@@ -60,7 +60,7 @@ from [owasp.org](https://owasp.org/).
...
@@ -60,7 +60,7 @@ from [owasp.org](https://owasp.org/).
access), but is constrained to read-only activities. The principal use case is
access), but is constrained to read-only activities. The principal use case is
envisioned to be cloning Git repositories from the **secondary** site in favor of the
envisioned to be cloning Git repositories from the **secondary** site in favor of the
**primary** site, but end-users may use the GitLab web interface to view projects,
**primary** site, but end-users may use the GitLab web interface to view projects,
issues, merge requests, snippets, etc.
issues, merge requests, snippets, and so on.
### What security expectations do the end‐users have?
### What security expectations do the end‐users have?
...
@@ -203,7 +203,7 @@ from [owasp.org](https://owasp.org/).
...
@@ -203,7 +203,7 @@ from [owasp.org](https://owasp.org/).
### What data entry paths does the application support?
### What data entry paths does the application support?
- Data is entered via the web application exposed by GitLab itself. Some data is
- Data is entered via the web application exposed by GitLab itself. Some data is
also entered using system administration commands on the GitLab servers (e.g.,
also entered using system administration commands on the GitLab servers (for example
`gitlab-ctl set-primary-node`).
`gitlab-ctl set-primary-node`).
-**Secondary** sites also receive inputs via PostgreSQL streaming replication from the **primary** site.
-**Secondary** sites also receive inputs via PostgreSQL streaming replication from the **primary** site.
...
@@ -247,7 +247,7 @@ from [owasp.org](https://owasp.org/).
...
@@ -247,7 +247,7 @@ from [owasp.org](https://owasp.org/).
### What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?
### What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?
- Data must have the option to be encrypted in transit, and be secure against
- Data must have the option to be encrypted in transit, and be secure against
both passive and active attack (e.g., MITM attacks should not be possible).
both passive and active attack (for example, MITM attacks should not be possible).
@@ -57,7 +57,7 @@ developed and tested. We aim to be compatible with most external
...
@@ -57,7 +57,7 @@ developed and tested. We aim to be compatible with most external
To set up an external database, you can either:
To set up an external database, you can either:
- Set up [streaming replication](https://www.postgresql.org/docs/12/warm-standby.html#STREAMING-REPLICATION-SLOTS) yourself (for example AWS RDS, bare metal not managed by Omnibus, etc.).
- Set up [streaming replication](https://www.postgresql.org/docs/12/warm-standby.html#STREAMING-REPLICATION-SLOTS) yourself (for example AWS RDS, bare metal not managed by Omnibus, and so on).
- Perform the Omnibus configuration manually as follows.
- Perform the Omnibus configuration manually as follows.
#### Leverage your cloud provider's tools to replicate the primary database
#### Leverage your cloud provider's tools to replicate the primary database
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
...
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2149) in GitLab Premium 13.9.
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2149) in GitLab Premium 13.9.
Maintenance Mode allows administrators to reduce write operations to a minimum while maintenance tasks are performed. The main goal is to block all external actions that change the internal state, including the PostgreSQL database, but especially files, Git repositories, Container repositories, etc.
Maintenance Mode allows administrators to reduce write operations to a minimum while maintenance tasks are performed. The main goal is to block all external actions that change the internal state, including the PostgreSQL database, but especially files, Git repositories, Container repositories, and so on.
Once Maintenance Mode is enabled, in-progress actions finish relatively quickly since no new actions are coming in, and internal state changes are minimal.
Once Maintenance Mode is enabled, in-progress actions finish relatively quickly since no new actions are coming in, and internal state changes are minimal.
In that state, various maintenance tasks are easier, and services can be stopped completely or be
In that state, various maintenance tasks are easier, and services can be stopped completely or be