A user who is considering moving from self-hosted to GitLab.com Gold plan has asked this question.
We are currently planning to move from our hosted instance to a Gold account on gitlab.com.
However, we just learned the news that you will be moving your infrastructure to Google Compute Engine, and we are a little concerned with speed.
I am part of a web agency based in China, where most of Google's infrastructure is blocked. On our side we already have an MPLS solution that allows us to access blocked resources; however, I would like to know more from your side about what this change could mean for us.
I see that they currently have no data centers in Hong Kong, however I see that they are planning to open them. Do you already have plans of where your solution will be deployed?
At the moment I am optimistic about access after the GCP migration. It sounds to me like only the resources by Google Inc. are blocked. I have some VMs on Google Cloud Platform at the moment for testing or demoing GitLab. I have had no trouble accessing them from China by either IP or domain name.
Hello @xiaogang_gitlab, do you have any info on where (which datacenters) the infrastructure will be deployed in Asia? I had widely different results on my side when trying to access services located in Hong Kong vs Taiwan or Singapore for instance.
Many (very probably everything) Google Cloud Platform properties are server-side blocked in Cuba. This is what I get when trying to open Google's Cloud:
Thus, GitLab moving to GCP will effectively make it unavailable to us Cubans (I realize we're under the noise floor, but still it is kind of sad when myself and several of my friends have been using this great service for years).
Maybe http://www.gcping.com/ can help here, too.
In case the Global HTTP Load Balancer is used, the network packets enter the Google internal backbone very early.
Please note the sanction is for the countries involved in the following countries: Crimea; Cuba; Iran; North Korea; Sudan and Syria. Please do take time to review this "U.S. Department of The Treasury" link [1], as there are legal restrictions that were imposed for those mentioned countries.
Hi @xiaogang_gitlab, @andrewn, I confirm that I was able to access the registry from China as well, getting the same authentication error.
However, I also tested downloading a blob to check the speed (I think I am doing something wrong with the authentication, even though I am able to correctly list blobs with the same token), and have noticed that the requests are still going through AWS.
Is the registry already migrated but the data still on AWS or am I misunderstanding something?
@dario.martini - your conclusion is spot on, great investigation. The data will - for a couple of weeks, at least - remain on AWS. Your issue appears to be unrelated to the GCP migration. When did this start happening to you? I don't think AWS would block requests with an HTTP 400 response, so I think something else must be wrong.
@andrewn not sure yet what the issue is with the 400 error, I have been able to do the same thing on registry.docker.io with no problem, and I have used this system to test the connectivity before. Do you have any clue that could point me in the right direction so I can better run tests?
I can see that the initial authentication seems successful in both cases, however in the case of GitLab's registry I get blocked by AWS after being correctly redirected to it.
GCP completely banned Iran from accessing services hosted on GCP.
GitLab's migration to GCP means no one from Iran can access GitLab without a proxy.
curl https://cloud.google.com/
<!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 403 (Forbidden)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>403.</b> <ins>That’s an error.</ins> <p>Your client does not have permission to get URL <code>/</code> from this server. <ins>That’s all we know.</ins>
curl www.gcping.com
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>We're sorry, but this service is not available in your location</Details></Error>
In my personal opinion, this fact is a big shame.
I will need to find a free service where I can have my projects, after migrating them from GitHub because of the Microsoft acquisition and for pure reasons of principle.
I cannot have my projects on a host that censors (or supports censoring, or follows the censorship of) other countries, as this would be absurd to me. Especially because I was born in Cuba (no matter that I'm outside it right now). I suppose that I will need to return to GitHub, as my country is not directly censored there.
I'm convinced that the freedom of free software is only important because it represents the freedom of us as persons. So, denying some people the freedom to directly access the code would be worse (from my point of view) than free and accessible code that is hosted by a private company like Microsoft.
Especially because I was born in Cuba (no matter that I'm outside it right now).
Even if not born in Cuba but in an "uncensored country", and living in an "uncensored country". These restrictions go under GPL and other free software restrictions.
Why does Google not offering cloud services to some countries cause restrictions on sites hosted within Google Cloud? This seems like someone has misinterpreted the restrictions, or gotten lazy and just blocked some regions for everything instead of just blocking them as Google Cloud direct customers. Otherwise, why are so many other sites available for use in Cuba?
Why is GitHub being acquired by MS a problem? They have not shown it will be a problem, they have transformed into a company that is doing a lot of good things in open-source. I think it is the better bet until they prove otherwise.
It isn't really a MS product, it is still the same GitHub, just with a bigger investor. You didn't really know who was behind GitHub to begin with, did you? Research everyone, their background, etc.?
I would rather take the MS bullet than limit who can access our open-source and who can collaborate on our projects.
We were also looking at an email in https://gitlab.com/gitlab-com/production/issues/390, but I'm not sure how far we got there given other work this week - it was maybe filtering by last logged in IP to find users.
Closing this issue and will reopen a discussion in /production if we have more needs there.
GitLab is not a company to bow to Google's interpretations of US sanction laws. Yesterday, it was not against the law to serve Iranians, neither today nor tomorrow. If GitLab thinks open-source is important, they should take some actions instead of just letting Iranian developers down. Are you sure none of the open source projects at GitLab have Iranian developers? Do you not want to still have them by your side?
Why must developers suffer with the b****it of politics? Move from Google servers to another one, or convince them to change the rules.
Take an FSF action, not just use an open source platform. We will go back to GitHub. At least Microsoft does not bl**ob for politicians.
Google didn't block Iranians from their information-based services like Gmail and Google Plus, but it has blocked us (computer developers, not governors) from open source projects. Why?
Perhaps there is a configuration option for GCP to allow access from countries that fall under US sanctions? I've dealt with this issue a lot in regards to Android apps on Google Play. The US sanctions generally only forbid commercial activity, but most companies play it safe and just block all activity. Their idea is that they do not want to take on legal risk when they are not allowed to have any customers from the US-sanctioned countries.
Google Play changed this a couple years back, and now allows app developers to opt-in unpaid apps to be available in the US-sanctioned countries. I helped push for that internally in Google, I'm happy to try again with this GCP problem.
To change Google's current setup, you really have to do a campaign. So everyone needs to make their voice heard by Google. One good place to start would be to see if GCP has a public issue tracker, and whether there is already an issue filed about this. If not, create a new one. Then everyone should star/+1 the issue.
Would it be possible for GitLab Inc. to create proxy servers that would be accessible from the now blocked countries? I know that probably only a low number of users are affected by this, but that also has a bright side: it wouldn't cost much to keep such proxy servers running :)
This is really bad news for developers in countries affected by this move. The same thing happened with Netlify's authentication system and their response to me was that there was no way to unblock access to those countries in Google Cloud. There are many sites blocked in Cuba because of this, but this one is a really important one.
I think Google is following its criteria, based on the law of the country where the servers that provide the service are hosted. So, one idea is to request Google to move GitLab outside the US and then request that Google follow the law of the country where the servers are. This would mean in most cases the impossibility of censoring people's access from the country where they are. Instead they would need to follow all fundamental human rights (all that the US government says it defends), especially article 1 (http://www.un.org/en/universal-declaration-human-rights/):
All human beings are born free and equal in dignity and rights. They are endowed with reason and conscience and should act towards one another in a spirit of brotherhood.
We are all humans, developers and users!!! All of us, developers and users, want to promote a spirit of brotherhood and not censor other humans...
Please help all of us do that, don't be accomplices of the opposite feeling.
Ohh.. bad news. I'm from Crimea, and moved to GitLab because the other service was on Google Cloud Platform, so I want to work without vpn/proxy.
BTW many Google services work fine in Crimea: Gmail, Google Search, Google Webmaster, YouTube etc. But all clients of their Google Cloud Platform are forced to ban some countries. I think they must have a more flexible position, sanctions don't restrict all network stuff, just part...
If it's possible, add/modify the domain to go through Cloudflare or another service like that for us, we have no access to any of your services now. This is very easy to implement, please consider it.
I am a little late for the party and the case seems to be closed,
but, guys, isn't it time to move off the centralized hosting of open code?
There is a Gitchain started in 2014, still alive.
There are IPFS, Zeronet, G-d knows what else.
I mean, if you host your code or anything yourself, it is your sole responsibility to comply with local government rules. No need to blame giant corps for their limited liability.
I have a solution for affected people who still want to use GitLab as a source control service.
Run this command on your local machine:
git config --global http.proxy url:port
Change url and port to those of a proxy which will help you to bypass the sanctions.
To find a proxy just google "free proxy list".