......@@ -2,7 +2,6 @@ stages:
- tests
- package
- notification_fail
- add_to_version_server
- extra
- notification_fail
......@@ -309,18 +308,8 @@ notify:slack-fail:
image: "alpine"
stage: notification_fail
script:
- ./support/notify_slack.sh "#omnibus-builds" "(╯°□°)╯︵┻━┻ Build on \`$CI_BUILD_REF_NAME\` failed! Commit \`$(git log -1 --oneline)\` See <https://dev.gitlab.org/gitlab/omnibus-gitlab/commit/"$CI_BUILD_REF"/builds>"
- ./support/notify_slack.sh "#omnibus-builds" "(╯°□°)╯︵┻━┻ Build on \`$CI_BUILD_REF_NAME\` failed! Commit \`$(git log -1 --oneline | sed 's|\"|\\\\\"|g')\` See <https://dev.gitlab.org/gitlab/omnibus-gitlab/commit/"$CI_BUILD_REF"/builds>"
when: on_failure
only:
- master
- tags@gitlab/omnibus-gitlab
add-to-version-server:
before_script: # Nothing
- apk update && apk add curl
image: "alpine"
stage: add_to_version_server
script:
- ./support/add_to_version_server.sh $CI_BUILD_TAG $VERSION_TOKEN
only:
- tags@gitlab/omnibus-gitlab
......@@ -3,10 +3,105 @@
The latest version of this file can be found at the master branch of the
omnibus-gitlab repository.
8.13.13
- Pin bundler version to 1.13.7 to avoid breaking changes
8.13.12
- No changes
8.13.11
- No changes
8.13.10
- No changes
8.13.9
- No changes
8.13.8
- Patch Git 2.7.4 for security vulnerabilities 2d7cf04a
8.13.7
- No changes
8.13.6
- No changes
8.13.5
- No changes
8.13.4
- Add support for configurable email subject suffix (Fu Xu)
- Fix executable file mode for the Docker image update-permissions command
- Update curl to 7.51.0 to get the latest security patches
8.13.3
- No changes
8.13.2
- Move mail_room queue from incoming_email to email_receiver
8.13.1
- Update docs for nginx status, fix the default server for status config
8.13.0
- Add support for registry debug addr configuration
- Add support for configuring workhorse's api limiting
- Fix unsetting the sticky bit for storage directory permissions and improved error messages
- Fixed a bug with disabling registry storage deletion
- Support specifying a post reconfigure script to run in the docker container
- Updated cacerts.pem to 2016-09-14 version
- Add support for nginx status
- Enable jemalloc by default 0a7799d2
- Move database migration log to a persisted location
8.12.7
- Use forked gitlab-markup gem (forked from github-markup)
8.12.6
- No changes
8.12.5
- Update the storage directory helper to check permissions for symlink targets
8.12.4
- No changes
8.12.3
- Updated cacerts.pem to 2016-09-14 version
8.12.2
- Update openssl to 1.0.2j
8.12.1
- Fix gitlab-workhorse Runit template bug #1595 !1005
8.12.0
- Add support for using NFS root_squash for storage directories d5cf0d1d
- Add `gitlab-ctl deploy-page status` command 4ff2df5df
- Update mattermost to 3.4 6857c902
- Add `gitlab-ctl deploy-page status` command b8ffd251
- Set read permissions on the trusted certificates in case they are restricted
- Fix permissions for nginx proxy_cache directory (Charles Blaxland) 4eb85976
- Render gitlab-workhorse token c50c85
......@@ -21,6 +116,10 @@ omnibus-gitlab repository.
- Add default HOME variable to workhorse fcfa3672
- Show GitLab ascii art after installation (Luis Sagastume) 17ed6cb
8.11.7
- No changes
8.11.6
- Fix registry build by enabling vendor feature
......@@ -72,6 +171,10 @@ omnibus-gitlab repository.
- Update expat to 2.2.0 (Takuya Noguchi)
- Ignore and don't write `gitlab_ci:gitlab_server` key in gitlab-secrets file 10bcb
8.10.10
- No changes
8.10.9
- Fix registry build by enabling vendor feature
......@@ -122,6 +225,10 @@ omnibus-gitlab repository.
- Lower expiry date of registry internal certificate b269b4
- Add personal access token to rack attack whitelist 21abc
8.9.10
- No changes
8.9.9
- Fix registry build by enabling vendor feature
......
PROJECT=gitlab
RELEASE_BUCKET=downloads-packages
RELEASE_BUCKET_REGION=eu-west-1
SECRET_DIR:=$(shell openssl rand -hex 20)
PLATFORM_DIR:=$(shell bundle exec support/ohai-helper platform-dir)
PACKAGECLOUD_USER=gitlab
PACKAGECLOUD_REPO:=$(shell support/repo_name.sh)
......@@ -44,13 +43,13 @@ do_release: no_changes on_tag purge build move_to_platform_dir sync packagecloud
test: RELEASE_BUCKET=omnibus-builds
test: no_changes purge build move_to_platform_dir sync
ifdef NIGHTLY
test: PACKAGECLOUD_REPO=nightly-builds
test: NIGHTLY_REPO=nightly-builds PACKAGECLOUD_REPO=$(shell support/repo_name.sh)
test: packagecloud
endif
# Redefine PLATFORM_DIR for Raspberry Pi 2 packages.
do_rpi2_release: PLATFORM_DIR=raspberry-pi2
do_rpi2_release: PACKAGECLOUD_REPO=raspberry-pi2
do_rpi2_release: RASPBERRY_REPO=raspberry-pi2 PACKAGECLOUD_REPO=$(shell support/repo_name.sh)
do_rpi2_release: no_changes purge build move_to_platform_dir sync packagecloud
no_changes:
......@@ -78,15 +77,6 @@ move_to_platform_dir:
mkdir pkg
mv ${PLATFORM_DIR} pkg/
sync: move_to_secret_dir s3_sync
move_to_secret_dir:
if support/is_gitlab_ee.sh ; then \
mv pkg ${SECRET_DIR} \
&& mkdir pkg \
&& mv ${SECRET_DIR} pkg/ \
; fi
docker_cleanup:
-docker ps -q -a | xargs docker rm -v
-docker images -f dangling=true -q | xargs docker rmi
......@@ -99,22 +89,22 @@ docker_build: docker_cleanup
docker build --pull -t $(RELEASE_PACKAGE):latest -f docker/Dockerfile docker/
docker_push:
docker tag -f $(RELEASE_PACKAGE):latest gitlab/$(RELEASE_PACKAGE):$(DOCKER_TAG)
docker tag $(RELEASE_PACKAGE):latest gitlab/$(RELEASE_PACKAGE):$(DOCKER_TAG)
docker push gitlab/$(RELEASE_PACKAGE):$(DOCKER_TAG)
docker_push_rc:
# push as :rc tag, the :rc is always the latest tagged release
docker tag -f $(RELEASE_PACKAGE):latest gitlab/$(RELEASE_PACKAGE):rc
docker tag $(RELEASE_PACKAGE):latest gitlab/$(RELEASE_PACKAGE):rc
docker push gitlab/$(RELEASE_PACKAGE):rc
docker_push_latest:
# push as :latest tag, the :latest is always the latest stable release
docker tag -f $(RELEASE_PACKAGE):latest gitlab/$(RELEASE_PACKAGE):latest
docker tag $(RELEASE_PACKAGE):latest gitlab/$(RELEASE_PACKAGE):latest
docker push gitlab/$(RELEASE_PACKAGE):latest
do_docker_master:
ifdef NIGHTLY
do_docker_master: PACKAGECLOUD_REPO=nightly-builds
do_docker_master: NIGHTLY_REPO=nightly-builds PACKAGECLOUD_REPO=$(shell support/repo_name.sh)
do_docker_master: docker_build docker_push
endif
......@@ -128,7 +118,7 @@ ifeq ($(shell git describe --exact-match --match ${LATEST_STABLE_TAG} > /dev/nul
do_docker_release: docker_push_latest
endif
s3_sync:
sync:
aws s3 sync pkg/ s3://${RELEASE_BUCKET} --acl public-read --region ${RELEASE_BUCKET_REGION}
# empty line for aws status crud
# Replace FQDN in URL and deal with URL encoding
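Review bot: In the `ifdef NIGHTLY` block, `test: NIGHTLY_REPO=nightly-builds PACKAGECLOUD_REPO=$(shell support/repo_name.sh)` (the second-printed line, which appears to be the new side) is one target-specific assignment, not two. GNU make takes everything after the first `=` as the value of `NIGHTLY_REPO`, so `PACKAGECLOUD_REPO` is not overridden for `test`; the `do_rpi2_release` and `do_docker_master` lines have the same shape. If support/repo_name.sh is meant to read `NIGHTLY_REPO` or `RASPBERRY_REPO` from its environment, note that a target-specific make variable is not exported by default, so packages may be pushed to whatever the global `PACKAGECLOUD_REPO:=` resolved to. Using `test: export NIGHTLY_REPO=nightly-builds` on its own line and resolving the repository name inside the `packagecloud` recipe would make the destination explicit. Separately, with `move_to_secret_dir` removed, `sync` uploads `pkg/` with `--acl public-read` under a predictable path, so it is worth confirming that every package built through this target is meant to be publicly downloadable.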
......
diff --git a/lib/github/commands/rest2html b/lib/github/commands/rest2html
index 7ecfe27..958cd3c 100755
--- a/lib/github/commands/rest2html
+++ b/lib/github/commands/rest2html
@@ -31,9 +31,11 @@ import sys
import os
# This fixes docutils failing with unicode parameters to CSV-Table. The -S
-# switch and the following 2 lines can be removed after upgrading to python 3.
-reload(sys)
-sys.setdefaultencoding('utf-8')
+# switch and the following 3 lines can be removed after upgrading to python 3.
+if sys.version_info[0] < 3:
+ reload(sys)
+ sys.setdefaultencoding('utf-8')
+
import site
try:
#
# Copyright 2012-2016 Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
name "bundler"
# Pin the bundler version to avoid breaking changes in later versions
default_version "1.13.7"
license "MIT"
license_file "https://raw.githubusercontent.com/bundler/bundler/master/LICENSE.md"
dependency "rubygems"
build do
env = with_standard_compiler_flags(with_embedded_path)
v_opts = "--version '#{version}'" unless version.nil?
gem [
"install bundler",
v_opts,
"--no-ri --no-rdoc",
].compact.join(" "), env: env
end
......@@ -16,8 +16,15 @@
name "cacerts"
license "MPL-2.0"
license_file "https://www.mozilla.org/media/MPL/2.0/index.815ca599c9df.txt"
# Date of the file is in a comment at the start, or in the changelog
default_version "2016.04.20"
default_version "2016.09.14"
version "2016.09.14" do
source md5: "8d35a5cef6ce28da07867a0712558067"
end
version "2016.04.20" do
source md5: "782dcde8f5d53b1b9e888fdf113c42b9"
......@@ -55,7 +62,7 @@ version "2014.01.28" do
source md5: "5d108f8ab86afacc6663aafca8604dd3"
end
source url: "http://curl.haxx.se/ca/cacert.pem"
source url: "https://curl.haxx.se/ca/cacert.pem"
relative_path "cacerts-#{version}"
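Review bot: The new `version "2016.09.14"` entry verifies the CA bundle with `source md5:`, which is not collision-resistant and is therefore a weak integrity check for the trust store that the embedded TLS clients depend on. The mattermost and openssl definitions in this comparison update their `md5:` values the same way, while curl and jemalloc already use `sha256:`. I would switch to `source sha256: "<SHA256_OF_CACERT_2016_09_14>"` (placeholder; compute it from a copy of the file you have verified). Moving `source url` to https is the right direction; because that URL is unversioned, the checksum will stop matching when upstream publishes a newer bundle, which fails closed and deserves a one-line comment next to the URL.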
......
......@@ -15,7 +15,7 @@
#
name "curl"
default_version "7.50.3"
default_version "7.51.0"
dependency "zlib"
dependency "openssl"
......@@ -31,6 +31,10 @@ version "7.50.3" do
source sha256: "3991c2234986178af3b3f693e5afa35d49da2ab4ba61292e3817222446dca7e1"
end
version "7.51.0" do
source sha256: "65b5216a6fbfa72f547eb7706ca5902d7400db9868269017a8888aa91d87977c"
end
source url: "http://curl.haxx.se/download/curl-#{version}.tar.gz"
relative_path "curl-#{version}"
......
......@@ -55,6 +55,9 @@ NO_INSTALL_HARDLINKS=YesPlease
end
end
# Patch for git vulnerabilities
patch source: 'git-Nov-2016-security.patch'
command "make -j #{workers}", :env => env
command "make install"
end
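Review bot: The comment `# Patch for git vulnerabilities` does not say which advisories `git-Nov-2016-security.patch` covers or which Git release it was cut against, so a later `default_version` bump can leave the patch stale without anyone noticing. I would expand it to something like `# Security backport for the bundled Git (CHANGELOG 8.13.8); remove once default_version contains the upstream fixes` and list the upstream advisory or commit ids there. The patch file and the start of the `build do` block are outside this hunk, so the patch contents were not reviewed here.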
......@@ -18,6 +18,7 @@
name "gitlab-config-template"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
source :path => File.expand_path("files/gitlab-config-template", Omnibus::Config.project_root)
......
......@@ -19,6 +19,7 @@
name "gitlab-cookbooks"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
source :path => File.expand_path("files/gitlab-cookbooks", Omnibus::Config.project_root)
......
......@@ -19,6 +19,7 @@
name "gitlab-ctl"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
dependency "omnibus-ctl"
......
......@@ -20,6 +20,7 @@ require 'digest'
name "gitlab-psql"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
# This 'software' is self-contained in this file. Use the file contents
# to generate a version string.
default_version Digest::MD5.file(__FILE__).hexdigest
......
......@@ -71,8 +71,7 @@ build do
# This patch makes the github-markup gem use and be compatible with Python3
# We've sent part of the changes upstream: https://github.com/github/markup/pull/919
patch source: 'github-markup_gem-markups.patch', target: "#{gems_directory}/github-markup-1.4.0/lib/github/markups.rb"
patch source: 'github-markup_gem-rest2html.patch', target: "#{gems_directory}/github-markup-1.4.0/lib/github/commands/rest2html"
patch source: 'gitlab-markup_gem-markups.patch', target: "#{gems_directory}/gitlab-markup-1.5.1/lib/github/markups.rb"
# In order to precompile the assets, we need to get to a state where rake can
# load the Rails environment.
......
......@@ -18,7 +18,7 @@
name "gitlab-scripts"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
source :path => File.expand_path("files/gitlab-scripts", Omnibus::Config.project_root)
build do
......
......@@ -18,6 +18,7 @@
name "gitlab-selinux"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
source :path => File.expand_path("files/gitlab-selinux", Omnibus::Config.project_root)
......
......@@ -18,6 +18,9 @@
name "jemalloc"
default_version "4.2.1"
license "jemalloc"
license_file "COPYING"
source url: "https://github.com/jemalloc/jemalloc/releases/download/#{version}/jemalloc-#{version}.tar.bz2",
sha256: '5630650d5c1caab95d2f0898de4fe5ab8519dc680b04963b38bb425ef6a42d57'
......
......@@ -23,7 +23,7 @@ source url: "http://download.icu-project.org/files/icu4c/57.1/icu4c-57_1-src.tgz
sha256: "ff8c67cb65949b1e7808f2359f2b80f722697048e90e7cfc382ec1fe229e9581"
license "MIT"
license_file "license.html"
license_file "icu/LICENSE"
build do
env = with_standard_compiler_flags(with_embedded_path)
......
......@@ -17,10 +17,10 @@
#
name "mattermost"
default_version "3.3.0"
default_version "3.4.0"
source url: "https://releases.mattermost.com/#{version}/mattermost-team-#{version}-linux-amd64.tar.gz",
md5: 'acfa431b0a9ce80c36e3be9ec3acb7f8'
md5: '4d2c95a7ff2ed918e1d4b810b985b4ed'
relative_path "mattermost"
......
......@@ -25,10 +25,10 @@ dependency "cacerts"
dependency "makedepend" unless aix?
dependency "patch" if solaris2?
default_version "1.0.2h"
default_version "1.0.2j"
source url: "https://www.openssl.org/source/openssl-#{version}.tar.gz",
md5: "9392e65072ce4b614c1392eefc1f23d0"
md5: "96322138f0b69e61b7212bc53d5e912b"
relative_path "openssl-#{version}"
......
......@@ -19,6 +19,7 @@
name "package-scripts"
license "Apache-2.0"
license_file File.expand_path("LICENSE", Omnibus::Config.project_root)
# Help omnibus-ruby to cache the build product of this software. This is a
# workaround for the deprecation of `always_build true`. What happens now is
......
......@@ -20,7 +20,7 @@ name "python-docutils"
default_version "0.11"
license "Public Domain"
license "Public-Domain"
license_file "http://docutils.sourceforge.net/COPYING.txt"
dependency "python3"
......
......@@ -25,7 +25,7 @@ dependency "zlib"
dependency "openssl"
dependency "bzip2"
license "PSFL"
license "Python-2.0"
license_file "LICENSE"
source :url => "http://python.org/ftp/python/#{version}/Python-#{version}.tgz",
......
......@@ -38,9 +38,27 @@ gitlab_ascii()
print_banner()
{
# Check if we have colors enabled
tput=$(which tput)
if [ -n "$tput" ]; then
ncolors=$($tput colors)
if [ -n "$ncolors" ] && [ "$ncolors" -ge 8 ]; then
RED="$(tput setaf 1)"
YELLOW="$(tput setaf 3)"
NOCOLOR="$(tput sgr0)"
else
RED=""
YELLOW=""
NOCOLOR=""
fi
fi
echo ""
echo "\033[0;33m$(tanuki_ascii)\033[0m"
echo "\033[0;31m$(gitlab_ascii)\033[0m"
echo "$YELLOW"
echo "$(tanuki_ascii)"
echo "$RED"
echo "$(gitlab_ascii)"
echo "$NOCOLOR"
echo ""
}
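Review bot: When `which tput` finds nothing, the outer `if` is skipped and `RED`, `YELLOW` and `NOCOLOR` are never assigned, so the `echo "$YELLOW"` lines below depend on unset (or inherited) variables and would abort under `set -u`; assign the three empty defaults before the check rather than only in the inner `else`. `$tput colors` also prints an error when TERM is unset or unknown, which is common during non-interactive package installs, so `ncolors=$($tput colors 2>/dev/null)` keeps the install output clean. `command -v tput` is the portable replacement for `which`.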
......
......@@ -48,6 +48,26 @@ project.
If you are using these tools to build your own packages, you will have to
adjust them to your needs.
At the time of writing, an example of a fully public config for `.custom_sources.yml`
would look like this:
```
gitlab-rails:
remote: "https://gitlab.com/gitlab-org/gitlab-ce.git"
gitlab-rails-ee:
remote: "https://gitlab.com/gitlab-org/gitlab-ee.git"
gitlab-shell:
remote: "https://gitlab.com/gitlab-org/gitlab-shell.git"
gitlab-workhorse:
remote: "https://gitlab.com/gitlab-org/gitlab-workhorse.git"
gitlab-pages:
remote: "https://gitlab.com/gitlab-org/gitlab-pages"
config_guess:
remote: "git://git.savannah.gnu.org/config.git"
omnibus:
remote: "https://gitlab.com/gitlab-org/omnibus.git"
```
### Build
You create a platform-specific package using the `build` command:
......
......@@ -70,13 +70,13 @@ To troubleshoot this error:
```
3. Restart the runit server.
On Ubuntu:
Using upstart (Ubuntu <= 14.04):
```
$ sudo initctl restart gitlab-runsvdir
```
On CentOS:
Using systemd (CentOS, Ubuntu >= 16.04):
```
$ systemctl restart gitlab-runsvdir.service
......
......@@ -123,6 +123,8 @@ container's `gitlab.rb` file. That way you can easily configure GitLab's
external URL, make any database configuration or any other option from the
[Omnibus GitLab template](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template).
_Note: The settings contained in `GITLAB_OMNIBUS_CONFIG` will not be written to the `gitlab.rb` configuration file, they're evaluated on load._
Here's an example that sets the external URL and enables LFS while starting
the container:
......@@ -152,14 +154,9 @@ After starting a container you can visit <http://localhost/> or
<http://192.168.59.103> if you use boot2docker. It might take a while before
the Docker container starts to respond to queries.
Login to GitLab with the following credentials:
```
username: `root`
password: `5iveL!fe`
```
Next time, you can just use docker start and stop to run the container.
The very first time you visit GitLab, you will be asked to set up the admin
password. After you change it, you can login with username `root` and the
password you set up.
## Upgrade GitLab to newer version
......@@ -236,16 +233,32 @@ You can then access your GitLab instance at `http://1.1.1.1/` and `https://1.1.1
### Expose GitLab on different ports
If you want to use a different port than `80` (HTTP) or `443` (HTTPS), you need
to add a separate `--publish` directive to the `docker run` command.
GitLab will occupy by default the following ports inside the container:
For example, to expose the web interface on port `8929` and the SSH service on
- `80` (HTTP)
- `443` (if you configure HTTPS)
- `8080` (used by Unicorn)
- `22` (used by the SSH daemon)
> **Note:**
The format for publishing ports is `hostPort:containerPort`. Read more in
Docker's documentation about [exposing incoming ports][docker-ports].
> **Warning:**
Do NOT use port `8080` otherwise there will be conflicts. This port is already
used by Unicorn that runs internally in the container.
If you want to use a different port than `80` (HTTP) or `443` (HTTPS) for the
container, you need to add a separate `--publish` directive to the `docker run`
command.
For example, to expose the web interface on port `8929`, and the SSH service on
port `2289`, use the following `docker run` command:
```bash
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 8929:80 --publish 2289:22 \
--publish 8929:8929 --publish 2289:2289 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
......@@ -262,16 +275,26 @@ You then need to appropriately configure `gitlab.rb`:
# For HTTP
external_url "http://gitlab.example.com:8929"
# For HTTPS
or
# For HTTPS (notice the https)
external_url "https://gitlab.example.com:8929"
```
For more information see the [NGINX documentation](../settings/nginx.md).
2. Set `gitlab_shell_ssh_port`:
```
gitlab_rails['gitlab_shell_ssh_port'] = 2289
```
Following the above example you will be able to reach GitLab from your
web browser under `<hostIP>:8929` and push using SSH under the port `2289`.
A `docker-compose.yml` example that uses different ports can be found in the
[docker-compose](#install-gitlab-using-docker-compose) section.
## Diagnose potential problems
Read container logs:
......@@ -338,16 +361,14 @@ web:
gitlab_rails['gitlab_shell_ssh_port'] = 2224
ports:
- '9090:9090'
- '2224:22'
- '2224:2224'
volumes:
- '/srv/gitlab/config:/etc/gitlab'
- '/srv/gitlab/logs:/var/log/gitlab'
- '/srv/gitlab/data:/var/opt/gitlab'
```
[docker compose]: https://docs.docker.com/compose/
[install-compose]: https://docs.docker.com/compose/install/
[down-yml]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/docker/docker-compose.yml
This is the same as using `--publish 9090:9090 --publish 2224:2224`.
## Update GitLab using Docker compose
......@@ -376,3 +397,8 @@ container afterwards:
sudo docker exec gitlab update-permissions
sudo docker restart gitlab
```
[docker compose]: https://docs.docker.com/compose/
[install-compose]: https://docs.docker.com/compose/install/
[down-yml]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/docker/docker-compose.yml
[docker-ports]: https://docs.docker.com/engine/reference/run/#/expose-incoming-ports
......@@ -61,7 +61,7 @@ gitlab_rails['enable'] = false
where `Secret` and `Id` are `application secret` and `application id` received when creating new `Application` authorization in GitLab admin section.
Optionally, you can set `mattermost['email_enable_sign_up_with_email'] = false` to force all users to sign-up with GitLab only. See Mattermost [documentation on GitLab SSO](https://github.com/mattermost/platform/blob/master/doc/integrations/Single-Sign-On/Gitlab.md).
Optionally, you can set `mattermost['email_enable_sign_up_with_email'] = false` to force all users to sign-up with GitLab only. See Mattermost [documentation on GitLab SSO](https://docs.mattermost.com/deployment/sso-gitlab.html).
## Manually (re)authorising GitLab Mattermost with GitLab
......@@ -256,7 +256,7 @@ The source code can be modified to support not only GitLab, but any in-house app
![webhooks](https://gitlab.com/gitlab-org/omnibus-gitlab/uploads/677b0aa055693c4dcabad0ee580c61b8/730_gitlab_feature_request.png)
## Specify numeric user and group identifiers
### Specify numeric user and group identifiers
omnibus-gitlab creates a user and group mattermost. You can specify the
numeric identifiers for these users in `/etc/gitlab/gitlab.rb` as follows.
......@@ -267,3 +267,11 @@ mattermost['gid'] = 1234
```
Run `sudo gitlab-ctl reconfigure` for the changes to take effect.
### OAuth2 Sequence Diagram
The following image is a sequence diagram for how GitLab works as an OAuth2
provider for Mattermost. It may be useful to use this to troubleshoot errors
in getting the integration to work:
![sequence diagram](img/gitlab-mattermost.png)
msc {
# Use https://mscgen.js.org or mscgen to convert this into PNG
hscale="1.5",
wordwraparcs=on;
user [ label="User", textbgcolor="blue", textcolor="white" ],
mattermost [ label="Mattermost", textbgcolor="red", textcolor="white"],
gitlab [ label="GitLab", textbgcolor="indigo", textcolor="white"];
user=>mattermost [label="GET https://mm.domain.com"];
mattermost note gitlab [label="Obtain access code", textcolor="green"];
mattermost=>gitlab [label="GET https://gitlab.domain.com/oauth/authorize", textcolor="indigo"];
gitlab rbox user [label="GitLab user logs in (if necessary)"];
gitlab rbox gitlab [label="GitLab verifies client_id matches an OAuth application"];
gitlab=>user [label="GitLab asks user to authorize Mattermost OAuth app"];
user=>gitlab [label="User clicks 'Allow'"];
gitlab rbox gitlab [label="GitLab verifies redirect_uri matches list of valid URLs"];
gitlab=>user [label="302 Redirect: https://mm.domain.com/signup/gitlab/complete"];
user=>mattermost [label="GET https://mm.domain.com/signup/gitlab/complete", textcolor="red"];
mattermost note gitlab [label="Exchange access code for access token", textcolor="green"];
mattermost=>gitlab [label="POST http://gitlab.domain.com/oauth/token", textcolor="indigo"];
gitlab=>gitlab [label="Doorkeeper::TokensController#create"];
gitlab=>mattermost [label="Access token", textcolor="red"];
mattermost note gitlab [label="Mattermost looks up GitLab user", textcolor="green"];
mattermost=>gitlab [label="GET https://gitlab.domain.com/api/v3/user", textcolor="indigo"];
gitlab=>mattermost [label="User details", textcolor="red"];
mattermost=>user [label="Mattermost/GitLab user ready"];
}
......@@ -16,6 +16,7 @@ by default:
| Redis | Yes | Socket | Port (6379) | X |
| Unicorn | Yes | Socket | Port (8080) | X |
| GitLab Workhorse | Yes | Socket | Port (8181) | X |
| Nginx status | Yes | Port | X | 8060 |
| Incoming email | No | Port | X | 143 |
| Elastic search | No | Port | X | 9200 |
| GitLab Pages | No | Port | X | 80 or 443 |
......
......@@ -486,3 +486,7 @@ See [doc/settings/nginx.md](nginx.md).
## Inserting custom settings into the NGINX config
See [doc/settings/nginx.md](nginx.md).
## Enable nginx_status
See [doc/settings/nginx.md](nginx.md).
......@@ -26,6 +26,7 @@ What happens here is that we forget about `production: &base`, and join
Note that not all `gitlab.yml` settings can be changed via `gitlab.rb` yet; see
the [gitlab.yml ERB template][gitlab.yml.erb]. If you think an attribute is
missing please create a merge request on the omnibus-gitlab repository.
Merge request also need to update the [default attributes file][gitlab.yml.erb], and the [gitlab.rb template][gitlab.yml.example] in order to be able to set this value from gitlab.rb
Run `sudo gitlab-ctl reconfigure` for changes in `gitlab.rb` to take effect.
......
......@@ -515,6 +515,57 @@ server {
}
```
### Enabling/Disabling nginx_status
By default you will have an nginx health-check endpoint configured at 127.0.0.1:8060/nginx_status to monitor your Nginx server status.
#### The following information will be displayed:
```
Active connections: 1
server accepts handled requests
18 18 36
Reading: 0 Writing: 1 Waiting: 0
```
* Active connections – Open connections in total.
* 3 figures are shown.
* All accepted connections.
* All handled connections.
* Total number of handled requests.
* Reading: Nginx reads request headers
* Writing: Nginx reads request bodies, processes requests, or writes responses to a client
* Waiting: Keep-alive connections. This number depends on the keepalive-timeout.
## Configuration
Edit `/etc/gitlab/gitlab.rb`:
```Ruby
nginx['status'] = {
"listen_addresses" => ["127.0.0.1"],
"fqdn" => "dev.example.com",
"port" => 9999,
"options" => {
"stub_status" => "on", # Turn on stats
"access_log" => "on", # Disable logs for stats
"allow" => "127.0.0.1", # Only allow access from localhost
"deny" => "all" # Deny access to anyone else
}
}
```
If you don't find this service useful for your current infrastructure you can disable it with:
```ruby
nginx['status'] = {
'enable' => false
}
```
Make sure you run sudo gitlab-ctl reconfigure for the changes to take effect.
#### Warning
To ensure that user uploads are accessible your Nginx user (usually `www-data`)
......
File mode changed from 100644 to 100755
......@@ -79,6 +79,11 @@ echo "Configuring GitLab package..."
echo "Configuring GitLab..."
gitlab-ctl reconfigure
if [ -n "${GITLAB_POST_RECONFIGURE_SCRIPT+x}" ]; then
echo "Runnning Post Reconfigure Script..."
eval ${GITLAB_POST_RECONFIGURE_SCRIPT}
fi
# Tail all logs
gitlab-ctl tail &
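Review bot: `eval ${GITLAB_POST_RECONFIGURE_SCRIPT}` expands the variable unquoted, so the value is word-split and glob-expanded before `eval` parses it again, and a command containing spaces, `*` or quotes will not run as written; use `eval "${GITLAB_POST_RECONFIGURE_SCRIPT}"`. The guard `[ -n "${GITLAB_POST_RECONFIGURE_SCRIPT+x}" ]` is also true when the variable is set but empty, and the hook's exit status is ignored, so a failed hook goes unnoticed while the container carries on to `gitlab-ctl tail`. Since this runs arbitrary shell with the entrypoint's privileges, the documentation for the variable should state that whoever controls the container environment controls code execution inside it. The log message has a typo, `Runnning`.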
......
......@@ -99,10 +99,10 @@
"spec": {
"tags": [
{
"name": "8.11.0",
"name": "8.12.0",
"from": {
"kind": "DockerImage",
"name": "gitlab/gitlab-ce:8.11.0-ce.1"
"name": "gitlab/gitlab-ce:8.12.0-ce.0"
}
}
]
......@@ -163,7 +163,7 @@
],
"from": {
"kind": "ImageStreamTag",
"name": "${APPLICATION_NAME}:8.11.0"
"name": "${APPLICATION_NAME}:8.12.0"
}
}
}
......@@ -213,7 +213,7 @@
"env": [
{
"name": "GITLAB_OMNIBUS_CONFIG",
"value": "external_url 'http://${APPLICATION_HOSTNAME}/'; root_pass='${GITLAB_ROOT_PASSWORD}'; gitlab_rails['initial_root_password']=root_pass unless root_pass.to_s == ''; postgresql['enable']=false; gitlab_rails['db_host'] = '${APPLICATION_NAME}-postgresql'; gitlab_rails['db_password']='${POSTGRESQL_PASSWORD}'; gitlab_rails['db_username']='${POSTGRESQL_USER}'; gitlab_rails['db_database']='${POSTGRESQL_DATABASE}'; redis['enable'] = false; gitlab_rails['redis_host']='${APPLICATION_NAME}-redis'; unicorn['worker_processes'] = 2; manage_accounts['enable'] = true; user['home'] = '/gitlab-data/home'; git_data_dir '/gitlab-data/git-data'; gitlab_rails['shared_path'] = '/gitlab-data/shared'; gitlab_rails['uploads_directory'] = '/gitlab-data/uploads'; gitlab_ci['builds_directory'] = '/gitlab-data/builds';"
"value": "external_url 'http://${APPLICATION_HOSTNAME}/'; root_pass='${GITLAB_ROOT_PASSWORD}'; gitlab_rails['initial_root_password']=root_pass unless root_pass.to_s == ''; postgresql['enable']=false; gitlab_rails['db_host'] = '${APPLICATION_NAME}-postgresql'; gitlab_rails['db_password']='${POSTGRESQL_PASSWORD}'; gitlab_rails['db_username']='${POSTGRESQL_USER}'; gitlab_rails['db_database']='${POSTGRESQL_DATABASE}'; redis['enable'] = false; gitlab_rails['redis_host']='${APPLICATION_NAME}-redis'; unicorn['worker_processes'] = 2; manage_accounts['enable'] = true; manage_storage_directories['manage_etc'] = false; gitlab_shell['auth_file'] = '/gitlab-data/ssh/authorized_keys'; git_data_dir '/gitlab-data/git-data'; gitlab_rails['shared_path'] = '/gitlab-data/shared'; gitlab_rails['uploads_directory'] = '/gitlab-data/uploads'; gitlab_ci['builds_directory'] = '/gitlab-data/builds';"
}
],
"resources": {
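Review bot: The `GITLAB_OMNIBUS_CONFIG` value splices `${GITLAB_ROOT_PASSWORD}`, `${POSTGRESQL_PASSWORD}` and the other template parameters into Ruby source between single quotes, so a parameter value containing `'` ends the literal and the rest is evaluated as configuration code when the container loads it. The parameter definitions are outside this hunk; if their values are not generated from a restricted alphabet, constrain them there or document that quotes and backslashes are not accepted. The same string also places both passwords in the pod's environment in clear text, where anyone who can read the deployment config can see them, so sourcing them from a secret would be preferable.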
......
......@@ -23,6 +23,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# gitlab_rails['gitlab_email_from'] = 'example@example.com'
# gitlab_rails['gitlab_email_display_name'] = 'Example'
# gitlab_rails['gitlab_email_reply_to'] = 'noreply@example.com'
# gitlab_rails['gitlab_email_subject_suffix'] = ''
# gitlab_rails['gitlab_default_can_create_group'] = true
# gitlab_rails['gitlab_username_changing_enabled'] = true
# gitlab_rails['gitlab_default_theme'] = 2
......@@ -101,7 +102,7 @@ external_url 'GENERATED_EXTERNAL_URL'
## For setting up LDAP
## see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#setting-up-ldap-sign-in
## Be careful not to break the identation in the ldap_servers block. It is in
## Be careful not to break the indentation in the ldap_servers block. It is in
## yaml format and the spaces must be retained. Using tabs will not work.
# gitlab_rails['ldap_enabled'] = false
......@@ -343,29 +344,34 @@ external_url 'GENERATED_EXTERNAL_URL'
# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
###############################
# Container registry settings #
# Container Registry settings #
###############################
# see http://docs.gitlab.com/ce/administration/container_registry.html
# See https://docs.gitlab.com/ce/administration/container_registry.html
#
# registry_external_url 'https://registry.gitlab.example.com'
# Settings used by GitLab application
## Settings used by GitLab application
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "registry.gitlab.example.com"
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
#
## Do not change the following 3 settings unless you know what you are doing
#
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
# Settings used by Registry application
## Settings used by Registry application
# registry['enable'] = true
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['registry_http_addr'] = "localhost:5000"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['log_level'] = "info"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
......@@ -395,6 +401,9 @@ external_url 'GENERATED_EXTERNAL_URL'
# gitlab_workhorse['dir'] = "/var/opt/gitlab/gitlab-workhorse"
# gitlab_workhorse['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
# gitlab_workhorse['proxy_headers_timeout'] = "1m0s"
# gitlab_workhorse['api_limit'] = 0 # limit number of concurrent API requests, defaults to 0 which is unlimited
# gitlab_workhorse['api_queue_limit'] = 0 # limit number of API requests allowed to be queued, defaults to 0 which disables queuing
# gitlab_workhorse['api_queue_duration'] = "30s" # duration after which we timeout requests if they sit too long in the queue
# gitlab_workhorse['env'] = {
# 'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin"
# }
......@@ -633,7 +642,20 @@ external_url 'GENERATED_EXTERNAL_URL'
# nginx['cache_max_size'] = '5000m'
# nginx['server_names_hash_bucket_size'] = 64
## Nginx status
# nginx['status'] = {
# "enable" => true,
# "listen_addresses" => ["127.0.0.1"],
# "fqdn" => "dev.example.com",
# "port" => 9999,
# "options" => {
# "stub_status" => "on", # Turn on stats
# "server_tokens" => "off", # Don't show the version of NGINX
# "access_log" => "on", # Disable logs for stats
# "allow" => "127.0.0.1", # Only allow access from localhost
# "deny" => "all" # Deny access to anyone else
# }
# }
##################
# GitLab Logging #
......@@ -722,6 +744,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# mattermost['service_address'] = "127.0.0.1"
# mattermost['service_port'] = "8065"
# mattermost['service_site_url'] = nil
# mattermost['service_maximum_login_attempts'] = 10
# mattermost['service_segment_developer_key'] = nil
# mattermost['service_google_developer_key'] = nil
......@@ -767,6 +790,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# mattermost['log_enable_file'] = false
# mattermost['log_file_level'] = 'INFO'
# mattermost['log_file_format'] = nil
# mattermost['log_enable_diagnostics'] = true
# mattermost['gitlab_enable'] = false
# mattermost['gitlab_id'] = "12345656"
......@@ -794,6 +818,9 @@ external_url 'GENERATED_EXTERNAL_URL'
# mattermost['email_send_push_notifications'] = true
# mattermost['email_push_notification_server'] = ""
# mattermost['email_push_notification_contents'] = "generic"
# mattermost['email_enable_batching'] = false
# mattermost['email_batching_buffer_size'] = 256
# mattermost['email_batching_interval'] = 30
# mattermost['file_max_file_size'] = 52428800
# mattermost['file_driver_name'] = "local"
......@@ -854,7 +881,6 @@ external_url 'GENERATED_EXTERNAL_URL'
# mattermost_nginx['listen_port'] = nil # override only if you use a reverse proxy: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#setting-the-nginx-listen-port
# mattermost_nginx['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
# mattermost_nginx['custom_gitlab_mattermost_server_config'] = "location ^~ /foo-namespace/bar-project/raw/ {\n deny all;\n}\n"
# mattermost_nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/example.conf;"
# mattermost_nginx['proxy_set_headers'] = {
# "Host" => "$http_host",
# "X-Real-IP" => "$remote_addr",
......
......@@ -67,7 +67,7 @@ default['gitlab']['gitlab-rails']['env'] = {
'ICU_DATA' => "#{node['package']['install-dir']}/embedded/share/icu/current",
'PYTHONPATH' => "#{node['package']['install-dir']}/embedded/lib/python3.4/site-packages"
}
default['gitlab']['gitlab-rails']['enable_jemalloc'] = false
default['gitlab']['gitlab-rails']['enable_jemalloc'] = true
default['gitlab']['gitlab-rails']['internal_api_url'] = nil
default['gitlab']['gitlab-rails']['uploads_directory'] = "/var/opt/gitlab/gitlab-rails/uploads"
......@@ -82,6 +82,7 @@ default['gitlab']['gitlab-rails']['gitlab_ssh_host'] = nil
default['gitlab']['gitlab-rails']['time_zone'] = nil
default['gitlab']['gitlab-rails']['gitlab_email_from'] = nil
default['gitlab']['gitlab-rails']['gitlab_email_display_name'] = nil
default['gitlab']['gitlab-rails']['gitlab_email_subject_suffix'] = nil
default['gitlab']['gitlab-rails']['gitlab_default_can_create_group'] = nil
default['gitlab']['gitlab-rails']['gitlab_username_changing_enabled'] = nil
default['gitlab']['gitlab-rails']['gitlab_default_theme'] = nil
......@@ -456,6 +457,9 @@ default['gitlab']['gitlab-workhorse']['pprof_listen_addr'] = "''" # put an empty
default['gitlab']['gitlab-workhorse']['dir'] = "/var/opt/gitlab/gitlab-workhorse"
default['gitlab']['gitlab-workhorse']['log_directory'] = "/var/log/gitlab/gitlab-workhorse"
default['gitlab']['gitlab-workhorse']['proxy_headers_timeout'] = nil
default['gitlab']['gitlab-workhorse']['api_limit'] = nil
default['gitlab']['gitlab-workhorse']['api_queue_duration'] = nil
default['gitlab']['gitlab-workhorse']['api_queue_limit'] = nil
default['gitlab']['gitlab-workhorse']['env'] = {
'PATH' => "#{node['package']['install-dir']}/bin:#{node['package']['install-dir']}/embedded/bin:/bin:/usr/bin",
'HOME' => node['gitlab']['user']['home']
......@@ -497,8 +501,9 @@ default['gitlab']['registry']['dir'] = "/var/opt/gitlab/registry"
default['gitlab']['registry']['log_directory'] = "/var/log/gitlab/registry"
default['gitlab']['registry']['log_level'] = "info"
default['gitlab']['registry']['rootcertbundle'] = nil
default['gitlab']['registry']['storage_delete_enabled'] = true
default['gitlab']['registry']['storage_delete_enabled'] = nil
default['gitlab']['registry']['storage'] = nil
default['gitlab']['registry']['debug_addr'] = nil
####
# Nginx
......@@ -557,6 +562,20 @@ default['gitlab']['nginx']['real_ip_header'] = nil
default['gitlab']['nginx']['real_ip_recursive'] = nil
default['gitlab']['nginx']['server_names_hash_bucket_size'] = 64
###
# Nginx status
###
default['gitlab']['nginx']['status']['enable'] = true
default['gitlab']['nginx']['status']['listen_addresses'] = ['*']
default['gitlab']['nginx']['status']['fqdn'] = "localhost"
default['gitlab']['nginx']['status']['port'] = 8060
default['gitlab']['nginx']['status']['options'] = {
"stub_status" => "on",
"server_tokens" => "off",
"access_log" => "off",
"allow" => "127.0.0.1",
"deny" => "all",
}
###
# Logging
......@@ -736,11 +755,13 @@ default['gitlab']['mattermost']['log_console_level'] = 'INFO'
default['gitlab']['mattermost']['log_enable_file'] = true
default['gitlab']['mattermost']['log_file_level'] = 'ERROR'
default['gitlab']['mattermost']['log_file_format'] = nil
default['gitlab']['mattermost']['log_enable_diagnostics'] = true
default['gitlab']['mattermost']['service_use_ssl'] = false
default['gitlab']['mattermost']['service_address'] = "127.0.0.1"
default['gitlab']['mattermost']['service_port'] = "8065"
default['gitlab']['mattermost']['service_site_url'] = nil
default['gitlab']['mattermost']['service_maximum_login_attempts'] = 10
default['gitlab']['mattermost']['service_segment_developer_key'] = nil
default['gitlab']['mattermost']['service_google_developer_key'] = nil
......@@ -809,6 +830,9 @@ default['gitlab']['mattermost']['email_connection_security'] = nil
default['gitlab']['mattermost']['email_send_push_notifications'] = false
default['gitlab']['mattermost']['email_push_notification_server'] = nil
default['gitlab']['mattermost']['email_push_notification_contents'] = "generic"
default['gitlab']['mattermost']['email_enable_batching'] = false
default['gitlab']['mattermost']['email_batching_buffer_size'] = 256
default['gitlab']['mattermost']['email_batching_interval'] = 30
default['gitlab']['mattermost']['ratelimit_enable_rate_limiter'] = true
default['gitlab']['mattermost']['ratelimit_per_sec'] = 10
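Review bot: The new `Nginx status` defaults in this file turn the endpoint on and bind it to every interface (`listen_addresses = ['*']`, port 8060), so the only thing keeping `/nginx_status` private is the `allow 127.0.0.1` / `deny all` pair in `options`. Because that allow rule already restricts clients to loopback, binding the listener to loopback as well costs nothing and keeps the port closed on external interfaces: `default['gitlab']['nginx']['status']['listen_addresses'] = ['127.0.0.1']`. Sites that scrape the status page from another host can still widen both settings in gitlab.rb. The spec section on this page asserts `["*"]` and would need the same change.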
......
......@@ -30,7 +30,7 @@ if Gitlab::IncomingEmail.enabled?
:delivery_options:
:redis_url: <%= redis_url.to_json %>
:namespace: resque:gitlab
:queue: incoming_email
:queue: email_receiver
:worker: EmailReceiverWorker
:arbitration_method: redis
......
......@@ -71,7 +71,7 @@ module Registry
return unless Gitlab['registry']['enable']
Gitlab['gitlab_rails']['registry_path'] = "#{Gitlab['gitlab_rails']['shared_path']}/registry" if Gitlab['gitlab_rails']['registry_path'].nil?
Gitlab['registry']['storage_delete_enabled'] ||= Gitlab['node']['gitlab']['registry']['storage_delete_enabled']
Gitlab['registry']['storage_delete_enabled'] = true if Gitlab['registry']['storage_delete_enabled'].nil?
Gitlab['registry']['storage'] ||= {
'filesystem' => { 'rootdirectory' => Gitlab['gitlab_rails']['registry_path'] }
......
......@@ -26,7 +26,7 @@ class StorageDirectoryHelper
end
def writable?(path)
do_shell_out("test -w #{path}", @target_owner).exitstatus == 0
do_shell_out("test -w #{path} -a -w $(readlink -f #{path})", @target_owner).exitstatus == 0
end
def run_command(cmd, use_euid: false, throw_error: true)
......@@ -49,7 +49,11 @@ class StorageDirectoryHelper
# Set the correct mode on the directory, run using the euid if target_owner
# has write access, otherwise use root
run_command("chmod #{@target_mode} #{path}", use_euid: writable?(path)) if @target_mode
if @target_mode
# Prepend a 0 to force an octal set when 4 bits have been passed in. eg: 2755 or 0700
mode = @target_mode.length == 4 ? "0#{@target_mode}" : @target_mode
run_command("chmod #{mode} #{path}", use_euid: writable?(path))
end
# Set the group on the directory, run using the euid if target_owner has
# write access, otherwise use root
......@@ -60,13 +64,14 @@ class StorageDirectoryHelper
# Use stat to return the owner. The root user may not have execute permissions
# to the directory, but the target_owner will in the success case, so always
# use the euid to run the command
run_command("stat --printf='%U' #{path}", use_euid: true).stdout
run_command("stat --printf='%U' $(readlink -f #{path})", use_euid: true).stdout
end
def run_chown(path)
# Chown will not work if it's in a root_squash directory, so the only workarounds
# will be for the admin to manually chown on the nfs server, or use
# 'no_root_squash' mode in their exports and re-run reconfigure
path = File.realpath(path)
FileUtils.chown(@target_owner, @target_group, path)
rescue Errno::EPERM => e
raise(
......@@ -83,13 +88,9 @@ class StorageDirectoryHelper
end
def validate(path, throw_error: false)
# Test that directory is in expected state. The root user may not have
# execute permissions to the directory, but the target_owner will in the
# success case, so always use the euid to run the command
run_command(test_stat_cmd(path), use_euid: true, throw_error: throw_error).exitstatus == 0
end
commands = ["[ -d \"#{path}\" ]"]
commands_info = ["Failed expecting \"#{path}\" to be a directory."]
def test_stat_cmd(path)
format_string = '%U'
expect_string = "#{@target_owner}"
......@@ -98,11 +99,29 @@ class StorageDirectoryHelper
expect_string << ":#{@target_group}"
end
commands << "[ \"$(stat --printf='#{format_string}' $(readlink -f #{path}))\" = '#{expect_string}' ]"
commands_info << "Failed asserting that ownership of \"#{path}\" was #{expect_string}"
if @target_mode
format_string << ' %04a'
expect_string << " #{@target_mode}"
commands << "[ \"$(stat --printf='%04a' $(readlink -f #{path}) | grep -Po '.{#{@target_mode.length}}$')\" = '#{@target_mode}' ]"
commands_info << "Failed asserting that mode permissions on \"#{path}\" is #{@target_mode}"
end
"test -d \"#{path}\" -a \"$(stat --printf='#{format_string}' #{path})\" = '#{expect_string}'"
result = true
commands.each_index do |index|
result = result && validate_command(commands[index], throw_error: throw_error, error_message: commands_info[index])
break unless result
end
result
end
def validate_command(cmd, throw_error: false, error_message: nil)
# Test that directory is in expected state. The root user may not have
# execute permissions to the directory, but the target_owner will in the
# success case, so always use the euid to run the command, and use a custom error message
cmd = run_command("set -x && #{cmd}", use_euid: true, throw_error: false)
cmd.invalid!(error_message) if cmd.exitstatus != 0 && throw_error
cmd.exitstatus == 0
end
end
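Review bot: `path` is interpolated into shell command strings without quoting in the new `writable?` check (`test -w #{path} -a -w $(readlink -f #{path})`), in the owner lookup (`stat --printf='%U' $(readlink -f #{path})`) and in the two `stat` checks added to `validate`, while the `[ -d \"#{path}\" ]` check in the same method does quote it. A storage path containing spaces or shell metacharacters would be word-split or interpreted by the shell, and the comments in this file say some of these commands run as root. Escaping once and quoting the substitution makes the checks consistent, for example `escaped = Shellwords.escape(path)` and then `\"$(readlink -f #{escaped})\"`; this needs `require 'shellwords'` at the top of the file. Several of these methods begin or end outside the visible hunks, so the `chmod` and other `run_command` callers deserve the same review.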
......@@ -44,9 +44,8 @@ db_migrate_status_file = ::File.join(upgrade_status_dir, "db-migrate-#{connectio
bash "migrate gitlab-rails database" do
code <<-EOH
set -e
log_file="/tmp/gitlab-rails-db-migrate-$(date +%s)-$$/output.log"
log_file="#{node['gitlab']['gitlab-rails']['log_directory']}/gitlab-rails-db-migrate-$(date +%s)-$$.log"
umask 077
mkdir $(dirname ${log_file})
/opt/gitlab/bin/gitlab-rake gitlab:db:configure 2>& 1 | tee ${log_file}
STATUS=${PIPESTATUS[0]}
echo $STATUS > #{db_migrate_status_file}
......
......@@ -45,6 +45,7 @@ gitlab_rails_http_conf = File.join(nginx_conf_dir, "gitlab-http.conf")
gitlab_pages_http_conf = File.join(nginx_conf_dir, "gitlab-pages.conf")
gitlab_registry_http_conf = File.join(nginx_conf_dir, "gitlab-registry.conf")
gitlab_mattermost_http_conf = File.join(nginx_conf_dir, "gitlab-mattermost-http.conf")
nginx_status_conf = File.join(nginx_conf_dir, "nginx-status.conf")
# If the service is enabled, check if we are using internal nginx
gitlab_rails_enabled = if node['gitlab']['gitlab-rails']['enable']
......@@ -71,6 +72,8 @@ gitlab_registry_enabled = if node['gitlab']['registry']['enable']
false
end
nginx_status_enabled = node['gitlab']['nginx']['status']['enable']
# Include the config file for gitlab-rails in nginx.conf later
nginx_vars = node['gitlab']['nginx'].to_hash.merge({
:gitlab_http_config => gitlab_rails_enabled ? gitlab_rails_http_conf : nil
......@@ -90,6 +93,12 @@ nginx_vars = nginx_vars.to_hash.merge!({
:gitlab_registry_http_config => gitlab_registry_enabled ? gitlab_registry_http_conf : nil
})
nginx_vars = nginx_vars.to_hash.merge!({
:nginx_status_config => nginx_status_enabled ? nginx_status_conf : nil
})
if nginx_vars['listen_https'].nil?
nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
else
......@@ -187,6 +196,21 @@ template gitlab_mattermost_http_conf do
action gitlab_mattermost_enabled ? :create : :delete
end
template nginx_status_conf do
source "nginx-status.conf.erb"
owner "root"
group "root"
mode "0644"
variables ({
:listen_addresses => nginx_vars['status']['listen_addresses'],
:fqdn => nginx_vars['status']['fqdn'],
:port => nginx_vars['status']['port'],
:options => nginx_vars['status']['options']
})
notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
action nginx_status_enabled ? :create : :delete
end
nginx_vars['gitlab_access_log_format'] = node['gitlab']['nginx']['log_format']
nginx_vars['gitlab_ci_access_log_format'] = node['gitlab']['ci-nginx']['log_format']
nginx_vars['gitlab_mattermost_access_log_format'] = node['gitlab']['mattermost-nginx']['log_format']
......
{
"ServiceSettings": {
"SiteURL": "<%= @service_site_url %>",
"ListenAddress": "<%= @service_address %>:<%= @service_port %>",
"MaximumLoginAttempts": <%= @service_maximum_login_attempts %>,
"SegmentDeveloperKey": "<%= @service_segment_developer_key %>",
......@@ -48,7 +49,8 @@
"EnableFile": <%= @log_enable_file %>,
"FileLevel": "<%= @log_file_level %>",
"FileFormat": "<%= @log_file_format %>",
"FileLocation": "<%= @log_file_directory %>/mattermost.log"
"FileLocation": "<%= @log_file_directory %>/mattermost.log",
"EnableDiagnostics": <%= @log_enable_diagnostics %>
},
"FileSettings": {
"MaxFileSize": <%= @file_max_file_size %>,
......@@ -90,7 +92,10 @@
"PasswordResetSalt": "<%= @email_password_reset_salt %>",
"SendPushNotifications": <%= @email_send_push_notifications %>,
"PushNotificationServer": "<%= @email_push_notification_server %>",
"PushNotificationContents": "<%= @email_push_notification_contents %>"
"PushNotificationContents": "<%= @email_push_notification_contents %>",
"EnableEmailBatching": <%= @email_enable_batching %>,
"EmailBatchingBufferSize": <%= @email_batching_buffer_size %>,
"EmailBatchingInterval": <%= @email_batching_interval %>
},
"RateLimitSettings": {
"EnableRateLimiter": <%= @ratelimit_enable_rate_limiter %>,
......
......@@ -44,6 +44,7 @@ production: &base
email_from: <%= @gitlab_email_from %>
email_display_name: <%= @gitlab_email_display_name %>
email_reply_to: <%= @gitlab_email_reply_to %>
email_subject_suffix: <%= @gitlab_email_subject_suffix %>
# Email server smtp settings are in [a separate file](initializers/smtp_settings.rb.sample).
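Review bot: `email_subject_suffix: <%= @gitlab_email_subject_suffix %>` writes the value into YAML unquoted, and a subject suffix is free text that will often contain characters YAML treats as syntax. A constructed example such as `[staging]` would presumably load as a sequence rather than a string, and a value containing ` #` would be cut off as a comment. Emitting a quoted scalar avoids this: `email_subject_suffix: <%= @gitlab_email_subject_suffix.to_json %>`, which renders an unset value as `null`. The mail_room template on this page already does the same for `redis_url`. The neighbouring `email_*` lines share the unquoted pattern but are context here, not part of this change.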
......
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @port %>;
<% end %>
server_name <%= @fqdn %>;
location /nginx_status {
<% @options.each do |key, value| %>
<%= key %> <%= value %>;
<% end %>
}
}
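Review bot: The `location /nginx_status` block is produced by iterating the `options` hash, and that constrains the access rules in ways the template does not document. nginx evaluates `allow` and `deny` in the order they are written, so an override that lists `"deny"` before `"allow"` rejects every client. A hash can also hold only one `"allow"` key, so a second monitoring address cannot be expressed. I would add a template comment such as `<%# access rules are emitted in hash order: keep "allow" before "deny"; only one "allow" entry is supported %>`, and consider accepting an array for `allow` as a follow-up.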
......@@ -57,5 +57,9 @@ http {
include <%= @gitlab_registry_http_config %>;
<% end %>
<% if @nginx_status_config %>
include <%= @nginx_status_config %>;
<% end %>
<%= @custom_nginx_config %>
}
......@@ -10,6 +10,10 @@ http:
secret: "<%= @http_secret %>"
headers:
X-Content-Type-Options: [nosniff]
<% if @debug_addr %>
debug:
addr: <%= @debug_addr %>
<% end %>
health:
storagedriver:
enabled: true
......
......@@ -20,6 +20,17 @@ exec chpst -e /opt/gitlab/etc/gitlab-workhorse/env -P \
-documentRoot /opt/gitlab/embedded/service/gitlab-rails/public \
-pprofListenAddr <%= node['gitlab']['gitlab-workhorse']['pprof_listen_addr'] %>\
<% if node['gitlab']['gitlab-workhorse']['proxy_headers_timeout'] %>
-proxyHeadersTimeout <%= node['gitlab']['gitlab-workhorse']['proxy_headers_timeout'] %>
-proxyHeadersTimeout <%= node['gitlab']['gitlab-workhorse']['proxy_headers_timeout'] %> \
<% end %>
-secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret
<% if node['gitlab']['gitlab-workhorse']['api_limit'] %>
-apiLimit <%= node['gitlab']['gitlab-workhorse']['api_limit'] %> \
<% end %>
<% if node['gitlab']['gitlab-workhorse']['api_queue_duration'] %>
-apiQueueDuration <%= node['gitlab']['gitlab-workhorse']['api_queue_duration'] %> \
<% end %>
<% if node['gitlab']['gitlab-workhorse']['api_queue_limit'] %>
-apiQueueLimit <%= node['gitlab']['gitlab-workhorse']['api_queue_limit'] %> \
<% end %>
-secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret \
# Do not remove this line; it prevents trouble with the trailing backslashes above.
......@@ -7,17 +7,7 @@ exec 2>&1
exec chpst -e /opt/gitlab/etc/<%= @options[:rails_app] %>/env -P \
-U <%= @options[:user] %> -u <%= @options[:user] %> \
/opt/gitlab/embedded/bin/bundle exec sidekiq \
-q post_receive \
-q mailers \
-q archive_repo \
-q system_hook \
-q project_web_hook \
-q gitlab_shell \
-q incoming_email \
-q common \
-q pages \
-q elasticsearch \
-q default \
-C /opt/gitlab/embedded/service/<%= @options[:rails_app] %>/config/sidekiq_queues.yml \
-e <%= node['gitlab'][@options[:rails_app]]['environment'] %> \
-r /opt/gitlab/embedded/service/<%= @options[:rails_app] %> \
-t <%= @options[:shutdown_timeout] %> \
......
......@@ -2,6 +2,7 @@ require 'chef_helper'
describe 'nginx' do
let(:chef_run) { ChefSpec::SoloRunner.converge('gitlab::default') }
let(:nginx_status_config) { /include \/var\/opt\/gitlab\/nginx\/conf\/nginx-status\.conf;/ }
let(:basic_nginx_headers) do
{
......@@ -90,6 +91,61 @@ describe 'nginx' do
end
end
context 'when is enabled' do
it 'enables nginx status by default' do
expect(chef_run.node['gitlab']['nginx']['status']).to eql({
"enable" => true,
"listen_addresses" => ["*"],
"fqdn" => "localhost",
"port" => 8060,
"options" => {
"stub_status" => "on",
"server_tokens" => "off",
"access_log" => "off",
"allow" => "127.0.0.1",
"deny" => "all"
}
})
expect(chef_run).to render_file('/var/opt/gitlab/nginx/conf/nginx.conf').with_content(nginx_status_config)
end
it "supports overrading nginx status default configuration" do
custom_nginx_status_config = {
"enable" => true,
"listen_addresses" => ["127.0.0.1"],
"fqdn" => "dev.example.com",
"port" => 9999,
"options" => {
"stub_status" => "on",
"server_tokens" => "off",
"access_log" => "on",
"allow" => "127.0.0.1",
"deny" => "all"
}
}
stub_gitlab_rb("nginx" => {
"status" => custom_nginx_status_config
})
chef_run.converge('gitlab::default')