CI job (with gitlab-ci-token user) fails when ldap service isn't available
Summary
2 days ago 3 scheduled CI jobs failed at the exact same time (21:00 VLT) with the same error message.
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@git.example.com/deploy/project.git/': The requested URL returned error: 500
At the time of the problem, we had GitLab installed via Omnibus (on a VM with Debian 9.9/stretch) in version v11.9.6 and the GitLab Runners with version v11.9.1.
We opened an internal "post mortem" for that case and searched for the root cause of the problem. It took us some time to find the correct logs to look at but finally we found the cause in the production.log and the gitlab_access.log.
After looking at our monitoring system for the availability of our ldap server/service at the time the problem occurred, we saw that the ldap service wasn't reachable at this exact time (but some minutes later it was up again).
Steps to reproduce
I think it can be reproduced easily if you forbid GitLab to communicate with your LDAP server/service (or stop the ldap service) and have a CI job started afterwards.
Example Project
What is the current bug behavior?
The CI job fails if the ldap connection isn't working although the ldap connection isn't needed for the job.
What is the expected correct behavior?
GitLab is using its own/internal "gitlab-ci-token" user, so I expected that a ldap server/service problem shouldn't interrupt the CI job. In my humble opinion, a working ldap service/login isn't needed for such CI jobs to finish.
Relevant logs and/or screenshots
- see the summary
Output of checks
Results of GitLab environment info
System information
System: Debian 9.9
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version:5.2.5
Go Version: unknown

GitLab information
Version: 11.10.4
Revision: 62c464651d2
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 9.6.11
URL: https://git.example.com
HTTP Clone URL: https://git.example.com/some-group/some-project.git
SSH Clone URL: git@git.example.com:some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version: 9.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 9.0.0 ? ... OK (9.0.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Anonymous. No bind_dn or password configured
LDAP users with access to your GitLab server (only showing the first 100 results)
DN: here follow many users, won't post them here

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
here follow the project id's, won't post them here
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 336

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished
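
One way to run the correlation described in the summary, as an added example that is not part of the original report: it scans access-log lines for 5xx responses to Git-over-HTTP requests made as gitlab-ci-token and splits them by whether they fall inside a known LDAP outage window. The log layout (nginx "combined" style), the sample lines, the date and the outage window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (hosts, paths and times are made up), assuming an
# nginx "combined"-style layout for gitlab_access.log.
SAMPLE_LOG = """\
10.0.0.21 - gitlab-ci-token [14/May/2019:20:58:40 -0400] "GET /deploy/project.git/info/refs?service=git-upload-pack HTTP/1.1" 200 412 "" "git/2.18.1"
10.0.0.21 - gitlab-ci-token [14/May/2019:21:00:03 -0400] "GET /deploy/project.git/info/refs?service=git-upload-pack HTTP/1.1" 500 21 "" "git/2.18.1"
10.0.0.22 - gitlab-ci-token [14/May/2019:21:00:04 -0400] "GET /deploy/other.git/info/refs?service=git-upload-pack HTTP/1.1" 500 21 "" "git/2.18.1"
10.0.0.30 - - [14/May/2019:21:00:05 -0400] "GET /some-group/some-project HTTP/1.1" 200 9120 "" "Mozilla/5.0"
10.0.0.21 - gitlab-ci-token [14/May/2019:21:07:30 -0400] "GET /deploy/project.git/info/refs?service=git-upload-pack HTTP/1.1" 200 412 "" "git/2.18.1"
10.0.0.23 - gitlab-ci-token [14/May/2019:23:15:00 -0400] "POST /deploy/project.git/git-upload-pack HTTP/1.1" 500 21 "" "git/2.18.1"
"""
# Constructed LDAP outage window, as a monitoring system might report it.
OUTAGES = [("14/May/2019:20:59:30 -0400", "14/May/2019:21:04:00 -0400")]

LINE = re.compile(r'^\S+ - (\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
GIT_HTTP = re.compile(r'\.git/(info/refs|git-upload-pack|git-receive-pack)(\?|$)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def ci_token_failures(log_text, user="gitlab-ci-token"):
    """Return (time, path, status) for 5xx Git-over-HTTP requests by `user`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        remote_user, stamp, path, status = m.groups()
        if remote_user == user and int(status) >= 500 and GIT_HTTP.search(path):
            hits.append((datetime.strptime(stamp, TIME_FMT), path, int(status)))
    return hits

def split_by_outage(failures, outages):
    """Split failures into those inside an LDAP outage window and the rest."""
    windows = [(datetime.strptime(a, TIME_FMT), datetime.strptime(b, TIME_FMT))
               for a, b in outages]
    inside, outside = [], []
    for hit in failures:
        in_window = any(start <= hit[0] <= end for start, end in windows)
        (inside if in_window else outside).append(hit)
    return inside, outside

if __name__ == "__main__":
    inside, outside = split_by_outage(ci_token_failures(SAMPLE_LOG), OUTAGES)
    for when, path, status in inside:
        print("during LDAP outage:   ", when.isoformat(), status, path)
    for when, path, status in outside:
        print("outside outage window:", when.isoformat(), status, path)
```

Failures that land outside every outage window point to a different cause and are worth checking against production.log separately.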

