diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 000000000..10cf0a50a
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,343 @@ +version: 2.1 + +orbs: + shellcheck: circleci/shellcheck@3.4.0 + docker: circleci/docker@2.8.2 + go: circleci/go@1.11.0 + +commands: + docker-build: + description: | + Build and optionally deploy a Docker images + parameters: + dockerfile: + default: Dockerfile + description: 'Name of dockerfile to use, defaults to Dockerfile' + type: string + extra_build_args: + default: '' + description: > + Extra flags to pass to docker build. For examples, see + https://docs.docker.com/engine/reference/commandline/build + type: string + registry: + default: docker.io + description: | + Comma separated list of registry to use, defaults to docker.io + type: string + image: + description: Name of image to build + type: string + tag: + default: $CIRCLE_SHA1 + description: 'Image tag, defaults to the value of $CIRCLE_SHA1' + type: string + path: + default: . + description: > + Path to the directory containing your Dockerfile and build context, + defaults to . (working directory) + type: string + cache_from: + default: '' + description: > + Comma-separated list of images, images will first be pulled, then passed + as the --cache-from build argument + https://docs.docker.com/engine/reference/commandline/build/ + type: string + no_output_timeout: + default: 10m + description: | + No output timeout for build step + type: string + use-buildkit: + default: false + description: | + Use buildkit to build the image. 
Available on Docker >= 18.09.0 https://docs.docker.com/develop/develop-images/build_enhancements/ + type: boolean + steps: + - when: + condition: <> + steps: + - run: + name: Build image for <> + no_output_timeout: <> + command: > + echo "<>" | sed -n 1'p' | tr ',' '\n' | + while read image; do + echo "Pulling ${image}"; + docker pull ${image} || true + done + + docker_tag_args="" + + IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" + + for registry in "${DOCKER_REGISTRIES[@]}"; do + IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" + + for tag in "${DOCKER_TAGS[@]}"; do + docker_tag_args="$docker_tag_args -t $registry/<>:${tag}" + done + done + + docker buildx build + <<#parameters.extra_build_args>><><> + \ + --cache-from <> \ + -f <>/<> \ + $docker_tag_args \ + <> + - unless: + condition: <> + steps: + - run: + name: Building image for <> + no_output_timeout: <> + command: > + docker_tag_args="" + + IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" + + for registry in "${DOCKER_REGISTRIES[@]}"; do + IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" + + for tag in "${DOCKER_TAGS[@]}"; do + docker_tag_args="$docker_tag_args -t $registry/<>:${tag}" + done + done + + docker buildx build + <<#parameters.extra_build_args>><><> + \ + -f <>/<> \ + $docker_tag_args \ + <> + + docker-save: + description: | + Save one or more images to a tar archive + parameters: + registry: + default: docker.io + description: | + Comma separated list of registry to use, defaults to docker.io + type: string + image: + description: Name of image to build + type: string + tag: + default: $CIRCLE_SHA1 + description: 'Image tag, defaults to the value of $CIRCLE_SHA1' + type: string + steps: + - run: + name: Save image to tar archive + command: > + docker_images="" + + IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" + + for registry in "${DOCKER_REGISTRIES[@]}"; do + IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" + 
+ for tag in "${DOCKER_TAGS[@]}"; do + docker_images="$docker_images $registry/<>:${tag}" + done + done + + mkdir -p ~/docker/ + + docker save -o ~/docker/docker-images.tar $docker_images + - persist_to_workspace: + root: ~/ + paths: + - docker + + docker-load: + description: | + Load tar archive + steps: + - attach_workspace: + at: ~/ + - run: + name: Load images from tar archive + command: > + docker load -i ~/docker/docker-images.tar + + docker-publish: + description: | + Build and optionally deploy a Docker images + parameters: + pr: + default: '' + type: string + registry: + default: docker.io + description: | + Comma separated list of registry to use, defaults to docker.io + type: string + image: + description: Name of image to build + type: string + tag: + default: $CIRCLE_SHA1 + description: 'Image tag, defaults to the value of $CIRCLE_SHA1' + type: string + steps: + - unless: + condition: <> + steps: + - run: + name: Publish image for <> + command: > + IFS="," read -ra DOCKER_REGISTRIES \<<< "<< parameters.registry >>" + + for registry in "${DOCKER_REGISTRIES[@]}"; do + IFS="," read -ra DOCKER_TAGS \<<< "<< parameters.tag >>" + + for tag in "${DOCKER_TAGS[@]}"; do + docker push $registry/<< parameters.image>>:${tag} + done + done + +jobs: + build: + machine: + image: ubuntu-2404:edge + resource_class: large + steps: + - checkout + - docker-build: + registry: docker.io,quay.io + image: sameersbn/gitlab + tag: ${CIRCLE_TAG:-latest} + cache_from: docker.io/sameersbn/gitlab:latest + extra_build_args: '--build-arg VCS_REF=${CIRCLE_TAG:-${CIRCLE_SHA1}} --build-arg BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")"' + no_output_timeout: 45m + use-buildkit: true + - docker-save: + registry: docker.io,quay.io + image: sameersbn/gitlab + tag: ${CIRCLE_TAG:-latest} + + test: + executor: docker/machine + steps: + - checkout + - docker-load + - run: + name: Update tag in docker-compose.yml + command: | + sed -i "s|image: sameersbn/gitlab:.*|image: 
sameersbn/gitlab:${CIRCLE_TAG:-latest}|" docker-compose.yml + - run: + name: Launch gitlab stack + command: docker-compose up -d --quiet-pull + - run: + name: Container info + command: docker ps + - run: + name: Wait for stack bootup + command: sleep 90 + - run: + name: Show logs + command: docker-compose logs + - run: + name: Test image bootup + command: | + docker run --network container:$(docker-compose ps -q gitlab) \ + curlimages/curl --ipv4 --retry 60 --retry-delay 5 --retry-connrefused -svf http://localhost/explore -o /dev/null + + publish-dockerhub: + executor: docker/machine + steps: + - docker-load + - docker/check: + registry: docker.io + docker-username: DOCKER_LOGIN + docker-password: DOCKER_PASSWORD + - docker-publish: + registry: docker.io + image: sameersbn/gitlab + tag: ${CIRCLE_TAG:-latest} + + publish-quay: + executor: docker/machine + steps: + - docker-load + - docker/check: + registry: quay.io + docker-username: DOCKER_LOGIN + docker-password: DOCKER_PASSWORD + - docker-publish: + registry: quay.io + image: sameersbn/gitlab + tag: ${CIRCLE_TAG:-latest} + + release: + executor: + name: go/default + tag: '1.24' + steps: + - checkout + - run: + name: Installing github-release tool + command: go install github.com/meterup/github-release@latest + - run: + name: Creating github release + command: | + PRE_RELEASE=${CIRCLE_TAG/${CIRCLE_TAG%-rc[0-9]*}/} + github-release delete -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} 2>/dev/null ||: + ./scripts/release-notes.sh ${CIRCLE_TAG} | github-release release ${PRE_RELEASE:+-p} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} -d - + for f in $(find /tmp/dist -type f); do github-release upload -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -t ${CIRCLE_TAG} -n $(basename ${f}) -f ${f} ; done + +workflows: + build-test-and-release: + jobs: + - shellcheck/check: + name: shellcheck + exclude: SC2086,SC2181 + external_sources: true + filters: 
+ tags:
+ only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+ - build:
+ requires:
+ - shellcheck
+ filters:
+ tags:
+ only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+ - test:
+ requires:
+ - build
+ filters:
+ tags:
+ only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+ - publish-dockerhub:
+ context: dockerhub
+ requires:
+ - test
+ filters:
+ branches:
+ only: master
+ tags:
+ only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+ - publish-quay:
+ context: quay
+ requires:
+ - test
+ filters:
+ tags:
+ only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+ branches:
+ only: master
+ - release:
+ context: github
+ requires:
+ - publish-dockerhub
+ - publish-quay
+ filters:
+ tags:
+ only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+ branches:
+ ignore: /.*/
diff --git a/.github/stale.yml b/.github/stale.yml
new file mode 100644
index 000000000..019cbf42e
--- /dev/null
+++ b/.github/stale.yml
@@ -0,0 +1,18 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+ - pinned
+ - security
+ - keep-alive
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+ This issue has been automatically marked as stale because it has not had
+ any activity for the last 60 days. It will be closed if no further activity
+ occurs during the next 7 days. Thank you for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false
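Review bot: The release job fetches its publishing tool unpinned with `go install github.com/meterup/github-release@latest`, and that job runs under the `github` context whose token the tool then uses to delete and recreate the release, so a new upstream version or a compromised module path executes with that credential on every tagged build. Pin it to an immutable ref, `command: go install github.com/meterup/github-release@<tag-or-commit-sha>`, so the Go module checksum database can verify what is installed. In the same step, `for f in $(find /tmp/dist -type f)` word-splits paths, and nothing visible in this job writes to /tmp/dist after `checkout`, so the upload loop appears to be a no-op; presumably artifacts are meant to arrive from an earlier job via a workspace, worth confirming. The `docker pull ${image} || true` for `cache_from` also seeds the build cache from the mutable `docker.io/sameersbn/gitlab:latest` tag; acceptable for layer caching, but note it cannot be trusted for content since it is not verified.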
diff --git a/.gitignore b/.gitignore
index eb6011963..b0d15890e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 *.gem
 *.tar.gz
-
-docker-compose.yml
+*.tar.bz2
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 07ba61dbf..5e7b17980 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,59 @@ -image: docker:dind +image: docker:18-git -deploy: +stages: + - build + +before_script: + - export VERSION=$(cat VERSION) + - export CI_REGISTRY=${CI_REGISTRY:-hub.docker.com} + - export CI_REGISTRY_USER=${CI_REGISTRY_USER:-gitlab-ci-token} + - export CI_REGISTRY_PASSWORD=${CI_REGISTRY_PASSWORD:-${CI_JOB_TOKEN}} + - export DOCKER_IMAGE=${DOCKER_IMAGE:-${CI_REGISTRY}/${CI_PROJECT_PATH}} + - | + if [ "${DOCKER_IMAGE}" = "/" ]; then + export DOCKER_IMAGE=sameersbn/gitlab + fi + +docker:build: + stage: build + only: + - master + script: + - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} + - docker build + --pull + --cache-from=${DOCKER_IMAGE} + --build-arg=VCS_REF=$(git rev-parse --short HEAD) + --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" + --tag ${DOCKER_IMAGE} . + - docker push ${DOCKER_IMAGE} + +docker:build:branches: + stage: build + only: + - branches + except: + - master + script: + - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} + - docker build + --pull + --cache-from=${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} + --build-arg=VCS_REF=$(git rev-parse --short HEAD) + --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" + --tag ${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} . + - docker push ${DOCKER_IMAGE}:${CI_COMMIT_REF_SLUG} + +docker:build:release: + stage: build + only: + - tags script: - - ci/gitlab + - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} + - docker build + --pull + --cache-from=${DOCKER_IMAGE}:${VERSION} + --build-arg=VCS_REF=$(git rev-parse --short HEAD) + --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" + --tag ${DOCKER_IMAGE}:${VERSION} . + - docker push ${DOCKER_IMAGE}:${VERSION} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..1ec790677 --- /dev/null +++ b/CONTRIBUTING.md 
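Review bot: All three `docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}` lines pass the registry secret (by default `${CI_JOB_TOKEN}`) as a command-line argument, which exposes it in the process list and in any tracing of the job script; Docker deprecates `-p` for exactly this reason. Read it from stdin instead: `- echo "${CI_REGISTRY_PASSWORD}" | docker login -u "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"`. The fallback `CI_REGISTRY=${CI_REGISTRY:-hub.docker.com}` in `before_script` names the Docker Hub website rather than the registry endpoint (`docker.io`), so on an instance without its own registry the login and the `${CI_REGISTRY}/${CI_PROJECT_PATH}` image name likely fail — confirm against a run. The `docker:18-git` image provides only the client and the hunk declares no `services: [docker:dind]`, so the build steps presumably rely on a daemon socket exposed by the runner; worth stating in a comment so a shared-runner setup does not silently break.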
@@ -0,0 +1,12 @@
+# GitLab-CI Configuration
+
+When using your own GitLab instance, the provided .gitlab-ci.yml will automatically be using the settings provided by the GitLab instance. If needed, several options can be overriden.
+
+Overrides for these values can be set within the project, under `Settings` -> `CI/CD` -> `Variables`.
+
+| Variable | Default Value | Description |
+| ---------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `CI_REGISTRY` | `hub.docker.com` | If available this will be automatically overriden by registry address which is configured within the GitLab instance |
+| `CI_REGISTRY_USER` | `gitlab-ci-token` | Username for the registry |
+| `CI_REGISTRY_PASSWORD` | `${CI_JOB_TOKEN}` | Password for the registry |
+| `DOCKER_IMAGE` | `sameersbn/gitlab` | Docker image name, will automatically be overriden by the running GitLab instance with the `${CI_PROJECT_PATH}` variable. This will cause the image to be uploaded to the local registry of the project within GitLab. |
diff --git a/Changelog.md b/Changelog.md
index 92c14e6f6..9d9654314 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,20 +1,2755 @@ # Changelog -This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) for the list of changes in GitLab. +This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https:// +gitlab.com/gitlab-org/gitlab-foss/blob/master/CHANGELOG.md) for the list of changes in GitLab. + +## 18.5.1 + +- gitlab: upgrade CE to v18.5.1 +- gitaly: upgrade to v18.5.1 +- gitlab-pages: upgrade to v18.5.1 + +## 18.5.0 + +- gitlab: upgrade CE to v18.5.0 +- gitaly: upgrade to v18.5.0 +- gitlab-pages: upgrade to v18.5.0 +- gitlab-shell: upgrade to v14.45.3 +- golang: upgrade to v1.24.9 +- ubuntu: upgrade to noble-20251001 + +## 18.4.2 + +- gitlab: upgrade CE to v18.4.2 +- gitaly: upgrade to v18.4.2 +- gitlab-pages: upgrade to v18.4.2 +- golang: upgrade to v1.24.8 +- ubuntu: upgrade to noble-20250925 + +## 18.4.1 + +- gitlab: upgrade CE to v18.4.1 +- gitaly: upgrade to v18.4.1 +- gitlab-pages: upgrade to v18.4.1 +- ubuntu: upgrade to noble-20250910 + +## 18.4.0 + +- gitlab: upgrade CE to v18.4.0 +- gitaly: upgrade to v18.4.0 +- gitlab-pages: upgrade to v18.4.0 +- ubuntu: upgrade to noble-20250910 + +## 18.3.2 + +- gitlab: upgrade CE to v18.3.2 +- gitaly: upgrade to v18.3.2 +- gitlab-pages: upgrade to v18.3.2 +- gitlab-shell: upgrade to v14.45.2 +- golang: upgrade to v1.24.7 +- rubygems: upgrade to v3.7.2 +- ubuntu: upgrade to noble-20250805 + +## 18.3.1 + +- gitlab: upgrade CE to v18.3.1 +- gitaly: upgrade to v18.3.1 +- gitlab-pages: upgrade to v18.3.1 + +## 18.3.0 + +- gitlab: upgrade CE to v18.3.0 +- gitaly: upgrade to v18.3.0 +- gitlab-pages: upgrade to v18.3.0 + +## 18.2.4 + +- gitlab: upgrade CE to v18.2.4 +- gitaly: upgrade to v18.2.4 +- gitlab-pages: upgrade to v18.2.4 +- gitlab-shell: upgrade to v14.44.0 + +## 18.2.2 + +- gitlab: upgrade CE to v18.2.2 +- gitaly: upgrade to v18.2.2 +- 
gitlab-pages: upgrade to v18.2.2 +- golang: upgrade to v1.24.6 +- ubuntu: upgrade to noble-20250716 + +## 18.2.1 + +- gitlab: upgrade CE to v18.2.1 +- gitaly: upgrade to v18.2.1 +- gitlab-pages: upgrade to v18.2.1 +- ruby: upgrade to v3.2.9 +- rubygems: upgrade to v3.7.1 + +## 18.2.0 + +- gitlab: upgrade CE to v18.2.0 +- gitaly: upgrade to v18.2.0 +- gitlab-pages: upgrade to v18.2.0 +- gitlab-shell: upgrade to v14.43.0 +- rubygems: upgrade to v3.7.0 +- ubuntu: upgrade to noble-20250714 + +## 18.1.2 + +- gitlab: upgrade CE to v18.1.2 +- gitaly: upgrade to v18.1.2 +- gitlab-pages: upgrade to v18.1.2 +- golang: upgrade to v1.24.5 +- ubuntu: upgrade to noble-20250619 + +## 18.1.1 + +- gitlab: upgrade CE to v18.1.1 +- gitaly: upgrade to v18.1.1 +- gitlab-pages: upgrade to v18.1.1 + +## 18.1.0 + +- gitlab: upgrade CE to v18.1.0 +- gitaly: upgrade to v18.1.0 +- gitlab-pages: upgrade to v18.1.0 + +## 18.0.2 + +- gitlab: upgrade CE to v18.0.2 +- gitaly: upgrade to v18.0.2 +- gitlab-pages: upgrade to v18.0.2 +- golang: upgrade to v1.24.4 +- ubuntu: upgrade to noble-20250529 + +## 18.0.1 + +- gitlab: upgrade CE to v18.0.1 +- gitaly: upgrade to v18.0.1 +- gitlab-pages: upgrade to v18.0.1 +- gitlab-shell: upgrade to v14.42.0 + +## 18.0.0 + +- gitlab: upgrade CE to v18.0.0 +- gitaly: upgrade to v18.0.0 +- gitlab-pages: upgrade to v18.0.0 +- redis: upgrade to v7 +- rubygems: upgrade to v3.6.9 +- ubuntu: upgrade to noble-20250415.1 + +## 17.11.2 + +- gitlab: upgrade CE to v17.11.2 +- gitaly: upgrade to v17.11.2 +- gitlab-pages: upgrade to v17.11.2 +- golang: upgrade to v1.24.3 +- ubuntu: upgrade to jammy-20250415.1 + +## 17.11.1 + +- gitlab: upgrade CE to v17.11.1 +- gitaly: upgrade to v17.11.1 +- gitlab-pages: upgrade to v17.11.1 +- rubygems: upgrade to v3.6.8 + +## 17.11.0 + +- gitlab: upgrade CE to v17.11.0 +- gitaly: upgrade to v17.11.0 +- gitlab-pages: upgrade to v17.11.0 + +## 17.10.4 + +- gitlab: upgrade CE to v17.10.4 +- gitaly: upgrade to v17.10.4 +- gitlab-pages: upgrade 
to v17.10.4 +- ubuntu: upgrade to jammy-20250404 + +## 17.10.3 + +- gitlab: upgrade CE to v17.10.3 +- gitaly: upgrade to v17.10.3 +- gitlab-pages: upgrade to v17.10.3 +- golang: upgrade to v1.24.2 +- ruby: upgrade to v3.2.8 + +## 17.10.1 + +- gitlab: upgrade CE to v17.10.1 +- gitaly: upgrade to v17.10.1 +- gitlab-pages: upgrade to v17.10.1 + +## 17.10.0 + +- gitlab: upgrade CE to v17.10.0 +- gitaly: upgrade to v17.10.0 +- gitlab-pages: upgrade to v17.10.0 +- golang: upgrade to v1.24.1 +- rubygems: upgrade to v3.6.6 + +## 17.9.2 + +- gitlab: upgrade CE to v17.9.2 +- gitaly: upgrade to v17.9.2 +- gitlab-pages: upgrade to v17.9.2 + +## 17.9.1 + +- gitlab: upgrade CE to v17.9.1 +- gitaly: upgrade to v17.9.1 +- gitlab-pages: upgrade to v17.9.1 + +## 17.9.0 + +- gitlab: upgrade CE to v17.9.0 +- gitaly: upgrade to v17.9.0 +- gitlab-pages: upgrade to v17.9.0 +- gitlab-shell: upgrade to v14.40.0 +- golang: upgrade to v1.24.0 +- rubygems: upgrade to v3.5.23 +- ubuntu: upgrade to jammy-20250126 + +## 17.8.2 + +- gitlab: upgrade CE to v17.8.2 +- gitaly: upgrade to v17.8.2 +- gitlab-pages: upgrade to v17.8.2 +- golang: upgrade to v1.23.6 +- ruby: upgrade to v3.2.7 + +## 17.8.1 + +- gitlab: upgrade CE to v17.8.1 +- gitaly: upgrade to v17.8.1 +- gitlab-pages: upgrade to v17.8.1 + +## 17.8.0 + +- gitlab: upgrade CE to v17.8.0 +- gitaly: upgrade to v17.8.0 +- gitlab-pages: upgrade to v17.8.0 + +## 17.7.1 + +- gitlab: upgrade CE to v17.7.1 +- gitaly: upgrade to v17.7.1 +- gitlab-pages: upgrade to v17.7.1 + +## 17.7.0 + +- gitlab: upgrade CE to v17.7.0 +- gitaly: upgrade to v17.7.0 +- gitlab-pages: upgrade to v17.7.0 +- ubuntu: upgrade to jammy-20240911.1 +- update healthcheck for postgresql + +## 17.6.3 + +- gitlab: upgrade CE to v17.6.3 +- gitaly: upgrade to v17.6.3 +- gitlab-pages: upgrade to v17.6.3 + +## 17.6.2 + +- gitlab: upgrade CE to v17.6.2 +- gitaly: upgrade to v17.6.2 +- gitlab-pages: upgrade to v17.6.2 + +## 17.6.1 + +- gitlab: upgrade CE to v17.6.1 +- gitlab-pages: 
upgrade to v17.6.1 +- gitaly: upgrade to v17.6.1 +- golang: upgrade to v1.23.5 + +## 17.6.0 + +- gitlab: upgrade CE to v17.6.0 +- gitaly: upgrade to v17.6.0 +- gitlab-pages: upgrade to v17.6.0 + +## 17.5.2 + +- gitlab: upgrade CE to v17.5.2 +- gitaly: upgrade to v17.5.2 +- gitlab-pages: upgrade to v17.5.2 +- golang: upgrade to v1.23.2 +- ruby: upgrade to v3.2.6 + +## 17.5.1 + +- gitlab: upgrade CE to v17.5.1 +- gitaly: upgrade to v17.5.1 +- gitlab-pages: upgrade to v17.5.1 + +## 17.5.0 + +- gitlab: upgrade CE to v17.5.0 +- gitaly: upgrade to v17.5.0 +- gitlab-pages: upgrade to v17.5.0 +- ubuntu: upgrade to focal-20241011 + +## 17.4.2 + +- gitlab: upgrade CE to v17.4.2 +- gitaly: upgrade to v17.4.2 +- gitlab-pages: upgrade to v17.4.2 +- golang: upgrade to v1.23.2 +- ubuntu: upgrade to focal-20240918 + +## 17.4.1 + +- gitlab: upgrade CE to v17.4.1 +- gitaly: upgrade to v17.4.1 +- gitlab-pages: upgrade to v17.4.1 + +## 17.4.0 + +- gitlab: upgrade CE to v17.4.0 +- gitaly: upgrade to v17.4.0 +- gitlab-pages: upgrade to v17.4.0 +- gitlab-shell: upgrade to v14.39.0 + +## 17.3.3 + +- gitlab: upgrade CE to v17.3.3 +- gitaly: upgrade to v17.3.3 +- gitlab-pages: upgrade to v17.3.3 + +## 17.3.2 + +- gitlab: upgrade CE to v17.3.2 +- gitaly: upgrade to v17.3.2 +- gitlab-pages: upgrade to v17.3.2 +- golang: upgrade to v1.23.1 + +## 17.3.1 + +- gitlab: upgrade CE to v17.3.1 +- gitaly: upgrade to v17.3.1 +- gitlab-pages: upgrade to v17.3.1 + +## 17.3.0 + +- gitlab: upgrade CE to v17.3.0 +- gitaly: upgrade to v17.3.0 +- gitlab-pages: upgrade to v17.3.0 +- gitlab-shell: upgrade to v14.38.0 +- golang: upgrade to v1.23.0 + +## 17.2.2 + +- gitlab: upgrade CE to v17.2.2 +- gitaly: upgrade to v17.2.2 +- gitlab-pages: upgrade to v17.2.2 +- golang: upgrade to v1.22.6 + +## 17.2.1 + +- gitlab: upgrade CE to v17.2.1 +- gitaly: upgrade to v17.2.1 +- gitlab-pages: upgrade to v17.2.1 +- ruby: upgrade to v3.2.5 + +## 17.2.0 + +- gitlab: upgrade CE to v17.2.0 +- gitaly: upgrade to v17.2.0 +- 
gitlab-pages: upgrade to v17.2.0 +- gitlab-shell: upgrade to v14.37.0 + +## 17.1.2 + +- gitlab: upgrade CE to v17.1.2 +- gitaly: upgrade to v17.1.2 +- gitlab-pages: upgrade to v17.1.2 +- golang: upgrade to v1.22.5 + +## 17.1.1 + +- gitlab: upgrade CE to v17.1.1 +- gitaly: upgrade to v17.1.1 +- gitlab-pages: upgrade to v17.1.1 + +## 17.1.0 + +- gitlab: upgrade CE to v17.1.0 +- gitaly: upgrade to v17.1.0 +- gitlab-pages: upgrade to v17.1.0 +- gitlab-shell: upgrade to v14.36.0 + +## 17.0.2 + +- gitlab: upgrade CE to v17.0.2 +- gitaly: upgrade to v17.0.2 +- gitlab-pages: upgrade to v17.0.2 +- golang: upgrade to v1.22.4 +- ubuntu: upgrade to focal-20240530 + +## 17.0.1 + +- gitlab: upgrade CE to v17.0.1 +- gitaly: upgrade to v17.0.1 +- gitlab-pages: upgrade to v17.0.1 + +## 17.0.0 + +- gitlab: upgrade CE to v17.0.0 +- gitaly: upgrade to v17.0.0 +- gitlab-pages: upgrade to v17.0.0 +- gitlab-shell: upgrade to v14.35.0 + +## 16.11.2 + +- gitlab: upgrade CE to v16.11.2 +- gitaly: upgrade to v16.11.2 +- gitlab-pages: upgrade to v16.11.2 +- golang: upgrade to v1.22.3 +- ubuntu: upgrade to focal-20240427 + +## 16.11.1 + +- gitlab: upgrade CE to v16.11.1 +- gitaly: upgrade to v16.11.1 +- gitlab-pages: upgrade to v16.11.1 +- ruby: upgrade to v3.2.4 +- ubuntu: upgrade to focal-20240416 + +## 16.11.0 + +- gitlab: upgrade CE to v16.11.0 +- gitaly: upgrade to v16.11.0 +- gitlab-pages: upgrade to v16.11.0 +- gitlab-shell: upgrade to v14.35.0 + +## 16.10.3 + +- gitlab: upgrade CE to v16.10.3 +- gitaly: upgrade to v16.10.3 +- gitlab-pages: upgrade to v16.10.3 +- ubuntu: upgrade to focal-20240410 + +## 16.10.2 + +- gitlab: upgrade CE to v16.10.2 +- gitaly: upgrade to v16.10.2 +- gitlab-pages: upgrade to v16.10.2 +- golang: upgrade to v1.22.2 + +## 16.10.1 + +- gitlab: upgrade CE to v16.10.1 +- gitaly: upgrade to v16.10.1 +- gitlab-pages: upgrade to v16.10.1 + +## 16.10.0 + +- gitlab: upgrade CE to v16.10.0 +- gitaly: upgrade to v16.10.0 +- gitlab-pages: upgrade to v16.10.0 +- 
gitlab-shell: upgrade to v14.34.0 + +## 16.9.2 + +- gitlab: upgrade CE to v16.9.2 +- gitaly: upgrade to v16.9.2 +- gitlab-pages: upgrade to v16.9.2 +- golang: upgrade to v1.22.1 +- ubuntu: upgrade to focal-20240216 + +## 16.9.1 + +- gitlab: upgrade CE to v16.9.1 +- gitaly: upgrade to v16.9.1 +- gitlab-pages: upgrade to v16.9.1 + +## 16.9.0 + +- gitlab: upgrade CE to v16.9.0 +- gitaly: upgrade to v16.9.0 +- gitlab-pages: upgrade to v16.9.0 + +## 16.8.2 + +- gitlab: upgrade CE to v16.8.2 +- gitaly: upgrade to v16.8.2 +- gitlab-pages: upgrade to v16.8.2 +- golang: upgrade to v1.22.0 +- ubuntu: upgrade to focal-20240123 + +## 16.8.1 + +- gitlab: upgrade CE to v16.8.1 +- gitaly: upgrade to v16.8.1 +- gitlab-pages: upgrade to v16.8.1 +- gitlab-shell: upgrade to v14.33.0 + +## 16.8.0 + +- gitlab: upgrade CE to v16.8.0 +- gitaly: upgrade to v16.8.0 +- gitlab-pages: upgrade to v16.8.0 + +## 16.7.3 + +- gitlab: upgrade CE to v16.7.3 +- gitaly: upgrade to v16.7.3 +- gitlab-pages: upgrade to v16.7.3 + +## 16.7.2 + +- gitlab: upgrade CE to v16.7.2 +- gitaly: upgrade to v16.7.2 +- gitlab-pages: upgrade to v16.7.2 +- golang: upgrade to v1.21.6 + +## 16.7.0 + +- gitlab: upgrade CE to v16.7.0 +- gitaly: upgrade to v16.7.0 +- gitlab-pages: upgrade to v16.7.0 +- gitlab-shell: upgrade to v14.32.0 +- ruby: upgrade to v3.1.4 + +## 16.6.2 + +- gitlab: upgrade CE to v16.6.2 +- gitaly: upgrade to v16.6.2 +- gitlab-pages: upgrade to v16.6.2 +- golang: upgrade to v1.21.5 +- ubuntu: upgrade to focal-20231211 + +## 16.6.1 + +- gitlab: upgrade CE to v16.6.1 +- gitaly: upgrade to v16.6.1 +- gitlab-pages: upgrade to v16.6.1 +- ubuntu: upgrade to focal-20231128 + +## 16.6.0 + +- gitlab: upgrade CE to v16.6.0 +- gitaly: upgrade to v16.6.0 +- gitlab-pages: upgrade to v16.6.0 +- gitlab-shell: upgrade to v14.30.0 +- golang: upgrade to v1.21.4 + +## 16.5.1 + +- gitlab: upgrade CE to v16.5.1 +- gitaly: upgrade to v16.5.1 +- gitlab-pages: upgrade to v16.5.1 + +## 16.5.0 + +- gitlab: upgrade CE to v16.5.0 
+- gitaly: upgrade to v16.5.0 +- gitlab-pages: upgrade to v16.5.0 +- gitlab-shell: upgrade to v14.29.0 +- golang: upgrade to v1.21.3 +- ubuntu: upgrade to focal-20231003 + +## 16.4.1 + +- gitlab: upgrade CE to v16.4.1 +- gitaly: upgrade to v16.4.1 +- gitlab-pages: upgrade to v16.4.1 + +## 16.4.0 + +- gitlab: upgrade CE to v16.4.0 +- gitaly: upgrade to v16.4.0 +- gitlab-pages: upgrade to v16.4.0 +- gitlab-shell: upgrade to v14.28.0 + +## 16.3.4 + +- gitlab: upgrade CE to v16.3.4 +- gitaly: upgrade to v16.3.4 +- gitlab-pages: upgrade to v16.3.4 + +## 16.3.3 + +- gitlab: upgrade CE to v16.3.3 +- gitaly: upgrade to v16.3.3 +- gitlab-pages: upgrade to v16.3.3 + +## 16.3.2 + +- gitlab: upgrade CE to v16.3.2 +- gitaly: upgrade to v16.3.2 +- gitlab-pages: upgrade to v16.3.2 +- golang: upgrade to v1.21.1 + +## 16.3.1 + +- gitlab: upgrade CE to v16.3.1 +- gitaly: upgrade to v16.3.1 +- gitlab-pages: upgrade to v16.3.1 + +## 16.3.0 + +- gitlab: upgrade CE to v16.3.0 +- gitaly: upgrade to v16.3.0 +- gitlab-pages: upgrade to v16.3.0 + +## 16.2.4 + +- gitlab: upgrade CE to v16.2.4 +- gitaly: upgrade to v16.2.4 +- gitlab-pages: upgrade to v16.2.4 +- golang: upgrade to v1.21.0 + +## 16.2.3 + +- gitlab: upgrade CE to v16.2.3 +- gitaly: upgrade to v16.2.3 +- gitlab-pages: upgrade to v16.2.3 + +## 16.2.2 + +- gitlab: upgrade CE to v16.2.2 +- gitaly: upgrade to v16.2.2 +- gitlab-pages: upgrade to v16.2.2 +- golang: upgrade to v1.20.7 +- ubuntu: upgrade to focal-20230801 + +## 16.2.1 + +- gitlab: upgrade CE to v16.2.1 +- gitaly: upgrade to v16.2.1 +- gitlab-pages: upgrade to v16.2.1 + +## 16.2.0 + +- gitlab: upgrade CE to v16.2.0 +- gitaly: upgrade to v16.2.0 +- gitlab-pages: upgrade to v16.2.0 +- golang: upgrade to v1.20.6 + +## 16.1.2 + +- gitlab: upgrade CE to v16.1.2 +- gitaly: upgrade to v16.1.2 +- gitlab-pages: upgrade to v16.1.2 +- ubuntu: upgrade to focal-20230624 + +## 16.1.1 + +- gitlab: upgrade CE to v16.1.1 +- gitaly: upgrade to v16.1.1 +- gitlab-pages: upgrade to v16.1.1 + 
+## 16.1.0 + +- gitlab: upgrade CE to v16.1.0 +- gitaly: upgrade to v16.1.0 +- gitlab-pages: upgrade to v16.1.0 +- gitlab-shell: upgrade to v14.23.0 + +## 16.0.5 + +- gitlab: upgrade CE to v16.0.5 +- gitaly: upgrade to v16.0.5 +- gitlab-pages: upgrade to v16.0.5 +- ubuntu: upgrade to focal-20230605 + +## 16.0.4 + +- gitlab: upgrade CE to v16.0.4 +- gitaly: upgrade to v16.0.4 +- gitlab-pages: upgrade to v16.0.4 + +## 16.0.3 + +- gitlab: upgrade CE to v16.0.3 +- gitaly: upgrade to v16.0.3 +- gitlab-pages: upgrade to v16.0.3 + +## 16.0.2 + +- gitlab: upgrade CE to v16.0.2 +- gitaly: upgrade to v16.0.2 +- gitlab-pages: upgrade to v16.0.2 +- golang: upgrade to v1.20.5 + +## 16.0.1 + +- gitlab: upgrade CE to v16.0.1 +- gitaly: upgrade to v16.0.1 +- gitlab-pages: upgrade to v16.0.1 + +## 16.0.0 + +- gitlab: upgrade CE to v16.0.0 +- gitaly: upgrade to v16.0.0 +- gitlab-pages: upgrade to v16.0.0 +- gitlab-shell: upgrade to v14.20.0 + +## 15.11.5 + +- gitlab: upgrade CE to v15.11.5 +- gitaly: upgrade to v15.11.5 +- gitlab-pages: upgrade to v15.11.5 + +## 15.11.4 + +- gitlab: upgrade CE to v15.11.4 +- gitaly: upgrade to v15.11.4 +- gitlab-pages: upgrade to v15.11.4 + +## 15.11.3 + +- gitlab: upgrade CE to v15.11.3 +- gitaly: upgrade to v15.11.3 +- gitlab-pages: upgrade to v15.11.3 +- ruby: upgrade to v3.0.6 + +## 15.11.2 + +- gitlab: upgrade CE to v15.11.2 +- gitaly: upgrade to v15.11.2 +- gitlab-pages: upgrade to v15.11.2 + +## 15.11.1 + +- gitlab: upgrade CE to v15.11.1 +- gitaly: upgrade to v15.11.1 +- gitlab-pages: upgrade to v15.11.1 +- golang: upgrade to v1.20.4 + +## 15.11.0 + +- gitlab: upgrade CE to v15.11.0 +- gitaly: upgrade to v15.11.0 +- gitlab-pages: upgrade to v15.11.0 +- ubuntu: upgrade to focal-20230412 + +## 15.10.3 + +- gitlab: upgrade CE to v15.10.3 +- gitaly: upgrade to v15.10.3 +- gitlab-pages: upgrade to v15.10.3 + +## 15.10.2 + +- gitlab: upgrade CE to v15.10.2 +- gitaly: upgrade to v15.10.2 +- gitlab-pages: upgrade to v15.10.2 +- golang: upgrade to 
v1.20.3
+
+## 15.10.1
+
+- gitlab: upgrade CE to v15.10.1
+- gitaly: upgrade to v15.10.1
+- gitlab-pages: upgrade to v15.10.1
+- ruby: upgrade to v2.7.8
+- ubuntu: upgrade to focal-20230308
+
+## 15.10.0
+
+- gitlab: upgrade CE to v15.10.0
+- gitaly: upgrade to v15.10.0
+- gitlab-pages: upgrade to v15.10.0
+- gitlab-shell: upgrade to v14.18.0
+- ubuntu: upgrade to focal-20230308
+
+## 15.9.3
+
+- gitlab: upgrade CE to v15.9.3
+- gitaly: upgrade to v15.9.3
+- gitlab-pages: upgrade to v15.9.3
+- golang: upgrade to v1.20.2
+
+## 15.9.2
+
+- gitlab: upgrade CE to v15.9.2
+- gitaly: upgrade to v15.9.2
+- gitlab-pages: upgrade to v15.9.2
+- ubuntu: upgrade to focal-20230301
+
+## 15.9.1
+
+- gitlab: upgrade CE to v15.9.1
+- gitaly: upgrade to v15.9.1
+- gitlab-pages: upgrade to v15.9.1
+
+## 15.9.0
+
+- gitlab: upgrade CE to v15.9.0
+- gitaly: upgrade to v15.9.0
+- gitlab-pages: upgrade to v15.9.0
+- gitlab-shell: upgrade to v14.17.0
+
+## 15.8.2
+
+- gitlab: upgrade CE to v15.8.2
+- gitaly: upgrade to v15.8.2
+- gitlab-pages: upgrade to v15.8.2
+- golang: upgrade to v1.19.6
+
+## 15.8.1
+
+- gitlab: upgrade CE to v15.8.1
+- gitaly: upgrade to v15.8.1
+- gitlab-pages: upgrade to v15.8.1
+- ubuntu: upgrade to focal-20230126
+
+## 15.8.0-1
+
+- ruby: rollback to v2.7.7
+
+## 15.8.0
+
+- gitlab: upgrade CE to v15.8.0
+- gitaly: upgrade to v15.8.0
+- gitlab-pages: upgrade to v15.8.0
+- gitlab-shell: upgrade to v14.15.0
+- golang: upgrade to v1.18.10
+
+## 15.7.5
+
+- gitlab: upgrade CE to v15.7.5
+- gitaly: upgrade to v15.7.5
+- gitlab-pages: upgrade to v15.7.5
+
+## 15.7.3
+
+- gitlab: upgrade CE to v15.7.3
+- gitaly: upgrade to v15.7.3
+- gitlab-pages: upgrade to v15.7.3
+
+## 15.7.2
+
+- gitlab: upgrade CE to v15.7.2
+- gitaly: upgrade to v15.7.2
+- gitlab-pages: upgrade to v15.7.2
+
+## 15.7.1
+
+- gitlab: upgrade CE to v15.7.1
+- gitaly: upgrade to v15.7.1
+- gitlab-pages: upgrade to v15.7.1
+
+## 15.7.0
+
+- gitlab: upgrade CE to v15.7.0
+- gitaly: upgrade to v15.7.0
+- gitlab-pages: upgrade to v15.7.0
+- gitlab-shell: upgrade to v14.14.0
+- ruby: upgrade to v3.0.5
+
+## 15.6.3
+
+- gitlab: upgrade CE to v15.6.3
+- gitaly: upgrade to v15.6.3
+- gitlab-pages: upgrade to v15.6.3
+- ubuntu: upgrade to focal-20221130
+- ruby: upgrade to v2.7.7
+- ruby: upgrade to v3.0.4
+
+## 15.6.2
+
+- gitlab: upgrade CE to v15.6.2
+- gitaly: upgrade to v15.6.2
+
+## 15.6.1
+
+- gitlab: upgrade CE to v15.6.1
+- gitaly: upgrade to v15.6.1
+
+## 15.6.0
+
+- gitlab: upgrade CE to v15.6.0
+- gitaly: upgrade to v15.6.0
+- gitlab-shell: upgrade to v14.13.0
+- gitlab-pages: upgrade to v1.63.0
+- golang: upgrade to v1.18.8
+
+## 15.5.4
+
+- gitlab: upgrade CE to v15.5.4
+- gitaly: upgrade to v15.5.4
+
+## 15.5.3
+
+- gitlab: upgrade CE to v15.5.3
+- gitaly: upgrade to v15.5.3
+
+## 15.5.2
+
+- gitlab: upgrade CE to v15.5.2
+- gitaly: upgrade to v15.5.2
+- ubuntu: upgrade to focal-20221019
+
+## 15.5.1
+
+- gitlab: upgrade CE to v15.5.1
+- gitaly: upgrade to v15.5.1
+
+## 15.5.0
+
+- gitlab: upgrade CE to v15.5.0
+- gitaly: upgrade to v15.5.0
+- gitlab-shell: upgrade to v14.12.0
+
+## 15.4.3
+
+- gitlab: upgrade CE to v15.4.3
+- gitaly: upgrade to v15.4.3
+- ubuntu: upgrade to focal-20220922
+
+## 15.4.2
+
+- gitlab: upgrade CE to v15.4.2
+- gitaly: upgrade to v15.4.2
+
+## 15.4.1
+
+- gitlab: upgrade CE to v15.4.1
+- gitaly: upgrade to v15.4.1
+
+## 15.4.0
+
+- gitlab: upgrade CE to v15.4.0
+- gitaly: upgrade to v15.4.0
+- ubuntu: upgrade tofocal-20220826
+
+## 15.3.3
+
+- gitlab: upgrade CE to v15.3.3
+- gitaly: upgrade to v15.3.3
+
+## 15.3.2
+
+- gitlab: upgrade CE to v15.3.2
+- gitaly: upgrade to v15.3.2
+
+## 15.3.1
+
+- gitlab: upgrade CE to v15.3.1
+- gitaly: upgrade to v15.3.1
+
+## 15.3.0
+
+- gitlab: upgrade CE to v15.3.0
+- gitaly: upgrade to v15.3.0
+- gitlab-shell: upgrade to v14.10.0
+- gitlab-pages: upgrade to v1.62.0
+- ubuntu: upgrade to focal-20220801
+
+## 15.2.2
+
+- gitlab: upgrade CE to v15.2.2
+- gitaly: upgrade to v15.2.2
+- golang: upgrade to v1.17.13
+
+## 15.2.1
+
+- gitlab: upgrade CE to v15.2.1
+- gitaly: upgrade to v15.2.1
+- gitlab-pages: upgrade to v1.61.1
+
+## 15.2.0
+
+- gitlab: upgrade CE to v15.2.0
+- gitaly: upgrade to v15.2.0
+- gitlab-shell: upgrade to v14.9.0
+- gitlab-pages: upgrade to v1.61.0
+- golang: upgrade to v1.17.12
+
+## 15.1.3
+
+- gitlab: upgrade CE to v15.1.3
+- gitaly: upgrade to v15.1.3
+
+## 15.1.2
+
+- gitlab: upgrade CE to v15.1.2
+- gitaly: upgrade to v15.1.2
+
+## 15.1.1
+
+- gitlab: upgrade CE to v15.1.1
+- gitaly: upgrade to v15.1.1
+
+## 15.1.0
+
+- gitlab: upgrade CE to v15.1.0
+- gitaly: upgrade to v15.1.0
+- gitlab-shell: upgrade to v14.7.4
+- gitlab-pages: upgrade to v1.59.0
+
+## 15.0.3
+
+- gitlab: upgrade CE to v15.0.3
+- gitaly: upgrade to v15.0.3
+
+## 15.0.2
+
+- gitlab: upgrade CE to v15.0.2
+- gitaly: upgrade to v15.0.2
+- ubuntu: upgrade to focal-20220531
+
+## 15.0.1
+
+- gitlab: upgrade CE to v15.0.1
+- gitaly: upgrade to v15.0.1
+- golang: upgrade to v1.17.11
+
+## 15.0.0
+
+- gitlab: upgrade CE to v15.0.0
+- gitaly: upgrade to v15.0.0
+- golang: upgrade to v1.17.10
+- gitlab-shell: upgrade to v14.3.0
+- gitlab-pages: upgrade to v1.58.0
+
+## 14.10.3
+
+- gitlab: upgrade CE to v14.10.3
+- gitaly: upgrade to v14.10.3
+
+## 14.10.2
+
+- gitlab: upgrade CE to v14.10.2
+- gitaly: upgrade to v14.10.2
+- ubuntu: upgrade to focal-20220426
+
+## 14.10.1
+
+- gitlab: upgrade CE to v14.10.1
+- gitaly: upgrade to v14.10.1
+- ubuntu: upgrade to focal-20220426
+
+## 14.10.0
+
+- gitlab: upgrade CE to v14.10.0
+- gitaly: upgrade to v14.10.0
+- gitlab-shell: upgrade to v13.25.1
+- ubuntu: upgrade to focal-20220415
+
+## 14.9.3
+
+- gitlab: upgrade CE to v14.9.3
+- gitaly: upgrade to v14.9.3
+- golang: upgrade to v1.17.9
+- ruby: upgrade to v2.7.6
+- ubuntu: upgrade to focal-20220404
+
+## 14.9.2
+
+- gitlab: upgrade CE to v14.9.2
+- gitaly: upgrade to v14.9.2
+- gitlab-pages: upgrade to v1.56.1
+
+## 14.9.1
+
+- gitlab: upgrade CE to v14.9.1
+- gitaly: upgrade to v14.9.1
+
+## 14.9.0
+
+- gitlab: upgrade CE to v14.9.0
+- gitaly: upgrade to v14.9.0
+- gitlab-pages: upgrade to v1.56.0
+- gitlab-shell: upgrade to v13.24.0
+
+## 14.8.4
+
+- gitlab: upgrade CE to v14.8.4
+- gitaly: upgrade to v14.8.4
+
+## 14.8.3
+
+- gitlab: upgrade CE to v14.8.3
+- gitaly: upgrade to v14.8.3
+- golang: upgrade to v1.17.8
+- ubuntu: upgrade to focal-20220316
+
+## 14.8.2
+
+- gitlab: upgrade CE to v14.8.2
+- gitaly: upgrade to v14.8.2
+
+## 14.8.1
+
+- gitlab: upgrade CE to v14.8.1
+- gitaly: upgrade to v14.8.1
+
+## 14.8.0
+
+- gitlab: upgrade CE to v14.8.0
+- gitaly: upgrade to v14.8.0
+- gitlab-pages: upgrade to v1.54.0
+- gitlab-shell: v13.23.2
+
+## 14.7.3
+
+- gitlab: upgrade CE to v14.7.3
+- gitaly: upgrade to v14.7.3
+- golang: upgrade to v1.17.7
+
+## 14.7.2
+
+- gitlab: upgrade CE to v14.7.2
+- gitaly: upgrade to v14.7.2
+- ubuntu: upgrade to focal-20220113
+
+## 14.7.1
+
+- gitlab: upgrade CE to v14.7.1
+- gitaly: upgrade to v14.7.1
+
+## 14.7.0
+
+- gitlab: upgrade CE to v14.7.0
+- gitaly: upgrade to v14.7.0
+- gitlab-shell: v13.22.2
+- gitlab-pages: upgrade to v1.51.0
+
+## 14.6.3
+
+- gitlab: upgrade CE to v14.6.3
+- gitaly: upgrade to v14.6.3
+
+## 14.6.2
+
+- gitlab: upgrade CE to v14.6.2
+- gitaly: upgrade to v14.6.2
+- golang: upgrade to v1.17.6
+- ubuntu: upgrade to focal-20220105
+
+## 14.6.1
+
+- gitlab: upgrade CE to v14.6.1
+- gitaly: upgrade to v14.6.1
+
+## 14.6.0
+
+- gitlab: upgrade CE to v14.6.0
+- gitaly: upgrade to v14.6.0
+- gitlab-pages: upgrade to v1.49.0
+
+## 14.5.2
+
+- gitlab: upgrade CE to v14.5.2
+- gitaly: upgrade to v14.5.2
+- golang: upgrade to v1.17.5
+
+## 14.5.1
+
+- gitlab: upgrade CE to v14.5.1
+- gitaly: upgrade to v14.5.1
+- gitlab-shell: v13.22.1
+
+## 14.5.0
+
+- gitlab: upgrade CE to v14.5.0
+- gitaly: upgrade to v14.5.0
+- gitlab-pages: upgrade to v1.48.0
+- gitlab-shell: v13.22.0
+
+## 14.4.4
+
+- gitlab: upgrade CE to v14.4.4
+- gitaly: upgrade to v14.4.4
+- ruby: upgrade to v2.7.5
+
+## 14.4.3
+
+- gitlab: upgrade CE to v14.4.3
+- gitaly: upgrade to v14.4.3
+- golang: upgrade to v1.17.4
+
+## 14.4.2
+
+- gitlab: upgrade CE to v14.4.2
+- gitaly: upgrade to v14.4.2
+- redis: upgrade to v6.2.6
+
+## 14.4.1
+
+- gitlab: upgrade CE to v14.4.1
+- gitaly: upgrade to v14.4.1
+
+## 14.4.0
+
+- gitlab: upgrade CE to v14.4.0
+- gitaly: upgrade to v14.4.0
+- gitlab-pages: upgrade to v1.46.0
+
+## 14.3.3
+
+- gitlab: upgrade CE to v14.3.3
+- gitaly: upgrade to v14.3.3
+
+## 14.3.2
+
+- gitlab: upgrade CE to v14.3.2
+- gitaly: upgrade to v14.3.2
+- gitlab-shell: v13.21.1
+
+## 14.3.1
+
+- gitlab: upgrade CE to v14.3.1
+- gitaly: upgrade to v14.3.1
+
+## 14.3.0
+
+- gitlab: upgrade CE to v14.3.0
+- gitaly: upgrade to v14.3.0
+- gitlab-shell: v13.21.0
+- gitlab-pages: upgrade to v1.44.0
+- ruby: compile ruby from source and use v2.7.4
+- ubuntu: upgrade to focal-20211006
+
+## 14.2.5
+
+- gitlab: upgrade CE to v14.2.5
+- gitaly: upgrade to v14.2.5
+
+## 14.2.4
+
+- gitlab: upgrade CE to v14.2.4
+- gitaly: upgrade to v14.2.4
+- golang: upgrade to v1.17.1
+
+## 14.2.3
+
+- gitlab: upgrade CE to v14.2.3
+- gitaly: upgrade to v14.2.3
+
+## 14.2.2
+
+- gitlab: upgrade CE to v14.2.2
+- gitaly: upgrade to v14.2.2
+- ubuntu: upgrade to focal-20210827
+
+## 14.2.1
+
+- gitlab: upgrade CE to v14.2.1
+- gitaly: upgrade to v14.2.1
+
+## 14.2.0
+
+- gitlab: upgrade CE to v14.2.0
+- gitaly: upgrade to v14.2.0
+- gitlab-pages: upgrade to v1.42.0
+- golang: upgrade to v1.17
+
+## 14.1.3
+
+- gitlab: upgrade CE to v14.1.3
+- gitaly: upgrade to v14.1.3
+- golang: upgrade to v1.16.7
+
+## 14.1.2
+
+- gitlab: upgrade CE to v14.1.2
+- gitaly: upgrade to v14.1.2
+- gitlab-shell: upgrade to v13.19.1
+
+## 14.1.1
+
+- gitlab: upgrade CE to v14.1.1
+- gitaly: upgrade to v14.1.1
+- ubuntu: upgrade to focal-20210723
+
+## 14.1.0
+
+- gitlab: upgrade CE to v14.1.0
+- gitaly: upgrade to v14.1.0
+
+## 14.0.6
+
+- gitlab: upgrade CE to v14.0.6
+- gitaly: upgrade to v14.0.6
+- golang: upgrade to v1.16.6
+
+## 14.0.5
+
+- gitlab: upgrade CE to v14.0.5
+- gitaly: upgrade to v14.0.5
+
+## 14.0.4
+
+- gitlab: upgrade CE to v14.0.4
+- gitaly: upgrade to v14.0.4
+
+## 14.0.3
+
+- gitlab: upgrade CE to v14.0.3
+- gitaly: upgrade to v14.0.3
+
+## 14.0.2
+
+- gitlab: upgrade CE to v14.0.2
+- gitaly: upgrade to v14.0.2
+
+## 14.0.1
+
+- gitlab: upgrade CE to v14.0.1
+- gitaly: upgrade to v14.0.1
+
+## 14.0.0
+
+- gitlab: upgrade CE to v14.0.0
+- gitaly: upgrade to v14.0.0
+- gitlab-shell: upgrade to v13.19.0
+- gitlab-pages: upgrade to v1.40.0
+
+## 13.12.5
+
+- gitlab: upgrade CE to v13.12.5
+- gitaly: upgrade to v13.12.5
+- ubuntu: upgrade to focal-20210609
+
+## 13.12.4
+
+- gitlab: upgrade CE to v13.12.4
+- gitaly: upgrade to v13.12.4
+
+## 13.12.3
+
+- gitlab: upgrade CE to v13.12.3
+- gitaly: upgrade to v13.12.3
+- golang: upgrade to v1.16.5
+
+## 13.12.2
+
+- gitlab: upgrade CE to v13.12.2
+- gitaly: upgrade to v13.12.2
+
+## 13.12.1
+
+- gitlab: upgrade CE to v13.12.1
+- gitaly: upgrade to v13.12.1
+
+## 13.12.0
+
+- gitlab: upgrade CE to v13.12.0
+- gitlab-shell: upgrade to v13.18.0
+- gitlab-pages: upgrade to v1.39.0
+- gitaly: upgrade to v13.12.0
+
+## 13.11.4
+
+- gitlab: upgrade CE to v13.11.4
+- gitaly: upgrade to v13.11.4
+- golang: upgrade to v1.16.4
+- ubuntu: upgrade to focal-20210416
+
+## 13.11.3
+
+- gitlab: upgrade CE to v13.11.3
+- gitaly: upgrade to v13.11.3
+
+## 13.11.2
+
+- gitlab: upgrade CE to v13.11.2
+- gitaly: upgrade to v13.11.2
+
+## 13.11.1
+
+- gitlab: upgrade CE to v13.11.1
+- gitaly: upgrade to v13.11.1
+
+## 13.11.0
+
+- gitlab: upgrade CE to v13.11.0
+- gitaly: upgrade to v13.11.0
+- gitlab-pages: upgrade to v1.38.0
+- ubuntu: upgrade to focal-20210401
+
+## 13.10.3
+
+- gitlab: upgrade CE to v13.10.3
+- gitaly: upgrade to v13.10.3
+
+## 13.10.2
+
+- gitlab: upgrade CE to v13.10.2
+- gitaly: upgrade to v13.10.2
+- golang: upgrade to v1.16.3
+- ubuntu: upgrade to bionic-20210325
+
+## 13.10.1
+
+- gitlab: upgrade CE to v13.10.1
+- gitaly: upgrade to v13.10.1
+- added libmagic1 to fit requirements of ruby-magic-static-0.3.4 (necessary for puma)
+
+## 13.10.0
+
+- gitlab: upgrade CE to v13.10.0
+- gitaly: upgrade to v13.10.0
+- gitlab-pages: upgrade to v1.36.0
+
+## 13.9.5
+
+- gitlab: upgrade CE to v13.9.5
+- gitaly: upgrade to v13.9.5
+
+## 13.9.4
+
+- gitlab: upgrade CE to v13.9.4
+- gitaly: upgrade to v13.9.4
+- golang: upgrade to v1.16.2
+- ubuntu: upgrade to bionic-20210222
+
+## 13.9.3
+
+- gitlab: upgrade CE to v13.9.3
+- gitaly: upgrade to v13.9.3
+- gitlab-shell: upgrade to v13.17.0
+
+## 13.9.2
+
+- gitlab: upgrade CE to v13.9.2
+- gitaly: upgrade to v13.9.2
+- gitlab-workhorse: upgrade to v8.63.2
+
+## 13.9.1
+
+- gitlab: upgrade CE to v13.9.1
+- gitaly: upgrade to v13.9.1
+
+## 13.9.0
+
+- gitlab: upgrade CE to v13.9.0
+- gitaly: upgrade to v13.9.0
+- gitlab-shell: upgrade to v13.16.1
+- gitlab-pages: upgrade to v1.35.0
+- gitlab-workhorse: upgrade to v8.63.0
+- golang: upgrade to v1.16
+
+## 13.8.4
+
+- added `SSL_PROTOCOLS` option to change protocols of the nginx
+- added `SSL_REGISTRY_CIPHERS`
+- added `SSL_REGISTRY_PROTOCOLS`
+- added `SSL_PAGES_CIPHERS`
+- added `SSL_PAGES_PROTOCOLS`
+- gitlab: upgrade CE to v13.8.4
+- gitaly: upgrade to v13.8.4
+- gitlab-shell: upgrade to v13.15.1
+
+## 13.8.3
+
+- gitlab: upgrade CE to v13.8.3
+- gitaly: upgrade to v13.8.3
+- golang: upgrade to v1.15.8
+
+## 13.8.2
+
+- gitlab: upgrade CE to v13.8.2
+- gitaly: upgrade to v13.8.2
+
+## 13.8.1
+
+- gitlab: upgrade CE to v13.8.1
+- gitaly: upgrade to v13.8.1
+
+## 13.8.0
+
+- gitlab: upgrade CE to v13.8.0
+- gitaly: upgrade to v13.8.0
+- gitlab-shell: upgrade to v13.15.0
+- gitlab-workhorse: upgrade to v8.59.0
+- gitlab-pages: upgrade to v1.34.0
+- golang: upgrade to v1.15.7
+- ubuntu: upgrade to bionic-20210118
+
+## 13.7.4
+
+- gitlab: upgrade CE to v13.7.4
+
+## 13.7.3
+
+- gitlab: upgrade CE to v13.7.3
+- gitlab-pages: upgrade to v1.34.0
+- gitlab-shell: upgrade to v13.7.3
+- gitlab-workhorse: upgrade to v8.58.2
+
+## 13.7.1
+
+- gitlab: upgrade CE to v13.7.1
+- gitaly: upgrade v13.7.1
+
+## 13.7.0
+
+- gitlab: upgrade CE to v13.7.0
+- gitaly: upgrade v13.7.0
+- gitlab-shell: upgrade to v13.14.0
+- gitlab-pages: upgrade to v1.32.0
+- gitlab-workhorse: upgrade to v8.58.0
+- ubuntu: upgrade to ubuntu bionic-20201119
+- postgresql: upgrade to postgresql 12
+
+## 13.6.3
+
+- gitlab: upgrade CE to v13.6.3
+- gitaly: upgrade v13.6.3
+
+## 13.6.2
+
+- gitlab: upgrade CE to v13.6.2
+- gitaly: upgrade v13.6.2
+
+## 13.6.1
+
+- gitlab: upgrade CE to v13.6.1
+- gitaly: upgrade v13.6.1
+
+## 13.6.0
+
+- gitlab: upgrade CE to v13.6.0
+- gitaly: upgrade v13.6.0
+- gitlab-shell: upgrade to v13.13.0
+- gitlab-pages: upgrade to v1.30.0
+- gitlab-workhorse: upgrade to v8.54.0
+- use bundler 2.1.4
+- use ruby 2.7
+
+## 13.5.4
+
+- gitlab: upgrade CE to v13.5.4
+- gitaly: upgrade v13.5.4
+
+## 13.5.3
+
+- gitlab: upgrade CE to v13.5.3
+- gitaly: upgrade v13.5.3
+
+## 13.5.2
+
+- gitlab: upgrade CE to v13.5.2
+- gitaly: upgrade v13.5.2
+
+## 13.5.1
+
+- gitlab: upgrade CE to v13.5.1
+- gitaly: upgrade v13.5.1
+- gitlab-shell: upgrade to v13.11.0
+- gitlab-pages: upgrade to v1.28.0
+- gitlab-workhorse: upgrade to v8.51.0
+
+## 13.4.4
+
+- gitlab: upgrade CE to v13.4.4
+- gitaly: upgrade to v13.4.4
+
+## 13.4.3
+
+- gitlab: upgrade CE to v13.4.3
+- gitaly: upgrade to v13.4.3
+
+## 13.4.2
+
+- gitlab: upgrade CE to v13.4.2
+- gitaly: upgrade to v13.4.2
+- gitlab-pages: upgrade to 1.25.0
+- gitlab-workhorse: upgrade to 8.46.0
+- gitlab-shell: uprade to 13.7.0
+- ubuntu: upgrade to bionic-20200921
+
+## 13.3.4
+
+- gitlab: upgrade CE to v13.3.4
+- gitaly: upgrade to v13.3.4
+
+## 13.3.1
+
+- gitlab: upgrade CE to v13.3.1
+- gitaly: upgrade to v13.3.1
+
+## 13.3.0
+
+- gitlab: upgrade CE to v13.3.0
+- gitaly: upgrade to v13.3.0
+- gitlab-pages: upgrade to v1.22.0
+- gitlab-shell: upgrade to v13.6.0
+- gitlab-workhorse: upgrade to v8.39.0
+
+## 13.2.6
+
+- gitlab: upgrade CE to v13.2.6
+
+## 13.2.4
+
+- gitlab: upgrade CE to v13.2.4
+- ubuntu: upgrade to bionic-20200713
+
+## 13.2.3
+
+- gitlab: upgrade CE to v13.2.3
+- golang: upgrade to 1.14.7
+- gitaly: upgrade to 13.2.3
+- postgresql: add btree_gist extension
+
+## 13.2.2
+
+- gitlab: upgrade CE to v13.2.2
+
+## 13.2.1
+
+- gitlab: upgrade CE to v13.2.1
+
+## 13.0.7
+
+- gitlab: upgrade CE to v13.0.7
+
+## 13.0.6
+
+- gitlab: upgrade CE to v13.0.6
+
+## 13.0.5
+
+- gitlab: upgrade CE to v13.0.5
+
+## 13.0.3
+
+- gitlab: upgrade CE to v13.0.3
+
+## 13.0.2
+
+- gitlab: upgrade CE to v13.0.2
+
+## 13.0.1
+
+- gitlab: upgrade CE to v13.0.1
+
+## 13.0.0
+
+- gitlab: upgrade CE to v13.0.0
+
+## 12.10.6
+
+- gitlab: upgrade CE to v12.10.6
+
+## 12.10.4
+
+- updated to ubuntu:bionic-20200403
+- gitlab-workhorse: update to 8.30.1
+- sync: upstream configs
+- gitlab: upgrade to 12.10.4
+
+## 12.9.5
+
+- gitlab: updated to 12.9.5
+- gitlab-shell: updated to 12.2.0
+- gitaly: updated to 12.10.0
+
+## 12.9.4
+
+- gitlab: upgrade CE to v12.9.4
+- Update gitlab-workhorse to 8.25.2
+- Update golang to 1.13.10
+
+## 12.9.2
+
+- gitlab: upgrade CE to v12.9.2
+
+## 12.9.1
+
+- gitlab: upgrade CE to v12.9.1
+
+## 12.9.0
+
+- gitlab: upgrade CE to v12.9.0
+- replaced unicorn with puma
+- Removed `UNICORN_WORKERS`
+- Removed `UNICORN_TIMEOUT`
+- Added `PUMA_THREADS_MIN`
+- Added `PUMA_THREADS_MAX`
+- Added `PUMA_WORKERS`
+- Added `PUMA_TIMEOUT`
+
+## 12.8.8
+
+- gitlab: upgrade CE to v12.8.8
+
+## 12.8.7
+
+- gitlab: upgrade CE to v12.8.7
+
+## 12.8.6
+
+- gitlab: upgrade CE to v12.8.6
+
+## 12.8.5
+
+- gitlab: upgrade CE to v12.8.5
+
+## 12.8.4
+
+- gitlab: upgrade CE to v12.8.4
+
+## 12.8.3
+
+- gitlab: upgrade CE to v12.8.3
+
+## 12.8.2
+
+- gitlab: upgrade CE to v12.8.2
+
+## 12.8.1
+
+- gitlab: upgrade CE to v12.8.1
+
+## 12.8.0
+
+- gitlab: upgrade CE to v12.8.0
+- fix: ArgumentError: 'import/{{oauth2_generic_name}}' is not supported [#2101](https://github.com/sameersbn/docker-gitlab/issues/2101)
+
+## 12.7.8
+
+- Upgrade GitLab CE to 12.7.8
+
+## 12.7.7
+
+- Upgrade GitLab CE to 12.7.7
+- Add Generic OAuth Provider PR#2070
+
+## 12.7.6
+
+- gitlab: upgrade CE to v12.7.6
+
+## 12.7.5
+
+- gitlab: upgrade CE to v12.7.5
+
+## 12.7.4
+
+- Upgrade GitLab CE to 12.7.4
+- Update golang to 1.13.7
+- Update gitlab-pages to 1.15.0
+- Update gitlab-workhorse to 8.20.0
+- Update gitaly to 1.85.0
+
+## 12.7.2
+
+- Upgrade GitLab CE to 12.7.2
+
+## 12.7.0
+
+- Update gitlab-shell to 11.0.0
+- Upgrade GitLab CE to 12.7.0
+- Update golang to 1.13.6
+- Update gitaly to 1.83.0
+- Update gitlab-pages to 1.14.0
+- Update gitlab-workhorse to 8.19.0
+
+## 12.6.4
+
+- gitlab: upgrade CE to v12.6.4
+
+## 12.6.3
+
+- gitlab: upgrade CE to v12.6.3
+
+## 12.6.2
+
+- gitlab: upgrade CE to v12.6.2
+
+## 12.6.1
+
+- gitlab: upgrade CE to v12.6.1
+
+## 12.6.0
+
+- gitlab: upgrade CE to v12.6.0
+
+## 12.5.7
+
+- gitlab: upgrade CE to v12.5.7
+
+## 12.5.6
+
+- gitlab: upgrade CE to v12.5.6
+
+## 12.5.5
+
+- gitlab: upgrade CE to v12.5.5
+
+## 12.5.4
+
+- gitlab: upgrade CE to v12.5.4
+- Update golang to 1.12.14
+
+## 12.5.3
+
+- gitlab: upgrade CE to v12.5.3
+
+## 12.5.2
+
+- gitlab: upgrade CE to v12.5.2
+
+## 12.5.1
+
+- gitlab: upgrade CE to v12.5.1
+
+## 12.5.0
+
+- gitlab: upgrade CE to v12.5.0
+
+## 12.4.3
+
+- gitlab: upgrade CE to v12.4.3
+
+## 12.4.2
+
+- gitlab: upgrade CE to v12.4.2
+
+## 12.4.1
+
+- gitlab: upgrade CE to v12.4.1
+
+## 12.4.0
+
+- gitlab: upgrade CE to v12.4.0
+
+## 12.3.5
+
+- gitlab: upgrade CE to v12.3.5
+
+## 12.3.4
+
+- gitlab: upgrade CE to v12.3.4
+
+## 12.3.3
+
+- gitlab: upgrade CE to v12.3.3
+
+## 12.3.2
+
+- gitlab: upgrade CE to v12.3.2
+
+## 12.3.1
+
+- gitlab: upgrade CE to v12.3.1
+
+## 12.3.0
+
+- gitlab: upgrade CE to v12.3.0
+
+## 12.2.5
+
+- gitlab: upgrade CE to v12.2.5
+
+## 12.2.4
+
+- gitlab: upgrade CE to v12.2.4
+
+## 12.2.3
+
+- gitlab: upgrade CE to v12.2.3
+
+## 12.2.1
+
+- gitlab: upgrade CE to v12.2.1
+
+## 12.2.0
+
+- gitlab: upgrade CE to v12.2.0
+- upgrade base image to ubuntu:bionic
+
+## 12.1.6
+
+- gitlab: upgrade CE to v12.1.6
+
+## 12.1.4
+
+- gitlab: upgrade CE to v12.1.4
+
+## 12.1.3
+
+- gitlab: upgrade CE to v12.1.3
+
+## 12.1.2
+
+- gitlab: upgrade CE to v12.1.2
+
+## 12.1.1
+
+- gitlab: upgrade CE to v12.1.1
+
+## 12.1.0
+
+- gitlab: upgrade CE to v12.1.0
+- Removed MySQL related information and packages. GitLab v12.1.X or greater requires only PostgreSQL. Do an Migration before upgrading to v12.1.X. For more Information have a look at the [Migration Guide](https://docs.gitlab.com/ce/update/mysql_to_postgresql.html)
+
+## 12.0.4
+
+- gitlab: upgrade CE to v12.0.4
+
+## 12.0.3
+
+- gitlab: upgrade CE to v12.0.3
+
+## 12.0.2
+
+- gitlab: upgrade CE to v12.0.2
+
+## 12.0.1
+
+- gitlab: upgrade CE to v12.0.1
+
+## 12.0.0
+
+- gitlab: upgrade CE to v12.0.0
+- Update gitaly to 1.47.0
+- Update gitlab-shell to 9.3.0
+- Update gitlab-pages to 1.6.1
+- ruby: update to 2.6
+- python: update to 3
+
+## 11.11.3
+
+- gitlab: upgrade CE to v11.11.3
+- Update gitaly to 1.42.4
+- Update golang to 1.12.6
+
+## 11.11.2
+
+- gitlab: upgrade CE to v11.11.2
+- Update gitaly to 1.42.3
+
+## 11.11.1
+
+- gitlab: upgrade CE to v11.11.1
+- Update gitaly to 1.42.2
+
+## 11.11.0
+
+- gitlab: upgrade CE to v11.11.0
+- Update gitaly to 1.42.0
+- Update gitlab-shell to 9.1.0
+- Update gitlab-workhorse to 8.7.0
+
+## 11.10.4
+
+- gitlab: upgrade CE to v11.10.4
+
+## 11.10.3
+
+- gitlab: upgrade CE to v11.10.3
+
+## 11.10.2
+
+- gitlab: upgrade CE to v11.10.2
+
+## 11.10.1
+
+- gitlab: upgrade CE to v11.10.1
+
+## 11.10.0
+
+- gitlab: upgrade CE to v11.10.0
+
+## 11.9.8
+
+- gitlab: upgrade CE to v11.9.8
+
+## 11.9.7
+
+- gitlab: upgrade CE to v11.9.7
+
+## 11.9.6
+
+- gitlab: upgrade CE to v11.9.6
+
+## 11.9.5
+
+- gitlab: upgrade CE to v11.9.5
+
+## 11.9.4
+
+- gitlab: upgrade CE to v11.9.4
+- Update gitlab-workhorse to 8.3.3
+
+## 11.9.1
+
+- gitlab: upgrade CE to v11.9.1
+- Update gitaly to 1.27.1
+
+## 11.9.0
+
+- gitlab: upgrade CE to v11.9.0
+
+## 11.8.3
+
+- gitlab: upgrade CE to v11.8.3
+
+## 11.8.2
+
+- gitlab: upgrade CE to v11.8.2
+
+## 11.8.1
+
+- gitlab: upgrade CE to v11.8.1
+
+## 11.8.0
+
+- gitlab: upgrade CE to v11.8.0
+- Update gitlab-workhorse to 8.3.1
+- Update gitaly to 1.20.0
+- Update gitlab-pages to 1.5.0
+
+## 11.7.5
+
+- gitlab: upgrade CE to v11.7.5
+
+## 11.7.4
+
+- gitlab: upgrade CE to v11.7.4
+
+## 11.7.3
+
+- gitlab: upgrade CE to v11.7.3
+- Update gitlab-workhorse to 8.1.1
+- Update gitaly to 1.13.0
+- Update gitlab-pages to 1.4.0
+
+## 11.7.0
+
+- gitlab: upgrade CE to v11.7.0
+
+## 11.6.5
+
+- gitlab: upgrade CE to v11.6.5
+
+## 11.6.4
+
+- gitlab: upgrade CE to v11.6.4
+
+## 11.6.3
+
+- gitlab: upgrade CE to v11.6.3
+
+## 11.6.2
+
+- gitlab: upgrade CE to v11.6.2
+
+## 11.6.1
+
+- gitlab: upgrade CE to v11.6.1
+- Added `GITLAB_IMPERSONATION_ENABLED`
+- Added `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME`
+- Added `GITLAB_PAGES_ACCESS_CONTROL_SERVER`
+- Added `GITLAB_PAGES_ACCESS_CLIENT_ID`
+- Added `GITLAB_PAGES_ACCESS_CLIENT_SECRET`
+- Added `GITLAB_PAGES_ACCESS_SECRET`
+- Added `GITLAB_PAGES_ACCESS_REDIRECT_URI`
+
+## 11.6.0
+
+- gitlab: upgrade CE to v11.6.0
+- Update gitaly to 1.7.1
+- Update gitlab-shell to 8.4.3
+- Update gitlab-workhorse to 7.6.0
+- Update golang to 1.11.4
+- Added `LDAP_USER_ATTRIBUTE_USERNAME`
+- Added `LDAP_USER_ATTRIBUTE_MAIL`
+- Added `LDAP_USER_ATTRIBUTE_NAME`
+- Added `LDAP_USER_ATTRIBUTE_FIRSTNAME`
+- Added `LDAP_USER_ATTRIBUTE_LASTNAME`
+- Added `GITLAB_BACKUP_DIR_CHOWN`
+- Added `GITLAB_BACKUP_DIR_GROUP`
+- Added `GITLAB_PAGES_NGINX_PROXY`
+
+## 11.5.5
+
+- gitlab: upgrade CE to v11.5.5
+
+## 11.5.4
+
+- gitlab: upgrade CE to v11.5.4
+
+## 11.5.3
+
+- gitlab: upgrade CE to v11.5.3
+
+## 11.5.2
+
+- gitlab: upgrade CE to v11.5.2
+
+## 11.5.1-1
+
+- Fixed GitLab Dependencies
+
+## 11.5.1
+
+- gitlab: upgrade CE to v11.5.1
+
+## 11.5.0
+
+- gitlab: upgrade CE to v11.5.0
+
+## 11.4.7
+
+- gitlab: upgrade CE to v11.4.7
+
+## 11.4.6
+
+- gitlab: upgrade CE to v11.4.6
+
+## 11.4.5
+
+- gitlab: upgrade CE to v11.4.5
+
+## 11.4.4
+
+- gitlab: upgrade CE to v11.4.4
+- golang: update to 1.10.4
+
+## 11.4.3
+
+- gitlab: upgrade CE to v11.4.3
+
+## 11.4.2
+
+- gitlab: upgrade CE to v11.4.2
+
+## 11.4.1
+
+- gitlab: upgrade CE to v11.4.1
+- Add docs how to reuse ssh port [#1731](https://github.com/sameersbn/docker-gitlab/pull/1731)
+
+## 11.4.0
+
+- gitlab: upgrade CE to v11.4.0
+- baseimage: upgrade to xenial-20181005
+
+## 11.3.6
+
+- gitlab: upgrade CE to v11.3.6
+
+## 11.3.5
+
+- gitlab: upgrade CE to v11.3.5
+
+## 11.3.4
+
+- gitlab: upgrade CE to v11.3.4
+
+## 11.3.3
+
+- gitlab: upgrade CE to v11.3.3
+
+## 11.3.2
+
+- gitlab: upgrade CE to v11.3.2
+
+## 11.3.1
+
+- gitlab: upgrade CE to v11.3.1
+
+## 11.3.0
+
+- gitlab: upgrade CE to v11.3.0
+- Fix backup config stripping for when AWS & GCS backups are disabled [#1725](https://github.com/sameersbn/docker-gitlab/pull/1725)
+- Correct Backup Date format for selective backups [#1699](https://github.com/sameersbn/docker-gitlab/pull/1699)
+- Fix gitlay-ssh symlink to enable rebase/squash in forks
+
+## 11.2.3
+
+- gitlab: upgrade CE to v11.2.3
+
+## 11.2.2
+
+- gitlab: upgrade CE to v11.2.2
+
+## 11.2.1
+
+- gitlab: upgrade CE to v11.2.1
+
+## 11.2.0
+
+- gitlab: upgrade CE to v11.2.0
+- ADD `GITLAB_DEFAULT_THEME`
+
+## 11.1.4
+
+- gitlab: upgrade CE to v11.1.4
+
+## 11.1.3
+
+- gitlab: upgrade CE to v11.1.3
+- Upgrade redis to 4.0.9-1
+
+## 11.1.2
+
+- gitlab: upgrade CE to v11.1.2
+
+## 11.1.1
+
+- gitlab: upgrade CE to v11.1.1
+
+## 11.1.0
+
+- gitlab: upgrade CE to v11.1.0
+
+## 11.0.4
+
+- gitlab: upgrade CE to v11.0.4
+
+## 11.0.3
+
+- gitlab: upgrade CE to v11.0.3
+- ruby: update to 2.4
+
+## 11.0.2
+
+- gitlab: upgrade CE to v11.0.2
+
+## 11.0.1
+
+- gitlab: upgrade CE to v11.0.1
+
+## 11.0.0
+
+- gitlab: upgrade CE to v11.0.0
+
+## 10.8.4
+
+- gitlab: upgrade CE to v10.8.4
+
+## 10.8.3-1
+
+- Fix boot loops that were introduced during [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621) and will be fixed with [#1628](https://github.com/sameersbn/docker-gitlab/pull/1628)
+
+## 10.8.3
+
+- gitlab: upgrade CE to v10.8.3
+- Fix potential boot problems on clean setups [#1621](https://github.com/sameersbn/docker-gitlab/pull/1621)
+
+## 10.8.2
+
+- gitlab: upgrade CE to v10.8.2
+
+## 10.8.1
+
+- gitlab: upgrade CE to v10.8.1
+
+## 10.8.0
+
+- gitlab: upgrade CE to v10.8.0
+- Add support for swarm mode with docker-configs and docker secrets ([#1540](https://github.com/sameersbn/docker-gitlab/pull/1540))
+
+## 10.7.4
+
+- gitlab: upgrade CE to v10.7.4
+- FIX `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+
+## 10.7.3
+
+- gitlab: upgrade CE to v10.7.3
+
+## 10.7.2
+
+- gitlab: upgrade CE to v10.7.2
+
+## 10.7.1
+
+- gitlab: upgrade CE to v10.7.1
+
+## 10.7.0
+
+- gitlab: upgrade CE to v10.7.0
+- ADD `GITLAB_SIDEKIQ_LOG_FORMAT`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+- ADD `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+- ADD `GITLAB_LFS_OBJECT_STORE_ENABLED`
+- ADD `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY`
+- ADD `GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD`
+- ADD `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD`
+- ADD `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+- ADD `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_ENABLED`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+- ADD `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+## 10.6.4
+
+- gitlab: upgrade CE to v10.6.4
+
+## 10.6.3
+
+- gitlab: upgrade CE to v10.6.3
+
+## 10.6.2
+
+- gitlab: upgrade CE to v10.6.2
+- golang: update to 1.9.5
+
+## 10.6.1
+
+- gitlab: upgrade CE to v10.6.1
+
+## 10.6.0
+
+- gitlab: upgrade CE to v10.6.0
+
+## 10.5.6
+
+- gitlab: security upgrade CE to v10.5.6
+
+## 10.5.5
+
+- gitlab: upgrade CE to v10.5.5
+
+## 10.5.4
+
+- gitlab: upgrade CE to v10.5.4
+
+## 10.5.3
+
+- gitlab: upgrade CE to v10.5.3
+
+## 10.5.2
+
+- gitlab: upgrade CE to v10.5.2
+- Fix `GITLAB_UPLOADS_STORAGE_PATH`
+
+## 10.5.1
+
+- gitlab: upgrade CE to v10.5.1
+
+## 10.5.0
+
+- gitlab: upgrade CE to v10.5.0
+- Add `GITLAB_UPLOADS_STORAGE_PATH`
+- Add `GITLAB_UPLOADS_BASE_DIR`
+- Add `LDAP_LOWERCASE_USERNAMES`
+
+## 10.4.4
+
+- gitlab: upgrade CE to v10.4.4
+
+## 10.4.3
+
+- gitlab: upgrade CE to v10.4.3
+
+## 10.4.2-1
+
+- FIXED SSH Host Key generation through dropping the support for rsa1
+
+## 10.4.2
+
+- gitlab: upgrade CE to v10.4.2
+
+## 10.4.1
+
+- gitlab: upgrade CE to v10.4.1
+
+## 10.4.0
+
+- gitlab: upgrade CE to v10.4.0
+- docker: upgrade to ubuntu xenial as baseimage
+- golang: update to 1.9.3
+
+## 10.3.6
+
+- gitlab: upgrade CE to v10.3.6
+
+## 10.3.5
+
+- gitlab: upgrade CE to v10.3.5
+
+## 10.3.4
+
+- gitlab: upgrade CE to v10.3.4
+
+## 10.3.3
+
+- gitlab: upgrade CE to v10.3.3
+- ADDED `AWS_BACKUP_ENCRYPTION` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/)
+- ADDED `AWS_BACKUP_STORAGE_CLASS` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/)
+- FIXED `AWS_BACKUP_MULTIPART_CHUNK_SIZE` [1449](https://github.com/sameersbn/docker-gitlab/pull/1449/)
+- Apply PaX mark to ruby [1458](https://github.com/sameersbn/docker-gitlab/pull/1458)
+
+## 10.3.2
+
+- gitlab: upgrade CE to v10.3.2
+
+## 10.3.1
+
+- gitlab: upgrade CE to v10.3.1
+
+## 10.3.0
+
+- gitlab: upgrade CE to v10.3.0
+- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_COUNT_THRESHOLD`
+- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_WAIT_TIME`
+- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_FAILURE_RESET_TIME`
+- REMOVED `GITLAB_REPOSITORIES_STORAGES_DEFAULT_STORAGE_TIMEOUT`
+- REMOVED `GITLAB_MAX_OBJECT_SIZE`
+- REMOVED `GITLAB_TIMEOUT`
+
+## 10.2.5
+
+- gitlab: upgrade CE to v10.2.5
+
+## 10.2.4
+
+- gitlab: upgrade to CE v10.2.4
+
+## 10.2.3
+
+- gitlab: upgrade to CE v10.2.3
+
+## 10.2.2
+
+- gitlab: upgrade to CE v10.2.2
+
+## 10.2.1
+
+- gitlab: upgrade to CE v10.2.1
+
+## 10.2.0
+
+- gitlab: upgrade to CE v10.2.0
+
+## 10.1.4
+
+- gitlab: upgrade to CE v10.1.4
+
+## 10.1.3
+
+- gitlab: upgrade to CE v10.1.3
+
+## 10.1.2
+
+- gitlab: upgrade to CE v10.1.2
+
+## 10.1.1
+
+- gitlab: upgrade to CE v10.1.1
+
+## 10.1.0
+
+- gitlab: upgrade to CE v10.1.0
+- REMOVED `GITALY_ENABLED``
+- ADDED `GITALY_ARTIFACTS_SERVER`
+- ADDED `GITALY_CLIENT_PATH`
+
+## 10.0.4
+
+- gitlab: upgrade to CE v10.0.4
+
+## 10.0.3
+
+- gitlab: upgrade to CE v10.0.3
+
+## 10.0.2
+
+- gitlab: upgrade to CE v10.0.2
+
+## 10.0.1
+
+- gitlab: upgrade to CE v10.0.1
+
+## 10.0.0
+
+- gitlab: upgrade to CE v10.0.0
+
+## 9.5.5
+
+- gitlab: upgrade to CE v9.5.5
+
+## 9.5.4
+
+- gitlab: upgrade to CE v9.5.4
+
+## 9.5.3
+
+- gitlab: upgrade to CE v9.5.3
+
+## 9.5.2
+
+- gitlab: upgrade to CE v9.5.2
+
+## 9.5.1
+
+- gitlab: upgrade to CE v9.5.1
+
+## 9.5.0
+
+- gitlab: upgrade to CE v9.5.0
+
+## 9.4.5
+
+- gitlab: upgrade to CE v9.4.5
+
+## 9.4.4
+
+- gitlab: upgrade to CE v9.4.4
+
+## 9.4.3
+
+- gitlab: upgrade to CE v9.4.3
+
+## 9.4.2
+
+- gitlab: upgrade to CE v9.4.2
+
+## 9.4.1
+
+- gitlab: upgrade to CE v9.4.1
+
+## 9.4.0-1
+
+- Fix asset compiling for missing translations
+
+## 9.4.0
+
+- gitlab: upgrade to CE v9.4.0
+- Added support for nginx_real_ip module ([#1137](https://github.com/sameersbn/docker-gitlab/pull/1137))
+- Added more security for regenerating certs ([#1288](https://github.com/sameersbn/docker-gitlab/pull/1288))
+
+## 9.3.9
+
+- gitlab: upgrade to CE v9.3.9
+
+## 9.3.8
+
+- gitlab: upgrade to CE v9.3.8
+- Added RE2 library to build dependencies ([issue 35342](https://gitlab.com/gitlab-org/gitlab-foss/issues/35342))
+
+## 9.3.7
+
+- gitlab: upgrade to CE v9.3.7
+
+## 9.3.6
+
+- gitlab: upgrade to CE v9.3.6
+
+## 9.3.5
+
+- gitlab: upgrade to CE v9.3.5
+
+## 9.3.4
+
+- gitlab: upgrade to CE v9.3.4
+
+## 9.3.3
+
+- gitlab: upgrade to CE v9.3.3
+
+## 9.3.2
+
+- gitlab: upgrade to CE v9.3.2
+
+## 9.3.1
+
+- gitlab: upgrade to CE v9.3.1
+
+## 9.3.0-1
+
+- Add the missing Gitaly config to let git commands over http/https working
+
+## 9.3.0
+
+- gitlab: upgrade to CE v9.3.0
+- update baseimage to `14.04.20170608`
+- Add `DB_COLLATION` (For MySQL related doesn't recognize by postgres)
+- Add `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON`
+- Add `GITALY_ENABLED`
+- Add `GITALY_SOCKET_PATH`
+- Add `GITALY_ADDRESS`
+
+## 9.2.7
+
+- gitlab: upgrade to CE v9.2.7
+
+## 9.2.6
+
+- gitlab: upgrade to CE v9.2.6
+
+## 9.2.5
+
+- gitlab: upgrade to CE v9.2.5
+
+## 9.2.2
+
+- gitlab: upgrade to CE v9.2.2
+
+## 9.2.1
+
+- gitlab: upgrade to CE v9.2.1
+
+## 9.2.0
+
+- gitlab: upgrade to CE v9.2.0
+- Add flexibility to use versions committed into gitlab-ce
+
+## 9.1.4
+
+- gitlab: upgrade to CE v9.1.4
+
+## 9.1.3
+
+- gitlab: upgrade to CE v9.1.3
+
+## 9.1.2
+
+- gitlab: upgrade to CE v9.1.2
+- update baseimage to `14.04.20170503`
+
+## 9.1.1
+
+- gitlab: upgrade to CE v9.1.1
+
+## 9.1.0-1
+
+- Fix gitlab-workhorse version display
+
+## 9.1.0
+
+- gitlab: upgrade to CE v9.1.0
+- gitlab-shell: upgrade to 5.0.2
+- gitlab-workhorse: upgrade to 1.4.3
+
+## 9.0.6
+
+- gitlab: upgrade to CE v9.0.6
+
+## 9.0.5
+
+- gitlab: upgrade to CE v9.0.5
+
+## 9.0.4
+
+- gitlab: upgrade to CE v9.0.4
+
+## 9.0.3
+
+- gitlab: upgrade to CE v9.0.3
+
+## 9.0.2
+
+- gitlab: upgrade to CE v9.0.2
+
+## 9.0.1
+
+- gitlab: upgrade to CE v9.0.1
+- gitlab-workhorse 1.4.2
+
+## 9.0.0
+
+- gitlab: upgrade to CE v9.0.0
+- gitlab-shell 5.0.0
+- gitlab-workhorse 1.4.1
+- gitlab-pages 0.4.0
+
+## 8.17.4
+
+- gitlab: upgrade to CE v8.17.4
+
+## 8.17.3
+
+- gitlab: upgrade to CE v8.17.3
+
+## 8.17.2
+
+- gitlab: upgrade to CE v8.17.2
+
+## 8.17.1
+
+- gitlab: upgrade to CE v8.17.1
+- fixes first problems with gitlab-pages
+
+## 8.17.0
+
+- gitlab: upgrade to CE v8.17.0
+- added `GITLAB_PAGES_ENABLED`
+- added `GITLAB_PAGES_DOMAIN`
+- added `GITLAB_PAGES_DIR`
+- added `GITLAB_PAGES_PORT`
+- added `GITLAB_PAGES_HTTPS`
+- added `GITLAB_PAGES_EXTERNAL_HTTP`
+- added `GITLAB_PAGES_EXTERNAL_HTTPS`
+- added `SSL_PAGES_KEY_PATH`
+- added `SSL_PAGES_CERT_PATH`
+- added nodejs 7.x as core dependencies
+- added gitlab-pages daemon
+
+## 8.16.6
+
+- gitlab: upgrade to CE v8.16.6
+- Fix logical bug of Remote Backup
+
+## 8.16.5
+
+- gitlab: upgrade to CE v8.16.5
+
+## 8.16.4
+
+- gitlab: upgrade to CE v8.16.4
+
+## 8.16.3
+
+- gitlab: upgrade to CE v8.16.3
+
+## 8.16.2
+
+- gitlab: upgrade to CE v8.16.2
+
+## 8.16.1
+
+- gitlab: upgrade to CE v8.16.1
+
+## 8.16.0
+
+- gitlab: 
upgrade to CE v8.16.0 + +## 8.15.4 -**8.15.4** - gitlab: upgrade to CE v8.15.4 -**8.15.3** +## 8.15.3 + - gitlab: upgrade to CE v8.15.3 -**8.15.2** +## 8.15.2 + - gitlab: upgrade to CE v8.15.2 -**8.15.1** +## 8.15.1 + - gitlab: upgrade to CE v8.15.1 -**8.15.0** +## 8.15.0 + - gitlab: upgrade to CE v8.15.0 - added `GITLAB_MATTERMOST_ENABLED` - added `GITLAB_MATTERMOST_URL` 
@@ -23,268 +2758,343 @@ This file only reflects the changes that are made in this image. Please refer to - added `OAUTH_AUTHENTIQ_SCOPE` - added `OAUTH_AUTHENTIQ_REDIRECT_URI` -**8.14.5** +## 8.14.5 + - gitlab: upgrade to CE v8.14.5 -**8.14.4** +## 8.14.4 + - gitlab: upgrade to CE v8.14.4 -**8.14.3** +## 8.14.3 + - gitlab: upgrade to CE v8.14.3 -**8.14.2** +## 8.14.2 + - gitlab: upgrade to CE v8.14.2 -**8.14.1** +## 8.14.1 + - gitlab: upgrade to CE v8.14.1 -**8.14.0** +## 8.14.0 + - gitlab: upgrade to CE v8.14.0 - added `IMAP_TIMEOUT` - update golang to 1.6.3 -**8.13.6** +## 8.13.6 + - gitlab: upgrade to CE v8.13.6 -**8.13.5** +## 8.13.5 + - gitlab: upgrade to CE v8.13.5 -**Important**: -We skipped `8.13.4` because it doesn't contain any changes. For more -information [8.13.4 release](https://about.gitlab.com/2016/11/09/gitlab-8-dot-13-dot-5-released/) +## 8.13.4 -**8.12.1** +**Important:** We skipped `8.13.4` because it doesn't contain any changes. For more information [8.13.4 release](https://about.gitlab.com/2016/11/09/gitlab-8-dot-13-dot-5-released/). + +## 8.13.3 -**8.13.3** - gitlab: upgrade to CE v8.13.3 -**8.13.2** +## 8.13.2 + - gitlab: upgrade to CE v8.13.2 -**8.13.1** +## 8.13.1 + - gitlab: upgrade to CE v8.13.1 -**8.13.0** +## 8.13.0 + - gitlab: upgrade to CE v8.13.0 - added `GITLAB_EMAIL_SUBJECT_SUFFIX` -**8.12.7** +## 8.12.7 + - gitlab: upgrade to CE v8.12.7 -**8.12.6** +## 8.12.6 + - gitlab: upgrade to CE v8.12.6 -**8.12.5** +## 8.12.5 + - gitlab: upgrade to CE v8.12.5 -**8.12.4** +## 8.12.4 + - gitlab: upgrade to CE v8.12.4 -**8.12.3** +## 8.12.3 + - gitlab: upgrade to CE v8.12.3 -**Important**: -We skipped `8.12.2` because it doesn't contain any changes. For more -information [8.12.3 release](https://about.gitlab.com/2016/09/29/gitlab-8-12-3-released/) +## 8.12.2 + +**Important:** We skipped `8.12.2` because it doesn't contain any changes. For more information [8.12.3 release](https://about.gitlab.com/2016/09/29/gitlab-8-12-3-released/). 
+ +## 8.12.1 -**8.12.1** - gitlab: upgrade to CE v8.12.1 -**8.12.0** +## 8.12.0 + - gitlab: upgrade to CE v8.12.0 -**8.11.7** +## 8.11.7 + - gitlab: upgrade to CE v8.11.7 -**8.11.6** +## 8.11.6 + - gitlab: upgrade to CE v8.11.6 -**8.11.5** +## 8.11.5 + - gitlab: upgrade to CE v8.11.5 -**8.11.4** +## 8.11.4 + - gitlab: upgrade to CE v8.11.4 -**8.11.3** +## 8.11.3 + - gitlab: upgrade to CE v8.11.3 -**8.11.2** +## 8.11.2 + - gitlab: upgrade to CE v8.11.2 -**8.11.0** +## 8.11.0 + - gitlab: upgrade to CE v8.11.0 - added `GITLAB_SECRETS_SECRET_KEY_BASE` - added `GITLAB_SECRETS_OTP_KEY_BASE` -**Important** +## Important + When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/.secret` for `GITLAB_SECRETS_OTP_KEY_BASE` otherwise it will break your 2FA . -**8.10.7** +## 8.10.7 + - gitlab: upgrade to CE v8.10.7 -**8.10.6** +## 8.10.6 + - gitlab: upgrade to CE v8.10.6 -**8.10.5** +## 8.10.5 + - gitlab: upgrade to CE v8.10.5 -**8.10.4** +## 8.10.4 + - gitlab: upgrade to CE v8.10.4 -**8.10.3** +## 8.10.3 + - gitlab: upgrade to CE v8.10.3 -**8.10.2-1** +## 8.10.2-1 + - Fix `OAUTH_GOOGLE_RESTRICT_DOMAIN` -**8.10.2** +## 8.10.2 + - gitlab: upgrade to CE v8.10.2 - Improve `OAUTH_GOOGLE_RESTRICT_DOMAIN` for multiple restricted domains -**8.10.1** +## 8.10.1 + - gitlab: upgrade to CE v8.10.1 -**8.10.0** +## 8.10.0 + - gitlab: upgrade to CE v8.10.0 -**8.9.6** +## 8.9.6 + - gitlab: upgrade to CE v8.9.6 -**8.9.5** +## 8.9.5 + - gitlab: upgrade to CE v8.9.5 -**8.9.4** +## 8.9.4 + - gitlab: upgrade to CE v8.9.4 -**8.9.3** +## 8.9.3 + - gitlab: upgrade to CE v8.9.3 -**8.9.2** +## 8.9.2 + - gitlab: upgrade to CE v8.9.2 -**8.9.1** +## 8.9.1 + - gitlab: upgrade to CE v8.9.1 -**8.9.0** +## 8.9.0 + - gitlab: upgrade to CE v8.9.0 -**8.8.5-1** +## 8.8.5-1 + - added GitLab Container Registry support - added `SSL_CIPHERS` option to change ciphers of the nginx -**8.8.5** +## 8.8.5 + - gitlab: upgrade to CE v8.8.5 -**8.8.4** +## 8.8.4 + - gitlab: upgrade to CE v8.8.4 - added 
`GITLAB_PROJECTS_LIMIT` configuration option -**8.8.3** +## 8.8.3 + - gitlab: upgrade to CE v8.8.3 -**8.8.2** +## 8.8.2 + - gitlab: upgrade to CE v8.8.2 -**8.8.1** +## 8.8.1 + - gitlab: upgrade to CE v8.8.1 -**8.8.0** +## 8.8.0 + - gitlab: upgrade to CE v8.8.0 - oauth: exposed `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` options for users for GitHub Enterprise. -**8.7.6** +## 8.7.6 + - gitlab: upgrade to CE v8.7.6 -**8.7.5** +## 8.7.5 + - gitlab: upgrade to CE v8.7.5 -**8.7.3** +## 8.7.3 + - gitlab: upgrade to CE v8.7.3 -**8.7.2** +## 8.7.2 + - gitlab: upgrade to CE v8.7.2 -**8.7.1** +## 8.7.1 + - gitlab: upgrade to CE v8.7.1 -**8.7.0** +## 8.7.0 + - gitlab-shell: upgrade to v.2.7.2 - gitlab: upgrade to CE v8.7.0 - SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers. - OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers. - Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter -**8.6.7** +## 8.6.7 + - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups - gitlab: upgrade to CE v8.6.7 -**8.6.6** +## 8.6.6 + - gitlab: upgrade to CE v8.6.6 -**8.6.5** +## 8.6.5 + - gitlab: upgrade to CE v8.6.5 -**8.6.4** +## 8.6.4 + - gitlab: upgrade to CE v8.6.4 -**8.6.3** +## 8.6.3 + - gitlab-shell: upgrade to v.2.6.12 - gitlab: upgrade to CE v8.6.3 -**8.6.2** +## 8.6.2 + - gitlab: upgrade to CE v8.6.2 -**8.6.1** +## 8.6.1 + - gitlab: upgrade to CE v8.6.1 -**8.6.0** +## 8.6.0 + - gitlab-shell: upgrade to v.2.6.11 - gitlab-workhorse: upgrade to v0.7.1 - gitlab: upgrade to CE v8.6.0 - exposed configuration parameters for auth0 OAUTH support - fixed relative_url support -**8.5.8** +## 8.5.8 + - gitlab: upgrade to CE v8.5.8 -**8.5.7** +## 8.5.7 + - gitlab: upgrade to CE v8.5.7 -**8.5.5** +## 8.5.5 + - gitlab: upgrade to CE v8.5.5 -**8.5.4** +## 8.5.4 + - gitlab: upgrade to CE v8.5.4 -**8.5.3** +## 8.5.3 + - gitlab: upgrade to CE v8.5.3 -**8.5.1** +## 8.5.1 + - gitlab: upgrade to CE v8.5.1 -**8.5.0** +## 8.5.0 + - 
gitlab-workhorse: upgrade to v0.6.4 - gitlab: upgrade to CE v8.5.0 - firstrun: expose `GITLAB_ROOT_EMAIL` configuration option - expose `OAUTH_AUTO_LINK_SAML_USER` configuration parameter -**8.4.4** +## 8.4.4 + - gitlab: upgrade to CE v8.4.4 -**8.4.3** +## 8.4.3 + - gitlab: upgrade to CE v8.4.3 -**8.4.2** +## 8.4.2 + - gitlab-workhorse: upgrade to v0.6.2 - gitlab: upgrade to CE v8.4.2 -**8.4.1** +## 8.4.1 + - gitlab: upgrade to CE v8.4.1 -**8.4.0-1** +## 8.4.0-1 + - `assets:precompile` moved back to build time -**8.4.0** +## 8.4.0 + - gitlab-shell: upgrade to v.2.6.10 - gitlab-workhorse: upgrade to v0.6.1 - gitlab: upgrade to CE v8.4.0 @@ -292,21 +3102,26 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - oauth: expose azure oauth configuration options - `assets:precompile` executed at runtime -**8.3.4** +## 8.3.4 + - gitlab-workhorse: upgrade to v0.5.4 - gitlab: upgrade to CE v8.3.4 - expose `LDAP_TIMEOUT` configuration parameter -**8.3.2** +## 8.3.2 + - gitlab: upgrade to CE v8.3.2 -**8.3.1** +## 8.3.1 + - gitlab: upgrade to CE v8.3.1 -**8.3.0-1** +## 8.3.0-1 + - fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used. -**8.3.0** +## 8.3.0 + - `envsubst` is now used for updating the configurations - renamed config `CA_CERTIFICATES_PATH` to `SSL_CA_CERTIFICATES_PATH` - renamed config `GITLAB_HTTPS_HSTS_ENABLED` to `NGINX_HSTS_ENABLED` 
@@ -318,28 +3133,33 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - removed `NGINX_MAX_UPLOAD_SIZE` configuration parameter - gitlab-shell: upgrade to v.2.6.9 -**8.2.3** +## 8.2.3 + - fixed static asset routing when `GITLAB_RELATIVE_URL_ROOT` is used. - added `GITLAB_BACKUP_PG_SCHEMA` configuration parameter - gitlab: upgrade to CE v8.2.3 -**8.2.2** +## 8.2.2 + - added `GITLAB_DOWNLOADS_DIR` configuration parameter - `DB_TYPE` parameter renamed to `DB_ADAPTER` with `mysql2` and `postgresql` as accepted values - exposed `DB_ENCODING` parameter - gitlab: upgrade to CE v8.2.2 -**8.2.1-1** +## 8.2.1-1 + - fixed typo while setting the value of `GITLAB_ARTIFACTS_DIR` -**8.2.1** +## 8.2.1 + - expose rack_attack configuration options - gitlab-shell: upgrade to v.2.6.8 - gitlab: upgrade to CE v8.2.1 - added `GITLAB_ARTIFACTS_ENABLED` configuration parameter - added `GITLAB_ARTIFACTS_DIR` configuration parameter -**8.2.0** +## 8.2.0 + - gitlab-shell: upgrade to v.2.6.7 - gitlab-workhorse: upgrade to v.0.4.2 - gitlab: upgrade to CE v8.2.0 
@@ -348,54 +3168,68 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added `GITLAB_PROJECTS_BUILDS` configuration parameter - added `GITLAB_LFS_ENABLED` configuration parameter -**8.1.4** +## 8.1.4 + - gitlab: upgrade to CE v8.1.4 -**8.1.3** +## 8.1.3 + - proper long-term fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used - gitlab: upgrade to CE v8.1.3 - Expose Facebook OAUTH configuration parameters -**8.1.2** +## 8.1.2 + - gitlab: upgrade to CE v8.1.2 - removed `GITLAB_SATELLITES_TIMEOUT` configuration parameter -**8.1.0-2** +## 8.1.0-2 + - Recompile assets when `GITLAB_RELATIVE_URL_ROOT` is used Fixes #481 -**8.1.0-1** +## 8.1.0-1 + - temporary fix for http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used -**8.1.0** +## 8.1.0 + - gitlab: upgrade to CE v8.1.0 - gitlab-git-http-server: upgrade to v0.3.0 -**8.0.5-1** +## 8.0.5-1 + - speed up container startup by compiling assets at image build time - test connection to redis-server -**8.0.5** +## 8.0.5 + - gitlab: upgrade to CE v.8.0.5 -**8.0.4-2** +## 8.0.4-2 + - fix http/https cloning when `GITLAB_RELATIVE_URL_ROOT` is used - allow user to override `OAUTH_ENABLED` setting -**8.0.4-1** +## 8.0.4-1 + - update baseimage to `sameersbn/ubuntu:14.04.20151011` -**8.0.4** +## 8.0.4 + - gitlab: upgrade to CE v.8.0.4 -**8.0.3** +## 8.0.3 + - gitlab: upgrade to CE v.8.0.3 -**8.0.2** +## 8.0.2 + - gitlab: upgrade to CE v.8.0.2 - added `IMAP_STARTTLS` parameter, defaults to `false` - expose oauth parameters for crowd server -**8.0.0** +## 8.0.0 + - set default value of `DB_TYPE` to `postgres` - added sample Kubernetes rc and service description files - expose `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` parameter 
@@ -407,102 +3241,129 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - removed `GITLAB_ROBOTS_OVERRIDE` parameter. Override default `robots.txt` if `GITLAB_ROBOTS_PATH` exists. - added CI redirection using `GITLAB_CI_HOST` parameter -**7.14.3** +## 7.14.3 + - gitlab: upgrade to CE v.7.14.3 -**7.14.2** +## 7.14.2 + - Apply grsecurity policies to nodejs binary #394 - Fix broken emojis post migration #196 - gitlab-shell: upgrade to v.2.6.5 - gitlab: upgrade to CE v.7.14.2 -**7.14.1** +## 7.14.1 + - gitlab: upgrade to CE v.7.14.1 -**7.14.0** +## 7.14.0 + - gitlab-shell: upgrade to v.2.6.4 - gitlab: upgrade to CE v.7.14.0 -**7.13.5** +## 7.13.5 + - gitlab: upgrade to CE v.7.13.5 -**7.13.4** +## 7.13.4 + - gitlab: upgrade to CE v.7.13.4 -**7.13.3** +## 7.13.3 + - gitlab: upgrade to CE v.7.13.3 -**7.13.2** +## 7.13.2 + - gitlab: upgrade to CE v.7.13.2 -**7.13.1** +## 7.13.1 + - gitlab: upgrade to CE v.7.13.1 -**7.13.0** +## 7.13.0 + - expose SAML OAuth provider configuration - expose `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` configuration - gitlab: upgrade to CE v.7.13.0 -**7.12.2-2** +## 7.12.2-2 + - enable persistence `.secret` file used in 2FA -**7.12.2-1** +## 7.12.2-1 + - fixed gitlab:backup:restore raketask -**7.12.2** +## 7.12.2 + - gitlab: upgrade to CE v.7.12.2 -**7.12.1** +## 7.12.1 + - gitlab: upgrade to CE v.7.12.1 -**7.12.0** +## 7.12.0 + - added `SMTP_TLS` configuration parameter - gitlab: upgrade to CE v.7.12.0 - added `OAUTH_AUTO_LINK_LDAP_USER` configuration parameter -**7.11.4-1** +## 7.11.4-1 + - base image update to fix SSL vulnerability -**7.11.4** +## 7.11.4 + - gitlab: upgrade to CE v.7.11.4 -**7.11.3** +## 7.11.3 + - gitlab: upgrade to CE v.7.11.3 -**7.11.2** +## 7.11.2 + - gitlab: upgrade to CE v.7.11.2 -**7.11.0** +## 7.11.0 + - init: added `SIDEKIQ_MEMORY_KILLER_MAX_RSS` configuration option - init: added `SIDEKIQ_SHUTDOWN_TIMEOUT` configuration option - gitlab-shell: upgrade to v.2.6.3 - gitlab: upgrade to CE 
v.7.11.0 - init: removed `GITLAB_PROJECTS_VISIBILITY` ENV parameter -**7.10.4** +## 7.10.4 + - gitlab: upgrade to CE v.7.10.4 -**7.10.3** +## 7.10.3 + - gitlab: upgrade to CE v.7.10.3 -**7.10.2** +## 7.10.2 + - init: added support for remote AWS backups - gitlab: upgrade to CE v.7.10.2 -**7.10.1** +## 7.10.1 + - gitlab: upgrade to CE v.7.10.1 -**7.10.0** +## 7.10.0 + - gitlab-shell: upgrade to v.2.6.2 - gitlab: upgrade to CE v.7.10.0 - init: removed ENV variables to configure *External Issue Tracker* integration - init: added `GITLAB_EMAIL_REPLY_TO` configuration option - init: added `LDAP_BLOCK_AUTO_CREATED_USERS` configuration option -**7.9.4** +## 7.9.4 + - gitlab: upgrade to CE v.7.9.4 -**7.9.3** +## 7.9.3 + - added `NGINX_PROXY_BUFFERING` option - added `NGINX_ACCEL_BUFFERING` option - added `GITLAB_GRAVATAR_ENABLED` option @@ -511,14 +3372,17 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - fixes: "transfer closed with xxx bytes remaining to read" error - gitlab: upgrade to CE v.7.9.3 -**7.9.2** +## 7.9.2 + - gitlab: upgrade to CE v.7.9.2 -**7.9.1** +## 7.9.1 + - init: set default value of `SMTP_OPENSSL_VERIFY_MODE` to `none` - gitlab: upgrade to CE v.7.9.1 -**7.9.0** +## 7.9.0 + - gitlab-shell: upgrade to v.2.6.0 - gitlab: upgrade to CE v.7.9.0 - init: set default value of `UNICORN_WORKERS` to `3` 
@@ -527,17 +3391,21 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - init: added BitBucket OAuth configuration support - init: added `GITLAB_EMAIL_DISPLAY_NAME` configuration option -**7.8.4** +## 7.8.4 + - gitlab: upgrade to CE v.7.8.4 -**7.8.2** +## 7.8.2 + - gitlab: upgrade to CE v.7.8.2 -**7.8.1** +## 7.8.1 + - gitlab-shell: upgrade to v.2.5.4 - gitlab: upgrade to CE v.7.8.1 -**7.8.0** +## 7.8.0 + - update postgresql client to the latest version, Closes #249 - removed `GITLAB_SIGNUP` configuration option, can be set from gitlab ui - removed `GITLAB_SIGNIN` configuration option, can be set from gitlab ui 
@@ -549,60 +3417,73 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - init: set `LDAP_METHOD` default value to `plain` - init: added gitlab oauth configuration support -**7.7.2** +## 7.7.2 + - gitlab-shell: upgrade to v.2.4.2 - gitlab: upgrade to CE v.7.7.2 -**7.7.1** +## 7.7.1 + - gitlab: upgrade to CE v.7.7.1 -**7.7.0** +## 7.7.0 + - init: added GOOGLE_ANALYTICS_ID configuration option - added support for mantis issue tracker - fixed log rotation configuration - gitlab-shell: upgrade to v.2.4.1 - gitlab: upgrade to CE v.7.7.0 -**7.6.2** +## 7.6.2 + - gitlab: upgrade to CE v.7.6.2 -**7.6.1** +## 7.6.1 + - disable nginx ipv6 if host does not support it. - init: added GITLAB_BACKUP_TIME configuration option - gitlab: upgrade to CE v.7.6.1 -**7.6.0** +## 7.6.0 + - add support for configuring piwik - gitlab-shell: upgrade to v.2.4.0 - gitlab: upgrade to CE v.7.6.0 -**7.5.3** +## 7.5.3 + - accept `BACKUP` parameter while running the restore rake task, closes #220 - init: do not run `gitlab:satellites:create` rake task at startup - gitlab: upgrade to CE v.7.5.3 -**7.5.2** +## 7.5.2 + - gitlab: upgrade to CE v.7.5.2 -**7.5.1** +## 7.5.1 + - gitlab: upgrade to CE v.7.5.1 - gitlab-shell to v2.2.0 - added `GITLAB_TIMEZONE` configuration option - added `GITLAB_EMAIL_ENABLED` configuration option -**7.4.4** +## 7.4.4 + - gitlab: upgrade to CE v.7.4.4 - added `SSL_VERIFY_CLIENT` configuration option - added `NGINX_WORKERS` configuration option - added `USERMAP_UID` and `USERMAP_GID` configuration option -**7.4.3** +## 7.4.3 + - gitlab: upgrade to CE v.7.4.3 -**7.4.2** +## 7.4.2 + - gitlab: upgrade to CE v.7.4.2 -**7.4.0** +## 7.4.0 + - gitlab: upgrade to CE v.7.4.0 - config: added `LDAP_ACTIVE_DIRECTORY` configuration option - added SMTP_OPENSSL_VERIFY_MODE configuration option 
@@ -610,10 +3491,12 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - automatically compile assets if relative_url is changed - launch all daemons via supervisord -**7.3.2-1** +## 7.3.2-1 + - fix mysql status check -**7.3.2** +## 7.3.2 + - upgrade to gitlab-ce 7.3.2 - removed internal mysql server - added support for fetching `DB_NAME`, `DB_USER` and `DB_PASS` from the postgresql linkage @@ -622,27 +3505,33 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added GITLAB_GRAVATAR_ENABLED configuration option - added fig.yml -**7.3.1-3** +## 7.3.1-3 + - fix mysql command again! -**7.3.1-2** +## 7.3.1-2 + - fix mysql server status check -**7.3.1-1** +## 7.3.1-1 + - plug bash vulnerability by switching to dash shell - automatically run the `gitlab:setup` rake task for new installs -**7.3.1** +## 7.3.1 + - upgrade to gitlab-ce 7.3.1 -**7.3.0** +## 7.3.0 + - upgrade to gitlab-ce 7.3.0 - added GITLAB_WEBHOOK_TIMEOUT configuration option - upgrade to gitlab-shell 2.0.0 - removed internal redis server - shutdown the container gracefully -**7.2.2** +## 7.2.2 + - upgrade to gitlab-ce 7.2.2 - added GITLAB_HTTPS_HSTS_ENABLED configuration option (advanced config) - added GITLAB_HTTPS_HSTS_MAXAGE configuration option (advanced config) 
@@ -652,22 +3541,26 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added GITLAB_SSH_HOST configuration option - added GITLAB_USERNAME_CHANGE configuration option -**7.2.1-1** +## 7.2.1-1 + - removed the GITLAB_HTTPS_ONLY configuration option - added NGINX_X_FORWARDED_PROTO configuration option - optimization: talk directly to the unicorn worker from gitlab-shell -**7.2.1** +## 7.2.1 + - upgrade to gitlab-ce 7.2.1 - added new SMTP_ENABLED configuration option. -**7.2.0-1** +## 7.2.0-1 + - fix nginx static route handling when GITLAB_RELATIVE_URL_ROOT is used. - fix relative root access without the trailing '/' character -- added seperate server block for http config in gitlab.https.permissive. Fixes #127 +- added separate server block for http config in gitlab.https.permissive. Fixes #127 - added OAUTH_GOOGLE_RESTRICT_DOMAIN config option. -**7.2.0** +## 7.2.0 + - upgrade to gitlab-ce 7.2.0 - update to the sameersbn/ubuntu:14.04.20140818 baseimage - remove /var/lib/apt/lists to optimize image size. @@ -682,12 +3575,14 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - update to gitlab-shell 1.9.7 - update to the sameersbn/ubuntu:14.04.20140812 baseimage -**7.1.1** +## 7.1.1 + - removed "add_header X-Frame-Options DENY" setting from the nginx config. fixes #110 - upgrade to gitlab-ce 7.1.1 - run /etc/init.d/gitlab as git user, plays nicely with selinux -**7.1.0** +## 7.1.0 + - removed GITLAB_SUPPORT configuration option - upgrade to gitlab-ce 7.1.0 - clone gitlab-ce and gitlab-shell sources from the git repo. @@ -696,7 +3591,8 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - no more root access over ssh, use nsenter instead - upgrade to nginx-1.6.x series from the nginx/stable ppa -**7.0.0** +## 7.0.0 + - upgrade to gitlab-7.0.0 - fix repository and gitlab-satellites directory permissions. - added GITLAB_RESTRICTED_VISIBILITY configuration option 
@@ -706,18 +3602,22 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - automatically migrate database when gitlab version is updated - upgrade to gitlab-shell 1.9.5 -**6.9.2** +## 6.9.2 + - upgrade to gitlab-ce 6.9.2 -**6.9.1** +## 6.9.1 + - upgrade to gitlab-ce 6.9.1 -**6.9.0** +## 6.9.0 + - upgrade to gitlab-ce 6.9.0 - added GITLAB_RELATIVE_URL_ROOT configuration option - added NGINX_MAX_UPLOAD_SIZE configuration to specify the maximum acceptable size of attachments. -**6.8.2** +## 6.8.2 + - upgrade to gitlab-ce 6.8.2 - renamed configuration option GITLAB_SHELL_SSH_PORT to GITLAB_SSH_PORT - added GITLAB_PROJECTS_VISIBILITY configuration option to specify the default project visibility level. @@ -738,10 +3638,12 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - cache compiled assets to boost application startup. - fix symlink to uploads directory -**6.8.1** +## 6.8.1 + - upgrade to gitlab-ce 6.8.1 -**6.8.0** +## 6.8.0 + - upgrade to gitlab-shell 1.9.3 - added GITLAB_SIGNIN setting to enable or disable standard login form - upgraded to gitlab-ce version 6.8.0 
@@ -749,30 +3651,36 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - use sameersbn/ubuntu as the base docker image - install postgresql-client to fix restoring backups when used with a postgresql database backend. -**6.7.5** +## 6.7.5 + - upgrade gitlab to 6.7.5 - support linking to mysql and postgresql containers - added DEFAULT_PROJECTS_LIMIT configuration option -**6.7.4** +## 6.7.4 + - upgrade gitlab to 6.7.4 - added SMTP_AUTHENTICATION configuration option, defaults to :login. - added LDAP configuration options. -**6.7.3** +## 6.7.3 + - upgrade gitlab to 6.7.3 - install ruby2.0 from ppa -**6.7.2** +## 6.7.2 + - upgrade gitlab to 6.7.2 - upgrade gitlab-shell to 1.9.1 - reorganize repo -- do not perform system upgrades (http://crosbymichael.com/dockerfile-best-practices-take-2.html) +- do not perform system upgrades () + +## 6.6.5 -**6.6.5** - upgraded to gitlab-6.6.5 -**v6.6.4** +## v6.6.4 + - upgraded to gitlab-6.6.4 - added changelog - removed postfix mail delivery @@ -782,7 +3690,8 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added DB_PORT configuration option - changed backup time to 4am (UTC) -**v6.6.2** +## v6.6.2 + - upgraded to gitlab-6.6.2 - added automated daily/monthly backups feature - documented ssh login details for maintenance tasks. @@ -791,6 +3700,7 @@ When you start to upgrade from `8.10-7` or below use the key of `/home/git/data/ - added app:rake command for executing gitlab rake tasks - documented hardware requirements -**v6.6.1** +## v6.6.1 + - upgraded to gitlabhq-6.6.1 - reformatted README diff --git a/Dockerfile b/Dockerfile index b5772b899..7712fb6be 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,44 +1,64 @@ -FROM sameersbn/ubuntu:14.04.20170110 -MAINTAINER sameer@damagehead.com - -ENV GITLAB_VERSION=8.15.4 \ - RUBY_VERSION=2.3 \ - GOLANG_VERSION=1.6.3 \ - GITLAB_SHELL_VERSION=4.1.1 \ - GITLAB_WORKHORSE_VERSION=1.2.1 \ +FROM ubuntu:noble-20251001 + +ARG VERSION=18.5.1 + +ENV GITLAB_VERSION=${VERSION} \ + RUBY_VERSION=3.2.9 \ + RUBY_SOURCE_SHA256SUM="abbad98db9aeb152773b0d35868e50003b8c467f3d06152577c4dfed9d88ed2a" \ + RUBYGEMS_VERSION=3.7.2 \ + GOLANG_VERSION=1.24.9 \ + GITLAB_SHELL_VERSION=14.45.3 \ + GITLAB_PAGES_VERSION=18.5.1 \ + GITALY_SERVER_VERSION=18.5.1 \ GITLAB_USER="git" \ GITLAB_HOME="/home/git" \ GITLAB_LOG_DIR="/var/log/gitlab" \ GITLAB_CACHE_DIR="/etc/docker-gitlab" \ - RAILS_ENV=production + RAILS_ENV=production \ + NODE_ENV=production \ + NO_SOURCEMAPS=true ENV GITLAB_INSTALL_DIR="${GITLAB_HOME}/gitlab" \ GITLAB_SHELL_INSTALL_DIR="${GITLAB_HOME}/gitlab-shell" \ - GITLAB_WORKHORSE_INSTALL_DIR="${GITLAB_HOME}/gitlab-workhorse" \ + GITLAB_GITALY_INSTALL_DIR="${GITLAB_HOME}/gitaly" \ GITLAB_DATA_DIR="${GITLAB_HOME}/data" \ GITLAB_BUILD_DIR="${GITLAB_CACHE_DIR}/build" \ GITLAB_RUNTIME_DIR="${GITLAB_CACHE_DIR}/runtime" -RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv E1DD270288B4E6030699E45FA1715D88E1DF1F24 \ - && echo "deb http://ppa.launchpad.net/git-core/ppa/ubuntu trusty main" >> /etc/apt/sources.list \ - && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 80F70E11F0F0D5F10CB20E62F5DA5F09C3173AA6 \ - && echo "deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu trusty main" >> /etc/apt/sources.list \ - && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 8B3981E7A6852F782CC4951600A6F0A3C300EE8C \ - && echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu trusty main" >> /etc/apt/sources.list \ - && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \ - && echo 'deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main' > /etc/apt/sources.list.d/pgdg.list \ 
+RUN apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ + wget ca-certificates apt-transport-https gnupg2 \ + && apt-get upgrade -y \ + && rm -rf /var/lib/apt/lists/* + +RUN set -ex && \ + mkdir -p /etc/apt/keyrings \ + && wget --quiet -O - https://keyserver.ubuntu.com/pks/lookup?op=get\&search=0xe1dd270288b4e6030699e45fa1715d88e1df1f24 | gpg --dearmor -o /etc/apt/keyrings/git-core.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/git-core.gpg] http://ppa.launchpad.net/git-core/ppa/ubuntu noble main" >> /etc/apt/sources.list \ + && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/postgres.gpg \ + && echo 'deb [signed-by=/etc/apt/keyrings/postgres.gpg] http://apt.postgresql.org/pub/repos/apt/ noble-pgdg main' > /etc/apt/sources.list.d/pgdg.list \ + && wget --quiet -O - https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \ + && echo 'deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodesource.list \ + && wget --quiet -O - https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /etc/apt/keyrings/yarn.gpg \ + && echo 'deb [signed-by=/etc/apt/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list \ + && wget --quiet -O - https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu noble nginx" >> /etc/apt/sources.list.d/nginx.list \ + && printf "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" >> /etc/apt/preferences.d/99nginx \ + && set -ex \ && apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y supervisor logrotate locales curl \ - nginx openssh-server mysql-client postgresql-client 
redis-tools \ - git-core ruby${RUBY_VERSION} python2.7 python-docutils nodejs gettext-base \ - libmysqlclient18 libpq5 zlib1g libyaml-0-2 libssl1.0.0 \ - libgdbm3 libreadline6 libncurses5 libffi6 \ - libxml2 libxslt1.1 libcurl3 libicu52 \ + && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ + sudo supervisor logrotate locales curl \ + nginx openssh-server redis-tools \ + postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-16 postgresql-client-17 \ + python3 python3-docutils nodejs yarn gettext-base graphicsmagick \ + libpq5 zlib1g libyaml-dev libssl-dev libgdbm-dev libre2-dev \ + libreadline-dev libncurses5-dev libffi-dev curl openssh-server libxml2-dev libxslt-dev \ + libcurl4-openssl-dev libicu-dev libkrb5-dev rsync python3-docutils pkg-config cmake \ + tzdata unzip libimage-exiftool-perl libmagic1 \ && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \ && locale-gen en_US.UTF-8 \ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \ - && gem install --no-document bundler \ - && rm -rf /var/lib/apt/lists/* + && rm -rf /var/lib/apt/lists/* /etc/nginx/conf.d/default.conf COPY assets/build/ ${GITLAB_BUILD_DIR}/ RUN bash ${GITLAB_BUILD_DIR}/install.sh @@ -47,6 +67,22 @@ COPY assets/runtime/ ${GITLAB_RUNTIME_DIR}/ COPY entrypoint.sh /sbin/entrypoint.sh RUN chmod 755 /sbin/entrypoint.sh +ENV prometheus_multiproc_dir="/dev/shm" + +ARG BUILD_DATE +ARG VCS_REF + +LABEL \ + maintainer="sameer@damagehead.com" \ + org.label-schema.schema-version="1.0" \ + org.label-schema.build-date=${BUILD_DATE} \ + org.label-schema.name=gitlab \ + org.label-schema.vendor=damagehead \ + org.label-schema.url="https://github.com/sameersbn/docker-gitlab" \ + org.label-schema.vcs-url="https://github.com/sameersbn/docker-gitlab.git" \ + org.label-schema.vcs-ref=${VCS_REF} \ + com.damagehead.gitlab.license=MIT + EXPOSE 22/tcp 80/tcp 443/tcp VOLUME ["${GITLAB_DATA_DIR}", "${GITLAB_LOG_DIR}"] 
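Review bot: The `wget … | gpg --dearmor` pipelines in the keyring RUN only propagate gpg's exit status, so a failed key download does not necessarily abort the `&&` chain even under `set -e`; the usual fix is `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of the RUN (hadolint DL4006), which also lets the `?op=get\&search=…` URL be quoted rather than backslash-escaped. The apt-get install list repeats `curl`, `openssh-server` and `python3-docutils`, and `set -ex` appears twice in the same chain. The `-dev` packages (libssl-dev, libyaml-dev, libffi-dev, …) stay in the final image; if install.sh needs them only at build time, dropping them afterwards would cut image size and exposed surface — I can't confirm that from this hunk.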
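Review bot: The `org.label-schema.url` and `org.label-schema.vcs-url` values begin with a `/service/` prefix before `https://`, which is not a valid URL; unless that prefix is intentional, `org.label-schema.url="https://github.com/sameersbn/docker-gitlab"` and the matching `.git` form for vcs-url are what label consumers expect. The label-schema namespace is deprecated in favour of `org.opencontainers.image.*` (`created`, `source`, `revision`, `url`, `vendor`, `licenses`), so a new LABEL block would normally use those keys. `ARG BUILD_DATE` and `ARG VCS_REF` have no defaults, so a plain `docker build` without the Makefile bakes empty label values; `ARG BUILD_DATE=unknown` and `ARG VCS_REF=unknown` would make that case visible in `docker inspect`.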
diff --git a/Makefile b/Makefile index 23f7daa36..a97663fe8 100644 --- a/Makefile +++ b/Makefile @@ -11,10 +11,14 @@ help: @echo " 5. make purge - stop and remove the container" build: - @docker build --tag=sameersbn/gitlab . + @docker build --tag=sameersbn/gitlab . \ + --build-arg BUILD_DATE="$(shell date +"%Y-%m-%d %H:%M:%S%:z")" \ + --build-arg VCS_REF=$(shell git rev-parse --short HEAD) release: build - @docker build --tag=sameersbn/gitlab:$(shell cat VERSION) . + @docker build --tag=sameersbn/gitlab:$(shell cat VERSION) . \ + --build-arg BUILD_DATE="$(shell date +"%Y-%m-%d %H:%M:%S%:z")" \ + --build-arg VCS_REF=$(git describe --tags --always) quickstart: @echo "Starting postgresql container..." diff --git a/README.md b/README.md index 6a5332221..5ecf8e454 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ -[![Docker Repository on Quay.io](https://quay.io/repository/sameersbn/gitlab/status "Docker Repository on Quay.io")](https://quay.io/repository/sameersbn/gitlab) -[![](https://images.microbadger.com/badges/image/sameersbn/gitlab.svg)](http://microbadger.com/images/sameersbn/gitlab "Get your own image badge on microbadger.com") +# sameersbn/gitlab:18.5.1 -# sameersbn/gitlab:8.15.4 +[![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master) - [Introduction](#introduction) - [Changelog](Changelog.md) @@ -18,10 +17,7 @@ - [PostgreSQL (Recommended)](#postgresql) - [External PostgreSQL Server](#external-postgresql-server) - [Linking to PostgreSQL Container](#linking-to-postgresql-container) - - [MySQL](#mysql) - - [Internal MySQL Server](#internal-mysql-server) - - [External MySQL Server](#external-mysql-server) - - [Linking to MySQL Container](#linking-to-mysql-container) + - [Upgrading PostgreSQL](#upgrading-postgresql) - [Redis](#redis) - [Internal Redis Server](#internal-redis-server) - [External Redis Server](#external-redis-server) 
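Review bot: In the `release` target, `--build-arg VCS_REF=$(git describe --tags --always)` is a Make variable reference, not a shell call, so it expands to an empty string and the release image is labelled with an empty vcs-ref; the `build` target above it gets this right with `$(shell …)`, so the line should read `--build-arg VCS_REF=$(shell git describe --tags --always)`. The Dockerfile defaults `ARG VERSION` to a fixed value, and `release` tags the image from `VERSION` without passing `--build-arg VERSION=$(shell cat VERSION)`, so the image tag and the baked `GITLAB_VERSION` can silently diverge — worth passing explicitly if that file is meant to be the single source of truth.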
@@ -40,6 +36,7 @@ - [Deploy to a subdirectory (relative url root)](#deploy-to-a-subdirectory-relative-url-root) - [OmniAuth Integration](#omniauth-integration) - [CAS3](#cas3) + - [Authentiq](#authentiq) - [Google](#google) - [Twitter](#twitter) - [GitHub](#github) 
@@ -48,32 +45,41 @@ - [SAML](#saml) - [Crowd](#crowd) - [Microsoft Azure](#microsoft-azure) + - [Generic OAuth2](#generic-oauth2) + - [OpenID Connect](#openid-connect) + - [JWT](#jwt) + - [Gitlab Pages](#gitlab-pages) - [External Issue Trackers](#external-issue-trackers) - [Host UID / GID Mapping](#host-uid--gid-mapping) - [Piwik](#piwik) + - [Feature flags](#feature-flags) + - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md) - [Available Configuration Parameters](#available-configuration-parameters) - [Maintenance](#maintenance) - [Creating Backups](#creating-backups) - [Restoring Backups](#restoring-backups) - [Automated Backups](#automated-backups) - [Amazon Web Services (AWS) Remote Backups](#amazon-web-services-aws-remote-backups) + - [Google Cloud Storage (GCS) Remote Backups](#google-cloud-storage-gcs-remote-backups) - [Rake Tasks](#rake-tasks) - [Import Repositories](#import-repositories) - [Upgrading](#upgrading) - [Shell Access](#shell-access) -- [Features](#features) - - [Container Registry](docs/container_registry.md) +- [Monitoring](#monitoring) + - [Health Check](#health-check) +- [Container Registry](docs/container_registry.md) +- [Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry](docs/docker-swarm-traefik-registry.md) - [References](#references) -# Introduction +## Introduction -Dockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) opensource container platform. +Dockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) open source container platform. -GitLab CE is set up in the Docker image using the [install from source](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/install/installation.md) method as documented in the the official GitLab documentation. 
+GitLab CE is set up in the Docker image using the [install from source](https://docs.gitlab.com/ce/install/installation.html) method as documented in the official GitLab documentation. -For other methods to install GitLab please refer to the [Official GitLab Installation Guide](https://about.gitlab.com/installation/) which includes a [GitLab image for Docker](https://gitlab.com/gitlab-org/gitlab-ce/tree/master/docker). +For other methods to install GitLab please refer to the [Official GitLab Installation Guide](https://about.gitlab.com/install/) which includes a [GitLab image for Docker](https://docs.gitlab.com/omnibus/docker/). -# Contributing +## Contributing If you find this image useful here's how you can help: 
@@ -81,18 +87,18 @@ If you find this image useful here's how you can help: - Be a part of the community and help resolve [Issues](https://github.com/sameersbn/docker-gitlab/issues) - Support the development of this image with a [donation](http://www.damagehead.com/donate/) -# Team +## Team - Niclas Mietz ([solidnerd](https://github.com/solidnerd)) - Sameer Naik ([sameersbn](https://github.com/sameersbn)) See [Contributors](../../graphs/contributors) for the complete list developers that have contributed to this project. -# Issues +## Issues -Docker is a relatively new project and is active being developed and tested by a thriving community of developers and testers and every release of docker features many enhancements and bugfixes. +Docker is actively being developed and tested by a thriving community of developers and testers and every release of Docker features many enhancements and bugfixes. -Given the nature of the development and release cycle it is very important that you have the latest version of docker installed because any issue that you encounter might have already been fixed with a newer docker release. +Given the nature of the development and release cycle it is very important that you have the latest version of Docker installed because any issue that you encounter might have already been fixed with a newer Docker release. Install the most recent version of the Docker Engine for your platform using the [official Docker releases](http://docs.docker.com/engine/installation/), which can also be installed using: 
@@ -102,9 +108,9 @@ wget -qO- https://get.docker.com/ | sh Fedora and RHEL/CentOS users should try disabling selinux with `setenforce 0` and check if resolves the issue. If it does than there is not much that I can help you with. You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu. -You may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pin point any configuration issues. +You may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pinpoint any configuration issues. -If using the latest docker version and/or disabling selinux does not fix the issue then please file a issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page. +If using the latest docker version and/or disabling selinux does not fix the issue then please file an issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page. In your issue report please make sure you provide the following information: 
@@ -113,18 +119,16 @@ In your issue report please make sure you provide the following information: - Output of the `docker info` command - The `docker run` command you used to run the image (mask out the sensitive bits). -# Prerequisites +## Prerequisites Your docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab [hardware requirements](https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md#hardware-requirements) documentation for additional information. -# Installation +## Installation Automated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation. -> **Note**: Builds are also available on [Quay.io](https://quay.io/repository/sameersbn/gitlab) - ```bash -docker pull sameersbn/gitlab:8.15.4 +docker pull sameersbn/gitlab:18.5.1 ``` You can also pull the `latest` tag which is built from the repository *HEAD* @@ -139,7 +143,7 @@ Alternatively you can build the image locally. docker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab ``` -# Quick Start +## Quick Start The quickest way to get started is using [docker-compose](https://docs.docker.com/compose/). 
@@ -147,14 +151,23 @@ The quickest way to get started is using [docker-compose](https://docs.docker.co wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml ``` -Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, and `GITLAB_SECRETS_SECRET_KEY_BASE`. These values are used for the following: +Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: - `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA. - `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets. - `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset. +- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials. > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`. +Also generate random strings that are typically `32` characters long for each of: + +- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` +- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` +- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` + +These values are used for `ActiveRecord::Encryption` encrypted columns. Details can be found under [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html). + Start GitLab using: ```bash 
@@ -169,17 +182,17 @@ Step 1. Launch a postgresql container docker run --name gitlab-postgresql -d \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ - --env 'DB_EXTENSION=pg_trgm' \ + --env 'DB_EXTENSION=pg_trgm,btree_gist' \ --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \ - sameersbn/postgresql:9.6-1 + kkimurak/sameersbn-postgresql:16 ``` Step 2. Launch a redis container ```bash docker run --name gitlab-redis -d \ - --volume /srv/docker/gitlab/redis:/var/lib/redis \ - sameersbn/redis:latest + --volume /srv/docker/gitlab/redis:/data \ + redis:7 ``` Step 3. Launch the gitlab container @@ -192,13 +205,17 @@ docker run --name gitlab -d \ --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \ + --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \ + --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alpha-numeric-string"]' \ + --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \ + --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` *Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options* -__NOTE__: Please allow a couple of minutes for the GitLab application to start. +**NOTE**: Please allow a couple of minutes for the GitLab application to start. Point your browser to `http://localhost:10080` and set a password for the `root` user account. 
@@ -206,15 +223,15 @@ You should now have the GitLab application up and ready for testing. If you want *The rest of the document will use the docker command line. You can quite simply adapt your configuration into a `docker-compose.yml` file if you wish to do so.* -# Configuration +## Configuration -## Data Store +### Data Store GitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. To avoid losing any data, you should mount a volume at, -* `/home/git/data` +- `/home/git/data` -Note that if you are using the `docker-compose` approach, this has already been done for you. +*Note: that if you are using the `docker-compose` approach, you must "inspect" the volumes (```docker volume inspect```) to check the mounted path.* SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux. 
@@ -228,18 +245,50 @@ Volumes can be mounted in docker by specifying the `-v` option in the docker run ```bash docker run --name gitlab -d \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` -## Database +### Database + +GitLab uses a database backend to store its data. You can configure this image to use PostgreSQL. + +*Note:* GitLab requires PostgreSQL now. So use an older image < 12.1 or migrate to PostgresSQL + +#### PostgreSQL -GitLab uses a database backend to store its data. You can configure this image to use either MySQL or PostgreSQL. +**Important note:** This image is shipped with different versions of the `postgresql-client`. -*Note: GitLab HQ recommends using PostgreSQL over MySQL* +During the startup of the container, the major version of the database system is checked based on the specified connection destination. Only the version of the `postgresql-client`, that matches the major version of the Postgres database is used. If the major version of any version of the included clients does not match, the latest client is used (but may cause issues). All other versions of the `postgresql-client` are deleted at runtime. -### PostgreSQL +This behavior can be checked using the command `docker logs` and an output like the following should be available: -#### External PostgreSQL Server +````sh +… +Configuring gitlab::database +- Installing postgresql client to avoid version mismatch on dumping +-- Detected server version: 160009 +- Generating /home/git/.postgresqlrc +16 postgresql:5432 gitlabhq_production +- Uninstalling unused client(s): postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-17 +… +```` + +Please note furthermore, that only compatible versions of the `postgresql-client` to GitLab are shipped with this image. 
Currently, these belong to + +- `postgresql-client-13`, +- `postgresql-client-14`, +- `postgresql-client-15`, +- `postgresql-client-16`, +- and `postgresql-client-17`. + +***Notes:*** + +- GitLab CE version 13.7.0 and later requires PostgreSQL version 12.x. +- GitLab CE version 16.0.0 and later requires PostgreSQL version 13.x. +- GitLab CE version 17.0.0 and later requires PostgreSQL version 14.x. +- GitLab CE version 18.0.0 and later requires PostgreSQL version 16.x. + +##### External PostgreSQL Server The image also supports using an external PostgreSQL Server. This is also controlled via environment variables. 
@@ -249,33 +298,33 @@ CREATE DATABASE gitlabhq_production; GRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab; ``` -Additionally since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database. +Additionally, since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database. We are now ready to start the GitLab application. -*Assuming that the PostgreSQL server host is 192.168.1.100* +*Note:* The following applies assuming that the PostgreSQL server host is `192.168.1.100`. ```bash docker run --name gitlab -d \ - --env 'DB_ADAPTER=postgresql' --env 'DB_HOST=192.168.1.100' \ + --env 'DB_HOST=192.168.1.100' \ --env 'DB_NAME=gitlabhq_production' \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` -#### Linking to PostgreSQL Container +##### Linking to PostgreSQL Container You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to **postgresql** while linking with the gitlab image. -If a postgresql container is linked, only the `DB_ADAPTER`, `DB_HOST` and `DB_PORT` settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the `DB_NAME`, `DB_USER`, `DB_PASS` and so on. +If a postgresql container is linked, only the `DB_HOST` and `DB_PORT` settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the `DB_NAME`, `DB_USER`, `DB_PASS` and so on. To illustrate linking with a postgresql container, we will use the [sameersbn/postgresql](https://github.com/sameersbn/docker-postgresql) image. When using postgresql image in production you should mount a volume for the postgresql data store. 
Please refer the [README](https://github.com/sameersbn/docker-postgresql/blob/master/README.md) of docker-postgresql for details. -First, lets pull the postgresql image from the docker index. +First, let's pull the postgresql image from the docker index. ```bash -docker pull sameersbn/postgresql:9.6-1 +docker pull kkimurak/sameersbn-postgresql:16 ``` For data persistence lets create a store for the postgresql and start the container. @@ -295,7 +344,7 @@ docker run --name gitlab-postgresql -d \ --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ --env 'DB_EXTENSION=pg_trgm' \ --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \ - sameersbn/postgresql:9.6-1 + kkimurak/sameersbn-postgresql:16 ``` The above command will create a database named `gitlabhq_production` and also create a user named `gitlab` with the password `password` with access to the `gitlabhq_production` database. 
@@ -305,161 +354,75 @@ We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-postgresql:postgresql \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` Here the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. This is made possible using the magic of docker links and works with the following images: - - [postgresql](https://hub.docker.com/_/postgresql/) - - [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) - - [orchardup/postgresql](https://hub.docker.com/r/orchardup/postgresql/) - - [paintedfox/postgresql](https://hub.docker.com/r/paintedfox/postgresql/) - -### MySQL - -#### Internal MySQL Server - -The internal mysql server has been removed from the image. Please use a [linked mysql](#linking-to-mysql-container) container or specify a connection to a [external mysql](#external-mysql-server) server. - -If you have been using the internal mysql server follow these instructions to migrate to a linked mysql container: - -Assuming that your mysql data is available at `/srv/docker/gitlab/mysql` - -```bash -docker run --name gitlab-mysql -d \ - --volume /srv/docker/gitlab/mysql:/var/lib/mysql \ - sameersbn/mysql:latest -``` - -This will start a mysql container with your existing mysql data. Now login to the mysql container and create a user for the existing `gitlabhq_production` database. - -All you need to do now is link this mysql container to the gitlab ci container using the `--link gitlab-mysql:mysql` option and provide the `DB_NAME`, `DB_USER` and `DB_PASS` parameters. - -Refer to [Linking to MySQL Container](#linking-to-mysql-container) for more information. - -#### External MySQL Server - -The image can be configured to use an external MySQL database. 
The database configuration should be specified using environment variables while starting the GitLab image. - -Before you start the GitLab image create user and database for gitlab. - -```sql -CREATE USER 'gitlab'@'%.%.%.%' IDENTIFIED BY 'password'; -CREATE DATABASE IF NOT EXISTS `gitlabhq_production` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`; -GRANT ALL PRIVILEGES ON `gitlabhq_production`.* TO 'gitlab'@'%.%.%.%'; -``` - -We are now ready to start the GitLab application. - -*Assuming that the mysql server host is 192.168.1.100* - -```bash -docker run --name gitlab -d \ - --env 'DB_ADAPTER=mysql2' --env 'DB_HOST=192.168.1.100' \ - --env 'DB_NAME=gitlabhq_production' \ - --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ - --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 -``` - -#### Linking to MySQL Container - -You can link this image with a mysql container for the database requirements. The alias of the mysql server container should be set to **mysql** while linking with the gitlab image. - -If a mysql container is linked, only the `DB_ADAPTER`, `DB_HOST` and `DB_PORT` settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the `DB_NAME`, `DB_USER`, `DB_PASS` and so on. - -To illustrate linking with a mysql container, we will use the [sameersbn/mysql](https://github.com/sameersbn/docker-mysql) image. When using docker-mysql in production you should mount a volume for the mysql data store. Please refer the [README](https://github.com/sameersbn/docker-mysql/blob/master/README.md) of docker-mysql for details. - -First, lets pull the mysql image from the docker index. - -```bash -docker pull sameersbn/mysql:latest -``` - -For data persistence lets create a store for the mysql and start the container. - -SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux. 
- -```bash -mkdir -p /srv/docker/gitlab/mysql -sudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/mysql -``` - -The run command looks like this. +- [postgres](https://hub.docker.com/_/postgres/), +- [kkimurak/sameersbn-postgresql](https://hub.docker.com/r/kkimurak/sameersbn-postgresql), or +- [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) . -```bash -docker run --name gitlab-mysql -d \ - --env 'DB_NAME=gitlabhq_production' \ - --env 'DB_USER=gitlab' --env 'DB_PASS=password' \ - --volume /srv/docker/gitlab/mysql:/var/lib/mysql \ - sameersbn/mysql:latest -``` +##### Upgrading PostgreSQL -The above command will create a database named `gitlabhq_production` and also create a user named `gitlab` with the password `password` with full/remote access to the `gitlabhq_production` database. +When this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL. -We are now ready to start the GitLab application. +If you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL. -```bash -docker run --name gitlab -d --link gitlab-mysql:mysql \ - --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 -``` +If you are using PostgreSQL image other than [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) you will need make sure that the image you are using can handle migration itself, **or**, you will need to migrate the data yourself before starting newer version of PostgreSQL. -Here the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the mysql container as they are specified in the `docker run` command for the mysql container. 
This is made possible using the magic of docker links and works with the following images: +Following project provides Docker image that handles migration of PostgreSQL data: [tianon/postgres-upgrade](https://hub.docker.com/r/tianon/postgres-upgrade/) - - [mysql](https://hub.docker.com/_/mysql/) - - [sameersbn/mysql](https://quay.io/repository/sameersbn/mysql/) - - [centurylink/mysql](https://hub.docker.com/r/centurylink/mysql/) - - [orchardup/mysql](https://hub.docker.com/r/orchardup/mysql/) +After migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is `pg_hba.conf`, it will need to be copied from old version data folder into new version data folder. -## Redis +### Redis GitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables. -### Internal Redis Server +#### Internal Redis Server The internal redis server has been removed from the image. Please use a [linked redis](#linking-to-redis-container) container or specify a [external redis](#external-redis-server) connection. -### External Redis Server +#### External Redis Server The image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image. -*Assuming that the redis server host is 192.168.1.100* +*Note:* The following applies assuming that the redis server host is `192.168.1.100`. ```bash docker run --name gitlab -it --rm \ --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` -### Linking to Redis Container +#### Linking to Redis Container You can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to **redisio** while linking with the gitlab image. 
-To illustrate linking with a redis container, we will use the [sameersbn/redis](https://github.com/sameersbn/docker-redis) image. Please refer the [README](https://github.com/sameersbn/docker-redis/blob/master/README.md) of docker-redis for details. +To illustrate linking with a redis container, we will use the [redis](https://github.com/docker-library/redis) image. Please refer the [README](https://github.com/docker-library/docs/blob/master/redis/README.md) for details. -First, lets pull the redis image from the docker index. +First, let's pull the redis image from the docker index. ```bash -docker pull sameersbn/redis:latest +docker pull redis:7 ``` Lets start the redis container ```bash docker run --name gitlab-redis -d \ - --volume /srv/docker/gitlab/redis:/var/lib/redis \ - sameersbn/redis:latest + --volume /srv/docker/gitlab/redis:/data \ + redis:7 ``` We are now ready to start the GitLab application. ```bash docker run --name gitlab -d --link gitlab-redis:redisio \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` -### Mail +#### Mail The mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers. @@ -469,12 +432,12 @@ If you are using Gmail then all you need to do is: docker run --name gitlab -d \ --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified. -#### Reply by email +##### Reply by email Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. 
@@ -489,24 +452,25 @@ docker run --name gitlab -d \ --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \ --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` Please refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified. -### SSL +#### SSL -Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section. +Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section. Jump to the [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) section if you are using a load balancer such as hipache, haproxy or nginx. To secure your application via SSL you basically need two things: + - **Private key (.key)** - **SSL certificate (.crt)** When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip to [Strengthening the server security](#strengthening-the-server-security) section if you are armed with CA certified SSL certificates. 
-#### Generation of a Self Signed Certificate +##### Generation of a Self Signed Certificate Generation of a self-signed SSL certificate involves a simple 3-step procedure: @@ -530,7 +494,7 @@ openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt Congratulations! You now have a self-signed SSL certificate valid for 10 years. -#### Strengthening the server security +##### Strengthening the server security This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters. 
@@ -538,13 +502,19 @@ This section provides you with instructions to [strengthen your server security] openssl dhparam -out dhparam.pem 2048 ``` -#### Installation of the SSL Certificates +##### Installation of the SSL Certificates Out of the four files generated above, we need to install the `gitlab.key`, `gitlab.crt` and `dhparam.pem` files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). The default path that the gitlab application is configured to look for the SSL certificates is at `/home/git/data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. -If you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside `/srv/docker/gitlab/gitlab/` and copy the files into it and as a measure of security we'll update the permission on the `gitlab.key` file to only be readable by the owner. +If you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside the volume to where `/home/git/data` point and copy the files into it and as a measure of security we'll update the permission on the `gitlab.key` file to only be readable by the owner. + +In case use of docker-compose ... + +```$>docker volume inspect``` + +Look for "< user >_gitlab-data" and copy the "certs" directory into the "Mountpoint" ```bash mkdir -p /srv/docker/gitlab/gitlab/certs 
@@ -554,9 +524,9 @@ cp dhparam.pem /srv/docker/gitlab/gitlab/certs/ chmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key ``` -Great! we are now just one step away from having our application secured. +Great! We are now just one step away from having our application secured. -#### Enabling HTTPS support +##### Enabling HTTPS support HTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. Additionally, when using self-signed SSL certificates you need to the set `SSL_SELF_SIGNED` option to `true` as well. Assuming we are using self-signed certificates 
@@ -566,32 +536,32 @@ docker run --name gitlab -d \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer. -#### Configuring HSTS +##### Configuring HSTS HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value. -With `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable a already sent HSTS MAXAGE value, set it to `0`. +With `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable an already sent HSTS MAXAGE value, set it to `0`. ```bash docker run --name gitlab -d \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --env 'NGINX_HSTS_MAXAGE=2592000' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` If you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`. -#### Using HTTPS with a load balancer +##### Using HTTPS with a load balancer Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer. -However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. 
Additionally you will need to set the `SSL_SELF_SIGNED` option to `true` if self signed SSL certificates are in use. +However, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally, you will need to set the `SSL_SELF_SIGNED` option to `true` if self-signed SSL certificates are in use. With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject. @@ -605,7 +575,7 @@ docker run --name gitlab -d \ --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \ --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` Again, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates. @@ -614,9 +584,9 @@ In case GitLab responds to any kind of POST request (login, OAUTH, changing sett `proxy_set_header X-Forwarded-Ssl on;` (nginx format) -#### Establishing trust with your server +##### Establishing trust with your server -This section deals will self-signed ssl certificates. If you are using CA certified certificates, your done. +This section deals will self-signed ssl certificates. If you are using CA certified certificates, you're done. This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they. 
@@ -625,15 +595,15 @@ This is simply done by adding the servers certificate into their list of trusted Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the `gitlab.crt` file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this: ```bash -git clone https://git.local.host/gitlab-ce.git -fatal: unable to access 'https://git.local.host/gitlab-ce.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none +git clone https://git.local.host/gitlab-foss.git +fatal: unable to access 'https://git.local.host/gitlab-foss.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none ``` You can do the same at the web browser. Instructions for installing the root certificate for firefox can be found [here](http://portal.threatpulse.com/docs/sol/Content/03Solutions/ManagePolicy/SSL/ssl_firefox_cert_ta.htm). You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog. There you have it, that's all there is to it. -#### Installing Trusted SSL Server Certificates +##### Installing Trusted SSL Server Certificates If your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other. 
@@ -641,11 +611,11 @@ The default path image is configured to look for the trusted SSL certificates is Copy the `ca.crt` file into the certs directory on the [datastore](#data-store). The `ca.crt` file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in the [README](https://github.com/sameersbn/docker-gitlab-ci/blob/master/README.md#ssl) of the [docker-gitlab-ci](https://github.com/sameersbn/docker-gitlab-ci) container. -By default, our own server certificate [gitlab.crt](#generation-of-self-signed-certificate) is added to the trusted certificates list. +By default, our own server certificate [gitlab.crt](#generation-of-a-self-signed-certificate) is added to the trusted certificates list. -### Deploy to a subdirectory (relative url root) +#### Deploy to a subdirectory (relative url root) -By default GitLab expects that your application is running at the root (eg. /). This section explains how to run your application inside a directory. +By default, GitLab expects that your application is running at the root (e.g.. /). This section explains how to run your application inside a directory. Let's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using the `GITLAB_RELATIVE_URL_ROOT` configuration option like so: 
@@ -653,26 +623,36 @@ Let's assume we want to deploy our application to '/git'. GitLab needs to know t docker run --name gitlab -it --rm \ --env 'GITLAB_RELATIVE_URL_ROOT=/git' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` GitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`. **Note**: *The `GITLAB_RELATIVE_URL_ROOT` parameter should always begin with a slash and* **SHOULD NOT** *have any trailing slashes.* -### OmniAuth Integration +#### OmniAuth Integration GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms. Refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information. -#### CAS3 +##### CAS3 -To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout. +To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: `https://git.example.com:443/users/auth/cas3/callback?url`. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout. For example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters. 
-#### Google
+##### Authentiq
+
+To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with [Authentiq](https://www.authentiq.com/). Please refer to the GitLab [documentation](https://docs.gitlab.com/ce/administration/auth/authentiq.html) for the procedure to generate the client ID and secret key with Authentiq.
+
+Once you have the API client id and client secret generated, configure them using the `OAUTH_AUTHENTIQ_CLIENT_ID` and `OAUTH_AUTHENTIQ_CLIENT_SECRET` environment variables respectively.
+
+For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy'` to the docker run command enables support for Authentiq OAuth.
+
+You may want to specify `OAUTH_AUTHENTIQ_REDIRECT_URI` as well. The OAuth scope can be altered as well with `OAUTH_AUTHENTIQ_SCOPE` (defaults to `'aq:name email~rs address aq:push'`).
+
+##### Google
 To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google.
@@ -682,23 +662,23 @@ For example, if your client ID is `xxx.apps.googleusercontent.com` and client se You can also restrict logins to a single domain by adding `--env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'"`. -#### Facebook +##### Facebook -To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate a API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret. +To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret. Once you have the API key and secret generated, configure them using the `OAUTH_FACEBOOK_API_KEY` and `OAUTH_FACEBOOK_APP_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy'` to the docker run command enables support for Facebook OAuth. -#### Twitter +##### Twitter -To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate a API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter. +To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter. 
Once you have the API key and secret generated, configure them using the `OAUTH_TWITTER_API_KEY` and `OAUTH_TWITTER_APP_SECRET` environment variables respectively. For example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy'` to the docker run command enables support for Twitter OAuth. -#### GitHub +##### GitHub To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/github.html) for the procedure to generate the Client ID and secret with github. @@ -708,7 +688,7 @@ For example, if your Client ID is `xxx` and the Client secret is `yyy`, then add Users of GitHub Enterprise may want to specify `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` as well. -#### GitLab +##### GitLab To enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/gitlab.html) for the procedure to generate the Client ID and secret with GitLab. @@ -716,7 +696,7 @@ Once you have the Client ID and secret generated, configure them using the `OAUT For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy'` to the docker run command enables support for GitLab OAuth. -#### BitBucket +##### BitBucket To enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/bitbucket.html) for the procedure to generate the Client ID and secret with BitBucket. 
@@ -724,7 +704,7 @@ Once you have the Client ID and secret generated, configure them using the `OAUT For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy'` to the docker run command enables support for BitBucket OAuth. -#### SAML +##### SAML GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html). @@ -734,19 +714,19 @@ You can also override the default "Sign in with" button label with `OAUTH_SAML_L Please refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters. -#### Crowd +##### Crowd To enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server. Configure GitLab to enable access the Crowd server by specifying the `OAUTH_CROWD_SERVER_URL`, `OAUTH_CROWD_APP_NAME` and `OAUTH_CROWD_APP_PASSWORD` environment variables. -#### Auth0 +##### Auth0 To enable the Auth0 OmniAuth provider you must register your application with [auth0](https://auth0.com/). Configure the following environment variables `OAUTH_AUTH0_CLIENT_ID`, `OAUTH_AUTH0_CLIENT_SECRET` and `OAUTH_AUTH0_DOMAIN` to complete the integration. -#### Microsoft Azure +##### Microsoft Azure To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/azure.html) for the procedure. 
@@ -754,7 +734,106 @@ Once you have the Client ID, Client secret and Tenant ID generated, configure th
 For example, if your Client ID is `xxx`, the Client secret is `yyy` and the Tenant ID is `zzz`, then adding `--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'` to the docker run command enables support for Microsoft Azure OAuth.
-### External Issue Trackers
+Also you can configure v2 endpoint (`azure_activedirectory_v2`) by using `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` environment variables. Optionally you can change label of login button using the `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`.
+
+##### Generic OAuth2
+
+To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.
+
+As an example this code has been tested with Keycloak, with the following variables: `OAUTH2_GENERIC_APP_ID`, `OAUTH2_GENERIC_APP_SECRET`, `OAUTH2_GENERIC_CLIENT_SITE`, `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`, `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`, `OAUTH2_GENERIC_CLIENT_TOKEN_URL`, `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`, `OAUTH2_GENERIC_ID_PATH`, `OAUTH2_GENERIC_USER_UID`, `OAUTH2_GENERIC_USER_NAME`, `OAUTH2_GENERIC_USER_EMAIL`, `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`, `OAUTH2_GENERIC_LABEL` and `OAUTH2_GENERIC_NAME`.
+
+See [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details.
+
+##### OpenID Connect
+
+To enable OpenID Connect provider, you must register your application with your provider.
You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.
+
+To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.
+
+| GitLab setting | environment variable | default value |
+|--------------------------------|-------------------------------------|--------------------------------|
+| `label` | `OAUTH_OIDC_LABEL` | `OpenID Connect` |
+| `icon` | `OAUTH_OIDC_ICON` | |
+| `scope` | `OAUTH_OIDC_SCOPE` | `['openid','profile','email']` |
+| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | `code` |
+| `issuer` | `OAUTH_OIDC_ISSUER` | |
+| `discovery` | `OAUTH_OIDC_DISCOVERY` | `true` |
+| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | `basic` |
+| `uid_field` | `OAUTH_OIDC_UID_FIELD` | `sub` |
+| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false` |
+| `pkce` | `OAUTH_OIDC_PKCE` | `true` |
+| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | |
+| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | `secret` |
+| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` |
+
+See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).
+
+##### JWT
+
+To enable the JWT OmniAuth provider, you must register your application with JWT. JWT provides you with a secret key for you to use.
+
+To use JWT set at least `OAUTH_JWT_SECRET` and `OAUTH_JWT_AUTH_URL`.
+
+| GitLab setting | environment variable | default value |
+| ------------------------------ | ----------------------------------- | -------------------------------|
+| `label` | `OAUTH_JWT_LABEL` | `Jwt` |
+| `secret` | `OAUTH_JWT_SECRET` | |
+| `algorithm` | `OAUTH_JWT_ALGORITHM` | `HS256` |
+| `uid_claim` | `OAUTH_JWT_UID_CLAIM` | `email` |
+| `required_claims` | `OAUTH_JWT_REQUIRED_CLAIMS` | `["name", "email"]` |
+| `info_map.name` | `OAUTH_JWT_INFO_MAP_NAME` | `name` |
+| `info_map.email` | `OAUTH_JWT_INFO_MAP_EMAIL` | `email` |
+| `auth_url` | `OAUTH_JWT_AUTH_URL` | |
+| `valid_within` | `OAUTH_JWT_VALID_WITHIN` | `3600` |
+
+
+See [OmniAuth JWT documentation](https://docs.gitlab.com/administration/auth/jwt/).
+
+#### Gitlab Pages
+
+Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the environment variable `GITLAB_PAGES_ENABLED` to `true`.
+
+#### Gitlab Pages Access Control
+
+Since version `11.5.0` Gitlab pages supports access control. This allows only access to a published website if you are a project member, or have access to a certain project.
+
+Gitlab pages access control requires additional configuration before activating it through the variable `GITLAB_PAGES_ACCESS_CONTROL`.
+
+GitLab pages access control makes use of the Gitlab OAuth Module.
+
+- Goto the Gitlab Admin area
+- Select `Applications` in the menu
+- Create `New Application`
+ - Name: `Gitlab Pages`
+ - Scopes:
+ - api
+ - Trusted: NO (Do not select)
+ - Redirect URI: `https://projects./auth`
+
+Note about the `Redirect URI`; this can be tricky to configure or figure out, What needs to be achieved is the following, the redirect URI needs to end up at the `gitlab-pages` daemon with the `/auth` endpoint.
+
+This means that if you run your gitlab pages at domain `pages.example.io` this will be a wildcard domain where your projects are created based on their namespace.
The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI.
+
+In the example above; the pages domain `projects` has been chosen. This will cause the nginx, either the built in or your own load balancer to redirect `*.` to the `gitlab-pages` daemon. Which will trigger the pages endpoint.
+
+Make sure to choose own which does not exist and make sure that the request is routed to the `gitlab-pages` daemon if you are using your own HTTP load balancer in front of Gitlab.
+
+After creating the OAuth application endpoint for the Gitlab Pages Daemon. Gitlab pages access control can now be enabled.
+
+Add to following environment variables to your Gitlab Container.
+
+| Variable | R/O | Description |
+|----------|-----|-------------|
+| GITLAB_PAGES_ACCESS_CONTROL | Required | Set to `true` to enable access control. |
+| GITLAB_PAGES_ACCESS_SECRET | Optional | Secret Hash, minimal 32 characters, if omitted, it will be auto generated. |
+| GITLAB_PAGES_ACCESS_CONTROL_SERVER | Required | Gitlab instance URI, example: `https://gitlab.example.io` |
+| GITLAB_PAGES_ACCESS_CLIENT_ID | Required | Client ID from earlier generated OAuth application |
+| GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from earlier generated OAuth application |
+| GITLAB_PAGES_ACCESS_REDIRECT_URI | Required | Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io` |
+
+After you have enabled the gitlab pages access control. When you go to a project `General Settings` -> `Permissions` you can choose the pages permission level for the project.
+
+#### External Issue Trackers
 Since version `7.10.0` support for external issue trackers can be enabled in the "Service Templates" section of the settings panel.
@@ -762,7 +841,7 @@ If you are using the [docker-redmine](https://github.com/sameersbn/docker-redmin By using the above option the `/home/git/data/repositories` directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project named `opensource/gitlab`, the bare repository will be accessible at `/home/git/data/repositories/opensource/gitlab.git` in the redmine container. -### Host UID / GID Mapping +#### Host UID / GID Mapping Per default the container is configured to run gitlab as user and group `git` with `uid` and `gid` `1000`. The host possibly uses this ids for different purposes leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000`. @@ -771,17 +850,17 @@ Also the container processes seem to be executed as the host's user/group `1000` ```bash docker run --name gitlab -it --rm [options] \ --env "USERMAP_UID=$(id -u git)" --env "USERMAP_GID=$(id -g git)" \ - sameersbn/gitlab:8.15.4 + sameersbn/gitlab:18.5.1 ``` When changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command: ```bash docker run --name gitlab -d [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:sanitize + sameersbn/gitlab:18.5.1 app:sanitize ``` -### Piwik +#### Piwik If you want to monitor your gitlab instance with [Piwik](http://piwik.org/), there are two options to setup: `PIWIK_URL` and `PIWIK_SITE_ID`. These options should contain something like: 
@@ -789,429 +868,2017 @@ These options should contain something like:
 - `PIWIK_URL=piwik.example.org`
 - `PIWIK_SITE_ID=42`
-### Available Configuration Parameters
+#### Feature flags
+
+In this section, we talk about feature flags that administrators can change the state (See ). If you are looking for documentation for "Feature flags" that configured on project deploy settings, see
+
+GitLab adopted feature flags strategies to deploy features in an early stage of development so that they can be incrementally rolled out. GitLab administrators with access to the [Rails console](https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags) or the [Feature flags API](https://docs.gitlab.com/ee/api/features.html) can control them (note that `sameersbn/gitlab` is a container image that provides GitLab installations from the source).
+You can see all feature flags in GitLab at corresponding version of documentation:
+
+For `sameersbn/gitlab`, you can control them via environment parameter [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets) and [`GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`](#gitlab_feature_flags_enable_targets) in addition to the above methods.
+This image searches yml files in [`${GITLAB_INSTALL_DIR}/config/feature_flags`](https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master/config/feature_flags) (typically `/home/git/gitlab/config/feature_flags/`) recursively and use the file list as a source of active feature flags.
+
+Here is a part of example `docker-compose.yml`:
+
+````yml
+services:
+ gitlab:
+ image: sameersbn/gitlab:latest
+ environment:
+ - GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=auto_devops_banner_disabled,ci_enable_live_trace
+ - GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=git_push_create_all_pipelines,build_service_proxy
+````
+
+Once the container up, you can see following messages in container log like below.
+
+````sh
+...
+Configuring gitlab::feature_flags...
+- specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled", "ci_enable_live_trace"], :to_be_enabled=>["git_push_create_all_pipelines", "build_service_proxy"]}
+- auto_devops_banner_disabled : off
+- ci_enable_live_trace : off
+- git_push_create_all_pipelines : on
+- build_service_proxy : on
+...
+````
+
+If specified flag names are not included in the list, they will be ignored and appears to container log like below:
-*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose.*
+````sh
+...
+Configuring gitlab::feature_flags...
+- specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled", "invalid_flag_name"], :to_be_enabled=>["git_push_create_all_pipelines", "another_invalid_flag_name"]}
+- Following flags are probably invalid and have been ignored: invalid_flag_name,another_invalid_flag_name
+- auto_devops_banner_disabled : off
+- git_push_create_all_pipelines : on
+...
+````
+
+#### Available Configuration Parameters
+
+*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)*
 Below is the complete list of available options that can be used to customize your gitlab installation.
-| Parameter | Description |
-|-----------|-------------|
-| `DEBUG` | Set this to `true` to enable entrypoint debugging. |
-| `GITLAB_HOST` | The hostname of the GitLab server.
Defaults to `localhost` |
-| `GITLAB_CI_HOST` | If you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults. |
-| `GITLAB_PORT` | The port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`. |
-| `GITLAB_SECRETS_DB_KEY_BASE` | Encryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults. |
-| `GITLAB_SECRETS_SECRET_KEY_BASE` | Encryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults. |
-| `GITLAB_SECRETS_OTP_KEY_BASE` | Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults. |
-| `GITLAB_TIMEZONE` | Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). |
-| `GITLAB_ROOT_PASSWORD` | The password for the root user on firstrun. Defaults to `5iveL!fe`.
|
-| `GITLAB_ROOT_EMAIL` | The email for the root user on firstrun. Defaults to `admin@example.com` |
-| `GITLAB_EMAIL` | The email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`. |
-| `GITLAB_EMAIL_DISPLAY_NAME` | The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`. |
-| `GITLAB_EMAIL_REPLY_TO` | The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`. |
-| `GITLAB_EMAIL_SUBJECT_SUFFIX` | The e-mail subject suffix used in e-mails sent by GitLab. No defaults. |
-| `GITLAB_EMAIL_ENABLED` | Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration. |
-| `GITLAB_INCOMING_EMAIL_ADDRESS` | The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter. |
-| `GITLAB_INCOMING_EMAIL_ENABLED` | Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`. |
-| `GITLAB_SIGNUP_ENABLED` | Enable or disable user signups (first run only). Default is `true`. |
-| `GITLAB_PROJECTS_LIMIT` | Set default projects limit. Defaults to `100`. |
-| `GITLAB_USERNAME_CHANGE` | Enable or disable ability for users to change their username. Defaults to `true`. |
-| `GITLAB_CREATE_GROUP` | Enable or disable ability for users to create groups. Defaults to `true`. |
-| `GITLAB_PROJECTS_ISSUES` | Set if *issues* feature should be enabled by default for new projects. Defaults to `true`. |
-| `GITLAB_PROJECTS_MERGE_REQUESTS` | Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`. |
-| `GITLAB_PROJECTS_WIKI` | Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`.
|
-| `GITLAB_PROJECTS_SNIPPETS` | Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`. |
-| `GITLAB_PROJECTS_BUILDS` | Set if *builds* feature should be enabled by default for new projects. Defaults to `true`. |
-| `GITLAB_PROJECTS_CONTAINER_REGISTRY` | Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`. |
-| `GITLAB_WEBHOOK_TIMEOUT` | Sets the timeout for webhooks. Defaults to `10` seconds. |
-| `GITLAB_TIMEOUT` | Sets the timeout for git commands. Defaults to `10` seconds. |
-| `GITLAB_MAX_OBJECT_SIZE` | Maximum size (in bytes) of a git object (eg. a commit) in bytes. Defaults to `20971520`, i.e. `20` megabytes. |
-| `GITLAB_NOTIFY_ON_BROKEN_BUILDS` | Enable or disable broken build notification emails. Defaults to `true` |
-| `GITLAB_NOTIFY_PUSHER` | Add pusher to recipients list of broken build notification emails. Defaults to `false` |
-| `GITLAB_REPOS_DIR` | The git repositories folder in the container. Defaults to `/home/git/data/repositories` |
-| `GITLAB_BACKUP_DIR` | The backup folder in the container. Defaults to `/home/git/data/backups` |
-| `GITLAB_BUILDS_DIR` | The build traces directory. Defaults to `/home/git/data/builds` |
-| `GITLAB_DOWNLOADS_DIR` | The repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`. |
-| `GITLAB_SHARED_DIR` | The directory to store the build artifacts. Defaults to `/home/git/data/shared` |
-| `GITLAB_ARTIFACTS_ENABLED` | Enable/Disable GitLab artifacts support. Defaults to `true`. |
-| `GITLAB_ARTIFACTS_DIR` | Directory to store the artifacts. Defaults to `$GITLAB_SHARED_DIR/artifacts` |
-| `GITLAB_LFS_ENABLED` | Enable/Disable Git LFS support. Defaults to `true`. |
-| `GITLAB_LFS_OBJECTS_DIR` | Directory to store the lfs-objects.
Defaults to `$GITLAB_SHARED_DIR/lfs-objects` |
-| `GITLAB_MATTERMOST_ENABLED` | Enable/Disable GitLab Mattermost for *Add Mattermost button*. Defaults to `false`. |
-| `GITLAB_MATTERMOST_URL` | Sets Mattermost URL. Defaults to `https://mattermost.example.com`. |
-| `GITLAB_BACKUP_SCHEDULE` | Setup cron job to automatic backups. Possible values `disable`, `daily`, `weekly` or `monthly`. Disabled by default |
-| `GITLAB_BACKUP_EXPIRY` | Configure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds). |
-| `GITLAB_BACKUP_PG_SCHEMA` | Specify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524 |
-| `GITLAB_BACKUP_ARCHIVE_PERMISSIONS` | Sets the permissions of the backup archives. Defaults to `0600`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions) |
-| `GITLAB_BACKUP_TIME` | Set a time for the automatic backups in `HH:MM` format. Defaults to `04:00`. |
-| `GITLAB_BACKUP_SKIP` | Specified sections are skipped by the backups. Defaults to empty, i.e. `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system) |
-| `GITLAB_SSH_HOST` | The ssh host. Defaults to **GITLAB_HOST**. |
-| `GITLAB_SSH_PORT` | The ssh port number. Defaults to `22`. |
-| `GITLAB_RELATIVE_URL_ROOT` | The relative url of the GitLab server, e.g. `/git`. No default. |
-| `GITLAB_TRUSTED_PROXIES` | Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults. |
-| `GITLAB_REGISTRY_ENABLED` | Enables the GitLab Container Registry. Defaults to `false`. |
-| `GITLAB_REGISTRY_HOST` | Sets the GitLab Registry Host. Defaults to `registry.example.com` |
-| `GITLAB_REGISTRY_PORT` | Sets the GitLab Registry Port.
Defaults to `443`. |
-| `GITLAB_REGISTRY_API_URL` | Sets the GitLab Registry API URL. Defaults to `http://localhost:5000` |
-| `GITLAB_REGISTRY_KEY_PATH` | Sets the GitLab Registry Key Path. Defaults to `config/registry.key` |
-| `GITLAB_REGISTRY_DIR` | Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry` |
-| `GITLAB_REGISTRY_ISSUER` | Sets the GitLab Registry Issuer. Defaults to `gitlab-issuer`. |
-| `GITLAB_HTTPS` | Set to `true` to enable https support, disabled by default. |
-| `SSL_SELF_SIGNED` | Set to `true` when using self signed ssl certificates. `false` by default. |
-| `SSL_CERTIFICATE_PATH` | Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt` |
-| `SSL_KEY_PATH` | Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key` |
-| `SSL_DHPARAM_PATH` | Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem` |
-| `SSL_VERIFY_CLIENT` | Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file. Defaults to `false` |
-| `SSL_CA_CERTIFICATES_PATH` | List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`. |
-| `SSL_REGISTRY_KEY_PATH` | Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key` |
-| `SSL_REGISTRY_CERT_PATH` | Location of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt` |
-| `SSL_CIPHERS` | List of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4` |
-| `NGINX_WORKERS` | The number of nginx workers to start. Defaults to `1`.
|
-| `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE` | Sets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`. |
-| `NGINX_HSTS_ENABLED` | Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario. |
-| `NGINX_HSTS_MAXAGE` | Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. |
-| `NGINX_PROXY_BUFFERING` | Enable `proxy_buffering`. Defaults to `off`. |
-| `NGINX_ACCEL_BUFFERING` | Enable `X-Accel-Buffering` header. Default to `no` |
-| `NGINX_X_FORWARDED_PROTO` | Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. |
-| `REDIS_HOST` | The hostname of the redis server. Defaults to `localhost` |
-| `REDIS_PORT` | The connection port of the redis server. Defaults to `6379`. |
-| `REDIS_DB_NUMBER` | The redis database number. Defaults to '0'. |
-| `UNICORN_WORKERS` | The number of unicorn workers to start. Defaults to `3`. |
-| `UNICORN_TIMEOUT` | Sets the timeout of unicorn worker processes. Defaults to `60` seconds. |
-| `SIDEKIQ_CONCURRENCY` | The number of concurrent sidekiq jobs to run. Defaults to `25` |
-| `SIDEKIQ_SHUTDOWN_TIMEOUT` | Timeout for sidekiq shutdown. Defaults to `4` |
-| `SIDEKIQ_MEMORY_KILLER_MAX_RSS` | Non-zero value enables the SidekiqMemoryKiller. Defaults to `1000000`.
For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html) |
-| `DB_ADAPTER` | The database type. Possible values: `mysql2`, `postgresql`. Defaults to `postgresql`. |
-| `DB_ENCODING` | The database encoding. For `DB_ADAPTER` values `postresql` and `mysql2`, this parameter defaults to `unicode` and `utf8` respectively. |
-| `DB_HOST` | The database server hostname. Defaults to `localhost`. |
-| `DB_PORT` | The database server port. Defaults to `3306` for mysql and `5432` for postgresql. |
-| `DB_NAME` | The database database name. Defaults to `gitlabhq_production` |
-| `DB_USER` | The database database user. Defaults to `root` |
-| `DB_PASS` | The database database password. Defaults to no password |
-| `DB_POOL` | The database database connection pool count. Defaults to `10`. |
-| `SMTP_ENABLED` | Enable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`. |
-| `SMTP_DOMAIN` | SMTP domain. Defaults to` www.gmail.com` |
-| `SMTP_HOST` | SMTP server host. Defaults to `smtp.gmail.com`. |
-| `SMTP_PORT` | SMTP server port. Defaults to `587`. |
-| `SMTP_USER` | SMTP username. |
-| `SMTP_PASS` | SMTP password. |
-| `SMTP_STARTTLS` | Enable STARTTLS. Defaults to `true`. |
-| `SMTP_TLS` | Enable SSL/TLS. Defaults to `false`. |
-| `SMTP_OPENSSL_VERIFY_MODE` | SMTP openssl verification mode. Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`. |
-| `SMTP_AUTHENTICATION` | Specify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set. |
-| `SMTP_CA_ENABLED` | Enable custom CA certificates for SMTP email configuration. Defaults to `false`. |
-| `SMTP_CA_PATH` | Specify the `ca_path` parameter for SMTP email configuration. Defaults to `/home/git/data/certs`. |
-| `SMTP_CA_FILE` | Specify the `ca_file` parameter for SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`.
|
-| `IMAP_ENABLED` | Enable mail delivery via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`. |
-| `IMAP_HOST` | IMAP server host. Defaults to `imap.gmail.com`. |
-| `IMAP_PORT` | IMAP server port. Defaults to `993`. |
-| `IMAP_USER` | IMAP username. |
-| `IMAP_PASS` | IMAP password. |
-| `IMAP_SSL` | Enable SSL. Defaults to `true`. |
-| `IMAP_STARTTLS` | Enable STARTSSL. Defaults to `false`. |
-| `IMAP_MAILBOX` | The name of the mailbox where incoming mail will end up. Defaults to `inbox`. |
-| `LDAP_ENABLED` | Enable LDAP. Defaults to `false` |
-| `LDAP_LABEL` | Label to show on login tab for LDAP server. Defaults to 'LDAP' |
-| `LDAP_HOST` | LDAP Host |
-| `LDAP_PORT` | LDAP Port. Defaults to `389` |
-| `LDAP_UID` | LDAP UID. Defaults to `sAMAccountName` |
-| `LDAP_METHOD` | LDAP method, Possible values are `ssl`, `tls` and `plain`. Defaults to `plain` |
-| `LDAP_BIND_DN` | No default. |
-| `LDAP_PASS` | LDAP password |
-| `LDAP_TIMEOUT` | Timeout, in seconds, for LDAP queries. Defaults to `10`. |
-| `LDAP_ACTIVE_DIRECTORY` | Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. Defaults to `true`, |
-| `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN` | If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`. |
-| `LDAP_BLOCK_AUTO_CREATED_USERS` | Locks down those users until they have been cleared by the admin. Defaults to `false`. |
-| `LDAP_BASE` | Base where we can search for users. No default. |
-| `LDAP_USER_FILTER` | Filter LDAP users. No default. |
-| `OAUTH_ENABLED` | Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. |
-| `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` | Automatically sign in with a specific OAuth provider without showing GitLab sign-in page.
Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
-| `OAUTH_ALLOW_SSO` | Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
-| `OAUTH_BLOCK_AUTO_CREATED_USERS` | Locks down those users until they have been cleared by the admin. Defaults to `true`. |
-| `OAUTH_AUTO_LINK_LDAP_USER` | Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. |
-| `OAUTH_AUTO_LINK_SAML_USER` | Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. |
-| `OAUTH_EXTERNAL_PROVIDERS` | Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
-| `OAUTH_CAS3_LABEL` | The "Sign in with" button label. Defaults to "cas3". |
-| `OAUTH_CAS3_SERVER` | CAS3 server URL. No defaults. |
-| `OAUTH_CAS3_DISABLE_SSL_VERIFICATION` | Disable CAS3 SSL verification. Defaults to `false`. |
-| `OAUTH_CAS3_LOGIN_URL` | CAS3 login URL. Defaults to `/cas/login` |
-| `OAUTH_CAS3_VALIDATE_URL` | CAS3 validation URL. Defaults to `/cas/p3/serviceValidate` |
-| `OAUTH_CAS3_LOGOUT_URL` | CAS3 logout URL. Defaults to `/cas/logout` |
-| `OAUTH_GOOGLE_API_KEY` | Google App Client ID. No defaults.
|
-| `OAUTH_GOOGLE_APP_SECRET` | Google App Client Secret. No defaults. |
-| `OAUTH_GOOGLE_RESTRICT_DOMAIN` | List of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults. |
-| `OAUTH_FACEBOOK_API_KEY` | Facebook App API key. No defaults. |
-| `OAUTH_FACEBOOK_APP_SECRET` | Facebook App API secret. No defaults. |
-| `OAUTH_TWITTER_API_KEY` | Twitter App API key. No defaults. |
-| `OAUTH_TWITTER_APP_SECRET` | Twitter App API secret. No defaults. |
-| `OAUTH_AUTHENTIQ_CLIENT_ID` | authentiq Client ID. No defaults. |
-| `OAUTH_AUTHENTIQ_CLIENT_SECRET` | authentiq Client secret. No defaults. |
-| `OAUTH_AUTHENTIQ_SCOPE` | Scope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'`|
-| `OAUTH_AUTHENTIQ_REDIRECT_URI` | Callback URL for Authentiq. No defaults. |
-| `OAUTH_GITHUB_API_KEY` | GitHub App Client ID. No defaults. |
-| `OAUTH_GITHUB_APP_SECRET` | GitHub App Client secret. No defaults. |
-| `OAUTH_GITHUB_URL` | Url to the GitHub Enterprise server. Defaults to https://github.com |
-| `OAUTH_GITHUB_VERIFY_SSL` | Enable SSL verification while communicating with the GitHub server. Defaults to `true`. |
-| `OAUTH_GITLAB_API_KEY` | GitLab App Client ID. No defaults. |
-| `OAUTH_GITLAB_APP_SECRET` | GitLab App Client secret. No defaults. |
-| `OAUTH_BITBUCKET_API_KEY` | BitBucket App Client ID. No defaults. |
-| `OAUTH_BITBUCKET_APP_SECRET` | BitBucket App Client secret. No defaults. |
-| `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL` | The URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`. |
-| `OAUTH_SAML_IDP_CERT_FINGERPRINT` | The SHA1 fingerprint of the certificate. No Defaults. |
-| `OAUTH_SAML_IDP_SSO_TARGET_URL` | The URL to which the authentication request should be sent. No defaults.
|
-| `OAUTH_SAML_ISSUER` | The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`. |
-| `OAUTH_SAML_LABEL` | The "Sign in with" button label. Defaults to "Our SAML Provider". |
-| `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` | Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` |
-| `OAUTH_SAML_GROUPS_ATTRIBUTE` | Map groups attribute in a SAMLResponse to external groups. No defaults. |
-| `OAUTH_SAML_EXTERNAL_GROUPS` | List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL` | Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME` | Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME` | Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME` | Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. |
-| `OAUTH_CROWD_SERVER_URL` | Crowd server url. No defaults. |
-| `OAUTH_CROWD_APP_NAME` | Crowd server application name. No defaults. |
-| `OAUTH_CROWD_APP_PASSWORD` | Crowd server application password. No defaults.
|
-| `OAUTH_AUTH0_CLIENT_ID` | Auth0 Client ID. No defaults. |
-| `OAUTH_AUTH0_CLIENT_SECRET` | Auth0 Client secret. No defaults. |
-| `OAUTH_AUTH0_DOMAIN` | Auth0 Domain. No defaults. |
-| `OAUTH_AZURE_API_KEY` | Azure Client ID. No defaults. |
-| `OAUTH_AZURE_API_SECRET` | Azure Client secret. No defaults. |
-| `OAUTH_AZURE_TENANT_ID` | Azure Tenant ID. No defaults. |
-| `GITLAB_GRAVATAR_ENABLED` | Enables gravatar integration. Defaults to `true`. |
-| `GITLAB_GRAVATAR_HTTP_URL` | Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html). |
-| `GITLAB_GRAVATAR_HTTPS_URL` | Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. |
-| `USERMAP_UID` | Sets the uid for user `git` to the specified uid. Defaults to `1000`. |
-| `USERMAP_GID` | Sets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`. |
-| `GOOGLE_ANALYTICS_ID` | Google Analytics ID. No defaults. |
-| `PIWIK_URL` | Sets the Piwik URL. No defaults. |
-| `PIWIK_SITE_ID` | Sets the Piwik site ID. No defaults. |
-| `AWS_BACKUPS` | Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. |
-| `AWS_BACKUP_REGION` | AWS region. No defaults. |
-| `AWS_BACKUP_ACCESS_KEY_ID` | AWS access key id. No defaults. |
-| `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. |
-| `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. |
-| `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables mulitpart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) |
-| `GITLAB_ROBOTS_PATH` | Location of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples.
|
-| `RACK_ATTACK_ENABLED` | Enable/disable rack middleware for blocking & throttling abusive requests Defaults to `true`. |
-| `RACK_ATTACK_WHITELIST` | Always allow requests from whitelisted host. Defaults to `127.0.0.1` |
-| `RACK_ATTACK_MAXRETRY` | Number of failed auth attempts before which an IP should be banned. Defaults to `10` |
-| `RACK_ATTACK_FINDTIME` | Number of seconds before resetting the per IP auth attempt counter. Defaults to `60`. |
-| `RACK_ATTACK_BANTIME` | Number of seconds an IP should be banned after too many auth attempts. Defaults to `3600`. |
-| `GITLAB_WORKHORSE_TIMEOUT` | Timeout for gitlab workhorse http proxy. Defaults to `5m0s`. |
-
-# Maintenance
-
-## Creating backups
+##### `DEBUG`
-GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.
+Set this to `true` to enable entrypoint debugging.
-Before taking a backup make sure the container is stopped and removed to avoid container name conflicts.
+##### `TZ`
-```bash
-docker stop gitlab && docker rm gitlab
-```
+Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Amsterdam` See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For configuring the timezone of gitlab see variable `GITLAB_TIMEZONE`.
-Execute the rake task to create a backup.
+##### `GITLAB_HOST`
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:8.15.4 app:rake gitlab:backup:create
-```
+The hostname of the GitLab server. Defaults to `localhost`
-A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter.
+##### `GITLAB_CI_HOST`
-*P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section.
However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.* +If you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults. -When using `docker-compose` you may use the following command to execute the backup. +##### `GITLAB_PORT` -```bash -docker-compose run --rm gitlab app:rake gitlab:backup:create -``` +The port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`. -## Restoring Backups +##### `GITLAB_SECRETS_DB_KEY_BASE` -GitLab also defines a rake task to restore a backup. +Encryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults. -Before performing a restore make sure the container is stopped and removed to avoid container name conflicts. +##### `GITLAB_SECRETS_SECRET_KEY_BASE` -```bash -docker stop gitlab && docker rm gitlab -``` +Encryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults. 
-If this is a fresh database that you're doing the restore on, first -you need to prepare the database: +##### `GITLAB_SECRETS_OTP_KEY_BASE` -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.14.4 app:rake db:setup -``` + Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults. -Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. +##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:backup:restore -``` + Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults. -The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. +##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` -To avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task. +The base key used to encrypt data for non-deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_primary_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_primary_key","second_primary_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! 
**If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults. -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:backup:restore BACKUP=1417624827 -``` +##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` -When using `docker-compose` you may use the following command to execute the restore. +The base key used to encrypt data for deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_deterministic_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_deterministic_key","second_deterministic_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults. -```bash -docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups -docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1417624827 # Choose to restore from 1417624827 -``` +##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT` -## Host Key Backups (ssh) +The salt used to encrypt data for `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_key_derivation_salt` in `config/secrets.yml`. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long. **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults. -SSH keys are not backed up in the normal gitlab backup process. You -will need to backup the `ssh/` directory in the data volume by hand -and you will want to restore it prior to doing a gitlab restore. 
+##### `GITLAB_TIMEZONE` -## Automated Backups +Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will affect cron, see variable `TZ` -The image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option. +##### `GITLAB_ROOT_PASSWORD` -Daily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups. +The password for the root user on firstrun. Defaults to `5iveL!fe`. GitLab requires this to be at least **8 characters long**. -By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option. +##### `GITLAB_ROOT_EMAIL` -### Amazon Web Services (AWS) Remote Backups +The email for the root user on firstrun. Defaults to `admin@example.com` -The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`. 
+##### `GITLAB_EMAIL` -More details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage) +The email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`. -AWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. +##### `GITLAB_EMAIL_DISPLAY_NAME` -## Rake Tasks +The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`. -The `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, if you want to gather information about GitLab and the system it runs on. +##### `GITLAB_EMAIL_REPLY_TO` -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:env:info -``` +The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`. -You can also use `docker exec` to run raketasks on running gitlab instance. For example, +##### `GITLAB_EMAIL_SUBJECT_SUFFIX` -```bash -docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production -``` +The e-mail subject suffix used in e-mails sent by GitLab. No defaults. -Similarly, to import bare repositories into GitLab project instance +##### `GITLAB_EMAIL_ENABLED` -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:import:repos -``` +Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration. -Or +##### `GITLAB_EMAIL_SMIME_ENABLE` -```bash -docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production -``` +Enable or disable email S/MIME signing. Defaults is `false`. 
-For a complete list of available rake tasks please refer https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks or the help section of your gitlab installation. +##### `GITLAB_EMAIL_SMIME_KEY_FILE` -*P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.* +Specifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``. -To use the `app:rake` command with `docker-compose` use the following command. +##### `GITLAB_EMAIL_SMIME_CERT_FILE` -```bash -# For stopped instances -docker-compose run --rm gitlab app:rake gitlab:env:info -docker-compose run --rm gitlab app:rake gitlab:import:repos +Specifies the path to a S/MIME public certificate key in PEM format. Defaults to ``. -# For running instances -docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production -docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production -``` +##### `GITLAB_DEFAULT_THEME` -## Import Repositories +Default theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red) -Copy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so: +##### `GITLAB_ISSUE_CLOSING_PATTERN` -```bash -docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:import:repos -``` +Issue closing pattern regex. See [GitLab's documentation](https://docs.gitlab.com/ee/administration/issue_closing_pattern.html) for more detail. Defaults to ` \b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+) ` . -Watch the logs and your repositories should be available into your new gitlab container. 
+##### `GITLAB_INCOMING_EMAIL_ADDRESS`
-See [Rake Tasks](#rake-tasks) for more information on executing rake tasks.
-Usage when using `docker-compose` can also be found there.
+The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter.
-## Upgrading
+##### `GITLAB_INCOMING_EMAIL_ENABLED`
-> **Important Notice**
->
-> Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information
->
-> If you're using `sameersbn/postgresql` then please upgrade to `sameersbn/postgresql:9.4-18` or later and add `DB_EXTENSION=pg_trgm` to the environment of the PostgreSQL container (see: https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L8).
+Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.
-GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.
+##### `GITLAB_SIGNUP_ENABLED`
-To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.
+Enable or disable user signups (first run only). Default is `true`.
-> **Note**
->
-> Upgrading to `sameersbn/gitlab:8.15.4` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher.
+##### `GITLAB_IMPERSONATION_ENABLED`
-- **Step 1**: Update the docker image.
+Enable or disable impersonation. Defaults to `true`.
-```bash
-docker pull sameersbn/gitlab:8.15.4
-```
+##### `GITLAB_PROJECTS_LIMIT`
-- **Step 2**: Stop and remove the currently running image
+Set default projects limit. Defaults to `100`.
-```bash
-docker stop gitlab
-docker rm gitlab
-```
+##### `GITLAB_USERNAME_CHANGE`
-- **Step 3**: Create a backup
+Enable or disable ability for users to change their username. Defaults to `true`.
-```bash
-docker run --name gitlab -it --rm [OPTIONS] \
- sameersbn/gitlab:x.x.x app:rake gitlab:backup:create
-```
+##### `GITLAB_CREATE_GROUP`
-Replace `x.x.x` with the version you are upgrading from. For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0`
+Enable or disable ability for users to create groups. Defaults to `true`.
-- **Step 4**: Start the image
+##### `GITLAB_PROJECTS_ISSUES`
-> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
+Set if *issues* feature should be enabled by default for new projects. Defaults to `true`.
-> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
+##### `GITLAB_PROJECTS_MERGE_REQUESTS`
-```bash
-docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:8.15.4
-```
+Set if *merge requests* feature should be enabled by default for new projects. Defaults to `true`.
-## Shell Access
+##### `GITLAB_PROJECTS_WIKI`
-For debugging and maintenance purposes you may want access the containers shell.
If you are using docker version `1.3.0` or higher you can access a running containers shell using `docker exec` command.
+Set if *wiki* feature should be enabled by default for new projects. Defaults to `true`.
-```bash
-docker exec -it gitlab bash
+##### `GITLAB_PROJECTS_SNIPPETS`
+
+Set if *snippets* feature should be enabled by default for new projects. Defaults to `false`.
+
+##### `GITLAB_PROJECTS_BUILDS`
+
+Set if *builds* feature should be enabled by default for new projects. Defaults to `true`.
+
+##### `GITLAB_PROJECTS_CONTAINER_REGISTRY`
+
+Set if *container_registry* feature should be enabled by default for new projects. Defaults to `true`.
+
+##### `GITLAB_SHELL_CUSTOM_HOOKS_DIR`
+
+Global custom hooks directory. Defaults to `/home/git/gitlab-shell/hooks`.
+
+##### `GITLAB_WEBHOOK_TIMEOUT`
+
+Sets the timeout for webhooks. Defaults to `10` seconds.
+
+##### `GITLAB_NOTIFY_ON_BROKEN_BUILDS`
+
+Enable or disable broken build notification emails. Defaults to `true`
+
+##### `GITLAB_NOTIFY_PUSHER`
+
+Add pusher to recipients list of broken build notification emails. Defaults to `false`
+
+##### `GITLAB_REPOS_DIR`
+
+The git repositories folder in the container. Defaults to `/home/git/data/repositories`
+
+##### `GITLAB_BACKUP_DIR`
+
+The backup folder in the container. Defaults to `/home/git/data/backups`
+
+##### `GITLAB_BACKUP_DIR_CHOWN`
+
+Optionally change ownership of backup files on start-up. Defaults to `true`
+
+##### `GITLAB_BACKUP_DIR_GROUP`
+
+Optionally group backups into a subfolder. Can also be used to place backups in to a subfolder on remote storage. Not used by default.
+
+##### `GITLAB_BUILDS_DIR`
+
+The build traces directory. Defaults to `/home/git/data/builds`
+
+##### `GITLAB_DOWNLOADS_DIR`
+
+The repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`.
+
+##### `GITLAB_SHARED_DIR`
+
+The directory to store the build artifacts. Defaults to `/home/git/data/shared`
+
+##### `GITLAB_ARTIFACTS_ENABLED`
+
+Enable/Disable GitLab artifacts support. Defaults to `true`.
+
+##### `GITLAB_ARTIFACTS_DIR`
+
+Directory to store the artifacts. Defaults to `$GITLAB_SHARED_DIR/artifacts`
+
+##### `AWS_ACCESS_KEY_ID`
+
+Default AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_ID`
+
+##### `AWS_SECRET_ACCESS_KEY`
+
+Default AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY`
+
+##### `AWS_REGION`
+
+AWS Region. Defaults to `us-east-1`
+
+##### `AWS_HOST`
+
+Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`. Defaults to `s3.amazon.com`
+
+##### `AWS_ENDPOINT`
+
+AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil`
+
+##### `AWS_PATH_STYLE`
+
+Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true`
+
+##### `AWS_SIGNATURE_VERSION`
+
+AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `4`
+
+##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+Default Google project to use for Object Store.
+
+##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+Default Google service account email to use for Object Store.
+
+##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`
+
+Default Google key file Defaults to `/gcs/key.json`
+
+##### `GITLAB_OBJECT_STORE_CONNECTION_PROVIDER`
+
+Default object store connection provider. Defaults to `AWS`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED`
+
+Enables Object Store for Artifacts that will be remote stored. Defaults to `false`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY`
+
+Bucket name to store the artifacts.
Defaults to `artifacts`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD`
+
+Set to true to enable direct upload of Artifacts without the need of local shared storage. Defaults to `false`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD`
+
+Temporary option to limit automatic upload. Defaults to `false`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD`
+
+Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER`
+
+Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+
+AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+
+AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`
+
+AWS Region. Defaults to `$AWS_REGION`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST`
+
+Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+
+AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION`
+
+AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+Google service account.
Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`
+
+Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)
+
+##### `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON`
+
+Cron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'`
+
+##### `GITLAB_LFS_ENABLED`
+
+Enable/Disable Git LFS support. Defaults to `true`.
+
+##### `GITLAB_LFS_OBJECTS_DIR`
+
+Directory to store the lfs-objects. Defaults to `$GITLAB_SHARED_DIR/lfs-objects`
+
+##### `GITLAB_LFS_OBJECT_STORE_ENABLED`
+
+Enables Object Store for LFS that will be remote stored. Defaults to `false`
+
+##### `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY`
+
+Bucket name to store the LFS. Defaults to `lfs-object`
+
+##### `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD`
+
+Temporary option to limit automatic upload. Defaults to `false`
+
+##### `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD`
+
+Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER`
+
+Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+
+AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+
+AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`
+
+AWS Region. Defaults to `$AWS_REGION`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST`
+
+Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+
+AWS Endpoint like `http://127.0.0.1:9000`.
Defaults to `$AWS_ENDPOINT`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION`
+
+AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`
+
+Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)
+
+##### `GITLAB_PACKAGES_ENABLED`
+
+Enable/Disable Packages support. Defaults to `true`.
+
+##### `GITLAB_PACKAGES_DIR`
+
+Directory to store the packages data. Defaults to `$GITLAB_SHARED_DIR/packages`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_ENABLED`
+
+Enables Object Store for Packages that will be remote stored. Defaults to `false`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY`
+
+Bucket name to store the packages. Defaults to `packages`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD`
+
+Set to true to enable direct upload of Packages without the need of local shared storage. Defaults to `false`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD`
+
+Temporary option to limit automatic upload. Defaults to `false`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD`
+
+Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER`
+
+Connection Provider for the Object Store.
(`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+
+AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+
+AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION`
+
+AWS Region. Defaults to `$AWS_REGION`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST`
+
+Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+
+AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`
+
+Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)
+
+##### `GITLAB_TERRAFORM_STATE_ENABLED`
+
+Enable/Disable Terraform State support. Defaults to `true`.
+
+##### `GITLAB_TERRAFORM_STATE_STORAGE_PATH`
+
+Directory to store the terraform state data. Defaults to `$GITLAB_SHARED_DIR/terraform_state`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED`
+
+Enables Object Store for Terraform state that will be remote stored. Defaults to `false`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY`
+
+Bucket name to store the Terraform state.
Defaults to `terraform_state`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER`
+
+Connection Provider for the Object Store (AWS or Google). Defaults to $GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (i.e. AWS).
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+
+AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+
+AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION`
+
+AWS Region. Defaults to `$AWS_REGION`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST`
+
+Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+
+AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`
+
+Default Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)
+
+##### `GITLAB_UPLOADS_STORAGE_PATH`
+
+The location where uploads objects are stored. Defaults to `$GITLAB_SHARED_DIR/public`.
+
+##### `GITLAB_UPLOADS_BASE_DIR`
+
+Mapping for the `GITLAB_UPLOADS_STORAGE_PATH`. Defaults to `uploads/-/system`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_ENABLED`
+
+Enables Object Store for UPLOADS that will be remote stored.
Defaults to `false`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY`
+
+Bucket name to store the UPLOADS. Defaults to `uploads`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD`
+
+Temporary option to limit automatic upload. Defaults to `false`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD`
+
+Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER`
+
+Connection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`
+
+AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`
+
+AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION`
+
+AWS Region. Defaults to `$AWS_REGION`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST`
+
+Configure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`
+
+AWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`
+
+Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+Google project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+Google service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`
+
+##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`
+
+Default Google key file.
Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)
+
+##### `GITLAB_MATTERMOST_ENABLED`
+
+Enable/Disable GitLab Mattermost for *Add Mattermost button*. Defaults to `false`.
+
+##### `GITLAB_MATTERMOST_URL`
+
+Sets Mattermost URL. Defaults to `https://mattermost.example.com`.
+
+##### `GITLAB_BACKUP_SCHEDULE`
+
+Setup cron job to automatic backups. Possible values `disable`, `daily`, `weekly` or `monthly`. Disabled by default
+
+##### `GITLAB_BACKUP_EXPIRY`
+
+Configure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds).
+
+##### `GITLAB_BACKUP_PG_SCHEMA`
+
+Specify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524
+
+##### `GITLAB_BACKUP_ARCHIVE_PERMISSIONS`
+
+Sets the permissions of the backup archives. Defaults to `0600`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions)
+
+##### `GITLAB_BACKUP_TIME`
+
+Set a time for the automatic backups in `HH:MM` format. Defaults to `04:00`.
+
+##### `GITLAB_BACKUP_SKIP`
+
+Specified sections are skipped by the backups. Defaults to empty, i.e. `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system)
+
+##### `GITLAB_SSH_HOST`
+
+The ssh host. Defaults to **GITLAB_HOST**.
+
+##### `GITLAB_SSH_LISTEN_PORT`
+
+The ssh port for SSHD to listen on. Defaults to `22`
+
+##### `GITLAB_SSH_MAXSTARTUPS`
+
+The ssh "MaxStartups" parameter, defaults to `10:30:60`.
+
+##### `GITLAB_SSH_PORT`
+
+The ssh port number. Defaults to `$GITLAB_SSH_LISTEN_PORT`.
+
+##### `GITLAB_RELATIVE_URL_ROOT`
+
+The relative url of the GitLab server, e.g. `/git`. No default.
+
+##### `GITLAB_TRUSTED_PROXIES`
+
+Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address.
Currently only a single entry is permitted. No defaults.
+
+##### `GITLAB_REGISTRY_ENABLED`
+
+Enables the GitLab Container Registry. Defaults to `false`.
+
+##### `GITLAB_REGISTRY_HOST`
+
+Sets the GitLab Registry Host. Defaults to `registry.example.com`
+
+##### `GITLAB_REGISTRY_PORT`
+
+Sets the GitLab Registry Port. Defaults to `443`.
+
+##### `GITLAB_REGISTRY_API_URL`
+
+Sets the GitLab Registry API URL. Defaults to `http://localhost:5000`
+
+##### `GITLAB_REGISTRY_KEY_PATH`
+
+Sets the GitLab Registry Key Path. Defaults to `config/registry.key`
+
+##### `GITLAB_REGISTRY_DIR`
+
+Directory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry`
+
+##### `GITLAB_REGISTRY_ISSUER`
+
+Sets the GitLab Registry Issuer. Defaults to `gitlab-issuer`.
+
+##### `GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES`
+
+Set to `true` to generate SSL internal Registry keys. Used to communicate between a Docker Registry and GitLab. It will generate a self-signed certificate key at the location given by `$GITLAB_REGISTRY_KEY_PATH`, e.g. `/certs/registry.key`. And will generate the certificate file at the same location, with the same name, but changing the extension from `key` to `crt`, e.g. `/certs/registry.crt`
+
+##### `GITLAB_PAGES_ENABLED`
+
+Enables the GitLab Pages. Defaults to `false`.
+
+##### `GITLAB_PAGES_DOMAIN`
+
+Sets the GitLab Pages Domain. Defaults to `example.com`
+
+##### `GITLAB_PAGES_DIR`
+
+Sets GitLab Pages directory where all pages will be stored. Defaults to `$GITLAB_SHARED_DIR/pages`
+
+##### `GITLAB_PAGES_PORT`
+
+Sets GitLab Pages Port that will be used in NGINX. Defaults to `80`
+
+##### `GITLAB_PAGES_HTTPS`
+
+Sets GitLab Pages to HTTPS and the gitlab-pages-ssl config will be used. Defaults to `false`
+
+##### `GITLAB_PAGES_ARTIFACTS_SERVER`
+
+Set to `true` to enable pages artifacts server, enabled by default.
+
+##### `GITLAB_PAGES_ARTIFACTS_SERVER_URL`
+
+If `GITLAB_PAGES_ARTIFACTS_SERVER` is enabled, set to API endpoint for GitLab Pages (e.g. `https://example.com/api/v4`). No default.
+
+##### `GITLAB_PAGES_EXTERNAL_HTTP`
+
+Sets GitLab Pages external http to receive request on an independent port. Disabled by default
+
+##### `GITLAB_PAGES_EXTERNAL_HTTPS`
+
+Sets GitLab Pages external https to receive request on an independent port. Disabled by default
+
+##### `GITLAB_PAGES_ACCESS_CONTROL`
+
+Set to `true` to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership to that project. Disabled by default.
+
+##### `GITLAB_PAGES_NGINX_PROXY`
+
+Disable the nginx proxy for gitlab pages, defaults to `true`. When set to `false` this will turn off the nginx proxy to the gitlab pages daemon, used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup.
+
+##### `GITLAB_PAGES_ACCESS_SECRET`
+
+Secret Hash, minimal 32 characters, if omitted, it will be auto generated.
+
+##### `GITLAB_PAGES_ACCESS_CONTROL_SERVER`
+
+Gitlab instance URI, example: `https://gitlab.example.io`
+
+##### `GITLAB_PAGES_ACCESS_CLIENT_ID`
+
+Client ID from earlier generated OAuth application
+
+##### `GITLAB_PAGES_ACCESS_CLIENT_SECRET`
+
+Client Secret from earlier generated OAuth application
+
+##### `GITLAB_PAGES_ACCESS_REDIRECT_URI`
+
+Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io/auth`
+
+##### `GITLAB_HTTPS`
+
+Set to `true` to enable https support, disabled by default.
+
+##### `GITALY_CLIENT_PATH`
+
+Set default path for gitaly. defaults to `/home/git/gitaly`
+
+##### `GITALY_TOKEN`
+
+Set a gitaly token, blank by default.
+
+##### `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL`
+
+Time between sampling of unicorn socket metrics, in seconds, defaults to `10`
+
+##### `GITLAB_MONITORING_IP_WHITELIST`
+
+IP whitelist to access monitoring endpoints.
No defaults.
+
+##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED`
+
+Set to `true` to enable the sidekiq exporter, enabled by default.
+
+##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS`
+
+Sidekiq exporter address, defaults to `0.0.0.0`
+
+##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT`
+
+Sidekiq exporter port, defaults to `3807`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_ENABLED`
+
+Set to `true` to enable [Content Security Policy](https://guides.rubyonrails.org/security.html#content-security-policy), enabled by default.
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY`
+
+Set to `true` to set `Content-Security-Policy-Report-Only` header, disabled by default
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI`
+
+The value of the `base-uri` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC`
+
+The value of the `child-src` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC`
+
+The value of the `connect-src` directive in the `Content-Security-Policy` header. Default to `'self' http://localhost:* ws://localhost:* wss://localhost:*`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC`
+
+The value of the `default-src` directive in the `Content-Security-Policy` header. Default to `'self'`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC`
+
+The value of the `font-src` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION`
+
+The value of the `form-action` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS`
+
+The value of the `frame-ancestors` directive in the `Content-Security-Policy` header. Default to `'self'`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC`
+
+The value of the `frame-src` directive in the `Content-Security-Policy` header.
Default to `'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC`
+
+The value of the `img-src` directive in the `Content-Security-Policy` header. Default to `* data: blob:`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC`
+
+The value of the `manifest-src` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC`
+
+The value of the `media-src` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC`
+
+The value of the `object-src` directive in the `Content-Security-Policy` header. Default to `'none'`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC`
+
+The value of the `script-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC`
+
+The value of the `style-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-inline'`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC`
+
+The value of the `worker-src` directive in the `Content-Security-Policy` header. Default to `'self' blob:`
+
+##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI`
+
+The value of the `report-uri` directive in the `Content-Security-Policy` header
+
+##### `GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`
+
+Comma separated list of feature flag names to be disabled. No whitespace is allowed.
+You can see all feature flags in GitLab at corresponding version of documentation:
+Feature flags name and its statement will be appear to container log.
Note that some of the feature flags are implicitly enabled or disabled by GitLab itself, and are not appear to container log.
+No defaults.
+
+##### `GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`
+
+This parameter is the same as [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_enable_targets), except its purpose is to enable the feature flag. No defaults.
+
+##### `SSL_SELF_SIGNED`
+
+Set to `true` when using self-signed ssl certificates. `false` by default.
+
+##### `SSL_CERTIFICATE_PATH`
+
+Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`
+
+##### `SSL_KEY_PATH`
+
+Location of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key`
+
+##### `SSL_DHPARAM_PATH`
+
+Location of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem`
+
+##### `SSL_VERIFY_CLIENT`
+
+Enable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file or setting this variable to `on`. Defaults to `off`
+
+##### `SSL_CA_CERTIFICATES_PATH`
+
+List of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.
+
+##### `SSL_REGISTRY_KEY_PATH`
+
+Location of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key`
+
+##### `SSL_REGISTRY_CERT_PATH`
+
+Location of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt`
+
+##### `SSL_PAGES_KEY_PATH`
+
+Location of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key`
+
+##### `SSL_PAGES_CERT_PATH`
+
+Location of the ssl certificate for the gitlab pages.
Defaults to `/home/git/data/certs/pages.crt`
+
+##### `SSL_CIPHERS`
+
+List of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4`
+
+##### `SSL_PROTOCOLS`
+
+List of supported SSL protocols: Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3`
+
+##### `SSL_PAGES_CIPHERS`
+
+List of supported SSL ciphers for the gitlab pages: Defaults to `SSL_CIPHERS`
+
+##### `SSL_PAGES_PROTOCOLS`
+
+List of supported SSL protocols for the gitlab pages: Defaults to `SSL_PROTOCOLS`
+
+##### `SSL_REGISTRY_CIPHERS`
+
+List of supported SSL ciphers for gitlab container registry: Defaults to `SSL_CIPHERS`
+
+##### `SSL_REGISTRY_PROTOCOLS`
+
+List of supported SSL protocols for gitlab container registry: Defaults to `SSL_PROTOCOLS`
+
+##### `NGINX_WORKERS`
+
+The number of nginx workers to start. Defaults to `1`.
+
+##### `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE`
+
+Sets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`.
+
+##### `NGINX_HSTS_ENABLED`
+
+Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario.
+
+##### `NGINX_HSTS_MAXAGE`
+
+Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
+
+##### `NGINX_PROXY_BUFFERING`
+
+Enable `proxy_buffering`. Defaults to `off`.
+ +##### `NGINX_ACCEL_BUFFERING` + +Enable `X-Accel-Buffering` header. Default to `no` + +##### `NGINX_X_FORWARDED_PROTO` + +Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. + +##### `NGINX_REAL_IP_RECURSIVE` + +set to `on` if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address. `off` by default. + +##### `NGINX_REAL_IP_TRUSTED_ADDRESSES` + +You can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No defaults. + +##### `NGINX_CUSTOM_GITLAB_SERVER_CONFIG` + +Advanced configuration option. You can add custom configuration for nginx as you like (e.g. custom location proxy). This is similar to setting `nginx['custom_gitlab_server_config']` to `gitlab.rb` for gitlab-omnibus. No defaults. + +##### `REDIS_HOST` + +The hostname of the redis server. Defaults to `localhost` + +##### `REDIS_PORT` + +The connection port of the redis server. Defaults to `6379`. + +##### `REDIS_DB_NUMBER` + +The redis database number. Defaults to '0'. + +##### `PUMA_WORKERS` + +The number of puma workers to start. Defaults to `3`. + +##### `PUMA_TIMEOUT` + +Sets the timeout of puma worker processes. Defaults to `60` seconds. + +##### `PUMA_THREADS_MIN` + +The number of puma minimum threads. Defaults to `1`. + +##### `PUMA_THREADS_MAX` + +The number of puma maximum threads. Defaults to `16`. + +##### `PUMA_PER_WORKER_MAX_MEMORY_MB` + +Maximum memory size of per puma worker process. Defaults to `1024`. + +##### `PUMA_MASTER_MAX_MEMORY_MB` + +Maximum memory size of puma master process. Defaults to `800`. + +##### `SIDEKIQ_CONCURRENCY` + +The number of concurrent sidekiq jobs to run. Defaults to `25` + +##### `SIDEKIQ_SHUTDOWN_TIMEOUT` + +Timeout for sidekiq shutdown. 
Defaults to `4` + +##### `SIDEKIQ_MEMORY_KILLER_MAX_RSS` + +Non-zero value enables the SidekiqMemoryKiller. Defaults to `2000000`. For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html) + +##### `GITLAB_SIDEKIQ_LOG_FORMAT` + +Sidekiq log format that will be used. Defaults to `json` + +##### `DB_ADAPTER` + +The database type. Currently only postgresql is supported. Possible values: `postgresql`. Defaults to `postgresql`. + +##### `DB_ENCODING` + +The database encoding. For `DB_ADAPTER` values `postgresql` this parameter defaults and `utf8` respectively. + +##### `DB_HOST` + +The database server hostname. Defaults to `localhost`. + +##### `DB_PORT` + +The database server port. Defaults to `5432` for postgresql. + +##### `DB_NAME` + +The database database name. Defaults to `gitlabhq_production` + +##### `DB_USER` + +The database database user. Defaults to `root` + +##### `DB_PASS` + +The database database password. Defaults to no password + +##### `DB_POOL` + +The database database connection pool count. Defaults to `10`. + +##### `DB_PREPARED_STATEMENTS` + +Whether to use database prepared statements. No defaults. But set to `false` if you want to use with [PgBouncer](https://pgbouncer.github.io/) + +##### `SMTP_ENABLED` + +Enable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`. + +##### `SMTP_DOMAIN` + +SMTP domain. Defaults to `www.gmail.com` + +##### `SMTP_HOST` + +SMTP server host. Defaults to `smtp.gmail.com`. + +##### `SMTP_PORT` + +SMTP server port. Defaults to `587`. + +##### `SMTP_USER` + +SMTP username. + +##### `SMTP_PASS` + +SMTP password. + +##### `SMTP_STARTTLS` + +Enable STARTTLS. Defaults to `true`. + +##### `SMTP_TLS` + +Enable SSL/TLS. Defaults to `false`. + +##### `SMTP_OPENSSL_VERIFY_MODE` + +SMTP openssl verification mode. Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`. 
+ +##### `SMTP_AUTHENTICATION` + +Specify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set. + +##### `SMTP_CA_ENABLED` + +Enable custom CA certificates for SMTP email configuration. Defaults to `false`. + +##### `SMTP_CA_PATH` + +Specify the `ca_path` parameter for SMTP email configuration. Defaults to `/home/git/data/certs`. + +##### `SMTP_CA_FILE` + +Specify the `ca_file` parameter for SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`. + +##### `IMAP_ENABLED` + +Enable mail delivery via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`. + +##### `IMAP_HOST` + +IMAP server host. Defaults to `imap.gmail.com`. + +##### `IMAP_PORT` + +IMAP server port. Defaults to `993`. + +##### `IMAP_USER` + +IMAP username. + +##### `IMAP_PASS` + +IMAP password. + +##### `IMAP_SSL` + +Enable SSL. Defaults to `true`. + +##### `IMAP_STARTTLS` + +Enable STARTTLS. Defaults to `false`. + +##### `IMAP_MAILBOX` + +The name of the mailbox where incoming mail will end up. Defaults to `inbox`. + +##### `LDAP_ENABLED` + +Enable LDAP. Defaults to `false` + +##### `LDAP_LABEL` + +Label to show on login tab for LDAP server. Defaults to 'LDAP' + +##### `LDAP_HOST` + +LDAP Host + +##### `LDAP_PORT` + +LDAP Port. Defaults to `389` + +##### `LDAP_UID` + +LDAP UID. Defaults to `sAMAccountName` + +##### `LDAP_METHOD` + +LDAP method, Possible values are `simple_tls`, `start_tls` and `plain`. Defaults to `plain` + +##### `LDAP_VERIFY_SSL` + +LDAP verify ssl certificate for installations that are using `LDAP_METHOD: 'simple_tls'` or `LDAP_METHOD: 'start_tls'`. Defaults to `true` + +##### `LDAP_CA_FILE` + +Specifies the path to a file containing a PEM-format CA certificate. Defaults to `` + +##### `LDAP_SSL_VERSION` + +Specifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. Defaults to `` + +##### `LDAP_BIND_DN` + +No default. 
+ +##### `LDAP_PASS` + +LDAP password + +##### `LDAP_TIMEOUT` + +Timeout, in seconds, for LDAP queries. Defaults to `10`. + +##### `LDAP_ACTIVE_DIRECTORY` + +Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. Defaults to `true`, + +##### `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN` + +If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`. + +##### `LDAP_BLOCK_AUTO_CREATED_USERS` + +Locks down those users until they have been cleared by the admin. Defaults to `false`. + +##### `LDAP_BASE` + +Base where we can search for users. No default. + +##### `LDAP_USER_FILTER` + +Filter LDAP users. No default. + +##### `LDAP_USER_ATTRIBUTE_USERNAME` + +Attribute fields for the identification of a user. Default to `['uid', 'userid', 'sAMAccountName']` + +##### `LDAP_USER_ATTRIBUTE_MAIL` + +Attribute fields for the shown mail address. Default to `['mail', 'email', 'userPrincipalName']` + +##### `LDAP_USER_ATTRIBUTE_NAME` + +Attribute field for the used username of a user. Defaults to `cn`. + +##### `LDAP_USER_ATTRIBUTE_FIRSTNAME` + +Attribute field for the forename of a user. Default to `givenName` + +##### `LDAP_USER_ATTRIBUTE_LASTNAME` + + Attribute field for the surname of a user. Default to `sn` + +##### `LDAP_LOWERCASE_USERNAMES` + +GitLab will lower case the username for the LDAP Server. Defaults to `false` + +##### `LDAP_PREVENT_LDAP_SIGN_IN` + +Set to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to `false` + +##### `OAUTH_ENABLED` + +Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. + +##### `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` + +Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. 
Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. + +##### `OAUTH_ALLOW_SSO` + +Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. + +##### `OAUTH_BLOCK_AUTO_CREATED_USERS` + +Locks down those users until they have been cleared by the admin. Defaults to `true`. + +##### `OAUTH_AUTO_LINK_LDAP_USER` + +Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`. + +##### `OAUTH_AUTO_LINK_SAML_USER` + +Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`. + +##### `OAUTH_AUTO_LINK_USER` + +Allow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to `[]`. + +##### `OAUTH_EXTERNAL_PROVIDERS` + +Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. + +##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR` + +Specify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `["twitter", "google_oauth2"]`. Setting this to `true` or `false` applies to all - allow all or none. 
Defaults to `false`. + +##### `OAUTH_CAS3_LABEL` + +The "Sign in with" button label. Defaults to "cas3". + +##### `OAUTH_CAS3_SERVER` + +CAS3 server URL. No defaults. + +##### `OAUTH_CAS3_DISABLE_SSL_VERIFICATION` + +Disable CAS3 SSL verification. Defaults to `false`. + +##### `OAUTH_CAS3_LOGIN_URL` + +CAS3 login URL. Defaults to `/cas/login` + +##### `OAUTH_CAS3_VALIDATE_URL` + +CAS3 validation URL. Defaults to `/cas/p3/serviceValidate` + +##### `OAUTH_CAS3_LOGOUT_URL` + +CAS3 logout URL. Defaults to `/cas/logout` + +##### `OAUTH_GOOGLE_API_KEY` + +Google App Client ID. No defaults. + +##### `OAUTH_GOOGLE_APP_SECRET` + +Google App Client Secret. No defaults. + +##### `OAUTH_GOOGLE_RESTRICT_DOMAIN` + +List of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults. + +##### `OAUTH_FACEBOOK_API_KEY` + +Facebook App API key. No defaults. + +##### `OAUTH_FACEBOOK_APP_SECRET` + +Facebook App API secret. No defaults. + +##### `OAUTH_TWITTER_API_KEY` + +Twitter App API key. No defaults. + +##### `OAUTH_TWITTER_APP_SECRET` + +Twitter App API secret. No defaults. + +##### `OAUTH_AUTHENTIQ_CLIENT_ID` + +authentiq Client ID. No defaults. + +##### `OAUTH_AUTHENTIQ_CLIENT_SECRET` + +authentiq Client secret. No defaults. + +##### `OAUTH_AUTHENTIQ_SCOPE` + +Scope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'` + +##### `OAUTH_AUTHENTIQ_REDIRECT_URI` + + Callback URL for Authentiq. No defaults. + +##### `OAUTH_GITHUB_API_KEY` + +GitHub App Client ID. No defaults. + +##### `OAUTH_GITHUB_APP_SECRET` + +GitHub App Client secret. No defaults. + +##### `OAUTH_GITHUB_URL` + +Url to the GitHub Enterprise server. Defaults to `https://github.com` + +##### `OAUTH_GITHUB_VERIFY_SSL` + +Enable SSL verification while communicating with the GitHub server. Defaults to `true`. + +##### `OAUTH_GITLAB_API_KEY` + +GitLab App Client ID. No defaults. 
+ +##### `OAUTH_GITLAB_APP_SECRET` + +GitLab App Client secret. No defaults. + +##### `OAUTH_BITBUCKET_API_KEY` + +BitBucket App Client ID. No defaults. + +##### `OAUTH_BITBUCKET_APP_SECRET` + +BitBucket App Client secret. No defaults. + +##### `OAUTH_BITBUCKET_URL` + +Bitbucket URL. Defaults: `https://bitbucket.org/` + +##### `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL` + +The URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`. + +##### `OAUTH_SAML_IDP_CERT_FINGERPRINT` + +The SHA1 fingerprint of the certificate. No Defaults. + +##### `OAUTH_SAML_IDP_SSO_TARGET_URL` + +The URL to which the authentication request should be sent. No defaults. + +##### `OAUTH_SAML_ISSUER` + +The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`. + +##### `OAUTH_SAML_LABEL` + +The "Sign in with" button label. Defaults to "Our SAML Provider". + +##### `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` + +Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` + +##### `OAUTH_SAML_GROUPS_ATTRIBUTE` + +Map groups attribute in a SAMLResponse to external groups. No defaults. + +##### `OAUTH_SAML_EXTERNAL_GROUPS` + +List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL` + +Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME` + +Map 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. 
See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME` + +Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME` + +Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME` + +Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details. + +##### `OAUTH_CROWD_SERVER_URL` + +Crowd server url. No defaults. + +##### `OAUTH_CROWD_APP_NAME` + +Crowd server application name. No defaults. + +##### `OAUTH_CROWD_APP_PASSWORD` + +Crowd server application password. No defaults. + +##### `OAUTH_AUTH0_CLIENT_ID` + +Auth0 Client ID. No defaults. + +##### `OAUTH_AUTH0_CLIENT_SECRET` + +Auth0 Client secret. No defaults. + +##### `OAUTH_AUTH0_DOMAIN` + +Auth0 Domain. No defaults. + +##### `OAUTH_AUTH0_SCOPE` + +Auth0 Scope. Defaults to `openid profile email`. + +##### `OAUTH_AZURE_API_KEY` + +Azure Client ID. No defaults. + +##### `OAUTH_AZURE_API_SECRET` + +Azure Client secret. No defaults. + +##### `OAUTH_AZURE_TENANT_ID` + +Azure Tenant ID. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID` + +Client ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` + +Client secret for oauth provider `azure_activedirectory_v2`. 
If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` + +Tenant ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults. + +#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL` + +Optional label for login button for `azure_activedirectory_v2`. Defaults to `Azure AD v2` + +##### `OAUTH2_GENERIC_APP_ID` + +Your OAuth2 App ID. No defaults. + +##### `OAUTH2_GENERIC_APP_SECRET` + +Your OAuth2 App Secret. No defaults. + +##### `OAUTH2_GENERIC_CLIENT_SITE` + +The OAuth2 generic client site. No defaults + +##### `OAUTH2_GENERIC_CLIENT_USER_INFO_URL` + +The OAuth2 generic client user info url. No defaults + +##### `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL` + +The OAuth2 generic client authorize url. No defaults + +##### `OAUTH2_GENERIC_CLIENT_TOKEN_URL` + +The OAuth2 generic client token url. No defaults + +##### `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT` + +The OAuth2 generic client end session endpoint. No defaults + +##### `OAUTH2_GENERIC_ID_PATH` + +The OAuth2 generic id path. No defaults + +##### `OAUTH2_GENERIC_USER_UID` + +The OAuth2 generic user id path. No defaults + +##### `OAUTH2_GENERIC_USER_NAME` + +The OAuth2 generic user name. No defaults + +##### `OAUTH2_GENERIC_USER_EMAIL` + +The OAuth2 generic user email. No defaults + +##### `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE` + +The scope of your OAuth2 provider. No defaults + +##### `OAUTH2_GENERIC_LABEL` + +The label of your OAuth2 provider. No defaults + +##### `OAUTH2_GENERIC_NAME` + +The name of your OAuth2 provider. No defaults + +##### `GITLAB_GRAVATAR_ENABLED` + +Enables gravatar integration. Defaults to `true`. + +##### `GITLAB_GRAVATAR_HTTP_URL` + +Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. 
This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html). + +##### `GITLAB_GRAVATAR_HTTPS_URL` + +Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. + +##### `USERMAP_UID` + +Sets the uid for user `git` to the specified uid. Defaults to `1000`. + +##### `USERMAP_GID` + +Sets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`. + +##### `GOOGLE_ANALYTICS_ID` + +Google Analytics ID. No defaults. + +##### `PIWIK_URL` + +Sets the Piwik URL. No defaults. + +##### `PIWIK_SITE_ID` + +Sets the Piwik site ID. No defaults. + +##### `AWS_BACKUPS` + +Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. + +##### `AWS_BACKUP_REGION` + +AWS region. No defaults. + +##### `AWS_BACKUP_ENDPOINT` + +AWS endpoint. No defaults. + +##### `AWS_BACKUP_ACCESS_KEY_ID` + +AWS access key id. No defaults. + +##### `AWS_BACKUP_SECRET_ACCESS_KEY` + +AWS secret access key. No defaults. + +##### `AWS_BACKUP_BUCKET` + +AWS bucket for backup uploads. No defaults. + +##### `AWS_BACKUP_MULTIPART_CHUNK_SIZE` + +Enables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) + +##### `AWS_BACKUP_ENCRYPTION` + +Turns on AWS Server-Side Encryption. Defaults to `false`. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) + +##### `AWS_BACKUP_STORAGE_CLASS` + +Configure the storage class for the item. Defaults to `STANDARD` See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html) + +##### `AWS_BACKUP_SIGNATURE_VERSION` + +Configure the storage signature version. 
Defaults to `4` See at [AWS S3 Docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) + +##### `GCS_BACKUPS` + +Enables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`. + +##### `GCS_BACKUP_ACCESS_KEY_ID` + +GCS access key id. No defaults + +##### `GCS_BACKUP_SECRET_ACCESS_KEY` + +GCS secret access key. No defaults + +##### `GCS_BACKUP_BUCKET` + +GCS bucket for backup uploads. No defaults + +##### `GITLAB_ROBOTS_PATH` + +Location of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples. + +##### `RACK_ATTACK_ENABLED` + +Enable/disable rack middleware for blocking & throttling abusive requests Defaults to `true`. + +##### `RACK_ATTACK_WHITELIST` + +Always allow requests from whitelisted host. +This should be a valid yaml sequence of host address. Each host address string must be a valid IP address that can be passed to `IPAddr.new` of ruby. See [ruby-lang reference](https://docs.ruby-lang.org/en/3.0/IPAddr.html#method-c-new) for detail. +If you need to set multiple hosts, set this parameter like `["1.1.1.1","192.168.0.0/24"]` for example. + +````yaml +environment: +# pattern 1: `- key=value` style : you can specify array of hosts as is +- RACK_ATTACK_WHITELIST=["1.1.1.1","192.168.0.0/24"] +# pattern 2: `key: value` style : you must surround with quote, as the value of environment variable must not be an array + RACK_ATTACK_WHITELIST: "['1.1.1.1','192.168.0.0/24']" +```` + +Defaults to `["127.0.0.1"]` + +##### `RACK_ATTACK_MAXRETRY` + +Number of failed auth attempts before which an IP should be banned. Defaults to `10` + +##### `RACK_ATTACK_FINDTIME` + +Number of seconds before resetting the per IP auth attempt counter. Defaults to `60`. + +##### `RACK_ATTACK_BANTIME` + +Number of seconds an IP should be banned after too many auth attempts. Defaults to `3600`. 
+ +##### `GITLAB_WORKHORSE_TIMEOUT` + +Timeout for gitlab workhorse http proxy. Defaults to `5m0s`. + +##### `SENTRY_ENABLED` + +Enables Error Reporting and Logging with Sentry. Defaults to `false`. + +##### `SENTRY_DSN` + +Sentry DSN. No defaults. + +##### `SENTRY_CLIENTSIDE_DSN` + +Sentry client side DSN. No defaults. + +##### `SENTRY_ENVIRONMENT` + +Sentry environment. Defaults to `production`. + +#### Docker secrets and configs + +All the above environment variables can be put into a [secrets](https://docs.docker.com/compose/compose-file/#secrets) or [config](https://docs.docker.com/compose/compose-file/#configs) file +and then both docker-compose and Docker Swarm can import them into your gitlab container. + +On startup, the gitlab container will source env vars from a config file labeled `gitlab-config`, and then a secrets file labeled `gitlab-secrets` (both mounted in the default locations). + +See the example [`contrib/docker-swarm/docker-compose.yml`](./contrib/docker-swarm/docker-compose.yml) file, and the +example `gitlab.configs` and `gitlab.secrets` file. +You may as well choose file names other than the example source files (`gitlab.configs` and `gitlab.secrets`) and update +the `file: ./gitlab.configs` and `file: ./gitlab.secrets` references accordingly. But do not alter the config +keys [`gitlab-configs`](contrib/docker-swarm/docker-compose.yml#L158) and +[`gitlab-secrets`](contrib/docker-swarm/docker-compose.yml#L162) as they are currently +[hardcoded](./assets/runtime/functions#L4:L9) and thus must be kept as in the example. + +If you're not using one of these files, then don't include its entry in the docker-compose file. + +## Maintenance + +### Creating backups + +GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database. + +Before taking a backup make sure the container is stopped and removed to avoid container name conflicts. 
+ +```bash +docker stop gitlab && docker rm gitlab +``` + +Execute the rake task to create a backup. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:create +``` + +A backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter. + +*P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section. However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.* + +When using `docker-compose` you may use the following command to execute the backup. + +```bash +docker-compose rm -sf gitlab +docker-compose run --rm gitlab app:rake gitlab:backup:create +``` + +Afterwards you can bring your Instance back with the following command: + +```bash +docker-compose up -d +``` + +### Restoring Backups + +GitLab also defines a rake task to restore a backup. + +Before performing a restore make sure the container is stopped and removed to avoid container name conflicts. + +```bash +docker stop gitlab && docker rm gitlab +``` + +If this is a fresh database that you're doing the restore on, first +you need to prepare the database: + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake db:setup +``` + +Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore +``` + +The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. + +To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the `BACKUP` argument to the rake task. 
+ +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6 +``` + +When using `docker-compose` you may use the following command to execute the restore. + +```bash +docker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups +docker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0 # Choose to restore from 1515629493 +``` + +### Host Key Backups (ssh) + +SSH keys are not backed up in the normal gitlab backup process. You +will need to backup the `ssh/` directory in the data volume by hand +and you will want to restore it prior to doing a gitlab restore. + +### Automated Backups + +The image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option. + +Daily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups. + +By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option. + +#### Amazon Web Services (AWS) Remote Backups + +The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`. 
+ +More details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage) + +For remote backup to self-hosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`. + +AWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. + +#### Google Cloud Storage (GCS) Remote Backups + +The image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add `--env 'GCS_BACKUPS=true'` to the docker run command. In addition `GCS_BACKUP_BUCKET` must be properly configured to point to the desired GCS location. +Finally a couple of `Interoperable storage access keys` user must be created and their keys exposed through `GCS_BACKUP_ACCESS_KEY_ID` and `GCS_BACKUP_SECRET_ACCESS_KEY`. + +More details about the Cloud storage interoperability properties can found on [cloud.google.com/storage](https://cloud.google.com/storage/docs/interoperability) + +GCS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed. + +### Rake Tasks + +The `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, if you want to gather information about GitLab and the system it runs on. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:env:info +``` + +You can also use `docker exec` to run rake tasks on running gitlab instance. 
For example, + +```bash +docker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production +``` + +Similarly, to import bare repositories into GitLab project instance + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:import:repos +``` + +Or + +```bash +docker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production +``` + +For a complete list of available rake tasks please refer or the help section of your gitlab installation. + +*P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.* + +To use the `app:rake` command with `docker-compose` use the following command. + +```bash +## For stopped instances +docker-compose run --rm gitlab app:rake gitlab:env:info +docker-compose run --rm gitlab app:rake gitlab:import:repos + +## For running instances +docker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production +docker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production +``` + +### Import Repositories + +Copy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so: + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:18.5.1 app:rake gitlab:import:repos +``` + +Watch the logs and your repositories should be available into your new gitlab container. + +See [Rake Tasks](#rake-tasks) for more information on executing rake tasks. +Usage when using `docker-compose` can also be found there. + +### Upgrading + +> **Important Notice** +> +> Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. 
Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information +> +> If you're using `sameersbn/postgresql` then please upgrade to `kkimurak/sameersbn-postgresql:16` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: ). +> +> Please keep in mind that: +> +> - As of version 13.7.0, the required PostgreSQL version is 12.x. +> - As of version 16.0.0, the required PostgreSQL version is 13.x. +> - As of version 17.0.0, the required PostgreSQL version is 14.x. +> - As of version 18.0.0, the required PostgreSQL version is 16.x. +> +> If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql). + +GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down. + +To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure. + +> **Note** +> +> Upgrading to `sameersbn/gitlab:18.5.1` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher. + +- **Step 1**: Update the docker image. + +```bash +docker pull sameersbn/gitlab:18.5.1 +``` + +- **Step 2**: Stop and remove the currently running image + +```bash +docker stop gitlab +docker rm gitlab +``` + +- **Step 3**: Create a backup + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:x.x.x app:rake gitlab:backup:create +``` + +Replace `x.x.x` with the version you are upgrading from. 
For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0` + +- **Step 4**: Start the image + +> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image. + +> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters. + +> **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image. If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`. + +> **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters, **but you will lose the settings when you shutting down the container without taking a backup of `secrets.yml` and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.** + +```bash +docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.5.1 +``` + +### Shell Access + +For debugging and maintenance purposes you may want access the containers shell. If you are using docker version `1.3.0` or higher you can access a running containers shell using `docker exec` command. 
+ +```bash +docker exec -it gitlab bash +``` + +## Monitoring + +You can monitor your GitLab instance status as described in the [official documentation](https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html), for example: + +```bash +curl 'https://gitlab.example.com/-/liveness' +``` + +On success, the endpoint will return a `200` HTTP status code, and a response like below. + +```bash +{ + "status": "ok" +} +``` + +To do that you will need to set the environment variable `GITLAB_MONITORING_IP_WHITELIST` to allow your IP or subnet to make requests to your GitLab instance. + +### Health Check + +You can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com/compose/compose-file/compose-file-v2/#healthcheck) configuration to make periodic checks: + +```yml +services: + gitlab: + image: sameersbn/gitlab:18.5.1 + healthcheck: + test: ["CMD", "/usr/local/sbin/healthcheck"] + interval: 1m + timeout: 5s + retries: 5 + start_period: 2m +``` + +Then you will be able to consult the health check log by executing: + +```bash +docker inspect --format "{{json .State.Health }}" $(docker-compose ps -q gitlab) | jq ``` -# References +## References -* https://github.com/gitlabhq/gitlabhq -* https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md -* http://wiki.nginx.org/HttpSslModule -* https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html -* https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl -* https://github.com/jpetazzo/nsenter -* https://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/ +- +- +- +- +- +- +- diff --git a/VERSION b/VERSION index 3bf68e636..82f73fb75 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.15.4 +18.5.1 diff --git a/assets/build/config/database.yml.postgresql b/assets/build/config/database.yml.postgresql new file mode 100644 index 000000000..198db0000 --- /dev/null +++ b/assets/build/config/database.yml.postgresql 
@@ -0,0 +1,144 @@ +# HINT: This file is identical to the corresponding configuration file from the +# upstream repository, where the additional defined entries for `geo` had to be +# removed. Otherwise, it is not possible to build the image, since the build +# will fail with the error message: +# +# > rake aborted! +# > ERROR: This installation of GitLab uses unsupported database names in 'config/database.yml': geo. The only supported ones are main, ci. +# +# This adjustment is hopefully only a temporary workaround (see +# ). + +# +# PRODUCTION +# +production: + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_production + username: git + password: "secure password" + host: localhost + # load_balancing: + # hosts: + # - host1.example.com + # - host2.example.com + # discover: + # nameserver: 1.2.3.4 + # port: 8600 + # record: secondary.postgresql.service.consul + # interval: 300 + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_production + database_tasks: false + username: git + password: "secure password" + host: localhost +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_production +# username: git +# password: "secure password" +# host: localhost + +# +# Development specific +# +development: + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_development + username: postgres + password: "secure password" + host: localhost + variables: + statement_timeout: 15s + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_development + database_tasks: false + username: postgres + password: "secure password" + host: localhost + variables: + statement_timeout: 15s +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_development +# username: postgres +# password: "secure password" +# host: localhost + +# +# Staging specific +# +staging: + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_staging + username: git + password: "secure 
password" + host: localhost + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_staging + database_tasks: false + username: git + password: "secure password" + host: localhost +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_staging +# username: git +# password: "secure password" +# host: localhost + +# Warning: The database defined as "test" will be erased and +# re-generated from your development database when you run "rake". +# Do not set this db to the same as development or production. +test: &test + main: + adapter: postgresql + encoding: unicode + database: gitlabhq_test + username: postgres + password: + host: localhost + prepared_statements: false + variables: + statement_timeout: 15s + ci: + adapter: postgresql + encoding: unicode + database: gitlabhq_test + database_tasks: false + username: postgres + password: + host: localhost + prepared_statements: false + variables: + statement_timeout: 15s +# geo: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_geo_test +# username: postgres +# password: +# host: localhost +# embedding: +# adapter: postgresql +# encoding: unicode +# database: gitlabhq_embedding_test +# username: postgres +# password: +# host: localhost diff --git a/assets/build/install.sh b/assets/build/install.sh index 215822843..817fd61cf 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh 
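Review bot: The header comment explains why `geo` was stripped but says nothing about the `"secure password"` / `localhost` credentials, so a reader cannot tell whether this file is ever used against a real database. From the install step it is copied to `config/database.yml` only so that `rake gitlab:assets:compile USE_DB=false` can load, and the runtime template under assets/runtime/config/gitlabhq/database.yml presumably overwrites it at container start — confirm the entrypoint really does, because otherwise the placeholder file ships in the image layer. I would add to the header: `# Build-time stand-in only: credentials are dummies, consumed by assets:compile (USE_DB=false) and replaced by the runtime template when the container starts.` The empty `password:` values in the `test:` block parse as null, which is harmless here but is another sign this file must never be the live config.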
@@ -1,22 +1,38 @@ #!/bin/bash set -e -GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-ce.git -GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/repository/archive.tar.gz -GITLAB_WORKHORSE_URL=https://gitlab.com/gitlab-org/gitlab-workhorse/repository/archive.tar.gz +GITLAB_CLONE_URL=https://gitlab.com/gitlab-org/gitlab-foss.git +GITLAB_SHELL_URL=https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2 +GITLAB_PAGES_URL=https://gitlab.com/gitlab-org/gitlab-pages.git +GITLAB_GITALY_URL=https://gitlab.com/gitlab-org/gitaly.git + +GITLAB_WORKHORSE_BUILD_DIR=${GITLAB_INSTALL_DIR}/workhorse +GITLAB_PAGES_BUILD_DIR=/tmp/gitlab-pages +GITLAB_GITALY_BUILD_DIR=/tmp/gitaly + +RUBY_SRC_URL=https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz GEM_CACHE_DIR="${GITLAB_BUILD_DIR}/cache" -BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake paxctl \ - libc6-dev ruby${RUBY_VERSION}-dev \ - libmysqlclient-dev libpq-dev zlib1g-dev libyaml-dev libssl-dev \ +GOROOT=/tmp/go +PATH=${GOROOT}/bin:$PATH + +export GOROOT PATH + +# TODO Verify, if this is necessary or not. +# BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake paxctl \ +BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake \ + libc6-dev \ + libpq-dev zlib1g-dev libssl-dev \ libgdbm-dev libreadline-dev libncurses5-dev libffi-dev \ - libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev" + libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev \ + gettext libkrb5-dev \ + libexpat1-dev libz-dev libpcre2-dev build-essential git" ## Execute a command as GITLAB_USER exec_as_git() { - if [[ $(whoami) == ${GITLAB_USER} ]]; then - $@ + if [[ $(whoami) == "${GITLAB_USER}" ]]; then + "$@" else sudo -HEu ${GITLAB_USER} "$@" fi 
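Review bot: `GITLAB_SHELL_URL` is expanded on its assignment line at the top of the script, but `GITLAB_SHELL_VERSION` only gets its default (read from the cloned tree's `GITLAB_SHELL_VERSION` file) in a later hunk, so unless the Dockerfile already exports `GITLAB_SHELL_VERSION` the URL bakes in an empty version (`.../archive/v/gitlab-shell-v.tar.bz2`) and the later `wget` fetches a non-existent archive. Move the assignment to just after the defaulting line: `GITLAB_SHELL_URL="https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v${GITLAB_SHELL_VERSION}/gitlab-shell-v${GITLAB_SHELL_VERSION}.tar.bz2"`. The body of `exec_as_git` closes outside this hunk.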
@@ -24,16 +40,43 @@ exec_as_git() { # install build dependencies for gem installation apt-get update -DEBIAN_FRONTEND=noninteractive apt-get install -y ${BUILD_DEPENDENCIES} - -# https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js -paxctl -Cm `which nodejs` +DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ${BUILD_DEPENDENCIES} + +# build ruby from source +echo "Building ruby v${RUBY_VERSION} from source..." +PWD_ORG="$PWD" +mkdir /tmp/ruby && cd /tmp/ruby +curl --remote-name -Ss "${RUBY_SRC_URL}" +printf '%s ruby-%s.tar.gz' "${RUBY_SOURCE_SHA256SUM}" "${RUBY_VERSION}" | sha256sum -c - +tar xzf ruby-"${RUBY_VERSION}".tar.gz && cd ruby-"${RUBY_VERSION}" +find "${GITLAB_BUILD_DIR}/patches/ruby" -name "*.patch" | while read -r patch_file; do + echo "Applying patch ${patch_file}" + patch -p1 -i "${patch_file}" +done +./configure --disable-install-rdoc --enable-shared +make -j"$(nproc)" +make install +cd "$PWD_ORG" && rm -rf /tmp/ruby + +# upgrade rubygems on demand +gem update --no-document --system "${RUBYGEMS_VERSION}" + +# TODO Verify, if this is necessary or not. +# # PaX-mark ruby +# # Applying the mark late here does make the build usable on PaX kernels, but +# # still the build itself must be executed on a non-PaX kernel. It's done here +# # only for simplicity. +# paxctl -cvm "$(command -v ruby)" +# # https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js +# paxctl -cvm "$(command -v node)" # remove the host keys generated during openssh-server installation rm -rf /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub # add ${GITLAB_USER} user -adduser --disabled-login --gecos 'GitLab' ${GITLAB_USER} +deluser --remove-home ubuntu +addgroup --gid 1000 git +adduser --uid 1000 --gid 1000 --disabled-password --gecos 'GitLab' ${GITLAB_USER} passwd -d ${GITLAB_USER} # set PATH (fixes cron job PATH issues) 
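Review bot: The Ruby download, `curl --remote-name -Ss "${RUBY_SRC_URL}"`, has no `--fail`, so an HTTP error body is saved as `ruby-${RUBY_VERSION}.tar.gz` and the only symptom is the following `sha256sum -c` mismatch, which reads like a tampered tarball rather than a 404. Use `curl --fail --remote-name -Ss "${RUBY_SRC_URL}"` so the build aborts with the HTTP status before the checksum step. `deluser --remove-home ubuntu` is unconditional and aborts the build under `set -e` on any base image that has no such user; if the base image tag is not pinned to a release that ships one, guard it with `if id ubuntu >/dev/null 2>&1; then deluser --remove-home ubuntu; fi`. The pinned `RUBY_SOURCE_SHA256SUM` check is the right pattern; the downloads in the next hunk do not get the same treatment.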
@@ -44,71 +87,138 @@ EOF # configure git for ${GITLAB_USER} exec_as_git git config --global core.autocrlf input exec_as_git git config --global gc.auto 0 +exec_as_git git config --global repack.writeBitmaps true +exec_as_git git config --global receive.advertisePushOptions true +exec_as_git git config --global advice.detachedHead false +exec_as_git git config --global --add safe.directory /home/git/gitlab -# install gitlab-shell -echo "Downloading gitlab-shell v.${GITLAB_SHELL_VERSION}..." -mkdir -p ${GITLAB_SHELL_INSTALL_DIR} -wget -cq ${GITLAB_SHELL_URL}?ref=v${GITLAB_SHELL_VERSION} -O ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.gz -tar xf ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.gz --strip 1 -C ${GITLAB_SHELL_INSTALL_DIR} -rm -rf ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.gz -chown -R ${GITLAB_USER}: ${GITLAB_SHELL_INSTALL_DIR} +# shallow clone gitlab-foss +echo "Cloning gitlab-foss v.${GITLAB_VERSION}..." +exec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${GITLAB_INSTALL_DIR} -cd ${GITLAB_SHELL_INSTALL_DIR} -exec_as_git cp -a ${GITLAB_SHELL_INSTALL_DIR}/config.yml.example ${GITLAB_SHELL_INSTALL_DIR}/config.yml -exec_as_git ./bin/install +find "${GITLAB_BUILD_DIR}/patches/gitlabhq" -name "*.patch" | while read -r patch_file; do + printf "Applying patch %s for gitlab-foss...\n" "${patch_file}" + exec_as_git git -C ${GITLAB_INSTALL_DIR} apply --ignore-whitespace < "${patch_file}" +done -# remove unused repositories directory created by gitlab-shell install -exec_as_git rm -rf ${GITLAB_HOME}/repositories +GITLAB_SHELL_VERSION=${GITLAB_SHELL_VERSION:-$(cat ${GITLAB_INSTALL_DIR}/GITLAB_SHELL_VERSION)} +GITLAB_PAGES_VERSION=${GITLAB_PAGES_VERSION:-$(cat ${GITLAB_INSTALL_DIR}/GITLAB_PAGES_VERSION)} -echo "Downloading gitlab-workhorse v.${GITLAB_WORKHORSE_VERSION}..." 
-mkdir -p ${GITLAB_WORKHORSE_INSTALL_DIR} -wget -cq ${GITLAB_WORKHORSE_URL}?ref=v${GITLAB_WORKHORSE_VERSION} -O ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz -tar xf ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz --strip 1 -C ${GITLAB_WORKHORSE_INSTALL_DIR} -rm -rf ${GITLAB_BUILD_DIR}/gitlab-workhorse-${GITLAB_WORKHORSE_VERSION}.tar.gz -chown -R ${GITLAB_USER}: ${GITLAB_WORKHORSE_INSTALL_DIR} +# install bundler: use version specified in Gemfile.lock +BUNDLER_VERSION="$(grep "BUNDLED WITH" ${GITLAB_INSTALL_DIR}/Gemfile.lock -A 1 | grep -v "BUNDLED WITH" | tr -d "[:space:]")" +gem install bundler:"${BUNDLER_VERSION}" +# download golang echo "Downloading Go ${GOLANG_VERSION}..." -wget -cnv https://storage.googleapis.com/golang/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/ +wget -cnv https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz -P ${GITLAB_BUILD_DIR}/ tar -xf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz -C /tmp/ -cd ${GITLAB_WORKHORSE_INSTALL_DIR} -PATH=/tmp/go/bin:$PATH GOROOT=/tmp/go make install +# install gitlab-shell +echo "Downloading gitlab-shell v.${GITLAB_SHELL_VERSION}..." +mkdir -p ${GITLAB_SHELL_INSTALL_DIR} +wget -cq ${GITLAB_SHELL_URL} -O ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.bz2 +tar xf ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.bz2 --strip 1 -C ${GITLAB_SHELL_INSTALL_DIR} +rm -rf ${GITLAB_BUILD_DIR}/gitlab-shell-${GITLAB_SHELL_VERSION}.tar.bz2 +chown -R ${GITLAB_USER}: ${GITLAB_SHELL_INSTALL_DIR} -# remove go -rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz /tmp/go +cd ${GITLAB_SHELL_INSTALL_DIR} +exec_as_git cp -a config.yml.example config.yml -# shallow clone gitlab-ce -echo "Cloning gitlab-ce v.${GITLAB_VERSION}..." -exec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${GITLAB_INSTALL_DIR} +echo "Compiling gitlab-shell golang executables..." 
+exec_as_git "PATH=$PATH" make verify setup -# remove HSTS config from the default headers, we configure it in nginx -exec_as_git sed -i "/headers\['Strict-Transport-Security'\]/d" ${GITLAB_INSTALL_DIR}/app/controllers/application_controller.rb +# remove unused repositories directory created by gitlab-shell install +rm -rf ${GITLAB_HOME}/repositories + +# build gitlab-workhorse +echo "Build gitlab-workhorse" +git config --global --add safe.directory /home/git/gitlab +make -C ${GITLAB_WORKHORSE_BUILD_DIR} install +# clean up +rm -rf ${GITLAB_WORKHORSE_BUILD_DIR} + +# download gitlab-pages +echo "Downloading gitlab-pages v.${GITLAB_PAGES_VERSION}..." +git clone -q -b v${GITLAB_PAGES_VERSION} --depth 1 ${GITLAB_PAGES_URL} ${GITLAB_PAGES_BUILD_DIR} + +# install gitlab-pages +make -C ${GITLAB_PAGES_BUILD_DIR} +cp -a ${GITLAB_PAGES_BUILD_DIR}/gitlab-pages /usr/local/bin/ + +# clean up +rm -rf ${GITLAB_PAGES_BUILD_DIR} + +# download and build gitaly +echo "Downloading gitaly v.${GITALY_SERVER_VERSION}..." +git clone -q -b v${GITALY_SERVER_VERSION} --depth 1 ${GITLAB_GITALY_URL} ${GITLAB_GITALY_BUILD_DIR} + +# install gitaly +make -C ${GITLAB_GITALY_BUILD_DIR} install +mkdir -p ${GITLAB_GITALY_INSTALL_DIR} +# The following line causes some issues. However, according to +# and +# there seems to +# be some attempts to remove ruby from gitaly. +# +# cp -a ${GITLAB_GITALY_BUILD_DIR}/ruby ${GITLAB_GITALY_INSTALL_DIR}/ +cp -a ${GITLAB_GITALY_BUILD_DIR}/config.toml.example ${GITLAB_GITALY_INSTALL_DIR}/config.toml +rm -rf ${GITLAB_GITALY_INSTALL_DIR}/ruby/vendor/bundle/ruby/**/cache +chown -R ${GITLAB_USER}: ${GITLAB_GITALY_INSTALL_DIR} + +# install git bundled with gitaly. 
+make -C ${GITLAB_GITALY_BUILD_DIR} git GIT_PREFIX=/usr/local + +# clean up +rm -rf ${GITLAB_GITALY_BUILD_DIR} + +# remove go +go clean --modcache +rm -rf ${GITLAB_BUILD_DIR}/go${GOLANG_VERSION}.linux-amd64.tar.gz ${GOROOT} # revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a exec_as_git sed -i 's/db:reset/db:setup/' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake +# change SSH_ALGORITHM_PATH - we have moved host keys in ${GITLAB_DATA_DIR}/ssh/ to persist them +exec_as_git sed -i "s:/etc/ssh/:/${GITLAB_DATA_DIR}/ssh/:g" ${GITLAB_INSTALL_DIR}/app/models/instance_configuration.rb + cd ${GITLAB_INSTALL_DIR} # install gems, use local cache if available if [[ -d ${GEM_CACHE_DIR} ]]; then + echo "Found local npm package cache..." mv ${GEM_CACHE_DIR} ${GITLAB_INSTALL_DIR}/vendor/cache chown -R ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/vendor/cache fi -exec_as_git bundle install -j$(nproc) --deployment --without development test aws + +exec_as_git bundle config set --local deployment 'true' +exec_as_git bundle config set --local without 'development test mysql aws' +exec_as_git bundle install -j"$(nproc)" # make sure everything in ${GITLAB_HOME} is owned by ${GITLAB_USER} user chown -R ${GITLAB_USER}: ${GITLAB_HOME} # gitlab.yml and database.yml are required for `assets:precompile` +exec_as_git cp ${GITLAB_INSTALL_DIR}/config/resque.yml.example ${GITLAB_INSTALL_DIR}/config/resque.yml exec_as_git cp ${GITLAB_INSTALL_DIR}/config/gitlab.yml.example ${GITLAB_INSTALL_DIR}/config/gitlab.yml -exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.mysql ${GITLAB_INSTALL_DIR}/config/database.yml +# +# Temporary workaround, see +# +# exec_as_git cp ${GITLAB_INSTALL_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml +cp ${GITLAB_BUILD_DIR}/config/database.yml.postgresql ${GITLAB_INSTALL_DIR}/config/database.yml +chown ${GITLAB_USER}: ${GITLAB_INSTALL_DIR}/config/database.yml + +# Installs nodejs packages 
required to compile webpack +exec_as_git yarn install --production --pure-lockfile echo "Compiling assets. Please be patient, this could take a while..." -exec_as_git bundle exec rake assets:clean assets:precompile USE_DB=false SKIP_STORAGE_VALIDATION=true >/dev/null 2>&1 +exec_as_git bundle exec rake gitlab:assets:compile USE_DB=false SKIP_STORAGE_VALIDATION=true NODE_OPTIONS="--max-old-space-size=8192" # remove auto generated ${GITLAB_DATA_DIR}/config/secrets.yml rm -rf ${GITLAB_DATA_DIR}/config/secrets.yml +# remove gitlab shell and workhorse secrets +rm -f ${GITLAB_INSTALL_DIR}/.gitlab_shell_secret ${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret + exec_as_git mkdir -p ${GITLAB_INSTALL_DIR}/tmp/pids/ ${GITLAB_INSTALL_DIR}/tmp/sockets/ chmod -R u+rwX ${GITLAB_INSTALL_DIR}/tmp 
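Review bot: Only Ruby (previous hunk) is integrity-checked; here the Go toolchain (`wget -cnv https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz`) and the gitlab-shell archive (`wget -cq ${GITLAB_SHELL_URL}`) are trusted as downloaded, and gitlab-pages and gitaly are cloned by tag (`-b v${...}`), which is a mutable reference. go.dev publishes a SHA-256 per release, so the same `printf '%s  go%s.linux-amd64.tar.gz' "${GOLANG_SHA256SUM}" "${GOLANG_VERSION}" | sha256sum -c -` shape used for Ruby fits, with the sum passed as a build arg next to `GOLANG_VERSION`; for the tag clones, at least log `git -C "${GITLAB_GITALY_BUILD_DIR}" rev-parse HEAD` so an image can be traced to exact commits. The cleanup at the end removes `.gitlab_shell_secret` and `.gitlab_workhorse_secret` from `${GITLAB_INSTALL_DIR}` only, while gitlab-shell's `make verify setup` and the gitaly config reference a secret under `${GITLAB_SHELL_INSTALL_DIR}` — confirm nothing is left there in the image. Also `exec_as_git "PATH=$PATH" make verify setup` only works through the `sudo` branch of `exec_as_git`; when the script already runs as git, the literal `PATH=...` is executed as a command name.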
@@ -145,18 +255,31 @@ sed -i \ -e "s|^[#]*UsePrivilegeSeparation yes|UsePrivilegeSeparation no|" \ -e "s|^[#]*PasswordAuthentication yes|PasswordAuthentication no|" \ -e "s|^[#]*LogLevel INFO|LogLevel VERBOSE|" \ + -e "s|^[#]*AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_proxy|" \ /etc/ssh/sshd_config +echo "AcceptEnv GIT_PROTOCOL" >> /etc/ssh/sshd_config # Allow clients to explicitly set the Git transfer protocol, e.g. to enable version 2. echo "UseDNS no" >> /etc/ssh/sshd_config # move supervisord.log file to ${GITLAB_LOG_DIR}/supervisor/ sed -i "s|^[#]*logfile=.*|logfile=${GITLAB_LOG_DIR}/supervisor/supervisord.log ;|" /etc/supervisor/supervisord.conf +# silence "CRIT Server 'unix_http_server' running without any HTTP authentication checking" message +# https://github.com/Supervisor/supervisor/issues/717 +sed -i '/\.sock/a password=dummy' /etc/supervisor/supervisord.conf +sed -i '/\.sock/a username=dummy' /etc/supervisor/supervisord.conf +# prevent confusing warning "CRIT Supervisor running as root" by clarify run as root +# user not defined in supervisord.conf by default, so just append it after [supervisord] block +sed -i "/\[supervisord\]/a user=root" /etc/supervisor/supervisord.conf + # move nginx logs to ${GITLAB_LOG_DIR}/nginx sed -i \ -e "s|access_log /var/log/nginx/access.log;|access_log ${GITLAB_LOG_DIR}/nginx/access.log;|" \ -e "s|error_log /var/log/nginx/error.log;|error_log ${GITLAB_LOG_DIR}/nginx/error.log;|" \ /etc/nginx/nginx.conf +# fix "unknown group 'syslog'" error preventing logrotate from functioning +sed -i "s|^su root syslog$|su root root|" /etc/logrotate.conf + # configure supervisord log rotation cat > /etc/logrotate.d/supervisord < /etc/logrotate.d/gitaly < /etc/logrotate.d/gitlab-nginx < /etc/supervisor/conf.d/unicorn.conf < /etc/supervisor/conf.d/puma.conf < /etc/supervisor/conf.d/gitaly.conf < /etc/supervisor/conf.d/mail_room.conf < /etc/supervisor/conf.d/groups.conf < 
stat.isDirectory()).catch(() => false); ++ if(isDirectory) { ++ for (const dir_ent of await readdir(NODE_MODULES, { withFileTypes: true})) { ++ const to_remove = join(NODE_MODULES, dir_ent.name); ++ await rm(to_remove, { recursive: true, force: true }); ++ } ++ } + } diff --git a/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak b/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak new file mode 100644 index 000000000..a0877b832 --- /dev/null +++ b/assets/build/patches/gitlabhq/0004-fix-raketask-gitlab-assets-compile.patch.bak @@ -0,0 +1,20 @@ +diff --git a/lib/tasks/gitlab/assets.rake b/lib/tasks/gitlab/assets.rake +index b8a6e7018767..5096d81ea63f 100644 +--- a/lib/tasks/gitlab/assets.rake ++++ b/lib/tasks/gitlab/assets.rake +@@ -96,7 +96,14 @@ namespace :gitlab do + puts "Assets SHA256 for `HEAD`: #{Tasks::Gitlab::Assets.head_assets_sha256.inspect}" + + if Tasks::Gitlab::Assets.head_assets_sha256 != Tasks::Gitlab::Assets.master_assets_sha256 +- FileUtils.rm_rf([Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR] + Dir.glob('app/assets/javascripts/locale/**/app.js')) ++ # sameersbn/gitlab takes a cache of public_assets_dir by symlinking to volume to speedup relaunch (if relative url is used) ++ # so do not remove the directory directly, empty instead ++ # Dir.glob("*") ignores dotfiles (even it is fine to remove here), so list up children manually ++ removal_targets = Dir.glob('app/assets/javascripts/locale/**/app.js') ++ if Dir.exist?(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR) ++ removal_targets += Dir.children(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR).map {|child| File.join(Tasks::Gitlab::Assets::PUBLIC_ASSETS_DIR, child)} ++ end ++ FileUtils.rm_rf(removal_targets, secure: true) + + # gettext:compile needs to run before rake:assets:precompile because + # app/assets/javascripts/locale/**/app.js are pre-compiled by Sprockets 
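Review bot: This file is named `0004-fix-raketask-gitlab-assets-compile.patch.bak`, and the install step applies patches with `find "${GITLAB_BUILD_DIR}/patches/gitlabhq" -name "*.patch"`, so it is never applied and ships as dead content. Either drop it, or rename it to `.patch` if emptying `PUBLIC_ASSETS_DIR` instead of removing the symlinked directory is still needed; if it is kept as a record, a one-line comment at the top saying why it is disabled (`# Disabled: ...`) would save the next reader a `git log` dig.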
diff --git a/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch new file mode 100644 index 000000000..5fd7dcbe7 --- /dev/null +++ b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch @@ -0,0 +1,45 @@ +From 64e503eb62aff0952b655e9a86217e355f786146 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?= + +Date: Thu, 13 Apr 2023 15:36:24 +0900 +Subject: [PATCH] avoid seeding + +OpenSSL's man page previously stated that "the application is +responsible for seeding the PRNG by calling RAND_add" (see [1]). +So we had this code. However things changed. They no longer +say so, instead "manual (re-)seeding of the default OpenSSL +random generator is not necessary" now (see [2]). It seems all +OpenSSL versions that we support now already behaves like this. +Let's follow that. + +[1]: https://www.openssl.org/docs/man1.0.2/man3/RAND_add.html +[2]: https://www.openssl.org/docs/manmaster/man3/RAND_add.html +--- + lib/securerandom.rb | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/lib/securerandom.rb b/lib/securerandom.rb +index 07ae048634..c5be6ce734 100644 +--- a/lib/securerandom.rb ++++ b/lib/securerandom.rb +@@ -47,17 +47,6 @@ def bytes(n) + private + + def gen_random_openssl(n) +- @pid = 0 unless defined?(@pid) +- pid = $$ +- unless @pid == pid +- now = Process.clock_gettime(Process::CLOCK_REALTIME, :nanosecond) +- OpenSSL::Random.random_add([now, @pid, pid].join(""), 0.0) +- seed = Random.urandom(16) +- if (seed) +- OpenSSL::Random.random_add(seed, 16) +- end +- @pid = pid +- end + return OpenSSL::Random.random_bytes(n) + end + +-- +2.43.0.windows.1 + diff --git a/assets/runtime/config/gitaly/config.toml b/assets/runtime/config/gitaly/config.toml new file mode 100644 index 000000000..0b070505e --- /dev/null +++ b/assets/runtime/config/gitaly/config.toml 
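Review bot: This backport removes the per-fork `OpenSSL::Random.random_add` reseed from `gen_random_openssl`, and its commit message justifies that with the OpenSSL versions supported by upstream Ruby at the time, not with the libssl this image links against. As far as I know the change is only safe where OpenSSL's default DRBG handles fork on its own (1.1.1 and later); with an older libssl, forked Puma/Sidekiq workers could otherwise continue the parent's random stream. I would record the dependency in a leading comment in the patch, e.g. `# Requires OpenSSL >= 1.1.1 (fork-safe DRBG); do not apply against older libssl.`, and keep the patch paired with whatever `RUBY_VERSION` the build pins.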
@@ -0,0 +1,98 @@ +# Example Gitaly configuration file +# Documentation lives at https://docs.gitlab.com/ee/administration/gitaly/ and +# https://docs.gitlab.com/ee//administration/gitaly/reference + +socket_path = "{{GITALY_SOCKET_PATH}}" + +# The directory where Gitaly's executables are stored +bin_dir = "/usr/local/bin/" + +# # Optional: listen on a TCP socket. This is insecure (no authentication) +# listen_addr = "localhost:9999" +# tls_listen_addr = "localhost:8888 + +# # Optional: export metrics via Prometheus +# prometheus_listen_addr = "localhost:9236" + +# # Optional: configure where the Gitaly creates the sockets for internal connections. If unset, Gitaly will create a randomly +# # named temp directory each time it boots. +# # Non Gitaly clients should never connect to these sockets. +# internal_socket_dir = "/home/git/gitlab/tmp/sockets/private/internal" + +# # Optional: authenticate Gitaly requests using a shared secret +# [auth] +# token = 'abc123secret' +# transitioning = false # Set `transitioning` to true to temporarily allow unauthenticated while rolling out authentication. 
+ +# [tls] +# certificate_path = '/home/git/cert.cert' +# key_path = '/home/git/key.pem' + +# # Git settings +# [git] +# bin_path = "/usr/bin/git" +# catfile_cache_size = 100 + +[[storage]] +name = "default" +path = "{{GITLAB_REPOS_DIR}}" + +# # You can optionally configure more storages for this Gitaly instance to serve up +# +# [[storage]] +# name = "other_storage" +# path = "/mnt/other_storage/repositories" +# + +# # You can optionally configure Gitaly to output JSON-formatted log messages to stdout +[logging] +# # The directory where Gitaly stores extra log files +dir = "{{GITLAB_LOG_DIR}}/gitaly" +# format = "json" +# # Optional: Set log level to only log entries with that severity or above +# # One of, in order: debug, info, warn, errror, fatal, panic +# # Defaults to "info" +# level = "warn" +# +# # Additionally exceptions from the Go server can be reported to Sentry +# sentry_dsn = "https://%3Ckey%3E:%3Csecret%3E@sentry.io/%3Cproject%3E" +# # Exceptions from gitaly-ruby can also be reported to Sentry +# ruby_sentry_dsn = "https://%3Ckey%3E:%3Csecret%3E@sentry.io/%3Cproject%3E" + +# # You can optionally configure Gitaly to record histogram latencies on GRPC method calls +# [prometheus] +# grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0] + +[gitaly-ruby] +# The directory where gitaly-ruby is installed +dir = "{{GITLAB_GITALY_INSTALL_DIR}}/ruby" + +# # Gitaly-ruby resident set size (RSS) that triggers a memory restart (bytes) +# max_rss = 200000000 +# +# # Grace period before a gitaly-ruby process is forcibly terminated after exceeding max_rss (seconds) +# graceful_restart_timeout = "10m" +# +# # Time that gitaly-ruby memory must remain high before a restart (seconds) +# restart_delay = "5m" +# +# # Number of gitaly-ruby worker processes +# num_workers = 2 +# +# # Search path for system gitconfig file (e.g. /etc, /opt/gitlab/embedded/etc) +# # NOTE: This only affects RPCs that use Rugged. 
+# rugged_git_config_search_path = "/etc" + +[gitlab-shell] +# The directory where gitlab-shell is installed +dir = "{{GITLAB_SHELL_INSTALL_DIR}}" + +# # You can adjust the concurrency of each RPC endpoint +# [[concurrency]] +# rpc = "/gitaly.RepositoryService/GarbageCollect" +# max_per_repo = 1 + +[gitlab] +secret_file = "/home/git/gitlab-shell/.gitlab_shell_secret" +url = "http://localhost:8181{{GITLAB_RELATIVE_URL_ROOT}}" + diff --git a/assets/runtime/config/gitlab-pages/config b/assets/runtime/config/gitlab-pages/config new file mode 100644 index 000000000..409786090 --- /dev/null +++ b/assets/runtime/config/gitlab-pages/config @@ -0,0 +1,8 @@ +auth-client-id={{GITLAB_PAGES_ACCESS_CLIENT_ID}} +auth-client-secret={{GITLAB_PAGES_ACCESS_CLIENT_SECRET}} +auth-redirect-uri={{GITLAB_PAGES_ACCESS_REDIRECT_URI}} +auth-secret={{GITLAB_PAGES_ACCESS_SECRET}} +gitlab-server={{GITLAB_PAGES_ACCESS_CONTROL_SERVER}} +artifacts-server={{GITLAB_PAGES_ARTIFACTS_SERVER_URL}} +internal-gitlab-server=http://localhost:8181 +api-secret-key={{GITLAB_INSTALL_DIR}}/.gitlab_pages_secret diff --git a/assets/runtime/config/gitlab-shell/config.yml b/assets/runtime/config/gitlab-shell/config.yml index 2649a13ac..5719b9357 100644 --- a/assets/runtime/config/gitlab-shell/config.yml +++ b/assets/runtime/config/gitlab-shell/config.yml 
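Review bot: `secret_file = "/home/git/gitlab-shell/.gitlab_shell_secret"` in `[gitlab]` is the one hard-coded path in a file that otherwise uses templates, two lines below `[gitlab-shell] dir = "{{GITLAB_SHELL_INSTALL_DIR}}"`; if the install dir moves, Gitaly silently loses the shared secret it needs to call back into Rails. Use `secret_file = "{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret"`. The `[gitaly-ruby]` section points at `{{GITLAB_GITALY_INSTALL_DIR}}/ruby`, but install.sh leaves the `cp -a .../ruby` line commented out, so that directory is not in the image — presumably this Gitaly version ignores the section and it could be dropped with a comment saying so; confirm against the release being built. Leaving `[auth]` commented is fine while Gitaly only listens on the unix socket, but a comment stating that (`# unix socket only — set [auth] token before enabling listen_addr`) would stop a future TCP `listen_addr` from going out unauthenticated.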
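Review bot: This template writes `auth-client-secret` and `auth-secret` in plaintext, and the file's permissions are decided by whatever renders it, which is not in view; the rendering step should create it with mode 0600 owned by the user gitlab-pages runs as, and a header comment here (`# contains OAuth client and cookie secrets — must be rendered 0600`) records that expectation for the next maintainer. When access control is not configured the `auth-*` keys are still emitted with empty values — confirm gitlab-pages accepts an empty `auth-secret`/`auth-client-id` rather than refusing to start, otherwise these lines need to be conditional.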
@@ -28,26 +28,12 @@ http_settings: auth_file: "{{GITLAB_HOME}}/.ssh/authorized_keys" # File that contains the secret key for verifying access to GitLab. -# Default is .gitlab_shell_secret in the root directory. +# Default is .gitlab_shell_secret in the gitlab-shell directory. secret_file: "{{GITLAB_SHELL_INSTALL_DIR}}/.gitlab_shell_secret" -# Redis settings used for pushing commit notices to gitlab -redis: - bin: /usr/bin/redis-cli - host: "{{REDIS_HOST}}" - port: {{REDIS_PORT}} - # pass: redispass # Allows you to specify the password for Redis - database: {{REDIS_DB_NUMBER}} - # socket: /var/run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel - namespace: resque:gitlab - # sentinels: - # - - # host: 127.0.0.1 - # port: 26380 - # - - # host: 127.0.0.1 - # port: 26381 - +# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d) +# Default is hooks in the gitlab-shell directory. +custom_hooks_dir: "{{GITLAB_SHELL_INSTALL_DIR}}/hooks" # Log file. # Default is gitlab-shell.log in the root directory. 
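Review bot: `custom_hooks_dir` is being added to gitlab-shell's config, but in recent GitLab releases server hooks are executed by Gitaly (its `[hooks] custom_hooks_dir` setting), and the new gitaly `config.toml` in this commit has no `[hooks]` section — as far as I can tell the gitlab-shell key is a no-op for 18.x, so hooks placed under `{{GITLAB_SHELL_INSTALL_DIR}}/hooks` would silently never run; confirm against the gitlab-shell version built. Whichever component owns it, that directory executes code as the git user on every push, so it must remain writable only by root, and a comment next to the setting should say so. If hooks are meant to survive an image rebuild, the directory belongs under the data volume rather than the install dir.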
@@ -56,22 +42,14 @@ log_file: "{{GITLAB_LOG_DIR}}/gitlab-shell/gitlab-shell.log" # Log level. INFO by default log_level: INFO +# Log format. 'text' by default +# log_format: json + # Audit usernames. # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but # incurs an extra API call on every gitlab-shell command. audit_usernames: false -# Enable git-annex support -# git-annex allows managing files with git, without checking the file contents into git -# See https://git-annex.branchable.com/ for documentation -# If enabled, git-annex needs to be installed on the server where gitlab-shell is setup -# For Debian and Ubuntu systems this can be done with: sudo apt-get install git-annex -# For CentOS: sudo yum install epel-release && sudo yum install git-annex -git_annex_enabled: false - -# Git trace log file. -# If set, git commands receive GIT_TRACE* environment variables -# See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation -# An absolute path starting with / – the trace output will be appended to that file. -# It needs to exist so we can check permissions and avoid to throwing warnings to the users. -git_trace_log_file: +# Distributed Tracing. GitLab-Shell has distributed tracing instrumentation. +# For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html +# gitlab_tracing: opentracing://driver diff --git a/assets/runtime/config/gitlabhq/cable.yml b/assets/runtime/config/gitlabhq/cable.yml new file mode 100644 index 000000000..d36e74fe1 --- /dev/null +++ b/assets/runtime/config/gitlabhq/cable.yml 
@@ -0,0 +1,14 @@
+# This is a template taken from here:
+# https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/cable.yml.example
+development:
+  adapter: redis
+  url: redis://localhost:6379
+  channel_prefix: gitlab_development
+test:
+  adapter: redis
+  url: redis://localhost:6379
+  channel_prefix: gitlab_test
+production:
+  adapter: redis
+  url: redis://{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}}
+  channel_prefix: gitlab_production
diff --git a/assets/runtime/config/gitlabhq/database.yml b/assets/runtime/config/gitlabhq/database.yml
index 018d28a36..6ca70ad2a 100644
--- a/assets/runtime/config/gitlabhq/database.yml
+++ b/assets/runtime/config/gitlabhq/database.yml
@@ -1,15 +1,24 @@
 #
-# PRODUCTION
+# PRODUCTION (here: non-decomposed database)
 #
 production:
-  adapter: {{DB_ADAPTER}}
-  encoding: {{DB_ENCODING}}
-  collation: utf8_general_ci
-  reconnect: false
-  database: {{DB_NAME}}
-  host: {{DB_HOST}}
-  port: {{DB_PORT}}
-  username: {{DB_USER}}
-  password: "{{DB_PASS}}"
-  pool: {{DB_POOL}}
-
+  main:
+    adapter: postgresql
+    encoding: {{DB_ENCODING}}
+    database: {{DB_NAME}}
+    host: {{DB_HOST}}
+    port: {{DB_PORT}}
+    username: {{DB_USER}}
+    password: "{{DB_PASS}}"
+    pool: {{DB_POOL}}
+    prepared_statements: {{DB_PREPARED_STATEMENTS}}
+  ci:
+    adapter: postgresql
+    encoding: {{DB_ENCODING}}
+    database: {{DB_NAME}}
+    database_tasks: false
+    host: {{DB_HOST}}
+    port: {{DB_PORT}}
+    username: {{DB_USER}}
+    password: "{{DB_PASS}}"
+    pool: {{DB_POOL}}
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 51643caff..9d562de66 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
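Review bot: The production `url` in cable.yml carries no credential, so a password-protected Redis (the option the removed gitlab-shell `pass:` line documented) cannot be reached by ActionCable from this template. Unless the entrypoint rewrites this line, a templated userinfo part is needed, e.g. `url: redis://:{{REDIS_PASSWORD_PLACEHOLDER}}@{{REDIS_HOST}}:{{REDIS_PORT}}/{{REDIS_DB_NUMBER}}` (placeholder name constructed; use whatever variable the image already exposes for the Redis password). The `development` and `test` stanzas hard-code `localhost:6379`; a one-line comment saying they are presumably never rendered in the container would keep a reader from treating them as live endpoints.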
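Review bot: The `ci:` connection omits `prepared_statements: {{DB_PREPARED_STATEMENTS}}` although `main:` sets it, so the two connections to the same database will behave differently with respect to prepared statements unless that is deliberate; adding `    prepared_statements: {{DB_PREPARED_STATEMENTS}}` under `ci:` keeps them aligned. `password: "{{DB_PASS}}"` is quoted but `username: {{DB_USER}}` is not, so a username that happens to look like a number or boolean would be retyped by the YAML parser; quoting it costs nothing.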
@@ -7,7 +7,8 @@ # * are being moved to ApplicationSetting model! # # If a setting requires an application restart say so in that screen. # # If you change this file in a Merge Request, please also create # -# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests # +# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. # +# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md # ######################################################################## # # @@ -32,8 +33,11 @@ production: &base host: {{GITLAB_HOST}} port: {{GITLAB_PORT}} # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details https: {{GITLAB_HTTPS}} # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details + # The maximum time unicorn/puma can spend on the request. This needs to be smaller than the worker timeout. + # Default is 95% of the worker timeout + max_request_duration_seconds: 57 - # Uncommment this line below if your ssh host is different from HTTP/HTTPS one + # Uncomment this line below if your ssh host is different from HTTP/HTTPS one # (you'd obviously need to replace ssh.host_example.com with your own host). # Otherwise, ssh host will be set to the `host:` value above ssh_host: {{GITLAB_SSH_HOST}} 
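Review bot: `max_request_duration_seconds: 57` is a fixed value while the comment beside it says it must stay below the worker timeout (95% of it); if the puma/unicorn worker timeout is configurable elsewhere in this image, a worker timeout set below 60 s there would silently be exceeded. Either template it alongside the worker timeout or state the assumption, e.g. `# Assumes a 60 s worker timeout; change both together.` The first hunk on this line only edits the header banner.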
@@ -46,11 +50,38 @@ production: &base # relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}} + # Content Security Policy + # See https://guides.rubyonrails.org/security.html#content-security-policy + content_security_policy: + enabled: {{GITLAB_CONTENT_SECURITY_POLICY_ENABLED}} + report_only: {{GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY}} + directives: + base_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI}}" + child_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC}}" + connect_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC}}" + default_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC}}" + font_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC}}" + form_action: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION}}" + frame_ancestors: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS}}" + frame_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC}}" + img_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC}}" + manifest_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC}}" + media_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC}}" + object_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC}}" + script_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC}}" + style_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC}}" + worker_src: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC}}" + report_uri: "{{GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI}}" + # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. trusted_proxies: - {{GITLAB_TRUSTED_PROXIES}} + # Examples: + #- 192.168.1.0/24 + #- 192.168.2.1 + #- 2001:0db8::/32 # Uncomment and customize if you can't use the default user to run GitLab (default: 'git') # user: git 
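Review bot: Every CSP directive is rendered as a quoted string, so an unset `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_*` variable yields `""` rather than an absent key; whether GitLab treats an empty `default_src` or `script_src` the same as an omitted one is not visible here and should be confirmed, because the two are not the same policy. If the renderer drops empty directives, a comment such as `# An empty directive is omitted from the policy` would document that. `enabled` and `report_only` are both templated with no defaults shown; stating the defaults next to them helps operators notice when they end up with a report-only policy that blocks nothing.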
@@ -68,30 +99,46 @@ production: &base email_display_name: {{GITLAB_EMAIL_DISPLAY_NAME}} email_reply_to: {{GITLAB_EMAIL_REPLY_TO}} email_subject_suffix: '{{GITLAB_EMAIL_SUBJECT_SUFFIX}}' + #start-email-smime + email_smime: + # Uncomment and set to true if you need to enable email S/MIME signing (default: false) + enabled: {{GITLAB_EMAIL_SMIME_ENABLE}} + # S/MIME private key file in PEM format, unencrypted + # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app). + key_file: {{GITLAB_EMAIL_SMIME_KEY_FILE}} + # S/MIME public certificate key in PEM format, will be attached to signed messages + # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app). + cert_file: {{GITLAB_EMAIL_SMIME_CERT_FILE}} + #end-email-smime + # S/MIME extra CA public certificates in PEM format, will be attached to signed messages + # Optional + # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs # Email server smtp settings are in config/initializers/smtp_settings.rb.sample default_projects_limit: {{GITLAB_PROJECTS_LIMIT}} default_can_create_group: {{GITLAB_CREATE_GROUP}} # default: true - username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change her username/namespace - ## Default theme ID - ## 1 - Graphite - ## 2 - Charcoal - ## 3 - Green - ## 4 - Gray - ## 5 - Violet - ## 6 - Blue - # default_theme: 2 # default: 2 - - # Enable or disable user signups (first run only) + username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace signup_enabled: {{GITLAB_SIGNUP_ENABLED}} + ## Default theme ID + ## 1 - Indigo + ## 2 - Dark + ## 3 - Light + ## 4 - Blue + ## 5 - Green + ## 6 - Light Indigo + ## 7 - Light Blue + ## 8 - Light Green + ## 9 - Red + ## 10 - Light Red + default_theme: {{GITLAB_DEFAULT_THEME}} # default: 1 ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be 
closed. # This happens when the commit is pushed or merged into the default branch of a project. # When not specified the default issue_closing_pattern as specified below will be used. # Tip: you can test your closing pattern at http://rubular.com. - # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)' + issue_closing_pattern: '{{GITLAB_ISSUE_CLOSING_PATTERN}}' ## Default project features settings default_projects_features: @@ -106,11 +153,23 @@ production: &base # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10) webhook_timeout: {{GITLAB_WEBHOOK_TIMEOUT}} + ### GraphQL Settings + # Tells the rails application how long it has to complete a GraphQL request. + # We suggest this value to be higher than the database timeout value + # and lower than the worker timeout set in unicorn/puma. (default: 30) + # graphql_timeout: 30 + ## Repository downloads directory # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory. # The default is 'shared/cache/archive/' relative to the root of the Rails app. repository_downloads_path: {{GITLAB_DOWNLOADS_DIR}} + ## Impersonation settings + impersonation_enabled: {{GITLAB_IMPERSONATION_ENABLED}} + + ## Disable jQuery and CSS animations + # disable_animations: true + ## Reply by email # Allow users to comment on issues and merge requests by replying to notification emails. # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html 
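Review bot: `issue_closing_pattern: '{{GITLAB_ISSUE_CLOSING_PATTERN}}'` is single-quoted, so any pattern containing a `'` breaks the YAML unless the substitution step doubles it; the removed default shows how much regex punctuation such a value carries, so either escape in the renderer or add `# Any ' in the pattern must be written as ''`. The S/MIME `key_file` and `cert_file` values are unquoted while most other paths in this file are quoted; quoting them keeps the style consistent and avoids retyping of unusual paths. The enclosing `production: &base` mapping starts before this hunk.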
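Review bot: `impersonation_enabled: {{GITLAB_IMPERSONATION_ENABLED}}` toggles an administrator capability and is rendered unquoted, so an empty expansion leaves the key null rather than an explicit boolean; the default the image applies is not visible here. A comment next to the key naming that default, e.g. `# default: <value applied by the entrypoint>`, would tell operators what an unset variable produces.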
@@ -119,6 +178,7 @@ production: &base # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to. # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`). + # Please be aware that a placeholder is required for the Service Desk feature to work. address: "{{GITLAB_INCOMING_EMAIL_ADDRESS}}" # Email account username 
@@ -142,18 +202,218 @@ production: &base # The IDLE command timeout. idle_timeout: {{IMAP_TIMEOUT}} + # The log file path for the structured log file. + # Since `mail_room` is run independently of Rails, an absolute path is preferred. + # The default is 'log/mail_room_json.log' relative to the root of the Rails app. + # + # log_path: log/mail_room_json.log + + # Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery + expunge_deleted: false ## Build Artifacts artifacts: enabled: {{GITLAB_ARTIFACTS_ENABLED}} # The location where build artifacts are stored (default: shared/artifacts). path: {{GITLAB_ARTIFACTS_DIR}} + object_store: + enabled: {{GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name + direct_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Artifacts without the need of local shared storage. + background_upload: {{GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) + proxy_download: {{GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + connection: + provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment + #start-artifacts-aws + aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
+ endpoint: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces + path_style: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-artifacts-aws + #start-artifacts-gcs + google_project: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-artifacts-gcs + + ## Merge request external diff storage + external_diffs: + # If disabled (the default), the diffs are in-database. Otherwise, they can + # be stored on disk, or in object storage + enabled: false + # The location where external diffs are stored (default: shared/lfs-external-diffs). + # storage_path: shared/external-diffs + # object_store: + # enabled: false + # remote_directory: external-diffs + # background_upload: false + # proxy_download: false + # connection: + # provider: AWS + # aws_access_key_id: AWS_ACCESS_KEY_ID + # aws_secret_access_key: AWS_SECRET_ACCESS_KEY + # region: us-east-1 ## Git LFS lfs: enabled: {{GITLAB_LFS_ENABLED}} # The location where LFS objects are stored (default: shared/lfs-objects). 
storage_path: {{GITLAB_LFS_OBJECTS_DIR}} + object_store: + enabled: {{GITLAB_LFS_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name + direct_upload: {{GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) + background_upload: {{GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) + proxy_download: {{GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + connection: + provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}} + #start-lfs-aws + aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. + region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + endpoint: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil + path_style: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-lfs-aws + #start-lfs-gcs + google_project: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-lfs-gcs + + # Use the following options to configure an AWS compatible host + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000/' # default: nil + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. 
+ # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + + ## Uploads (attachments, avatars, etc...) + uploads: + # The location where uploads objects are stored (default: public/). + storage_path: {{GITLAB_UPLOADS_STORAGE_PATH}} + base_dir: {{GITLAB_UPLOADS_BASE_DIR}} + object_store: + enabled: {{GITLAB_UPLOADS_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY}} # Bucket name + direct_upload: {{GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD}} # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) + background_upload: {{GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) + proxy_download: {{GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + connection: + provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}} + #start-uploads-aws + aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. 
+ region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + endpoint: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil + path_style: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-uploads-aws + #start-uploads-gcs + google_project: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-uploads-gcs + + ## Packages (maven repository, npm registry, etc...) + packages: + enabled: {{GITLAB_PACKAGES_ENABLED}} + # The location where build packages are stored (default: shared/packages). + path: {{GITLAB_PACKAGES_DIR}} + object_store: + enabled: {{GITLAB_PACKAGES_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name + direct_upload: {{GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD}} # Set to true to enable direct upload of Packages without the need of local shared storage. 
+ background_upload: {{GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD}} # Temporary option to limit automatic upload (Default: true) + proxy_download: {{GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD}} # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + connection: + provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment + #start-packages-aws + aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4. + endpoint: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces + path_style: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-packages-aws + #start-packages-gcs + google_project: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-packages-gcs + + + ## Dependency Proxy + dependency_proxy: + enabled: true + # The location where build packages are stored (default: shared/dependency_proxy). 
+ # storage_path: shared/dependency_proxy + object_store: + enabled: false + remote_directory: dependency_proxy # The bucket name + # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false) + # background_upload: false # Temporary option to limit automatic upload (Default: true) + # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage + connection: + provider: AWS + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + # host: 'localhost' # default: s3.amazonaws.com + # endpoint: 'http://127.0.0.1:9000/' # default: nil + # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4. + # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + + ## Terraform state + terraform_state: + enabled: {{GITLAB_TERRAFORM_STATE_ENABLED}} + # The location where Terraform state files are stored (default: shared/terraform_state). + storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}} + object_store: + enabled: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED}} + remote_directory: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY}} # The bucket name + connection: + provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}} + #start-terraform_state-aws + aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}} + aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}} + region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}} + host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com + endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil + aws_signature_version: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. 
Set to 2 if provider does not support v4. + path_style: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE}} # Use 'host/bucket_name/object' instead of 'bucket_name.host/object' + #end-terraform_state-aws + #start-terraform_state-gcs + google_project: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT}} + google_client_email: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL}} + google_json_key_location: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION}} + #end-terraform_state-gcs + + ## GitLab Pages + pages: + enabled: {{GITLAB_PAGES_ENABLED}} + access_control: {{GITLAB_PAGES_ACCESS_CONTROL}} + # The location where pages are stored (default: shared/pages). + # path: shared/pages + + # The domain under which the pages are served: + # http://group.example.com/project + # or project path can be a group page: group.example.com + host: {{GITLAB_PAGES_DOMAIN}} + port: {{GITLAB_PAGES_PORT}} # Set to 443 if you serve the pages with HTTPS + https: {{GITLAB_PAGES_HTTPS}} # Set to true if you serve the pages with HTTPS + artifacts_server: {{GITLAB_PAGES_ARTIFACTS_SERVER}} # Set to false if you want to disable online view of HTML artifacts + external_http: {{GITLAB_PAGES_EXTERNAL_HTTP}} # If defined, enables custom domain support in GitLab Pages + external_https: {{GITLAB_PAGES_EXTERNAL_HTTPS}} # If defined, enables custom domain and certificate support in GitLab Pages + + # File that contains the shared secret key for verifying access for gitlab-pages. + # Default is '.gitlab_pages_secret' relative to Rails.root (i.e. root of the GitLab app). + # secret_file: /home/git/gitlab/.gitlab_pages_secret ## Mattermost ## For enabling Add to Mattermost button 
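Review bot: The `dependency_proxy` block is the only object store in this hunk that is not templated: `aws_access_key_id: AWS_ACCESS_KEY_ID`, `aws_secret_access_key: AWS_SECRET_ACCESS_KEY` and `region: us-east-1` are literal placeholder strings, with the feature fixed to `enabled: true` and its store to `enabled: false`. As written the dependency proxy can never use object storage, and the literal strings may be flagged by secret scanners or mistaken for real values; either template them like the neighbouring `packages` block or comment the whole `connection:` out. Every other block embeds `aws_secret_access_key` into the rendered gitlab.yml, so confirm the rendered file's mode restricts it to the git user. The hunk begins on an earlier line (L171) inside the `incoming_email` section.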
@@ -162,35 +422,118 @@ production: &base host: '{{GITLAB_MATTERMOST_URL}}' ## Gravatar - ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html + ## If using gravatar.com, there's nothing to change here. For Libravatar + ## you'll need to provide the custom URLs. For more information, + ## see: https://docs.gitlab.com/ee/customization/libravatar.html gravatar: - enabled: {{GITLAB_GRAVATAR_ENABLED}} # Use user avatar image from Gravatar.com (default: true) - # gravatar urls: possible placeholders: %{hash} %{size} %{email} - plain_url: "{{GITLAB_GRAVATAR_HTTP_URL}}" # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + enabled: {{GITLAB_GRAVATAR_ENABLED}} + # Gravatar/Libravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} + plain_url: "{{GITLAB_GRAVATAR_HTTP_URL}}" # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ssl_url: "{{GITLAB_GRAVATAR_HTTPS_URL}}" # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + ## Sidekiq + sidekiq: + log_format: {{GITLAB_SIDEKIQ_LOG_FORMAT}} # (default is the original format) + ## Auxiliary jobs - # Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc. + # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc. # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job cron_jobs: - # Flag stuck CI builds as failed - stuck_ci_builds_worker: - cron: "0 0 * * *" + # Flag stuck CI jobs as failed + stuck_ci_jobs_worker: + cron: "0 * * * *" + # Execute scheduled triggers + pipeline_schedule_worker: + cron: "{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}" # Remove expired build artifacts expire_build_artifacts_worker: cron: "50 * * * *" + # Stop expired environments + environments_auto_stop_cron_worker: + cron: "24 * * * *" # Periodically run 'git fsck' on all repositories. 
If started more than # once per hour you will have concurrent 'git fsck' jobs. repository_check_worker: cron: "20 * * * *" + # Archive live traces which have not been archived yet + ci_archive_traces_cron_worker: + cron: "17 * * * *" # Send admin emails once a week admin_email_worker: cron: "0 0 * * 0" + # Send emails for personal tokens which are about to expire + personal_access_tokens_expiring_worker: + cron: "0 1 * * *" # Remove outdated repository archives repository_archive_cache_worker: cron: "0 * * * *" + # Verify custom GitLab Pages domains + pages_domain_verification_cron_worker: + cron: "*/15 * * * *" + + # Periodically migrate diffs from the database to external storage + schedule_migrate_external_diffs_worker: + cron: "15 * * * *" + + # GitLab EE only jobs. These jobs are automatically enabled for an EE + # installation, and ignored for a CE installation. + ee_cron_jobs: + # Snapshot active users statistics + historical_data_worker: + cron: "0 12 * * *" + + # In addition to refreshing users when they log in, + # periodically refresh LDAP users membership. + # NOTE: This will only take effect if LDAP is enabled + ldap_sync_worker: + cron: "30 1 * * *" + + # Periodically refresh LDAP groups membership. 
+ # NOTE: This will only take effect if LDAP is enabled + ldap_group_sync_worker: + cron: "0 * * * *" + + # GitLab Geo metrics update worker + # NOTE: This will only take effect if Geo is enabled + geo_metrics_update_worker: + cron: "*/1 * * * *" + + # GitLab Geo prune event log worker + # NOTE: This will only take effect if Geo is enabled (primary node only) + geo_prune_event_log_worker: + cron: "*/5 * * * *" + + # GitLab Geo repository sync worker + # NOTE: This will only take effect if Geo is enabled (secondary nodes only) + geo_repository_sync_worker: + cron: "*/1 * * * *" + + # GitLab Geo registry backfill worker + # NOTE: This will only take effect if Geo is enabled (secondary nodes only) + geo_secondary_registry_consistency_worker: + cron: "* * * * *" + + # GitLab Geo file download dispatch worker + # NOTE: This will only take effect if Geo is enabled (secondary nodes only) + geo_file_download_dispatch_worker: + cron: "*/1 * * * *" + + # GitLab Geo migrated local files clean up worker + # NOTE: This will only take effect if Geo is enabled (secondary nodes only) + geo_migrated_local_files_clean_up_worker: + cron: "15 */6 * * *" + + # Export pseudonymized data in CSV format for analysis + pseudonymizer_worker: + cron: "0 * * * *" + + # Elasticsearch bulk updater for incremental updates. + # NOTE: This will only take effect if elasticsearch is enabled. + elastic_index_bulk_cron_worker: + cron: "*/1 * * * *" + registry: enabled: {{GITLAB_REGISTRY_ENABLED}} host: {{GITLAB_REGISTRY_HOST}} 
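Review bot: `log_format: {{GITLAB_SIDEKIQ_LOG_FORMAT}}` is unquoted while the new `pipeline_schedule_worker` cron value is quoted; an empty expansion here becomes null instead of the documented default, so `log_format: '{{GITLAB_SIDEKIQ_LOG_FORMAT}}'` keeps it consistent with the other templated strings. In `ee_cron_jobs`, `pseudonymizer_worker` is scheduled hourly and exports data as CSV; it is ignored on CE, but on EE an export job is better left opt-in (commented out) than active by default. The hunk starts on an earlier line (L179) with the gravatar changes.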
@@ -199,6 +542,46 @@ production: &base key: {{GITLAB_REGISTRY_KEY_PATH}} path: {{GITLAB_REGISTRY_DIR}} issuer: {{GITLAB_REGISTRY_ISSUER}} + # notification_secret: '' # only set it when you use Geo replication feature without built-in Registry + + # Add notification settings if you plan to use Geo Replication for the registry + # notifications: + # - name: geo_event + # url: https://example.com/api/v4/container_registry_event/events + # timeout: 2s + # threshold: 5 + # backoff: 1s + # headers: + # Authorization: secret_phrase + + ## Error Reporting and Logging with Sentry + sentry: + enabled: {{SENTRY_ENABLED}} + dsn: {{SENTRY_DSN}} + clientside_dsn: {{SENTRY_CLIENTSIDE_DSN}} + environment: '{{SENTRY_ENVIRONMENT}}' # e.g. development, staging, production + + ## Geo + # NOTE: These settings will only take effect if Geo is enabled + geo: + # This is an optional identifier which Geo nodes can use to identify themselves. + # For example, if external_url is the same for two secondaries, you must specify + # a unique Geo node name for those secondaries. + # + # If it is blank, it defaults to external_url. + node_name: '' + + registry_replication: + # enabled: true + # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API + + ## Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html + feature_flags: + unleash: + # enabled: false + # url: https://gitlab.com/api/v4/feature_flags/unleash/ + # app_name: gitlab.com # Environment name of your GitLab instance + # instance_id: INSTANCE_ID # # 2. GitLab CI settings 
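Review bot: `dsn: {{SENTRY_DSN}}` and `clientside_dsn: {{SENTRY_CLIENTSIDE_DSN}}` are unquoted while `environment: '{{SENTRY_ENVIRONMENT}}'` is quoted; an unset DSN renders as null, which is harmless, but quoting all three keeps the style uniform. `notification_secret` and the example `Authorization: secret_phrase` header are shared secrets; a comment stating that real values must come from the environment rather than this file would help. `registry_replication:` and `unleash:` have only commented-out children and therefore render as null mappings; confirm GitLab accepts that for these keys.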
@@ -221,10 +604,25 @@ production: &base # ========================== ## LDAP settings - # You can inspect a sample of the LDAP users with login access by running: + # You can test connections and inspect a sample of the LDAP users with login + # access by running: # bundle exec rake gitlab:ldap:check RAILS_ENV=production ldap: enabled: {{LDAP_ENABLED}} + prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}} + + # This setting controls the number of seconds between LDAP permission checks + # for each user. After this time has expired for a given user, their next + # interaction with GitLab (a click in the web UI, a git pull, etc.) will be + # slower because the LDAP permission check is being performed. How much + # slower depends on your LDAP setup, but it is not uncommon for this check + # to add seconds of waiting time. The default value is to have a "slow + # click" once every 3600 seconds (i.e., once per hour). + # + # Warning: if you set this value too low, every click in GitLab will be a + # "slow click" for all of your LDAP users. + # sync_time: 3600 + servers: ########################################################################## # 
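Review bot: `prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}}` is added without a comment, unlike `sync_time` which gets a full explanation; since it decides whether LDAP credentials can be used to sign in at all, a one-liner such as `# Set to true to block sign-in with LDAP credentials when LDAP is used only for user/group data` (presumably mirroring upstream's meaning) and the image's default would help operators.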
@@ -244,18 +642,88 @@ production: &base # Example: 'Paris' or 'Acme, Ltd.' label: '{{LDAP_LABEL}}' + # Example: 'ldap.mydomain.com' host: '{{LDAP_HOST}}' - port: {{LDAP_PORT}} - uid: '{{LDAP_UID}}' - method: '{{LDAP_METHOD}}' # "tls" or "ssl" or "plain" + # This port is an example, it is sometimes different but it is always an integer and not a string + port: {{LDAP_PORT}} # usually 636 for SSL + uid: '{{LDAP_UID}}' # This should be the attribute, not the value that maps to uid. + + # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com' bind_dn: '{{LDAP_BIND_DN}}' password: '{{LDAP_PASS}}' + # Encryption method. The "method" key is deprecated in favor of + # "encryption". + # + # Examples: "start_tls" or "simple_tls" or "plain" + # + # Deprecated values: "tls" was replaced with "start_tls" and "ssl" was + # replaced with "simple_tls". + # + encryption: '{{LDAP_METHOD}}' + + # Enables SSL certificate verification if encryption method is + # "start_tls" or "simple_tls". Defaults to true. + verify_certificates: {{LDAP_VERIFY_SSL}} + + # OpenSSL::SSL::SSLContext options. + tls_options: + # Specifies the path to a file containing a PEM-format CA certificate, + # e.g. if you need to use an internal CA. + # + # Example: '/etc/ca.pem' + # + ca_file: '{{LDAP_CA_FILE}}' + + # Specifies the SSL version for OpenSSL to use, if the OpenSSL default + # is not appropriate. + # + # Example: 'TLSv1_1' + # + ssl_version: '{{LDAP_SSL_VERSION}}' + + # Specific SSL ciphers to use in communication with LDAP servers. 
+ # + # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' + ciphers: '' + + # Client certificate + # + # Example: + # cert: | + # -----BEGIN CERTIFICATE----- + # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ + # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE + # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 + # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== + # -----END CERTIFICATE ----- + cert: '' + + # Client private key + # key: | + # -----BEGIN PRIVATE KEY----- + # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 + # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN + # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 + # l6RG+a/mW+0rCWn8JAd464Ps9hE= + # -----END PRIVATE KEY----- + key: '' + # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking # a request if the LDAP server becomes unresponsive. # A value of 0 means there is no timeout. timeout: {{LDAP_TIMEOUT}} + # Enable smartcard authentication against the LDAP server. Valid values + # are "false", "optional", and "required". + smartcard_auth: false + # This setting specifies if LDAP server is Active Directory LDAP server. # For non AD servers it skips the AD specific queries. # If your LDAP server is not AD, set this to false. 
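Review bot: `encryption: '{{LDAP_METHOD}}'` keeps the old variable name, whose values on the removed line were "tls", "ssl" or "plain", yet the new comment says those first two are deprecated in favour of "start_tls" and "simple_tls"; unless the entrypoint maps the legacy values, existing deployments setting LDAP_METHOD=tls or ssl will hand a deprecated value to GitLab. Either do the mapping or add `# Accepts start_tls, simple_tls or plain; legacy tls/ssl values are mapped by the entrypoint` only once that is true. `ca_file: '{{LDAP_CA_FILE}}'` and `ssl_version: '{{LDAP_SSL_VERSION}}'` render as `''` when unset, which differs from an omitted key and is worth confirming against GitLab's handling. `ciphers`, `cert` and `key` are hard-coded to `''` rather than templated, so client-certificate authentication cannot be configured from the environment. The hunk starts on the previous line (L184).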
@@ -279,19 +747,47 @@ production: &base # Base where we can search for users # - # Ex. ou=People,dc=gitlab,dc=example + # Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com' # base: '{{LDAP_BASE}}' # Filter LDAP users # - # Format: RFC 4515 http://tools.ietf.org/search/rfc4515 + # Format: RFC 4515 https://tools.ietf.org/search/rfc4515 # Ex. (employeeType=developer) # # Note: GitLab does not support omniauth-ldap's custom filter syntax. # + # Example for getting only specific users: + # '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))' + # user_filter: '{{LDAP_USER_FILTER}}' + # Base where we can search for groups + # + # Ex. ou=Groups,dc=gitlab,dc=example + # + group_base: '' + + # LDAP group of users who should be admins in GitLab + # + # Ex. GLAdmins + # + admin_group: '' + + # LDAP group of users who should be marked as external users in GitLab + # + # Ex. ['Contractors', 'Interns'] + # + external_groups: [] + + # Name of attribute which holds a ssh public key of the user object. + # If false or nil, SSH key syncronisation will be disabled. + # + # Ex. sshpublickey + # + sync_ssh_keys: false + # LDAP attributes that GitLab will use to create an account for the LDAP user. # The specified attribute can either be the attribute name as a string (e.g. 'mail'), # or an array of attribute names to try in order (e.g. ['mail', 'email']). 
@@ -302,15 +798,18 @@ production: &base # them in issues, merge request and comments (like `@username`). # If the attribute specified for `username` contains an email address, # the GitLab username will be the part of the email address before the '@'. - username: ['uid', 'userid', 'sAMAccountName'] - email: ['mail', 'email', 'userPrincipalName'] + username: {{LDAP_USER_ATTRIBUTE_USERNAME}} + email: {{LDAP_USER_ATTRIBUTE_MAIL}} # If no full name could be found at the attribute specified for `name`, # the full name is determined using the attributes specified for # `first_name` and `last_name`. - name: 'cn' - first_name: 'givenName' - last_name: 'sn' + name: '{{LDAP_USER_ATTRIBUTE_NAME}}' + first_name: '{{LDAP_USER_ATTRIBUTE_FIRSTNAME}}' + last_name: '{{LDAP_USER_ATTRIBUTE_LASTNAME}}' + + # If lowercase_usernames is enabled, GitLab will lower case the username. + lowercase_usernames: {{LDAP_LOWERCASE_USERNAMES}} # GitLab EE only: add more LDAP servers # Choose an ID made of a-z and 0-9 . This ID will be stored in the database 
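Review bot: `username: {{LDAP_USER_ATTRIBUTE_USERNAME}}` and `email: {{LDAP_USER_ATTRIBUTE_MAIL}}` are rendered bare while `name`, `first_name` and `last_name` are quoted, so the entrypoint must emit valid YAML sequence syntax such as `['uid', 'sAMAccountName']` whenever a list is intended; a plain comma-separated expansion parses as a single attribute name and silently loses the fallback order the comment above describes. If only one attribute is ever substituted, quoting these two like the neighbouring keys is the safer rendering. `lowercase_usernames: {{LDAP_LOWERCASE_USERNAMES}}` has the same empty-expansion issue: an empty substitution yields null, not false, so the entrypoint should always write a literal boolean.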
@@ -320,6 +819,47 @@ production: &base # host: # .... + ## Smartcard authentication settings + smartcard: + # Allow smartcard authentication + enabled: false + + # Path to a file containing a CA certificate bundle + ca_file: '/etc/ssl/certs/CA.pem' + + # Host and port where the client side certificate is requested by the + # webserver (NGINX/Apache) + # client_certificate_required_host: smartcard.gitlab.example.com + # client_certificate_required_port: 3444 + + # Browser session with smartcard sign-in is required for Git access + # required_for_git_access: false + + # Use X.509 SAN extensions certificates to identify GitLab users + # Add a subjectAltName to your certificates like: email:user + # san_extensions: true + + ## Kerberos settings + kerberos: + # Allow the HTTP Negotiate authentication method for Git clients + enabled: false + + # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user, + # and should be different from other keytabs in the system. + # (default: use default keytab from Krb5 config) + # keytab: /etc/http.keytab + + # The Kerberos service name to be used by GitLab. + # (default: accept any service name in keytab file) + # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM + + # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails. + # To support both Basic and Negotiate methods with older versions of Git, configure + # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines + # to dedicate this port to Kerberos authentication. (default: false) + # use_dedicated_port: true + # port: 8443 + # https: true ## OmniAuth settings omniauth: 
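Review bot: `smartcard:` and `kerberos:` are the only authentication sections in this hunk that are hard-coded (`enabled: false`, `ca_file: '/etc/ssl/certs/CA.pem'`) instead of rendered from `{{…}}` variables, so they cannot be enabled through the image's environment the way LDAP and OmniAuth can; if that is deliberate, a line such as `# Not parameterised by this image; edit this file to enable.` above each block would make it explicit. The keytab comment only says the file must be readable by the GitLab user; I would extend it with `# Keep it mode 0600 and owned by the GitLab user; anyone who can read it can impersonate the service.` since a world-readable keytab is the usual failure here.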
@@ -330,11 +870,23 @@ production: &base # showing GitLab's sign-in page (default: show the GitLab sign-in page) auto_sign_in_with_provider: {{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}} + # Sync user's profile from the specified Omniauth providers every time the user logs in (default: empty). + # Define the allowed providers using an array, e.g. ["cas3", "saml", "twitter"], + # or as true/false to allow all providers or none. + # When authenticating using LDAP, the user's email is always synced. + # sync_profile_from_provider: [] + + # Select which info to sync from the providers above. (default: email). + # Define the synced profile info using an array. Available options are "name", "email" and "location" + # e.g. ["name", "email", "location"] or as true to sync all available. + # This consequently will make the selected attributes read-only. + # sync_profile_attributes: true + # CAUTION! # This allows users to login without having a user account first. Define the allowed providers # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none. # User accounts will be created automatically when authentication was successful. - allow_single_sign_on: [{{OAUTH_ALLOW_SSO}}] + allow_single_sign_on: ["{{OAUTH_ALLOW_SSO}}"] # Locks down those users until they have been cleared by the admin (default: true). block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}} 
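Review bot: `allow_single_sign_on: ["{{OAUTH_ALLOW_SSO}}"]` always renders a one-element sequence, so the true/false form that the comment two lines above documents can no longer be expressed: a value of `true` becomes the string `"true"` inside a list of provider names, and a comma-separated list becomes one quoted string unless the entrypoint itself splices `", "` between entries. The previous `[{{OAUTH_ALLOW_SSO}}]` rendering had the same limitation for the boolean case, so this is not a regression, but it is still a mismatch with the documented contract. I would render the key bare as `allow_single_sign_on: {{OAUTH_ALLOW_SSO}}` and have the entrypoint emit a complete YAML scalar or flow sequence, or state next to the key that only provider lists are supported here. Because this gate decides whether an unknown identity may create an account, a rendering that silently turns it on or off deserves a test against the real entrypoint output.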
@@ -347,6 +899,12 @@ production: &base # (default: false) auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}} + # Allow users with existing accounts to login and auto link their account via the + # defined Omniauth providers login, without having to do a manual login first and + # manually connect their chosen provider. + # (default: []) + auto_link_user: [{{OAUTH_AUTO_LINK_USER}}] + # Set different Omniauth providers as external so that all users creating accounts # via these providers will not be able to have access to internal projects. You # will need to use the full name of the provider, like `google_oauth2` for Google. @@ -354,6 +912,14 @@ production: &base # (default: []) external_providers: [{{OAUTH_EXTERNAL_PROVIDERS}}] + # CAUTION! + # This allows users to login with the specified providers without two factor. Define the allowed providers + # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none. + # This option should only be configured for providers which already have two factor. + # This configration dose not apply to SAML. + # (default: false) + allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}} + ## Auth providers # Uncomment the following lines and fill in the data of the auth provider you want to use # If your favorite auth provider is not listed you can use others: @@ -371,7 +937,7 @@ production: &base login_url: '{{OAUTH_CAS3_LOGIN_URL}}', service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}', logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} } - - { name: 'authentiq', + - { name: 'authentiq', app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}', app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET', args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } } 
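Review bot: `auto_link_user: [{{OAUTH_AUTO_LINK_USER}}]` keeps the bracket-wrapped rendering that `allow_single_sign_on` in the previous hunk was just changed away from (`["{{…}}"]`), so the two list-valued keys now expect different expansions from the same entrypoint and one of them is presumably wrong for a multi-provider value. Because auto-linking attaches a provider identity to an existing account without the user first signing in to GitLab, the listed providers must be ones whose asserted identity (typically the email) is actually verified; I would add `# Only list providers that verify the identity they assert; an unverified claim links a stranger to an existing account.` above the key and keep its rendering identical to `allow_single_sign_on`.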
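Review bot: `allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}` is rendered bare, which is correct for the true/false form, but the comment above also allows a provider array and a comma-separated expansion would parse as a single string rather than a list, so the entrypoint needs to emit `["twitter", "google_oauth2"]`-style syntax for that case. Since this flag lets a listed provider skip GitLab's own second factor, the comment should also be readable: `This configration dose not apply to SAML` → `This configuration does not apply to SAML`. Separately, in the whitespace-only hunk that follows on the same line, `app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET'` appears to lack the `{{ }}` delimiters every other secret in this file uses, so the literal variable name would be sent as the client secret unless the entrypoint also substitutes bare names; worth a look even though this commit did not introduce it.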
@@ -384,7 +950,8 @@ production: &base args: { scope: '{{OAUTH_GITHUB_SCOPE}}' } } - { name: 'bitbucket', app_id: '{{OAUTH_BITBUCKET_API_KEY}}', - app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}' } + app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}', + url: '{{OAUTH_BITBUCKET_URL}}' } - { name: 'gitlab', label: 'GitLab.com', app_id: '{{OAUTH_GITLAB_API_KEY}}', @@ -416,6 +983,7 @@ production: &base attribute_statements: { first_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME}}'], last_name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME}}'], + username: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME}}'], name: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME}}'], email: ['{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}'] }, name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } } 
@@ -428,34 +996,89 @@ production: &base args: { client_id: '{{OAUTH_AUTH0_CLIENT_ID}}', client_secret: '{{OAUTH_AUTH0_CLIENT_SECRET}}', - namespace: '{{OAUTH_AUTH0_DOMAIN}}' } } + domain: '{{OAUTH_AUTH0_DOMAIN}}', + scope: '{{OAUTH_AUTH0_SCOPE}}' } } + - { name: 'oauth2_generic', + app_id: '{{OAUTH2_GENERIC_APP_ID}}', + app_secret: '{{OAUTH2_GENERIC_APP_SECRET}}', + args: { + client_options: { + site: '{{OAUTH2_GENERIC_CLIENT_SITE}}', + user_info_url: '{{OAUTH2_GENERIC_CLIENT_USER_INFO_URL}}', + authorize_url: '{{OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL}}', + token_url: '{{OAUTH2_GENERIC_CLIENT_TOKEN_URL}}', + end_session_endpoint: '{{OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT}}', + }, + user_response_structure: { + id_path: '{{OAUTH2_GENERIC_ID_PATH}}', + attributes: { + uid: '{{OAUTH2_GENERIC_USER_UID}}', + name: '{{OAUTH2_GENERIC_USER_NAME}}', + email: '{{OAUTH2_GENERIC_USER_EMAIL}}' + } + }, + authorize_params: { scope: "{{OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE}}" }, + label: '{{OAUTH2_GENERIC_LABEL}}', + name: '{{OAUTH2_GENERIC_NAME}}' }} - { name: 'azure_oauth2', args: { client_id: '{{OAUTH_AZURE_API_KEY}}', client_secret: '{{OAUTH_AZURE_API_SECRET}}', tenant_id: '{{OAUTH_AZURE_TENANT_ID}}' } } - + - { name: 'azure_activedirectory_v2', + label: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL}}', + args: { + client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}', + client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}', + tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } } + - { name: 'openid_connect', + label: '{{OAUTH_OIDC_LABEL}}', + icon: '{{OAUTH_OIDC_ICON}}', + args: { + name: 'openid_connect', + scope: {{OAUTH_OIDC_SCOPE}}, + response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}', + issuer: '{{OAUTH_OIDC_ISSUER}}', + discovery: {{OAUTH_OIDC_DISCOVERY}}, + client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}', + uid_field: '{{OAUTH_OIDC_UID_FIELD}}', + send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}}, + pkce: {{OAUTH_OIDC_PKCE}}, + 
client_options: { + identifier: '{{OAUTH_OIDC_CLIENT_ID}}', + secret: '{{OAUTH_OIDC_CLIENT_SECRET}}', + redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } } + - { name: 'jwt', + label: '{{OAUTH_JWT_LABEL}}', + args: { + secret: '{{OAUTH_JWT_SECRET}}', + algorithm: '{{OAUTH_JWT_ALGORITHM}}', + uid_claim: '{{OAUTH_JWT_UID_CLAIM}}', + required_claims: {{OAUTH_JWT_REQUIRED_CLAIMS}}, + info_map: { name: '{{OAUTH_JWT_INFO_MAP_NAME}}', email: '{{OAUTH_JWT_INFO_MAP_EMAIL}}' }, + auth_url: '{{OAUTH_JWT_AUTH_URL}}', + valid_within: {{OAUTH_JWT_VALID_WITHIN}} } } # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours. # cas3: # session_duration: 28800 # Shared file storage settings shared: - path: {{GITLAB_SHARED_DIR}} + path: {{GITLAB_SHARED_DIR}} # Default: shared + # Gitaly settings + gitaly: + # Path to the directory containing Gitaly client executables. + client_path: {{GITALY_CLIENT_PATH}} + # Default Gitaly authentication token. Can be overridden per storage. Can + # be left blank when Gitaly is running locally on a Unix socket, which + # is the normal way to deploy Gitaly. + token: {{GITALY_TOKEN}} # # 4. Advanced settings # ========================== - # GitLab Satellites - # - # Note for maintainers: keep the satellites.path setting until GitLab 9.0 at - # least. This setting is fed to 'rm -rf' in - # db/migrate/20151023144219_remove_satellites.rb - satellites: - path: {{GITLAB_DATA_DIR}}/gitlab-satellites/ - ## Repositories settings repositories: # Paths where repositories can be stored. Give the canonicalized absolute pathname. 
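Review bot: `token: {{GITALY_TOKEN}}` under `gitaly:` is rendered bare, unlike the other secrets in this hunk (`secret: '{{OAUTH_JWT_SECRET}}'`, `secret: '{{OAUTH_OIDC_CLIENT_SECRET}}'`), so a token that is all digits or looks like `1e5` or `true` is retyped by YAML and then no longer matches what Gitaly was configured with; `token: '{{GITALY_TOKEN}}'` avoids that, and an empty expansion still renders as an empty string, which the comment says is acceptable for the Unix-socket case. For the new `jwt` provider, `valid_within: {{OAUTH_JWT_VALID_WITHIN}}` and `required_claims: {{OAUTH_JWT_REQUIRED_CLAIMS}}` become null when unset; if the provider treats null as "no check", any token signed with the shared `secret` would be accepted regardless of age or content, so the entrypoint should presumably refuse to render this provider without a secret and a validity window. A short comment on `secret:` noting that for asymmetric `algorithm` values it must hold the verification (public) key, not a shared secret, would also help.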
@@ -463,7 +1086,10 @@ production: &base # gitlab-shell invokes Dir.pwd inside the repository path and that results # real path not the symlink. storages: # You must have at least a `default` storage path. - default: {{GITLAB_REPOS_DIR}}/ + default: + path: {{GITLAB_REPOS_DIR}}/ + gitaly_address: unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/private/gitaly.socket # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port). + # gitaly_token: 'special token' # Optional: override global gitaly.token for this storage. ## Backup settings backup: 
@@ -473,23 +1099,60 @@ production: &base pg_schema: {{GITLAB_BACKUP_PG_SCHEMA}} # default: nil, it means that all schemas will be backed up upload: # Fog storage connection settings, see http://fog.io/storage/ . + #start-aws connection: provider: AWS region: {{AWS_BACKUP_REGION}} + endpoint: {{AWS_BACKUP_ENDPOINT}} + path_style: {{AWS_BACKUP_PATH_STYLE}} aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}} aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}' + aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}} # The remote 'directory' to store your backups. For S3, this would be the bucket name. remote_directory: '{{AWS_BACKUP_BUCKET}}' - # # Use multipart uploads when file size reaches 100MB, see - # # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html - # multipart_chunk_size: 104857600 - # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional - # # encryption: 'AES256' + #start-multipart-aws + # Use multipart uploads when file size reaches 100MB, see + # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html + multipart_chunk_size: {{AWS_BACKUP_MULTIPART_CHUNK_SIZE}} + #end-multipart-aws + #start-encryption-aws + # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional + encryption: 'AES256' + # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional + # This should be set to the 256-bit encryption key for Amazon S3 to use to encrypt or decrypt your data. + # 'encryption' must also be set in order for this to have any effect. + # encryption_key: '' + #end-encryption-aws + # Specifies Amazon S3 storage class to use for backups, this is optional + storage_class: '{{AWS_BACKUP_STORAGE_CLASS}}' + #end-aws + #start-gcs + # Fog storage connection settings, see http://fog.io/storage/ . 
+ connection: + provider: Google + google_storage_access_key_id: {{GCS_BACKUP_ACCESS_KEY_ID}} + google_storage_secret_access_key: '{{GCS_BACKUP_SECRET_ACCESS_KEY}}' + remote_directory: '{{GCS_BACKUP_BUCKET}}' + #end-gcs + + ## Pseudonymizer exporter + pseudonymizer: + # Tables manifest that specifies the fields to extract and pseudonymize. + manifest: config/pseudonymizer.yml + upload: + remote_directory: 'gitlab-elt' + # Fog storage connection settings, see http://fog.io/storage/ . + connection: + # provider: AWS + # region: eu-west-1 + # aws_access_key_id: AKIAKIAKI + # aws_secret_access_key: 'secret123' + # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. ## GitLab Shell settings gitlab_shell: path: {{GITLAB_SHELL_INSTALL_DIR}}/ - hooks_path: {{GITLAB_SHELL_INSTALL_DIR}}/hooks/ + authorized_keys_file: {{GITLAB_HOME}}/.ssh/authorized_keys # File that contains the secret key for verifying access for gitlab-shell. # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app). 
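Review bot: inside `backup.upload` this hunk now has two `connection:` and two `remote_directory:` keys in the same mapping (the AWS block between `#start-aws`/`#end-aws` and the GCS block between `#start-gcs`/`#end-gcs`); YAML forbids duplicate keys and Ruby's Psych keeps the last one, so if the entrypoint does not strip one of the marked regions the AWS credentials are silently discarded and backups go wherever `GCS_BACKUP_*` expands to. The marker comments suggest the entrypoint does cut one region out, which is worth a rendered-output test rather than an assumption. `encryption: 'AES256'` is now unconditionally on instead of commented out; that is the right default for S3, but with a custom `endpoint` (MinIO, Ceph) the SSE header may be rejected, so the `#start-encryption-aws` region presumably needs to be removable as well. The commented pseudonymizer placeholders `aws_access_key_id: AKIAKIAKI` / `aws_secret_access_key: 'secret123'` are exactly what secret scanners flag; a `# placeholder values, not real credentials` line would save a triage.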
@@ -499,20 +1162,84 @@ production: &base upload_pack: true receive_pack: true + # Git import/fetch timeout, in seconds. Defaults to 3 hours. + # git_timeout: 10800 + # If you use non-standard ssh port you need to specify it ssh_port: {{GITLAB_SSH_PORT}} + workhorse: + # File that contains the secret key for verifying access for gitlab-workhorse. + # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app). + # secret_file: /home/git/gitlab/.gitlab_workhorse_secret + + ## GitLab Elasticsearch settings + elasticsearch: + indexer_path: {{GITLAB_HOME}}/gitlab-elasticsearch-indexer/ + ## Git settings # CAUTION! # Use the default values unless you really know what you are doing git: - bin_path: /usr/bin/git - # The next value is the maximum memory size grit can use - # Given in number of bytes per git object (e.g. a commit) - # This value can be increased if you have very large commits - max_size: {{GITLAB_MAX_OBJECT_SIZE}} # 20.megabytes - # Git timeout to read a commit, in seconds - timeout: {{GITLAB_TIMEOUT}} + bin_path: /usr/local/bin/git + + ## ActionCable settings + action_cable: + # Number of threads used to process ActionCable connection callbacks and channel actions + # worker_pool_size: 4 + + ## Webpack settings + # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running + # on a given port instead of serving directly from /assets/webpack. This is only indended for use + # in development. 
+ webpack: + # dev_server: + # enabled: true + # host: localhost + # port: 3808 + + ## Monitoring + # Built in monitoring settings + monitoring: + # Time between sampling of unicorn socket metrics, in seconds + unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}} + # Time between sampling of Puma metrics, in seconds + # puma_sampler_interval: 5 + # IP whitelist to access monitoring endpoints + ip_whitelist: + - 127.0.0.0/8 + - {{GITLAB_MONITORING_IP_WHITELIST}} + + # Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics + sidekiq_exporter: + enabled: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED}} + address: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS}} + port: {{GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT}} + + # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics + # It runs alongside the `/metrics` endpoints to ease the publish of metrics + web_exporter: + # enabled: true + # address: localhost + # port: 8083 + + ## Prometheus settings + # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb + # if you installed GitLab via Omnibus. + # If you installed from source, you need to install and configure Prometheus + # yourself, and then update the values here. + # https://docs.gitlab.com/ee/administration/monitoring/prometheus/ + prometheus: + # enable: true + # listen_address: 'localhost:9090' + + shutdown: + # # blackout_seconds: + # # defines an interval to block healthcheck, + # # but continue accepting application requests + # # this allows Load Balancer to notice service + # # being shutdown and not interrupt any of the clients + # blackout_seconds: 10 # # 5. Extra customization 
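Review bot: `ip_whitelist:` under `monitoring` appends `- {{GITLAB_MONITORING_IP_WHITELIST}}` as a list item, so an empty expansion leaves a null entry in the list that gates `/metrics` and the health endpoints; unless the entrypoint guarantees a CIDR, the item should be omitted when unset rather than rendered blank. `unicorn_sampler_interval: {{GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL}}` is still templated while `puma_sampler_interval` stays commented, yet this same commit deletes `unicorn.rb` and adds `puma.rb`, so the active sampler setting appears to be the stale one and `# puma_sampler_interval: 5` is the line to template instead. The `workhorse.secret_file` comment shows `/home/git/gitlab/...` rather than `{{GITLAB_INSTALL_DIR}}` like the rest of this template, which will mislead anyone who uncomments it on a non-default install path.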
@@ -532,7 +1259,7 @@ production: &base
 enabled: {{RACK_ATTACK_ENABLED}}
 #
 # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
- ip_whitelist: [{{RACK_ATTACK_WHITELIST}}]
+ ip_whitelist: {{RACK_ATTACK_WHITELIST}}
 #
 # Limit the number of Git HTTP authentication attempts per IP
 maxretry: {{RACK_ATTACK_MAXRETRY}}
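Review bot: `ip_whitelist: {{RACK_ATTACK_WHITELIST}}` drops the surrounding brackets, so the entrypoint must now emit a complete YAML sequence (for example `['127.0.0.1']`) where a bare comma-separated value used to suffice, and an empty expansion now renders null instead of `[]`. This is the opposite direction from `allow_single_sign_on`, which the same commit wraps more tightly, so the list-rendering contract now differs per key and should be settled one way. Note that this commit also deletes `rack_attack.rb`, the initializer that throttled `/users/sign_in` and the other login paths, so `maxretry` and this whitelist are presumably consumed by GitLab's built-in Rack::Attack configuration; confirm that protected-path throttling is still active after the change rather than assuming it.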
@@ -546,30 +1273,147 @@ production: &base development: <<: *base + # We want to run web/sidekiq exporters for devs + # to catch errors from using them. + # + # We use random port to not block ability to run + # multiple instances of the service + monitoring: + sidekiq_exporter: + enabled: true + address: 127.0.0.1 + port: 0 + web_exporter: + enabled: true + address: 127.0.0.1 + port: 0 + test: <<: *base gravatar: enabled: true + external_diffs: + enabled: false + # Diffs may be `always` external (the default), or they can be made external + # after they have become `outdated` (i.e., the MR is closed or a new version + # has been pushed). + # when: always + # The location where external diffs are stored (default: shared/external-diffs). + # storage_path: shared/external-diffs + object_store: + enabled: false + remote_directory: external-diffs # The bucket name + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 lfs: enabled: false + # The location where LFS objects are stored (default: shared/lfs-objects). + # storage_path: shared/lfs-objects + object_store: + enabled: false + remote_directory: lfs-objects # The bucket name + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + artifacts: + path: tmp/tests/artifacts + enabled: true + # The location where build artifacts are stored (default: shared/artifacts). 
+ # path: shared/artifacts + object_store: + enabled: false + remote_directory: artifacts # The bucket name + background_upload: false + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + uploads: + storage_path: tmp/tests/public + object_store: + enabled: false + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + + terraform_state: + enabled: true + storage_path: tmp/tests/terraform_state + object_store: + enabled: false + remote_directory: terraform_state + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 + gitlab: host: localhost port: 80 - # When you run tests we clone and setup gitlab-shell - # In order to setup it correctly you need to specify + content_security_policy: + enabled: true + report_only: false + directives: + base_uri: + child_src: + connect_src: + default_src: "'self'" + font_src: + form_action: + frame_ancestors: "'self'" + frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" + img_src: "* data: blob:" + manifest_src: + media_src: + object_src: "'none'" + script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" + style_src: "'self' 'unsafe-inline'" + worker_src: "'self' blob:" + report_uri: + + # When you run tests we clone and set up gitlab-shell + # In order to set it up correctly you need to specify # your system username you use to run GitLab # user: YOUR_USERNAME - satellites: - 
path: tmp/tests/gitlab-satellites/ + pages: + path: tmp/tests/pages repositories: storages: - default: tmp/tests/repositories/ + default: + path: tmp/tests/repositories/ + gitaly_address: unix:tmp/tests/gitaly/gitaly.socket + + gitaly: + client_path: tmp/tests/gitaly + token: secret + workhorse: + secret_file: tmp/gitlab_workhorse_test_secret backup: path: tmp/tests/backups + pseudonymizer: + manifest: config/pseudonymizer.yml + upload: + # The remote 'directory' to store the CSV files. For S3, this would be the bucket name. + remote_directory: gitlab-elt.test + # Fog storage connection settings, see http://fog.io/storage/ + connection: + provider: AWS # Only AWS supported at the moment + aws_access_key_id: AWS_ACCESS_KEY_ID + aws_secret_access_key: AWS_SECRET_ACCESS_KEY + region: us-east-1 gitlab_shell: path: tmp/tests/gitlab-shell/ - hooks_path: tmp/tests/gitlab-shell/hooks/ + authorized_keys_file: tmp/tests/authorized_keys issues_tracker: redmine: title: "Redmine" 
@@ -577,9 +1421,70 @@ test: issues_url: "http://redmine/:project_id/:issues_tracker_id/:id" new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new" jira: - title: "JIRA" - url: https://sample_company.atlasian.net + title: "Jira" + url: https://sample_company.atlassian.net project_key: PROJECT + + omniauth: + # enabled: true + allow_single_sign_on: true + external_providers: [] + + providers: + - { name: 'cas3', + label: 'cas3', + args: { url: 'https://sso.example.com/', + disable_ssl_verification: false, + login_url: '/cas/login', + service_validate_url: '/cas/p3/serviceValidate', + logout_url: '/cas/logout'} } + - { name: 'github', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET', + url: "https://github.com/", + verify_ssl: false, + args: { scope: 'user:email' } } + - { name: 'bitbucket', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET' } + - { name: 'gitlab', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET', + args: { scope: 'api' } } + - { name: 'google_oauth2', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET', + args: { access_type: 'offline', approval_prompt: '' } } + - { name: 'facebook', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET' } + - { name: 'twitter', + app_id: 'YOUR_APP_ID', + app_secret: 'YOUR_APP_SECRET' } + - { name: 'jwt', + app_secret: 'YOUR_APP_SECRET', + args: { + algorithm: 'HS256', + uid_claim: 'email', + required_claims: ["name", "email"], + info_map: { name: "name", email: "email" }, + auth_url: 'https://example.com/', + valid_within: null, + } + } + - { name: 'auth0', + args: { + client_id: 'YOUR_AUTH0_CLIENT_ID', + client_secret: 'YOUR_AUTH0_CLIENT_SECRET', + namespace: 'YOUR_AUTH0_DOMAIN' } } + - { name: 'authentiq', + app_id: 'YOUR_CLIENT_ID', + app_secret: 'YOUR_CLIENT_SECRET', + args: { scope: 'aq:name email~rs address aq:push' } } + - { name: 'salesforce', + app_id: 'YOUR_CLIENT_ID', + app_secret: 'YOUR_CLIENT_SECRET' + } ldap: 
enabled: false servers: @@ -588,11 +1493,14 @@ test: host: 127.0.0.1 port: 3890 uid: 'uid' - method: 'plain' # "tls" or "ssl" or "plain" + encryption: 'plain' # "start_tls" or "simple_tls" or "plain" base: 'dc=example,dc=com' user_filter: '' group_base: 'ou=groups,dc=example,dc=com' admin_group: '' + prometheus: + enable: true + listen_address: 'localhost:9090' staging: <<: *base diff --git a/assets/runtime/config/gitlabhq/puma.rb b/assets/runtime/config/gitlabhq/puma.rb new file mode 100644 index 000000000..df5b5eeac --- /dev/null +++ b/assets/runtime/config/gitlabhq/puma.rb 
@@ -0,0 +1,97 @@ +ENV['RAILS_RELATIVE_URL_ROOT'] = "{{GITLAB_RELATIVE_URL_ROOT}}" + +# frozen_string_literal: true + +# Load "path" as a rackup file. +# +# The default is "config.ru". +# +rackup 'config.ru' +pidfile '{{GITLAB_INSTALL_DIR}}/tmp/pids/puma.pid' +state_path '{{GITLAB_INSTALL_DIR}}/tmp/pids/puma.state' + +stdout_redirect '{{GITLAB_INSTALL_DIR}}/log/puma.stdout.log', + '{{GITLAB_INSTALL_DIR}}/log/puma.stderr.log', + true + +# Configure "min" to be the minimum number of threads to use to answer +# requests and "max" the maximum. +# +# The default is "0, 16". +# +threads {{PUMA_THREADS_MIN}}, {{PUMA_THREADS_MAX}} + +# By default, workers accept all requests and queue them to pass to handlers. +# When false, workers accept the number of simultaneous requests configured. +# +# Queueing requests generally improves performance, but can cause deadlocks if +# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612 +# +# When set to false this may require a reverse proxy to handle slow clients and +# queue requests before they reach puma. This is due to disabling HTTP keepalive +queue_requests false + +# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only +# accepted protocols. 
+bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket' +bind 'tcp://127.0.0.1:8080' + +workers {{PUMA_WORKERS}} + +require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/cluster/lifecycle_events" + +on_restart do + # Signal application hooks that we're about to restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart +end + +before_fork do + # Signal to the puma killer + Gitlab::Cluster::PumaWorkerKillerInitializer.start(@config.options, puma_per_worker_max_memory_mb: {{PUMA_PER_WORKER_MAX_MEMORY_MB}}, puma_master_max_memory_mb: {{PUMA_MASTER_MAX_MEMORY_MB}}) unless ENV['DISABLE_PUMA_WORKER_KILLER'] + + # Signal application hooks that we're about to fork + Gitlab::Cluster::LifecycleEvents.do_before_fork +end + +Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options +on_worker_boot do + # Signal application hooks of worker start + Gitlab::Cluster::LifecycleEvents.do_worker_start +end + +on_worker_shutdown do + # Signal application hooks that a worker is shutting down + Gitlab::Cluster::LifecycleEvents.do_worker_stop +end + +# Preload the application before starting the workers; this conflicts with +# phased restart feature. (off by default) +preload_app! + +tag 'gitlab-puma-worker' + +# Verifies that all workers have checked in to the master process within +# the given timeout. If not the worker process will be restarted. Default +# value is 60 seconds. +# +worker_timeout {{PUMA_TIMEOUT}} + +# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput +wait_for_less_busy_worker ENV.fetch('https://github.com/PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f + +# Use json formatter +require_relative "{{GITLAB_INSTALL_DIR}}/lib/gitlab/puma_logging/json_formatter" + +json_formatter = Gitlab::PumaLogging::JSONFormatter.new +log_formatter do |str| + json_formatter.call(str) +end + +lowlevel_error_handler do |ex, env| + if Raven.configuration.capture_allowed? 
+ Raven.capture_exception(ex, tags: { 'handler': 'puma_low_level' }, extra: { puma_env: env }) + end + + # note the below is just a Rack response + [500, {}, ["An error has occurred and reported in the system's low-level error handler."]] +end diff --git a/assets/runtime/config/gitlabhq/rack_attack.rb b/assets/runtime/config/gitlabhq/rack_attack.rb deleted file mode 100644 index 69052c029..000000000 --- a/assets/runtime/config/gitlabhq/rack_attack.rb +++ /dev/null @@ -1,29 +0,0 @@ -# 1. Rename this file to rack_attack.rb -# 2. Review the paths_to_be_protected and add any other path you need protecting -# -# If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests - -paths_to_be_protected = [ - "#{Rails.application.config.relative_url_root}/users/password", - "#{Rails.application.config.relative_url_root}/users/sign_in", - "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json", - "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session", - "#{Rails.application.config.relative_url_root}/users", - "#{Rails.application.config.relative_url_root}/users/confirmation", - "#{Rails.application.config.relative_url_root}/unsubscribes/", - "#{Rails.application.config.relative_url_root}/import/github/personal_access_token" - -] - -# Create one big regular expression that matches strings starting with any of -# the paths_to_be_protected. -paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ }) -rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled'] - -unless Rails.env.test? || !rack_attack_enabled - Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req| - if req.post? && req.path =~ paths_regex - req.ip - end - end -end diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml index 769d956a2..0bcdde2b9 100644 
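Review bot: `bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'` hard-codes the install path while `pidfile`, `state_path`, `stdout_redirect` and both `require_relative` calls in the same file use `{{GITLAB_INSTALL_DIR}}`, and the deleted `unicorn.rb` listened on `{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket`; with a non-default install directory the socket is created outside the tree the proxy expects, so it should be `bind 'unix://{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket'`. In `lowlevel_error_handler`, `extra: { puma_env: env }` ships the entire Rack env to Sentry, and that env carries request headers such as cookies and authorization tokens; unless Raven's sanitizer is known to scrub the `extra` payload, I would send a reduced subset (method, path, request id) instead. As printed here, the ENV key in `wait_for_less_busy_worker ENV.fetch('https://github.com/PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001)` carries a URL-like prefix that looks like a page-rendering artifact; confirm the committed file uses the bare `PUMA_WAIT_FOR_LESS_BUSY_WORKER` name, otherwise the setting can never be overridden from the environment.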
--- a/assets/runtime/config/gitlabhq/secrets.yml +++ b/assets/runtime/config/gitlabhq/secrets.yml @@ -6,6 +6,10 @@ production: db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}} secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}} otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}} + encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}} + active_record_encryption_primary_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}} + active_record_encryption_deterministic_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}} + active_record_encryption_key_derivation_salt: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}} development: db_key_base: development diff --git a/assets/runtime/config/gitlabhq/unicorn.rb b/assets/runtime/config/gitlabhq/unicorn.rb deleted file mode 100644 index 62f650c2f..000000000 --- a/assets/runtime/config/gitlabhq/unicorn.rb +++ /dev/null 
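Review bot: the four new keys (`encrypted_settings_key_base`, `active_record_encryption_primary_key`, `active_record_encryption_deterministic_key`, `active_record_encryption_key_derivation_salt`) are rendered bare like the existing ones, so a generated value that is all digits or resembles a float or boolean is retyped by YAML and the resulting key no longer matches what encrypted the data; quoting them as `'{{…}}'` costs nothing and makes the file robust to whatever the generator emits. These values also need the same persistence guarantee as `db_key_base`: if the entrypoint regenerates them on container restart, everything encrypted under the previous primary key becomes unreadable, so the volume-backed handling presumably applied to the existing secrets should be confirmed to cover the new ones. The deterministic key should be generated independently rather than derived from the primary key, which is worth asserting where these are produced.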
@@ -1,129 +0,0 @@ -# Sample verbose configuration file for Unicorn (not Rack) -# -# This configuration file documents many features of Unicorn -# that may not be needed for some applications. See -# http://unicorn.bogomips.org/examples/unicorn.conf.minimal.rb -# for a much simpler configuration file. -# -# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete -# documentation. - -# Note: If you change this file in a Merge Request, please also create a -# Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests - -# Relative URL support -# WARNING: We recommend using an FQDN to host GitLab in a root path instead -# of using a relative URL. -# Documentation: http://doc.gitlab.com/ce/install/relative_url.html -# Uncomment and customize the following line to run in a non-root path -# -ENV['RAILS_RELATIVE_URL_ROOT'] = "{{GITLAB_RELATIVE_URL_ROOT}}" - -# Read about unicorn workers here: -# http://doc.gitlab.com/ee/install/requirements.html#unicorn-workers -# -worker_processes {{UNICORN_WORKERS}} - -# Since Unicorn is never exposed to outside clients, it does not need to -# run on the standard HTTP port (80), there is no reason to start Unicorn -# as root unless it's from system init scripts. -# If running the master process as root and the workers as an unprivileged -# user, do this to switch euid/egid in the workers (also chowns logs): -# user "unprivileged_user", "unprivileged_group" - -# Help ensure your application will always spawn in the symlinked -# "current" directory that Capistrano sets up. -working_directory "{{GITLAB_INSTALL_DIR}}" # available in 0.94.0+ - -# Listen on both a Unix domain socket and a TCP port. -# If you are load-balancing multiple Unicorn masters, lower the backlog -# setting to e.g. 64 for faster failover. 
-listen "{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket", :backlog => 1024 -listen "127.0.0.1:8080", :tcp_nopush => true - -# nuke workers after 30 seconds instead of 60 seconds (the default) -# -# NOTICE: git push over http depends on this value. -# If you want to be able to push huge amount of data to git repository over http -# you will have to increase this value too. -# -# Example of output if you try to push 1GB repo to GitLab over http. -# -> git push http://gitlab.... master -# -# error: RPC failed; result=18, HTTP code = 200 -# fatal: The remote end hung up unexpectedly -# fatal: The remote end hung up unexpectedly -# -# For more information see http://stackoverflow.com/a/21682112/752049 -# -timeout {{UNICORN_TIMEOUT}} - -# feel free to point this anywhere accessible on the filesystem -pid "{{GITLAB_INSTALL_DIR}}/tmp/pids/unicorn.pid" - -# By default, the Unicorn logger will write to stderr. -# Additionally, some applications/frameworks log to stderr or stdout, -# so prevent them from going to /dev/null when daemonized here: -stderr_path "{{GITLAB_INSTALL_DIR}}/log/unicorn.stderr.log" -stdout_path "{{GITLAB_INSTALL_DIR}}/log/unicorn.stdout.log" - -# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings -# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow -preload_app true -GC.respond_to?(:copy_on_write_friendly=) and - GC.copy_on_write_friendly = true - -# Enable this flag to have unicorn test client connections by writing the -# beginning of the HTTP headers before calling the application. This -# prevents calling the application for connections that have disconnected -# while queued. This is only guaranteed to detect clients on the same -# host unicorn runs on, and unlikely to detect disconnects even on a -# fast LAN. 
-check_client_connection false - -before_fork do |server, worker| - # the following is highly recomended for Rails + "preload_app true" - # as there's no need for the master process to hold a connection - defined?(ActiveRecord::Base) and - ActiveRecord::Base.connection.disconnect! - - # The following is only recommended for memory/DB-constrained - # installations. It is not needed if your system can house - # twice as many worker_processes as you have configured. - # - # This allows a new master process to incrementally - # phase out the old master process with SIGTTOU to avoid a - # thundering herd (especially in the "preload_app false" case) - # when doing a transparent upgrade. The last worker spawned - # will then kill off the old master process with a SIGQUIT. - old_pid = "#{server.config[:pid]}.oldbin" - if old_pid != server.pid - begin - sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU - Process.kill(sig, File.read(old_pid).to_i) - rescue Errno::ENOENT, Errno::ESRCH - end - end - # - # Throttle the master from forking too quickly by sleeping. Due - # to the implementation of standard Unix signal handlers, this - # helps (but does not completely) prevent identical, repeated signals - # from being lost when the receiving process is busy. - # sleep 1 -end - -after_fork do |server, worker| - # per-process listener ports for debugging/admin/migrations - # addr = "127.0.0.1:#{9293 + worker.nr}" - # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true) - - # the following is *required* for Rails + "preload_app true", - defined?(ActiveRecord::Base) and - ActiveRecord::Base.establish_connection - - # if preload_app is true, then you may also want to check and - # restart any other shared sockets/descriptors such as Memcached, - # and Redis. TokyoCabinet file handles are safe to reuse - # between any number of forked children (assuming your kernel - # correctly implements pread()/pwrite() system calls) -end 
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab index 701437fc6..75001235e 100644 --- a/assets/runtime/config/nginx/gitlab +++ b/assets/runtime/config/nginx/gitlab @@ -25,6 +25,15 @@ map $http_upgrade $connection_upgrade_gitlab { '' close; } +## Obfuscate access_token and private_token in access log +map $request_uri $obfuscated_request_uri { + ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4; + default $request_uri; +} +log_format gitlab_access '$remote_addr - $remote_user [$time_local] ' + '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ## Normal HTTP host server { ## Either remove "default_server" from the listen line below, @@ -37,11 +46,19 @@ server { server_tokens off; ## Don't show the nginx version number, a security best practice ## See app/controllers/application_controller.rb for headers set + + ## Real IP Module Config + ## http://nginx.org/en/docs/http/ngx_http_realip_module.html + real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol + real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## If you enable 'on' + ## If you have a trusted IP address, uncomment it and set it + set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24 + add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}}; add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};"; ## Individual nginx logs for this GitLab vhost - access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log; + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_access; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log; location / { @@ -77,4 +94,5 @@ server { internal; } + {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}} } diff --git a/assets/runtime/config/nginx/gitlab-pages b/assets/runtime/config/nginx/gitlab-pages new file mode 100644 index 000000000..6f2978dde --- /dev/null 
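Review bot: The new `map` masks `private_token` and `access_token` only inside `$request_uri`, while the same `log_format` still writes `$http_referer` verbatim, so a token carried in a referring URL still lands in the access log unmasked. GitLab also accepts `feed_token` and `job_token` as query parameters; widening the alternation to `(private_token=|access_token=|feed_token=|job_token=)` keeps those out of the log as well. Because the regex matches once, a URI carrying two token parameters has only one of them masked; a comment such as `## only one token parameter per request is masked` records that limit. The identical `map` and `log_format` added to gitlab-ssl (hunk at line 29) have the same gaps.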
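Review bot: `set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}};` is emitted unconditionally, but env-defaults in this commit gives `NGINX_REAL_IP_TRUSTED_ADDRESSES` an empty default, so unless the entrypoint strips the line the rendered config contains `set_real_ip_from ;`, which nginx rejects at startup; the `## If you have a trusted IP address, uncomment it and set it` comment suggests the line was meant to be commented out or conditional. Once a range is set, `real_ip_header X-Real-IP` lets that upstream rewrite `$remote_addr` for the access log and for any IP-based throttling, so the comment should state that the range must cover only the reverse proxy itself, never a catch-all such as `0.0.0.0/0`. The same block is added to gitlab-ssl (hunk at line 61) and has the same problem.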
+++ b/assets/runtime/config/nginx/gitlab-pages @@ -0,0 +1,23 @@ +## GitLab +## +## Pages serving host +server { + listen 0.0.0.0:80; + listen [::]:80; + ## Replace this with something like pages.gitlab.com + server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; + ## Individual nginx logs for GitLab pages + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # The same address as passed to GitLab Pages: `-listen-proxy` + proxy_pass http://localhost:8090/; + } + # Define custom error pages + error_page 403 /403.html; + error_page 404 /404.html; +} diff --git a/assets/runtime/config/nginx/gitlab-pages-ssl b/assets/runtime/config/nginx/gitlab-pages-ssl new file mode 100644 index 000000000..8563c1a92 --- /dev/null +++ b/assets/runtime/config/nginx/gitlab-pages-ssl 
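Review bot: `server_name ~^.*{{GITLAB_PAGES_DOMAIN}};` is a regex in which the dots of the domain are unescaped (the substituted value would need escaping) and the end is unanchored, so any Host header that merely contains a look-alike of the Pages domain selects this block; `server_name ~^.*\.{{GITLAB_PAGES_DOMAIN}}$;` is tighter, to be checked against custom-domain Pages sites, which GitLab Pages resolves itself behind `proxy_pass`. `server_tokens off;` is also missing here although the gitlab-pages-ssl file in this same commit sets it on both of its server blocks; add it directly after the `server_name` line.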
@@ -0,0 +1,77 @@ +## GitLab +## + +## Redirects all HTTP traffic to the HTTPS host +server { + ## Either remove "default_server" from the listen line below, + ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab + ## to be served if you visit any address that your server responds to, eg. + ## the ip address of the server (http://x.x.x.x/) + listen 0.0.0.0:80; + listen [::]:80; + + ## Replace this with something like pages.gitlab.com + server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; + server_tokens off; ## Don't show the nginx version number, a security best practice + + return 301 https://$host:{{GITLAB_PORT}}$request_uri; + + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; +} + +## Pages serving host +server { + listen 0.0.0.0:443 ssl; + listen [::]:443 ssl; + http2 on; + + ## Replace this with something like pages.gitlab.com + server_name ~^.*{{GITLAB_PAGES_DOMAIN}}; + server_tokens off; ## Don't show the nginx version number, a security best practice + + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ + ssl_certificate {{SSL_PAGES_CERT_PATH}}; + ssl_certificate_key {{SSL_PAGES_KEY_PATH}}; + + # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs + ssl_ciphers "{{SSL_PAGES_CIPHERS}}"; + ssl_protocols {{SSL_PAGES_PROTOCOLS}}; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + + ## See app/controllers/application_controller.rb for headers set + + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. 
For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + + ## [Optional] Generate a stronger DHE parameter: + ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 + ## + ssl_dhparam {{SSL_DHPARAM_PATH}}; + + ## Individual nginx logs for this GitLab vhost + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_access.log; + error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_pages_error.log; + + location / { + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + # The same address as passed to GitLab Pages: `-listen-proxy` + proxy_pass http://localhost:8090/; + } + + # Define custom error pages + error_page 403 /403.html; + error_page 404 /404.html; +} diff --git a/assets/runtime/config/nginx/gitlab-registry b/assets/runtime/config/nginx/gitlab-registry index 0aa1cc30f..f43be97e5 100644 --- a/assets/runtime/config/nginx/gitlab-registry +++ b/assets/runtime/config/nginx/gitlab-registry 
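Review bot: `http2 on;` is a directive that exists only in nginx 1.25.1 and later; on releases that know just the `listen ... http2` form the whole configuration fails to load, so the file header should record the requirement, e.g. `## requires nginx >= 1.25.1 (http2 directive)`, and the base image's nginx version pinned accordingly. The same directive replaces `listen ... http2` in gitlab-registry and gitlab-ssl in this commit. Separately, the HTTP block redirects to `https://$host:{{GITLAB_PORT}}$request_uri` while the HTTPS block listens on 443, so when `GITLAB_PORT` is not 443 the redirect points at the GitLab port rather than the Pages one, and unlike gitlab-ssl no `Strict-Transport-Security` header is set for the Pages host.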
@@ -10,15 +10,16 @@ server { listen *:80; server_name {{GITLAB_REGISTRY_HOST}}; server_tokens off; ## Don't show the nginx version number, a security best practice - return 301 https://$http_host:$request_uri; + return 301 https://$http_host$request_uri; access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log; } server { - # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/config/gitlab.yml.example#L182, + # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182, # it should be declared here as well - listen *:{{GITLAB_REGISTRY_PORT}} ssl http2; + listen *:{{GITLAB_REGISTRY_PORT}} ssl; + http2 on; server_name {{GITLAB_REGISTRY_HOST}}; server_tokens off; ## Don't show the nginx version number, a security best practice @@ -27,12 +28,11 @@ server { ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl on; ssl_certificate {{SSL_REGISTRY_CERT_PATH}}; ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}}; - ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "{{SSL_REGISTRY_CIPHERS}}"; + ssl_protocols {{SSL_REGISTRY_PROTOCOLS}}; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 5m; diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl index f55eb1a8e..1057e0926 100644 --- a/assets/runtime/config/nginx/gitlab-ssl +++ b/assets/runtime/config/nginx/gitlab-ssl 
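Review bot: The corrected redirect `return 301 https://$http_host$request_uri;` now drops the port entirely, but the HTTPS block below listens on `{{GITLAB_REGISTRY_PORT}}` (defaulted to 443 in env-defaults), so a registry served on any other port redirects to the wrong place; `return 301 https://$host:{{GITLAB_REGISTRY_PORT}}$request_uri;` matches how gitlab-ssl and gitlab-pages-ssl build theirs. `$host` is also preferable to `$http_host` here because it never carries a client-sent `:80`.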
@@ -29,6 +29,15 @@ map $http_upgrade $connection_upgrade_gitlab_ssl { '' close; } +## Obfuscate access_token and private_token in access log +map $request_uri $obfuscated_request_uri { + ~(.+\?)(.*&)?(private_token=|access_token=)[^&]*(&.*|$) $1$2$3****$4; + default $request_uri; +} +log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] ' + '"$request_method $obfuscated_request_uri $server_protocol" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ## Redirects all HTTP traffic to the HTTPS host server { ## Either remove "default_server" from the listen line below, @@ -40,20 +49,20 @@ server { server_name _; ## Replace this with something like gitlab.example.com server_tokens off; ## Don't show the nginx version number, a security best practice return 301 https://$host:{{GITLAB_PORT}}$request_uri; - access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log; + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log; } ## HTTPS host server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; + listen 0.0.0.0:443 ssl; + listen [::]:443 ipv6only=on ssl default_server; + http2 on; server_name {{GITLAB_HOST}}; ## Replace this with something like gitlab.example.com server_tokens off; ## Don't show the nginx version number, a security best practice ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ - ssl on; ssl_certificate {{SSL_CERTIFICATE_PATH}}; ssl_certificate_key {{SSL_KEY_PATH}}; ssl_verify_client {{SSL_VERIFY_CLIENT}}; 
@@ -61,12 +70,20 @@ server { # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs ssl_ciphers "{{SSL_CIPHERS}}"; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols {{SSL_PROTOCOLS}}; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ## See app/controllers/application_controller.rb for headers set + + ## Real IP Module Config + ## http://nginx.org/en/docs/http/ngx_http_realip_module.html + real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol + real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## If you enable 'on' + ## If you have a trusted IP address, uncomment it and set it + set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24 + add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}}; add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};"; @@ -87,7 +104,7 @@ server { ssl_dhparam {{SSL_DHPARAM_PATH}}; ## Individual nginx logs for this GitLab vhost - access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log; + access_log {{GITLAB_LOG_DIR}}/nginx/gitlab_access.log gitlab_ssl_access; error_log {{GITLAB_LOG_DIR}}/nginx/gitlab_error.log; location / { @@ -110,7 +127,7 @@ server { proxy_set_header X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab_ssl; - + proxy_pass http://gitlab-workhorse; } @@ -123,4 +140,6 @@ server { root {{GITLAB_INSTALL_DIR}}/public; internal; } + + {{NGINX_CUSTOM_GITLAB_SERVER_CONFIG}} } diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 92674d2b8..d3269e8ee 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults 
@@ -1,19 +1,24 @@ #!/bin/bash +# CONTAINER DEBUG=${DEBUG:-$DEBUG_ENTRYPOINT} +TIMEZONE=${TZ:-UTC} ## GITLAB CORE GITLAB_TEMP_DIR="${GITLAB_DATA_DIR}/tmp" GITLAB_BACKUP_DIR="${GITLAB_BACKUP_DIR:-$GITLAB_DATA_DIR/backups}" +GITLAB_BACKUP_DIR_CHOWN=${GITLAB_BACKUP_DIR_CHOWN:-true} +GITLAB_BACKUP_DIR_GROUP=${GITLAB_BACKUP_DIR_GROUP:-} GITLAB_REPOS_DIR="${GITLAB_REPOS_DIR:-$GITLAB_DATA_DIR/repositories}" GITLAB_BUILDS_DIR="${GITLAB_BUILDS_DIR:-$GITLAB_DATA_DIR/builds}" GITLAB_DOWNLOADS_DIR="${GITLAB_DOWNLOADS_DIR:-$GITLAB_TEMP_DIR/downloads}" GITLAB_SHARED_DIR="${GITLAB_SHARED_DIR:-$GITLAB_DATA_DIR/shared}" - +GITLAB_DEFAULT_THEME=${GITLAB_DEFAULT_THEME:-2} GITLAB_HTTPS=${GITLAB_HTTPS:-false} GITLAB_HOST=${GITLAB_HOST:-localhost} GITLAB_CI_HOST=${GITLAB_CI_HOST:-} GITLAB_PORT=${GITLAB_PORT:-} +GITLAB_IMPERSONATION_ENABLED=${GITLAB_IMPERSONATION_ENABLED:-true} if [[ $GITLAB_HTTPS == true ]]; then GITLAB_PORT=${GITLAB_PORT:-443} else @@ -23,7 +28,9 @@ fi ## SSH GITLAB_SSH_HOST=${GITLAB_SSH_HOST:-$GITLAB_HOST} GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SHELL_SSH_PORT} # for backwards compatibility -GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-22} +GITLAB_SSH_LISTEN_PORT=${GITLAB_SSH_LISTEN_PORT:-22} +GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-$GITLAB_SSH_LISTEN_PORT} +GITLAB_SSH_MAXSTARTUPS=${GITLAB_SSH_MAXSTARTUPS:-10:30:60} NGINX_HSTS_ENABLED=${NGINX_HSTS_ENABLED:-$GITLAB_HTTPS_HSTS_ENABLED} # backward compatibility NGINX_HSTS_ENABLED=${NGINX_HSTS_ENABLED:-true} @@ -32,7 +39,7 @@ NGINX_HSTS_MAXAGE=${NGINX_HSTS_MAXAGE:-$GITLAB_HTTPS_HSTS_MAXAGE} # backward com NGINX_HSTS_MAXAGE=${NGINX_HSTS_MAXAGE:-31536000} ## DATABASE -DB_ADAPTER=${DB_ADAPTER:-} +DB_ADAPTER=${DB_ADAPTER:-postgresql} DB_ENCODING=${DB_ENCODING:-} DB_HOST=${DB_HOST:-} DB_PORT=${DB_PORT:-} 
@@ -40,10 +47,10 @@ DB_NAME=${DB_NAME:-} DB_USER=${DB_USER:-} DB_PASS=${DB_PASS:-} DB_POOL=${DB_POOL:-10} +DB_PREPARED_STATEMENTS=${DB_PREPARED_STATEMENTS:-true} # backward compatibility case ${DB_TYPE} in - mysql) DB_ADAPTER=${DB_ADAPTER:-mysql2} ;; postgres) DB_ADAPTER=${DB_ADAPTER:-postgresql} ;; esac 
@@ -55,22 +62,34 @@ REDIS_DB_NUMBER=${REDIS_DB_NUMBER:-0} ## SIDEKIQ SIDEKIQ_SHUTDOWN_TIMEOUT=${SIDEKIQ_SHUTDOWN_TIMEOUT:-4} SIDEKIQ_CONCURRENCY=${SIDEKIQ_CONCURRENCY:-25} -SIDEKIQ_MEMORY_KILLER_MAX_RSS=${SIDEKIQ_MEMORY_KILLER_MAX_RSS:-1000000} +SIDEKIQ_MEMORY_KILLER_MAX_RSS=${SIDEKIQ_MEMORY_KILLER_MAX_RSS:-2000000} +GITLAB_SIDEKIQ_LOG_FORMAT=${GITLAB_SIDEKIQ_LOG_FORMAT:-json} + +## PUMA +PUMA_THREADS_MIN=${PUMA_THREADS_MIN:-1} +PUMA_THREADS_MAX=${PUMA_THREADS_MAX:-16} +PUMA_WORKERS=${PUMA_WORKERS:-3} +PUMA_TIMEOUT=${PUMA_TIMEOUT:-60} +PUMA_PER_WORKER_MAX_MEMORY_MB=${PUMA_PER_WORKER_MAX_MEMORY_MB:-1024} +PUMA_MASTER_MAX_MEMORY_MB=${PUMA_MASTER_MAX_MEMORY_MB:-800} + +# Set Default values according to the documentation +# https://docs.gitlab.com/ee/administration/operations/unicorn.html#unicorn-worker-killer +GITLAB_UNICORN_MEMORY_MIN=${GITLAB_UNICORN_MEMORY_MIN:-1073741824} +GITLAB_UNICORN_MEMORY_MAX=${GITLAB_UNICORN_MEMORY_MAX:-1342177280} -## UNICORN -UNICORN_WORKERS=${UNICORN_WORKERS:-3} -UNICORN_TIMEOUT=${UNICORN_TIMEOUT:-60} ## GITLAB_TIMEZONE=${GITLAB_TIMEZONE:-UTC} GITLAB_SIGNUP_ENABLED=${GITLAB_SIGNUP_ENABLED:-true} +GITLAB_ISSUE_CLOSING_PATTERN=${GITLAB_ISSUE_CLOSING_PATTERN:-'\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? 
+)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'} GITLAB_PROJECTS_LIMIT=${GITLAB_PROJECTS_LIMIT:-100} GITLAB_USERNAME_CHANGE=${GITLAB_USERNAME_CHANGE:-true} GITLAB_CREATE_GROUP=${GITLAB_CREATE_GROUP:-true} GITLAB_PROJECTS_ISSUES=${GITLAB_PROJECTS_ISSUES:-true} GITLAB_PROJECTS_MERGE_REQUESTS=${GITLAB_PROJECTS_MERGE_REQUESTS:-true} GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true} -GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false} +GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-true} GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true} GITLAB_PROJECTS_CONTAINER_REGISTRY=${GITLAB_PROJECTS_CONTAINER_REGISTRY:-true} GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-} 
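Review bot: `GITLAB_UNICORN_MEMORY_MIN`/`GITLAB_UNICORN_MEMORY_MAX` are added under a comment pointing at the unicorn-worker-killer docs, yet this same commit deletes unicorn.rb and the `UNICORN_WORKERS`/`UNICORN_TIMEOUT` defaults and introduces the `## PUMA` block directly above; if nothing else still consumes the two variables they are dead configuration and should be dropped, otherwise the comment should name the Puma setting they feed. The default of `GITLAB_PROJECTS_SNIPPETS` flips from `false` to `true`, which changes the feature set of newly created projects on existing deployments; record it on the line, e.g. `# default now true; set to false to keep the previous behaviour`.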
@@ -80,38 +99,167 @@ if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; the fi GITLAB_WEBHOOK_TIMEOUT=${GITLAB_WEBHOOK_TIMEOUT:-10} -GITLAB_TIMEOUT=${GITLAB_TIMEOUT:-10} -GITLAB_MAX_OBJECT_SIZE=${GITLAB_MAX_OBJECT_SIZE:-} -if [[ -z ${GITLAB_MAX_OBJECT_SIZE} ]]; then - if [[ -n ${NGINX_MAX_UPLOAD_SIZE} ]]; then # backward compatibility - GITLAB_MAX_OBJECT_SIZE=$(echo $NGINX_MAX_UPLOAD_SIZE |sed -e "s/^ *\([0-9]*\)[mMkKgG] *$/\1/g") - case ${NGINX_MAX_UPLOAD_SIZE} in - *[kK] ) GITLAB_MAX_OBJECT_SIZE=$(($GITLAB_MAX_OBJECT_SIZE * 1024));; - *[mM] ) GITLAB_MAX_OBJECT_SIZE=$(($GITLAB_MAX_OBJECT_SIZE * 1048576));; - *[gG] ) GITLAB_MAX_OBJECT_SIZE=$(($GITLAB_MAX_OBJECT_SIZE * 1073741824));; - esac - else - GITLAB_MAX_OBJECT_SIZE=${GITLAB_MAX_OBJECT_SIZE:-20971520} - fi -fi GITLAB_WORKHORSE_TIMEOUT=${GITLAB_WORKHORSE_TIMEOUT:-5m0s} +# OBJECTSTORE +GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDER:-AWS} + +#-- AWS +AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID} +AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY} +AWS_REGION=${AWS_REGION:-us-east-1} +AWS_HOST=${AWS_HOST:-s3.amazonaws.com} +AWS_ENDPOINT=${AWS_ENDPOINT:-nil} +AWS_PATH_STYLE=${AWS_PATH_STYLE:-true} +AWS_SIGNATURE_VERSION=${AWS_SIGNATURE_VERSION:-4} + +#-- Google +GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} +GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} +GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-"/gcs/key.json"} + ## ARTIFACTS GITLAB_ARTIFACTS_ENABLED=${GITLAB_ARTIFACTS_ENABLED:-true} GITLAB_ARTIFACTS_DIR="${GITLAB_ARTIFACTS_DIR:-$GITLAB_SHARED_DIR/artifacts}" + +GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED=${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED:-false} 
+GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY:-artifacts} +GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD:-false} +GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} +GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD:-false} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} + +# ARTIFACTS:AWS +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} + +# ARTIFACTS:Google +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} +GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} 
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} + +## PACKAGES +GITLAB_PACKAGES_ENABLED=${GITLAB_PACKAGES_ENABLED:-true} +GITLAB_PACKAGES_DIR="${GITLAB_PACKAGES_DIR:-$GITLAB_SHARED_DIR/packages}" + + +GITLAB_PACKAGES_OBJECT_STORE_ENABLED=${GITLAB_PACKAGES_OBJECT_STORE_ENABLED:-false} +GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY:-packages} +GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD:-false} +GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD:-false} +GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD:-false} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} + +# PACKAGES:AWS +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} + +# PACKAGES:Google 
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} +GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} + +## TERRAFORM STATE +GITLAB_TERRAFORM_STATE_ENABLED=${GITLAB_TERRAFORM_STATE_ENABLED:-true} +GITLAB_TERRAFORM_STATE_STORAGE_PATH="${GITLAB_TERRAFORM_STATE_STORAGE_PATH:-$GITLAB_SHARED_DIR/terraform_state}" + +GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED:-false} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY:-terraform_state} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} + +# TERRAFORM STATE:AWS +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} 
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} + +# TERRAFORM STATE:Google +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} +GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} + +## Cron Jobs +GITLAB_PIPELINE_SCHEDULE_WORKER_CRON=${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON:-"19 * * * *"} + ## LFS GITLAB_LFS_ENABLED=${GITLAB_LFS_ENABLED:-true} GITLAB_LFS_OBJECTS_DIR="${GITLAB_LFS_OBJECTS_DIR:-$GITLAB_SHARED_DIR/lfs-objects}" -## Mattermose +GITLAB_LFS_OBJECT_STORE_ENABLED=${GITLAB_LFS_OBJECT_STORE_ENABLED:-false} +GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY:-lfs-objects} +GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD:-false} +GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} +GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD:-false} +GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} + +# LFS:AWS +GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} 
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} +GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} +GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} +GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} +GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} +GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} + +# LFS:Google +GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} +GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} +GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} + +## Uploads +GITLAB_UPLOADS_STORAGE_PATH="${GITLAB_UPLOADS_STORAGE_PATH:-$GITLAB_INSTALL_DIR/public}" +GITLAB_UPLOADS_BASE_DIR="${GITLAB_UPLOADS_BASE_DIR:-uploads/-/system}" + +GITLAB_UPLOADS_OBJECT_STORE_ENABLED=${GITLAB_UPLOADS_OBJECT_STORE_ENABLED:-false} +GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY=${GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY:-uploads} +GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD:-false} +GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD=${GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD:-false} +GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD=${GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD:-false} 
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER:-$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER} + +# Uploads:AWS +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE:-$AWS_PATH_STYLE} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION:-$AWS_SIGNATURE_VERSION} + +# Uploads:Google +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL} +GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION:-$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION} + + +## Mattermost GITLAB_MATTERMOST_ENABLED=${GITLAB_MATTERMOST_ENABLED:-false} GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com} +# secrets GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-} GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-} GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-} 
+GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-} +GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY:-} +GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY:-} +GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT:-} + GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true} GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false} @@ -125,6 +273,7 @@ GITLAB_REGISTRY_PORT=${GITLAB_REGISTRY_PORT:-443} GITLAB_REGISTRY_API_URL=${GITLAB_REGISTRY_API_URL:-http://localhost:5000/} GITLAB_REGISTRY_KEY_PATH=${GITLAB_REGISTRY_KEY_PATH:-config/registry.key} GITLAB_REGISTRY_ISSUER=${GITLAB_REGISTRY_ISSUER:-gitlab-issuer} +GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES:-false} ## SSL SSL_SELF_SIGNED=${SSL_SELF_SIGNED:-false} 
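Review bot: `AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}` and the secret line below it default to the literal strings `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, so a deployment that enables object storage without setting them gets placeholder credentials copied into every `*_OBJECT_STORE_CONNECTION_AWS_*` value and, if env-defaults is exported into the process environment, into the variables the AWS SDKs read automatically. Empty defaults, `AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}` and `AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}`, fail visibly instead; the same applies to `AWS_ENDPOINT=${AWS_ENDPOINT:-nil}`, where `nil` is an ordinary string unless the template renderer treats it specially. The Google `JSON_KEY_LOCATION` default `/gcs/key.json` is a path inside the container and deserves a comment such as `# mount the service-account key file at this path`.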
@@ -133,9 +282,19 @@ SSL_KEY_PATH=${SSL_KEY_PATH:-$GITLAB_DATA_DIR/certs/gitlab.key} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-$GITLAB_DATA_DIR/certs/dhparam.pem} SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} SSL_CIPHERS=${SSL_CIPHERS:-'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'} +SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'} +SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_REGISTRY_KEY_PATH} SSL_REGISTRY_KEY_PATH=${SSL_REGISTRY_KEY_PATH:-$GITLAB_DATA_DIR/certs/registry.key} +SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_REGISTRY_CERT_PATH} SSL_REGISTRY_CERT_PATH=${SSL_REGISTRY_CERT_PATH:-$GITLAB_DATA_DIR/certs/registry.crt} +SSL_REGISTRY_CIPHERS=${SSL_REGISTRY_CIPHERS:-$SSL_CIPHERS} +SSL_REGISTRY_PROTOCOLS=${SSL_REGISTRY_PROTOCOLS:-$SSL_PROTOCOLS} + +SSL_PAGES_KEY_PATH=${SSL_PAGES_KEY_PATH:-$GITLAB_DATA_DIR/certs/pages.key} +SSL_PAGES_CERT_PATH=${SSL_PAGES_CERT_PATH:-$GITLAB_DATA_DIR/certs/pages.crt} +SSL_PAGES_CIPHERS=${SSL_PAGES_CIPHERS:-$SSL_CIPHERS} +SSL_PAGES_PROTOCOLS=${SSL_PAGES_PROTOCOLS:-$SSL_PROTOCOLS} SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$CA_CERTIFICATES_PATH} # backward compatibility SSL_CA_CERTIFICATES_PATH=${SSL_CA_CERTIFICATES_PATH:-$GITLAB_DATA_DIR/certs/ca.crt} 
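Review bot: The new `SSL_PROTOCOLS` default `'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'` turns on TLS 1.0 and 1.1, which are deprecated (RFC 8996) and flagged by every compliance scanner, and because `SSL_REGISTRY_PROTOCOLS` and `SSL_PAGES_PROTOCOLS` fall back to it the weak default reaches three listeners at once. Since the variable is introduced in this change there is no existing deployment depending on it, so a safe default is free: `SSL_PROTOCOLS=${SSL_PROTOCOLS:-'TLSv1.2 TLSv1.3'}`, with operators who still need legacy clients opting in explicitly. The unchanged `SSL_CIPHERS` line above still lists `DES-CBC3-SHA` and the non-PFS `AES*-SHA*` suites; that is outside this hunk but worth a follow-up so the cipher list matches the protocol floor.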
@@ -155,20 +314,34 @@ esac ### AWS BACKUPS AWS_BACKUPS=${AWS_BACKUPS:-false} AWS_BACKUP_REGION=${AWS_BACKUP_REGION} +AWS_BACKUP_ENDPOINT=${AWS_BACKUP_ENDPOINT} +AWS_BACKUP_PATH_STYLE=${AWS_BACKUP_PATH_STYLE:-false} AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID} AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY} AWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET} AWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE} +AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION} +AWS_BACKUP_STORAGE_CLASS=${AWS_BACKUP_STORAGE_CLASS:-STANDARD} +AWS_BACKUP_SIGNATURE_VERSION=${AWS_BACKUP_SIGNATURE_VERSION:-4} + +### GCS BACKUPS +GCS_BACKUPS=${GCS_BACKUPS:-false} +GCS_BACKUP_ACCESS_KEY_ID=${GCS_BACKUP_ACCESS_KEY_ID} +GCS_BACKUP_SECRET_ACCESS_KEY=${GCS_BACKUP_SECRET_ACCESS_KEY} +GCS_BACKUP_BUCKET=${GCS_BACKUP_BUCKET} ## NGINX NGINX_SERVER_NAMES_HASH_BUCKET_SIZE=${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE:-32}; NGINX_WORKERS=${NGINX_WORKERS:-1} NGINX_ACCEL_BUFFERING=${NGINX_ACCEL_BUFFERING:-no} NGINX_PROXY_BUFFERING=${NGINX_PROXY_BUFFERING:-off} +NGINX_REAL_IP_RECURSIVE=${NGINX_REAL_IP_RECURSIVE:-off} +NGINX_REAL_IP_TRUSTED_ADDRESSES=${NGINX_REAL_IP_TRUSTED_ADDRESSES:-} case ${GITLAB_HTTPS} in true) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;; *) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;; esac +NGINX_CUSTOM_GITLAB_SERVER_CONFIG=${NGINX_CUSTOM_GITLAB_SERVER_CONFIG:-} ## MAIL DELIVERY SMTP_DOMAIN=${SMTP_DOMAIN:-www.gmail.com} @@ -194,6 +367,9 @@ GITLAB_EMAIL_SUBJECT_SUFFIX=${GITLAB_EMAIL_SUBJECT_SUFFIX:-} GITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com} GITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO:-noreply@example.com} GITLAB_EMAIL_DISPLAY_NAME=${GITLAB_EMAIL_DISPLAY_NAME:-GitLab} +GITLAB_EMAIL_SMIME_ENABLE=${GITLAB_EMAIL_SMIME_ENABLE:-false} +GITLAB_EMAIL_SMIME_KEY_FILE=${GITLAB_EMAIL_SMIME_KEY_FILE:-} +GITLAB_EMAIL_SMIME_CERT_FILE=${GITLAB_EMAIL_SMIME_CERT_FILE:-} ## INCOMING MAIL IMAP_HOST=${IMAP_HOST:-imap.gmail.com} 
@@ -219,6 +395,9 @@ LDAP_HOST=${LDAP_HOST:-} LDAP_PORT=${LDAP_PORT:-389} LDAP_UID=${LDAP_UID:-sAMAccountName} LDAP_METHOD=${LDAP_METHOD:-plain} +LDAP_VERIFY_SSL=${LDAP_VERIFY_SSL:-true} +LDAP_CA_FILE=${LDAP_CA_FILE:-} +LDAP_SSL_VERSION=${LDAP_SSL_VERSION:-} LDAP_BIND_DN=${LDAP_BIND_DN:-} LDAP_PASS=${LDAP_PASS:-} LDAP_TIMEOUT=${LDAP_TIMEOUT:-10} @@ -226,8 +405,15 @@ LDAP_ACTIVE_DIRECTORY=${LDAP_ACTIVE_DIRECTORY:-true} LDAP_BLOCK_AUTO_CREATED_USERS=${LDAP_BLOCK_AUTO_CREATED_USERS:-false} LDAP_BASE=${LDAP_BASE:-} LDAP_USER_FILTER=${LDAP_USER_FILTER:-} +LDAP_USER_ATTRIBUTE_USERNAME=${LDAP_USER_ATTRIBUTE_USERNAME:-['uid', 'userid', 'sAMAccountName']} +LDAP_USER_ATTRIBUTE_MAIL=${LDAP_USER_ATTRIBUTE_MAIL:-['mail', 'email', 'userPrincipalName']} +LDAP_USER_ATTRIBUTE_NAME=${LDAP_USER_ATTRIBUTE_NAME:-cn} +LDAP_USER_ATTRIBUTE_FIRSTNAME=${LDAP_USER_ATTRIBUTE_FIRSTNAME:-givenName} +LDAP_USER_ATTRIBUTE_LASTNAME=${LDAP_USER_ATTRIBUTE_LASTNAME:-sn} +LDAP_LOWERCASE_USERNAMES="${LDAP_LOWERCASE_USERNAMES:-false}" LDAP_LABEL=${LDAP_LABEL:-LDAP} LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-} +LDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false} case ${LDAP_UID} in userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;; *) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true} @@ -246,6 +432,7 @@ OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true} OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false} OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false} OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-} +OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-false} ### GOOGLE OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-} 
@@ -287,6 +474,7 @@ OAUTH_GITLAB_SCOPE=${OAUTH_GITLAB_SCOPE:-api} ### BITBUCKET OAUTH_BITBUCKET_API_KEY=${OAUTH_BITBUCKET_API_KEY:-} OAUTH_BITBUCKET_APP_SECRET=${OAUTH_BITBUCKET_APP_SECRET:-} +OAUTH_BITBUCKET_URL=${OAUTH_BITBUCKET_URL:-https://bitbucket.org/} ### CROWD OAUTH_CROWD_SERVER_URL=${OAUTH_CROWD_SERVER_URL:-} @@ -298,6 +486,12 @@ OAUTH_AZURE_API_KEY=${OAUTH_AZURE_API_KEY:-} OAUTH_AZURE_API_SECRET=${OAUTH_AZURE_API_SECRET:-} OAUTH_AZURE_TENANT_ID=${OAUTH_AZURE_TENANT_ID:-} +## AZURE Active Directory V2 endpoint +OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL:-'Azure AD v2'} +OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID:-} +OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET:-} +OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID=${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID:-} + ### SAML case $GITLAB_HTTPS in true) @@ -317,6 +511,7 @@ OAUTH_SAML_GROUPS_ATTRIBUTE=${OAUTH_SAML_GROUPS_ATTRIBUTE:-} OAUTH_SAML_EXTERNAL_GROUPS=${OAUTH_SAML_EXTERNAL_GROUPS:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME:-} +OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME:-} OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME=${OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME:-} 
@@ -328,6 +523,58 @@ OAUTH_CAS3_LOGIN_URL=${OAUTH_CAS3_LOGIN_URL:-/cas/login} OAUTH_CAS3_VALIDATE_URL=${OAUTH_CAS3_VALIDATE_URL:-/cas/p3/serviceValidate} OAUTH_CAS3_LOGOUT_URL=${OAUTH_CAS3_LOGOUT_URL:-/cas/logout} +### AUTH0 +OAUTH_AUTH0_SCOPE=${OAUTH_AUTH0_SCOPE:-openid profile email} + +## OAUTH2 GENERIC +OAUTH2_GENERIC_APP_ID=${OAUTH2_GENERIC_APP_ID:-} +OAUTH2_GENERIC_APP_SECRET=${OAUTH2_GENERIC_APP_SECRET:-} +OAUTH2_GENERIC_CLIENT_SITE=${OAUTH2_GENERIC_CLIENT_SITE:-} +OAUTH2_GENERIC_CLIENT_USER_INFO_URL=${OAUTH2_GENERIC_CLIENT_USER_INFO_URL:-} +OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=${OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL:-} +OAUTH2_GENERIC_CLIENT_TOKEN_URL=${OAUTH2_GENERIC_CLIENT_TOKEN_URL:-} +OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=${OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT:-} +OAUTH2_GENERIC_ID_PATH=${OAUTH2_GENERIC_ID_PATH:-} +OAUTH2_GENERIC_USER_UID=${OAUTH2_GENERIC_USER_UID:-} +OAUTH2_GENERIC_USER_NAME=${OAUTH2_GENERIC_USER_NAME:-} +OAUTH2_GENERIC_USER_EMAIL=${OAUTH2_GENERIC_USER_EMAIL:-} +OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-} +OAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-} +OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-} + +### OpenID Connect +OAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'} +OAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-} +OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"} +OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'} +OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-} +OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true} +OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'} +OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub} +OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false} +OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true} +OAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-} +OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'} +case $GITLAB_HTTPS in + true) + 
OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback} + ;; + false) + OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback} + ;; +esac + +### JWT +OAUTH_JWT_LABEL=${OAUTH_JWT_LABEL:-'Jwt'} +OAUTH_JWT_SECRET=${OAUTH_JWT_SECRET:-} +OAUTH_JWT_ALGORITHM=${OAUTH_JWT_ALGORITHM:-'HS256'} +OAUTH_JWT_UID_CLAIM=${OAUTH_JWT_UID_CLAIM:-'email'} +OAUTH_JWT_REQUIRED_CLAIMS=${OAUTH_JWT_REQUIRED_CLAIMS:-'["name", "email"]'} +OAUTH_JWT_INFO_MAP_NAME=${OAUTH_JWT_INFO_MAP_NAME:-'name'} +OAUTH_JWT_INFO_MAP_EMAIL=${OAUTH_JWT_INFO_MAP_EMAIL:-'email'} +OAUTH_JWT_AUTH_URL=${OAUTH_JWT_AUTH_URL:-} +OAUTH_JWT_VALID_WITHIN=${OAUTH_JWT_VALID_WITHIN:-3600} + ## ANALYTICS ### GOOGLE 
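Review bot: `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}` ships a hard-coded, guessable default for a credential, and `gitlab_configure_oauth_oidc` further down in this diff enables the provider as soon as `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID` are set, so an operator who forgets the secret gets a provider that authenticates to the IdP with the literal string `secret` instead of a startup error. Use an empty default like every other `*_SECRET` in this file, `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-}`, and either add `-n ${OAUTH_OIDC_CLIENT_SECRET}` to the enable check or document that a public client must change `OAUTH_OIDC_CLIENT_AUTH_METHOD` deliberately. The `case $GITLAB_HTTPS` here has only `true)` and `false)` arms, so any other value leaves `OAUTH_OIDC_REDIRECT_URI` unset; a `*)` fallback to the http form would avoid a silently empty redirect URI. For the JWT provider, `OAUTH_JWT_SECRET` is the HS256 HMAC key and the enable check later in the diff does require it to be non-empty, which is right, but a comment such as `# HS256 HMAC key: must be long and random, never a passphrase` next to `OAUTH_JWT_SECRET` would help operators size it correctly.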
@@ -339,7 +586,97 @@ PIWIK_SITE_ID=${PIWIK_SITE_ID:-} ## RACK ATTACK RACK_ATTACK_ENABLED=${RACK_ATTACK_ENABLED:-true} -RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-"127.0.0.1"} +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST:-'["127.0.0.1"]'} +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST// /} +# Backward compatibility : See sameersbn/docker-gitlab#2828 +# Pre-check: each host is surrounded by single / double quotation +# if not, generated string will be [127.0.0.1] for example and ruby raises error +RACK_ATTACK_WHITELIST_ORIGIN=${RACK_ATTACK_WHITELIST} +# remove [], then iterate entries +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST#"["} +RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST%"]"} +IFS_ORG=${IFS} +IFS=, +for host in ${RACK_ATTACK_WHITELIST}; do + # Both single / double quotation may be used + if ! [[ ${host} =~ ^(\"|\').*(\"|\')$ ]]; then + RACK_ATTACK_WHITELIST=${RACK_ATTACK_WHITELIST/${host}/\"${host//(\'|\")/}\"} + fi +done +IFS=$IFS_ORG +# surround with [] +RACK_ATTACK_WHITELIST="[${RACK_ATTACK_WHITELIST}]" +if [[ "${RACK_ATTACK_WHITELIST}" != "${RACK_ATTACK_WHITELIST_ORIGIN}" ]]; then + printf "[warning] RACK_ATTACK_WHITELIST must be a yaml sequence of hosts.\nFixing from %s to %s\n" \ + "${RACK_ATTACK_WHITELIST_ORIGIN}" \ + "${RACK_ATTACK_WHITELIST}" +fi RACK_ATTACK_MAXRETRY=${RACK_ATTACK_MAXRETRY:-10} RACK_ATTACK_FINDTIME=${RACK_ATTACK_FINDTIME:-60} RACK_ATTACK_BANTIME=${RACK_ATTACK_BANTIME:-3600} + + +## GitLab Pages +GITLAB_PAGES_ENABLED=${GITLAB_PAGES_ENABLED:-false} +GITLAB_PAGES_DOMAIN=${GITLAB_PAGES_DOMAIN:-"example.com"} +GITLAB_PAGES_DIR="${GITLAB_PAGES_DIR:-$GITLAB_SHARED_DIR/pages}" +GITLAB_PAGES_PORT=${GITLAB_PAGES_PORT:-80} +GITLAB_PAGES_ARTIFACTS_SERVER=${GITLAB_PAGES_ARTIFACTS_SERVER:-true} +GITLAB_PAGES_ARTIFACTS_SERVER_URL=${GITLAB_PAGES_ARTIFACTS_SERVER_URL:-} +GITLAB_PAGES_HTTPS=${GITLAB_PAGES_HTTPS:-false} +GITLAB_PAGES_EXTERNAL_HTTP=${GITLAB_PAGES_EXTERNAL_HTTP:-} +GITLAB_PAGES_EXTERNAL_HTTPS=${GITLAB_PAGES_EXTERNAL_HTTPS:-} 
+GITLAB_PAGES_ACCESS_CONTROL=${GITLAB_PAGES_ACCESS_CONTROL:-false} +GITLAB_PAGES_ACCESS_CONTROL_SERVER=${GITLAB_PAGES_ACCESS_CONTROL_SERVER:-} +GITLAB_PAGES_ACCESS_SECRET=${GITLAB_PAGES_ACCESS_SECRET:-} +GITLAB_PAGES_ACCESS_CLIENT_ID=${GITLAB_PAGES_ACCESS_CLIENT_ID:-} +GITLAB_PAGES_ACCESS_CLIENT_SECRET=${GITLAB_PAGES_ACCESS_CLIENT_SECRET:-} +GITLAB_PAGES_ACCESS_REDIRECT_URI=${GITLAB_PAGES_ACCESS_REDIRECT_URI:-} +GITLAB_PAGES_NGINX_PROXY=${GITLAB_PAGES_NGINX_PROXY:-true} + +## Gitaly +GITALY_CLIENT_PATH=${GITALY_CLIENT_PATH:-$GITLAB_GITALY_INSTALL_DIR} +GITALY_TOKEN=${GITALY_TOKEN:-} +GITALY_SOCKET_PATH=${GITLAB_INSTALL_DIR}/tmp/sockets/private/gitaly.socket +GITALY_ADDRESS=${GITALY_ADDRESS:-unix:$GITALY_SOCKET_PATH} + +## GitLab Shell +GITLAB_SHELL_CUSTOM_HOOKS_DIR=${GITLAB_SHELL_CUSTOM_HOOKS_DIR:-"$GITLAB_SHELL_INSTALL_DIR/hooks"} + +## MONITORING +GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL=${GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL:-10} +GITLAB_MONITORING_IP_WHITELIST=${GITLAB_MONITORING_IP_WHITELIST:-} +GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED:-true} +GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS:-"0.0.0.0"} +GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT=${GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT:-3807} + +## Sentry +SENTRY_ENABLED=${SENTRY_ENABLED:-false} +SENTRY_DSN=${SENTRY_DSN:-} +SENTRY_CLIENTSIDE_DSN=${SENTRY_CLIENTSIDE_DSN:-} +SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT:-production} + +## Content Security Policy +# See https://guides.rubyonrails.org/security.html#content-security-policy +GITLAB_CONTENT_SECURITY_POLICY_ENABLED=${GITLAB_CONTENT_SECURITY_POLICY_ENABLED:-true} +GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY=${GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY:-false} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI:-} 
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC:-} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC:-"'self' http://localhost:* ws://localhost:* wss://localhost:*"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC:-"'self'"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC:-} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION:-} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS:-"'self'"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC:-"'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC:-"* data: blob:"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC:-} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC:-} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC:-"'none'"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC:-"'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"} +GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC:-"'self' 'unsafe-inline'"} 
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC:-"'self' blob:"}
+GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI=${GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI:-}
+
+## Feature Flags
+GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS:-}
+GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 481428608..2315bfc1a 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -1,5 +1,13 @@
 #!/bin/bash
 set -e
+
+for file in /gitlab-configs /run/secrets/gitlab-secrets; do
+ if [[ -e "$file" ]]; then
+ echo "Loading $file"
+ source "$file"
+ fi
+done
+echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults"
 source ${GITLAB_RUNTIME_DIR}/env-defaults
 
 SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config"
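Review bot: `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS` defaults to `"0.0.0.0"` while `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED` defaults to `true`, so the unauthenticated Prometheus listener on port 3807 is bound on every interface of the container out of the box; metrics are not secrets, but they expose queue names, job volumes and host details, and the empty `GITLAB_MONITORING_IP_WHITELIST` defined next to it does not appear to govern this listener. Prefer `"127.0.0.1"` as the default, or at least add `# exporter is unauthenticated: do not publish this port outside the monitoring network` beside it. Separately, in the `RACK_ATTACK_WHITELIST` normaliser the substitution `${host//(\'|\")/}` is a bash glob, not a regex — without `extglob` it only removes the literal text `('|")`, so a half-quoted entry such as `"10.0.0.1` comes out as `""10.0.0.1"` and the generated YAML is still invalid; `${host//[\'\"]/}` is the bracket expression that actually strips stray quotes.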
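Review bot: The new loop `source`s `/gitlab-configs` and `/run/secrets/gitlab-secrets` as bash, so anything mounted there is executed at startup (apparently as root, given the unprivileged-free `apt-get purge` later in this diff) rather than parsed as `KEY=VALUE` data; that is acceptable for operator-controlled files but should be stated, e.g. `# NOTE: sourced as bash, so these files can run arbitrary commands; mount them read-only and root-owned`. The guard should also be `[[ -f "$file" ]]` rather than `-e`: a directory or unreadable path satisfies `-e`, `source` then fails, and with `set -e` the container aborts with an unhelpful message. A one-line comment that these files are deliberately loaded before `env-defaults` so their values win over the `${VAR:-default}` lines would stop someone reordering the two `source` calls.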
@@ -7,17 +15,20 @@ USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config" GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml" GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml" -GITLAB_UNICORN_CONFIG="${GITLAB_INSTALL_DIR}/config/unicorn.rb" +GITLAB_PUMA_CONFIG="${GITLAB_INSTALL_DIR}/config/puma.rb" GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb" -GITLAB_RACK_ATTACK_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/rack_attack.rb" GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb" GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml" +GITLAB_ACTIONCABLE_CONFIG="${GITLAB_INSTALL_DIR}/config/cable.yml" GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml" GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt" GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml" -GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab" -GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci" -GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry" +GITLAB_NGINX_CONFIG="/etc/nginx/conf.d/gitlab.conf" +GITLAB_CI_NGINX_CONFIG="/etc/nginx/conf.d/gitlab_ci.conf" +GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-registry.conf" +GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/conf.d/gitlab-pages.conf" +GITLAB_PAGES_CONFIG="${GITLAB_INSTALL_DIR}/gitlab-pages-config" +GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml" # Compares two version strings `a` and `b` # Returns 
@@ -89,50 +100,32 @@ update_template() { } gitlab_finalize_database_parameters() { - # is a mysql or postgresql database linked? - # requires that the mysql or postgresql containers have exposed - # port 3306 and 5432 respectively. - if [[ -n ${MYSQL_PORT_3306_TCP_ADDR} ]]; then - DB_ADAPTER=${DB_ADAPTER:-mysql2} - DB_HOST=${DB_HOST:-${MYSQL_PORT_3306_TCP_ADDR}} - DB_PORT=${DB_PORT:-${MYSQL_PORT_3306_TCP_PORT}} - - # support for linked sameersbn/mysql image - DB_USER=${DB_USER:-${MYSQL_ENV_DB_USER}} - DB_PASS=${DB_PASS:-${MYSQL_ENV_DB_PASS}} - DB_NAME=${DB_NAME:-${MYSQL_ENV_DB_NAME}} - - # support for linked orchardup/mysql and enturylink/mysql image - # also supports official mysql image - DB_USER=${DB_USER:-${MYSQL_ENV_MYSQL_USER}} - DB_PASS=${DB_PASS:-${MYSQL_ENV_MYSQL_PASSWORD}} - DB_NAME=${DB_NAME:-${MYSQL_ENV_MYSQL_DATABASE}} - elif [[ -n ${POSTGRESQL_PORT_5432_TCP_ADDR} ]]; then - DB_ADAPTER=${DB_ADAPTER:-postgresql} - DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}} - DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}} - - # support for linked official postgres image - DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}} - DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}} - DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}} - DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}} - - # support for linked sameersbn/postgresql image - DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}} - DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}} - DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}} - - # support for linked orchardup/postgresql image - DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}} - DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}} - DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}} - - # support for linked paintedfox/postgresql image - DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}} - DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}} - DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}} - fi + # is a postgresql database linked? 
+ # requires that the postgresql containers have exposed port 5432. + DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}} + DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}} + + # support for linked official postgres image + DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}} + DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}} + DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}} + DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}} + + # support for linked sameersbn/postgresql image + DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}} + DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}} + DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}} + + # support for linked orchardup/postgresql image + DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}} + DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}} + DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}} + + # support for linked paintedfox/postgresql image + DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}} + DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}} + DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}} + if [[ -z ${DB_HOST} ]]; then echo @@ -145,25 +138,9 @@ gitlab_finalize_database_parameters() { fi # set default port number if not specified - DB_ADAPTER=${DB_ADAPTER:-postgresql} - case ${DB_ADAPTER} in - mysql2) - DB_ENCODING=${DB_ENCODING:-utf8} - DB_PORT=${DB_PORT:-3306} - ;; - postgresql) - DB_ENCODING=${DB_ENCODING:-unicode} - DB_PORT=${DB_PORT:-5432} - ;; - *) - echo - echo "ERROR: " - echo " Please specify the database type in use via the DB_ADAPTER configuration option." - echo " Accepted values are \"postgresql\" or \"mysql2\". Aborting..." - echo - return 1 - ;; - esac + DB_PORT=${DB_PORT:-5432} + + DB_ENCODING=${DB_ENCODING:-unicode} # set default user and database DB_USER=${DB_USER:-root} 
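Review bot: Dropping the `DB_ADAPTER` validation means a deployment that still sets `DB_ADAPTER=mysql2` (a value this script accepted until now) proceeds silently with PostgreSQL defaults, port 5432 and user `root`, whereas the removed `*)` branch at least aborted on unknown values. Keep an explicit guard at the top of `gitlab_finalize_database_parameters`: `if [[ -n ${DB_ADAPTER} && ${DB_ADAPTER} != postgresql ]]; then echo "ERROR: only DB_ADAPTER=postgresql is supported (got '${DB_ADAPTER}')"; return 1; fi`. The body of `gitlab_finalize_database_parameters` starts before the first hunk shown here.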
@@ -171,15 +148,10 @@ gitlab_finalize_database_parameters() {
 }
 
 gitlab_check_database_connection() {
- case ${DB_ADAPTER} in
- mysql2)
- prog="mysqladmin -h ${DB_HOST} -P ${DB_PORT} -u ${DB_USER} ${DB_PASS:+-p$DB_PASS} status"
- ;;
- postgresql)
- prog=$(find /usr/lib/postgresql/ -name pg_isready)
- prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
- ;;
- esac
+
+ prog=$(command -v pg_isready)
+ prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
+
 timeout=60
 while ! ${prog} >/dev/null 2>&1
 do
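Review bot: `prog=$(command -v pg_isready)` is never checked, so if the binary is missing `prog` becomes `" -h ${DB_HOST} …"`, `while ! ${prog}` tries to execute `-h`, and the loop spins for the full 60-second timeout before reporting a database-connection failure that is really a packaging problem. Add `command -v pg_isready >/dev/null || { echo "ERROR: pg_isready not found in PATH"; return 1; }` before building the command. Because `${prog}` is expanded unquoted and word-split, a space in `DB_HOST`, `DB_USER` or `DB_NAME` silently changes the argument vector; building it as an array, `prog=(pg_isready -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -t 1)` and invoking `"${prog[@]}"`, avoids that. The rest of `gitlab_check_database_connection` lies outside the hunk.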
@@ -195,28 +167,108 @@ gitlab_check_database_connection() { echo } +gitlab_generate_postgresqlrc() { + echo "Configuring /home/${GITLAB_USER}/.postgresqlrc to avoid version mismatch on dumping" + # server_version_num property is a number built from version string: + # https://www.postgresql.org/docs/15/libpq-status.html#LIBPQ-PQSERVERVERSION + # > The result is formed by multiplying the server's major version number by 10000 and adding the minor version number. + # > For example, version 10.1 will be returned as 100001, and version 11.0 will be returned as 110000. Zero is returned if the connection is bad. + # > + # > Prior to major version 10, PostgreSQL used three-part version numbers in which the first two parts together represented the major version. + # > For those versions, PQserverVersion uses two digits for each part; + # > for example version 9.1.5 will be returned as 90105, and version 9.2.0 will be returned as 90200. + # + # This difference also appends to apt package name. + # For example, in ubuntu:focal, postgresql-client-{8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15} are available. + # + DB_SERVER_VERSION=$(PGPASSWORD=${DB_PASS} psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "SHOW server_version_num") + if [[ "${DB_SERVER_VERSION}" -eq 0 ]]; then + echo + echo "Could not retrieve database server version correctly. Aborting..." + return 1 + fi + + echo "- Detected server version: ${DB_SERVER_VERSION}" + + # Anyway, we can get major version (8, 9, 10 and so on) by dividing by 10000. 
+ # DB_SERVER_VERSION_MAJOR=${DB_SERVER_VERSION%%.*} + DB_SERVER_VERSION_MAJOR=$((DB_SERVER_VERSION/10000)) + DB_CLIENT_VERSION_PACKAGE_NAME= + + if [[ "${DB_SERVER_VERSION_MAJOR}" -ge 10 ]]; then + # v10 or later: use "rought major version" as version number in package name + DB_CLIENT_VERSION_PACKAGE_NAME=${DB_SERVER_VERSION_MAJOR} + else + # prior to v10: convert + # FIXME: rough implementation + # It exploits the fact that there is no version such as 9.10, and it lacks versatility. + # divide by 100, then replace first 0 to comma + DB_CLIENT_VERSION_PACKAGE_NAME=$((DB_SERVER_VERSION/100)) + DB_CLIENT_VERSION_PACKAGE_NAME=${DB_CLIENT_VERSION_PACKAGE_NAME/0/.} + fi + + # if exact-match client not found, select latest version from installed clients + if [[ "$(apt-cache pkgnames postgresql-client | grep -e "-${DB_CLIENT_VERSION_PACKAGE_NAME}" | wc -l)" -ne 1 ]]; then + LATEST_CLIENT="$(apt-cache pkgnames postgresql-client | grep -v -e "-common" | sort --version-sort | tail -n1)" + DB_CLIENT_VERSION_PACKAGE_NAME=${LATEST_CLIENT/postgresql-client-/} + echo "gitlab_generate_postgresqlrc(): WARNING - Suitable client not installed. postgresql-client-${DB_CLIENT_VERSION_PACKAGE_NAME} will be used but you may face issue (database in backup will be empty, for example)" + fi + + # generate ~/.postgresqlrc to switch client version + GITLAB_USER_POSTGRESQLRC="/home/${GITLAB_USER}/.postgresqlrc" + echo "- Generating ${GITLAB_USER_POSTGRESQLRC}" + echo "${DB_CLIENT_VERSION_PACKAGE_NAME} ${DB_HOST}:${DB_PORT} ${DB_NAME}" | exec_as_git tee "${GITLAB_USER_POSTGRESQLRC}" +} + +gitlab_uninstall_unused_database_client() { + if [[ -f "/home/${GITLAB_USER}/.postgresqlrc" ]]; then + # refer /home/${GITLAB_USER}/.postgresqlrc and pick up versions in use + # .postgresqlrc contains following information per line + # database_major_version host:port database_name + # - ignore lines starts with # by specifying pattern /^[^#]/ + # - first field is the version number in use. 
+ # - cocnat whole lines into single string. convert newline to \| + # this is escaped regex "OR" + # now we got the following regex that can be used as an option to grep: + # \|-12\|-13 + DB_CLIENT_VERSIONS_IN_USE="$(awk '/^[^#]/ {printf("\|-%s",$1)}' "/home/${GITLAB_USER}/.postgresqlrc")" + + # we also need to keep postgresql-client-common package to switch based on ~/.postgresqlrc + REGEX_DB_CLIENT_VERSIONS_IN_USE="-common${DB_CLIENT_VERSIONS_IN_USE}" + + # remove unused client using regex above + # grep may return non-zero code on mo match, so fake the exit code with the `|| true` to swallow that + UNUSED_DB_CLIENTS=$(apt-cache pkgnames postgresql-client | grep -v -e "${REGEX_DB_CLIENT_VERSIONS_IN_USE}" || true) + if [[ "${UNUSED_DB_CLIENTS}" == "" ]]; then + echo "- All installed version of clients are in use. Did not uninstalled any client..." + return + fi + + # just to get clean log, convert newline (package name delimiter) to single whitespace + UNUSED_DB_CLIENTS=$(echo ${UNUSED_DB_CLIENTS} | tr '\n' ' ') + + echo "- Uninstalling unused client(s): ${UNUSED_DB_CLIENTS}" + DEBIAN_FRONTEND=noninteractive apt-get -qq -y purge -- ${UNUSED_DB_CLIENTS} >/dev/null + fi +} + gitlab_configure_database() { echo -n "Configuring gitlab::database" gitlab_finalize_database_parameters gitlab_check_database_connection + gitlab_generate_postgresqlrc + gitlab_uninstall_unused_database_client update_template ${GITLAB_DATABASE_CONFIG} \ - DB_ADAPTER \ DB_ENCODING \ DB_HOST \ DB_PORT \ DB_NAME \ DB_USER \ DB_PASS \ - DB_POOL - - if [[ ${DB_ADAPTER} == postgresql ]]; then - exec_as_git sed -i \ - -e "/reconnect: /d" \ - -e "/collation: /d" \ - ${GITLAB_DATABASE_CONFIG} - fi + DB_POOL \ + DB_PREPARED_STATEMENTS } gitlab_finalize_redis_parameters() { 
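Review bot: In `gitlab_uninstall_unused_database_client` the awk format string `"\|-%s"` uses an escape sequence awk does not define; gawk warns and drops the backslash (mawk behaves differently, so this depends on which awk the image ships), in which case the resulting `grep -v -e "-common|-12"` is a BRE with a literal `|`, excludes nothing, and `UNUSED_DB_CLIENTS` ends up listing every installed `postgresql-client-*` package including `postgresql-client-common` — which the function then purges. Escape the backslash itself, `awk '/^[^#]/ {printf("\\|-%s",$1)}'`, or drop the regex trick and feed `grep -v -F -f` a file of fixed strings, and guard the purge with a sanity check such as `[[ ${UNUSED_DB_CLIENTS} != *-common* ]] || { echo "refusing to purge postgresql-client-common"; return 1; }`. I have not executed this under both awks, so please verify on the actual base image before merging.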
@@ -268,6 +320,49 @@ gitlab_configure_redis() { REDIS_DB_NUMBER } +gitlab_configure_actioncable() { + echo -n "Configuring gitlab::actioncable" + + gitlab_finalize_redis_parameters + gitlab_check_redis_connection + + update_template ${GITLAB_ACTIONCABLE_CONFIG} \ + REDIS_HOST \ + REDIS_PORT \ + REDIS_DB_NUMBER +} + +gitlab_configure_gitaly() { + echo "Configuring gitlab::gitaly..." + update_template ${GITLAB_GITALY_CONFIG} \ + GITALY_SOCKET_PATH \ + GITLAB_GITALY_INSTALL_DIR \ + GITLAB_LOG_DIR \ + GITLAB_REPOS_DIR \ + GITLAB_SHELL_INSTALL_DIR \ + GITLAB_RELATIVE_URL_ROOT + + update_template ${GITLAB_CONFIG} \ + GITALY_CLIENT_PATH \ + GITALY_TOKEN + +} + +gitlab_configure_monitoring() { + echo "Configuring gitlab::monitoring..." + + if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then + exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \ + GITLAB_MONITORING_IP_WHITELIST \ + GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \ + GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \ + GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT +} + gitlab_configure_gitlab_workhorse() { echo "Configuring gitlab::gitlab-workhorse..." update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \ 
@@ -275,18 +370,22 @@ gitlab_configure_gitlab_workhorse() { GITLAB_WORKHORSE_TIMEOUT } -gitlab_configure_unicorn() { - echo "Configuring gitlab::unicorn..." +gitlab_configure_puma() { + echo "Configuring gitlab::puma..." if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then - update_template ${GITLAB_UNICORN_CONFIG} GITLAB_RELATIVE_URL_ROOT + update_template ${GITLAB_PUMA_CONFIG} GITLAB_RELATIVE_URL_ROOT else - exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_UNICORN_CONFIG} + exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_PUMA_CONFIG} fi - update_template ${GITLAB_UNICORN_CONFIG} \ + update_template ${GITLAB_PUMA_CONFIG} \ GITLAB_INSTALL_DIR \ - UNICORN_WORKERS \ - UNICORN_TIMEOUT + PUMA_THREADS_MIN \ + PUMA_THREADS_MAX \ + PUMA_WORKERS \ + PUMA_PER_WORKER_MAX_MEMORY_MB \ + PUMA_MASTER_MAX_MEMORY_MB \ + PUMA_TIMEOUT } gitlab_configure_relative_url() { @@ -361,6 +460,17 @@ gitlab_configure_mail_delivery() { GITLAB_EMAIL_DISPLAY_NAME \ GITLAB_EMAIL_REPLY_TO \ GITLAB_EMAIL_SUBJECT_SUFFIX + + if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then + exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG} + update_template ${GITLAB_CONFIG} \ + GITLAB_EMAIL_SMIME_ENABLE \ + GITLAB_EMAIL_SMIME_KEY_FILE \ + GITLAB_EMAIL_SMIME_CERT_FILE + else + exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG} + fi } gitlab_configure_mailroom() { @@ -415,6 +525,9 @@ gitlab_configure_ldap() { LDAP_PORT \ LDAP_UID \ LDAP_METHOD \ + LDAP_VERIFY_SSL \ + LDAP_CA_FILE \ + LDAP_SSL_VERSION \ LDAP_BIND_DN \ LDAP_PASS \ LDAP_TIMEOUT \ 
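Review bot: When `GITLAB_EMAIL_SMIME_ENABLE=true`, `GITLAB_EMAIL_SMIME_KEY_FILE` and `GITLAB_EMAIL_SMIME_CERT_FILE` are templated into `gitlab.yml` without checking that they are set, and both default to empty in `env-defaults`, so flipping the flag alone presumably yields a configuration pointing at empty paths whose failure only shows up when the first signed mail is sent. Add a guard before the `update_template` call: `if [[ ! -r ${GITLAB_EMAIL_SMIME_KEY_FILE} || ! -r ${GITLAB_EMAIL_SMIME_CERT_FILE} ]]; then echo "ERROR: GITLAB_EMAIL_SMIME_ENABLE=true but key/cert file is missing or unreadable"; return 1; fi`. The enclosing `gitlab_configure_mail_delivery` begins outside the hunk.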
@@ -423,7 +536,14 @@ gitlab_configure_ldap() { LDAP_BLOCK_AUTO_CREATED_USERS \ LDAP_BASE \ LDAP_USER_FILTER \ - LDAP_LABEL + LDAP_LOWERCASE_USERNAMES \ + LDAP_USER_ATTRIBUTE_USERNAME \ + LDAP_USER_ATTRIBUTE_MAIL \ + LDAP_USER_ATTRIBUTE_NAME \ + LDAP_USER_ATTRIBUTE_FIRSTNAME \ + LDAP_USER_ATTRIBUTE_LASTNAME \ + LDAP_LABEL \ + LDAP_PREVENT_LDAP_SIGN_IN } gitlab_configure_oauth_cas3() { @@ -497,7 +617,7 @@ gitlab_configure_oauth_authentiq() { OAUTH_AUTHENTIQ_CLIENT_ID \ OAUTH_AUTHENTIQ_CLIENT_SECRET \ OAUTH_AUTHENTIQ_SCOPE \ - OAUTH_AUTHENTIQ_REDIRECT_URI + OAUTH_AUTHENTIQ_REDIRECT_URI else exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG} fi 
@@ -537,22 +657,26 @@ gitlab_configure_oauth_bitbucket() { OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_BITBUCKET_API_KEY \ - OAUTH_BITBUCKET_APP_SECRET + OAUTH_BITBUCKET_APP_SECRET \ + OAUTH_BITBUCKET_URL else - exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_APP_SECRET}}/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_URL}}/d" ${GITLAB_CONFIG} fi } gitlab_configure_oauth_saml_attribute_statements() { - if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} && \ - -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME} ]]; then + if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} ]]; then echo "Configuring gitlab::oauth::saml::attribute_statements..." update_template ${GITLAB_CONFIG} \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \ + OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \ OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME # Remove undefined optional attributes + exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG} exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG} else 
@@ -585,6 +709,31 @@ gitlab_configure_oauth_saml() { fi } +gitlab_configure_oauth2_generic() { + if [[ -n ${OAUTH2_GENERIC_APP_ID} && \ + -n ${OAUTH2_GENERIC_APP_SECRET} ]]; then + echo "Configuring gitlab::oauth::generic..." + OAUTH_ENABLED=${OAUTH_ENABLED:-true} + update_template ${GITLAB_CONFIG} \ + OAUTH2_GENERIC_APP_ID \ + OAUTH2_GENERIC_APP_SECRET \ + OAUTH2_GENERIC_CLIENT_SITE \ + OAUTH2_GENERIC_CLIENT_USER_INFO_URL \ + OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \ + OAUTH2_GENERIC_CLIENT_TOKEN_URL \ + OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \ + OAUTH2_GENERIC_ID_PATH \ + OAUTH2_GENERIC_USER_UID \ + OAUTH2_GENERIC_USER_NAME \ + OAUTH2_GENERIC_USER_EMAIL \ + OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \ + OAUTH2_GENERIC_LABEL \ + OAUTH2_GENERIC_NAME + else + exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG} + fi +} + gitlab_configure_oauth_crowd() { if [[ -n ${OAUTH_CROWD_SERVER_URL} && \ -n ${OAUTH_CROWD_APP_NAME} && \ @@ -603,15 +752,17 @@ gitlab_configure_oauth_crowd() { gitlab_configure_oauth_auth0() { if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \ -n ${OAUTH_AUTH0_CLIENT_SECRET} && \ + -n ${OAUTH_AUTH0_SCOPE} && \ -n ${OAUTH_AUTH0_DOMAIN} ]]; then echo "Configuring gitlab::oauth::auth0..." OAUTH_ENABLED=${OAUTH_ENABLED:-true} update_template ${GITLAB_CONFIG} \ OAUTH_AUTH0_CLIENT_ID \ OAUTH_AUTH0_CLIENT_SECRET \ - OAUTH_AUTH0_DOMAIN + OAUTH_AUTH0_DOMAIN \ + OAUTH_AUTH0_SCOPE else - exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_DOMAIN}}/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d" ${GITLAB_CONFIG} fi } 
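Review bot: Adding `-n ${OAUTH_AUTH0_SCOPE} && \` to the guard in gitlab_configure_oauth_auth0 means a deployment that sets only client id, secret and domain now falls into the else branch and has its auth0 block deleted from the config; unless OAUTH_AUTH0_SCOPE receives a non-empty default elsewhere in this change (not visible here), that is a silent loss of a working login method on upgrade. Keeping SCOPE optional — guard on the three original variables and let update_template substitute whatever SCOPE holds — avoids that, and a comment on the guard should state which variables are mandatory. In gitlab_configure_oauth2_generic the cleanup range is keyed on the literal `name: 'oauth2_generic'` while OAUTH2_GENERIC_NAME is user-settable; a comment noting that the template block is always labelled `oauth2_generic` regardless of that variable would prevent a later "fix" that breaks the range.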
@@ -630,6 +781,66 @@ gitlab_configure_oauth_azure() { fi } +gitlab_configure_oauth_azure_ad_v2() { + # we don't check if OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL because it is optional + if [[ -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID} && \ + -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET} && \ + -n ${OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID} ]]; then + echo "Configuring gitlab::oauth::azure_activedirectory_v2..." + update_template ${GITLAB_CONFIG} \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET \ + OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID + else + exec_as_git sed -i "/name: 'azure_activedirectory_v2'/,/{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}/d" ${GITLAB_CONFIG} + fi +} + +gitlab_configure_oauth_oidc() { + if [[ -n ${OAUTH_OIDC_ISSUER} && \ + -n ${OAUTH_OIDC_CLIENT_ID} ]]; then + echo "Configuring gitlab::oauth::oidc..." + OAUTH_ENABLED=${OAUTH_ENABLED:-true} + update_template ${GITLAB_CONFIG} \ + OAUTH_OIDC_LABEL \ + OAUTH_OIDC_ICON \ + OAUTH_OIDC_SCOPE \ + OAUTH_OIDC_RESPONSE_TYPE \ + OAUTH_OIDC_ISSUER \ + OAUTH_OIDC_DISCOVERY \ + OAUTH_OIDC_CLIENT_AUTH_METHOD \ + OAUTH_OIDC_UID_FIELD \ + OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \ + OAUTH_OIDC_PKCE \ + OAUTH_OIDC_CLIENT_ID \ + OAUTH_OIDC_CLIENT_SECRET \ + OAUTH_OIDC_REDIRECT_URI + else + exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG} + fi +} + +gitlab_configure_oauth_jwt() { + if [[ -n ${OAUTH_JWT_SECRET} && \ + -n ${OAUTH_JWT_AUTH_URL} ]]; then + echo "Configuring gitlab::oauth::jwt..." 
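Review bot: gitlab_configure_oauth_azure_ad_v2 never sets `OAUTH_ENABLED=${OAUTH_ENABLED:-true}`, unlike every sibling provider function in this change (oauth2_generic, auth0, oidc, jwt), so a deployment that configures only Azure AD v2 is left with the `OAUTH_ENABLED=${OAUTH_ENABLED:-false}` fallback in gitlab_configure_oauth and presumably an omniauth section that is rendered disabled. Adding `OAUTH_ENABLED=${OAUTH_ENABLED:-true}` after the echo makes it consistent. In gitlab_configure_oauth_oidc the guard accepts an issuer and client id without OAUTH_OIDC_CLIENT_SECRET; that is legitimate for PKCE/public clients, but a one-line comment saying the secret is intentionally optional would stop the next reader from tightening it. gitlab_configure_oauth_jwt continues on the next physical line.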
+ OAUTH_ENABLED=${OAUTH_ENABLED:-true} + update_template ${GITLAB_CONFIG} \ + OAUTH_JWT_LABEL \ + OAUTH_JWT_SECRET \ + OAUTH_JWT_ALGORITHM \ + OAUTH_JWT_UID_CLAIM \ + OAUTH_JWT_REQUIRED_CLAIMS \ + OAUTH_JWT_INFO_MAP_NAME \ + OAUTH_JWT_INFO_MAP_EMAIL \ + OAUTH_JWT_AUTH_URL \ + OAUTH_JWT_VALID_WITHIN + else + exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG} + fi +} + gitlab_configure_oauth() { echo "Configuring gitlab::oauth..." @@ -642,9 +853,13 @@ gitlab_configure_oauth() { gitlab_configure_oauth_gitlab gitlab_configure_oauth_bitbucket gitlab_configure_oauth_saml + gitlab_configure_oauth2_generic gitlab_configure_oauth_crowd gitlab_configure_oauth_auth0 gitlab_configure_oauth_azure + gitlab_configure_oauth_azure_ad_v2 + gitlab_configure_oauth_oidc + gitlab_configure_oauth_jwt OAUTH_ENABLED=${OAUTH_ENABLED:-false} update_template ${GITLAB_CONFIG} \ @@ -653,10 +868,12 @@ gitlab_configure_oauth() { OAUTH_BLOCK_AUTO_CREATED_USERS \ OAUTH_AUTO_LINK_LDAP_USER \ OAUTH_AUTO_LINK_SAML_USER \ - OAUTH_EXTERNAL_PROVIDERS + OAUTH_AUTO_LINK_USER \ + OAUTH_EXTERNAL_PROVIDERS \ + OAUTH_ALLOW_BYPASS_TWO_FACTOR case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in - cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2) + cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt) update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER ;; *) 
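Review bot: The new case pattern `…|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt)` in gitlab_configure_oauth expands the variable unquoted inside the pattern list: when OAUTH2_GENERIC_NAME is empty the alternative becomes an empty pattern, which matches an empty OAUTH_AUTO_SIGN_IN_WITH_PROVIDER, so the default unset case takes the update_template branch instead of `*)` (whose body is outside the hunk), and any glob characters in the name are read as pattern syntax. Quoting it stops the glob interpretation but an empty name still yields an empty alternative, so the cleaner form keeps the literal list in the case and handles the custom name with a preceding test, `[[ -n ${OAUTH2_GENERIC_NAME} && ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} == "${OAUTH2_GENERIC_NAME}" ]]`. `OAUTH_ALLOW_BYPASS_TWO_FACTOR` is added to the substituted settings without comment; since it lets an identity provider skip GitLab's second factor, a note beside it stating the expected default (off unless the operator opts in, the env defaults being outside this hunk) would help reviewers. The function starts outside the hunk.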
@@ -691,12 +908,38 @@ gitlab_configure_secrets() { update_template ${GITLAB_SECRETS_CONFIG} \ GITLAB_SECRETS_DB_KEY_BASE \ GITLAB_SECRETS_SECRET_KEY_BASE \ - GITLAB_SECRETS_OTP_KEY_BASE + GITLAB_SECRETS_OTP_KEY_BASE \ + GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \ + GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \ + GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \ + GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT + + local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret" + if [[ ! -f "${shell_secret}" ]]; then + exec_as_git openssl rand -hex -out "${shell_secret}" 16 + chmod 600 "${shell_secret}" + fi + + local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret" + if [[ ! -f "${workhorse_secret}" ]]; then + exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32 + chmod 600 "${workhorse_secret}" + fi + + local pages_secret="${GITLAB_INSTALL_DIR}/.gitlab_pages_secret" + if [[ ! -f "${pages_secret}" ]]; then + exec_as_git openssl rand -base64 -out "${pages_secret}" 32 + chmod 600 "${pages_secret}" + fi } gitlab_configure_sidekiq() { echo "Configuring gitlab::sidekiq..." + # configure gitlab sidekiq log format + update_template ${GITLAB_CONFIG} \ + GITLAB_SIDEKIQ_LOG_FORMAT + # configure sidekiq update_template /etc/supervisor/conf.d/sidekiq.conf \ SIDEKIQ_CONCURRENCY \ 
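Review bot: The three new secret files in gitlab_configure_secrets are written by `exec_as_git openssl rand … -out "${…}"` first and `chmod 600` second, so each file briefly exists with the process umask's default mode before it is tightened; the three blocks are also identical apart from path, encoding and length. A helper that sets `umask 077` for the write and takes those three values removes both the window and the triplication (assuming exec_as_git preserves the caller's umask — worth confirming, as its definition is outside this hunk). The four new GITLAB_SECRETS_* keys are substituted unconditionally; if they have no generated default elsewhere, an empty value lands in the 0600 secrets.yml and Rails fails later rather than here, so a presence check like the one the backup functions do would fail faster. The function starts outside the hunk.
```shell
# Generate a random secret file once; the umask keeps it unreadable to
# group/world from the moment it is created, not only after the chmod.
# $1 path, $2 openssl encoding flag (-hex or -base64), $3 byte count
generate_secret_file() {
  local path="$1" encoding="$2" bytes="$3"
  [[ -f "${path}" ]] && return 0
  (umask 077; exec_as_git openssl rand "${encoding}" -out "${path}" "${bytes}")
  chmod 600 "${path}"
}

# … inside gitlab_configure_secrets, replacing the three if-blocks …
  generate_secret_file "${GITLAB_INSTALL_DIR}/.gitlab_shell_secret" -hex 16
  generate_secret_file "${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret" -base64 32
  generate_secret_file "${GITLAB_INSTALL_DIR}/.gitlab_pages_secret" -base64 32
```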
@@ -717,19 +960,23 @@ gitlab_configure_sidekiq() { gitlab_configure_backups_schedule() { case ${GITLAB_BACKUP_SCHEDULE} in daily|weekly|monthly) - if [[ ! $(crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null) || \ - ! $(grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}) ]]; then + if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then echo "Configuring gitlab::backups::schedule..." - read hour min <<< ${GITLAB_BACKUP_TIME//[:]/ } - day_of_month=* - month=* - day_of_week=* + gitlab_backup_log="${GITLAB_LOG_DIR}/gitlab/gitlab-backup.log" + read -r hour min <<< "${GITLAB_BACKUP_TIME//[:]/ }" + day_of_month="*" + month="*" + day_of_week="*" case ${GITLAB_BACKUP_SCHEDULE} in daily) ;; weekly) day_of_week=0 ;; monthly) day_of_month=01 ;; esac - echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}'" >> /tmp/cron.${GITLAB_USER} + if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then + echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}" + else + echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}' >> ${gitlab_backup_log} 2>&1" >> "/tmp/cron.${GITLAB_USER}" + fi crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER} fi rm -rf /tmp/cron.${GITLAB_USER} 
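Review bot: The two crontab echo lines in gitlab_configure_backups_schedule differ only by the `DIRECTORY=${GITLAB_BACKUP_DIR_GROUP}` token, and each embeds the full single-quoted rake command, so the next edit to one will drift from the other. Build the optional token once, `local dir_arg=""; [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]] && dir_arg="DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} "`, and emit a single echo with `${dir_arg}` in place. The scratch file remains the predictable `/tmp/cron.${GITLAB_USER}` (pre-existing, only quoted here); `mktemp` would give a private path instead. The function starts outside the hunk.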
@@ -738,24 +985,62 @@ gitlab_configure_backups_schedule() { } gitlab_configure_backups_aws() { - case ${AWS_BACKUPS} in - true) - echo "Configuring gitlab::backups::aws..." - if [[ -z ${AWS_BACKUP_REGION} || -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then - printf "\nMissing AWS options. Aborting...\n" - return 1 - fi - update_template ${GITLAB_CONFIG} \ - AWS_BACKUP_REGION \ - AWS_BACKUP_ACCESS_KEY_ID \ - AWS_BACKUP_SECRET_ACCESS_KEY \ - AWS_BACKUP_BUCKET \ - AWS_BACKUP_MULTIPART_CHUNK_SIZE - ;; - *) - exec_as_git sed -i "/upload:/,/remote_directory:/d" ${GITLAB_CONFIG} - ;; - esac + echo "Configuring gitlab::backups::aws..." + exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG} + + if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then + exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG} + fi + + if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then + exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG} + fi + + if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then + exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG} + fi + + if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then + echo "\nMissing AWS region or endpoint. Aborting...\n" + return 1 + fi + + if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then + AWS_BACKUP_PATH_STYLE="true" + fi + + if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then + echo "\nMissing AWS options. 
Aborting...\n" + return 1 + fi + + update_template ${GITLAB_CONFIG} \ + AWS_BACKUP_REGION \ + AWS_BACKUP_ENDPOINT \ + AWS_BACKUP_PATH_STYLE \ + AWS_BACKUP_ACCESS_KEY_ID \ + AWS_BACKUP_SECRET_ACCESS_KEY \ + AWS_BACKUP_BUCKET \ + AWS_BACKUP_MULTIPART_CHUNK_SIZE \ + AWS_BACKUP_STORAGE_CLASS \ + AWS_BACKUP_SIGNATURE_VERSION +} + +gitlab_configure_backup_gcs() { + echo "Configuring gitlab::backups::gcs..." + exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG} + if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then + printf "\nMissing GCS options. Aborting...\n" + return 1 + fi + update_template ${GITLAB_CONFIG} \ + GCS_BACKUP_ACCESS_KEY_ID \ + GCS_BACKUP_SECRET_ACCESS_KEY \ + GCS_BACKUP_BUCKET } gitlab_configure_backups() { @@ -765,9 +1050,21 @@ gitlab_configure_backups() { GITLAB_BACKUP_EXPIRY \ GITLAB_BACKUP_PG_SCHEMA \ GITLAB_BACKUP_ARCHIVE_PERMISSIONS - gitlab_configure_backups_schedule - gitlab_configure_backups_aws + if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then + exec_as_git sed -i "/\s\+#start-aws/,/#end-gcs/d" ${GITLAB_CONFIG} + return 0 + fi + if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then + printf "\nAWS and GCE cannot be enabled together, please choose one...\n" + return 1 + fi + if [[ ${AWS_BACKUPS} == true ]]; then + gitlab_configure_backups_aws + fi + if [[ ${GCS_BACKUPS} == true ]]; then + gitlab_configure_backup_gcs + fi } gitlab_configure_gravatar() { 
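Review bot: `echo "\nMissing AWS region or endpoint. Aborting...\n"` and the `echo "\nMissing AWS options. Aborting...\n"` below it print the backslash-n literally, because bash's builtin echo does not interpret escapes without `-e`; the code they replace and gitlab_configure_backup_gcs in the same hunk use `printf "\n… Aborting...\n"`, so switching these two back to printf keeps the messages consistent. The two `if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]` blocks test the same variable and could be one block deleting both marker ranges. `[[ ! -z ${AWS_BACKUP_ENDPOINT} ]]` is the spelled-out form of `-n`. The new function is named gitlab_configure_backup_gcs while its sibling is gitlab_configure_backups_aws; the plural matches the rest of the file.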
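Review bot: gitlab_configure_backups no longer calls gitlab_configure_backups_schedule — the removed line is not re-added anywhere in this hunk — so unless that call moved elsewhere in the change (not visible here), setting GITLAB_BACKUP_SCHEDULE stops installing the cron entry. The `return 1` of gitlab_configure_backups_aws/gcs on missing credentials is also discarded by the bare `if … then gitlab_configure_backups_aws; fi`, so a misconfigured upload target is reported but startup continues; `gitlab_configure_backups_aws || return 1` would propagate it. The message `AWS and GCE cannot be enabled together` says GCE while the variable is GCS_BACKUPS. The function starts outside the hunk.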
@@ -788,6 +1085,16 @@ gitlab_configure_gravatar() { fi } +gitlab_configure_cron_jobs() { + echo "Configuring gitlab::cron_jobs..." + + if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then + update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON + else + exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG} + fi +} + gitlab_configure_analytics_google() { if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then echo "Configuring gitlab::analytics:google..." @@ -818,6 +1125,24 @@ gitlab_configure_analytics() { gitlab_configure_rack_attack() { echo "Configuring gitlab::rack_attack..." + + # validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string + echo " Validating RACK_ATTACK_WHITELIST..." + /usr/bin/env ruby << SCRIPT + require 'ipaddr' + ${RACK_ATTACK_WHITELIST}.each do |host| + begin + printf(" input=%s, to_range=%s\n", host, IPAddr.new(host).to_range) + rescue IPAddr::InvalidAddressError => e + p e + exit 1 + rescue => e + put "Unexpected error", e + exit 1 + end + end +SCRIPT + update_template ${GITLAB_CONFIG} \ RACK_ATTACK_ENABLED \ RACK_ATTACK_WHITELIST \ 
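Review bot: The validation script in gitlab_configure_rack_attack does not affect the outcome: `/usr/bin/env ruby << SCRIPT` is followed by no status check, so an invalid entry makes ruby exit 1, the message is printed, and configuration continues with the bad whitelist; `/usr/bin/env ruby << SCRIPT || return 1` makes the check enforce something. Inside the script, `put "Unexpected error", e` is a typo for `puts` and raises NoMethodError inside the generic rescue, so that message is never printed. `${RACK_ATTACK_WHITELIST}` is expanded into Ruby source through the unquoted heredoc and evaluated, so the value must be a Ruby array literal and an empty value is a syntax error; a comment stating that expected format (the same literal update_template writes into gitlab.yml, if that is the case) would make the contract explicit. The function continues outside the hunk.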
@@ -834,19 +1159,234 @@ gitlab_configure_ci() { } gitlab_configure_artifacts() { + update_template ${GITLAB_CONFIG} \ + GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED + + if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::artifacts:object_store" + + if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google ARTIFACTS provider selected removing aws config" + exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS ARTIFACTS provider selected removing Google config" + exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \ + GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \ + GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ + GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + else + exec_as_git sed -i -e "/path: 
{{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + echo "Configuring gitlab::artifacts..." update_template ${GITLAB_CONFIG} \ GITLAB_ARTIFACTS_ENABLED \ GITLAB_ARTIFACTS_DIR } + +gitlab_configure_packages() { + update_template ${GITLAB_CONFIG} \ + GITLAB_PACKAGES_OBJECT_STORE_ENABLED + + if [[ ${GITLAB_PACKAGES_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::packages:object_store" + + if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google PACKAGES provider selected removing aws config" + exec_as_git sed -i "/#start-packages-aws/,/#end-packages-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-packages-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-packages-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS PACKAGES provider selected removing Google config" + exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD \ + GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD \ + GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL 
\ + GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + else + exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + + echo "Configuring gitlab::packages..." + update_template ${GITLAB_CONFIG} \ + GITLAB_PACKAGES_ENABLED \ + GITLAB_PACKAGES_DIR +} + +gitlab_configure_terraform_state() { + update_template ${GITLAB_CONFIG} \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED + + if [[ ${GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::terraform_state:object_store" + + if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google TERRAFORM STATE provider selected removing aws config" + exec_as_git sed -i "/#start-terraform_state-aws/,/#end-terraform_state-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-terraform_state-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS TERRAFORM STATE provider selected removing Google config" + exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + 
GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ + GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + else + exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + + echo "Configuring gitlab::terraform_state..." + update_template ${GITLAB_CONFIG} \ + GITLAB_TERRAFORM_STATE_ENABLED \ + GITLAB_TERRAFORM_STATE_STORAGE_PATH +} + gitlab_configure_lfs() { + update_template ${GITLAB_CONFIG} \ + GITLAB_LFS_OBJECT_STORE_ENABLED \ + + if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::lfs:object_store" + + if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google LFS provider selected removing aws config" + exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS LFS provider selected removing Google config" + exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \ + GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \ + GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + 
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ + GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + else + exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + echo "Configuring gitlab::lfs..." update_template ${GITLAB_CONFIG} \ GITLAB_LFS_ENABLED \ GITLAB_LFS_OBJECTS_DIR } +gitlab_configure_uploads() { + update_template ${GITLAB_CONFIG} \ + GITLAB_UPLOADS_OBJECT_STORE_ENABLED + + if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then + echo "Configuring gitlab::uploads:object_store" + + if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then + echo " -> Google UPLOADS provider selected removing aws config" + exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG} + fi + if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then + echo " -> AWS UPLOADS provider selected removing Google config" + exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG} + exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG} + fi + + update_template ${GITLAB_CONFIG} \ + GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \ + GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \ + GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \ + GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \ + 
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \ + GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION + + else + exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG} + fi + + echo "Configuring gitlab::uploads..." + update_template ${GITLAB_CONFIG} \ + GITLAB_UPLOADS_STORAGE_PATH \ + GITLAB_UPLOADS_BASE_DIR +} + gitlab_configure_mattermost() { echo "Configuring gitlab::mattermost..." update_template ${GITLAB_CONFIG} \ 
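Review bot: The else branches of gitlab_configure_artifacts, _packages, _terraform_state, _lfs and _uploads remove the object_store block with a fixed run of `N;` commands after the `path:` line (21 in four of them, 18 in terraform_state), which couples the script to the exact line count of each template block: adding or removing one key in gitlab.yml silently deletes the wrong lines, and the differing terraform_state count has nothing indicating why. Since these functions already bracket the provider sections with `#start-…-aws`/`#end-…-gcs` markers, bracketing the whole object_store block the same way and deleting the marker range would make the cleanup layout-independent. The five functions are otherwise line-for-line copies differing only in the ARTIFACTS/PACKAGES/… token; a single helper taking that token would keep them from drifting further. In gitlab_configure_lfs the first call ends with `GITLAB_LFS_OBJECT_STORE_ENABLED \` followed by a blank line, so the continuation swallows the empty line; drop the trailing backslash. When OBJECT_STORE_ENABLED is true but the provider is neither `Google` nor `AWS`, both provider sections stay in the file; an explicit error for an unknown provider would be clearer than a config with two connections.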
@@ -888,6 +1428,63 @@ gitlab_configure_registry(){ GITLAB_REGISTRY_ISSUER } +gitlab_configure_pages(){ + echo "Configuring gitlab::pages..." + update_template ${GITLAB_CONFIG} \ + GITLAB_PAGES_ENABLED \ + GITLAB_PAGES_DOMAIN \ + GITLAB_PAGES_PORT \ + GITLAB_PAGES_HTTPS \ + GITLAB_PAGES_ARTIFACTS_SERVER \ + GITLAB_PAGES_ACCESS_CONTROL + + if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then + update_template ${GITLAB_CONFIG} \ + GITLAB_PAGES_EXTERNAL_HTTP + else + exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG} + fi + + if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then + update_template ${GITLAB_CONFIG} \ + GITLAB_PAGES_EXTERNAL_HTTPS + else + exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG} + fi +} + +gitlab_configure_sentry(){ + echo "Configuring gitlab::sentry..." + update_template ${GITLAB_CONFIG} \ + SENTRY_ENABLED \ + SENTRY_DSN \ + SENTRY_CLIENTSIDE_DSN \ + SENTRY_ENVIRONMENT +} + +gitlab_configure_content_security_policy(){ + echo "Configuring gitlab::content_security_policy..." 
+ update_template ${GITLAB_CONFIG} \ + GITLAB_CONTENT_SECURITY_POLICY_ENABLED \ + GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC \ + GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI +} + nginx_configure_gitlab_ssl() { if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then echo "Configuring nginx::gitlab::ssl..." @@ -901,7 +1498,8 @@ nginx_configure_gitlab_ssl() { SSL_DHPARAM_PATH \ SSL_VERIFY_CLIENT \ SSL_CA_CERTIFICATES_PATH \ - SSL_CIPHERS + SSL_CIPHERS \ + SSL_PROTOCOLS fi } 
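Review bot: `exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}` (and its HTTPS twin) in gitlab_configure_pages is not `-i -e`: GNU sed reads `-ie` as `-i` with backup suffix `e`, so every start leaves a `${GITLAB_CONFIG}e` copy next to gitlab.yml — a second, unmanaged file holding the OAuth, LDAP and object-store credentials the rest of this change substitutes into that config, and one that survives later secret rotation. Every other call in the file writes `sed -i "…"`; use that form here. gitlab_configure_pages also does not guard on GITLAB_PAGES_ENABLED, so the pages keys are substituted even when pages is off; if the template tolerates that, a comment saying so would help. gitlab_configure_registry, which the hunk header names, starts on the previous physical line.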
@@ -919,28 +1517,55 @@ nginx_configure_gitlab_hsts() { nginx_configure_gitlab_ipv6() { if [[ ! -f /proc/net/if_inet6 ]]; then - # disable ipv6 support + # disable ipv6 support in nginx for gitlab sed -i \ -e "/listen \[::\]:80/d" \ -e "/listen \[::\]:443/d" \ ${GITLAB_NGINX_CONFIG} + # disable ipv6 support in nginx for pages + if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then + if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then + sed -i \ + -e "/listen \[::\]:80/d" \ + -e "/listen \[::\]:443/d" \ + ${GITLAB_PAGES_NGINX_CONFIG} + fi + fi + fi +} + +nginx_configure_gitlab_real_ip() { + if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \ + -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then + echo "Configuring nginx::gitlab::real_ip..." + update_template ${GITLAB_NGINX_CONFIG} \ + NGINX_REAL_IP_RECURSIVE \ + NGINX_REAL_IP_TRUSTED_ADDRESSES + else + NGINX_REAL_IP_RECURSIVE="off" + update_template ${GITLAB_NGINX_CONFIG} \ + NGINX_REAL_IP_RECURSIVE + sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG} fi } nginx_configure_gitlab() { echo "Configuring nginx::gitlab..." update_template ${GITLAB_NGINX_CONFIG} \ + GITLAB_HOME \ GITLAB_INSTALL_DIR \ GITLAB_LOG_DIR \ GITLAB_HOST \ GITLAB_PORT \ NGINX_PROXY_BUFFERING \ NGINX_ACCEL_BUFFERING \ - NGINX_X_FORWARDED_PROTO + NGINX_X_FORWARDED_PROTO \ + NGINX_CUSTOM_GITLAB_SERVER_CONFIG nginx_configure_gitlab_ssl nginx_configure_gitlab_hsts nginx_configure_gitlab_ipv6 + nginx_configure_gitlab_real_ip } nginx_configure_gitlab_ci() { 
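Review bot: nginx_configure_gitlab_real_ip only installs NGINX_REAL_IP_TRUSTED_ADDRESSES when NGINX_REAL_IP_RECURSIVE is `on`; an operator who lists trusted proxies but leaves recursion `off` (the common single-proxy setup) gets the trusted-address line deleted and client-address handling left at whatever the template default is. The two nginx directives are independent, so the guard should be `if [[ -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then` with NGINX_REAL_IP_RECURSIVE passed through as given and defaulted to `off` only when unset. A comment that the trusted list bounds which hops may rewrite the client address — the value downstream rate limiting and logs then see — would explain why it must not be broad. The IPv6 hunk repeats the same `sed -e "/listen \[::\]:80/d" …` pair for the pages config; a loop over the two config files would avoid the copy.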
@@ -964,7 +1589,39 @@ nginx_configure_gitlab_registry() { GITLAB_REGISTRY_HOST \ GITLAB_REGISTRY_API_URL \ SSL_REGISTRY_KEY_PATH \ - SSL_REGISTRY_CERT_PATH + SSL_REGISTRY_CERT_PATH \ + SSL_REGISTRY_CIPHERS \ + SSL_REGISTRY_PROTOCOLS + fi +} + +nginx_configure_pages(){ + local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g') + if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then + echo "Configuring nginx::gitlab-pages..." + if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then + if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then + update_template ${GITLAB_PAGES_NGINX_CONFIG} \ + GITLAB_PORT \ + GITLAB_PAGES_DOMAIN \ + GITLAB_PAGES_PORT \ + GITLAB_LOG_DIR \ + GITLAB_PAGES_DOMAIN \ + SSL_PAGES_CERT_PATH \ + SSL_PAGES_KEY_PATH \ + SSL_PAGES_CIPHERS \ + SSL_PAGES_PROTOCOLS \ + SSL_DHPARAM_PATH \ + GITLAB_LOG_DIR + else + update_template ${GITLAB_PAGES_NGINX_CONFIG} \ + GITLAB_PAGES_DOMAIN \ + GITLAB_LOG_DIR + fi + else + echo "Gitlab pages nginx proxy disabled" + echo "Assuming custom domain setup with own HTTP(S) load balancer'" + fi fi } @@ -989,10 +1646,11 @@ map_uidgid() { } update_ca_certificates() { - if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} ]]; then + if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then echo "Updating CA certificates..." [[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt [[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt + [[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt update-ca-certificates --fresh >/dev/null fi } 
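Review bot: In nginx_configure_pages the HTTPS branch passes `GITLAB_PAGES_DOMAIN` and `GITLAB_LOG_DIR` to update_template twice each; harmless, but it reads as a paste error. `local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')` runs before the GITLAB_PAGES_ENABLED check with an unquoted expansion (`"$GITLAB_PAGES_DOMAIN"`), and nothing says why the dots get two backslashes — presumably because update_template passes the value through sed again before it lands in the nginx regex, which deserves a comment since a reader will otherwise "fix" it to a single escape. The message `load balancer'"` carries a stray apostrophe, repeated in install_configuration_templates later in the diff. The update_ca_certificates hunk copies the registry certificate into the system CA store like gitlab.crt before it; that only makes sense for a self-signed registry cert, and a comment stating that assumption would help.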
@@ -1014,6 +1672,10 @@ initialize_logdir() { mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell + + mkdir -p ${GITLAB_LOG_DIR}/gitaly + chmod -R 0755 ${GITLAB_LOG_DIR}/gitaly + chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitaly } initialize_datadir() { @@ -1051,11 +1713,26 @@ initialize_datadir() { chmod u+rwX ${GITLAB_SHARED_DIR} chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR} - # create attifacts dir + # create the ci_secure_files directory + mkdir -p ${GITLAB_SHARED_DIR}/ci_secure_files + chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files + chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files + + # create external-diffs dir + mkdir -p ${GITLAB_SHARED_DIR}/external-diffs + chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs + chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs + + # create artifacts dir mkdir -p ${GITLAB_ARTIFACTS_DIR} chmod u+rwX ${GITLAB_ARTIFACTS_DIR} chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} + # create pages dir + mkdir -p ${GITLAB_PAGES_DIR} + chmod u+rwX ${GITLAB_PAGES_DIR} + chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR} + # symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared rm -rf ${GITLAB_INSTALL_DIR}/shared ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared @@ -1065,6 +1742,13 @@ initialize_datadir() { chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} + # create terraform_state directory + if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then + mkdir -p ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} + chmod u+rwX ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} + chown ${GITLAB_USER}: ${GITLAB_TERRAFORM_STATE_STORAGE_PATH} + fi + # create registry dir if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then mkdir -p ${GITLAB_REGISTRY_DIR} 
@@ -1072,9 +1756,18 @@ initialize_datadir() { chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} fi + # create packages directory + if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then + mkdir -p ${GITLAB_PACKAGES_DIR} + chmod u+rwX ${GITLAB_PACKAGES_DIR} + chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR} + fi + # create the backups directory mkdir -p ${GITLAB_BACKUP_DIR} - chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR} + if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then + chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR} + fi # create the uploads directory mkdir -p ${GITLAB_DATA_DIR}/uploads @@ -1087,25 +1780,6 @@ initialize_datadir() { chmod 700 ${GITLAB_DATA_DIR}/.ssh chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh - - # recompile and persist assets when relative_url is in use - if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then - mkdir -p ${GITLAB_TEMP_DIR}/cache - chmod 755 ${GITLAB_TEMP_DIR}/cache - chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/cache - - mkdir -p ${GITLAB_TEMP_DIR}/assets - chmod 755 ${GITLAB_TEMP_DIR}/assets - chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/assets - - # symlink ${GITLAB_INSTALL_DIR}/tmp/cache -> ${GITLAB_TEMP_DIR}/cache - rm -rf ${GITLAB_INSTALL_DIR}/tmp/cache - exec_as_git ln -s ${GITLAB_TEMP_DIR}/cache ${GITLAB_INSTALL_DIR}/tmp/cache - - # symlink ${GITLAB_INSTALL_DIR}/public/assets -> ${GITLAB_TEMP_DIR}/assets - rm -rf ${GITLAB_INSTALL_DIR}/public/assets - exec_as_git ln -s ${GITLAB_TEMP_DIR}/assets ${GITLAB_INSTALL_DIR}/public/assets - fi } sanitize_datadir() { 
@@ -1130,14 +1804,27 @@ sanitize_datadir() { chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR} + chmod -R u+rwX ${GITLAB_PAGES_DIR} + chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR} + chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR} chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR} + # create terraform_state directory + # TODO : wrap with "if [[ _ENABLED ]]" condition + chmod u+rwX ${GITLAB_SHARED_DIR}/terraform_state + chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/terraform_state + if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then chmod -R u+rwX ${GITLAB_REGISTRY_DIR} chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR} fi + if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then + chmod u+rwX ${GITLAB_PACKAGES_DIR} + chown ${GITLAB_USER}: ${GITLAB_PACKAGES_DIR} + fi + find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \; find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \; chmod 0700 ${GITLAB_DATA_DIR}/uploads/ @@ -1153,10 +1840,10 @@ generate_ssh_key() { } generate_ssh_host_keys() { - sed -i "s|HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config + sed -i "s|^[#]*MaxStartups[^$]*|MaxStartups ${GITLAB_SSH_MAXSTARTUPS}|" /etc/ssh/sshd_config + sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then echo -n "Generating OpenSSH host keys... " - generate_ssh_key rsa1 ${GITLAB_DATA_DIR}/ssh/ssh_host_key generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key 
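Review bot: `if [[ ${GITLAB_PACKAGES_ENABLED} ]]; then` in sanitize_datadir tests for a non-empty string, so `GITLAB_PACKAGES_ENABLED=false` still runs the chmod/chown on ${GITLAB_PACKAGES_DIR}; the registry block directly above and the packages block in initialize_datadir use `== true`, and this one should read `if [[ ${GITLAB_PACKAGES_ENABLED} == true ]]; then`. The `# create terraform_state directory` comment sits above a chmod/chown pair that creates nothing, targets `${GITLAB_SHARED_DIR}/terraform_state` whereas initialize_datadir uses `${GITLAB_TERRAFORM_STATE_STORAGE_PATH}`, and leaves a TODO for the guard; the guard is one line, `if [[ ${GITLAB_TERRAFORM_STATE_ENABLED} == true ]]; then`, so it can land with this change. The function continues outside the hunk.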
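Review bot: `sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g"` in generate_ssh_host_keys now rewrites only commented-out HostKey lines, whereas the line it replaces matched active ones too; on a base image whose sshd_config ships uncommented `HostKey /etc/ssh/…` entries (not visible here, so conditional) sshd would keep image-local keys instead of the persisted ones under ${GITLAB_DATA_DIR}/ssh, losing the host-key continuity across rebuilds that this persistence exists for. `s|^#\?HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g` covers both layouts. In the MaxStartups substitution `[^$]*` is a bracket expression excluding the literal `$` character, not an end-of-line anchor; `.*` is what is meant. The hunk drops rsa1 but still generates a DSA host key, which recent OpenSSH releases disable by default, so that line is a candidate for the same treatment.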
@@ -1169,12 +1856,50 @@ generate_ssh_host_keys() { chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub } +update_ssh_listen_port() { + sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g" /etc/ssh/sshd_config +} + +generate_healthcheck_script() { + # configure healthcheck script + ## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html + local HEALTHCHECK_PROTOCOL="http" + if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then + HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s" + fi +cat > /usr/local/sbin/healthcheck < /etc/timezone + + echo "Container TimeZone -> ${TIMEZONE}" + fi +} + initialize_system() { map_uidgid initialize_logdir initialize_datadir update_ca_certificates generate_ssh_host_keys + update_ssh_listen_port + configure_container_timezone install_configuration_templates rm -rf /var/run/supervisor.sock } @@ -1183,11 +1908,11 @@ install_configuration_templates() { echo "Installing configuration templates..." install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640 - install_template ${GITLAB_USER}: gitlabhq/unicorn.rb ${GITLAB_UNICORN_CONFIG} 0644 - install_template ${GITLAB_USER}: gitlabhq/rack_attack.rb ${GITLAB_RACK_ATTACK_CONFIG} 0644 + install_template ${GITLAB_USER}: gitlabhq/puma.rb ${GITLAB_PUMA_CONFIG} 0644 install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640 install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600 install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640 + install_template ${GITLAB_USER}: gitlabhq/cable.yml ${GITLAB_ACTIONCABLE_CONFIG} 0640 if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644 
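Review bot: `sed -i "s|#Port 22|Port ${GITLAB_SSH_LISTEN_PORT}|g"` in update_ssh_listen_port matches only the commented stock default, so an sshd_config whose `Port` line is already active, or a container restarted after an earlier run already rewrote it, silently keeps the previous port; anchoring it the way the MaxStartups edit in the previous hunk does, `sed -i "s|^#*Port .*|Port ${GITLAB_SSH_LISTEN_PORT}|" /etc/ssh/sshd_config`, makes it idempotent. In generate_healthcheck_script the scheme becomes https only when `SSL_SELF_SIGNED` is false, so a self-signed HTTPS deployment is probed over plain http, which presumably assumes an http listener is still present; if that is intentional, say so with `# self-signed setups are probed over http so the probe does not have to trust the local certificate`. The heredoc body of the healthcheck script is not legible in this view, so the probe URL and the mode of /usr/local/sbin/healthcheck could not be checked.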
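Review bot: The `gitlabhq/rack_attack.rb` template is no longer installed here, yet `gitlab_configure_rack_attack` is still called from configure_gitlab in the `@@ -1238,32 +1990,41 @@` hunk; unless that function was rewritten outside this diff it will operate on a `${GITLAB_RACK_ATTACK_CONFIG}` this commit stops creating, leaving the request throttling either unconfigured or failing at startup. Either keep the install line or drop the call and the GITLAB_RACK_ATTACK_* handling together so the two stay consistent. The replacement `puma.rb` at 0644 and the new `cable.yml` at 0640 follow the existing split between world-readable app config and group-only files that may carry credentials, which is the right choice for cable.yml's redis URL.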
@@ -1215,6 +1940,31 @@ install_configuration_templates() { install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG} fi + + ## ${GITLAB_PAGES_NGINX_CONFIG} + if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then + install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640 + if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then + if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then + install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG} + else + echo "Gitlab pages nginx proxy disabled" + echo "Assuming custom domain setup with own HTTP(S) load balancer'" + fi + else + if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then + echo "SSL Key, SSL Certificate were not found." + echo "Assuming that the container is running behind a HTTPS enabled load balancer." + install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG} + else + echo "Gitlab pages nginx proxy disabled" + echo "Assuming custom domain setup with own HTTP(S) load balancer'" + fi + fi + fi + + + if [[ -n $GITLAB_CI_HOST ]]; then install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG} fi @@ -1227,6 +1977,8 @@ install_configuration_templates() { echo "Assuming that the Registry is running behind a HTTPS enabled load balancer." fi fi + + install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} } configure_gitlab() { 
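Review bot: Both `echo "Assuming custom domain setup with own HTTP(S) load balancer'"` lines carry a stray trailing `'` that ends up in the log, and the two else branches they sit in are identical. The message `SSL Key, SSL Certificate were not found.` is printed whenever the combined condition fails, including when `GITLAB_PAGES_HTTPS` is simply false, so a deliberate plain-HTTP setup is reported as a missing file; deciding on `GITLAB_PAGES_NGINX_PROXY` first and testing `GITLAB_PAGES_HTTPS` separately from the `-f` checks removes the duplication and fixes the wording, as sketched below (same behaviour, one copy of each message). The three blank lines before the `GITLAB_CI_HOST` check can go. install_configuration_templates continues outside this hunk.
```shell
  ## ${GITLAB_PAGES_NGINX_CONFIG}
  if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
    install_template ${GITLAB_USER}: gitlab-pages/config ${GITLAB_PAGES_CONFIG} 0640
    if [[ ${GITLAB_PAGES_NGINX_PROXY} != true ]]; then
      echo "Gitlab pages nginx proxy disabled"
      echo "Assuming custom domain setup with own HTTP(S) load balancer"
    elif [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
      install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
    else
      if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
        echo "SSL Key, SSL Certificate were not found."
        echo "Assuming that the container is running behind a HTTPS enabled load balancer."
      fi
      install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
    fi
  fi
  # … unchanged: GITLAB_CI_HOST nginx template …
```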
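Review bot: `install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}` is the only call in this function that passes no mode, so the file gets whatever install_template defaults to (defined outside this diff). Gitaly's config.toml can carry the `[auth] token` shared with the Rails side, which puts it with the 0640 group (`database.yml`, `gitlab-shell/config.yml`, `cable.yml`) rather than the 0644 one; pass it explicitly: `install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG} 0640`.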
@@ -1238,32 +1990,41 @@ configure_gitlab() { GITLAB_REPOS_DIR \ GITLAB_DOWNLOADS_DIR \ GITLAB_SHARED_DIR \ + GITLAB_HOME \ GITLAB_HOST \ GITLAB_PORT \ GITLAB_RELATIVE_URL_ROOT \ GITLAB_HTTPS \ - GITLAB_MAX_OBJECT_SIZE \ GITLAB_SSH_HOST \ + GITLAB_SSH_LISTEN_PORT \ GITLAB_SSH_PORT \ GITLAB_SIGNUP_ENABLED \ + GITLAB_IMPERSONATION_ENABLED \ GITLAB_PROJECTS_LIMIT \ GITLAB_USERNAME_CHANGE \ + GITLAB_DEFAULT_THEME \ GITLAB_CREATE_GROUP \ - GITLAB_TIMEOUT + GITLAB_ISSUE_CLOSING_PATTERN gitlab_configure_database gitlab_configure_redis + gitlab_configure_actioncable gitlab_configure_secrets gitlab_configure_sidekiq + gitlab_configure_gitaly + gitlab_configure_monitoring gitlab_configure_gitlab_workhorse gitlab_configure_relative_url gitlab_configure_trusted_proxies - gitlab_configure_unicorn + gitlab_configure_puma gitlab_configure_timezone gitlab_configure_rack_attack gitlab_configure_ci gitlab_configure_artifacts + gitlab_configure_packages + gitlab_configure_terraform_state gitlab_configure_lfs + gitlab_configure_uploads gitlab_configure_mattermost gitlab_configure_project_features gitlab_configure_mail_delivery 
@@ -1271,14 +2032,71 @@ configure_gitlab() { gitlab_configure_oauth gitlab_configure_ldap gitlab_configure_gravatar + gitlab_configure_cron_jobs gitlab_configure_analytics gitlab_configure_backups + generate_registry_certificates gitlab_configure_registry + gitlab_configure_pages + gitlab_configure_sentry + generate_healthcheck_script + gitlab_configure_content_security_policy # remove stale gitlab.socket rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket } +# feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized +gitlab_configure_feature_flags() { + echo "Configuring gitlab::feature_flags..." + + if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then + # Do nothing and reports no error if no targets specified + echo "- No targets specified. skipping..." + return 0 + fi + + # Build command line argument for script only when target is specified + # If not, scripts fails because option specifier is recognized as feature flags for example + # like "--disable --enable" : for this case, --disable is recognized as a value of option "--enable" + if [[ -n "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" ]]; then + GITLAB_FEATURE_FLAGS_DISABLE_TARGETS="--disable ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}" + fi + # The same goes for --enable (this is the last option passed to "rails runner" that will be run below) + # For this case (final option), it throws "missing argument" error for execution like: + # like "--disable feature1,feature2 --enable" + if [[ -n "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]; then + GITLAB_FEATURE_FLAGS_ENABLE_TARGETS="--enable ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" + fi + + PWD_ORG=${PWD} + cd "${GITLAB_INSTALL_DIR}" + + # copy the script to temporal directory : to avoid permission issue + cp "${GITLAB_RUNTIME_DIR}/scripts/configure_feature_flags.rb" "${GITLAB_TEMP_DIR}/" + chown "${GITLAB_USER}:" "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" 
+ + echo "- Launching rails runner to set feature flags. This will take some time...." + + # If arguments are empty, the script will do nothing and print object dump like below: + # - specified feature flags: {:to_be_disabled=>[], :to_be_enabled=>[]} + # DO NOT qupte variables : word splitting must be enabled. + # If disabled, whole string like '--disable feature_name_1,feature_name_2' + # will be recognized as single option and results to invalid argument error + # + # shellcheck disable=SC2086 + exec_as_git bundle exec rails runner "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" \ + ${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS} \ + ${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS} + + rm "${GITLAB_TEMP_DIR}/configure_feature_flags.rb" + cd "${PWD_ORG}" +} + +configure_gitlab_requires_db() { + gitlab_configure_feature_flags +} + configure_gitlab_shell() { echo "Configuring gitlab-shell..." update_template ${GITLAB_SHELL_CONFIG} \ @@ -1290,6 +2108,87 @@ configure_gitlab_shell() { REDIS_HOST \ REDIS_PORT \ REDIS_DB_NUMBER + + # update custom_hooks_dir if set $GITLAB_SHELL_CUSTOM_HOOKS_DIR + if [[ -n ${GITLAB_SHELL_CUSTOM_HOOKS_DIR} ]]; then + exec_as_git sed -i \ + "s|custom_hooks_dir:.*|custom_hooks_dir: $GITLAB_SHELL_CUSTOM_HOOKS_DIR|g" \ + ${GITLAB_SHELL_CONFIG} + fi +} + + +configure_gitlab_pages() { + if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then + echo "Configuring gitlab-pages..." +cat > /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf <> /etc/supervisor/conf.d/gitlab-pages.conf </dev/null - if [[ ${DB_ADAPTER} == mysql2 ]]; then - exec_as_git bundle exec rake add_limits_mysql >/dev/null - fi - echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup fi 
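Review bot: The early-return guard in gitlab_configure_feature_flags tests the same variable twice, `if [[ -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" && -z "${GITLAB_FEATURE_FLAGS_ENABLE_TARGETS}" ]]`, so a run that sets only GITLAB_FEATURE_FLAGS_DISABLE_TARGETS prints "No targets specified" and never disables anything; the first operand should be `-z "${GITLAB_FEATURE_FLAGS_DISABLE_TARGETS}"`. The function also rewrites the two environment variables in place to prepend `--disable`/`--enable`, so a second invocation in the same shell would pass `--disable --disable …`; build the arguments in `local` variables instead. `cd "${GITLAB_INSTALL_DIR}"` is unchecked and `PWD_ORG` is restored only on the success path, so `cd "${GITLAB_INSTALL_DIR}" || return 1` (or pushd/popd) would keep the caller's directory stable. Typo in the comment: "qupte" → "quote".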
@@ -1366,12 +2255,6 @@ migrate_database() { # clear cache if relative_url has changed. [[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT) if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then - # assets need to be recompiled when GITLAB_RELATIVE_URL_ROOT is used - if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then - echo "Recompiling assets (relative_url in use), this could take a while..." - exec_as_git bundle exec rake assets:clean assets:precompile >/dev/null 2>&1 - fi - echo "Clearing cache..." exec_as_git bundle exec rake cache:clear >/dev/null 2>&1 echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT @@ -1384,7 +2267,16 @@ execute_raketask() { return 1 fi + if [[ ${1} == gitlab:backup:create ]]; then + /usr/bin/supervisord -c /etc/supervisor/supervisord.conf + supervisorctl stop gitlab_extensions:* + supervisorctl stop gitlab:* + fi + if [[ ${1} == gitlab:backup:restore ]]; then + /usr/bin/supervisord -c /etc/supervisor/supervisord.conf + supervisorctl stop gitlab_extensions:* + supervisorctl stop gitlab:* interactive=true for arg in $@ do @@ -1405,7 +2297,7 @@ execute_raketask() { echo for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r) do - echo "‣ $b (created at $(date --date="@${b%%_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))" + echo "‣ $b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))" done echo 
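Review bot: The two new supervisord blocks for `gitlab:backup:create` and `gitlab:backup:restore` are identical copies, and neither checks that supervisord started nor that `supervisorctl stop` succeeded, so the rake task may proceed with the application processes still running if either step fails. One guard before the restore-specific branch, `if [[ ${1} == gitlab:backup:create || ${1} == gitlab:backup:restore ]]; then`, with the `supervisorctl stop` exit codes checked, keeps the state explicit. If the task can also be launched inside an already running container, starting a second `/usr/bin/supervisord` would presumably collide on the socket that initialize_system removes at boot; a `supervisorctl status` probe before launching would cover that case. The rest of execute_raketask is outside this hunk.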
@@ -1430,3 +2322,57 @@ execute_raketask() { echo "Running raketask ${1}..." exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP} } + +generate_registry_certificates() { + if [[ ${GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES} == true ]]; then + echo 'Generating GitLab Registry internal certificates for communication between Gitlab and a Docker Registry' + PREVIOUS_DIRECTORY=$(pwd) + # Get directory from cert file path + if [[ -z $GITLAB_REGISTRY_KEY_PATH ]]; then + echo "\$GITLAB_REGISTRY_KEY_PATH is empty" + return 1 + fi + DIRECTORY=$(dirname "$GITLAB_REGISTRY_KEY_PATH") + echo "Registry internal certificates will be generated in directory: $DIRECTORY" + # Make certs directory if it doesn't exists + mkdir -p "$DIRECTORY" + # Go to the temporary directory + cd "$DIRECTORY" || return + # Get key filename + KEY_FILENAME=$(basename "$GITLAB_REGISTRY_KEY_PATH") + echo "Registry internal key filename: $KEY_FILENAME" + # Generate cert filename, by default, in same directory as $KEY_FILENAME, with same name, but with extension .crt + CERT_FILENAME=$(echo "$KEY_FILENAME" | sed "s|key|crt|" -) + echo "Registry internal cert filename: $CERT_FILENAME" + # Generate a random password password_file used in the next commands + if [[ -f password_file ]] ; then + echo "password_file exists" + else + openssl rand -hex -out password_file 32 + fi + # Create a PKCS#10 certificate request + echo "Generating internal certificate request" + if [[ -f registry.csr ]] ; then + echo "registry.csr exists" + else + openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr + fi + # Process RSA key + echo "Processing RSA internal key" + if [[ -f $KEY_FILENAME ]] ; then + echo "$KEY_FILENAME exists" + else + openssl rsa -passin file:password_file -in privkey.pem -out "$KEY_FILENAME" + fi + + # Generate certificate + echo "Generating internal certificate" + if [[ -f $CERT_FILENAME ]] ; then + echo "$CERT_FILENAME exists" + else + openssl x509 -in registry.csr -out 
"$CERT_FILENAME" -req -signkey "$KEY_FILENAME" -days 10000 + fi + chown -R ${GITLAB_USER}: ${DIRECTORY} + cd ${PREVIOUS_DIRECTORY} + fi +} diff --git a/assets/runtime/scripts/configure_feature_flags.rb b/assets/runtime/scripts/configure_feature_flags.rb new file mode 100644 index 000000000..72197a99d --- /dev/null +++ b/assets/runtime/scripts/configure_feature_flags.rb 
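Review bot: The unencrypted signing key written by `openssl rsa … -out "$KEY_FILENAME"` is never given a restrictive mode, and the closing `chown -R ${GITLAB_USER}: ${DIRECTORY}` also hands over `password_file` and the passphrase-protected `privkey.pem` that sit next to it, so the passphrase step protects nothing; add `chmod 0600 "$KEY_FILENAME"` once the key exists and consider removing `privkey.pem`/`password_file` after `$KEY_FILENAME` and `$CERT_FILENAME` are in place. `CERT_FILENAME=$(echo "$KEY_FILENAME" | sed "s|key|crt|" -)` rewrites the first `key` anywhere in the name, so a key named without that substring yields `CERT_FILENAME == KEY_FILENAME`, the `-f $CERT_FILENAME` check then sees the key and the certificate is silently never generated; `CERT_FILENAME="${KEY_FILENAME%.*}.crt"` is the intended derivation. `cd "$DIRECTORY" || return` leaves without restoring `PREVIOUS_DIRECTORY`, and `DIRECTORY`, `KEY_FILENAME` and `CERT_FILENAME` leak as globals, so declare them `local` and return to `$PREVIOUS_DIRECTORY` on every exit path. A 10000-day self-signed certificate is effectively non-expiring, which is acceptable for an internal token-signing cert but deserves a comment saying so.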
@@ -0,0 +1,93 @@ +#!/usr/bin/env ruby + +require "optparse" +require "set" + +# sameersbn/docker-gitlab +# Ruby script to configure feature flags via CLI +# Intended to be executed in the context of Rails Runner of Gitlab application +# (to get valid "Feature" module, defined in (gitlab root)/lib/feature.rb) +# https://guides.rubyonrails.org/command_line.html#bin-rails-runner +# bundle exec rails runner -- --enable --disable + +class FeatureFlagCLI + def available_feature_flags() + # Feature flag lists are stored in (Gitlab root directory)/config/feature_flags/ + # We can get the directory by accessing "root" property of "Gitlab" Module + # (may returns /home/git/gitlab for sameersbn/docker-gitlab) + feature_flag_yamls = Dir.glob("#{Gitlab.root}/config/feature_flags/**/*.yml") + + if Gitlab.ee? + feature_flag_yamls.concat(Dir.glob("#{Gitlab.root}/ee/config/feature_flags/**/*.yml")) + end if + + list = feature_flag_yamls.map { |p| File.basename(p, File.extname(p)) } + list + end + + def parse_options(argv = ARGV) + op = OptionParser.new + + opts = { + to_be_disabled: [], + to_be_enabled: [], + # TODO support "opt out", "opt out removed" + # to_be_opted_out: [], + # opt_out_removed: [], + } + + op.on("-d", "--disable feature_a,feature_b,feature_c", Array, "comma-separated list of feature flags to be disabled (defaults: ${opts[:to_be_disabled]})") { |v| + opts[:to_be_disabled] = v.uniq + puts "- Specified feature flags to be disabled" + puts opts[:to_be_disabled].map { |f| format("--- %s", opt: f) } + } + op.on("-e", "--enable feature_a,feature_b,feature_c", Array, "comma-separated list of feature flags to be enabled (defaults: ${opts[:to_be_enabled]})") { |v| + opts[:to_be_enabled] = v.uniq + puts "- Specified feature flags to be enabled" + puts opts[:to_be_enabled].map { |f| format("--- %s", opt: f) } + } + + begin + args = op.parse(argv) + succeed = true + rescue OptionParser::InvalidOption, OptionParser::MissingArgument => e + puts e.message + puts op.help + 
succeed = false + end + + [succeed, opts, args] + end + + def run + succeed, opts, args = parse_options + if succeed + available_flags = self.available_feature_flags + disable_targets = available_flags & opts[:to_be_disabled] + enable_targets = available_flags & opts[:to_be_enabled] + + disable_targets.each do |feature| + Feature.disable(feature) + end + + enable_targets.each do |feature| + Feature.enable(feature) + end + + invalid_enable_targets = opts[:to_be_enabled] - enable_targets + invalid_disable_targets = opts[:to_be_disabled] - disable_targets + invalid_targets = invalid_disable_targets | invalid_enable_targets + if invalid_targets.length > 0 + puts "- Following flags are probably invalid and have been ignored" + puts invalid_targets.map { |f| format("--- %s", name: f) } + end + end + + Feature.all + end +end + +features = FeatureFlagCLI.new.run +puts features.map { |f| + format("- feature %s : %s", name: f.name, state: f.state) +} diff --git a/ci/gitlab b/ci/gitlab deleted file mode 100755 index 1b8736d56..000000000 --- a/ci/gitlab +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh - -set -e - -VERSION=$(cat VERSION) -DOCKER_REGISTRY_HOST=${DOCKER_REGISTRY_HOST:-hub.docker.com} -DOCKER_IMAGE=${DOCKER_IMAGE:-sameersbn/gitlab} - -docker build -t $DOCKER_IMAGE . - -docker tag $DOCKER_IMAGE $DOCKER_REGISTRY_HOST/$DOCKER_IMAGE:latest -docker tag $DOCKER_IMAGE $DOCKER_REGISTRY_HOST/$DOCKER_IMAGE:$VERSION - -docker push $DOCKER_REGISTRY_HOST/$DOCKER_IMAGE:latest -docker push $DOCKER_REGISTRY_HOST/$DOCKER_IMAGE:$VERSION diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml new file mode 100644 index 000000000..97fe9d52e --- /dev/null +++ b/contrib/docker-swarm/docker-compose.yml 
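Review bot: `format("--- %s", opt: f)`, `format("--- %s", name: f)` and the final `format("- feature %s : %s", name: f.name, state: f.state)` mix positional `%s` with keyword arguments; Kernel#format receives the keywords as a single positional Hash, so the first two print the hash's inspect output and the last raises ArgumentError (too few arguments) after the flags have already been changed, making the runner exit non-zero. Use named references, `format("- feature %<name>s : %<state>s", name: f.name, state: f.state)` and `format("--- %<name>s", name: f)`, or pass `f` positionally. In available_feature_flags the `end if` after the EE block appears to start a modifier-if whose condition is the following `list = feature_flag_yamls.map …` statement, so `list` is evaluated before the EE globs are concatenated and EE flags would never be recognised; drop the trailing `if`. The `${opts[:to_be_disabled]}` in the option descriptions is shell syntax rather than Ruby `#{…}` interpolation, and `require "set"` is unused.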
@@ -0,0 +1,183 @@ +services: + redis: + restart: always + image: redis:7 + command: + - --loglevel warning + volumes: + - /srv/docker/gitlab/redis:/var/lib/redis:Z + + postgresql: + restart: always + image: kkimurak/sameersbn-postgresql:16 + volumes: + - /srv/docker/gitlab/postgresql:/var/lib/postgresql:Z + environment: + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm + + gitlab: + restart: always + image: sameersbn/gitlab:18.5.1 + depends_on: + - redis + - postgresql + ports: + - "10080:80" + - "10022:22" + volumes: + - /srv/docker/gitlab/gitlab:/home/git/data:Z + configs: + - gitlab-configs + secrets: + - gitlab-secrets + environment: + - DEBUG=false + + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + + - REDIS_HOST=redis + - REDIS_PORT=6379 + + - TZ=Asia/Kolkata + - GITLAB_TIMEZONE=Kolkata + + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false + + - GITLAB_HOST=localhost + - GITLAB_PORT=10080 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"] + - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"] + - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string + + - GITLAB_ROOT_PASSWORD= + - GITLAB_ROOT_EMAIL= + + - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true + - GITLAB_NOTIFY_PUSHER=false + + - GITLAB_EMAIL=notifications@example.com + - GITLAB_EMAIL_REPLY_TO=noreply@example.com + - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com + + - GITLAB_BACKUP_SCHEDULE=daily + - 
GITLAB_BACKUP_TIME=01:00 + + - SMTP_ENABLED=false + - SMTP_DOMAIN=www.example.com + - SMTP_HOST=smtp.gmail.com + - SMTP_PORT=587 + - SMTP_USER=mailer@example.com + - SMTP_PASS=password + - SMTP_STARTTLS=true + - SMTP_AUTHENTICATION=login + + - IMAP_ENABLED=false + - IMAP_HOST=imap.gmail.com + - IMAP_PORT=993 + - IMAP_USER=mailer@example.com + - IMAP_PASS=password + - IMAP_SSL=true + - IMAP_STARTTLS=false + + - OAUTH_ENABLED=false + - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER= + - OAUTH_ALLOW_SSO= + - OAUTH_BLOCK_AUTO_CREATED_USERS=true + - OAUTH_AUTO_LINK_LDAP_USER=false + - OAUTH_AUTO_LINK_SAML_USER=false + - OAUTH_EXTERNAL_PROVIDERS= + - OAUTH_ALLOW_BYPASS_TWO_FACTOR=false + + - OAUTH_CAS3_LABEL=cas3 + - OAUTH_CAS3_SERVER= + - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false + - OAUTH_CAS3_LOGIN_URL=/cas/login + - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate + - OAUTH_CAS3_LOGOUT_URL=/cas/logout + + - OAUTH_GOOGLE_API_KEY= + - OAUTH_GOOGLE_APP_SECRET= + - OAUTH_GOOGLE_RESTRICT_DOMAIN= + + - OAUTH_FACEBOOK_API_KEY= + - OAUTH_FACEBOOK_APP_SECRET= + + - OAUTH_TWITTER_API_KEY= + - OAUTH_TWITTER_APP_SECRET= + + - OAUTH_GITHUB_API_KEY= + - OAUTH_GITHUB_APP_SECRET= + - OAUTH_GITHUB_URL= + - OAUTH_GITHUB_VERIFY_SSL= + + - OAUTH_GITLAB_API_KEY= + - OAUTH_GITLAB_APP_SECRET= + + - OAUTH_BITBUCKET_API_KEY= + - OAUTH_BITBUCKET_APP_SECRET= + - OAUTH_BITBUCKET_URL= + + - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= + - OAUTH_SAML_IDP_CERT_FINGERPRINT= + - OAUTH_SAML_IDP_SSO_TARGET_URL= + - OAUTH_SAML_ISSUER= + - OAUTH_SAML_LABEL="Our SAML Provider" + - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - OAUTH_SAML_GROUPS_ATTRIBUTE= + - OAUTH_SAML_EXTERNAL_GROUPS= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= + + - OAUTH_CROWD_SERVER_URL= + - OAUTH_CROWD_APP_NAME= + - 
OAUTH_CROWD_APP_PASSWORD= + + - OAUTH_AUTH0_CLIENT_ID= + - OAUTH_AUTH0_CLIENT_SECRET= + - OAUTH_AUTH0_DOMAIN= + - OAUTH_AUTH0_SCOPE= + + - OAUTH2_GENERIC_APP_ID= + - OAUTH2_GENERIC_APP_SECRET= + - OAUTH2_GENERIC_CLIENT_SITE= + - OAUTH2_GENERIC_CLIENT_USER_INFO_URL= + - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL= + - OAUTH2_GENERIC_CLIENT_TOKEN_URL= + - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT= + - OAUTH2_GENERIC_ID_PATH= + - OAUTH2_GENERIC_USER_UID= + - OAUTH2_GENERIC_USER_NAME= + - OAUTH2_GENERIC_USER_EMAIL= + - OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE= + - OAUTH2_GENERIC_LABEL= + - OAUTH2_GENERIC_NAME= + + - OAUTH_AZURE_API_KEY= + - OAUTH_AZURE_API_SECRET= + - OAUTH_AZURE_TENANT_ID= + +configs: + gitlab-configs: + file: ./gitlab.configs + +secrets: + gitlab-secrets: + file: ./gitlab.secrets diff --git a/contrib/docker-swarm/gitlab.configs b/contrib/docker-swarm/gitlab.configs new file mode 100644 index 000000000..898f5209b --- /dev/null +++ b/contrib/docker-swarm/gitlab.configs @@ -0,0 +1,3 @@ +# config file to be sourced on startup - will over-ride any env set in the docker-compose.yml + +TEST=none diff --git a/contrib/docker-swarm/gitlab.secrets b/contrib/docker-swarm/gitlab.secrets new file mode 100644 index 000000000..488566e34 --- /dev/null +++ b/contrib/docker-swarm/gitlab.secrets @@ -0,0 +1,13 @@ +# config file to be sourced on startup - will over-ride any env set in the docker-compose.yml + +LDAP_ENABLED=true +LDAP_LABEL="LDAP login" +LDAP_HOST=pool.ldap.example.com +LDAP_PORT=3268 +LDAP_BIND_DN=the-ldap +LDAP_PASS=no-not-really +LDAP_BASE=ou=People,dc=example,dc=com +#LDAP_LOWERCASE_USERNAMES=true +##LDAP_USER_FILTER=uid={login} +##LDAP_UID= +# diff --git a/contrib/expose-gitlab-ssh-port.sh b/contrib/expose-gitlab-ssh-port.sh new file mode 100644 index 000000000..0211d27ea --- /dev/null +++ b/contrib/expose-gitlab-ssh-port.sh 
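Review bot: The compose file already declares a `gitlab-secrets` Docker secret, yet `DB_PASS`, the four `GITLAB_SECRETS_*_KEY_BASE` values and the Active Record encryption keys are still given as plain `environment:` entries, where they are visible through `docker inspect`, in service logs and to every process in the container; since this is a Swarm example, those values belong in the `gitlab.secrets` file this commit adds, with a comment such as `# key material lives in gitlab.secrets (Docker secret), not in environment:`. `DB_PASS=password` is duplicated between the postgresql and gitlab services and the two must stay in sync, which is worth a comment at the first occurrence. `restart: always` is ignored by `docker stack deploy`, which uses `deploy.restart_policy` instead, so the example should say which deployment path it targets.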
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -ev + +GITLAB_USERGROUP=${GITLAB_USERGROUP:-1010} +GITLAB_SSH_PORT=${GITLAB_SSH_PORT:-9922} + +if ! id -u git >> /dev/null 2>&1; then + groupadd -g ${GITLAB_USERGROUP} git + useradd -m -u ${GITLAB_USERGROUP} -g git -s /bin/sh -d /home/git git +fi +su git -c "mkdir -p /home/git/.ssh/" + +su git -c "if [ ! -f /home/git/.ssh/id_ed25519 ]; then ssh-keygen -t ed25519 -N \"\" -f /home/git/.ssh/id_ed25519; fi" +su git -c "if [ -f /home/git/.ssh/id_ed25519.pub ]; then mv /home/git/.ssh/id_ed25519.pub /home/git/.ssh/authorized_keys_proxy; fi" + +mkdir -p /home/git/gitlab-shell/bin/ +rm -f /home/git/gitlab-shell/bin/gitlab-shell +tee -a /home/git/gitlab-shell/bin/gitlab-shell > /dev/null <= 2.4 - - [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5-1 +- [Docker Distribution](https://github.com/docker/distribution) >= 2.4 +- [Docker GitLab](https://github.com/sameersbn/docker-gitlab) >= 8.8.5-1 +## Installation -# Available Parameters +### Setup with Nginx as Reverse Proxy -Here is an example of all configuration parameters that can be used in the GitLab container. +We assume that you already have Nginx installed on your host system and that +you use a reverse proxy configuration to connect to your GitLab container. + +In this example we use a dedicated domain for the registry. The URLs for +the GitLab installation and the registry are: + +- git.example.com +- registry.example.com + +> Note: You could also run everything on the same domain and use different ports +> instead. The required configuration changes below should be straightforward. + +#### Create auth tokens + +GitLab needs a certificate ("auth token") to talk to the registry API. The +tokens must be provided in the `/certs` directory of your container. 
You could +use an existing domain certificate or create your own with a very long +lifetime like this: + +```bash +mkdir certs +cd certs +# Generate a random password password_file used in the next commands +openssl rand -hex -out password_file 32 +# Create a PKCS#10 certificate request +openssl req -new -passout file:password_file -newkey rsa:4096 -batch > registry.csr +# Convert RSA key +openssl rsa -passin file:password_file -in privkey.pem -out registry.key +# Generate certificate +openssl x509 -in registry.csr -out registry.crt -req -signkey registry.key -days 10000 +``` + +It doesn't matter which details (domain name, etc.) you enter during key +creation. This information is not used at all. + +#### Update docker-compose.yml + +First add the configuration for the registry container to your `docker-compose.yml`. + +```yaml + registry: + image: registry + restart: always + expose: + - "5000" + ports: + - "5000:5000" + volumes: + - ./gitlab/shared/registry:/registry + - ./certs:/certs + environment: + - REGISTRY_LOG_LEVEL=info + - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry + - REGISTRY_AUTH_TOKEN_REALM=https://git.example.com/jwt/auth + - REGISTRY_AUTH_TOKEN_SERVICE=container_registry + - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer + - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt + - REGISTRY_STORAGE_DELETE_ENABLED=true +``` + +> **Important:** +> +> 1. Don't change `REGISTRY_AUTH_TOKEN_SERVICE`. It must have +> `container_registry` as value. +> 2. `REGISTRY_AUTH_TOKEN_REALM` must look like +> `https://git.example.com/jwt/auth`. So the endpoint must be `/jwt/auth`. +> +> These configuration options are required by the GitLab Container Registry. + +Then update the `volumes` and `environment` sections of your `gitlab` container: + +```yaml + gitlab: + environment: + # ... 
+ # Registry + - GITLAB_REGISTRY_ENABLED=true + - GITLAB_REGISTRY_HOST=registry.example.com + - GITLAB_REGISTRY_PORT=443 + - GITLAB_REGISTRY_API_URL=http://registry:5000 + - GITLAB_REGISTRY_KEY_PATH=/certs/registry.key + + volumes: + - ./gitlab:/home/git/data + - ./certs:/certs +``` +#### Nginx Site Configuration + +```nginx +server { + root /dev/null; + server_name registry.example.com; + charset UTF-8; + access_log /var/log/nginx/registry.example.com.access.log; + error_log /var/log/nginx/registry.example.com.error.log; + + # Set up SSL only connections: + listen *:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/registry.example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/registry.example.com/privkey.pem; + + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_session_timeout 5m; + + client_max_body_size 0; + chunked_transfer_encoding on; + + location / { + proxy_set_header Host $http_host; # required for docker client's sake + proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900; + proxy_pass http://localhost:5000; + } +} + +server { + listen *:80; + server_name registry.example.com; + server_tokens off; ## Don't show the nginx version number, a security best practice + return 301 https://$http_host:$request_uri; +} ``` + +## Configuration + +### Available Parameters + +Here is an example of all configuration parameters that can be used in the GitLab container. + +```yml ... gitlab: ... 
environment: - GITLAB_REGISTRY_ENABLED=true - GITLAB_REGISTRY_HOST=registry.gitlab.example.com - - GITLAB_REGISTRY_PORT=5500 - GITLAB_REGISTRY_API_URL=http://registry:5000 - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key - GITLAB_REGISTRY_ISSUER=gitlab-issuer 
@@ -39,15 +181,15 @@ where: | Parameter | Description | | --------- | ----------- | -| `GITLAB_REGISTRY_ENABLED ` | `true` or `false`. Enables the Registry in GitLab. By default this is `false`. | -| `GITLAB_REGISTRY_HOST ` | The host URL under which the Registry will run and the users will be able to use. | -| `GITLAB_REGISTRY_PORT ` | The port under which the external Registry domain will listen on. | -| `GITLAB_REGISTRY_API_URL ` | The internal API URL under which the Registry is exposed to. | -| `GITLAB_REGISTRY_KEY_PATH `| The private key location that is a pair of Registry's `rootcertbundle`. Read the [token auth configuration documentation][token-config]. | -| `GITLAB_REGISTRY_PATH ` | This should be the same directory like specified in Registry's `rootdirectory`. Read the [storage configuration documentation][storage-config]. This path needs to be readable by the GitLab user, the web-server user and the Registry user *if you use filesystem as storage configuration*. Read more in [#container-registry-storage-path](#container-registry-storage-path). | +| `GITLAB_REGISTRY_ENABLED` | `true` or `false`. Enables the Registry in GitLab. By default this is `false`. | +| `GITLAB_REGISTRY_HOST` | The host URL under which the Registry will run and the users will be able to use. | +| `GITLAB_REGISTRY_PORT` | The port under which the external Registry domain will listen on. | +| `GITLAB_REGISTRY_API_URL` | The internal API URL under which the Registry is exposed to. | +| `GITLAB_REGISTRY_KEY_PATH`| The private key location that is a pair of Registry's `rootcertbundle`. Read the [token auth configuration documentation][token-config]. | +| `GITLAB_REGISTRY_PATH` | This should be the same directory like specified in Registry's `rootdirectory`. Read the [storage configuration documentation][storage-config]. This path needs to be readable by the GitLab user, the web-server user and the Registry user *if you use filesystem as storage configuration*. 
Read more in [#container-registry-storage-path](#container-registry-storage-path). | | `GITLAB_REGISTRY_ISSUER` | This should be the same value as configured in Registry's `issuer`. Otherwise the authentication will not work. For more info read the [token auth configuration documentation][token-config]. | -| `SSL_REGISTRY_KEY_PATH ` | The private key of the `SSL_REGISTRY_CERT_PATH`. This will be later used in nginx to proxy your registry via https. | -| `SSL_REGISTRY_CERT_PATH ` | The certificate for the private key of `SSL_REGISTRY_KEY_PATH`. This will be later used in nginx to proxy your registry via https. | +| `SSL_REGISTRY_KEY_PATH` | The private key of the `SSL_REGISTRY_CERT_PATH`. This will be later used in nginx to proxy your registry via https. | +| `SSL_REGISTRY_CERT_PATH` | The certificate for the private key of `SSL_REGISTRY_KEY_PATH`. This will be later used in nginx to proxy your registry via https. | For more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters). 
@@ -64,141 +206,10 @@ gitlab: - GITLAB_REGISTRY_ISSUER=gitlab-issuer ... ``` -# Installation -Starting a fresh installation with GitLab Container registry would be like the `docker-compose` file. +### Container Registry storage driver -## Docker Compose - -This is an example with a registry and filesystem as storage driver. - -```yml -version: '2' - -services: - redis: - restart: always - image: sameersbn/redis:latest - command: - - --loglevel warning - volumes: - - ./redis:/var/lib/redis:Z - postgresql: - restart: always - image: sameersbn/postgresql:9.6-1 - volumes: - - ./postgresql:/var/lib/postgresql:Z - environment: - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - DB_EXTENSION=pg_trgm - - gitlab: - restart: always - image: sameersbn/gitlab:8.15.4 - depends_on: - - redis - - postgresql - ports: - - "10080:80" - - "5500:5500" - - "10022:22" - volumes: - - ./gitlab:/home/git/data:Z - - ./logs:/var/log/gitlab - - ./certs:/certs - environment: - - DEBUG=false - - - DB_ADAPTER=postgresql - - DB_HOST=postgresql - - DB_PORT=5432 - - DB_USER=gitlab - - DB_PASS=password - - DB_NAME=gitlabhq_production - - - REDIS_HOST=redis - - REDIS_PORT=6379 - - GITLAB_SSH_PORT=10022 - - GITLAB_PORT=10080 - - GITLAB_HOST=gitlab.example.com - - - GITLAB_SECRETS_DB_KEY_BASE=superrandomsecret - - GITLAB_REGISTRY_ENABLED=true - - GITLAB_REGISTRY_HOST=registry.gitlab.example.com - - GITLAB_REGISTRY_PORT=5500 - - GITLAB_REGISTRY_API_URL=http://registry:5000 - - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key - - SSL_REGISTRY_KEY_PATH=/certs/registry.key - - SSL_REGISTRY_CERT_PATH=/certs/registry.crt - - registry: - restart: always - image: registry:2.4.1 - volumes: - - ./gitlab/shared/registry:/registry - - ./certs:/certs - environment: - - REGISTRY_LOG_LEVEL=info - - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry - - REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com:10080/jwt/auth - - REGISTRY_AUTH_TOKEN_SERVICE=container_registry - - 
REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer - - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt - - REGISTRY_STORAGE_DELETE_ENABLED=true -``` -> **Important Notice** -> -> 1. Don't change `REGISTRY_AUTH_TOKEN_SERVICE`. It must have `container_registry` as value. -> 2. `REGISTRY_AUTH_TOKEN_REALM` need to be look like `http/s://gitlab.example.com/jwt/auth`. Endpoint must be `/jwt/auth` -> These configuration options are required by the GitLab Container Registry. - - -## Generating certificate for authentication with the registry - -So GitLab handles for us the authentication with Registry we need an certificate to do that secure. -With have here two options: - -1. Use a signed certificate from an Trusted Certificate Authority. -2. Self-Signed Certificate for the authentication process. - -### Signed Certificate -If you have a signed certificate from a Trusted Certificate Authority you need only to copy the files in then `certs` folder and mount the folder in both containers (gitlab,registry) like in the docker-compose example. -After that you need to set an environment variable in each container. -In the **GitLab Container** you need to set `GITLAB_REGISTRY_KEY_PATH` this is the private key of the signed certificate. -In the **Registry Container** you need to set `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` to the certificate file of the signed certificate. -For more info read [token auth configuration documentation][token-config]. - -### Self Signed Certificate - -Generate a self signed certificate with openssl. 
- -- **Step 1**: Create a certs dir - ```bash - mkdir certs && cd certs - ``` - -- **Step 2**: Generate a private key and sign request for the private key -```bash -openssl req -nodes -newkey rsa:4096 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=gitlab-issuer" -``` - -- **Step 3**: Sign your created privated key -```bash -openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650 -``` - -After this mount the `certs` dir in both containers and set the same environment variables like way of the signed certificate. - - - -## Container Registry storage driver - -You can configure the Container Registry to use a different storage backend by -configuring a different storage driver. By default the GitLab Container Registry -is configured to use the filesystem driver, which makes use of [storage path](#container-registry-storage-path) -configuration. These configurations will all be done in the registry container. +You can configure the Container Registry to use a different storage backend by configuring a different storage driver. By default the GitLab Container Registry is configured to use the filesystem driver, which makes use of [storage path](#container-registry-storage-path) configuration. These configurations will all be done in the registry container. The different supported drivers are: 
@@ -217,10 +228,10 @@ Read more about the individual driver's config options in the > **Warning** GitLab will not backup Docker images that are not stored on the filesystem. Remember to enable backups with your object storage provider if desired. > > If you use **filesystem** as storage driver you need to mount the path from `GITLAB_REGISTRY_DIR` of the GitLab container in the registry container. So both container can access the registry data. -> If you don't change `GITLAB_REGISTRY_DIR` you will find your registry data in the mounted volume from the GitLab Container under `./gitlab/shared/registry`. This don't need to be seprated mounted because `./gitlab` is already mounted in the GitLab Container. If it will be mounted seperated the whole restoring proccess of GitLab backup won't work because gitlab try to create an folder under `./gitlab/shared/registry` /`GITLAB_REGISTRY_DIR` and GitLab can't delete/remove the mount point inside the container so the restoring process of the backup will fail. +> If you don't change `GITLAB_REGISTRY_DIR` you will find your registry data in the mounted volume from the GitLab Container under `./gitlab/shared/registry`. This don't need to be separated mounted because `./gitlab` is already mounted in the GitLab Container. If it will be mounted separated the whole restoring process of GitLab backup won't work because gitlab try to create an folder under `./gitlab/shared/registry` /`GITLAB_REGISTRY_DIR` and GitLab can't delete/remove the mount point inside the container so the restoring process of the backup will fail. > An example how it works is in the `docker-compose`. -### Example for Amazon Simple Storage Service (s3) +#### Example for Amazon Simple Storage Service (s3) If you want to configure your registry via `/etc/docker/registry/config.yml` your storage part should like this snippet below. @@ -236,8 +247,6 @@ storage: enabled: true ``` - - ```yaml ... registry: 
@@ -258,20 +267,19 @@ storage: - REGISTRY_STORAGE_DELETE_ENABLED=true ``` -Generaly for more information about the configuration of the registry container you can find it under [registry configuration](https://docs.docker.com/registry/configuration). - +Generally for more information about the configuration of the registry container you can find it under [registry configuration](https://docs.docker.com/registry/configuration). -## Storage limitations +### Storage limitations Currently, there is no storage limitation, which means a user can upload an infinite amount of Docker images with arbitrary sizes. This setting will be configurable in future releases. +## Maintenance -# Maintenance If you use another storage configuration than filesystem it will have no impact on your Maintenance workflow. -## Creating Backups +### Creating Backups Creating Backups is the same like without a container registry. I would recommend to stop your registry container. @@ -280,13 +288,15 @@ docker stop registry gitlab && docker rm registry gitlab ``` Execute the rake task with a removeable container. + ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:backup:create + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:create ``` -## Restoring Backups -Gitlab also defines a rake task to restore a backup. +### Restoring Backups + +GitLab also defines a rake task to restore a backup. Before performing a restore make sure the container is stopped and removed to avoid container name conflicts. @@ -298,7 +308,7 @@ Execute the rake task to restore a backup. Make sure you run the container in in ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:backup:restore + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore ``` The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. 
@@ -307,18 +317,17 @@ To avoid user interaction in the restore operation, specify the timestamp of the ```bash docker run --name gitlab -it --rm [OPTIONS] \ - sameersbn/gitlab:8.15.4 app:rake gitlab:backup:restore BACKUP=1417624827 + sameersbn/gitlab:18.5.1 app:rake gitlab:backup:restore BACKUP=1417624827 ``` -# Upgrading from an existing GitLab installation - +## Upgrading from an existing GitLab installation If you want enable this feature for an existing instance of GitLab you need to do the following steps. - **Step 1**: Update the docker image. ```bash -docker pull sameersbn/gitlab:8.15.4 +docker pull sameersbn/gitlab:18.5.1 ``` - **Step 2**: Stop and remove the currently running image @@ -335,7 +344,7 @@ docker run --name gitlab -it --rm [OPTIONS] \ ``` - **Step 4**: Create a certs folder -Create an authentication certificate with [Generating certificate for authentication with the registry](#Generating-certificate-for-authentication-with-the-registry). +Create an authentication certificate with [Generating certificate for authentication with the registry](#generating-certificate-for-authentication-with-the-registry). - **Step 5**: Create an registry instance @@ -358,6 +367,7 @@ docker run --name registry -d \ --env 'REGISTRY_STORAGE_DELETE_ENABLED=true' \ registry:2.4.1 ``` + - **Step 6**: Start the image ```bash 
@@ -368,16 +378,11 @@ docker run --name gitlab -d [PREVIOUS_OPTIONS] \ --env 'GITLAB_REGISTRY_ENABLED=true' \ --env 'GITLAB_REGISTRY_HOST=registry.gitlab.example.com' \ --env 'GITLAB_REGISTRY_API_URL=http://registry:5000/' \ +--env 'GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt' \ --env 'GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key' \ --link registry:registry -sameersbn/gitlab:8.15.4 +sameersbn/gitlab:18.5.1 ``` - -[wildcard certificate]: https://en.wikipedia.org/wiki/Wildcard_certificate -[ce-4040]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4040 -[docker-insecure]: https://docs.docker.com/registry/insecure/ -[registry-deploy]: https://docs.docker.com/registry/deploying/ [storage-config]: https://docs.docker.com/registry/configuration/#storage [token-config]: https://docs.docker.com/registry/configuration/#token -[8-8-docs]: https://gitlab.com/gitlab-org/gitlab-ce/blob/8-8-stable/doc/administration/container_registry.md diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml new file mode 100644 index 000000000..903ba799c --- /dev/null +++ b/docs/docker-compose-keycloak.yml 
@@ -0,0 +1,180 @@ +services: + redis: + restart: always + image: redis:7 + command: + - --loglevel warning + volumes: + - redis-data:/var/lib/redis:Z + + postgresql: + restart: always + image: kkimurak/sameersbn-postgresql:16 + volumes: + - postgresql-data:/var/lib/postgresql:Z + environment: + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm,btree_gist + + gitlab: + restart: always + image: sameersbn/gitlab:18.5.1 + depends_on: + - redis + - postgresql + ports: + - "10080:80" + - "10022:22" + volumes: + - gitlab-data:/home/git/data:Z + environment: + - DEBUG=false + + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + + - REDIS_HOST=redis + - REDIS_PORT=6379 + + - TZ=Asia/Kolkata + - GITLAB_TIMEZONE=Kolkata + + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false + + - GITLAB_HOST='' + - GITLAB_PORT=10080 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string + + - GITLAB_ROOT_PASSWORD= + - GITLAB_ROOT_EMAIL= + + - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true + - GITLAB_NOTIFY_PUSHER=false + + - GITLAB_EMAIL=notifications@example.com + - GITLAB_EMAIL_REPLY_TO=noreply@example.com + - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com + + - GITLAB_BACKUP_SCHEDULE=daily + - GITLAB_BACKUP_TIME=01:00 + + - SMTP_ENABLED=false + - SMTP_DOMAIN=www.example.com + - SMTP_HOST=smtp.gmail.com + - SMTP_PORT=587 + - SMTP_USER=mailer@example.com + - SMTP_PASS=password + - SMTP_STARTTLS=true + - SMTP_AUTHENTICATION=login + + - IMAP_ENABLED=false + - IMAP_HOST=imap.gmail.com + - IMAP_PORT=993 + - IMAP_USER=mailer@example.com + - IMAP_PASS=password + - IMAP_SSL=true + - 
IMAP_STARTTLS=false + + - OAUTH_ENABLED=true + - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak + - OAUTH_ALLOW_SSO=Keycloak + - OAUTH_BLOCK_AUTO_CREATED_USERS=false + - OAUTH_AUTO_LINK_LDAP_USER=false + - OAUTH_AUTO_LINK_SAML_USER=false + - OAUTH_EXTERNAL_PROVIDERS=Keycloak + + - OAUTH_CAS3_LABEL=cas3 + - OAUTH_CAS3_SERVER= + - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false + - OAUTH_CAS3_LOGIN_URL=/cas/login + - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate + - OAUTH_CAS3_LOGOUT_URL=/cas/logout + + - OAUTH_GOOGLE_API_KEY= + - OAUTH_GOOGLE_APP_SECRET= + - OAUTH_GOOGLE_RESTRICT_DOMAIN= + + - OAUTH_FACEBOOK_API_KEY= + - OAUTH_FACEBOOK_APP_SECRET= + + - OAUTH_TWITTER_API_KEY= + - OAUTH_TWITTER_APP_SECRET= + + - OAUTH_GITHUB_API_KEY= + - OAUTH_GITHUB_APP_SECRET= + - OAUTH_GITHUB_URL= + - OAUTH_GITHUB_VERIFY_SSL= + + - OAUTH_GITLAB_API_KEY= + - OAUTH_GITLAB_APP_SECRET= + + - OAUTH_BITBUCKET_API_KEY= + - OAUTH_BITBUCKET_APP_SECRET= + - OAUTH_BITBUCKET_URL= + + - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= + - OAUTH_SAML_IDP_CERT_FINGERPRINT= + - OAUTH_SAML_IDP_SSO_TARGET_URL= + - OAUTH_SAML_ISSUER= + - OAUTH_SAML_LABEL="Our SAML Provider" + - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - OAUTH_SAML_GROUPS_ATTRIBUTE= + - OAUTH_SAML_EXTERNAL_GROUPS= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= + + - OAUTH_CROWD_SERVER_URL= + - OAUTH_CROWD_APP_NAME= + - OAUTH_CROWD_APP_PASSWORD= + + - OAUTH_AUTH0_CLIENT_ID= + - OAUTH_AUTH0_CLIENT_SECRET= + - OAUTH_AUTH0_DOMAIN= + - OAUTH_AUTH0_SCOPE= + + - OAUTH_AZURE_API_KEY= + - OAUTH_AZURE_API_SECRET= + - OAUTH_AZURE_TENANT_ID= + + - OAUTH2_GENERIC_APP_ID=git + - OAUTH2_GENERIC_APP_SECRET= + - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 + - 
OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://:10081/auth/realms/master/protocol/openid-connect/userinfo + - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://:10081/auth/realms/master/protocol/openid-connect/auth + - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://:10081/auth/realms/master/protocol/openid-connect/token + - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout + - OAUTH2_GENERIC_ID_PATH=sub + - OAUTH2_GENERIC_USER_UID=sub + - OAUTH2_GENERIC_USER_NAME=preferred_username + - OAUTH2_GENERIC_USER_EMAIL=email + - OAUTH2_GENERIC_NAME=Keycloak + + keycloak: + restart: always + image: jboss/keycloak:8.0.1 + ports: + - "10081:8080" + environment: + - DEBUG=false + - KEYCLOAK_PASSWORD=admin + - KEYCLOAK_USER=admin + +volumes: + redis-data: + postgresql-data: + gitlab-data: diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml new file mode 100644 index 000000000..24b75c8db --- /dev/null +++ b/docs/docker-compose-registry.yml 
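Review bot: `GITLAB_HOST=''` in the gitlab service's environment list most likely sets the variable to the literal two-character string `''` rather than to an empty value, because Compose passes list-form `KEY=value` entries through verbatim without shell-style quote stripping; the same applies to `OAUTH_SAML_LABEL="Our SAML Provider"`, whose value keeps its double quotes. Write them as `- GITLAB_HOST=` and `- OAUTH_SAML_LABEL=Our SAML Provider`, or switch `environment:` to mapping form where `GITLAB_HOST: ''` is quoted at the YAML level. The `OAUTH2_GENERIC_CLIENT_*` URLs have an empty host (`http://:10081/...`) and are plain HTTP, and the keycloak service publishes port 10081 with `KEYCLOAK_USER=admin` / `KEYCLOAK_PASSWORD=admin`; since this file is shipped as a template, a comment such as `# demo-only values: fill in the Keycloak host, use https, and change the admin credentials before exposing port 10081` above the keycloak service would keep readers from deploying it as-is.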
@@ -0,0 +1,95 @@ +services: + redis: + restart: always + image: redis:7 + command: + - --loglevel warning + volumes: + - redis:/var/lib/redis:Z + + postgresql: + restart: always + image: kkimurak/sameersbn-postgresql:16 + volumes: + - postgresql:/var/lib/postgresql:Z + environment: + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm,btree_gist + + gitlab: + restart: always + image: sameersbn/gitlab:18.5.1 + volumes: + - gitlab-data:/home/git/data:Z + - gitlab-logs:/var/log/gitlab + - ./certs:/certs + depends_on: + - redis + - postgresql + ports: + - "80:80" + - "10022:22" + external_links: + - "registry:registry.example.com" + environment: + - DEBUG=false + + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + + - REDIS_HOST=redis + - REDIS_PORT=6379 + + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false + + - GITLAB_HOST=gitlab.example.com + - GITLAB_PORT=80 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - GITLAB_SECRETS_DB_KEY_BASE=secret + - GITLAB_SECRETS_SECRET_KEY_BASE=secret + - GITLAB_SECRETS_OTP_KEY_BASE=secret + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret + + - GITLAB_REGISTRY_ENABLED=true + - GITLAB_REGISTRY_HOST=registry.example.com + - GITLAB_REGISTRY_PORT=5000 + - GITLAB_REGISTRY_API_URL=https://registry.example.com:5000 + - GITLAB_REGISTRY_CERT_PATH=/certs/registry-auth.crt + - GITLAB_REGISTRY_KEY_PATH=/certs/registry-auth.key + + registry: + restart: always + image: registry:2.4.1 + ports: + - "5000:5000" + volumes: + - registry-data:/var/lib/registry + - ./certs:/certs + external_links: + - "gitlab:gitlab.example.com" + environment: + - REGISTRY_LOG_LEVEL=info + - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry + - REGISTRY_AUTH_TOKEN_REALM=http://gitlab.example.com/jwt/auth + - REGISTRY_AUTH_TOKEN_SERVICE=container_registry + - REGISTRY_AUTH_TOKEN_ISSUER=gitlab-issuer + - 
REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry-auth.crt + - REGISTRY_STORAGE_DELETE_ENABLED=true + - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt + - REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key + - REGISTRY_HTTP_SECRET=secret + +volumes: + gitlab-data: + gitlab-logs: + postgresql: + redis: + registry-data: diff --git a/docs/docker-swarm-traefik-registry.md b/docs/docker-swarm-traefik-registry.md new file mode 100644 index 000000000..62384b64d --- /dev/null +++ b/docs/docker-swarm-traefik-registry.md 
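Review bot: `REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry-auth.crt` and `REGISTRY_HTTP_TLS_KEY=/certs/registry-auth.key` in the registry service reuse the token-signing pair (`REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` on this side, `GITLAB_REGISTRY_KEY_PATH` on the gitlab side) as the HTTPS server key, so one private key serves two purposes, and an issuer certificate generated for token signing would likely not carry `registry.example.com` as a subject name, so TLS clients would reject it. Point the TLS settings at a separate server certificate, e.g. `- REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt` and `- REGISTRY_HTTP_TLS_KEY=/certs/registry.key`, keeping `registry-auth.*` for token auth only. `REGISTRY_HTTP_SECRET=secret`, the four `GITLAB_SECRETS_*=secret` entries and `DB_PASS=password` are placeholders; a comment such as `# replace every 'secret'/'password' value before use (e.g. openssl rand -hex 32)` above the gitlab service would make that explicit. `external_links` is a legacy Compose feature and both services are in this project on the default network, so `gitlab` and `registry` already resolve by service name; the `*.example.com` aliases could presumably be expressed with network `aliases` instead, which is worth confirming against the Compose version in use.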
@@ -0,0 +1,379 @@ +# Docker Swarm mode deployment + +Here's a guide to deploy **GitLab** with: + +* [Docker Swarm mode](https://docs.docker.com/engine/swarm/) for cluster management and orchestration. +* [Docker Registry](https://docs.docker.com/registry/) with HTTPS, TLS (SSL) handled automatically, using GitLab credentials and integration with GitLab CI. +* [Traefik](https://traefik.io/) proxy to handle domain based redirection, HTTPS communication and automatic certificate generation with [Let's encrypt](https://letsencrypt.org/). You don't need to build a custom Nginx proxy or anything similar, it's all handled by Traefik. +* Automatic generation and configuration of GitLab / Registry internal communication certificates. + +## Set up Docker Swarm + +Set up a Docker Swarm mode cluster with a main global Traefik load balancer following the guide at [DockerSwarm.rocks](https://dockerswarm.rocks). + +It will take you less than 20 minutes to follow it to deploy a cluster (of one or more machines) and have it ready for the next steps. + +## Configure DNS records + +Configure your DNS domain records to point one subdomain for your GitLab instance and one subdomain for the Docker Registry to the new server. + +For example, a DNS `A` record for `gitlab.example.com` and a DNS `A` record for `registry.example.com`. + +If you have a cluster with several nodes, make sure those DNS records point to the IP of the node that will host the `gitlab` and `registry` services. + +This is because `gitlab` has to listen on port `22` for Git to work, but we will configure it to make it listen on port `22` only on the server that has GitLab. + +That way, if you have other servers in your cluster, you won't have to change the default SSH port of all of them. + +## Modify the server SSH port + +As by default Git uses the same SSH port `22`, and you want your GitLab container to use that port, modify your server SSH configuration to use a different port. 
This guide will assume you will use port `2222` for your server SSH and port `22` for your GitLab. + +Connect to your remote server as normally, e.g.: + +```bash +ssh root@gitlab.example.com +``` + +Create a backup of your SSH config file: + +```bash +cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup +``` + +Modify your SSH config. + +**Warning**: if something is broken after modifying the SSH configuration, you could lock yourself out of the server. + +You need to have a line `Port 2222` and make sure there's no line `Port 22`. + +You can use this command to do it automatically, it will check for a line with `Port 22` or `#Port 22` and replace it with `Port 2222`. + +```bash +sed -i 's|^#\?Port 22$|Port 2222|' /etc/ssh/sshd_config +``` + +Or you can modify it with `nano` by hand, with: + +```bash +nano /etc/ssh/sshd_config +``` + +Confirm that there's a single line with `Port 2222` with: + +```bash +grep "^Port" /etc/ssh/sshd_config +``` + +Then restart the SSH server: + +```bash +systemctl restart sshd.service +``` + +**Warning**: at this point, if you lose your connection and something was wrong in the configuration, you could lock yourself out of the server. Run the following steps in a new terminal session, without closing the existing one, so that, if something was wrong, you can use the current session to edit the configurations, revert them, and restart the SSH service, before being locked out. + +In a different terminal session, without closing the existing one, try connecting with SSH to your server using the new port, e.g.: + +```bash +ssh -p 2222 root@gitlab.example.com +``` + +If you get connected to the remote server normally, everything is working correctly. 
+ +## Download the Docker Compose stack file + +* Download the Docker Compose stack file: + +```bash +curl -L https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.swarm.yml -o docker-compose.swarm.yml +``` + +## Set environment variables + +Set and export the environment variables `GITLAB_HOST` and `REGISTRY_HOST` to the subdomains you configured. + +For example: + +```bash +export GITLAB_HOST=gitlab.example.com +export REGISTRY_HOST=registry.example.com +``` + +You will use the domain for `GITLAB_HOST` to access GitLab in your browser and to commit and push with Git. + +And you will use the domain for `REGISTRY_HOST` to store, push, and pull Docker images, e.g.: + +```bash +docker pull registry.example.com/mygroup/myproject/imagename:sometag +``` + +These environment variables will be used by the file `docker-compose.swarm.yml`. + +They are used inside of the stacks and are also used to configure the domains for the Traefik load balancer. Because of that, you need to export them for them to be available when deploying the stack. + +## Other environment variables + +There are many additional environment variables with different configurations. + +Read the [main README](https://github.com/sameersbn/docker-gitlab) for all the options. + +For Registry specific options and details, check the main [GitLab Registry documentation in this repo](https://github.com/sameersbn/docker-gitlab/blob/master/docs/container_registry.md). + +You can configure them by editing de file `docker-compose.swarm.yml`. + +You can do it in the command line with a program like `nano`, e.g.: + +```bash +nano docker-compose.swarm.yml +``` + +## Set other environment variables + +If you want anyone to sign up instead of only people with invitation, change `GITLAB_SIGNUP_ENABLED` to `true`: + +```bash +export GITLAB_SIGNUP_ENABLED=true +``` + +There are several environment variables that require random strings for keys and passwords. 
+ +For the sections that require generating random strings for keys and passwords, each time, run the following command and copy the output: + +```bash +openssl rand -hex 32 +# Outputs something like: 99d3b1f01aa639e4a76f4fc281fc834747a543720ba4c8a8648ba755aef9be7f +``` + +You can copy it and set it in the file like: + +```yaml +- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string +- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string +- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string +- GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string +``` + +There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc. + +## Copy the file + +If you modified the file locally, make sure you copy it to your remote server, e.g.: + +```bash +scp -P 2222 docker-compose.swarm.yml root@gitlab.example.com:/root/ +``` + +and connect via SSH to your remote server, e.g.: + +```bash +ssh -p 2222 root@gitlab.example.com +``` + +If you modified the file locally and then connected to your server later, make sure you export the environment variables `GITLAB_HOST` and `REGISTRY_HOST` that are needed even if you modified the Docker Compose file (as those are used in the Traefik labels). + +## About volumes, labels, and constraints + +Because the Docker Swarm cluster may have more than one single node (machine) in the cluster, we need to make sure that the services that need to save and read files from volumes are always deployed to the same node. 
+ +For example, the service for `redis` uses a volume, you can check it on the `docker-compose.swarm.yml` file: + +```yaml + volumes: + - redis-data:/var/lib/redis:Z +``` + +To make sure `redis` is always deployed to the same node that contains the same volume `redis-data`, we have a constraint: + +```yaml + deploy: + placement: + constraints: + - node.labels.gitlab.redis-data == true +``` + +This tells Docker that the service `redis` should be deployed to a Docker node (a machine in the cluster) with the label `node.labels.gitlab.redis-data=true`. + +Then we can make one node (only one) have this label, and Docker Swarm will always deploy the `redis` service to the same node. That way, the service will keep reading the same volume every time. Even if you re-deploy or upgrade the stack. + +## Add constraint labels + +Now we are going to add the needed labels to satisfy those constraints, to make sure the volumes work correctly. + +* Connect to a manager node in your Docker Swarm cluster. It could be the same server that will run GitLab, or it could be a different one. + +* If you are deploying the stack in the same current manager node, get its node ID and store it in an environment variable: + +```bash +export NODE_ID=$(docker info -f '{{.Swarm.NodeID}}') +``` + +* Otherwise, you can check the current available nodes with: + +```console +$ docker node ls + +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION +m48gz5e8ucmk59af4m6enmnaz * dog.example.com Ready Active Leader 19.03.9 +4w456u9lnanau629v3y456k9d cat.example.com Ready Active 19.03.9 +mue36qqwqnzrqt4iqi0yyd6ie gitlab.example.com Ready Active 19.03.9 +``` + +And select the node where you want to deploy the main `gitlab` service. In this example, in the node that has a `HOSTNAME` with value `gitlab.example.com`, with node ID `mue36qqwqnzrqt4iqi0yyd6ie`. 
+ +So, you could export that environment variable using the node ID with something like: + +```bash +export NODE_ID=mue36qqwqnzrqt4iqi0yyd6ie +``` + +* Create a label in that node, so that the service `gitlab` and `registry` are always deployed to the same node and use the same volumes: + +```bash +docker node update --label-add gitlab.certs-data=true $NODE_ID +``` + +We need to make sure `gitlab` and `registry` are deployed on the same node because they share the same volume with the TLS certificates generated by `gitlab`. + +Now create the label for `redis`. You could use another node in your cluster if you have more than one, for simplicity we are going to use the same node, e.g.: + +```bash +docker node update --label-add gitlab.redis-data=true $NODE_ID +``` + +And add the label for `postgres`: + +```bash +docker node update --label-add gitlab.postgresql-data=true $NODE_ID +``` + +**Note**: you only have to set those labels once. Not every time you want to re-deploy your stack. + +## Deploy the stack + +Now, having the labels set in the Docker nodes, and the environment variables exported, you can deploy your stack: + +```bash +docker stack deploy --compose-file docker-compose.swarm.yml gitlab +``` + +**Note**: the environment variables `GITLAB_HOST` and `REGISTRY_HOST` have to be available every time to deploy the stack. But the node labels can be set only once, the first time you deploy. + +You can check the status of the deployment with: + +```bash +docker stack ps gitlab +``` + +Or check the logs, for example for the service `gitlab_gitlab`: + +```bash +docker service logs gitlab_gitlab +``` + +## Internal certificates + +GitLab and the Docker Registry have public facing HTTPS certificates generated with Let's Encrypt for each one. But to communicate between themselves they use an additional self-signed certificate. 
+ +To tell GitLab to generate those self-signed certificates for the internal communication with GitLab, the `gitlab` service has an environment variable: + +```yaml +- GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES=true +``` + +GitLab will generate the certificates and store them in the location given by: + +```yaml +- GITLAB_REGISTRY_KEY_PATH=/certs/registry.key +``` + +And that location, `/certs`, is mounted as a named volume: + +```yaml + volumes: + - gitlab-data:/home/git/data:Z + - certs-data:/certs +``` + +So, the self-signed certificates will be generated inside the named volume `gitlab-certs`. + +And the Registry also has that named volume mounted: + +```yaml + volumes: + - registry-data:/registry + - certs-data:/certs +``` + +And the Registry is configured to look for the certificate in that same location that GitLab used to generate the certificate: + +```yaml +- REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/registry.crt +``` + +## GitLab Runner in Docker + +If you use GitLab and want to integrate Continuous Integration / Continuous Deployment, you can follow this section to install the GitLab runner. + +You should create the runner using Docker standalone instead of in Docker Swarm mode, as you need the configurations to persist, and in Docker Swarm mode, the container could be deployed to a different server and you would lose those configurations. + +### Testing and Deployment + +For testing, the GitLab runner can run in any node. + +But if you want to deploy another runner for deployment (or use the same one), it has to run on a manager node in the Docker Swarm cluster. 
+ +### Create the GitLab Runner in Docker standalone mode + +To install a GitLab runner in a standalone Docker run: + +```bash +docker run -d \ + --name gitlab-runner \ + --restart always \ + -v gitlab-runner:/etc/gitlab-runner \ + -v /tmp/builds:/tmp/builds \ + -v /var/run/docker.sock:/var/run/docker.sock \ + gitlab/gitlab-runner:latest +``` + +Then, enter into that container: + +```bash +docker exec -it gitlab-runner bash +``` + +### Install the GitLab Runner + +* Go to the GitLab "Admin Area -> Runners" section. +* Get the URL and create a variable with it in the bash session inside of your Runner's Docker container, e.g.: + +```bash +export GITLAB_URL=https://gitlab.example.com/ +``` + +* Get the registration token and create a variable in the bash session inside of your Runner's Docker container, e.g.: + +```bash +export GITLAB_TOKEN=WYasdfJp4sdfasdf1234 +``` + +* Run the next command editing the name and tags as you need, you can also edit them later in the web user interface. + +```bash +gitlab-runner \ + register -n \ + --name "Docker Runner" \ + --executor docker \ + --locked false \ + --access-level not_protected \ + --builds-dir /tmp/builds \ + --docker-image docker:latest \ + --docker-volumes /tmp/builds:/tmp/builds \ + --docker-volumes /var/run/docker.sock:/var/run/docker.sock \ + --url $GITLAB_URL \ + --registration-token $GITLAB_TOKEN \ + --tag-list dog-cat-cluster,stag,prod +``` + +* You can edit the runner more from the GitLab admin section. diff --git a/docs/exposing-ssh-port.md b/docs/exposing-ssh-port.md new file mode 100644 index 000000000..a2dbca10a --- /dev/null +++ b/docs/exposing-ssh-port.md 
@@ -0,0 +1,7 @@ +# Exposing ssh port in dockerized gitlab-ce + +This is how to expose this internal ssh port without affecting the existing ssh port on the host server: + +* use this configuration script: [`../contrib/expose-gitlab-ssh-port.sh`](../contrib/expose-gitlab-ssh-port.sh) +* see implementation example in Vagrant: [harobed/docker-gitlab-vagrant-test](https://github.com/harobed/docker-gitlab-vagrant-test) +* more information, see [« Exposing ssh port in dockerized gitlab-ce »](https://blog.xiaket.org/2017/exposing.ssh.port.in.dockerized.gitlab-ce.html) post diff --git a/docs/images/keycloak-admin-acc.png b/docs/images/keycloak-admin-acc.png new file mode 100644 index 000000000..116967254 Binary files /dev/null and b/docs/images/keycloak-admin-acc.png differ diff --git a/docs/images/keycloak-client-creation.png b/docs/images/keycloak-client-creation.png new file mode 100644 index 000000000..0595b8df9 Binary files /dev/null and b/docs/images/keycloak-client-creation.png differ diff --git a/docs/images/keycloak-client-creation2.png b/docs/images/keycloak-client-creation2.png new file mode 100644 index 000000000..96879a04d Binary files /dev/null and b/docs/images/keycloak-client-creation2.png differ diff --git a/docs/images/keycloak-client.png b/docs/images/keycloak-client.png new file mode 100644 index 000000000..f10fc95ce Binary files /dev/null and b/docs/images/keycloak-client.png differ diff --git a/docs/images/keycloak-gitlab-login.png b/docs/images/keycloak-gitlab-login.png new file mode 100644 index 000000000..2d7933d60 Binary files /dev/null and b/docs/images/keycloak-gitlab-login.png differ diff --git a/docs/images/keycloak-home.png b/docs/images/keycloak-home.png new file mode 100644 index 000000000..f2adbed24 Binary files /dev/null and b/docs/images/keycloak-home.png differ 
diff --git a/docs/images/keycloak-secret.png b/docs/images/keycloak-secret.png new file mode 100644 index 000000000..4af4960e5 Binary files /dev/null and b/docs/images/keycloak-secret.png differ diff --git a/docs/images/keycloak-users.png b/docs/images/keycloak-users.png new file mode 100644 index 000000000..6949e8212 Binary files /dev/null and b/docs/images/keycloak-users.png differ diff --git a/docs/keycloak-idp.md b/docs/keycloak-idp.md new file mode 100644 index 000000000..04bc3c734 --- /dev/null +++ b/docs/keycloak-idp.md 
@@ -0,0 +1,80 @@ +# Integrate Keycloak as an IDP with GitLab + +In this document, we will explain how to set up Keycloak and integrate it into GitLab. + +## Setting up Keycloak + +First, you need a client in Keycloak to authenticate with GitLab. You can start Keycloak by running `docker-compose up -d keycloak`. + +When Keycloak is running, log in using the `Administration console`. You can visit the Keycloak on the [local IP](http://localhost:10081) of your laptop. + +![Keycloak Home](images/keycloak-home.png) + +Next, create a client. + +![Keycloak client](images/keycloak-client.png) + +Fill in the following variables: + +![Keycloak client creation](images/keycloak-client-creation.png) + +Make access type confidential and enable service accounts and authorization. + +![Keycloak client creation](images/keycloak-client-creation2.png) + +Next, click save, get the client secret generated by Keycloak and start filling out the variables for GitLab in the docker-compose file. + +![Keycloak client secret](images/keycloak-secret.png) + +Set the following in the docker-compose file: + +```yaml + - OAUTH2_GENERIC_APP_SECRET= + - OAUTH2_GENERIC_CLIENT_SITE=http://:10081 + - OAUTH2_GENERIC_CLIENT_USER_INFO_URL=http://:10081/auth/realms/master/protocol/openid-connect/userinfo + - OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL=http://:10081/auth/realms/master/protocol/openid-connect/auth + - OAUTH2_GENERIC_CLIENT_TOKEN_URL=http://:10081/auth/realms/master/protocol/openid-connect/token + - OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT=http://:10081/auth/realms/master/protocol/openid-connect/logout +``` + +`` is the IP address of your keycloak. For this example this would be your IP address, but if your Keycloak existed elsewhere for your deployment `` would be different as would the port and the realm. 
+ +The following must also be configured: + +```yaml + - OAUTH2_GENERIC_USER_UID='preferred_username' + - OAUTH2_GENERIC_USER_NAME='name' + - OAUTH2_GENERIC_USER_EMAIL='email' +``` + +The values will be different for your deployment. Navigate Keycloak's UI, select `Clients`, click `[your client]`, then open the `Client Scopes` tab, then open `Evaluate` sub-tab, enter a username you know in the `User` field, select the match, then `Generate Access Token` to see the values you need to configure. + +Also, make sure the following variables are filled in the docker-compose file: + +```yaml + - GITLAB_HOST='' + ... + - OAUTH_ENABLED=true + - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=Keycloak + - OAUTH_ALLOW_SSO=Keycloak + - OAUTH_BLOCK_AUTO_CREATED_USERS=false + - OAUTH_AUTO_LINK_LDAP_USER=false + - OAUTH_AUTO_LINK_SAML_USER=false +``` + +`` is the IP address of your GitLab for this example this would be the your IP address, but if your GitLab was to be proxied or deployed elsewhere `` would be another value appropriate for your deployment. + +GitLab does not allow login from users in Keycloak with an empty email or name. To prevent this, you can create a new user in Keycloak or you can add email and name for the admin account. + +Visit the `Users` tab and click on `View all users` to modify the Admin user. + +![keycloak-users](images/keycloak-users.png) + +Modify the `Email`, `First name` and `Last Name` fields. +![admin-account](images/keycloak-admin-acc.png) + +Deploy GitLab, Redis and PostgreSQL by running the following command: `docker-compose up -d gitlab redis postgresql`. + +You can now login on the local GitLab instance with with Keycloak on your [local IP](http://localhost:10080). + +![gitlab-login](images/keycloak-gitlab-login.png) diff --git a/docs/s3_compatible_storage.md b/docs/s3_compatible_storage.md new file mode 100644 index 000000000..6e5ba10af --- /dev/null +++ b/docs/s3_compatible_storage.md 
@@ -0,0 +1,239 @@ +# GitLab Backup to s3 compatible storage + +Enables automatic backups to self-hosted s3 compatible storage like minio () and others. +This is an extend of AWS Remote Backups. + +As explained in [doc.gitlab.com](https://docs.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage), it uses [Fog library](http://fog.io) and the module fog-aws. More details on [s3 supported parameters](https://github.com/fog/fog-aws/blob/master/lib/fog/aws/storage.rb) + +- [GitLab Backup to s3 compatible storage](#gitlab-backup-to-s3-compatible-storage) + - [Available Parameters](#available-parameters) + - [Installation](#installation) + - [Docker Compose](#docker-compose) + - [Creating Backups](#creating-backups) + - [Restoring Backups](#restoring-backups) + +## Available Parameters + +Here is an example of all configuration parameters that can be used in the GitLab container. + +```yaml +... +gitlab: + ... + environment: + - AWS_BACKUPS=true + - AWS_BACKUP_ENDPOINT='http://minio:9000/' + - AWS_BACKUP_ACCESS_KEY_ID=minio + - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 + - AWS_BACKUP_BUCKET=docker + - AWS_BACKUP_MULTIPART_CHUNK_SIZE=104857600 +``` + +where: + +| Parameter | Description | +| --------- | ----------- | +| `AWS_BACKUPS` | Enables automatic uploads to an Amazon S3 instance. Defaults to `false`. | +| `AWS_BACKUP_ENDPOINT` | AWS endpoint. No defaults. | +| `AWS_BACKUP_ACCESS_KEY_ID` | AWS access key id. No defaults. | +| `AWS_BACKUP_SECRET_ACCESS_KEY` | AWS secret access key. No defaults. | +| `AWS_BACKUP_BUCKET` | AWS bucket for backup uploads. No defaults. | +| `AWS_BACKUP_MULTIPART_CHUNK_SIZE` | Enables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html) | + +For more info look at [Available Configuration Parameters](https://github.com/sameersbn/docker-gitlab#available-configuration-parameters). 
+ +A minimum set of these parameters are required to use the s3 compatible storage: + +```yaml +... +gitlab: + environment: + - AWS_BACKUPS=true + - AWS_BACKUP_ENDPOINT='http://minio:9000/' + - AWS_BACKUP_ACCESS_KEY_ID=minio + - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 + - AWS_BACKUP_BUCKET=docker +... +``` + +## Installation + +Starting a fresh installation with GitLab would be like the `docker-compose` file. + +### Docker Compose + +This is an example with minio. + +```yml +services: + redis: + restart: always + image: sameersbn/redis:7 + command: + - --loglevel warning + volumes: + - /tmp/docker/gitlab/redis:/data:Z + + postgresql: + restart: always + image: sameersbn/postgresql:10-2 + volumes: + - /tmp/docker/gitlab/postgresql:/var/lib/postgresql:Z + environment: + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - DB_EXTENSION=pg_trgm + + gitlab: + restart: always + #image: sameersbn/gitlab:8.16.4 + build: . + depends_on: + - redis + - postgresql + ports: + - "10080:80" + - "10022:22" + volumes: + - /tmp/docker/gitlab/gitlab:/home/git/data:Z + environment: + - DEBUG=false + - DB_ADAPTER=postgresql + - DB_HOST=postgresql + - DB_PORT=5432 + - DB_USER=gitlab + - DB_PASS=password + - DB_NAME=gitlabhq_production + - REDIS_HOST=redis + - REDIS_PORT=6379 + - TZ=Asia/Kolkata + - GITLAB_TIMEZONE=Kolkata + - GITLAB_HTTPS=false + - SSL_SELF_SIGNED=false + - GITLAB_HOST=localhost + - GITLAB_PORT=10080 + - GITLAB_SSH_PORT=10022 + - GITLAB_RELATIVE_URL_ROOT= + - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_ROOT_PASSWORD= + - GITLAB_ROOT_EMAIL= + - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true + - GITLAB_NOTIFY_PUSHER=false + - GITLAB_EMAIL=notifications@example.com + - 
GITLAB_EMAIL_REPLY_TO=noreply@example.com + - GITLAB_INCOMING_EMAIL_ADDRESS=reply@example.com + - GITLAB_BACKUP_SCHEDULE=daily + - GITLAB_BACKUP_TIME=01:00 + - SMTP_ENABLED=false + - SMTP_DOMAIN=www.example.com + - SMTP_HOST=smtp.gmail.com + - SMTP_PORT=587 + - SMTP_USER=mailer@example.com + - SMTP_PASS=password + - SMTP_STARTTLS=true + - SMTP_AUTHENTICATION=login + - IMAP_ENABLED=false + - IMAP_HOST=imap.gmail.com + - IMAP_PORT=993 + - IMAP_USER=mailer@example.com + - IMAP_PASS=password + - IMAP_SSL=true + - IMAP_STARTTLS=false + - OAUTH_ENABLED=false + - OAUTH_AUTO_SIGN_IN_WITH_PROVIDER= + - OAUTH_ALLOW_SSO= + - OAUTH_BLOCK_AUTO_CREATED_USERS=true + - OAUTH_AUTO_LINK_LDAP_USER=false + - OAUTH_AUTO_LINK_SAML_USER=false + - OAUTH_EXTERNAL_PROVIDERS= + - OAUTH_CAS3_LABEL=cas3 + - OAUTH_CAS3_SERVER= + - OAUTH_CAS3_DISABLE_SSL_VERIFICATION=false + - OAUTH_CAS3_LOGIN_URL=/cas/login + - OAUTH_CAS3_VALIDATE_URL=/cas/p3/serviceValidate + - OAUTH_CAS3_LOGOUT_URL=/cas/logout + - OAUTH_GOOGLE_API_KEY= + - OAUTH_GOOGLE_APP_SECRET= + - OAUTH_GOOGLE_RESTRICT_DOMAIN= + - OAUTH_FACEBOOK_API_KEY= + - OAUTH_FACEBOOK_APP_SECRET= + - OAUTH_TWITTER_API_KEY= + - OAUTH_TWITTER_APP_SECRET= + - OAUTH_GITHUB_API_KEY= + - OAUTH_GITHUB_APP_SECRET= + - OAUTH_GITHUB_URL= + - OAUTH_GITHUB_VERIFY_SSL= + - OAUTH_GITLAB_API_KEY= + - OAUTH_GITLAB_APP_SECRET= + - OAUTH_BITBUCKET_API_KEY= + - OAUTH_BITBUCKET_APP_SECRET= + - OAUTH_BITBUCKET_URL= + - OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL= + - OAUTH_SAML_IDP_CERT_FINGERPRINT= + - OAUTH_SAML_IDP_SSO_TARGET_URL= + - OAUTH_SAML_ISSUER= + - OAUTH_SAML_LABEL="Our SAML Provider" + - OAUTH_SAML_NAME_IDENTIFIER_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:transient + - OAUTH_SAML_GROUPS_ATTRIBUTE= + - OAUTH_SAML_EXTERNAL_GROUPS= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME= + - OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME= + 
- OAUTH_CROWD_SERVER_URL= + - OAUTH_CROWD_APP_NAME= + - OAUTH_CROWD_APP_PASSWORD= + - OAUTH_AUTH0_CLIENT_ID= + - OAUTH_AUTH0_CLIENT_SECRET= + - OAUTH_AUTH0_DOMAIN= + - OAUTH_AUTH0_SCOPE= + - OAUTH_AZURE_API_KEY= + - OAUTH_AZURE_API_SECRET= + - OAUTH_AZURE_TENANT_ID= + - AWS_BACKUPS=true + - AWS_BACKUP_ENDPOINT='http://minio:9000/' + - AWS_BACKUP_ACCESS_KEY_ID=minio + - AWS_BACKUP_SECRET_ACCESS_KEY=minio123 + - AWS_BACKUP_BUCKET=docker + + minio: + image: minio/minio + ports: + - "9000:9000" + environment: + MINIO_ACCESS_KEY: minio + MINIO_SECRET_KEY: minio123 + command: server /export +``` + +### Creating Backups + +Execute the rake task with a removeable container. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:8.16.4 app:rake gitlab:backup:create +``` + +### Restoring Backups + +Execute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:8.16.4 app:rake gitlab:backup:restore +``` + +The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue. + +To avoid user interaction in the restore operation, specify the timestamp of the backup using the `BACKUP` argument to the rake task. + +```bash +docker run --name gitlab -it --rm [OPTIONS] \ + sameersbn/gitlab:8.16.4 app:rake gitlab:backup:restore BACKUP=1417624827 +``` diff --git a/entrypoint.sh b/entrypoint.sh index 080fb6b47..2f3b15959 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,9 @@ #!/bin/bash set -e -source ${GITLAB_RUNTIME_DIR}/functions +set -o pipefail + +# shellcheck source=assets/runtime/functions +source "${GITLAB_RUNTIME_DIR}/functions" [[ $DEBUG == true ]] && set -x 
@@ -10,12 +13,20 @@ case ${1} in initialize_system configure_gitlab configure_gitlab_shell + configure_gitlab_pages configure_nginx case ${1} in app:start) + /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf & + SUPERVISOR_PID=$! migrate_database + kill -15 $SUPERVISOR_PID + if ps h -p $SUPERVISOR_PID > /dev/null ; then + wait $SUPERVISOR_PID || true + fi rm -rf /var/run/supervisor.sock + configure_gitlab_requires_db exec /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf ;; app:init) @@ -26,7 +37,7 @@ case ${1} in ;; app:rake) shift 1 - execute_raketask $@ + execute_raketask "$@" ;; esac ;; diff --git a/hooks/build b/hooks/build new file mode 100644 index 000000000..6b0c931ce --- /dev/null +++ b/hooks/build @@ -0,0 +1,12 @@ +#!/bin/bash + +# Docker Daemon Build Hook +# $IMAGE_NAME var is injected into the build so the tag is correct. + +docker pull ${DOCKER_REPO}:latest + +docker build \ + --cache-from=${DOCKER_REPO}:latest \ + --build-arg=BUILD_DATE="$(date +"%Y-%m-%d %H:%M:%S%:z")" \ + --build-arg=VCS_REF="$(git rev-parse --short HEAD)" \ + -t ${IMAGE_NAME} . diff --git a/kubernetes/deploy.sh b/kubernetes/deploy.sh index f899ff418..315c6b168 100755 --- a/kubernetes/deploy.sh +++ b/kubernetes/deploy.sh @@ -1,6 +1,8 @@ #!/bin/bash +set -e +set -o pipefail -if ! which -s kubectl; then +if ! command -v kubectl > /dev/null; then echo "kubectl command not installed" exit 1 fi diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml index a49718e86..e069a6814 100644 --- a/kubernetes/gitlab-rc.yml +++ b/kubernetes/gitlab-rc.yml @@ -14,7 +14,7 @@ spec: spec: containers: - name: gitlab - image: sameersbn/gitlab:8.15.4 + image: sameersbn/gitlab:18.5.1 env: - name: TZ value: Asia/Kolkata 
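Review bot: The new `kill -15 $SUPERVISOR_PID` after `migrate_database` is unguarded while this file runs under `set -e` (its first hunk), so if the background supervisord has already exited — a crash during a long migration is the likely case — `kill` returns non-zero and the entrypoint aborts before the final `exec`, leaving the container dead instead of serving. Replace the kill/ps/wait sequence with `kill -15 "$SUPERVISOR_PID" 2>/dev/null || true` followed by `wait "$SUPERVISOR_PID" || true`; `wait` returns the status of a child that has already exited, so the `ps h -p` guard is redundant. Separately, supervisord's programs are now started before `configure_gitlab_requires_db` runs; which programs it launches is not visible here, so confirm nothing among them depends on the DB-backed configuration that is written afterwards. The enclosing `case` block continues outside the hunk.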
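Review bot: `docker pull ${DOCKER_REPO}:latest` in the new hook reads as a best-effort cache warm-up, but that intent is not expressed: the script has no `set -e`, so a pull failure is silently ignored, an unset `DOCKER_REPO` expands to the bare word `:latest`, and every variable is unquoted. Make the behaviour explicit with `set -euo pipefail` at the top and `docker pull "${DOCKER_REPO}:latest" || true`, quoting `"${IMAGE_NAME}"` in the build line as well. Note also that `--cache-from` takes layers from a mutable `:latest` tag, i.e. whatever was last pushed under that name; acceptable for a hub build hook, but worth a comment such as `# best-effort layer cache from the previously published image; failure to pull is not an error`.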
@@ -27,6 +27,14 @@ spec: value: long-and-random-alpha-numeric-string - name: GITLAB_SECRETS_OTP_KEY_BASE value: long-and-random-alpha-numeric-string + - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE + value: long-and-random-alpha-numeric-string + - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY + value: '[long-and-random-alpha-numeric-string]' + - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY + value: '[long-and-random-alpha-numeric-string]' + - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT + value: long-and-random-alpha-numeric-string - name: GITLAB_ROOT_PASSWORD value: diff --git a/kubernetes/postgresql-rc.yml b/kubernetes/postgresql-rc.yml index df0efd21d..e6c4adbb3 100644 --- a/kubernetes/postgresql-rc.yml +++ b/kubernetes/postgresql-rc.yml @@ -14,7 +14,7 @@ spec: spec: containers: - name: postgresql - image: sameersbn/postgresql:9.6-1 + image: kkimurak/sameersbn-postgresql:16 env: - name: DB_USER value: gitlab diff --git a/kubernetes/redis-rc.yml b/kubernetes/redis-rc.yml index dc8344426..0c7991d65 100644 --- a/kubernetes/redis-rc.yml +++ b/kubernetes/redis-rc.yml @@ -14,7 +14,7 @@ spec: spec: containers: - name: redis - image: sameersbn/redis + image: redis:7 ports: - name: redis containerPort: 6379 diff --git a/kubernetes/teardown.sh b/kubernetes/teardown.sh index 3937c4bc7..c4b3be9e8 100755 --- a/kubernetes/teardown.sh +++ b/kubernetes/teardown.sh @@ -1,6 +1,8 @@ #!/bin/bash +set -e +set -o pipefail -if ! which -s kubectl; then +if ! command -v kubectl > /dev/null; then echo "kubectl command not installed" exit 1 fi diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh new file mode 100755 index 000000000..db67c17fd --- /dev/null +++ b/scripts/release-notes.sh 
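Review bot: The three new `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_*` entries are added as plaintext `value:` fields next to the existing key bases, which puts Rails encryption key material in a manifest that is committed to the repository and readable by anyone who can `kubectl get rc -o yaml`. Even for an example manifest, prefer `valueFrom: { secretKeyRef: { name: gitlab-secrets, key: active-record-primary-key } }`, or at least a comment above the block, e.g. `# Replace every long-and-random-alpha-numeric-string placeholder before deploying and keep the real values in a Secret, not in this file`. The bracketed placeholder `'[long-and-random-alpha-numeric-string]'` used for the primary and deterministic keys differs from the others; if the brackets are meant literally (a list of keys for rotation) say so in a comment, otherwise readers will copy them verbatim. The env list continues outside the hunk.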
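Review bot: The PostgreSQL image moves from the project's own namespace (`sameersbn/postgresql:9.6-1`) to a third-party personal namespace with a mutable major-version tag (`kkimurak/sameersbn-postgresql:16`), which changes who controls the bytes this example deploys and lets them change under the same tag with no change in this repo. If that image is the intended successor, pin it by digest, e.g. `image: kkimurak/sameersbn-postgresql:16@sha256:<digest>`, and add a comment pointing at its source repository so readers can vet it; the `redis:7` switch in the next file is to an official image and does not carry the same concern. I cannot tell from here whether that namespace is maintained by a project member.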
@@ -0,0 +1,60 @@ +#!/usr/bin/env sh + +RELEASE=${GIT_TAG:-$1} + +if [ -z "${RELEASE}" ]; then + echo "Usage:" + echo "./scripts/release-notes.sh v0.1.0" + exit 1 +fi + +if ! git rev-list ${RELEASE} >/dev/null 2>&1; then + echo "${RELEASE} does not exist" + exit +fi + +PREV_RELEASE=${PREV_RELEASE:-$(git describe --tags --abbrev=0 ${RELEASE}^)} +PREV_RELEASE=${PREV_RELEASE:-$(git rev-list --max-parents=0 ${RELEASE}^)} +NOTABLE_CHANGES=$(git cat-file -p ${RELEASE} | sed '/-----BEGIN PGP SIGNATURE-----/,//d' | tail -n +6) +CHANGELOG=$(git log --no-merges --pretty=format:'- [%h] %s (%aN)' ${PREV_RELEASE}..${RELEASE}) +if [ $? -ne 0 ]; then + echo "Error creating changelog" + exit 1 +fi + +cat <. + +## Contributing + +You are kindly invited to provide contributions. If you find this image useful here's how you can help: + +- Send a Pull Request with your awesome new features and bug fixes +- Be a part of the community and help resolve [issues](https://github.com/sameersbn/docker-gitlab/issues) +- Support the development of this image with a [donation](http://www.damagehead.com/donate/) + +## Changelog + +${CHANGELOG} +EOF
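Review bot: When `${RELEASE}` does not exist the script prints an error but then runs a bare `exit`, which returns the status of the preceding `echo` — success — so a CI step calling this for a mistyped tag would continue with no release notes; change it to `exit 1`. `${RELEASE}` and `${PREV_RELEASE}` are also unquoted in every git invocation, and since `RELEASE` comes straight from `$GIT_TAG` or `$1`, a value beginning with `-` would be read by `git rev-list`/`git log` as an option rather than a ref; anchoring it as `"refs/tags/${RELEASE}"` or placing `--` before it removes that ambiguity. Consider `set -u` as well so an empty `PREV_RELEASE` (both fallbacks failing) does not silently turn the range into `..${RELEASE}`, i.e. the whole history. The heredoc body appears truncated in my view (`cat <.`), so I cannot review the template text.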