v17 redis-sentinel cannot handle non-RFC2396 passwords
Summary
Using a non-RFC2396 password on a redis-sentinel node breaks reconfigure (upgrade 16.11 > 17.0.2 fails)
Steps to reproduce
- Install GitLab 16.11
- Configure `gitlab.rb` like below:
external_url 'https://gitlab.example.com'
roles(['redis_sentinel_role', 'consul_role'])
gitlab_rails['auto_migrate'] = false
redis['master_name'] = 'gitlab-redis'
redis['master_ip'] = '10.1.1.100'
redis['master_port'] = 6379
redis['master_password'] = 'testy@345'
sentinel['bind'] = '0.0.0.0'
sentinel['quorum'] = 2
# Consul server
consul['enable'] = true
consul['monitoring_service_discovery'] = true
consul['configuration'] = {
  retry_join: %w(gitlab-consul-1.example.com gitlab-consul-2.example.com gitlab-consul-3.example.com),
  server: true,
  ports: {
    https: 8501
  },
  auto_encrypt: {
    allow_tls: true
  },
}
consul['encryption_key'] = 'testy345'
consul['encryption_verify_incoming'] = true
consul['encryption_verify_outgoing'] = true
- Run `apt install gitlab-ee=17.0.2-ee.0`; it will fail with the error:
================================================================================
Recipe Compile Error in /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab-ee/recipes/default.rb
================================================================================
URI::InvalidComponentError
--------------------------
bad password component
Cookbook Trace: (most recent call first)
----------------------------------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/libraries/redis_helper.rb:44:in `redis_url'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/gitlab-rails.rb:192:in `from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb:89:in `from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab-ee/recipes/default.rb:22:in `from_file'
Relevant File Content:
----------------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/libraries/redis_helper.rb:
37:
38: if redis_socket && !RedisHelper::Checks.has_sentinels?
39: uri = URI("unix://")
40: uri.path = redis_socket
41:
42: if params[2]
43: password = encode_redis_password(params[2])
44>> uri.userinfo = ":#{password}"
45: end
46: else
47: uri = build_redis_url(
48: ssl: gitlab_rails['redis_ssl'],
49: host: params[0],
50: port: params[1],
51: password: params[2],
52: path: "/#{gitlab_rails['redis_database']}"
53: )
System Info:
------------
chef_version=18.3.0
platform=ubuntu
platform_version=20.04
ruby=ruby 3.1.5p253 (2024-04-023 revision 1945f8dc0e) [x86_64-linux]
program_name=/opt/gitlab/embedded/bin/cinc-client
executable=/opt/gitlab/embedded/bin/cinc-client
Running handlers:
[2024-06-27T14:09:36+00:00] ERROR: Running exception handlers
There was an error running gitlab-ctl reconfigure:
bad password component
Running handlers complete
[2024-06-27T14:09:36+00:00] ERROR: Exception handlers complete
Infra Phase failed. 0 resources updated in 06 seconds
[2024-06-27T14:09:36+00:00] FATAL: Stacktrace dumped to /opt/gitlab/embedded/cookbooks/cache/cinc-stacktrace.out
[2024-06-27T14:09:36+00:00] FATAL: ---------------------------------------------------------------------------------------
[2024-06-27T14:09:36+00:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
[2024-06-27T14:09:36+00:00] FATAL: ---------------------------------------------------------------------------------------
[2024-06-27T14:09:36+00:00] FATAL: URI::InvalidComponentError: bad password component
===
There was an error running gitlab-ctl reconfigure. Please check the output above for more
details.
===
dpkg: error processing package gitlab-ee (--configure):
installed gitlab-ee package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
gitlab-ee
E: Sub-process /usr/bin/dpkg returned an error code (1)
What is the current bug behavior?
GitLab 17.0 does not escape non-RFC2396 Redis password
What is the expected correct behavior?
GitLab 17.0 should escape redis password
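The check that raises in the trace can be reproduced with Ruby's standard `uri` library alone. The following is an added example, not part of the original report and not GitLab's code: it mirrors the `unix://` branch shown in the trace, using the password from the report, and shows that percent-encoding the password satisfies the userinfo check and round-trips to the original secret. The socket path and the helper names (`encode_password`, `socket_url`, `userinfo_result`, `decode_password`) are assumptions made for illustration.

```ruby
require 'uri'
require 'erb'

# Assumed placeholder socket path; the report does not state one.
SOCKET = '/var/opt/gitlab/redis/redis.socket'

# Hypothetical helper (not GitLab's encode_redis_password): percent-encode
# every byte outside the unreserved set (letters, digits, "-", ".", "_", "~").
def encode_password(raw)
  ERB::Util.url_encode(raw)
end

# Mirrors the failing branch in the trace: build a unix:// URL and set
# ":password" as the userinfo component.
def socket_url(password)
  uri = URI('unix://')
  uri.path = SOCKET
  uri.userinfo = ":#{password}"
  uri
end

# Returns :accepted, or the exception class URI raises for this password.
def userinfo_result(password)
  socket_url(password)
  :accepted
rescue URI::Error => e
  e.class
end

# Recover the original secret on the consuming side of the URL.
def decode_password(uri)
  URI.decode_www_form_component(uri.password)
end

if __FILE__ == $PROGRAM_NAME
  # 'testy@345' is from the report; the other two are constructed samples.
  ['testy@345', 'p/w#d?', 'plain123'].each do |pw|
    enc = encode_password(pw)
    puts format('%-10s raw=%-28s encoded=%-14s -> %s',
                pw, userinfo_result(pw), enc, userinfo_result(enc))
  end
end
```

Any component that later reads the password back out of the URL has to percent-decode it, otherwise Redis authentication is attempted with the encoded string instead of the configured secret.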