database.md 19.4 KB
Newer Older
1
# Geo database replication (GitLab Omnibus) **[PREMIUM ONLY]**
2

3
NOTE: **Note:**
4 5
This is the documentation for the Omnibus GitLab packages. For installations
from source, follow the
6
[Geo database replication (source)](database_source.md) guide.
7

8
NOTE: **Note:**
9 10
If your GitLab installation uses external (not managed by Omnibus) PostgreSQL
instances, the Omnibus roles will not be able to perform all necessary
11 12
configuration steps. In this case,
[follow the Geo with external PostgreSQL instances document instead](external_database.md).
13

14
NOTE: **Note:**
15 16 17 18
The stages of the setup process must be completed in the documented order.
Before attempting the steps in this stage, [complete all prior stages][toc].

This document describes the minimal steps you have to take in order to
19
replicate your **primary** GitLab database to a **secondary** node's database. You may
20 21 22 23 24 25 26
have to change some values according to your database setup, how big it is, etc.

You are encouraged to first read through all the steps before executing them
in your testing/production environment.

## PostgreSQL replication

27 28 29
The GitLab **primary** node where the write operations happen will connect to
the **primary** database server, and **secondary** nodes will
connect to their own database servers (which are also read-only).
30

31
NOTE: **Note:**
32 33
In database documentation, you may see "**primary**" being referenced as "master"
and "**secondary**" as either "slave" or "standby" server (read-only).
34

35
We recommend using [PostgreSQL replication slots][replication-slots-article]
36
to ensure that the **primary** node retains all the data necessary for the **secondary** nodes to
37 38 39 40 41 42 43
recover. See below for more details.

The following guide assumes that:

- You are using Omnibus and therefore you are using PostgreSQL 9.6 or later
  which includes the  [`pg_basebackup` tool][pgback] and improved
  [Foreign Data Wrapper][FDW] support.
44
- You have a **primary** node already set up (the GitLab server you are
45
  replicating from), running Omnibus' PostgreSQL (or equivalent version), and
46
  you have a new **secondary** server set up with the same versions of the OS,
47
  PostgreSQL, and GitLab on all nodes.
48

49
CAUTION: **Warning:**
50
Geo works with streaming replication. Logical replication is not supported at this time.
51
There is an [issue where support is being discussed](https://gitlab.com/gitlab-org/gitlab-ee/issues/7420).
52

53
### Step 1. Configure the **primary** server
54 55 56

1. SSH into your GitLab **primary** server and login as root:

57
    ```sh
58 59 60
    sudo -i
    ```

61
1. Execute the command below to define the node as **primary** node:
62

63
    ```sh
64 65 66 67 68
    gitlab-ctl set-geo-primary-node
    ```

    This command will use your defined `external_url` in `/etc/gitlab/gitlab.rb`.

69
1. GitLab 10.4 and up only: Do the following to make sure the `gitlab` database user has a password defined:
70 71 72

    Generate a MD5 hash of the desired password:

73
    ```sh
74
    gitlab-ctl pg-password-md5 gitlab
75 76
    # Enter password: <your_password_here>
    # Confirm password: <your_password_here>
77 78 79 80 81 82 83
    # fca0b89a972d69f00eb3ec98a5838484
    ```

    Edit `/etc/gitlab/gitlab.rb`:

    ```ruby
    # Fill with the hash generated by `gitlab-ctl pg-password-md5 gitlab`
84
    postgresql['sql_user_password'] = '<md5_hash_of_your_password>'
85

86 87 88
    # Every node that runs Unicorn or Sidekiq needs to have the database
    # password specified as below. If you have a high-availability setup, this
    # must be present in all application nodes.
89
    gitlab_rails['db_password'] = '<your_password_here>'
90 91
    ```

92
1. Omnibus GitLab already has a [replication user]
93 94 95
   called `gitlab_replicator`. You must set the password for this user manually.
   You will be prompted to enter a password:

96
    ```sh
97 98 99 100 101 102
    gitlab-ctl set-replication-password
    ```

    This command will also read the `postgresql['sql_replication_user']` Omnibus
    setting in case you have changed `gitlab_replicator` username to something
    else.
103

104 105
    If you are using an external database not managed by Omnibus GitLab, you need
    to create the replicator user and define a password to it manually.
106 107 108
    For information on how to create a replication user, refer to the
    [appropriate step](database_source.md#step-1-configure-the-primary-server)
    in [Geo database replication (source)](database_source.md).
109

110
1. Configure PostgreSQL to listen on network interfaces:
111 112

    For security reasons, PostgreSQL does not listen on any network interfaces
113 114
    by default. However, Geo requires the **secondary** node to be able to
    connect to the **primary** node's database. For this reason, we need the address of
115
    each node. Note: For external PostgreSQL instances, see [additional instructions](external_database.md).
116 117 118 119 120 121

    If you are using a cloud provider, you can lookup the addresses for each
    Geo node through your cloud provider's management console.

    To lookup the address of a Geo node, SSH in to the Geo node and execute:

122
    ```sh
123 124 125 126 127 128 129 130
    ##
    ## Private address
    ##
    ip route get 255.255.255.255 | awk '{print "Private address:", $NF; exit}'

    ##
    ## Public address
    ##
131
    echo "External address: $(curl --silent ipinfo.io/ip)"
132 133 134 135 136
    ```

    In most cases, the following addresses will be used to configure GitLab
    Geo:

137 138 139 140
    | Configuration                           | Address                                               |
    |:----------------------------------------|:------------------------------------------------------|
    | `postgresql['listen_address']`          | **Primary** node's public or VPC private address.     |
    | `postgresql['md5_auth_cidr_addresses']` | **Secondary** node's public or VPC private addresses. |
141 142

    If you are using Google Cloud Platform, SoftLayer, or any other vendor that
143
    provides a virtual private cloud (VPC) you can use the **secondary** node's private
144
    address (corresponds to "internal address" for Google Cloud Platform) for
145
    `postgresql['md5_auth_cidr_addresses']` and `postgresql['listen_address']`.
146 147 148

    The `listen_address` option opens PostgreSQL up to network connections
    with the interface corresponding to the given address. See [the PostgreSQL
149
    documentation][pg-docs-runtime-conn] for more details.
150 151

    Depending on your network configuration, the suggested addresses may not
152
    be correct. If your **primary** node and **secondary** nodes connect over a local
153 154
    area network, or a virtual network connecting availability zones like
    [Amazon's VPC](https://aws.amazon.com/vpc/) or [Google's VPC](https://cloud.google.com/vpc/)
155
    you should use the **secondary** node's private address for `postgresql['md5_auth_cidr_addresses']`.
156 157 158 159 160

    Edit `/etc/gitlab/gitlab.rb` and add the following, replacing the IP
    addresses with addresses appropriate to your network configuration:

    ```ruby
161 162 163 164
    ##
    ## Geo Primary role
    ## - configure dependent flags automatically to enable Geo
    ##
165
    roles ['geo_primary_role']
166 167 168

    ##
    ## Primary address
169
    ## - replace '<primary_node_ip>' with the public or VPC address of your Geo primary node
170
    ##
171
    postgresql['listen_address'] = '<primary_node_ip>'
172

173
    ##
174 175
    # Allow PostgreSQL client authentication from the primary and secondary IPs. These IPs may be
    # public or VPC addresses in CIDR format, for example ['198.51.100.1/32', '198.51.100.2/32']
176
    ##
177
    postgresql['md5_auth_cidr_addresses'] = ['<primary_node_ip>/32', '<secondary_node_ip>/32']
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193

    ##
    ## Replication settings
    ## - set this to be the number of Geo secondary nodes you have
    ##
    postgresql['max_replication_slots'] = 1
    # postgresql['max_wal_senders'] = 10
    # postgresql['wal_keep_segments'] = 10

    ##
    ## Disable automatic database migrations temporarily
    ## (until PostgreSQL is restarted and listening on the private address).
    ##
    gitlab_rails['auto_migrate'] = false
    ```

194
1. Optional: If you want to add another **secondary** node, the relevant setting would look like:
195 196

    ```ruby
197
    postgresql['md5_auth_cidr_addresses'] = ['<primary_node_ip>/32', '<secondary_node_ip>/32', '<another_secondary_node_ip>/32']
198 199 200 201
    ```

    You may also want to edit the `wal_keep_segments` and `max_wal_senders` to
    match your database replication requirements. Consult the [PostgreSQL -
202
    Replication documentation][pg-docs-runtime-replication]
203 204 205
    for more information.

1. Save the file and reconfigure GitLab for the database listen changes and
206
   the replication slot changes to be applied:
207

208
    ```sh
209 210 211 212 213
    gitlab-ctl reconfigure
    ```

    Restart PostgreSQL for its changes to take effect:

214
    ```sh
215 216 217 218 219 220 221 222 223 224 225 226 227 228
    gitlab-ctl restart postgresql
    ```

1. Re-enable migrations now that PostgreSQL is restarted and listening on the
   private address.

    Edit `/etc/gitlab/gitlab.rb` and **change** the configuration to `true`:

    ```ruby
    gitlab_rails['auto_migrate'] = true
    ```

    Save the file and reconfigure GitLab:

229
    ```sh
230 231 232 233 234
    gitlab-ctl reconfigure
    ```

1. Now that the PostgreSQL server is set up to accept remote connections, run
   `netstat -plnt | grep 5432` to make sure that PostgreSQL is listening on port
235
   `5432` to the **primary** server's private address.
236 237 238 239

1. A certificate was automatically generated when GitLab was reconfigured. This
   will be used automatically to protect your PostgreSQL traffic from
   eavesdroppers, but to protect against active ("man-in-the-middle") attackers,
240 241
   the **secondary** node needs a copy of the certificate. Make a copy of the PostgreSQL
    `server.crt` file on the **primary** node by running this command:
242

243
    ```sh
244 245 246 247
    cat ~gitlab-psql/data/server.crt
    ```

    Copy the output into a clipboard or into a local file. You
248
    will need it when setting up the **secondary** node! The certificate is not sensitive
249 250
    data.

251
### Step 2. Configure the **secondary** server
252

253
1. SSH into your GitLab **secondary** server and login as root:
254 255

    ```
256
    sudo -i
257 258
    ```

259
1. Stop application server and Sidekiq
260 261

    ```
262 263
    gitlab-ctl stop unicorn
    gitlab-ctl stop sidekiq
264 265
    ```

266 267
    NOTE: **Note**:
    This step is important so we don't try to execute anything before the node is fully configured.
268

269
1. [Check TCP connectivity][rake-maintenance] to the **primary** node's PostgreSQL server:
270

271
    ```sh
272
    gitlab-rake gitlab:tcp_check[<primary_node_ip>,5432]
273 274
    ```

275
    NOTE: **Note**:
276
    If this step fails, you may be using the wrong IP address, or a firewall may
277 278
    be preventing access to the server. Check the IP address, paying close
    attention to the difference between public and private addresses and ensure
279 280
    that, if a firewall is present, the **secondary** node is permitted to connect to the
    **primary** node on port 5432.
281

282
1. Create a file `server.crt` in the **secondary** server, with the content you got on the last step of the **primary** node's setup:
283 284 285 286 287

    ```
    editor server.crt
    ```

288
1. Set up PostgreSQL TLS verification on the **secondary** node:
289 290 291

    Install the `server.crt` file:

292
    ```sh
293 294 295 296 297 298
    install \
       -D \
       -o gitlab-psql \
       -g gitlab-psql \
       -m 0400 \
       -T server.crt ~gitlab-psql/.postgresql/root.crt
299 300 301 302
    ```

    PostgreSQL will now only recognize that exact certificate when verifying TLS
    connections. The certificate can only be replicated by someone with access
303
    to the private key, which is **only** present on the **primary** node.
304

305 306
1. Test that the `gitlab-psql` user can connect to the **primary** node's database
   (the default Omnibus database name is gitlabhq_production):
307

308
    ```sh
309 310 311 312 313 314 315
    sudo \
       -u gitlab-psql /opt/gitlab/embedded/bin/psql \
       --list \
       -U gitlab_replicator \
       -d "dbname=gitlabhq_production sslmode=verify-ca" \
       -W \
       -h <primary_node_ip>
316 317 318 319
    ```

    When prompted enter the password you set in the first step for the
    `gitlab_replicator` user. If all worked correctly, you should see
320
    the list of **primary** node's databases.
321 322

    A failure to connect here indicates that the TLS configuration is incorrect.
323 324
    Ensure that the contents of `~gitlab-psql/data/server.crt` on the **primary** node
    match the contents of `~gitlab-psql/.postgresql/root.crt` on the **secondary** node.
325

326
1. Configure PostgreSQL to enable FDW support:
327

328
    This step is similar to how we configured the **primary** instance.
329 330 331 332 333 334
    We need to enable this, to enable FDW support, even if using a single node.

    Edit `/etc/gitlab/gitlab.rb` and add the following, replacing the IP
    addresses with addresses appropriate to your network configuration:

    ```ruby
335 336 337 338
    ##
    ## Geo Secondary role
    ## - configure dependent flags automatically to enable Geo
    ##
339 340
    roles ['geo_secondary_role']

341 342
    ##
    ## Secondary address
343
    ## - replace '<secondary_node_ip>' with the public or VPC address of your Geo secondary node 
344
    ##
345 346
    postgresql['listen_address'] = '<secondary_node_ip>'
    postgresql['md5_auth_cidr_addresses'] = ['<secondary_node_ip>/32']
347

348 349
    ##
    ## Database credentials password (defined previously in primary node)
350
    ## - replicate same values here as defined in primary node
351
    ##
352 353
    postgresql['sql_user_password'] = '<md5_hash_of_your_password>'
    gitlab_rails['db_password'] = '<your_password_here>'
354

355 356 357
    ##
    ## Enable FDW support for the Geo Tracking Database (improves performance)
    ##
358 359 360
    geo_secondary['db_fdw'] = true
    ```

361
    For external PostgreSQL instances, see [additional instructions](external_database.md).
362
    If you bring a former **primary** node back online to serve as a **secondary** node, then you also need to remove `roles ['geo_primary_role']` or `geo_primary_role['enable'] = true`.
363 364 365

1. Reconfigure GitLab for the changes to take effect:

366
    ```sh
367 368 369
    gitlab-ctl reconfigure
    ```

370
1. Restart PostgreSQL for the IP change to take effect and reconfigure again:
371

372
    ```sh
373
    gitlab-ctl restart postgresql
374
    gitlab-ctl reconfigure
375
    ```
376

377
    This last reconfigure will provision the FDW configuration and enable it.
378

379
### Step 3. Initiate the replication process
380

381 382
Below we provide a script that connects the database on the **secondary** node to
the database on the **primary** node, replicates the database, and creates the
383 384 385 386 387 388
needed files for streaming replication.

The directories used are the defaults that are set up in Omnibus. If you have
changed any defaults or are using a source installation, configure it as you
see fit replacing the directories and paths.

389
CAUTION: **Warning:**
390 391 392 393 394
Make sure to run this on the **secondary** server as it removes all PostgreSQL's
data before running `pg_basebackup`.

1. SSH into your GitLab **secondary** server and login as root:

395
    ```sh
396 397 398
    sudo -i
    ```

399
1. Choose a database-friendly name to use for your **secondary** node to
400 401 402 403 404
   use as the replication slot name. For example, if your domain is
   `secondary.geo.example.com`, you may use `secondary_example` as the slot
   name as shown in the commands below.

1. Execute the command below to start a backup/restore and begin the replication
405
    CAUTION: **Warning:** Each Geo **secondary** node must have its own unique replication slot name.
406
    Using the same slot name between two secondaries will break PostgreSQL replication.
407

408
    ```sh
409 410
    gitlab-ctl replicate-geo-database \
       --slot-name=<secondary_node_name> \
411
       --host=<primary_node_ip>
412 413 414 415 416 417 418
    ```

    When prompted, enter the _plaintext_ password you set up for the `gitlab_replicator`
    user in the first step.

    This command also takes a number of additional options. You can use `--help`
    to list them all, but here are a couple of tips:
419 420 421 422 423 424 425 426 427 428 429 430
     - If PostgreSQL is listening on a non-standard port, add `--port=` as well.
     - If your database is too large to be transferred in 30 minutes, you will need
       to increase the timeout, e.g., `--backup-timeout=3600` if you expect the
       initial replication to take under an hour.
     - Pass `--sslmode=disable` to skip PostgreSQL TLS authentication altogether
       (e.g., you know the network path is secure, or you are using a site-to-site
       VPN). This is **not** safe over the public Internet!
     - You can read more details about each `sslmode` in the
       [PostgreSQL documentation][pg-docs-ssl];
       the instructions above are carefully written to ensure protection against
       both passive eavesdroppers and active "man-in-the-middle" attackers.
     - Change the `--slot-name` to the name of the replication slot
431
       to be used on the **primary** database. The script will attempt to create the
432
       replication slot automatically if it does not exist.
433
     - If you're repurposing an old server into a Geo **secondary** node, you'll need to
434 435 436
       add `--force` to the command line.
     - When not in a production machine you can disable backup step if you
       really sure this is what you want by adding `--skip-backup`
437 438 439

The replication process is now complete.

440 441 442 443 444
## PGBouncer support (optional)

[PGBouncer](http://pgbouncer.github.io/) may be used with GitLab Geo to pool
PostgreSQL connections. We recommend using PGBouncer if you use GitLab in a
high-availability configuration with a cluster of nodes supporting a Geo
445
**primary** node and another cluster of nodes supporting a Geo **secondary** node. For more
446 447 448
information, see the [Omnibus HA](https://docs.gitlab.com/ee/administration/high_availability/database.html#configure-using-omnibus-for-high-availability)
documentation.

449
For a Geo **secondary** node to work properly with PGBouncer in front of the database,
450 451 452
it will need a separate read-only user to make [PostgreSQL FDW queries][FDW]
work:

453 454
1. On the **primary** Geo database, enter the PostgreSQL on the console as an
    admin user. If you are using an Omnibus-managed database, log onto the **primary**
455
    node that is running the PostgreSQL database (the default Omnibus database name is gitlabhq_production):
456

457
    ```sh
458 459 460
     sudo \
        -u gitlab-psql /opt/gitlab/embedded/bin/psql \
        -h /var/opt/gitlab/postgresql gitlabhq_production
461 462
    ```

463
1. Then create the read-only user:
464 465 466 467 468 469 470 471 472 473 474 475 476 477 478

    ```sql
    -- NOTE: Use the password defined earlier
    CREATE USER gitlab_geo_fdw WITH password 'mypassword';
    GRANT CONNECT ON DATABASE gitlabhq_production to gitlab_geo_fdw;
    GRANT USAGE ON SCHEMA public TO gitlab_geo_fdw;
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO gitlab_geo_fdw;
    GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO gitlab_geo_fdw;

    -- Tables created by "gitlab" should be made read-only for "gitlab_geo_fdw"
    -- automatically.
    ALTER DEFAULT PRIVILEGES FOR USER gitlab IN SCHEMA public GRANT SELECT ON TABLES TO gitlab_geo_fdw;
    ALTER DEFAULT PRIVILEGES FOR USER gitlab IN SCHEMA public GRANT SELECT ON SEQUENCES TO gitlab_geo_fdw;
    ```

479
1. On the **secondary** nodes, change `/etc/gitlab/gitlab.rb`:
480 481 482 483 484

    ```
    geo_postgresql['fdw_external_user'] = 'gitlab_geo_fdw'
    ```

485
1. Save the file and reconfigure GitLab for the changes to be applied:
486

487
    ```sh
488 489 490
    gitlab-ctl reconfigure
    ```

491 492 493 494 495 496 497 498
## MySQL replication

MySQL replication is not supported for Geo.

## Troubleshooting

Read the [troubleshooting document](troubleshooting.md).

499
[replication-slots-article]: https://medium.com/@tk512/replication-slots-in-postgresql-b4b03d277c75
500
[pgback]: http://www.postgresql.org/docs/9.2/static/app-pgbasebackup.html
501
[replication user]:https://wiki.postgresql.org/wiki/Streaming_Replication
502
[FDW]: https://www.postgresql.org/docs/9.6/static/postgres-fdw.html
James Ramsay's avatar
James Ramsay committed
503
[toc]: index.md#using-omnibus-gitlab
504 505 506 507
[rake-maintenance]: ../../raketasks/maintenance.md
[pg-docs-ssl]: https://www.postgresql.org/docs/9.6/static/libpq-ssl.html#LIBPQ-SSL-PROTECTION
[pg-docs-runtime-conn]: https://www.postgresql.org/docs/9.6/static/runtime-config-connection.html
[pg-docs-runtime-replication]: https://www.postgresql.org/docs/9.6/static/runtime-config-replication.html