7 @@ AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION}
 AWS_BACKUP_STORAGE_CLASS=${AWS_BACKUP_STORAGE_CLASS:-STANDARD}
 AWS_BACKUP_SIGNATURE_VERSION=${AWS_BACKUP_SIGNATURE_VERSION:-4}
-### GCS BACKUPS
+### GCS BACKUPS
 GCS_BACKUPS=${GCS_BACKUPS:-false}
 GCS_BACKUP_ACCESS_KEY_ID=${GCS_BACKUP_ACCESS_KEY_ID}
 GCS_BACKUP_SECRET_ACCESS_KEY=${GCS_BACKUP_SECRET_ACCESS_KEY}
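Review bot: `SSL_PROTOCOLS` defaults to `'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'`, and because the registry and pages defaults inherit it and the nginx templates on this diff now read the value instead of hard-coding `TLSv1 TLSv1.1 TLSv1.2`, this keeps TLS 1.0 and 1.1 enabled on every vhost; both are deprecated and modern clients, including the Java runtimes the "compatible ciphers" comment refers to, negotiate 1.2 or 1.3. Make the default `SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1.2 TLSv1.3'}` so operators who still need the old protocols opt in explicitly, and consider the same for the `DES-CBC3-SHA` and non-PFS entries of the `SSL_CIPHERS` default on the context line above, since that value now also flows into the registry and pages vhosts.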
@@ -268,6 +341,7 @@ case ${GITLAB_HTTPS} in
 true) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;;
 *) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;;
 esac
+NGINX_CUSTOM_GITLAB_SERVER_CONFIG=${NGINX_CUSTOM_GITLAB_SERVER_CONFIG:-}
 ## MAIL DELIVERY
 SMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com}
@@ -339,6 +413,7 @@ LDAP_USER_ATTRIBUTE_LASTNAME=${LDAP_USER_ATTRIBUTE_LASTNAME:-sn}
 LDAP_LOWERCASE_USERNAMES="${LDAP_LOWERCASE_USERNAMES:-false}"
 LDAP_LABEL=${LDAP_LABEL:-LDAP}
 LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
+LDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false}
 case ${LDAP_UID} in
 userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;;
 *) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true}
@@ -357,6 +432,7 @@ OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
 OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
+OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-false}
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
@@ -398,6 +474,7 @@ OAUTH_GITLAB_SCOPE=${OAUTH_GITLAB_SCOPE:-api}
 ### BITBUCKET
 OAUTH_BITBUCKET_API_KEY=${OAUTH_BITBUCKET_API_KEY:-}
 OAUTH_BITBUCKET_APP_SECRET=${OAUTH_BITBUCKET_APP_SECRET:-}
+OAUTH_BITBUCKET_URL=${OAUTH_BITBUCKET_URL:-https://bitbucket.org/}
 ### CROWD
 OAUTH_CROWD_SERVER_URL=${OAUTH_CROWD_SERVER_URL:-}
@@ -409,6 +486,12 @@ OAUTH_AZURE_API_KEY=${OAUTH_AZURE_API_KEY:-}
 OAUTH_AZURE_API_SECRET=${OAUTH_AZURE_API_SECRET:-}
 OAUTH_AZURE_TENANT_ID=${OAUTH_AZURE_TENANT_ID:-}
+## AZURE Active Directory V2 endpoint
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL:-'Azure AD v2'}
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID:-}
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET:-}
+OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID:-}
+
 ### SAML
 case $GITLAB_HTTPS in
 true)
@@ -455,8 +538,43 @@ OAUTH2_GENERIC_ID_PATH=${OAUTH2_GENERIC_ID_PATH:-}
 OAUTH2_GENERIC_USER_UID=${OAUTH2_GENERIC_USER_UID:-}
 OAUTH2_GENERIC_USER_NAME=${OAUTH2_GENERIC_USER_NAME:-}
 OAUTH2_GENERIC_USER_EMAIL=${OAUTH2_GENERIC_USER_EMAIL:-}
+OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-}
+OAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-}
 OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-}
+### OpenID Connect
+OAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'}
+OAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-}
+OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"}
+OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'}
+OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-}
+OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true}
+OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'}
+OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub}
+OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}
+OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}
+OAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-}
+OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}
+case $GITLAB_HTTPS in
+ true)
+ OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback}
+ ;;
+ false)
+ OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback}
+ ;;
+esac
+
+### JWT
+OAUTH_JWT_LABEL=${OAUTH_JWT_LABEL:-'Jwt'}
+OAUTH_JWT_SECRET=${OAUTH_JWT_SECRET:-}
+OAUTH_JWT_ALGORITHM=${OAUTH_JWT_ALGORITHM:-'HS256'}
+OAUTH_JWT_UID_CLAIM=${OAUTH_JWT_UID_CLAIM:-'email'}
+OAUTH_JWT_REQUIRED_CLAIMS=${OAUTH_JWT_REQUIRED_CLAIMS:-'["name", "email"]'}
+OAUTH_JWT_INFO_MAP_NAME=${OAUTH_JWT_INFO_MAP_NAME:-'name'}
+OAUTH_JWT_INFO_MAP_EMAIL=${OAUTH_JWT_INFO_MAP_EMAIL:-'email'}
+OAUTH_JWT_AUTH_URL=${OAUTH_JWT_AUTH_URL:-}
+OAUTH_JWT_VALID_WITHIN=${OAUTH_JWT_VALID_WITHIN:-3600}
+
 ## ANALYTICS
 ### GOOGLE
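Review bot: `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}` gives a deployment that forgets the variable a well-known client secret instead of an obviously missing one; every other credential in this hunk defaults to empty (`OAUTH_OIDC_CLIENT_ID`, `OAUTH_JWT_SECRET`, the Azure AD v2 secret), so use `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-}` here too. The redirect-URI `case $GITLAB_HTTPS in` handles only `true)` and `false)`, whereas the nginx block earlier in this file uses `true)`/`*)`, so any other spelling leaves `OAUTH_OIDC_REDIRECT_URI` unset and gitlab.yml renders an empty `redirect_uri`; change the second arm to `*)`. `OAUTH_OIDC_PKCE` defaulting to `true` and `OAUTH_OIDC_DISCOVERY` to `true` are the right choices.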
@@ -468,7 +586,31 @@ PIWIK_SITE_ID=${PIWIK_SITE_ID:-} ## RACK ATTACK RACK_ATTACK_ENABLED=${RACK_ATTACK_ENABLED:-true} -RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-"127.0.0.1"} +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-'["127.0.0.1"]'} +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST// /} +# Backward compatibility : See sameersbn/docker-gitlab#2828 +# Pre-check: each host is surrounded by single / double quotation +# if not, generated string will be [127.0.0.1] for example and ruby raises error +RACK_ATTACK_WHITELIST_ORIGIN=${RACK_ATTACK_WHITELIST} +# remove [], then iterate entries +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST#"["} +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST%"]"} +IFS_ORG=${IFS} +IFS=, +for host in ${RACK_ATTACK_WHITELIST}; do + # Both single / double quotation may be used + if ! [[ ${host} =~ ^(\"|\').*(\"|\')$ ]]; then + RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST/${host}/\"${host//(\'|\")/}\"} + fi +done +IFS=$IFS_ORG +# surround with [] +RACK_ATTACK_WHITELIST="[${RACK_ATTACK_WHITELIST}]" +if [[ "${RACK_ATTACK_WHITELIST}" != "${RACK_ATTACK_WHITELIST_ORIGIN}" ]]; then + printf "[warning] RACK_ATTACK_WHITELIST must be a yaml sequence of hosts.\nFixing from %s to %s\n" \ + "${RACK_ATTACK_WHITELIST_ORIGIN}" \ + "${RACK_ATTACK_WHITELIST}" +fi RACK_ATTACK_MAXRETRY=${RACK_ATTACK_MAXRETRY:-10} RACK_ATTACK_FINDTIME=${RACK_ATTACK_FINDTIME:-60} RACK_ATTACK_BANTIME=${RACK_ATTACK_BANTIME:-3600} @@ -480,6 +622,7 @@ GITLAB_PAGES_DOMAIN=${GITLAB_PAGES_DOMAIN:-"example.com"} GITLAB_PAGES_DIR="${GITLAB_PAGES_DIR:-$GITLAB_SHARED_DIR/pages}" GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80} GITLAB_PAGES_ARTIFACTS_SERVER=${GITLAB_PAGES_ARTIFACTS_SERVER:-true} +GITLAB_PAGES_ARTIFACTS_SERVER_URL=${GITLAB_PAGES_ARTIFACTS_SERVER_URL:-} GITLAB_PAGES_HTTPS=${GITLAB_PAGES_HTTPS:-false} GITLAB_PAGES_EXTERNAL_HTTP=${GITLAB_PAGES_EXTERNAL_HTTP:-} GITLAB_PAGES_EXTERNAL_HTTPS=${GITLAB_PAGES_EXTERNAL_HTTPS:-} 
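Review bot: The in-place rewrite `${RACK_ATTACK_WHITELIST/${host}/...}` replaces the first pattern match of `host` anywhere in the list, not the entry currently being visited, so an unquoted entry that is a substring of an earlier quoted one (for example the list `"10.0.0.10",10.0.0.1`) is rewritten inside the wrong entry and the result is malformed; `host` is also used as a glob pattern there. The inner `${host//(\'|\")/}` is likewise a glob, not a regex: without extglob it only strips the literal text `('|")`, so a half-quoted entry such as `"10.0.0.1` becomes `""10.0.0.1"`. Rebuilding the list from the loop instead of substituting into it avoids both problems and keeps the warning comparison against `RACK_ATTACK_WHITELIST_ORIGIN` unchanged.
```shell
RACK_ATTACK_WHITELIST_ORIGIN=${RACK_ATTACK_WHITELIST}
# … unchanged: strip the surrounding [] …
IFS_ORG=${IFS}
IFS=,
normalized=
for host in ${RACK_ATTACK_WHITELIST}; do
  # drop any existing quotes, then re-quote: never substitute back into the original string
  host=${host//\"/}
  host=${host//\'/}
  normalized="${normalized:+${normalized},}\"${host}\""
done
IFS=$IFS_ORG
RACK_ATTACK_WHITELIST="[${normalized}]"
# … unchanged: warning when the value had to be rewritten …
```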
@@ -497,9 +640,12 @@ GITALY_TOKEN=${GITALY_TOKEN:-} GITALY_SOCKET_PATH=${GITLAB_INSTALL_DIR}/tmp/sockets/private/gitaly.socket GITALY_ADDRESS=${GITALY_ADDRESS:-unix:$GITALY_SOCKET_PATH} +## GitLab Shell +GITLAB_SHELL_CUSTOM_HOOKS_DIR=${GITLAB_SHELL_CUSTOM_HOOKS_DIR:-"$GITLAB_SHELL_INSTALL_DIR/hooks"} + ## MONITORING GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL=${GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL:-10} -GITLAB_MONITORING_IP_WHITELIST=${GITLAB_MONITORING_IP_WHITELIST:-"0.0.0.0/8"} +GITLAB_MONITORING_IP_WHITELIST=${GITLAB_MONITORING_IP_WHITELIST:-} GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED:-true} GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS:-"0.0.0.0"} GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT:-3807} 
@@ -509,3 +655,28 @@ SENTRY_ENABLED=${SENTRY_ENABLED:-false}
 SENTRY_DSN=${SENTRY_DSN:-}
 SENTRY_CLIENTSIDE_DSN=${SENTRY_CLIENTSIDE_DSN:-}
 SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT:-production}
+
+## Content Security Policy
+# See https://guides.rubyonrails.org/security.html#content-security-policy
+GITLAB_CONTENT_SECURITY_POLICY_ENABLED=${GITLAB_CONTENT_SECURITY_POLICY_ENABLED:-true}
+GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY=${GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY:-false}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC:-"'self' http://localhost:* ws://localhost:* wss://localhost:*"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC:-"'self'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS:-"'self'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC:-"'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC:-"* data: blob:"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC:-}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC:-"'none'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC:-"'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC:-"'self' 'unsafe-inline'"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC:-"'self' blob:"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI:-}
+
+## Feature Flags
+GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-}
+GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index a4e0ef4d6..2315bfc1a 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
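Review bot: The `CONNECT_SRC` and `SCRIPT_SRC` defaults include `http://localhost:*`, `ws://localhost:*` and `wss://localhost:*`, and `SCRIPT_SRC`/`STYLE_SRC` carry `'unsafe-eval'`/`'unsafe-inline'`, which reads like a development policy being shipped as the production default of a CSP that is on by default (`GITLAB_CONTENT_SECURITY_POLICY_ENABLED` is `true`). If these values are copied from GitLab's own example configuration, a comment saying so and which release they track would let operators judge whether to tighten them; otherwise the localhost origins should be dropped from the defaults. Suggested comment above the block: `# Defaults follow the upstream GitLab example CSP; the localhost entries exist for local asset/webpack setups and can be removed in production.`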
@@ -17,16 +17,16 @@ GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml" GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml" GITLAB_PUMA_CONFIG="${GITLAB_INSTALL_DIR}/config/puma.rb" GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb" -GITLAB_RACK_ATTACK_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/rack_attack.rb" GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb" GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml" +GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml" GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml" GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt" GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml" -GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab" -GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci" -GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry" -GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-pages" +GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf" +GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf" +GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf" +GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf" GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config" GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml" @@ -149,7 +149,7 @@ gitlab_finalize_database_parameters() { gitlab_check_database_connection() { - prog=$(find /usr/lib/postgresql/ -name pg_isready) + prog=$(command -v pg_isready) prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1" timeout=60 
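Review bot: `prog=$(command -v pg_isready)` is never checked, so when the binary is absent `prog` silently becomes ` -h ${DB_HOST} ...` and the later invocation of `${prog}` (outside this hunk) tries to execute `-h`; the old `find` failed the same way, so the switch is an opportunity to make the error explicit. Suggest `prog=$(command -v pg_isready) || { echo "pg_isready not found in PATH"; return 1; }`. The rest of `gitlab_check_database_connection` is not visible in the hunk.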
@@ -167,11 +167,98 @@ gitlab_check_database_connection() { echo } +gitlab_generate_postgresqlrc() { + echo "Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping" + # server_version_num property is a number built from version string: + # https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION + # > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number. + # > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. Zero is returned if the connection is bad. + # > + # > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version. + # > For those versions, PQserverVersion uses two digits for each part; + # > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200. + # + # This difference also appends to apt package name. + # For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available. + # + DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "SHOW server_version_num") + if [[ "${DB_SERVER_VERSION}" -eq 0 ]]; then + echo + echo "Could not retrieve database server version correctly. Aborting..." + return 1 + fi + + echo "- Detected server version: ${DB_SERVER_VERSION}" + + # Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000. 
+ # DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*} + DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000)) + DB_CLIENT_VERSION_PACKAGE_NAME= + + if [[ "${DB_SERVER_VERSION_MAJOR}" -ge 10 ]]; then + # v10 or later: use "rought major version" as version number in package name + DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR} + else + # prior to v10: convert + # FIXME: rough implementation + # It exploits the fact that there is no version such as 9.10, and it lacks versatility. + # divide by 100, then replace first 0 to comma + DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100)) + DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.} + fi + + # if exact-match client not found, select latest version from installed clients + if [[ "$(apt-cache pkgnames postgresql-client | grep -e "-${DB_CLIENT_VERSION_PACKAGE_NAME}" | wc -l)" -ne 1 ]]; then + LATEST_CLIENT="$(apt-cache pkgnames postgresql-client | grep -v -e "-common" | sort --version-sort | tail -n1)" + DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/} + echo "gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)" + fi + + # generate ~/.postgresqlrc to switch client version + GITLAB_USER_POSTGRESQLRC="/home/${GITLAB_USER}/.postgresqlrc" + echo "- Generating ${GITLAB_USER_POSTGRESQLRC}" + echo "${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}" | exec_as_git tee "${GITLAB_USER_POSTGRESQLRC}" +} + +gitlab_uninstall_unused_database_client() { + if [[ -f "/home/${GITLAB_USER}/.postgresqlrc" ]]; then + # refer /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use + # .postgresqlrc contains following information per line + # database_major_version host:port database_name + # - ignore lines starts with # by specifying pattern /^[^#]/ + # - first field is the version number in use. 
+ # - cocnat whole lines into single string. convert newline to \| + # this is escaped regex "OR" + # now we got the following regex that can be used as an option to grep: + # \|-12\|-13 + DB_CLIENT_VERSIONS_IN_USE="$(awk '/^[^#]/ {printf("\|-%s",$1)}' "/home/${GITLAB_USER}/.postgresqlrc")" + + # we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc + REGEX_DB_CLIENT_VERSIONS_IN_USE="-common${DB_CLIENT_VERSIONS_IN_USE}" + + # remove unused client using regex above + # grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that + UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e "${REGEX_DB_CLIENT_VERSIONS_IN_USE}" || true) + if [[ "${UNUSED_DB_CLIENTS}" == "" ]]; then + echo "- All installed version of clients are in use. Did not uninstalled any client..." + return + fi + + # just to get clean log, convert newline (package name delimiter) to single whitespace + UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\n' ' ') + + echo "- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}" + DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null + fi +} + gitlab_configure_database() { echo -n "Configuring gitlab::database" gitlab_finalize_database_parameters gitlab_check_database_connection + gitlab_generate_postgresqlrc + gitlab_uninstall_unused_database_client update_template ${GITLAB_DATABASE_CONFIG} \ DB_ENCODING \ @@ -233,6 +320,18 @@ gitlab_configure_redis() { REDIS_DB_NUMBER } +gitlab_configure_actioncable() { + echo -n "Configuring gitlab::actioncable" + + gitlab_finalize_redis_parameters + gitlab_check_redis_connection + + update_template ${GITLAB_ACTIONCABLE_CONFIG} \ + REDIS_HOST \ + REDIS_PORT \ + REDIS_DB_NUMBER +} + gitlab_configure_gitaly() { echo "Configuring gitlab::gitaly..." update_template ${GITLAB_GITALY_CONFIG} \ 
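Review bot: `gitlab_configure_database` ignores the status of the new `gitlab_generate_postgresqlrc` call, which deliberately `return 1`s when `SHOW server_version_num` comes back empty or 0, so on a bad connection the function proceeds to `gitlab_uninstall_unused_database_client` and templating as if nothing happened; `gitlab_generate_postgresqlrc || return 1` would keep that early exit meaningful. In `gitlab_uninstall_unused_database_client`, if `.postgresqlrc` has no non-comment line, `DB_CLIENT_VERSIONS_IN_USE` is empty, the keep-pattern degrades to `-common`, and every versioned `postgresql-client-*` package is purged; guard with `[[ -n "${DB_CLIENT_VERSIONS_IN_USE}" ]] || return` before the `apt-cache | grep -v`. The `\|` alternation the awk `printf` builds is a GNU grep extension, which is fine for this Ubuntu-based image but deserves a comment where the pattern is assembled.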
@@ -252,6 +351,10 @@ gitlab_configure_gitaly() { gitlab_configure_monitoring() { echo "Configuring gitlab::monitoring..." + if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then + exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG} + fi + update_template ${GITLAB_CONFIG} \ GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \ GITLAB_MONITORING_IP_WHITELIST \ @@ -439,7 +542,8 @@ gitlab_configure_ldap() { LDAP_USER_ATTRIBUTE_NAME \ LDAP_USER_ATTRIBUTE_FIRSTNAME \ LDAP_USER_ATTRIBUTE_LASTNAME \ - LDAP_LABEL + LDAP_LABEL \ + LDAP_PREVENT_LDAP_SIGN_IN } gitlab_configure_oauth_cas3() { @@ -553,9 +657,10 @@ gitlab_configure_oauth_bitbucket() { OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_BITBUCKET_API_KEY \ - OAUTH_BITBUCKET_APP_SECRET + OAUTH_BITBUCKET_APP_SECRET \ + OAUTH_BITBUCKET_URL else - exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_APP_SECRET}}/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d" ${GITLAB_CONFIG} fi } @@ -621,6 +726,8 @@ gitlab_configure_oauth2_generic() { OAUTH2_GENERIC_USER_UID \ OAUTH2_GENERIC_USER_NAME \ OAUTH2_GENERIC_USER_EMAIL \ + OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \ + OAUTH2_GENERIC_LABEL \ OAUTH2_GENERIC_NAME else exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG} 
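Review bot: `if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then` in `gitlab_configure_monitoring` mixes single-bracket `[` with the bash-only `==`, while every other test in this file uses `[[ ... ]]`; `if [[ -z "${GITLAB_MONITORING_IP_WHITELIST}" ]]; then` matches the surrounding style. After the `sed` removes the placeholder line the variable is still passed to `update_template`, which is harmless only if `update_template` tolerates a missing placeholder — not visible here, so a short comment stating that intent would help the next reader.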
@@ -674,6 +781,66 @@ gitlab_configure_oauth_azure() { fi } +gitlab_configure_oauth_azure_ad_v2() { + # we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional + if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \ + -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \ + -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then + echo "Configuring gitlab::oauth::azure_activedirectory_v2..." + update_template ${GITLAB_CONFIG} \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID + else + exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG} + fi +} + +gitlab_configure_oauth_oidc() { + if [[ -n ${OAUTH_OIDC_ISSUER} && \ + -n ${OAUTH_OIDC_CLIENT_ID} ]]; then + echo "Configuring gitlab::oauth::oidc..." + OAUTH_ENABLED=${OAUTH_ENABLED:-true} + update_template ${GITLAB_CONFIG} \ + OAUTH_OIDC_LABEL \ + OAUTH_OIDC_ICON \ + OAUTH_OIDC_SCOPE \ + OAUTH_OIDC_RESPONSE_TYPE \ + OAUTH_OIDC_ISSUER \ + OAUTH_OIDC_DISCOVERY \ + OAUTH_OIDC_CLIENT_AUTH_METHOD \ + OAUTH_OIDC_UID_FIELD \ + OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \ + OAUTH_OIDC_PKCE \ + OAUTH_OIDC_CLIENT_ID \ + OAUTH_OIDC_CLIENT_SECRET \ + OAUTH_OIDC_REDIRECT_URI + else + exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG} + fi +} + +gitlab_configure_oauth_jwt() { + if [[ -n ${OAUTH_JWT_SECRET} && \ + -n ${OAUTH_JWT_AUTH_URL} ]]; then + echo "Configuring gitlab::oauth::jwt..." 
+ OAUTH_ENABLED=${OAUTH_ENABLED:-true} + update_template ${GITLAB_CONFIG} \ + OAUTH_JWT_LABEL \ + OAUTH_JWT_SECRET \ + OAUTH_JWT_ALGORITHM \ + OAUTH_JWT_UID_CLAIM \ + OAUTH_JWT_REQUIRED_CLAIMS \ + OAUTH_JWT_INFO_MAP_NAME \ + OAUTH_JWT_INFO_MAP_EMAIL \ + OAUTH_JWT_AUTH_URL \ + OAUTH_JWT_VALID_WITHIN + else + exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG} + fi +} + gitlab_configure_oauth() { echo "Configuring gitlab::oauth..." @@ -690,6 +857,9 @@ gitlab_configure_oauth() { gitlab_configure_oauth_crowd gitlab_configure_oauth_auth0 gitlab_configure_oauth_azure + gitlab_configure_oauth_azure_ad_v2 + gitlab_configure_oauth_oidc + gitlab_configure_oauth_jwt OAUTH_ENABLED=${OAUTH_ENABLED:-false} update_template ${GITLAB_CONFIG} \ @@ -698,10 +868,12 @@ gitlab_configure_oauth() { OAUTH_BLOCK_AUTO_CREATED_USERS \ OAUTH_AUTO_LINK_LDAP_USER \ OAUTH_AUTO_LINK_SAML_USER \ - OAUTH_EXTERNAL_PROVIDERS + OAUTH_AUTO_LINK_USER \ + OAUTH_EXTERNAL_PROVIDERS \ + OAUTH_ALLOW_BYPASS_TWO_FACTOR case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in - cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|oauth2_generic|$OAUTH2_GENERIC_NAME) + cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt) update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER ;; *) @@ -736,7 +908,11 @@ gitlab_configure_secrets() { update_template ${GITLAB_SECRETS_CONFIG} \ GITLAB_SECRETS_DB_KEY_BASE \ GITLAB_SECRETS_SECRET_KEY_BASE \ - GITLAB_SECRETS_OTP_KEY_BASE + GITLAB_SECRETS_OTP_KEY_BASE \ + GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \ + GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \ + GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \ + GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret" if [[ ! -f "${shell_secret}" ]]; then 
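Review bot: `gitlab_configure_oauth_azure_ad_v2` does not set `OAUTH_ENABLED=${OAUTH_ENABLED:-true}` the way its siblings `gitlab_configure_oauth_oidc`, `gitlab_configure_oauth_jwt` and `gitlab_configure_oauth_bitbucket` do, so a deployment that configures only Azure AD v2 ends up with `OAUTH_ENABLED` falling back to `false` in `gitlab_configure_oauth` unless it sets the variable explicitly; add `OAUTH_ENABLED=${OAUTH_ENABLED:-true}` after the `echo` in that branch. Separately, the auto-sign-in `case` accepts `oidc`, but the provider name the template carries is `openid_connect` (see the `sed` range `name: 'openid_connect'` in the same hunk), so `oidc` likely never corresponds to a real provider while `openid_connect` falls through to the `*)` branch; suggest `cas3|google_oauth2|...|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|openid_connect|jwt)`.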
@@ -749,6 +925,12 @@ gitlab_configure_secrets() { exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32 chmod 600 "${workhorse_secret}" fi + + local pages_secret="${GITLAB_INSTALL_DIR}/.gitlab_pages_secret" + if [[ ! -f "${pages_secret}" ]]; then + exec_as_git openssl rand -base64 -out "${pages_secret}" 32 + chmod 600 "${pages_secret}" + fi } gitlab_configure_sidekiq() { @@ -943,6 +1125,24 @@ gitlab_configure_analytics() { gitlab_configure_rack_attack() { echo "Configuring gitlab::rack_attack..." + + # validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string + echo " Validating RACK_ATTACK_WHITELIST..." + /usr/bin/env ruby << SCRIPT + require 'ipaddr' + ${RACK_ATTACK_WHITELIST}.each do |host| + begin + printf(" input=%s, to_range=%s\n", host, IPAddr.new(host).to_range) + rescue IPAddr::InvalidAddressError => e + p e + exit 1 + rescue => e + put "Unexpected error", e + exit 1 + end + end +SCRIPT + update_template ${GITLAB_CONFIG} \ RACK_ATTACK_ENABLED \ RACK_ATTACK_WHITELIST \ @@ -959,6 +1159,9 @@ gitlab_configure_ci() { } gitlab_configure_artifacts() { + update_template ${GITLAB_CONFIG} \ + GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED + if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::artifacts:object_store" @@ -976,7 +1179,6 @@ gitlab_configure_artifacts() { fi update_template ${GITLAB_CONFIG} \ - GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED \ GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \ 
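Review bot: In the new RACK_ATTACK_WHITELIST validator, `put "Unexpected error", e` is not a Ruby method (`puts`), so the generic rescue raises NoMethodError instead of reporting the original error. The heredoc is unquoted and the shell splices `${RACK_ATTACK_WHITELIST}` straight into Ruby source, so any value that is not already a Ruby array literal is executed as code at configure time, and the ruby process's exit status is not checked, so the `exit 1` paths do not stop `gitlab_configure_rack_attack` unless the script runs under `set -e`, which this hunk does not show. Passing the value through the environment with a quoted heredoc and checking the status closes all three gaps; the normalized value is a JSON array, so `JSON.parse` is enough.
```shell
  echo "  Validating RACK_ATTACK_WHITELIST..."
  # quoted heredoc: the value is read from the environment, never spliced into Ruby source
  RACK_ATTACK_WHITELIST="${RACK_ATTACK_WHITELIST}" /usr/bin/env ruby << 'SCRIPT' || return 1
  require 'ipaddr'
  require 'json'
  JSON.parse(ENV['RACK_ATTACK_WHITELIST']).each do |host|
    begin
      printf("  input=%s, to_range=%s\n", host, IPAddr.new(host).to_range)
    rescue IPAddr::InvalidAddressError => e
      p e
      exit 1
    rescue => e
      puts "Unexpected error: #{e}"
      exit 1
    end
  end
SCRIPT
  # … unchanged: update_template call …
```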
@@ -988,6 +1190,7 @@ gitlab_configure_artifacts() {
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
+ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
@@ -1001,7 +1204,100 @@ gitlab_configure_artifacts() { GITLAB_ARTIFACTS_DIR } + +gitlab_configure_packages() { + update_template ${GITLAB_CONFIG} \ + GITLAB_PACKAGES_OBJECT_STORE_ENABLED + + if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::packages:object_store" + + if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google PACKAGES provider selected removing aws config" + exec_as_git sed -i "/#start-packages-aws/,/#end-packages-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-packages-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-packages-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS PACKAGES provider selected removing Google config" + exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \ + GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \ + GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + else + exec_as_git sed -i -e "/path: 
{{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + + echo "Configuring gitlab::packages..." + update_template ${GITLAB_CONFIG} \ + GITLAB_PACKAGES_ENABLED \ + GITLAB_PACKAGES_DIR +} + +gitlab_configure_terraform_state() { + update_template ${GITLAB_CONFIG} \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED + + if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::terraform_state:object_store" + + if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google TERRAFORM STATE provider selected removing aws config" + exec_as_git sed -i "/#start-terraform_state-aws/,/#end-terraform_state-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-terraform_state-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS TERRAFORM STATE provider selected removing Google config" + exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + 
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + else + exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + + echo "Configuring gitlab::terraform_state..." + update_template ${GITLAB_CONFIG} \ + GITLAB_TERRAFORM_STATE_ENABLED \ + GITLAB_TERRAFORM_STATE_STORAGE_PATH +} + gitlab_configure_lfs() { + update_template ${GITLAB_CONFIG} \ + GITLAB_LFS_OBJECT_STORE_ENABLED \ + if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::lfs:object_store" @@ -1019,7 +1315,6 @@ gitlab_configure_lfs() { fi update_template ${GITLAB_CONFIG} \ - GITLAB_LFS_OBJECT_STORE_ENABLED \ GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \ @@ -1031,6 +1326,7 @@ gitlab_configure_lfs() { GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION @@ -1045,6 +1341,9 @@ gitlab_configure_lfs() { } gitlab_configure_uploads() { + update_template ${GITLAB_CONFIG} \ + GITLAB_UPLOADS_OBJECT_STORE_ENABLED + if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then echo "Configuring gitlab::uploads:object_store" @@ -1062,7 +1361,6 @@ gitlab_configure_uploads() { fi update_template ${GITLAB_CONFIG} \ - GITLAB_UPLOADS_OBJECT_STORE_ENABLED \ GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \ GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \ GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \ 
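Review bot: In `gitlab_configure_lfs` the new `update_template ${GITLAB_CONFIG} \` / `GITLAB_LFS_OBJECT_STORE_ENABLED \` ends in a stray backslash: the continuation swallows the blank line that follows, which is the only reason it works today, and removing that blank line would turn the `if [[ ...` into arguments of `update_template`. Drop the trailing backslash, as the `gitlab_configure_packages`, `gitlab_configure_terraform_state` and `gitlab_configure_uploads` blocks in this diff do. The `sed -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;...;d;}"` and `/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;...;d;}` fallbacks delete a fixed count of lines (21 and 17 `N`s) after the marker, which silently breaks the moment the template block changes length; the `#start-…`/`#end-…` marker ranges already used a few lines above in the same functions would be the robust choice for the disabled case too.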
@@ -1074,6 +1372,7 @@ gitlab_configure_uploads() { GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION @@ -1163,6 +1462,29 @@ gitlab_configure_sentry(){ SENTRY_ENVIRONMENT } +gitlab_configure_content_security_policy(){ + echo "Configuring gitlab::content_security_policy..." + update_template ${GITLAB_CONFIG} \ + GITLAB_CONTENT_SECURITY_POLICY_ENABLED \ + GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI +} + nginx_configure_gitlab_ssl() { if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then echo "Configuring nginx::gitlab::ssl..." 
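Review bot: `gitlab_configure_content_security_policy` passes every directive to `update_template` even when its value is empty (`BASE_URI`, `CHILD_SRC`, `FONT_SRC`, `FORM_ACTION`, `MANIFEST_SRC`, `MEDIA_SRC` and `REPORT_URI` all default to empty in this diff), so the rendered gitlab.yml presumably ends up with bare `directive:` keys; what GitLab does with an empty directive is not visible here. `gitlab_configure_monitoring` in this same diff deletes the placeholder line for an empty `GITLAB_MONITORING_IP_WHITELIST` before templating, and the same pattern would keep the CSP section clean and make the intent explicit. A header comment such as `# Directive values are inserted verbatim; empty values leave the directive unset` would also document the contract for operators.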
@@ -1176,7 +1498,8 @@ nginx_configure_gitlab_ssl() { SSL_DHPARAM_PATH \ SSL_VERIFY_CLIENT \ SSL_CA_CERTIFICATES_PATH \ - SSL_CIPHERS + SSL_CIPHERS \ + SSL_PROTOCOLS fi } @@ -1236,7 +1559,8 @@ nginx_configure_gitlab() { GITLAB_PORT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ - NGINX_X_FORWARDED_PROTO + NGINX_X_FORWARDED_PROTO \ + NGINX_CUSTOM_GITLAB_SERVER_CONFIG nginx_configure_gitlab_ssl nginx_configure_gitlab_hsts @@ -1265,7 +1589,9 @@ nginx_configure_gitlab_registry() { GITLAB_REGISTRY_HOST \ GITLAB_REGISTRY_API_URL \ SSL_REGISTRY_KEY_PATH \ - SSL_REGISTRY_CERT_PATH + SSL_REGISTRY_CERT_PATH \ + SSL_REGISTRY_CIPHERS \ + SSL_REGISTRY_PROTOCOLS fi } @@ -1283,6 +1609,8 @@ nginx_configure_pages(){ GITLAB_PAGES_DOMAIN \ SSL_PAGES_CERT_PATH \ SSL_PAGES_KEY_PATH \ + SSL_PAGES_CIPHERS \ + SSL_PAGES_PROTOCOLS \ SSL_DHPARAM_PATH \ GITLAB_LOG_DIR else @@ -1385,7 +1713,17 @@ initialize_datadir() { chmod u+rwX ${GITLAB_SHARED_DIR} chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR} - # create attifacts dir + # create the ci_secure_files directory + mkdir -p ${GITLAB_SHARED_DIR}/ci_secure_files + chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files + chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files + + # create external-diffs dir + mkdir -p ${GITLAB_SHARED_DIR}/external-diffs + chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs + chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs + + # create artifacts dir mkdir -p ${GITLAB_ARTIFACTS_DIR} chmod u+rwX ${GITLAB_ARTIFACTS_DIR} chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} 
@@ -1404,6 +1742,13 @@ initialize_datadir() { chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} + # create terraform_state directory + if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then + mkdir -p ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} + chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} + chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} + fi + # create registry dir if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then mkdir -p ${GITLAB_REGISTRY_DIR} @@ -1411,6 +1756,13 @@ initialize_datadir() { chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} fi + # create packages directory + if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then + mkdir -p ${GITLAB_PACKAGES_DIR} + chmod u+rwX ${GITLAB_PACKAGES_DIR} + chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR} + fi + # create the backups directory mkdir -p ${GITLAB_BACKUP_DIR} if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then @@ -1428,25 +1780,6 @@ initialize_datadir() { chmod 700 ${GITLAB_DATA_DIR}/.ssh chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh - - # recompile and persist assets when relative_url is in use - if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then - mkdir -p ${GITLAB_TEMP_DIR}/cache - chmod 755 ${GITLAB_TEMP_DIR}/cache - chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/cache - - mkdir -p ${GITLAB_TEMP_DIR}/assets - chmod 755 ${GITLAB_TEMP_DIR}/assets - chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/assets - - # symlink ${GITLAB_INSTALL_DIR}/tmp/cache -> ${GITLAB_TEMP_DIR}/cache - rm -rf ${GITLAB_INSTALL_DIR}/tmp/cache - exec_as_git ln -s ${GITLAB_TEMP_DIR}/cache ${GITLAB_INSTALL_DIR}/tmp/cache - - # symlink ${GITLAB_INSTALL_DIR}/public/assets -> ${GITLAB_TEMP_DIR}/assets - rm -rf ${GITLAB_INSTALL_DIR}/public/assets - exec_as_git ln -s ${GITLAB_TEMP_DIR}/assets ${GITLAB_INSTALL_DIR}/public/assets - fi } sanitize_datadir() { 
@@ -1477,11 +1810,21 @@ sanitize_datadir() { chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} + # create terraform_state directory + # TODO : wrap with "if [[ _ENABLED ]]" condition + chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state + chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state + if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then chmod -R u+rwX ${GITLAB_REGISTRY_DIR} chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} fi + if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then + chmod u+rwX ${GITLAB_PACKAGES_DIR} + chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR} + fi + find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \; find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \; chmod 0700 ${GITLAB_DATA_DIR}/uploads/ @@ -1497,7 +1840,7 @@ generate_ssh_key() { } generate_ssh_host_keys() { - sed -i "s|^[#]*MaxStartups 10:30:60|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config + sed -i "s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then echo -n "Generating OpenSSH host keys... " @@ -1517,6 +1860,38 @@ update_ssh_listen_port() { sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g" /etc/ssh/sshd_config } +generate_healthcheck_script() { + # configure healthcheck script + ## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html + local HEALTHCHECK_PROTOCOL="http" + if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then + HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s" + fi +cat > /usr/local/sbin/healthcheck < /etc/timezone + + echo "Container TimeZone -> ${TIMEZONE}" + fi +} + initialize_system() { map_uidgid initialize_logdir 
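Review bot: In `sanitize_datadir`, `if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then` tests only for a non-empty string, so `GITLAB_PACKAGES_ENABLED=false` still runs the chmod/chown, whereas the registry block just above and `initialize_datadir` in this diff compare against `== true`. The terraform_state block is hard-coded to `${GITLAB_SHARED_DIR}/terraform_state` and is not gated at all (the `TODO` acknowledges it), while `initialize_datadir` uses `${GITLAB_TERRAFORM_STATE_STORAGE_PATH}` behind `GITLAB_TERRAFORM_STATE_ENABLED`; with a custom path the chmod here targets a directory that may not exist and the configured one is never fixed up. Mirroring the `initialize_datadir` blocks resolves both.
```shell
  # terraform_state directory: same path and gate as initialize_datadir
  if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then
    chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
    chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH}
  fi
  # … unchanged: registry block …
  if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then
    chmod u+rwX ${GITLAB_PACKAGES_DIR}
    chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR}
  fi
```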
@@ -1524,6 +1899,7 @@ initialize_system() { update_ca_certificates generate_ssh_host_keys update_ssh_listen_port + configure_container_timezone install_configuration_templates rm -rf /var/run/supervisor.sock } @@ -1533,10 +1909,10 @@ install_configuration_templates() { install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644 - install_template ${GITLAB_USER}: gitlabhq/rack_attack.rb ${GITLAB_RACK_ATTACK_CONFIG} 0644 install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600 install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640 + install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640 if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644 @@ -1627,10 +2003,12 @@ configure_gitlab() { GITLAB_PROJECTS_LIMIT \ GITLAB_USERNAME_CHANGE \ GITLAB_DEFAULT_THEME \ - GITLAB_CREATE_GROUP + GITLAB_CREATE_GROUP \ + GITLAB_ISSUE_CLOSING_PATTERN gitlab_configure_database gitlab_configure_redis + gitlab_configure_actioncable gitlab_configure_secrets gitlab_configure_sidekiq gitlab_configure_gitaly @@ -1643,6 +2021,8 @@ configure_gitlab() { gitlab_configure_rack_attack gitlab_configure_ci gitlab_configure_artifacts + gitlab_configure_packages + gitlab_configure_terraform_state gitlab_configure_lfs gitlab_configure_uploads gitlab_configure_mattermost 
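Review bot: `gitlab_configure_rack_attack` is still called from configure_gitlab (visible as context in the `@@ -1643,6 +2021,8 @@` hunk on this line) even though install_configuration_templates no longer installs `gitlabhq/rack_attack.rb` into `${GITLAB_RACK_ATTACK_CONFIG}`. Unless that function, which is outside this view, was changed to stop reading or editing that file, it now operates on a path nothing creates; worth confirming, and if the rack_attack settings genuinely moved elsewhere, either drop the call or add a comment at the removed line such as `# rack_attack.rb is no longer templated; see gitlab_configure_rack_attack` so the next reader is not left guessing. The added `gitlabhq/cable.yml` install at mode 0640 is consistent with the sibling templates that carry connection details.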
@@ -1659,11 +2039,64 @@ configure_gitlab() { gitlab_configure_registry gitlab_configure_pages gitlab_configure_sentry + generate_healthcheck_script + gitlab_configure_content_security_policy # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket } +# feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized +gitlab_configure_feature_flags() { + echo "Configuring gitlab::feature_flags..." + + if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then + # Do nothing and reports no error if no targets specified + echo "- No targets specified. skipping..." + return 0 + fi + + # Build command line argument for script only when target is specified + # If not, scripts fails because option specifier is recognized as feature flags for example + # like "--disable --enable" : for this case, --disable is recognized as a value of option "--enable" + if [[ -n "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" ]]; then + GITLAB_FEATURE_FLAGS_DISABLE_TARGETS="--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" + fi + # The same goes for --enable (this is the last option passed to "rails runner" that will be run below) + # For this case (final option), it throws "missing argument" error for execution like: + # like "--disable feature1,feature2 --enable" + if [[ -n "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then + GITLAB_FEATURE_FLAGS_ENABLE_TARGETS="--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" + fi + + PWD_ORG=${PWD} + cd "${GITLAB_INSTALL_DIR}" + + # copy the script to temporal directory : to avoid permission issue + cp "${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb" "${GITLAB_TEMP_DIR}/" + chown "${GITLAB_USER}:" "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" + + echo "- Launching rails runner to set feature flags. This will take some time...." 
+ + # If arguments are empty, the script will do nothing and print object dump like below: + # - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]} + # DO NOT qupte variables : word splitting must be enabled. + # If disabled, whole string like '--disable feature_name_1,feature_name_2' + # will be recognized as single option and results to invalid argument error + # + # shellcheck disable=SC2086 + exec_as_git bundle exec rails runner "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" \ + ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \ + ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS} + + rm "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" + cd "${PWD_ORG}" +} + +configure_gitlab_requires_db() { + gitlab_configure_feature_flags +} + configure_gitlab_shell() { echo "Configuring gitlab-shell..." update_template ${GITLAB_SHELL_CONFIG} \ @@ -1675,6 +2108,13 @@ configure_gitlab_shell() { REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER + + # update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR + if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then + exec_as_git sed -i \ + "s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g" \ + ${GITLAB_SHELL_CONFIG} + fi } 
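Review bot: The early-return guard in gitlab_configure_feature_flags tests `GITLAB_FEATURE_FLAGS_ENABLE_TARGETS` twice, so a deployment that only sets `GITLAB_FEATURE_FLAGS_DISABLE_TARGETS` is reported as "No targets specified" and nothing is ever disabled; the condition should be `if [[ -z "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then`. The function also rewrites the two environment variables in place by prepending `--disable `/`--enable `, so if it were ever invoked twice in the same shell the runner would receive `--disable --disable ...`; building the arguments into locals (`local disable_args=""`, `local enable_args=""`) keeps the configured values intact. `cd "${GITLAB_INSTALL_DIR}"` is only undone after the rails runner returns, so under an errexit shell a failed runner leaves the caller in the install directory and the copied script in `${GITLAB_TEMP_DIR}`; running the block in a subshell, or a `pushd`/`popd` pair with the `rm` in a trap, avoids that. The comment typo "qupte" should read "quote".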
@@ -1717,12 +2157,29 @@ if [[ ${GITLAB_PAGES_ACCESS_CONTROL} == true ]]; then GITLAB_PAGES_ACCESS_CLIENT_SECRET \ GITLAB_PAGES_ACCESS_REDIRECT_URI \ GITLAB_PAGES_ACCESS_SECRET \ - GITLAB_PAGES_ACCESS_CONTROL_SERVER + GITLAB_PAGES_ACCESS_CONTROL_SERVER \ + GITLAB_INSTALL_DIR + + if [[ -n ${GITLAB_PAGES_ARTIFACTS_SERVER_URL} ]]; then + update_template ${GITLAB_PAGES_CONFIG} GITLAB_PAGES_ARTIFACTS_SERVER_URL + else + exec_as_git sed -i "/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d" ${GITLAB_PAGES_CONFIG} + fi +else + update_template ${GITLAB_PAGES_CONFIG} \ + GITLAB_INSTALL_DIR + + exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CLIENT_ID}}/d" ${GITLAB_PAGES_CONFIG} + exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CLIENT_SECRET}}/d" ${GITLAB_PAGES_CONFIG} + exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_REDIRECT_URI}}/d" ${GITLAB_PAGES_CONFIG} + exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_SECRET}}/d" ${GITLAB_PAGES_CONFIG} + exec_as_git sed -i "/{{GITLAB_PAGES_ACCESS_CONTROL_SERVER}}/d" ${GITLAB_PAGES_CONFIG} + exec_as_git sed -i "/{{GITLAB_PAGES_ARTIFACTS_SERVER_URL}}/d" ${GITLAB_PAGES_CONFIG} +fi cat >> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf </dev/null 2>&1 - fi - echo "Clearing cache..." exec_as_git bundle exec rake cache:clear >/dev/null 2>&1 echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT diff --git a/assets/runtime/scripts/configure_feature_flags.rb b/assets/runtime/scripts/configure_feature_flags.rb new file mode 100644 index 000000000..72197a99d --- /dev/null +++ b/assets/runtime/scripts/configure_feature_flags.rb 
@@ -0,0 +1,93 @@ +#!/usr/bin/env ruby + +require "optparse" +require "set" + +# sameersbn/docker-gitlab +# Ruby script to configure feature flags via CLI +# Intended to be executed in the context of Rails Runner of Gitlab application +# (to get valid "Feature" module, defined in (gitlab root)/lib/feature.rb) +# https://guides.rubyonrails.org/command_line.html#bin-rails-runner +# bundle exec rails runner -- --enable --disable + +class FeatureFlagCLI + def available_feature_flags() + # Feature flag lists are stored in (Gitlab root directory)/config/feature_flags/ + # We can get the directory by accessing "root" property of "Gitlab" Module + # (may returns /home/git/gitlab for sameersbn/docker-gitlab) + feature_flag_yamls = Dir.glob("#{Gitlab.root}/config/feature_flags/**/*.yml") + + if Gitlab.ee? + feature_flag_yamls.concat(Dir.glob("#{Gitlab.root}/ee/config/feature_flags/**/*.yml")) + end if + + list = feature_flag_yamls.map { |p| File.basename(p, File.extname(p)) } + list + end + + def parse_options(argv = ARGV) + op = OptionParser.new + + opts = { + to_be_disabled: [], + to_be_enabled: [], + # TODO support "opt out", "opt out removed" + # to_be_opted_out: [], + # opt_out_removed: [], + } + + op.on("-d", "--disable feature_a,feature_b,feature_c", Array, "comma-separated list of feature flags to be disabled (defaults: ${opts[:to_be_disabled]})") { |v| + opts[:to_be_disabled] = v.uniq + puts "- Specified feature flags to be disabled" + puts opts[:to_be_disabled].map { |f| format("--- %s", opt: f) } + } + op.on("-e", "--enable feature_a,feature_b,feature_c", Array, "comma-separated list of feature flags to be enabled (defaults: ${opts[:to_be_enabled]})") { |v| + opts[:to_be_enabled] = v.uniq + puts "- Specified feature flags to be enabled" + puts opts[:to_be_enabled].map { |f| format("--- %s", opt: f) } + } + + begin + args = op.parse(argv) + succeed = true + rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e + puts e.message + puts op.help + 
succeed = false + end + + [succeed, opts, args] + end + + def run + succeed, opts, args = parse_options + if succeed + available_flags = self.available_feature_flags + disable_targets = available_flags & opts[:to_be_disabled] + enable_targets = available_flags & opts[:to_be_enabled] + + disable_targets.each do |feature| + Feature.disable(feature) + end + + enable_targets.each do |feature| + Feature.enable(feature) + end + + invalid_enable_targets = opts[:to_be_enabled] - enable_targets + invalid_disable_targets = opts[:to_be_disabled] - disable_targets + invalid_targets = invalid_disable_targets | invalid_enable_targets + if invalid_targets.length > 0 + puts "- Following flags are probably invalid and have been ignored" + puts invalid_targets.map { |f| format("--- %s", name: f) } + end + end + + Feature.all + end +end + +features = FeatureFlagCLI.new.run +puts features.map { |f| + format("- feature %s : %s", name: f.name, state: f.state) +} diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml index ac7ca0b1e..97fe9d52e 100644 --- a/contrib/docker-swarm/docker-compose.yml +++ b/contrib/docker-swarm/docker-compose.yml 
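Review bot: The output formatting calls mix positional `%s` with a keyword hash: `format("--- %s", opt: f)` prints the hash's inspect form rather than the flag name, and the closing `format("- feature %s : %s", name: f.name, state: f.state)` supplies one positional argument (the hash) for two `%s` conversions, which raises ArgumentError at the point the summary is printed. Use named references throughout, e.g. `format("- feature %<name>s : %<state>s", name: f.name, state: f.state)` and `format("--- %<name>s", name: f)` (the `opt:` variants likewise). Separately, the `end if` that closes the `if Gitlab.ee?` block in available_feature_flags is a stray modifier: it either fails to parse or takes the following `list = feature_flag_yamls.map { ... }` assignment as its condition, in which case the list is built before the EE globs are appended and EE flags are never recognised; it should be a plain `end`. The option descriptions also use `${opts[...]}` where Ruby interpolation is `#{...}`, so they print literally, and `require "set"` is unused.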
@@ -1,172 +1,178 @@ -version: '3.4' - services: redis: restart: always - image: redis:5.0.9 + image: redis:7 command: - - --loglevel warning + - --loglevel warning volumes: - - /srv/docker/gitlab/redis:/var/lib/redis:Z + - /srv/docker/gitlab/redis:/var/lib/redis:Z postgresql: restart: always - image: sameersbn/postgresql:11-20200524 + image: kkimurak/sameersbn-postgresql:16 volumes: - - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z + - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z environment: - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - DB_EXTENSION=pg_trgm + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm gitlab: restart: always - image: sameersbn/gitlab:13.5.3 + image: sameersbn/gitlab:18.5.1 depends_on: - - redis - - postgresql + - redis + - postgresql ports: - - "10080:80" - - "10022:22" + - "10080:80" + - "10022:22" volumes: - - /srv/docker/gitlab/gitlab:/home/git/data:Z + - /srv/docker/gitlab/gitlab:/home/git/data:Z configs: - gitlab-configs secrets: - gitlab-secrets environment: - - DEBUG=false - - - DB_ADAPTER=postgresql - - DB_HOST=postgresql - - DB_PORT=5432 - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - - REDIS_HOST=redis - - REDIS_PORT=6379 - - - TZ=Asia/Kolkata - - GITLAB_TIMEZONE=Kolkata - - - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - - - GITLAB_HOST=localhost - - GITLAB_PORT=10080 - - GITLAB_SSH_PORT=10022 - - GITLAB_RELATIVE_URL_ROOT= - - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string - - - GITLAB_ROOT_PASSWORD= - - GITLAB_ROOT_EMAIL= - - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - - - GITLAB_EMAIL=notifications@example.com - - GITLAB_EMAIL_REPLY_TO=noreply@example.com - - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com - - - 
GITLAB_BACKUP_SCHEDULE=daily - - GITLAB_BACKUP_TIME=01:00 - - - SMTP_ENABLED=false - - SMTP_DOMAIN=www.example.com - - SMTP_HOST=smtp.gmail.com - - SMTP_PORT=587 - - SMTP_USER=mailer@example.com - - SMTP_PASS=password - - SMTP_STARTTLS=true - - SMTP_AUTHENTICATION=login - - - IMAP_ENABLED=false - - IMAP_HOST=imap.gmail.com - - IMAP_PORT=993 - - IMAP_USER=mailer@example.com - - IMAP_PASS=password - - IMAP_SSL=true - - IMAP_STARTTLS=false - - - OAUTH_ENABLED=false - - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER= - - OAUTH_ALLOW_SSO= - - OAUTH_BLOCK_AUTO_CREATED_USERS=true - - OAUTH_AUTO_LINK_LDAP_USER=false - - OAUTH_AUTO_LINK_SAML_USER=false - - OAUTH_EXTERNAL_PROVIDERS= - - - OAUTH_CAS3_LABEL=cas3 - - OAUTH_CAS3_SERVER= - - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false - - OAUTH_CAS3_LOGIN_URL=/cas/login - - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate - - OAUTH_CAS3_LOGOUT_URL=/cas/logout - - - OAUTH_GOOGLE_API_KEY= - - OAUTH_GOOGLE_APP_SECRET= - - OAUTH_GOOGLE_RESTRICT_DOMAIN= - - - OAUTH_FACEBOOK_API_KEY= - - OAUTH_FACEBOOK_APP_SECRET= - - - OAUTH_TWITTER_API_KEY= - - OAUTH_TWITTER_APP_SECRET= - - - OAUTH_GITHUB_API_KEY= - - OAUTH_GITHUB_APP_SECRET= - - OAUTH_GITHUB_URL= - - OAUTH_GITHUB_VERIFY_SSL= - - - OAUTH_GITLAB_API_KEY= - - OAUTH_GITLAB_APP_SECRET= - - - OAUTH_BITBUCKET_API_KEY= - - OAUTH_BITBUCKET_APP_SECRET= - - - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= - - OAUTH_SAML_IDP_CERT_FINGERPRINT= - - OAUTH_SAML_IDP_SSO_TARGET_URL= - - OAUTH_SAML_ISSUER= - - OAUTH_SAML_LABEL="Our SAML Provider" - - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient - - OAUTH_SAML_GROUPS_ATTRIBUTE= - - OAUTH_SAML_EXTERNAL_GROUPS= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= - - - OAUTH_CROWD_SERVER_URL= - - OAUTH_CROWD_APP_NAME= - - OAUTH_CROWD_APP_PASSWORD= - - - 
OAUTH_AUTH0_CLIENT_ID= - - OAUTH_AUTH0_CLIENT_SECRET= - - OAUTH_AUTH0_DOMAIN= - - OAUTH_AUTH0_SCOPE= - - - OAUTH2_GENERIC_APP_ID= - - OAUTH2_GENERIC_APP_SECRET= - - OAUTH2_GENERIC_CLIENT_SITE= - - OAUTH2_GENERIC_CLIENT_USER_INFO_URL= - - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL= - - OAUTH2_GENERIC_CLIENT_TOKEN_URL= - - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT= - - OAUTH2_GENERIC_ID_PATH= - - OAUTH2_GENERIC_USER_UID= - - OAUTH2_GENERIC_USER_NAME= - - OAUTH2_GENERIC_USER_EMAIL= - - OAUTH2_GENERIC_NAME= - - - OAUTH_AZURE_API_KEY= - - OAUTH_AZURE_API_SECRET= - - OAUTH_AZURE_TENANT_ID= + - DEBUG=false + + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + + - REDIS_HOST=redis + - REDIS_PORT=6379 + + - TZ=Asia/Kolkata + - GITLAB_TIMEZONE=Kolkata + + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false + + - GITLAB_HOST=localhost + - GITLAB_PORT=10080 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"] + - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"] + - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string + + - GITLAB_ROOT_PASSWORD= + - GITLAB_ROOT_EMAIL= + + - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true + - GITLAB_NOTIFY_PUSHER=false + + - GITLAB_EMAIL=notifications@example.com + - GITLAB_EMAIL_REPLY_TO=noreply@example.com + - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com + + - GITLAB_BACKUP_SCHEDULE=daily + - GITLAB_BACKUP_TIME=01:00 + + - SMTP_ENABLED=false + - SMTP_DOMAIN=www.example.com + - SMTP_HOST=smtp.gmail.com + - 
SMTP_PORT=587 + - SMTP_USER=mailer@example.com + - SMTP_PASS=password + - SMTP_STARTTLS=true + - SMTP_AUTHENTICATION=login + + - IMAP_ENABLED=false + - IMAP_HOST=imap.gmail.com + - IMAP_PORT=993 + - IMAP_USER=mailer@example.com + - IMAP_PASS=password + - IMAP_SSL=true + - IMAP_STARTTLS=false + + - OAUTH_ENABLED=false + - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER= + - OAUTH_ALLOW_SSO= + - OAUTH_BLOCK_AUTO_CREATED_USERS=true + - OAUTH_AUTO_LINK_LDAP_USER=false + - OAUTH_AUTO_LINK_SAML_USER=false + - OAUTH_EXTERNAL_PROVIDERS= + - OAUTH_ALLOW_BYPASS_TWO_FACTOR=false + + - OAUTH_CAS3_LABEL=cas3 + - OAUTH_CAS3_SERVER= + - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false + - OAUTH_CAS3_LOGIN_URL=/cas/login + - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate + - OAUTH_CAS3_LOGOUT_URL=/cas/logout + + - OAUTH_GOOGLE_API_KEY= + - OAUTH_GOOGLE_APP_SECRET= + - OAUTH_GOOGLE_RESTRICT_DOMAIN= + + - OAUTH_FACEBOOK_API_KEY= + - OAUTH_FACEBOOK_APP_SECRET= + + - OAUTH_TWITTER_API_KEY= + - OAUTH_TWITTER_APP_SECRET= + + - OAUTH_GITHUB_API_KEY= + - OAUTH_GITHUB_APP_SECRET= + - OAUTH_GITHUB_URL= + - OAUTH_GITHUB_VERIFY_SSL= + + - OAUTH_GITLAB_API_KEY= + - OAUTH_GITLAB_APP_SECRET= + + - OAUTH_BITBUCKET_API_KEY= + - OAUTH_BITBUCKET_APP_SECRET= + - OAUTH_BITBUCKET_URL= + + - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= + - OAUTH_SAML_IDP_CERT_FINGERPRINT= + - OAUTH_SAML_IDP_SSO_TARGET_URL= + - OAUTH_SAML_ISSUER= + - OAUTH_SAML_LABEL="Our SAML Provider" + - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - OAUTH_SAML_GROUPS_ATTRIBUTE= + - OAUTH_SAML_EXTERNAL_GROUPS= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= + + - OAUTH_CROWD_SERVER_URL= + - OAUTH_CROWD_APP_NAME= + - OAUTH_CROWD_APP_PASSWORD= + + - OAUTH_AUTH0_CLIENT_ID= + - OAUTH_AUTH0_CLIENT_SECRET= + - OAUTH_AUTH0_DOMAIN= + - 
OAUTH_AUTH0_SCOPE= + + - OAUTH2_GENERIC_APP_ID= + - OAUTH2_GENERIC_APP_SECRET= + - OAUTH2_GENERIC_CLIENT_SITE= + - OAUTH2_GENERIC_CLIENT_USER_INFO_URL= + - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL= + - OAUTH2_GENERIC_CLIENT_TOKEN_URL= + - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT= + - OAUTH2_GENERIC_ID_PATH= + - OAUTH2_GENERIC_USER_UID= + - OAUTH2_GENERIC_USER_NAME= + - OAUTH2_GENERIC_USER_EMAIL= + - OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE= + - OAUTH2_GENERIC_LABEL= + - OAUTH2_GENERIC_NAME= + + - OAUTH_AZURE_API_KEY= + - OAUTH_AZURE_API_SECRET= + - OAUTH_AZURE_TENANT_ID= configs: gitlab-configs: diff --git a/contrib/expose-gitlab-ssh-port.sh b/contrib/expose-gitlab-ssh-port.sh index 51f5339ec..0211d27ea 100644 --- a/contrib/expose-gitlab-ssh-port.sh +++ b/contrib/expose-gitlab-ssh-port.sh 
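Review bot: The image references move from pinned tags (`redis:5.0.9`, `sameersbn/postgresql:11-20200524`) to floating major tags `redis:7` and `kkimurak/sameersbn-postgresql:16`, while `sameersbn/gitlab:18.5.1` stays pinned; for a stack file meant to be deployed as-is that lets the database and cache layers change underneath users on every pull and makes a swarm rollout harder to reproduce, so a fully qualified tag or a digest would be consistent with the gitlab line. The postgresql image also comes from a different namespace than the rest of the stack, which deserves a one-line comment above it stating why, e.g. `# postgresql: <reason this image namespace is used instead of sameersbn/postgresql>`. Dropping `version:` is fine for the Compose specification, but since this file lives under contrib/docker-swarm it is worth confirming that the targeted `docker stack deploy` accepts a file without it.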
@@ -10,15 +10,15 @@ if ! id -u git >> /dev/null 2>&1; then fi su git -c "mkdir -p /home/git/.ssh/" -su git -c "if [ ! -f /home/git/.ssh/id_rsa ]; then ssh-keygen -t rsa -b 4096 -N \"\" -f /home/git/.ssh/id_rsa; fi" -su git -c "if [ -f /home/git/.ssh/id_rsa.pub ]; then mv /home/git/.ssh/id_rsa.pub /home/git/.ssh/authorized_keys_proxy; fi" +su git -c "if [ ! -f /home/git/.ssh/id_ed25519 ]; then ssh-keygen -t ed25519 -N \"\" -f /home/git/.ssh/id_ed25519; fi" +su git -c "if [ -f /home/git/.ssh/id_ed25519.pub ]; then mv /home/git/.ssh/id_ed25519.pub /home/git/.ssh/authorized_keys_proxy; fi" mkdir -p /home/git/gitlab-shell/bin/ rm -f /home/git/gitlab-shell/bin/gitlab-shell tee -a /home/git/gitlab-shell/bin/gitlab-shell > /dev/null <= 2.4 - - [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5-1 +## Prerequisites +- [Docker Distribution](https://github.com/docker/distribution) >= 2.4 +- [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5-1 -# Installation +## Installation -## Setup with Nginx as Reverse Proxy +### Setup with Nginx as Reverse Proxy We assume that you already have Nginx installed on your host system and that you use a reverse proxy configuration to connect to your GitLab container. 
@@ -26,17 +34,17 @@ you use a reverse proxy configuration to connect to your GitLab container. In this example we use a dedicated domain for the registry. The URLs for the GitLab installation and the registry are: -* git.example.com -* registry.example.com +- git.example.com +- registry.example.com > Note: You could also run everything on the same domain and use different ports > instead. The required configuration changes below should be straightforward. -### Create auth tokens +#### Create auth tokens GitLab needs a certificate ("auth token") to talk to the registry API. The tokens must be provided in the `/certs` directory of your container. You could -use an existing domain ceritificate or create your own with a very long +use an existing domain certificate or create your own with a very long lifetime like this: ```bash @@ -55,8 +63,7 @@ openssl x509 -in registry.csr -out registry.crt -req -signkey registry.key -days It doesn't matter which details (domain name, etc.) you enter during key creation. This information is not used at all. - -### Update docker-compose.yml +#### Update docker-compose.yml First add the configuration for the registry container to your `docker-compose.yml`. @@ -108,7 +115,7 @@ Then update the `volumes` and `environment` sections of your `gitlab` container: - ./certs:/certs ``` -### Nginx Site Configuration +#### Nginx Site Configuration ```nginx server { @@ -150,9 +157,9 @@ server { } ``` -# Configuration +## Configuration -## Available Parameters +### Available Parameters Here is an example of all configuration parameters that can be used in the GitLab container. 
@@ -174,15 +181,15 @@ where: | Parameter | Description | | --------- | ----------- | -| `GITLAB_REGISTRY_ENABLED ` | `true` or `false`. Enables the Registry in GitLab. By default this is `false`. | -| `GITLAB_REGISTRY_HOST ` | The host URL under which the Registry will run and the users will be able to use. | -| `GITLAB_REGISTRY_PORT ` | The port under which the external Registry domain will listen on. | -| `GITLAB_REGISTRY_API_URL ` | The internal API URL under which the Registry is exposed to. | -| `GITLAB_REGISTRY_KEY_PATH `| The private key location that is a pair of Registry's `rootcertbundle`. Read the [token auth configuration documentation][token-config]. | -| `GITLAB_REGISTRY_PATH ` | This should be the same directory like specified in Registry's `rootdirectory`. Read the [storage configuration documentation][storage-config]. This path needs to be readable by the GitLab user, the web-server user and the Registry user *if you use filesystem as storage configuration*. Read more in [#container-registry-storage-path](#container-registry-storage-path). | +| `GITLAB_REGISTRY_ENABLED` | `true` or `false`. Enables the Registry in GitLab. By default this is `false`. | +| `GITLAB_REGISTRY_HOST` | The host URL under which the Registry will run and the users will be able to use. | +| `GITLAB_REGISTRY_PORT` | The port under which the external Registry domain will listen on. | +| `GITLAB_REGISTRY_API_URL` | The internal API URL under which the Registry is exposed to. | +| `GITLAB_REGISTRY_KEY_PATH`| The private key location that is a pair of Registry's `rootcertbundle`. Read the [token auth configuration documentation][token-config]. | +| `GITLAB_REGISTRY_PATH` | This should be the same directory like specified in Registry's `rootdirectory`. Read the [storage configuration documentation][storage-config]. This path needs to be readable by the GitLab user, the web-server user and the Registry user *if you use filesystem as storage configuration*. 
Read more in [#container-registry-storage-path](#container-registry-storage-path). | | `GITLAB_REGISTRY_ISSUER` | This should be the same value as configured in Registry's `issuer`. Otherwise the authentication will not work. For more info read the [token auth configuration documentation][token-config]. | -| `SSL_REGISTRY_KEY_PATH ` | The private key of the `SSL_REGISTRY_CERT_PATH`. This will be later used in nginx to proxy your registry via https. | -| `SSL_REGISTRY_CERT_PATH ` | The certificate for the private key of `SSL_REGISTRY_KEY_PATH`. This will be later used in nginx to proxy your registry via https. | +| `SSL_REGISTRY_KEY_PATH` | The private key of the `SSL_REGISTRY_CERT_PATH`. This will be later used in nginx to proxy your registry via https. | +| `SSL_REGISTRY_CERT_PATH` | The certificate for the private key of `SSL_REGISTRY_KEY_PATH`. This will be later used in nginx to proxy your registry via https. | For more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters). @@ -200,12 +207,9 @@ gitlab: ... ``` -## Container Registry storage driver +### Container Registry storage driver -You can configure the Container Registry to use a different storage backend by -configuring a different storage driver. By default the GitLab Container Registry -is configured to use the filesystem driver, which makes use of [storage path](#container-registry-storage-path) -configuration. These configurations will all be done in the registry container. +You can configure the Container Registry to use a different storage backend by configuring a different storage driver. By default the GitLab Container Registry is configured to use the filesystem driver, which makes use of [storage path](#container-registry-storage-path) configuration. These configurations will all be done in the registry container. The different supported drivers are: 
@@ -224,10 +228,10 @@ Read more about the individual driver's config options in the > **Warning** GitLab will not backup Docker images that are not stored on the filesystem. Remember to enable backups with your object storage provider if desired. > > If you use **filesystem** as storage driver you need to mount the path from `GITLAB_REGISTRY_DIR` of the GitLab container in the registry container. So both container can access the registry data. -> If you don't change `GITLAB_REGISTRY_DIR` you will find your registry data in the mounted volume from the GitLab Container under `./gitlab/shared/registry`. This don't need to be seprated mounted because `./gitlab` is already mounted in the GitLab Container. If it will be mounted seperated the whole restoring proccess of GitLab backup won't work because gitlab try to create an folder under `./gitlab/shared/registry` /`GITLAB_REGISTRY_DIR` and GitLab can't delete/remove the mount point inside the container so the restoring process of the backup will fail. +> If you don't change `GITLAB_REGISTRY_DIR` you will find your registry data in the mounted volume from the GitLab Container under `./gitlab/shared/registry`. This don't need to be separated mounted because `./gitlab` is already mounted in the GitLab Container. If it will be mounted separated the whole restoring process of GitLab backup won't work because gitlab try to create an folder under `./gitlab/shared/registry` /`GITLAB_REGISTRY_DIR` and GitLab can't delete/remove the mount point inside the container so the restoring process of the backup will fail. > An example how it works is in the `docker-compose`. -### Example for Amazon Simple Storage Service (s3) +#### Example for Amazon Simple Storage Service (s3) If you want to configure your registry via `/etc/docker/registry/config.yml` your storage part should like this snippet below. @@ -243,8 +247,6 @@ storage: enabled: true ``` - - ```yaml ... registry: 
@@ -265,20 +267,19 @@ storage: - REGISTRY_STORAGE_DELETE_ENABLED=true ``` -Generaly for more information about the configuration of the registry container you can find it under [registry configuration](https://docs.docker.com/registry/configuration). - +Generally for more information about the configuration of the registry container you can find it under [registry configuration](https://docs.docker.com/registry/configuration). -## Storage limitations +### Storage limitations Currently, there is no storage limitation, which means a user can upload an infinite amount of Docker images with arbitrary sizes. This setting will be configurable in future releases. +## Maintenance -# Maintenance If you use another storage configuration than filesystem it will have no impact on your Maintenance workflow. -## Creating Backups +### Creating Backups Creating Backups is the same like without a container registry. I would recommend to stop your registry container. @@ -287,11 +288,13 @@ docker stop registry gitlab && docker rm registry gitlab ``` Execute the rake task with a removeable container. + ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:13.5.3 app:rake gitlab:backup:create + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:create ``` -## Restoring Backups + +### Restoring Backups GitLab also defines a rake task to restore a backup. @@ -305,7 +308,7 @@ Execute the rake task to restore a backup. Make sure you run the container in in ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:13.5.3 app:rake gitlab:backup:restore + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore ``` The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. 
@@ -314,18 +317,17 @@ To avoid user interaction in the restore operation, specify the timestamp of the ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:13.5.3 app:rake gitlab:backup:restore BACKUP=1417624827 + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore BACKUP=1417624827 ``` -# Upgrading from an existing GitLab installation - +## Upgrading from an existing GitLab installation If you want enable this feature for an existing instance of GitLab you need to do the following steps. - **Step 1**: Update the docker image. ```bash -docker pull sameersbn/gitlab:13.5.3 +docker pull sameersbn/gitlab:18.5.1 ``` - **Step 2**: Stop and remove the currently running image @@ -365,6 +367,7 @@ docker run --name registry -d \ --env 'REGISTRY_STORAGE_DELETE_ENABLED=true' \ registry:2.4.1 ``` + - **Step 6**: Start the image ```bash @@ -378,14 +381,8 @@ docker run --name gitlab -d [PREVIOUS_OPTIONS] \ --env 'GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt' \ --env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \ --link registry:registry -sameersbn/gitlab:13.5.3 +sameersbn/gitlab:18.5.1 ``` - -[wildcard certificate]: https://en.wikipedia.org/wiki/Wildcard_certificate -[ce-4040]: https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/4040 -[docker-insecure]: https://docs.docker.com/registry/insecure/ -[registry-deploy]: https://docs.docker.com/registry/deploying/ [storage-config]: https://docs.docker.com/registry/configuration/#storage [token-config]: https://docs.docker.com/registry/configuration/#token -[8-8-docs]: https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/doc/administration/container_registry.md diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml index d1bf70c4c..903ba799c 100644 --- a/docs/docker-compose-keycloak.yml +++ b/docs/docker-compose-keycloak.yml 
@@ -1,178 +1,178 @@ -version: '2' - services: redis: restart: always - image: redis:5.0.9 + image: redis:7 command: - - --loglevel warning + - --loglevel warning volumes: - - redis-data:/var/lib/redis:Z + - redis-data:/var/lib/redis:Z postgresql: restart: always - image: sameersbn/postgresql:11-20200524 + image: kkimurak/sameersbn-postgresql:16 volumes: - - postgresql-data:/var/lib/postgresql:Z + - postgresql-data:/var/lib/postgresql:Z environment: - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - DB_EXTENSION=pg_trgm,btree_gist + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm,btree_gist gitlab: restart: always - image: sameersbn/gitlab:13.5.3 + image: sameersbn/gitlab:18.5.1 depends_on: - - redis - - postgresql + - redis + - postgresql ports: - - "10080:80" - - "10022:22" + - "10080:80" + - "10022:22" volumes: - - gitlab-data:/home/git/data:Z + - gitlab-data:/home/git/data:Z environment: - - DEBUG=false - - - DB_ADAPTER=postgresql - - DB_HOST=postgresql - - DB_PORT=5432 - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - - REDIS_HOST=redis - - REDIS_PORT=6379 - - - TZ=Asia/Kolkata - - GITLAB_TIMEZONE=Kolkata - - - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false - - - GITLAB_HOST='' - - GITLAB_PORT=10080 - - GITLAB_SSH_PORT=10022 - - GITLAB_RELATIVE_URL_ROOT= - - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string - - - GITLAB_ROOT_PASSWORD= - - GITLAB_ROOT_EMAIL= - - - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true - - GITLAB_NOTIFY_PUSHER=false - - - GITLAB_EMAIL=notifications@example.com - - GITLAB_EMAIL_REPLY_TO=noreply@example.com - - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com - - - GITLAB_BACKUP_SCHEDULE=daily - - GITLAB_BACKUP_TIME=01:00 - - - SMTP_ENABLED=false - - SMTP_DOMAIN=www.example.com - - SMTP_HOST=smtp.gmail.com - 
- SMTP_PORT=587 - - SMTP_USER=mailer@example.com - - SMTP_PASS=password - - SMTP_STARTTLS=true - - SMTP_AUTHENTICATION=login - - - IMAP_ENABLED=false - - IMAP_HOST=imap.gmail.com - - IMAP_PORT=993 - - IMAP_USER=mailer@example.com - - IMAP_PASS=password - - IMAP_SSL=true - - IMAP_STARTTLS=false - - - OAUTH_ENABLED=true - - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak - - OAUTH_ALLOW_SSO=Keycloak - - OAUTH_BLOCK_AUTO_CREATED_USERS=false - - OAUTH_AUTO_LINK_LDAP_USER=false - - OAUTH_AUTO_LINK_SAML_USER=false - - OAUTH_EXTERNAL_PROVIDERS=Keycloak - - - OAUTH_CAS3_LABEL=cas3 - - OAUTH_CAS3_SERVER= - - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false - - OAUTH_CAS3_LOGIN_URL=/cas/login - - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate - - OAUTH_CAS3_LOGOUT_URL=/cas/logout - - - OAUTH_GOOGLE_API_KEY= - - OAUTH_GOOGLE_APP_SECRET= - - OAUTH_GOOGLE_RESTRICT_DOMAIN= - - - OAUTH_FACEBOOK_API_KEY= - - OAUTH_FACEBOOK_APP_SECRET= - - - OAUTH_TWITTER_API_KEY= - - OAUTH_TWITTER_APP_SECRET= - - - OAUTH_GITHUB_API_KEY= - - OAUTH_GITHUB_APP_SECRET= - - OAUTH_GITHUB_URL= - - OAUTH_GITHUB_VERIFY_SSL= - - - OAUTH_GITLAB_API_KEY= - - OAUTH_GITLAB_APP_SECRET= - - - OAUTH_BITBUCKET_API_KEY= - - OAUTH_BITBUCKET_APP_SECRET= - - - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= - - OAUTH_SAML_IDP_CERT_FINGERPRINT= - - OAUTH_SAML_IDP_SSO_TARGET_URL= - - OAUTH_SAML_ISSUER= - - OAUTH_SAML_LABEL="Our SAML Provider" - - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient - - OAUTH_SAML_GROUPS_ATTRIBUTE= - - OAUTH_SAML_EXTERNAL_GROUPS= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= - - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= - - - OAUTH_CROWD_SERVER_URL= - - OAUTH_CROWD_APP_NAME= - - OAUTH_CROWD_APP_PASSWORD= - - - OAUTH_AUTH0_CLIENT_ID= - - OAUTH_AUTH0_CLIENT_SECRET= - - OAUTH_AUTH0_DOMAIN= - - OAUTH_AUTH0_SCOPE= - - - OAUTH_AZURE_API_KEY= - - 
OAUTH_AZURE_API_SECRET= - - OAUTH_AZURE_TENANT_ID= - - - OAUTH2_GENERIC_APP_ID=git - - OAUTH2_GENERIC_APP_SECRET= - - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 - - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://:10081/auth/realms/master/protocol/openid-connect/userinfo - - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://:10081/auth/realms/master/protocol/openid-connect/auth - - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://:10081/auth/realms/master/protocol/openid-connect/token - - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout - - OAUTH2_GENERIC_ID_PATH=sub - - OAUTH2_GENERIC_USER_UID=sub - - OAUTH2_GENERIC_USER_NAME=preferred_username - - OAUTH2_GENERIC_USER_EMAIL=email - - OAUTH2_GENERIC_NAME=Keycloak + - DEBUG=false + + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + + - REDIS_HOST=redis + - REDIS_PORT=6379 + + - TZ=Asia/Kolkata + - GITLAB_TIMEZONE=Kolkata + + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false + + - GITLAB_HOST='' + - GITLAB_PORT=10080 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string + + - GITLAB_ROOT_PASSWORD= + - GITLAB_ROOT_EMAIL= + + - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true + - GITLAB_NOTIFY_PUSHER=false + + - GITLAB_EMAIL=notifications@example.com + - GITLAB_EMAIL_REPLY_TO=noreply@example.com + - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com + + - GITLAB_BACKUP_SCHEDULE=daily + - GITLAB_BACKUP_TIME=01:00 + + - SMTP_ENABLED=false + - SMTP_DOMAIN=www.example.com + - SMTP_HOST=smtp.gmail.com + - SMTP_PORT=587 + - SMTP_USER=mailer@example.com + - SMTP_PASS=password + - SMTP_STARTTLS=true + - SMTP_AUTHENTICATION=login + + - 
IMAP_ENABLED=false + - IMAP_HOST=imap.gmail.com + - IMAP_PORT=993 + - IMAP_USER=mailer@example.com + - IMAP_PASS=password + - IMAP_SSL=true + - IMAP_STARTTLS=false + + - OAUTH_ENABLED=true + - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak + - OAUTH_ALLOW_SSO=Keycloak + - OAUTH_BLOCK_AUTO_CREATED_USERS=false + - OAUTH_AUTO_LINK_LDAP_USER=false + - OAUTH_AUTO_LINK_SAML_USER=false + - OAUTH_EXTERNAL_PROVIDERS=Keycloak + + - OAUTH_CAS3_LABEL=cas3 + - OAUTH_CAS3_SERVER= + - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false + - OAUTH_CAS3_LOGIN_URL=/cas/login + - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate + - OAUTH_CAS3_LOGOUT_URL=/cas/logout + + - OAUTH_GOOGLE_API_KEY= + - OAUTH_GOOGLE_APP_SECRET= + - OAUTH_GOOGLE_RESTRICT_DOMAIN= + + - OAUTH_FACEBOOK_API_KEY= + - OAUTH_FACEBOOK_APP_SECRET= + + - OAUTH_TWITTER_API_KEY= + - OAUTH_TWITTER_APP_SECRET= + + - OAUTH_GITHUB_API_KEY= + - OAUTH_GITHUB_APP_SECRET= + - OAUTH_GITHUB_URL= + - OAUTH_GITHUB_VERIFY_SSL= + + - OAUTH_GITLAB_API_KEY= + - OAUTH_GITLAB_APP_SECRET= + + - OAUTH_BITBUCKET_API_KEY= + - OAUTH_BITBUCKET_APP_SECRET= + - OAUTH_BITBUCKET_URL= + + - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= + - OAUTH_SAML_IDP_CERT_FINGERPRINT= + - OAUTH_SAML_IDP_SSO_TARGET_URL= + - OAUTH_SAML_ISSUER= + - OAUTH_SAML_LABEL="Our SAML Provider" + - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - OAUTH_SAML_GROUPS_ATTRIBUTE= + - OAUTH_SAML_EXTERNAL_GROUPS= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= + + - OAUTH_CROWD_SERVER_URL= + - OAUTH_CROWD_APP_NAME= + - OAUTH_CROWD_APP_PASSWORD= + + - OAUTH_AUTH0_CLIENT_ID= + - OAUTH_AUTH0_CLIENT_SECRET= + - OAUTH_AUTH0_DOMAIN= + - OAUTH_AUTH0_SCOPE= + + - OAUTH_AZURE_API_KEY= + - OAUTH_AZURE_API_SECRET= + - OAUTH_AZURE_TENANT_ID= + + - OAUTH2_GENERIC_APP_ID=git + - 
OAUTH2_GENERIC_APP_SECRET= + - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 + - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://:10081/auth/realms/master/protocol/openid-connect/userinfo + - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://:10081/auth/realms/master/protocol/openid-connect/auth + - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://:10081/auth/realms/master/protocol/openid-connect/token + - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout + - OAUTH2_GENERIC_ID_PATH=sub + - OAUTH2_GENERIC_USER_UID=sub + - OAUTH2_GENERIC_USER_NAME=preferred_username + - OAUTH2_GENERIC_USER_EMAIL=email + - OAUTH2_GENERIC_NAME=Keycloak keycloak: restart: always image: jboss/keycloak:8.0.1 ports: - - "10081:8080" + - "10081:8080" environment: - - DEBUG=false - - KEYCLOAK_PASSWORD=admin - - KEYCLOAK_USER=admin + - DEBUG=false + - KEYCLOAK_PASSWORD=admin + - KEYCLOAK_USER=admin volumes: redis-data: diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml index ae55e507d..24b75c8db 100644 --- a/docs/docker-compose-registry.yml +++ b/docs/docker-compose-registry.yml 
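Review bot: The postgresql service now pulls `kkimurak/sameersbn-postgresql:16`, a publisher namespace different from the `sameersbn/` images used elsewhere in this file, and `redis:7` is a floating major tag where the replaced line pinned `5.0.9`; a reader copying this example has no way to tell whether that namespace is one the project vouches for, and the floating tag makes the sample non-reproducible. Pinning by digest (`image: kkimurak/sameersbn-postgresql:16@sha256:<digest-placeholder>`) or at least by a full version tag, plus a comment above the image line such as `# maintained fork of sameersbn/postgresql; see <link-placeholder>`, would make the provenance explicit. The same image swaps appear in docs/docker-compose-registry.yml, kubernetes/postgresql-rc.yml and kubernetes/redis-rc.yml in this commit, so the note applies there as well.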
@@ -1,92 +1,91 @@ -version: '2' - services: redis: restart: always - image: redis:5.0.9 + image: redis:7 command: - - --loglevel warning + - --loglevel warning volumes: - - redis:/var/lib/redis:Z + - redis:/var/lib/redis:Z postgresql: restart: always - image: sameersbn/postgresql:11-20200524 + image: kkimurak/sameersbn-postgresql:16 volumes: - - postgresql:/var/lib/postgresql:Z + - postgresql:/var/lib/postgresql:Z environment: - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - DB_EXTENSION=pg_trgm,btree_gist + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm,btree_gist gitlab: restart: always - image: sameersbn/gitlab:13.5.3 + image: sameersbn/gitlab:18.5.1 volumes: - - gitlab-data:/home/git/data:Z - - gitlab-logs:/var/log/gitlab - - ./certs:/certs + - gitlab-data:/home/git/data:Z + - gitlab-logs:/var/log/gitlab + - ./certs:/certs depends_on: - - redis - - postgresql + - redis + - postgresql ports: - - "80:80" - - "10022:22" + - "80:80" + - "10022:22" external_links: - - "registry:registry.example.com" + - "registry:registry.example.com" environment: - - DEBUG=false + - DEBUG=false - - DB_ADAPTER=postgresql - - DB_HOST=postgresql - - DB_PORT=5432 - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production - - REDIS_HOST=redis - - REDIS_PORT=6379 + - REDIS_HOST=redis + - REDIS_PORT=6379 - - GITLAB_HTTPS=false - - SSL_SELF_SIGNED=false + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false - - GITLAB_HOST=gitlab.example.com - - GITLAB_PORT=80 - - GITLAB_SSH_PORT=10022 - - GITLAB_RELATIVE_URL_ROOT= - - GITLAB_SECRETS_DB_KEY_BASE=secret - - GITLAB_SECRETS_SECRET_KEY_BASE=secret - - GITLAB_SECRETS_OTP_KEY_BASE=secret + - GITLAB_HOST=gitlab.example.com + - GITLAB_PORT=80 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - 
GITLAB_SECRETS_DB_KEY_BASE=secret + - GITLAB_SECRETS_SECRET_KEY_BASE=secret + - GITLAB_SECRETS_OTP_KEY_BASE=secret + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret - - GITLAB_REGISTRY_ENABLED=true - - GITLAB_REGISTRY_HOST=registry.example.com - - GITLAB_REGISTRY_PORT=5000 - - GITLAB_REGISTRY_API_URL=https://registry.example.com:5000 - - GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt - - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key + - GITLAB_REGISTRY_ENABLED=true + - GITLAB_REGISTRY_HOST=registry.example.com + - GITLAB_REGISTRY_PORT=5000 + - GITLAB_REGISTRY_API_URL=https://registry.example.com:5000 + - GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt + - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key registry: restart: always image: registry:2.4.1 ports: - - "5000:5000" + - "5000:5000" volumes: - - registry-data:/var/lib/registry - - ./certs:/certs + - registry-data:/var/lib/registry + - ./certs:/certs external_links: - - "gitlab:gitlab.example.com" + - "gitlab:gitlab.example.com" environment: - - REGISTRY_LOG_LEVEL=info - - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry - - REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth - - REGISTRY_AUTH_TOKEN_SERVICE=container_registry - - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer - - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt - - REGISTRY_STORAGE_DELETE_ENABLED=true - - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt - - REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key - - REGISTRY_HTTP_SECRET=secret + - REGISTRY_LOG_LEVEL=info + - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry + - REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth + - REGISTRY_AUTH_TOKEN_SERVICE=container_registry + - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer + - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt + - REGISTRY_STORAGE_DELETE_ENABLED=true + - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt + - REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key + - 
REGISTRY_HTTP_SECRET=secret volumes: gitlab-data: diff --git a/docs/docker-swarm-traefik-registry.md b/docs/docker-swarm-traefik-registry.md index cf6f479dc..62384b64d 100644 --- a/docs/docker-swarm-traefik-registry.md +++ b/docs/docker-swarm-traefik-registry.md @@ -151,6 +151,7 @@ You can copy it and set it in the file like: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string +- GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string ``` There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc. @@ -331,6 +332,7 @@ docker run -d \ --name gitlab-runner \ --restart always \ -v gitlab-runner:/etc/gitlab-runner \ + -v /tmp/builds:/tmp/builds \ -v /var/run/docker.sock:/var/run/docker.sock \ gitlab/gitlab-runner:latest ``` @@ -363,7 +365,11 @@ gitlab-runner \ register -n \ --name "Docker Runner" \ --executor docker \ + --locked false \ + --access-level not_protected \ + --builds-dir /tmp/builds \ --docker-image docker:latest \ + --docker-volumes /tmp/builds:/tmp/builds \ --docker-volumes /var/run/docker.sock:/var/run/docker.sock \ --url $GITLAB_URL \ --registration-token $GITLAB_TOKEN \ diff --git a/docs/exposing-ssh-port.md b/docs/exposing-ssh-port.md index 9c37baee6..a2dbca10a 100644 --- a/docs/exposing-ssh-port.md +++ b/docs/exposing-ssh-port.md 
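Review bot: The re-indented gitlab and registry environment blocks still carry `GITLAB_SECRETS_DB_KEY_BASE=secret`, `GITLAB_SECRETS_SECRET_KEY_BASE=secret`, `GITLAB_SECRETS_OTP_KEY_BASE=secret`, the newly added `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret` and `REGISTRY_HTTP_SECRET=secret`, and every one of those lines is already touched by this hunk. This is the moment to switch them to the self-describing placeholder the sibling docs/docker-compose-keycloak.yml uses (`long-and-random-alphanumeric-string`) so a copied example does not start with guessable key material; a comment above the block, `# replace every *_KEY_BASE value, DB_PASS and REGISTRY_HTTP_SECRET before first start`, would reinforce that. Separately, `image: registry:2.4.1` is the only image in the file left unbumped while gitlab, postgresql and redis all move to current releases; worth confirming that is intentional.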
@@ -3,6 +3,5 @@ This is how to expose this internal ssh port without affecting the existing ssh port on the host server: * use this configuration script: [`../contrib/expose-gitlab-ssh-port.sh`](../contrib/expose-gitlab-ssh-port.sh) -* see implementation example in Vagrant: [harobed/docker-gitlab-vagrant-test -](https://github.com/harobed/docker-gitlab-vagrant-test) +* see implementation example in Vagrant: [harobed/docker-gitlab-vagrant-test](https://github.com/harobed/docker-gitlab-vagrant-test) * more information, see [« Exposing ssh port in dockerized gitlab-ce »](https://blog.xiaket.org/2017/exposing.ssh.port.in.dockerized.gitlab-ce.html) post diff --git a/docs/keycloak-idp.md b/docs/keycloak-idp.md index 23f3eb08d..04bc3c734 100644 --- a/docs/keycloak-idp.md +++ b/docs/keycloak-idp.md @@ -1,4 +1,4 @@ -# Integrate Keycloak as a IDP with GitLab +# Integrate Keycloak as an IDP with GitLab In this document, we will explain how to set up Keycloak and integrate it into GitLab. @@ -26,6 +26,8 @@ Next, click save, get the client secret generated by Keycloak and start filling ![Keycloak client secret](images/keycloak-secret.png) +Set the following in the docker-compose file: + ```yaml - OAUTH2_GENERIC_APP_SECRET= - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 
@@ -35,7 +37,19 @@ Next, click save, get the client secret generated by Keycloak and start filling - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout ``` -Make sure the following variables are filled in the docker-compose file: +`` is the IP address of your keycloak. For this example this would be your IP address, but if your Keycloak existed elsewhere for your deployment `` would be different as would the port and the realm. + +The following must also be configured: + +```yaml + - OAUTH2_GENERIC_USER_UID='preferred_username' + - OAUTH2_GENERIC_USER_NAME='name' + - OAUTH2_GENERIC_USER_EMAIL='email' +``` + +The values will be different for your deployment. Navigate Keycloak's UI, select `Clients`, click `[your client]`, then open the `Client Scopes` tab, then open `Evaluate` sub-tab, enter a username you know in the `User` field, select the match, then `Generate Access Token` to see the values you need to configure. + +Also, make sure the following variables are filled in the docker-compose file: ```yaml - GITLAB_HOST='' @@ -46,9 +60,10 @@ Make sure the following variables are filled in the docker-compose file: - OAUTH_BLOCK_AUTO_CREATED_USERS=false - OAUTH_AUTO_LINK_LDAP_USER=false - OAUTH_AUTO_LINK_SAML_USER=false - - OAUTH_EXTERNAL_PROVIDERS=Keycloak ``` +`` is the IP address of your GitLab for this example this would be the your IP address, but if your GitLab was to be proxied or deployed elsewhere `` would be another value appropriate for your deployment. + GitLab does not allow login from users in Keycloak with an empty email or name. To prevent this, you can create a new user in Keycloak or you can add email and name for the admin account. Visit the `Users` tab and click on `View all users` to modify the Admin user. 
@@ -58,8 +73,8 @@ Visit the `Users` tab and click on `View all users` to modify the Admin user. Modify the `Email`, `First name` and `Last Name` fields. ![admin-account](images/keycloak-admin-acc.png) -Deploy GitLab, Reddis and PostgreSQL by running the following command: `docker-compose up -d gitlab redis postgresql`. +Deploy GitLab, Redis and PostgreSQL by running the following command: `docker-compose up -d gitlab redis postgresql`. You can now login on the local GitLab instance with with Keycloak on your [local IP](http://localhost:10080). -![gitlab-login](images/keycloak-gitlab-login.png) \ No newline at end of file +![gitlab-login](images/keycloak-gitlab-login.png) diff --git a/docs/s3_compatible_storage.md b/docs/s3_compatible_storage.md index 7471206bc..6e5ba10af 100644 --- a/docs/s3_compatible_storage.md +++ b/docs/s3_compatible_storage.md 
@@ -1,24 +1,22 @@ -GitLab Backup to s3 compatible storage -================================================= +# GitLab Backup to s3 compatible storage -Enables automatic backups to selfhosted s3 compatible storage like minio (https://minio.io/) and others. +Enables automatic backups to self-hosted s3 compatible storage like minio () and others. This is an extend of AWS Remote Backups. As explained in [doc.gitlab.com](https://docs.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage), it uses [Fog library](http://fog.io) and the module fog-aws. More details on [s3 supported parameters](https://github.com/fog/fog-aws/blob/master/lib/fog/aws/storage.rb) - -- [Available Parameters](#available-parameters) -- [Installation](#installation) -- [Maintenance](#maintenance) +- [GitLab Backup to s3 compatible storage](#gitlab-backup-to-s3-compatible-storage) + - [Available Parameters](#available-parameters) + - [Installation](#installation) + - [Docker Compose](#docker-compose) - [Creating Backups](#creating-backups) - [Restoring Backups](#restoring-backups) - -# Available Parameters +## Available Parameters Here is an example of all configuration parameters that can be used in the GitLab container. -``` +```yaml ... gitlab: ... @@ -29,7 +27,6 @@ gitlab: - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 - AWS_BACKUP_BUCKET=docker - AWS_BACKUP_MULTIPART_CHUNK_SIZE=104857600 - ``` where: 
@@ -41,13 +38,13 @@ where: | `AWS_BACKUP_ACCESS_KEY_ID` | AWS access key id. No defaults. | | `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. | | `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. | -| `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables mulitpart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) | +| `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) | For more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters). A minimum set of these parameters are required to use the s3 compatible storage: -```yml +```yaml ... gitlab: environment: @@ -58,25 +55,24 @@ gitlab: - AWS_BACKUP_BUCKET=docker ... ``` -# Installation + +## Installation Starting a fresh installation with GitLab would be like the `docker-compose` file. -## Docker Compose +### Docker Compose This is an example with minio. ```yml -version: '2' - services: redis: restart: always - image: sameersbn/redis:4.0.9-2 + image: sameersbn/redis:7 command: - --loglevel warning volumes: - - /tmp/docker/gitlab/redis:/var/lib/redis:Z + - /tmp/docker/gitlab/redis:/data:Z postgresql: restart: always @@ -122,6 +118,7 @@ services: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true 
@@ -174,6 +171,7 @@ services: - OAUTH_GITLAB_APP_SECRET= - OAUTH_BITBUCKET_API_KEY= - OAUTH_BITBUCKET_APP_SECRET= + - OAUTH_BITBUCKET_URL= - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= - OAUTH_SAML_IDP_CERT_FINGERPRINT= - OAUTH_SAML_IDP_SSO_TARGET_URL= @@ -213,15 +211,16 @@ services: command: server /export ``` - -## Creating Backups +### Creating Backups Execute the rake task with a removeable container. + ```bash docker run --name gitlab -it --rm [OPTIONS] \ sameersbn/gitlab:8.16.4 app:rake gitlab:backup:create ``` -## Restoring Backups + +### Restoring Backups Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. diff --git a/entrypoint.sh b/entrypoint.sh index 1d9bc107c..2f3b15959 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -26,6 +26,7 @@ case ${1} in wait $SUPERVISOR_PID || true fi rm -rf /var/run/supervisor.sock + configure_gitlab_requires_db exec /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf ;; app:init) diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml index a74f8000f..e069a6814 100644 --- a/kubernetes/gitlab-rc.yml +++ b/kubernetes/gitlab-rc.yml @@ -14,7 +14,7 @@ spec: spec: containers: - name: gitlab - image: sameersbn/gitlab:13.5.3 + image: sameersbn/gitlab:18.5.1 env: - name: TZ value: Asia/Kolkata @@ -27,6 +27,14 @@ spec: value: long-and-random-alpha-numeric-string - name: GITLAB_SECRETS_OTP_KEY_BASE value: long-and-random-alpha-numeric-string + - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE + value: long-and-random-alpha-numeric-string + - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY + value: '[long-and-random-alpha-numeric-string]' + - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY + value: '[long-and-random-alpha-numeric-string]' + - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT + value: long-and-random-alpha-numeric-string - name: GITLAB_ROOT_PASSWORD value: 
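Review bot: `configure_gitlab_requires_db` is invoked unconditionally right before `exec /usr/bin/supervisord`, and nothing in the hunk inspects its outcome; unless the script runs under `set -e` (the top of the file is outside the hunk, so I cannot tell), a failure there is silently ignored and supervisord is started regardless. If the function is meant to abort startup on error, `configure_gitlab_requires_db || exit 1` makes that explicit. A one-line comment on why the call sits after the supervisor socket cleanup and before the exec would also help the next reader, e.g. `# DB-dependent configuration is generated here, after any previous supervisor has exited and before it is exec'd`. The enclosing `case ${1} in` block starts outside the hunk.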
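Review bot: The new `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`, `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` entries, like the existing `*_KEY_BASE` ones, are inline `value:` literals in a manifest that lives in the repository, so anyone following the example ends up committing live key material; sourcing them from a Secret with `valueFrom.secretKeyRef` keeps the keys out of the manifest, and the fence shows the shape for one entry. The `'[long-and-random-alpha-numeric-string]'` bracket form used for the two ACTIVE_RECORD keys differs from every other placeholder and presumably means the image expects a list; a comment such as `# list form: the image expects one or more keys here` would stop readers from stripping the brackets. Note also that docs/docker-compose-keycloak.yml, docs/docker-compose-registry.yml and docs/s3_compatible_storage.md in this same commit add only `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` and none of the ACTIVE_RECORD keys, so if the 18.x image requires them those examples are now inconsistent with this manifest.
```yaml
        # … unchanged: TZ and *_KEY_BASE entries …
        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
          valueFrom:
            secretKeyRef:
              name: gitlab-secrets  # constructed name; create the Secret out of band
              key: active-record-primary-key
        # … unchanged: remaining ACTIVE_RECORD keys and GITLAB_ROOT_PASSWORD …
```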
diff --git a/kubernetes/postgresql-rc.yml b/kubernetes/postgresql-rc.yml
index de00601e2..e6c4adbb3 100644
--- a/kubernetes/postgresql-rc.yml
+++ b/kubernetes/postgresql-rc.yml
@@ -14,7 +14,7 @@ spec:
 spec:
 containers:
 - name: postgresql
- image: sameersbn/postgresql:11-20200524
+ image: kkimurak/sameersbn-postgresql:16
 env:
 - name: DB_USER
 value: gitlab
diff --git a/kubernetes/redis-rc.yml b/kubernetes/redis-rc.yml
index 96a6119f9..0c7991d65 100644
--- a/kubernetes/redis-rc.yml
+++ b/kubernetes/redis-rc.yml
@@ -14,7 +14,7 @@ spec:
 spec:
 containers:
 - name: redis
- image: redis:5.0.9
+ image: redis:7
 ports:
 - name: redis
 containerPort: 6379
diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh
index bd49f28e1..db67c17fd 100755
--- a/scripts/release-notes.sh
+++ b/scripts/release-notes.sh
@@ -34,9 +34,21 @@ ${NOTABLE_CHANGES} For installation and usage instructions please refer to the [README](https://github.com/sameersbn/docker-gitlab/blob/${RELEASE}/README.md) +## Important notes + +Please note that this version does not yet include any rework as a consequence of the major release and possibly some functions in our implementation might not be usable yet or only to a limited extent. + +Don't forget to consider the version specific upgrading instructions for [GitLab CE](https://docs.gitlab.com/ee/update/) **before** upgrading your GitLab CE instance! + +Please note: + +- Before upgrading to GitLab 18 make sure to read and understand the [notes about breaking changes](https://about.gitlab.com/blog/2025/04/18/a-guide-to-the-breaking-changes-in-gitlab-18-0/). +- In GitLab 18.0 and later, [PostgreSQL 16 or later is required](https://docs.gitlab.com/install/installation/#software-requirements). +- See issues to be aware of when upgrading: . + ## Contributing -If you find this image useful here's how you can help: +You are kindly invited to provide contributions. If you find this image useful here's how you can help: - Send a Pull Request with your awesome new features and bug fixes - Be a part of the community and help resolve [issues](https://github.com/sameersbn/docker-gitlab/issues)