Commit d853c6b7 authored by Alain Takoudjou's avatar Alain Takoudjou

gitlab-sr: upgrade gitlab software to version 9.5.10

Previous gitlab version was 8.17.0; this commit upgrades gitlab to version 9.5.10
and updates all configuration to work with this version, following the installation procedure,
see: https://gitlab.com/gitlab-org/gitlab-foss/-/blob/v9.5.10/doc/install/installation.md
parent 7c462c93
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
# not need these here). # not need these here).
[instance.cfg] [instance.cfg]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 36252abb4d857da08d62bf3eb26faae1 md5sum = dc3f318e8a3aa7a59f9394118543e9e3
[watcher] [watcher]
_update_hash_filename_ = watcher.in _update_hash_filename_ = watcher.in
...@@ -34,27 +34,31 @@ md5sum = 7782f5c5d75663c2586e28d029c51e49 ...@@ -34,27 +34,31 @@ md5sum = 7782f5c5d75663c2586e28d029c51e49
[gitlab-parameters.cfg] [gitlab-parameters.cfg]
_update_hash_filename_ = gitlab-parameters.cfg _update_hash_filename_ = gitlab-parameters.cfg
md5sum = 8f4537cb8a0c9a8e0058c30cb687681c md5sum = c2e23c0f7baa1633df0436ca4e728424
[gitlab-shell-config.yml.in] [gitlab-shell-config.yml.in]
_update_hash_filename_ = template/gitlab-shell-config.yml.in _update_hash_filename_ = template/gitlab-shell-config.yml.in
md5sum = 58c09b1e609f903e483a76fe9e57366c md5sum = 52d18b521b8cd16352fc88b1e1d79d53
[gitlab-unicorn-startup.in] [gitlab-unicorn-startup.in]
_update_hash_filename_ = gitlab-unicorn-startup.in _update_hash_filename_ = gitlab-unicorn-startup.in
md5sum = a9cb347f60aad3465932fd36cd4fe25d md5sum = aff91edaf9786c213db8ea703ab3571e
[gitlab.yml.in] [gitlab.yml.in]
_update_hash_filename_ = template/gitlab.yml.in _update_hash_filename_ = template/gitlab.yml.in
md5sum = 0ddf4093dcf4427e5a160707e6017950 md5sum = f4cc0bc898b8d59010d61473e2adc53b
[gitaly-config.toml.in]
_update_hash_filename_ = template/gitaly-config.toml.in
md5sum = 056d7ed09e1bf20d022d3ef6b9363e00
[instance-gitlab.cfg.in] [instance-gitlab.cfg.in]
_update_hash_filename_ = instance-gitlab.cfg.in _update_hash_filename_ = instance-gitlab.cfg.in
md5sum = 9dd764b3c90b3425b19b40da029b759c md5sum = f5e7f9717eaa999fbf11ce4b6c1abb1c
[instance-gitlab-export.cfg.in] [instance-gitlab-export.cfg.in]
_update_hash_filename_ = instance-gitlab-export.cfg.in _update_hash_filename_ = instance-gitlab-export.cfg.in
md5sum = 319d7dbe3ad9b260c1e292cfc0d13b11 md5sum = 2af7dcf63f74e5edc53a3ff11fa4989b
[instance-gitlab-test.cfg.in] [instance-gitlab-test.cfg.in]
_update_hash_filename_ = instance-gitlab-test.cfg.in _update_hash_filename_ = instance-gitlab-test.cfg.in
...@@ -66,11 +70,11 @@ md5sum = a56a44e96f65f5ed20211bb6a54279f4 ...@@ -66,11 +70,11 @@ md5sum = a56a44e96f65f5ed20211bb6a54279f4
[nginx-gitlab-http.conf.in] [nginx-gitlab-http.conf.in]
_update_hash_filename_ = template/nginx-gitlab-http.conf.in _update_hash_filename_ = template/nginx-gitlab-http.conf.in
md5sum = e74695aa1be60f0ffac64ddbe1c8eaf1 md5sum = 79d2b4e8a32abf7a74a3d4528844c593
[nginx.conf.in] [nginx.conf.in]
_update_hash_filename_ = template/nginx.conf.in _update_hash_filename_ = template/nginx.conf.in
md5sum = 1374f38ab6f295b850d45ea0019ec05d md5sum = 8c904510eb39dc212204f68f2b81b068
[rack_attack.rb.in] [rack_attack.rb.in]
_update_hash_filename_ = template/rack_attack.rb.in _update_hash_filename_ = template/rack_attack.rb.in
...@@ -82,7 +86,7 @@ md5sum = 7c89a730889e3224548d9abe51a2d719 ...@@ -82,7 +86,7 @@ md5sum = 7c89a730889e3224548d9abe51a2d719
[smtp_settings.rb.in] [smtp_settings.rb.in]
_update_hash_filename_ = template/smtp_settings.rb.in _update_hash_filename_ = template/smtp_settings.rb.in
md5sum = 4e1ced687a86e4cfff2dde91237e3942 md5sum = e2144b03f7247636143c65dc81550d75
[template-gitlab-resiliency-restore.sh.in] [template-gitlab-resiliency-restore.sh.in]
_update_hash_filename_ = template/template-gitlab-resiliency-restore.sh.in _update_hash_filename_ = template/template-gitlab-resiliency-restore.sh.in
...@@ -90,4 +94,4 @@ md5sum = 590fcadf26085fdd17487175bc0a469d ...@@ -90,4 +94,4 @@ md5sum = 590fcadf26085fdd17487175bc0a469d
[unicorn.rb.in] [unicorn.rb.in]
_update_hash_filename_ = template/unicorn.rb.in _update_hash_filename_ = template/unicorn.rb.in
md5sum = 83921db1835d9e81cbbe808631cc40a9 md5sum = 67728235a2c4c9425c80f0c856749885
...@@ -45,7 +45,7 @@ configuration.default_projects_features.issues = true ...@@ -45,7 +45,7 @@ configuration.default_projects_features.issues = true
configuration.default_projects_features.merge_requests = true configuration.default_projects_features.merge_requests = true
configuration.default_projects_features.wiki = true configuration.default_projects_features.wiki = true
configuration.default_projects_features.snippets = true configuration.default_projects_features.snippets = true
#configuration.default_projects_features.builds = false configuration.default_projects_features.builds = true
configuration.webhook_timeout = 10 configuration.webhook_timeout = 10
...@@ -102,6 +102,10 @@ configuration.nginx_gzip_proxied = any ...@@ -102,6 +102,10 @@ configuration.nginx_gzip_proxied = any
configuration.nginx_gzip_types = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json configuration.nginx_gzip_types = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
configuration.nginx_keepalive_timeout = 65 configuration.nginx_keepalive_timeout = 65
configuration.nginx_header_allow_origin = $http_origin configuration.nginx_header_allow_origin = $http_origin
configuration.nginx_hsts_max_age = 31536000
configuration.nginx_hsts_include_subdomains = false
configuration.nginx_gzip_enabled = true
# configuring trusted proxies # configuring trusted proxies
# GitLab is behind a reverse proxy, so we don't want the IP address of the proxy # GitLab is behind a reverse proxy, so we don't want the IP address of the proxy
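Review bot: `configuration.nginx_gzip_enabled = true` is added under a section whose existing context already has `nginx_gzip_proxied = any` and a `nginx_gzip_types` list containing application/json and text/javascript, so proxied, authenticated API responses would be compressed over TLS, which is the precondition for compression side-channel (BREACH-style) leakage of tokens carried in those responses. A comment above the new line stating which responses the rendered nginx config actually compresses would help, e.g. `# gzip also applies to proxied (dynamic) responses because nginx_gzip_proxied = any; review before enabling on authenticated JSON`, or the types list could be narrowed to static content. The two new HSTS lines are also undocumented; one line explaining why `nginx_hsts_include_subdomains = false` was chosen would save the next maintainer from flipping it blindly.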
...@@ -27,7 +27,7 @@ psql() { ...@@ -27,7 +27,7 @@ psql() {
# ( first quering PG several times waiting a bit till postgresql is started and ready ) # ( first quering PG several times waiting a bit till postgresql is started and ready )
tpgwait=5 tpgwait=5
while true; do while true; do
pgtables="$(psql -c '\d')" && break pgtables="$(psql -c '\d' 2>&1)" && break
tpgwait=$(( $tpgwait - 1 )) tpgwait=$(( $tpgwait - 1 ))
test $tpgwait = 0 && die "pg query problem" test $tpgwait = 0 && die "pg query problem"
echo "I: PostgreSQL is not ready (yet ?); will retry $tpgwait times..." 1>&2 echo "I: PostgreSQL is not ready (yet ?); will retry $tpgwait times..." 1>&2
...@@ -38,10 +38,11 @@ echo "I: PostgreSQL ready." 1>&2 ...@@ -38,10 +38,11 @@ echo "I: PostgreSQL ready." 1>&2
# make sure pg_trgm extension is enabled for gitlab db # make sure pg_trgm extension is enabled for gitlab db
psql -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;' || die "pg_trgm setup failed" psql -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;' || die "pg_trgm setup failed"
if echo "$pgtables" | grep -q '^No relations found' ; then if echo "$pgtables" | grep -q '^Did not find any relations' ; then
$RAKE db:schema:load db:seed_fu || die "initial db setup failed" $RAKE db:schema:load db:seed_fu || die "initial db setup failed"
fi fi
# re-build ssh keys # re-build ssh keys
# (we do not use them - just for cleannes) # (we do not use them - just for cleannes)
force=yes $RAKE gitlab:shell:setup || die "gitlab:shell:setup failed" force=yes $RAKE gitlab:shell:setup || die "gitlab:shell:setup failed"
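Review bot: The initial-schema check on the `grep -q '^Did not find any relations'` line depends on the exact English wording of a psql diagnostic which, with the added `2>&1`, now arrives mixed with whatever else psql writes to stderr; under a non-C locale or a later psql wording change the grep would silently not match, `db:schema:load db:seed_fu` would be skipped and the instance would come up against an empty database. A catalog query is locale-independent, e.g. `ntables="$(psql -tAc "select count(*) from pg_tables where schemaname='public'")"` followed by `if test "$ntables" = 0; then`, assuming the `psql` wrapper function defined above the hunk passes extra flags through; at minimum prefix the call with `LC_ALL=C`. The wait loop that captures `pgtables` closes between the two hunks, outside what is shown here.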
...@@ -6,7 +6,6 @@ depends_gitfetch = ...@@ -6,7 +6,6 @@ depends_gitfetch =
${go_github.com_pkg_errors:recipe} ${go_github.com_pkg_errors:recipe}
${go_lab.nexedi.com_kirr_git-backup:recipe} ${go_lab.nexedi.com_kirr_git-backup:recipe}
${go_lab.nexedi.com_kirr_go123:recipe} ${go_lab.nexedi.com_kirr_go123:recipe}
${go_gitlab.com_gitlab-org_gitlab-workhorse:recipe}
[go_github.com_libgit2_git2go] [go_github.com_libgit2_git2go]
...@@ -26,16 +25,10 @@ revision = v0.8.0-12-g816c908556 ...@@ -26,16 +25,10 @@ revision = v0.8.0-12-g816c908556
<= go-git-package <= go-git-package
go.importpath = lab.nexedi.com/kirr/git-backup go.importpath = lab.nexedi.com/kirr/git-backup
repository = https://lab.nexedi.com/kirr/git-backup.git repository = https://lab.nexedi.com/kirr/git-backup.git
revision = 9791c04ecc2555a519321905efa734a1b5f3c4e6 revision = 3f6c4deec8834bdcd2c28c7c5eeacd8211e759b5
[go_lab.nexedi.com_kirr_go123] [go_lab.nexedi.com_kirr_go123]
<= go-git-package <= go-git-package
go.importpath = lab.nexedi.com/kirr/go123 go.importpath = lab.nexedi.com/kirr/go123
repository = https://lab.nexedi.com/kirr/go123.git repository = https://lab.nexedi.com/kirr/go123.git
revision = d9250d6332 revision = 56bf8f815a
\ No newline at end of file
[go_gitlab.com_gitlab-org_gitlab-workhorse]
<= go-git-package
go.importpath = gitlab.com/gitlab-org/gitlab-workhorse
repository = https://lab.nexedi.com/nexedi/gitlab-workhorse.git
revision = v1.3.0-8-g5f44f59cbb
\ No newline at end of file
...@@ -44,6 +44,7 @@ command = ${exporter:wrapper-path} ...@@ -44,6 +44,7 @@ command = ${exporter:wrapper-path}
recipe = collective.recipe.template recipe = collective.recipe.template
input = inline: gitlab-shell-work* input = inline: gitlab-shell-work*
gitlab-work* gitlab-work*
var/log/**
var/backup/** var/backup/**
var/repositories* var/repositories*
var/repositories/** var/repositories/**
...@@ -32,7 +32,10 @@ parts = ...@@ -32,7 +32,10 @@ parts =
service-redis service-redis
promise-redis promise-redis
service-cron service-gitaly
cron-service
cron-entry-logrotate
logrotate-entry-cron
on-reinstantiate on-reinstantiate
...@@ -69,7 +72,6 @@ configuration.nginx_worker_processes = {{ multiprocessing.cpu_count() }} ...@@ -69,7 +72,6 @@ configuration.nginx_worker_processes = {{ multiprocessing.cpu_count() }}
configuration.icp_license = configuration.icp_license =
# for convenience # for convenience
[external-url] [external-url]
recipe = slapos.cookbook:urlparse recipe = slapos.cookbook:urlparse
...@@ -125,6 +127,8 @@ artifacts = ${:shared}/artifacts ...@@ -125,6 +127,8 @@ artifacts = ${:shared}/artifacts
lfs-objects = ${:shared}/lfs-objects lfs-objects = ${:shared}/lfs-objects
builds = ${:var}/builds builds = ${:var}/builds
backup = ${directory:var}/backup backup = ${directory:var}/backup
public = ${:var}/public
pages = ${:shared}/pages
[gitlab-repo-dir] [gitlab-repo-dir]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
...@@ -151,6 +155,8 @@ lfs-objects = ${gitlab-dir:lfs-objects} ...@@ -151,6 +155,8 @@ lfs-objects = ${gitlab-dir:lfs-objects}
builds = ${gitlab-dir:builds} builds = ${gitlab-dir:builds}
backup = ${gitlab-dir:backup} backup = ${gitlab-dir:backup}
repositories = ${gitlab-repo-xdir:repositories} repositories = ${gitlab-repo-xdir:repositories}
public = ${gitlab-dir:public}
pages = ${gitlab-dir:shared}/pages
# gitlab-shell: etc/ log/ gitlab_shell_secret ... # gitlab-shell: etc/ log/ gitlab_shell_secret ...
...@@ -163,6 +169,7 @@ log = ${directory:log}/gitlab-shell ...@@ -163,6 +169,7 @@ log = ${directory:log}/gitlab-shell
etc = ${gitlab-shell-dir:etc} etc = ${gitlab-shell-dir:etc}
log = ${gitlab-shell-dir:log} log = ${gitlab-shell-dir:log}
secret = ${secrets:secrets}/gitlab_shell_secret secret = ${secrets:secrets}/gitlab_shell_secret
hook =
# place to keep all secrets # place to keep all secrets
...@@ -171,8 +178,19 @@ recipe = slapos.cookbook:mkdirectory ...@@ -171,8 +178,19 @@ recipe = slapos.cookbook:mkdirectory
secrets = ${directory:var}/secrets secrets = ${directory:var}/secrets
mode = 0700 mode = 0700
[gitaly-dir]
recipe = slapos.cookbook:mkdirectory
gitaly = ${directory:var}/gitaly
sockets = ${:gitaly}/sockets
internal = ${:sockets}/internal
log = ${directory:log}/gitaly
[gitaly]
socket = ${gitaly-dir:sockets}/gitaly.socket
log = ${gitaly-dir:log}
location = {{ gitaly_location }}
pid = ${directory:run}/gitaly.pid
internal_socket = ${gitaly-dir:internal}
# 2. configuration files # 2. configuration files
[etc-template] [etc-template]
...@@ -219,6 +237,7 @@ context-extra = ...@@ -219,6 +237,7 @@ context-extra =
import urllib urllib import urllib urllib
section gitlab gitlab section gitlab gitlab
section gitlab_shell gitlab-shell section gitlab_shell gitlab-shell
section gitlab_shell_work gitlab-shell-work
section unicorn unicorn section unicorn unicorn
section service_redis service-redis section service_redis service-redis
raw redis_binprefix {{ redis_binprefix }} raw redis_binprefix {{ redis_binprefix }}
...@@ -231,12 +250,14 @@ context-extra = ...@@ -231,12 +250,14 @@ context-extra =
section gitlab gitlab section gitlab gitlab
section gitlab_shell gitlab-shell section gitlab_shell gitlab-shell
section gitlab_shell_work gitlab-shell-work section gitlab_shell_work gitlab-shell-work
section gitaly gitaly
[nginx.conf] [nginx.conf]
<= nginx-etc-template <= nginx-etc-template
template= {{ nginx_conf_in }} template= {{ nginx_conf_in }}
context-extra = context-extra =
section directory directory section directory directory
section gitlab_workhorse gitlab-workhorse
raw nginx_mime_types {{ nginx_mime_types }} raw nginx_mime_types {{ nginx_mime_types }}
raw nginx_gitlab_http_conf ${nginx-gitlab-http.conf:rendered} raw nginx_gitlab_http_conf ${nginx-gitlab-http.conf:rendered}
...@@ -248,6 +269,16 @@ context-extra = ...@@ -248,6 +269,16 @@ context-extra =
section gitlab_work gitlab-work section gitlab_work gitlab-work
section gitlab_workhorse gitlab-workhorse section gitlab_workhorse gitlab-workhorse
[gitaly-config.toml]
<= etc-template
template= {{ gitaly_config_toml_in }}
rendered= ${directory:etc}/${:_buildout_section_name_}
context-extra =
import urllib urllib
section gitlab gitlab
section gitlab_shell_work gitlab-shell-work
section gitaly gitaly
[rack_attack.rb] [rack_attack.rb]
<= gitlab-etc-template <= gitlab-etc-template
template = {{ rack_attack_rb_in }} template = {{ rack_attack_rb_in }}
...@@ -281,7 +312,7 @@ recipe = slapos.cookbook:wrapper ...@@ -281,7 +312,7 @@ recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:bin}/${:_buildout_section_name_} wrapper-path = ${directory:bin}/${:_buildout_section_name_}
# NOTE $HOME needed to pick gitconfig # NOTE $HOME needed to pick gitconfig
environment = environment =
PATH = {{ node_bin_location }}:{{ gopath_bin }}:$PATH PATH = {{ node_bin_location }}:{{ gopath_bin }}:{{ yarn_location }}/bin:/usr/local/bin:/usr/bin:/bin
BUNDLE_GEMFILE = {{ gitlab_repository_location }}/Gemfile BUNDLE_GEMFILE = {{ gitlab_repository_location }}/Gemfile
HOME = ${directory:home} HOME = ${directory:home}
RAILS_ENV = production RAILS_ENV = production
...@@ -362,6 +393,10 @@ update-command = ...@@ -362,6 +393,10 @@ update-command =
<= work-base <= work-base
software = {{ gitlab_repository_location }} software = {{ gitlab_repository_location }}
tune-command = tune-command =
# Initialise secrets
if [ ! -s "${secrets:secrets}/gitlab_secrets.yml" ]; then
cp config/secrets.yml.example ${secrets:secrets}/gitlab_secrets.yml;
fi
# secret* tmp/ log/ shared/ builds/ node_modules/ # secret* tmp/ log/ shared/ builds/ node_modules/
rm -f .secret && rm -f .secret &&
rm -rf log tmp shared builds node_modules && rm -rf log tmp shared builds node_modules &&
...@@ -371,6 +406,7 @@ tune-command = ...@@ -371,6 +406,7 @@ tune-command =
ln -sf ${gitlab:shared} shared && ln -sf ${gitlab:shared} shared &&
ln -sf ${gitlab:builds} builds && ln -sf ${gitlab:builds} builds &&
ln -sf {{ gitlab_repository_location }}/node_modules node_modules && ln -sf {{ gitlab_repository_location }}/node_modules node_modules &&
ln -sf ${gitlab-workhorse:secret} .gitlab_workhorse_secret
# config/ # config/
cd config && cd config &&
ln -sf ${unicorn.rb:rendered} unicorn.rb && ln -sf ${unicorn.rb:rendered} unicorn.rb &&
...@@ -499,8 +535,9 @@ config-command = ${service-redis:promise_wrapper} ...@@ -499,8 +535,9 @@ config-command = ${service-redis:promise_wrapper}
# NOTE slapos.cookbook:redis.server setups promise automatically # NOTE slapos.cookbook:redis.server setups promise automatically
[logrotate-entry-redis] [logrotate-entry-redis]
<= logrotate-entry <= logrotate-entry-base
log = ${redis:log}/*.log log = ${redis:log}/*.log
name = redis
######################## ########################
...@@ -509,10 +546,13 @@ log = ${redis:log}/*.log ...@@ -509,10 +546,13 @@ log = ${redis:log}/*.log
[gitlab-workhorse-dir] [gitlab-workhorse-dir]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
srv = ${directory:srv}/gitlab-workhorse srv = ${directory:srv}/gitlab-workhorse
log = ${directory:log}/workhorse
[gitlab-workhorse] [gitlab-workhorse]
srv = ${gitlab-workhorse-dir:srv} srv = ${gitlab-workhorse-dir:srv}
socket = ${gitlab-workhorse:srv}/gitlab-workhorse.socket socket = ${gitlab-workhorse:srv}/gitlab-workhorse.socket
log = ${gitlab-workhorse-dir:log}/gitlab-workhorse.log
secret = ${secrets:secrets}/gitlab_workhorse_secret
[service-gitlab-workhorse] [service-gitlab-workhorse]
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
...@@ -522,7 +562,8 @@ command-line = {{ gitlab_workhorse }} ...@@ -522,7 +562,8 @@ command-line = {{ gitlab_workhorse }}
-listenAddr ${gitlab-workhorse:socket} -listenAddr ${gitlab-workhorse:socket}
-authSocket ${unicorn:socket} -authSocket ${unicorn:socket}
-documentRoot ${gitlab-work:location}/public -documentRoot ${gitlab-work:location}/public
-secretPath ${gitlab-work:location}/.gitlab_workhorse_secret -secretPath ${gitlab-workhorse:secret}
-logFile ${gitlab-workhorse:log}
# NOTE for profiling # NOTE for profiling
# -pprofListenAddr ... # -pprofListenAddr ...
...@@ -536,6 +577,7 @@ environment = ...@@ -536,6 +577,7 @@ environment =
depend = depend =
${promise-gitlab-workhorse:recipe} ${promise-gitlab-workhorse:recipe}
${logrotate-entry-gitlab-workhorse:recipe}
[promise-gitlab-workhorse] [promise-gitlab-workhorse]
...@@ -607,17 +649,24 @@ command-line = ${:rake} gitlab:gitlab_shell:check ...@@ -607,17 +649,24 @@ command-line = ${:rake} gitlab:gitlab_shell:check
[logrotate-entry-unicorn] [logrotate-entry-unicorn]
<= logrotate-entry <= logrotate-entry-base
log = ${unicorn:log}/*.log log = ${unicorn:log}/*.log
name = unicorn
[logrotate-entry-gitlab] [logrotate-entry-gitlab]
<= logrotate-entry <= logrotate-entry-base
log = ${gitlab:log}/*.log log = ${gitlab:log}/*.log
name = gitlab
[logrotate-entry-gitlab-shell] [logrotate-entry-gitlab-shell]
<= logrotate-entry <= logrotate-entry-base
log = ${gitlab-shell:log}/*.log log = ${gitlab-shell:log}/*.log
name = gitlab-shell
[logrotate-entry-gitlab-workhorse]
<= logrotate-entry-base
log = ${gitlab-workhorse-dir:log}//*.log
name = gitlab-shell
####################################### #######################################
# sidekiq background jobs manager # # sidekiq background jobs manager #
...@@ -664,8 +713,9 @@ depend = ...@@ -664,8 +713,9 @@ depend =
command-line = ${:rake} gitlab:sidekiq:check command-line = ${:rake} gitlab:sidekiq:check
[logrotate-entry-sidekiq] [logrotate-entry-sidekiq]
<= logrotate-entry <= logrotate-entry-base
log = ${sidekiq:log}/*.log log = ${sidekiq:log}/*.log
name = sidekiq
###################### ######################
...@@ -735,40 +785,9 @@ config-url = ${backend-info:url}/users/sign_in ...@@ -735,40 +785,9 @@ config-url = ${backend-info:url}/users/sign_in
module = check_url_available module = check_url_available
[logrotate-entry-nginx] [logrotate-entry-nginx]
<= logrotate-entry <= logrotate-entry-base
log = ${nginx:log}/*.log log = ${nginx:log}/*.log
name = nginx
#############
# cron #
#############
[cron-dir]
recipe = slapos.cookbook:mkdirectory
cron.d = ${directory:etc}/cron.d
crontabs= ${directory:srv}/cron/crontabs
cronstamps = ${directory:var}/cron/cronstamps
log = ${directory:log}/cron
[service-cron]
recipe = slapos.cookbook:cron
binary = ${directory:service}/crond
cron-entries = ${cron-dir:cron.d}
crontabs = ${cron-dir:crontabs}
cronstamps = ${cron-dir:cronstamps}
catcher = ${cron-simplelogger:wrapper}
dcrond-binary = {{ dcron_bin }}
depends =
${logrotate-entry-cron:recipe}
# "mailer" that cron uses to emit messages to logfile
[cron-simplelogger]
recipe = slapos.cookbook:simplelogger
wrapper = ${directory:bin}/${:_buildout_section_name_}
log = ${cron-dir:log}/cron.log
# base entry for clients who registers to cron # base entry for clients who registers to cron
[cron-entry] [cron-entry]
...@@ -778,63 +797,22 @@ recipe = slapos.cookbook:cron.d ...@@ -778,63 +797,22 @@ recipe = slapos.cookbook:cron.d
name = !py!'${:_buildout_section_name_}' [11:] name = !py!'${:_buildout_section_name_}' [11:]
# NOTE _not_ ${service-cron:cron-entries} - though the value is the same we do # NOTE _not_ ${service-cron:cron-entries} - though the value is the same we do
# not want service-cron to be instantiated just if a cron-entry is registered. # not want service-cron to be instantiated just if a cron-entry is registered.
cron-entries = ${cron-dir:cron.d} cron-entries = ${cron:cron-entries}
# cron logs are also rotated
[logrotate-entry-cron]
<= logrotate-entry
log = ${cron-dir:log}/*.log
######################
# gitaly worker #
######################
####################################### # https://docs.gitlab.com/ee/install/installation.html
# logrotate base for all services # [service-gitaly]
####################################### recipe = slapos.cookbook:wrapper
[logrotate-dir] wrapper-path = ${directory:service}/gitaly
recipe = slapos.cookbook:mkdirectory #command-line = ${gitlab-work:location}/bin/daemon_with_pidfile ${gitaly:pid}
srv = ${directory:srv}/logrotate command-line = {{ gitaly_location }}/gitaly ${gitaly-config.toml:rendered}
entries = ${directory:etc}/logrotate.d
[logrotate]
recipe = slapos.cookbook:logrotate
wrapper = ${directory:bin}/${:_buildout_section_name_}
conf = ${directory:etc}/logrotate.conf
logrotate-entries = ${logrotate-dir:entries}
state-file = ${logrotate-dir:srv}/logrotate.status
logrotate-binary = {{ logrotate_bin }}
gzip-binary = {{ gzip_bin }}
gunzip-binary = {{ gunzip_bin }}
depend = ${cron-entry-logrotate:recipe}
# base entry for clients who registers to logrotate
[logrotate-entry]
recipe = slapos.cookbook:logrotate.d
logrotate-entries = ${logrotate:logrotate-entries}
# name = <section-name>.strip_prefix('logrotate-entry-')
# XXX len is not available in !py! - 16 hardcoded
name = !py!'${:_buildout_section_name_}'[16:]
# NOTE frequency is hardcoded to `daily` in slapos.cookbook:logrotate.d
# NOTE backup is also used to add custom logrotate options (hack)
backup = ...
# TODO settle whether we need/want olddir or not
noolddir
# override create emitted by slapos.cookbook:logrotate.d
nocreate
# do not move log file and this way we do not need to signal its program to
# reopen the log. There are a lot of bugs when on such reopen / restart /
# graceful-restart something bad happens. Even if copytruncate is a bit racy
# and can loose some data, it is better to keep the system the stable way.
copytruncate
# hook logrotate into cron
[cron-entry-logrotate]
<= cron-entry
time = daily
command = ${logrotate:wrapper}
environment =
PATH={{ bundler_1_17_3_dir }}:{{ ruby_location }}/bin:/bin:/usr/bin
# 6. on-reinstantiate actions # 6. on-reinstantiate actions
...@@ -849,7 +827,17 @@ rake = ${gitlab-rake:wrapper-path} ...@@ -849,7 +827,17 @@ rake = ${gitlab-rake:wrapper-path}
# run command on every reinstantiation # run command on every reinstantiation
update-command = ${:command} update-command = ${:command}
# https://gitlab.com/gitlab-org/gitlab-foss/issues/38457
# we need to manually install ajv@^4.0.0 with yarn to fix the bug 'yarn check failed!'
command = command =
${:rake} gitlab:assets:clean && ${:rake} gitlab:assets:clean &&
${:rake} gitlab:assets:compile && ${:rake} gettext:compile RAILS_ENV=production &&
cd ${gitlab-work:location} &&
PATH={{ node_bin_location }}:$PATH {{ yarn_location }}/bin/yarn add ajv@^4.11.2 &&
PATH={{ node_bin_location }}:$PATH {{ yarn_location }}/bin/yarn install --production --pure-lockfile &&
${:rake} gitlab:assets:compile NODE_ENV=production NODE_OPTIONS="--max_old_space_size=4096" &&
true true
# Promise, gitlab can connect to gitaly:
# sudo gitlab-rake gitlab:tcp_check[GITALY_SERVER_IP,GITALY_LISTEN_PORT]
\ No newline at end of file
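Review bot: `[logrotate-entry-gitlab-workhorse]` sets `name = gitlab-shell`, the same name `[logrotate-entry-gitlab-shell]` uses two sections above, so both entries presumably render to the same logrotate.d file and one of the two log directories is left unrotated; its `log` value also carries a doubled slash (`${gitlab-workhorse-dir:log}//*.log`). It should read `log = ${gitlab-workhorse-dir:log}/*.log` and `name = gitlab-workhorse`. Separately, the on-reinstantiate `command` near the end of the section runs `yarn add ajv@^4.11.2`, which resolves a caret range from the network on every reinstantiation before the `--pure-lockfile` install, so the installed version is neither pinned nor reproducible; pinning the exact version (and ideally doing it once at software build time rather than per instance) keeps the dependency set deterministic. The trailing "Promise, gitlab can connect to gitaly" comment describes a check that is not implemented anywhere in the hunk; either add the promise section or mark the comment as a TODO.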
...@@ -27,6 +27,7 @@ context = ...@@ -27,6 +27,7 @@ context =
import pwd pwd import pwd pwd
import multiprocessing multiprocessing import multiprocessing multiprocessing
key bin_directory buildout:bin-directory
key eggs_directory buildout:eggs-directory key eggs_directory buildout:eggs-directory
key develop_eggs_directory buildout:develop-eggs-directory key develop_eggs_directory buildout:develop-eggs-directory
raw gitlab_repository_location ${gitlab-repository:location} raw gitlab_repository_location ${gitlab-repository:location}
...@@ -36,11 +37,13 @@ context = ...@@ -36,11 +37,13 @@ context =
raw bash_bin ${bash:location}/bin/bash raw bash_bin ${bash:location}/bin/bash
raw bzip2_location ${bzip2:location} raw bzip2_location ${bzip2:location}
raw bundler_4gitlab ${bundler-4gitlab:bundle} raw bundler_4gitlab ${bundler-4gitlab:bundle}
raw bundler_1_17_3_dir ${bundler-4gitlab:bundle1.17.3}
raw coreutils_location ${coreutils:location} raw coreutils_location ${coreutils:location}
raw curl_bin ${curl:location}/bin/curl raw curl_bin ${curl:location}/bin/curl
raw dcron_bin ${dcron-output:crond} raw dcron_bin ${dcron-output:crond}
raw git ${git:location}/bin/git raw git ${git:location}/bin/git
raw git_location ${git:location} raw git_location ${git:location}
raw gitaly_location ${gitaly-repository:location}
raw gitlab_export ${gitlab-export:rendered} raw gitlab_export ${gitlab-export:rendered}
raw gitlab_workhorse ${gowork:bin}/gitlab-workhorse raw gitlab_workhorse ${gowork:bin}/gitlab-workhorse
raw gopath_bin ${gowork:bin} raw gopath_bin ${gowork:bin}
...@@ -51,14 +54,15 @@ context = ...@@ -51,14 +54,15 @@ context =
raw logrotate_bin ${logrotate:location}/usr/sbin/logrotate raw logrotate_bin ${logrotate:location}/usr/sbin/logrotate
raw nginx_bin ${nginx-output:nginx} raw nginx_bin ${nginx-output:nginx}
raw nginx_mime_types ${nginx-output:mime} raw nginx_mime_types ${nginx-output:mime}
raw node_bin_location ${nodejs-8.6.0:location}/bin/ raw node_bin_location ${nodejs-8.12.0:location}/bin/
raw openssl_bin ${openssl-output:openssl} raw openssl_bin ${openssl-output:openssl}
raw postgresql_location ${postgresql92:location} raw postgresql_location ${postgresql10:location}
raw redis_binprefix ${redis28:location}/bin raw redis_binprefix ${redis28:location}/bin
raw ruby_location ${bundler-4gitlab:ruby-location} raw ruby_location ${bundler-4gitlab:ruby-location}
raw tar_location ${tar:location} raw tar_location ${tar:location}
raw watcher ${watcher:rendered} raw watcher ${watcher:rendered}
raw xnice_repository_location ${xnice-repository:location} raw xnice_repository_location ${xnice-repository:location}
raw yarn_location ${yarn:location}
# config files # config files
raw database_yml_in ${database.yml.in:target} raw database_yml_in ${database.yml.in:target}
...@@ -68,6 +72,7 @@ context = ...@@ -68,6 +72,7 @@ context =
raw gitlab_shell_config_yml_in ${gitlab-shell-config.yml.in:target} raw gitlab_shell_config_yml_in ${gitlab-shell-config.yml.in:target}
raw gitlab_unicorn_startup_in ${gitlab-unicorn-startup.in:target} raw gitlab_unicorn_startup_in ${gitlab-unicorn-startup.in:target}
raw gitlab_yml_in ${gitlab.yml.in:target} raw gitlab_yml_in ${gitlab.yml.in:target}
raw gitaly_config_toml_in ${gitaly-config.toml.in:target}
raw macrolib_cfg_in ${macrolib.cfg.in:target} raw macrolib_cfg_in ${macrolib.cfg.in:target}
raw nginx_conf_in ${nginx.conf.in:target} raw nginx_conf_in ${nginx.conf.in:target}
raw nginx_gitlab_http_conf_in ${nginx-gitlab-http.conf.in:target} raw nginx_gitlab_http_conf_in ${nginx-gitlab-http.conf.in:target}
...@@ -15,6 +15,7 @@ extends = ...@@ -15,6 +15,7 @@ extends =
../../component/openssl/buildout.cfg ../../component/openssl/buildout.cfg
../../component/nginx/buildout.cfg ../../component/nginx/buildout.cfg
../../component/zlib/buildout.cfg ../../component/zlib/buildout.cfg
../../component/icu/buildout.cfg
gowork.cfg gowork.cfg
# for instance # for instance
...@@ -29,10 +30,10 @@ extends = ...@@ -29,10 +30,10 @@ extends =
../../component/logrotate/buildout.cfg ../../component/logrotate/buildout.cfg
parts = parts =
ruby2.1 ruby2.3
golang1.12 golang1.12
git git
postgresql92 postgresql10
redis28 redis28
cmake cmake
icu icu
...@@ -40,6 +41,8 @@ parts = ...@@ -40,6 +41,8 @@ parts =
nginx-output nginx-output
gowork gowork
gitlab-workhorse
gitaly-build
python-4gitlab python-4gitlab
gitlab-shell/vendor gitlab-shell/vendor
gitlab/vendor/bundle gitlab/vendor/bundle
...@@ -64,6 +67,13 @@ parts = ...@@ -64,6 +67,13 @@ parts =
[slapos.cookbook-repository] [slapos.cookbook-repository]
revision = 571d6514f7290e8faa9439c4b86aa2f6c87df261 revision = 571d6514f7290e8faa9439c4b86aa2f6c87df261
[yarn]
# need this version of Yarn
recipe = slapos.recipe.build:download-unpacked
url = https://github.com/yarnpkg/yarn/releases/download/v1.3.2/yarn-v1.3.2.tar.gz
md5sum = db82fa09c996e9318f2f1d2ab99228f9
############################ ############################
# Software compilation # # Software compilation #
############################ ############################
...@@ -78,20 +88,22 @@ eggs = ...@@ -78,20 +88,22 @@ eggs =
# rubygemsrecipe with fixed url and this way pinned rubygems version # rubygemsrecipe with fixed url and this way pinned rubygems version
[rubygemsrecipe] [rubygemsrecipe]
recipe = rubygemsrecipe recipe = rubygemsrecipe
url = https://rubygems.org/rubygems/rubygems-2.5.2.zip url = https://rubygems.org/rubygems/rubygems-3.1.2.zip
# bundler, that we'll use to # bundler, that we'll use to
# - install gems for gitlab # - install gems for gitlab
# - run gitlab services / jobs (via `bundle exec ...`) # - run gitlab services / jobs (via `bundle exec ...`)
[bundler-4gitlab] [bundler-4gitlab]
<= rubygemsrecipe <= rubygemsrecipe
ruby-location = ${ruby2.1:location} ruby-location = ${ruby2.3:location}
ruby-executable = ${:ruby-location}/bin/ruby ruby-executable = ${:ruby-location}/bin/ruby
gems = bundler==1.11.2 gems =
bundler==1.17.3
# bin installed here # bin installed here
bundle = ${buildout:bin-directory}/bundle bundle = ${buildout:bin-directory}/bundle
# Gitaly need bundler 1.17.3 which is not the default version at the end
bundle1.17.3 = ${buildout:parts-directory}/${:_buildout_section_name_}/lib/ruby/gems/1.8/gems/bundler-1.17.3/exe/
# install together with dependencies of gitlab, which we cannot specify using # install together with dependencies of gitlab, which we cannot specify using
# --with-... gem option # --with-... gem option
...@@ -109,7 +121,8 @@ bundle = ${buildout:bin-directory}/bundle ...@@ -109,7 +121,8 @@ bundle = ${buildout:bin-directory}/bundle
# gitlab (via github-markup) wants to convert rst -> html via running: python2 (with docutils egg) # gitlab (via github-markup) wants to convert rst -> html via running: python2 (with docutils egg)
# (python-4gitlab puts interpreter into ${buildout:bin-directory}) # (python-4gitlab puts interpreter into ${buildout:bin-directory})
environment = environment =
PATH = ${:ruby-location}/bin:${cmake:location}/bin:${pkgconfig:location}/bin:${nodejs-8.6.0:location}/bin:${postgresql92:location}/bin:${redis28:location}/bin:${git:location}/bin:${buildout:bin-directory}:%(PATH)s
PATH = ${yarn:location}/bin:${:ruby-location}/bin:${cmake:location}/bin:${pkgconfig:location}/bin:${nodejs-8.12.0:location}/bin:${postgresql10:location}/bin:${redis28:location}/bin:${git:location}/bin:${buildout:bin-directory}:%(PATH)s
# gitlab, gitlab-shell & gitlab-workhorse checked out as git repositories # gitlab, gitlab-shell & gitlab-workhorse checked out as git repositories
...@@ -120,21 +133,31 @@ git-executable = ${git:location}/bin/git ...@@ -120,21 +133,31 @@ git-executable = ${git:location}/bin/git
[gitlab-repository] [gitlab-repository]
<= git-repository <= git-repository
#repository = https://gitlab.com/gitlab-org/gitlab-ce.git
repository = https://lab.nexedi.com/nexedi/gitlab-ce.git repository = https://lab.nexedi.com/nexedi/gitlab-ce.git
# 8.17.X + NXD patches: # 9.5.10 + NXD patches:
revision = v8.17.8-12-g611cf13b90 revision = v9.5.10-8-gc290e22a08cb
location = ${buildout:parts-directory}/gitlab location = ${buildout:parts-directory}/gitlab
[gitlab-shell-repository] [gitlab-shell-repository]
<= git-repository <= git-repository
#repository = https://gitlab.com/gitlab-org/gitlab-shell.git #repository = https://lab.nexedi.com/nexedi/gitlab-shell.git
repository = https://lab.nexedi.com/nexedi/gitlab-shell.git repository = https://gitlab.com/gitlab-org/gitlab-shell.git
# gitlab 8.17 wants gitlab-shell 4.1.1 # gitlab 9.5.10 wants gitlab-shell 5.6.1
# 4.1.1 + NXD patches revision = v5.6.1-10-g1e587d3b7f
revision = v4.1.1-1-g64603b4da2
location = ${buildout:parts-directory}/gitlab-shell location = ${buildout:parts-directory}/gitlab-shell
[gitaly-repository]
<= git-repository
repository = https://gitlab.com/gitlab-org/gitaly.git
# for version v0.35.0 (gitlab 9.5.10)
revision = v0.35.0-0-gf99a57b19a
location = ${buildout:parts-directory}/gitaly
[gitlab-workhorse-repository]
<= git-repository
repository = https://lab.nexedi.com/nexedi/gitlab-workhorse.git
revision = v3.0.0-8-g74793ad3cc
# Patch github markup to not call "python2 -S /path/to/rest2html" but only "python2 /path/to/rest2html" # Patch github markup to not call "python2 -S /path/to/rest2html" but only "python2 /path/to/rest2html"
# NOTE github-markup invokes it as `python2`, that's why we are naming it this way # NOTE github-markup invokes it as `python2`, that's why we are naming it this way
# https://github.com/github/markup/blob/5393ae93/lib/github/markups.rb#L36 # https://github.com/github/markup/blob/5393ae93/lib/github/markups.rb#L36
...@@ -158,11 +181,23 @@ bundle = ${bundler-4gitlab:bundle} ...@@ -158,11 +181,23 @@ bundle = ${bundler-4gitlab:bundle}
configure-command = cd ${:path} && configure-command = cd ${:path} &&
${:bundle} config --local build.charlock_holmes --with-icu-dir=${icu:location} && ${:bundle} config --local build.charlock_holmes --with-icu-dir=${icu:location} &&
${:bundle} config --local build.pg --with-pg-config=${postgresql92:location}/bin/pg_config ${:bundle} config --local build.pg --with-pg-config=${postgresql10:location}/bin/pg_config &&
${:bundle} config --local build.re2 --with-re2-dir=${re2:location}
make-binary = make-binary =
make-targets= cd ${:path} && make-targets= cd ${:path} &&
${:bundle} install --deployment --without development test mysql kerberos ${:bundle} install --deployment --without development test mysql aws kerberos
environment =
PKG_CONFIG_PATH=${openssl-1.0:location}/lib/pkgconfig:${re2:location}/lib/pkgconfig
PATH=${pkgconfig:location}/bin:%(PATH)s
################## Google re2
[re2]
recipe = slapos.recipe.cmmi
url = https://github.com/google/re2/archive/2019-12-01.tar.gz
md5sum = 527eab0c75d6a1a0044c6eefd816b2fb
configure-command = :
[gitlab_npm] [gitlab_npm]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
...@@ -173,7 +208,7 @@ make-binary = ...@@ -173,7 +208,7 @@ make-binary =
make-targets= cd ${:path} && npm install make-targets= cd ${:path} && npm install
environment = environment =
PATH=${nodejs-8.6.0:location}/bin/:%(PATH)s PATH=${nodejs-8.12.0:location}/bin/:%(PATH)s
#our go infrastructure not currently supporting submodules, IIRC #our go infrastructure not currently supporting submodules, IIRC
# https://lab.nexedi.com/nexedi/slapos/merge_requests/337 # https://lab.nexedi.com/nexedi/slapos/merge_requests/337
...@@ -193,27 +228,52 @@ environment = ...@@ -193,27 +228,52 @@ environment =
[gowork.goinstall] [gowork.goinstall]
git2go = ${go_github.com_libgit2_git2go_prepare:path}/vendor/libgit2/install git2go = ${go_github.com_libgit2_git2go_prepare:path}/vendor/libgit2/install
command = bash -c ". ${gowork:env.sh} && CGO_CFLAGS=-I${:git2go}/include CGO_LDFLAGS=-L${:git2go}/lib go install ${gowork:buildflags} -v $(echo -n '${gowork:install}' |tr '\n' ' ')" command = bash -c ". ${gowork:env.sh} && CGO_CFLAGS=-I${:git2go}/include CGO_LDFLAGS='-L${:git2go}/lib -lgit2' go install ${gowork:buildflags} -v $(echo -n '${gowork:install}' |tr '\n' ' ')"
[gowork] [gowork]
golang = ${golang1.12:location} golang = ${golang1.12:location}
gcc-bin-directory = ${golang1.12:gcc-bin-directory}
# gitlab.com/gitlab-org/gitlab-workhorse
# gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-cat
# gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata
install = install =
lab.nexedi.com/kirr/git-backup lab.nexedi.com/kirr/git-backup
gitlab.com/gitlab-org/gitlab-workhorse
gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-cat
gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata
cpkgpath = cpkgpath =
${openssl-1.0:location}/lib/pkgconfig ${openssl-1.0:location}/lib/pkgconfig
${zlib:location}/lib/pkgconfig ${zlib:location}/lib/pkgconfig
${go_github.com_libgit2_git2go_prepare:path}/vendor/libgit2/install/lib/pkgconfig ${go_github.com_libgit2_git2go_prepare:path}/vendor/libgit2/install/lib/pkgconfig
buildflags = --tags "static" buildflags = --tags "static"
[gitlab-workhorse]
recipe = slapos.recipe.cmmi
path = ${gitlab-workhorse-repository:location}
md5sum = 2988c944d58c4a08880498c4981cc7b7
configure-command = :
make-binary =
make-targets =
. ${gowork:env.sh} && make install PREFIX=${gowork:directory}
[gitlab-backup] [gitlab-backup]
recipe = plone.recipe.command recipe = plone.recipe.command
command = command =
cp -a ${go_lab.nexedi.com_kirr_git-backup:location}/contrib/gitlab-backup ${gowork:bin} cp -a ${go_lab.nexedi.com_kirr_git-backup:location}/contrib/gitlab-backup ${gowork:bin}
update-command = ${:command} update-command = ${:command}
[gitaly-build]
recipe = slapos.recipe.cmmi
path = ${gitaly-repository:location}
bundle = ${bundler-4gitlab:bundle}
configure-command = cd ${:path}/ruby &&
${:bundle} config --local build.charlock_holmes --with-icu-dir=${icu:location}
make-binary =
make-targets =
. ${gowork:env.sh} && make
environment =
PKG_CONFIG_PATH=${openssl-1.0:location}/lib/pkgconfig:${icu:location}/lib/pkgconfig
PATH=${pkgconfig:location}/bin:${ruby2.3:location}/bin:%(PATH)s
[xnice-repository] [xnice-repository]
# to get kirr's misc repo containing xnice script for executing processes # to get kirr's misc repo containing xnice script for executing processes
# with lower priority (used for backup script inside the cron) # with lower priority (used for backup script inside the cron)
...@@ -235,6 +295,7 @@ make-binary = ...@@ -235,6 +295,7 @@ make-binary =
make-targets= cd ${:path} && make-targets= cd ${:path} &&
${:bundle} install --deployment --without development test ${:bundle} install --deployment --without development test
############################### ###############################
# Trampoline for instance # # Trampoline for instance #
############################### ###############################
...@@ -297,6 +358,9 @@ destination = ${buildout:directory}/${:_buildout_section_name_} ...@@ -297,6 +358,9 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
[gitlab.yml.in] [gitlab.yml.in]
<= download-file <= download-file
[gitaly-config.toml.in]
<= download-file
[instance-gitlab.cfg.in] [instance-gitlab.cfg.in]
<= download-file <= download-file
...@@ -340,6 +404,6 @@ strip-top-level-dir = true ...@@ -340,6 +404,6 @@ strip-top-level-dir = true
cns.recipe.symlink = 0.2.3 cns.recipe.symlink = 0.2.3
docutils = 0.12 docutils = 0.12
plone.recipe.command = 1.1 plone.recipe.command = 1.1
rubygemsrecipe = 0.2.2+slapos001 rubygemsrecipe = 0.2.2+slapos002
slapos.recipe.template = 4.4 slapos.recipe.template = 4.3
z3c.recipe.scripts = 1.0.1 z3c.recipe.scripts = 1.0.1
# Example Gitaly configuration file
# Documentation lives at https://docs.gitlab.com/ee/administration/gitaly/ and
# https://docs.gitlab.com/ee//administration/gitaly/reference
socket_path = "{{ gitaly.socket }}"
# The directory where Gitaly's executables are stored
bin_dir = "{{ gitaly.location }}"
# # Optional: listen on a TCP socket. This is insecure (no authentication)
# listen_addr = "localhost:9999"
# tls_listen_addr = "localhost:8888
# # Optional: export metrics via Prometheus
# prometheus_listen_addr = "localhost:9236"
# # Git settings
[git]
bin_path = "{{ git }}"
[[storage]]
name = "default"
path = "{{ gitlab.repositories }}"
# # You can optionally configure more storages for this Gitaly instance to serve up
#
# [[storage]]
# name = "other_storage"
# path = "/mnt/other_storage/repositories"
#
# # You can optionally configure Gitaly to output JSON-formatted log messages to stdout
# [logging]
# format = "json"
# # Additionally exceptions can be reported to Sentry
# sentry_dsn = "https://<key>:<secret>@sentry.io/<project>
# # You can optionally configure Gitaly to record histogram latencies on GRPC method calls
# [prometheus]
# grpc_latency_buckets = [0.001, 0.005, 0.025, 0.1, 0.5, 1.0, 10.0, 30.0, 60.0, 300.0, 1500.0]
[gitaly-ruby]
# The directory where gitaly-ruby is installed
dir = "{{ gitaly.location }}/ruby"
[gitlab-shell]
# The directory where gitlab-shell is installed
dir = "{{ gitlab_shell_work.location }}"
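Review bot: `socket_path` is the only endpoint this file enables and Gitaly does not authenticate callers on it (the commented `listen_addr` line says as much for TCP, and the matching gitlab.yml change leaves `gitaly.token` blank), so the permissions of the directory holding `{{ gitaly.socket }}` are the whole access control; a comment next to it such as `# No authentication on this socket: its parent directory must be accessible to the gitlab user only` would record that trust boundary for operators. Separately, the commented `tls_listen_addr = "localhost:8888` is missing its closing quote, so it becomes a TOML parse error the moment someone uncomments it; `# tls_listen_addr = "localhost:8888"` fixes it.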
...@@ -24,7 +24,7 @@ http_settings: ...@@ -24,7 +24,7 @@ http_settings:
# Give the canonicalized absolute pathname, # Give the canonicalized absolute pathname,
# REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!! # REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!!
# Check twice that none of the components is a symlink, including "/home". # Check twice that none of the components is a symlink, including "/home".
repos_path: "{{ gitlab.repositories }}" # repos_path: "{{ gitlab.repositories }}"
# File used as authorized_keys for gitlab user # File used as authorized_keys for gitlab user
# NOTE not used in slapos version (all access via https only) # NOTE not used in slapos version (all access via https only)
...@@ -34,6 +34,9 @@ auth_file: "{{ gitlab.var }}/sshkeys-notused" ...@@ -34,6 +34,9 @@ auth_file: "{{ gitlab.var }}/sshkeys-notused"
# Default is .gitlab_shell_secret in the root directory. # Default is .gitlab_shell_secret in the root directory.
secret_file: "{{ gitlab_shell.secret }}" secret_file: "{{ gitlab_shell.secret }}"
# Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
# Default is hooks in the gitlab-shell directory.
custom_hooks_dir: "{{ gitlab_shell_work.location }}/hooks/"
# Redis settings used for pushing commit notices to gitlab # Redis settings used for pushing commit notices to gitlab
redis: redis:
...@@ -41,11 +44,6 @@ redis: ...@@ -41,11 +44,6 @@ redis:
host: {# <%= @redis_host %> #} host: {# <%= @redis_host %> #}
port: {# <%= @redis_port %> #} port: {# <%= @redis_port %> #}
socket: {{ service_redis.unixsocket }} socket: {{ service_redis.unixsocket }}
{# we don't use password for redis
<% if @redis_password %>
pass: <%= @redis_password %>
<% end %>
#}
database: {# <%= @redis_database %> #} database: {# <%= @redis_database %> #}
namespace: resque:gitlab namespace: resque:gitlab
...@@ -32,6 +32,29 @@ production: &base ...@@ -32,6 +32,29 @@ production: &base
relative_url_root: <%= @gitlab_relative_url %> relative_url_root: <%= @gitlab_relative_url %>
#} #}
# Content Security Policy
# See https://guides.rubyonrails.org/security.html#content-security-policy
content_security_policy:
enabled: true
report_only: false
directives:
base_uri:
child_src:
connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
default_src: "'self'"
font_src:
form_action:
frame_ancestors: "'self'"
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
img_src: "* data: blob:"
manifest_src:
media_src:
object_src: "'none'"
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
style_src: "'self' 'unsafe-inline'"
worker_src: "'self' blob:"
report_uri:
# Trusted Proxies # Trusted Proxies
# Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
# Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
...@@ -84,7 +107,7 @@ production: &base ...@@ -84,7 +107,7 @@ production: &base
merge_requests: {{ cfg('default_projects_features.merge_requests') }} merge_requests: {{ cfg('default_projects_features.merge_requests') }}
wiki: {{ cfg('default_projects_features.wiki') }} wiki: {{ cfg('default_projects_features.wiki') }}
snippets: {{ cfg('default_projects_features.snippets') }} snippets: {{ cfg('default_projects_features.snippets') }}
builds: false {# builds not supported yet <%= @gitlab_default_projects_features_builds %> #} builds: {{ cfg('default_projects_features.builds') }}
{# container_registry: <%= @gitlab_default_projects_features_container_registry %> #} {# container_registry: <%= @gitlab_default_projects_features_container_registry %> #}
## Webhook settings ## Webhook settings
...@@ -148,6 +171,7 @@ production: &base ...@@ -148,6 +171,7 @@ production: &base
storage_path: <%= @lfs_storage_path %> storage_path: <%= @lfs_storage_path %>
#} #}
{# we do not support container registry {# we do not support container registry
## Container Registry ## Container Registry
registry: registry:
...@@ -191,6 +215,9 @@ production: &base ...@@ -191,6 +215,9 @@ production: &base
ssl_url: <%= single_quote(@gravatar_ssl_url) %> # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon ssl_url: <%= single_quote(@gravatar_ssl_url) %> # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
#} #}
## Sidekiq
sidekiq:
log_format: json # (default is the original format)
{# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults {# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults
## Auxiliary jobs ## Auxiliary jobs
...@@ -375,19 +402,18 @@ production: &base ...@@ -375,19 +402,18 @@ production: &base
path: <%= @shared_path %> path: <%= @shared_path %>
#} #}
# Gitaly settings
gitaly:
# Default Gitaly authentication token. Can be overriden per storage. Can
# be left blank when Gitaly is running locally on a Unix socket, which
# is the normal way to deploy Gitaly.
token:
# #
# 4. Advanced settings # 4. Advanced settings
# ========================== # ==========================
# GitLab Satellites
# Important: keep the satellites.path setting until GitLab 9.0 at
# least. This setting is fed to 'rm -rf' in
# db/migrate/20151023144219_remove_satellites.rb
satellites:
# Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
path: /dev/null
timeout: 0
## Repositories settings ## Repositories settings
repositories: repositories:
# Paths where repositories can be stored. Give the canonicalized absolute pathname. # Paths where repositories can be stored. Give the canonicalized absolute pathname.
...@@ -395,7 +421,11 @@ production: &base ...@@ -395,7 +421,11 @@ production: &base
# gitlab-shell invokes Dir.pwd inside the repository path and that results # gitlab-shell invokes Dir.pwd inside the repository path and that results
# real path not the symlink. # real path not the symlink.
storages: # You must have at least a `default` storage path. storages: # You must have at least a `default` storage path.
default: {{ gitlab.repositories }} default:
path: {{ gitlab.repositories }}
gitaly_address: unix:{{ gitaly.socket }} # TCP connections are supported too (e.g. tcp://host:port). TLS connections are also supported using the system certificate pool (eg: tls://host:port).
# gitaly_token: 'special token' # Optional: override global gitaly.token for this storage.
## Backup settings ## Backup settings
backup: backup:
...@@ -420,8 +450,8 @@ production: &base ...@@ -420,8 +450,8 @@ production: &base
## GitLab Shell settings ## GitLab Shell settings
gitlab_shell: gitlab_shell:
path: {{ gitlab_shell_work.location }} path: {{ gitlab_shell_work.location }}
authorized_keys_file: {{ gitlab.var }}/sshkeys-notused
# REPOS_PATH MUST NOT BE A SYMLINK!!!
repos_path: {{ gitlab.repositories }} repos_path: {{ gitlab.repositories }}
hooks_path: {{ gitlab_shell_work.location }}/hooks/ hooks_path: {{ gitlab_shell_work.location }}/hooks/
secret_file: {{ gitlab_shell.secret }} secret_file: {{ gitlab_shell.secret }}
...@@ -430,6 +460,9 @@ production: &base ...@@ -430,6 +460,9 @@ production: &base
upload_pack: true upload_pack: true
receive_pack: true receive_pack: true
# Git import/fetch timeout, in seconds. Defaults to 3 hours.
# git_timeout: 10800
{# Git over SSH is disabled elsewhere (so we don't care about ssh_port) {# Git over SSH is disabled elsewhere (so we don't care about ssh_port)
# If you use non-standard ssh port you need to specify it # If you use non-standard ssh port you need to specify it
ssh_port: <%= @gitlab_shell_ssh_port %> ssh_port: <%= @gitlab_shell_ssh_port %>
...@@ -452,7 +485,6 @@ production: &base ...@@ -452,7 +485,6 @@ production: &base
# Git timeout to read a commit, in seconds # Git timeout to read a commit, in seconds
timeout: {{ cfg('git_timeout') }} timeout: {{ cfg('git_timeout') }}
# #
# 5. Extra customization # 5. Extra customization
# ========================== # ==========================
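Review bot: The Content-Security-Policy block is enforced (`report_only: false`) yet `script_src` allows `'unsafe-eval'` and `http://localhost:*`, and `connect_src` allows plain `http://localhost:*` / `ws://localhost:*`; the localhost origins look like development-server entries that do not belong in a production template, and `'unsafe-eval'` removes most of what a `script_src` restriction buys. A comment stating which GitLab feature requires each of those sources, or a `cfg()` switch so the localhost entries are only emitted for development, would let operators tighten the policy. Also, unless the NXD patches backport it, I am not aware of GitLab 9.5 reading a `content_security_policy` key from gitlab.yml (upstream introduced that setting in a later release), so the block may be silently ignored — worth confirming against the checked-out revision. Finally, leaving `gitaly.token` blank means access to Gitaly rests entirely on the Unix-socket file permissions of `{{ gitaly.socket }}`; a one-line comment saying so next to `token:` would document that.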
...@@ -111,16 +111,71 @@ server { ...@@ -111,16 +111,71 @@ server {
set_real_ip_from {{ trusted_address }}; set_real_ip_from {{ trusted_address }};
{% endfor %} {% endfor %}
## HSTS Config
## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
{% if cfg("nginx_hsts_max_age") > 0 -%}
{% if '{{ cfg("nginx_hsts_include_subdomains") }}' == 'true' -%}
add_header Strict-Transport-Security "max-age={{ cfg('nginx_hsts_max_age') }}; includeSubDomains"
{% else -%}
add_header Strict-Transport-Security "max-age={{ cfg('nginx_hsts_max_age') }}";
{% endif -%}
{% endif -%}
## Individual nginx logs for this GitLab vhost ## Individual nginx logs for this GitLab vhost
access_log {{ nginx.log }}/gitlab_access.log gitlab_access; access_log {{ nginx.log }}/gitlab_access.log gitlab_access;
error_log {{ nginx.log }}/gitlab_error.log; error_log {{ nginx.log }}/gitlab_error.log;
# Set CORS header
add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }};
add_header 'Access-Control-Allow-Credentials' true;
#{{ 'gzip off;' if cfg_https else ''}}
{% if '{{ cfg("nginx_gzip_enabled") }}' == 'true' -%}
gzip on;
gzip_static on;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_vary on;
gzip_disable "msie6";
gzip_min_length 10240;
gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml application/rss+xml;
{% endif -%}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout {{ cfg('nginx_proxy_read_timeout') }};
proxy_connect_timeout {{ cfg('nginx_proxy_connect_timeout') }};
proxy_redirect off;
proxy_http_version 1.1;
{# we do not support relative URL - path is always "/" #} {# we do not support relative URL - path is always "/" #}
{% set path = "/" %} {% set path = "/" %}
#if ($http_host = "") {
# set $http_host_with_default "<%= default_host %>";
#}
#if ($http_host != "") {
# set $http_host_with_default $http_host;
#}
location ~ (\.git/gitlab-lfs/objects|\.git/info/lfs/objects/batch$) {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
{% if cfg_https %}
proxy_set_header X-Forwarded-Ssl on;
{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_https else "http" }};
proxy_pass http://gitlab-workhorse;
}
location {{ path }} { location {{ path }} {
# Set CORS header # NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
add_header 'Access-Control-Allow-Origin' {{ cfg('nginx_header_allow_origin') }}; # - files/gitlab-config-template/gitlab.rb.template nginx['proxy_set_headers']
add_header 'Access-Control-Allow-Credentials' true; # - files/gitlab-cookbooks/gitlab/attributes/default.rb default['gitlab']['nginx']['proxy_set_headers']
# - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb parse_nginx_proxy_headers()
# (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
if ($request_method = OPTIONS ) { if ($request_method = OPTIONS ) {
add_header Allow "GET, OPTIONS"; add_header Allow "GET, OPTIONS";
add_header Content-Type text/plain; add_header Content-Type text/plain;
...@@ -128,23 +183,7 @@ server { ...@@ -128,23 +183,7 @@ server {
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Authorization, Content-Type, Accept"; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Authorization, Content-Type, Accept";
return 200; return 200;
} }
## If you use HTTPS make sure you disable gzip compression proxy_cache off;
## to be safe against BREACH attack.
{{ 'gzip off;' if cfg_https else ''}}
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout {{ cfg('nginx_proxy_read_timeout') }};
proxy_connect_timeout {{ cfg('nginx_proxy_connect_timeout') }};
proxy_redirect off;
proxy_http_version 1.1;
# NOTE(slapos) proxy headers are defined upstream in omnibus-gitlab in:
# - files/gitlab-config-template/gitlab.rb.template nginx['proxy_set_headers']
# - files/gitlab-cookbooks/gitlab/attributes/default.rb default['gitlab']['nginx']['proxy_set_headers']
# - files/gitlab-cookbooks/gitlab/libraries/gitlab.rb parse_nginx_proxy_headers()
# (last updated for omnibus-gitlab 8.5.1+ce.0-1-ge732b39)
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
{% if cfg_https %} {% if cfg_https %}
...@@ -153,7 +192,12 @@ server { ...@@ -153,7 +192,12 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto {{ "https" if cfg_https else "http" }}; proxy_set_header X-Forwarded-Proto {{ "https" if cfg_https else "http" }};
proxy_pass http://gitlab-workhorse; proxy_pass http://gitlab-workhorse;
}
location ~ ^/(assets)/ {
proxy_cache off;
proxy_pass http://gitlab-workhorse;
} }
error_page 404 /404.html; error_page 404 /404.html;
...@@ -169,3 +213,4 @@ server { ...@@ -169,3 +213,4 @@ server {
<%= @custom_gitlab_server_config %> <%= @custom_gitlab_server_config %>
#} #}
} }
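Review bot: The `includeSubDomains` branch of the HSTS block is missing its terminating semicolon: it should read `add_header Strict-Transport-Security "max-age={{ cfg('nginx_hsts_max_age') }}; includeSubDomains";` (compare the `else` branch two lines below). The error is currently masked because `{% if '{{ cfg("nginx_hsts_include_subdomains") }}' == 'true' -%}` compares a literal string containing the braces with `'true'`, which can never be true unless this template is rendered twice; the same construct guards the `nginx_gzip_enabled` block further down. If a single Jinja pass is intended, the max-age guard just above already shows the form: `{% if cfg("nginx_hsts_include_subdomains") == 'true' -%}` (or a plain truthiness test, depending on what `cfg()` returns). Separately, the old `gzip off` under HTTPS together with its BREACH note is gone; a comment on the gzip block saying that compressing authenticated responses over TLS re-exposes BREACH would help operators choose the `nginx_gzip_enabled` value.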
...@@ -50,6 +50,42 @@ http { ...@@ -50,6 +50,42 @@ http {
include {{ nginx_gitlab_http_conf }}; include {{ nginx_gitlab_http_conf }};
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Remove private_token from the request URI
# In: /foo?private_token=unfiltered&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
map $request_uri $temp_request_uri_1 {
default $request_uri;
~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# Remove authenticity_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=unfiltered&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
map $temp_request_uri_1 $temp_request_uri_2 {
default $temp_request_uri_1;
~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# Remove rss_token from the request URI
# In: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=unfiltered&...
# Out: /foo?private_token=[FILTERED]&authenticity_token=[FILTERED]&rss_token=[FILTERED]&...
map $temp_request_uri_2 $filtered_request_uri {
default $temp_request_uri_2;
~(?i)^(?<start>.*)(?<temp>[\?&]rss[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
}
# A version of the referer without the query string
map $http_referer $filtered_http_referer {
default $http_referer;
~^(?<temp>.*)\? $temp;
}
{# we don't need: ci, pages, mattermost, registry {# we don't need: ci, pages, mattermost, registry
include <%= @gitlab_ci_http_config %> include <%= @gitlab_ci_http_config %>
include <%= @gitlab_pages_http_config %>; include <%= @gitlab_pages_http_config %>;
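Review bot: The `map` blocks produce `$filtered_request_uri` and `$filtered_http_referer`, but nothing in this hunk consumes them; the `gitlab_access` log_format is defined outside it, so please confirm it logs `$filtered_request_uri` and `$filtered_http_referer` rather than `$request_uri`/`$http_referer`, otherwise private, authenticity and RSS tokens still reach gitlab_access.log. A comment on the first map, `# consumed by log_format gitlab_access in <LOG_FORMAT_FILE>`, would tie the two together. Note also that each regex redacts only the first matching parameter, since the remainder is captured verbatim into `$rest`.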
...@@ -29,3 +29,4 @@ end ...@@ -29,3 +29,4 @@ end
# SMTP disabled in instance configuration (see `smtp_enable` parameter). # SMTP disabled in instance configuration (see `smtp_enable` parameter).
# Mail sending, if enabled (see `email_enabled`), will be done via sendmail. # Mail sending, if enabled (see `email_enabled`), will be done via sendmail.
{% endif %} {% endif %}
...@@ -17,8 +17,20 @@ working_directory '{{ gitlab_work.location }}' ...@@ -17,8 +17,20 @@ working_directory '{{ gitlab_work.location }}'
# What the timeout for killing busy workers is, in seconds # What the timeout for killing busy workers is, in seconds
timeout {{ cfg('unicorn_worker_timeout') }} timeout {{ cfg('unicorn_worker_timeout') }}
# Whether the app should be pre-loaded # combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings
# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
preload_app true preload_app true
GC.respond_to?(:copy_on_write_friendly=) and
GC.copy_on_write_friendly = true
# Enable this flag to have unicorn test client connections by writing the
# beginning of the HTTP headers before calling the application. This
# prevents calling the application for connections that have disconnected
# while queued. This is only guaranteed to detect clients on the same
# host unicorn runs on, and unlikely to detect disconnects even on a
# fast LAN.
check_client_connection false
# How many worker processes # How many worker processes
worker_processes {{ cfg('unicorn_worker_processes') }} worker_processes {{ cfg('unicorn_worker_processes') }}
...@@ -35,6 +47,10 @@ before_fork do |server, worker| ...@@ -35,6 +47,10 @@ before_fork do |server, worker|
# defined?(ActiveRecord::Base) and # defined?(ActiveRecord::Base) and
# ActiveRecord::Base.connection.disconnect! # ActiveRecord::Base.connection.disconnect!
# The following is only recommended for memory/DB-constrained
# installations. It is not needed if your system can house
# twice as many worker_processes as you have configured.
#
# This allows a new master process to incrementally # This allows a new master process to incrementally
# phase out the old master process with SIGTTOU to avoid a # phase out the old master process with SIGTTOU to avoid a
# thundering herd (especially in the "preload_app false" case) # thundering herd (especially in the "preload_app false" case)
...@@ -48,8 +64,15 @@ before_fork do |server, worker| ...@@ -48,8 +64,15 @@ before_fork do |server, worker|
rescue Errno::ENOENT, Errno::ESRCH rescue Errno::ENOENT, Errno::ESRCH
end end
end end
#
# Throttle the master from forking too quickly by sleeping. Due
# to the implementation of standard Unix signal handlers, this
# helps (but does not completely) prevent identical, repeated signals
# from being lost when the receiving process is busy.
# sleep 1
end end
# What to do after we fork a worker # What to do after we fork a worker
after_fork do |server, worker| after_fork do |server, worker|
# per-process listener ports for debugging/admin/migrations # per-process listener ports for debugging/admin/migrations
...@@ -60,6 +83,17 @@ after_fork do |server, worker| ...@@ -60,6 +83,17 @@ after_fork do |server, worker|
# # the following is *required* for Rails + "preload_app true", # # the following is *required* for Rails + "preload_app true",
# defined?(ActiveRecord::Base) and # defined?(ActiveRecord::Base) and
# ActiveRecord::Base.establish_connection # ActiveRecord::Base.establish_connection
# reset prometheus client, this will cause any opened metrics files to be closed
#defined?(::Prometheus::Client.reinitialize_on_pid_change) &&
# Prometheus::Client.reinitialize_on_pid_change
# if preload_app is true, then you may also want to check and
# restart any other shared sockets/descriptors such as Memcached,
# and Redis. TokyoCabinet file handles are safe to reuse
# between any number of forked children (assuming your kernel
# correctly implements pread()/pwrite() system calls)
end end
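Review bot: `GC.copy_on_write_friendly = true` (guarded by `GC.respond_to?(:copy_on_write_friendly=)`) is a Ruby Enterprise Edition hook; on the Ruby 2.3 this commit builds with (the `ruby2.3` section in software.cfg), `GC` does not respond to it, so those two lines and the REE comment above `preload_app true` are a no-op carried over from unicorn's example config. Either drop them or shorten the comment to `# REE-only copy-on-write hint; no-op on MRI, kept for parity with upstream config`. The `before_fork` and `after_fork` blocks start outside their hunks.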