Commit 728029bc authored by James Ramsay's avatar James Ramsay Committed by Achilleas Pipinellis

Improve geo docs post demo

parent 4af45a23
...@@ -180,9 +180,10 @@ groups to be replicated. ...@@ -180,9 +180,10 @@ groups to be replicated.
## Replicating wikis and repositories over SSH ## Replicating wikis and repositories over SSH
>**Warning:**
In GitLab 10.2, replicating repositories and wikis over SSH was deprecated. In GitLab 10.2, replicating repositories and wikis over SSH was deprecated.
Support for this option will be removed within a few releases, but if you need Support for SSH replication will be removed in 10.3. These instructions should
to add a new secondary in the short term, you can follow these instructions: only be used if you need to add a new secondary in the short term.
1. SSH into the **secondary** node and login as root: 1. SSH into the **secondary** node and login as root:
......
...@@ -103,14 +103,34 @@ will not be able to perform all necessary configuration steps. Refer to ...@@ -103,14 +103,34 @@ will not be able to perform all necessary configuration steps. Refer to
"man-in-the-middle" attackers. "man-in-the-middle" attackers.
To do this, PostgreSQL needs to be provided with a key and certificate to To do this, PostgreSQL needs to be provided with a key and certificate to
use. You can re-use the same files you're using for your main GitLab use. There are two options to do this:
instance, or generate a self-signed certificate just for PostgreSQL's use.
Prefer the first option if you already have a long-lived certificate. Prefer **Option A**: Re-use the same files you're using for your main GitLab
the second if your certificates expire regularly (e.g. LetsEncrypt), or if instance.
**Option B**: Generate a self-signed certificate just for PostgreSQL's use.
Prefer option A if you already have a long-lived certificate. Prefer
option B if your certificates expire regularly (e.g., Let's Encrypt), or if
PostgreSQL is running on a different server to the main GitLab services PostgreSQL is running on a different server to the main GitLab services
(this may be the case in a HA configuration, for instance). (this may be the case in a HA configuration, for instance).
For **Option A**:
Copy the SSL keys from your existing GitLab installation. If you're
re-using certificates already in GitLab, they are likely to be in the
`/etc/gitlab/ssl` directory. Copy them into the PostgreSQL directory via
this example:
```bash
# Certificate and key currently used by GitLab
# - replace primary.geo.example.com with your domain
install -o gitlab-psql -g gitlab-psql -m 0400 -T /etc/gitlab/ssl/primary.geo.example.com.crt ~gitlab-psql/data/server.crt
install -o gitlab-psql -g gitlab-psql -m 0400 -T /etc/gitlab/ssl/primary.geo.example.com.key ~gitlab-psql/data/server.key
```
For **Option B**:
To generate a self-signed certificate and key, run this command: To generate a self-signed certificate and key, run this command:
```bash ```bash
...@@ -122,28 +142,16 @@ will not be able to perform all necessary configuration steps. Refer to ...@@ -122,28 +142,16 @@ will not be able to perform all necessary configuration steps. Refer to
PostgreSQL's permission requirements are very strict, so whether you're PostgreSQL's permission requirements are very strict, so whether you're
re-using your certificates or just generated new ones, **copy** the files re-using your certificates or just generated new ones, **copy** the files
to the correct location. to the correct location:
If you're re-using certificates already in GitLab, they are likely to be in
the `/etc/gitlab/ssl` directory. If your domain is `primary.geo.example.com`,
the commands would be:
```bash
# Copying a certificate and key currently used by GitLab
install -o gitlab-psql -g gitlab-psql -m 0400 -T /etc/gitlab/ssl/primary.geo.example.com.crt ~gitlab-psql/data/server.crt
install -o gitlab-psql -g gitlab-psql -m 0400 -T /etc/gitlab/ssl/primary.geo.example.com.key ~gitlab-psql/data/server.key
``` ```
# Self-signed certificate and key
If you just generated a self-signed certificate and key, the files will be # - assumes the files are in your current working directory
in your current working directory, so run:
```bash
# Copying a self-signed certificate and key
install -o gitlab-psql -g gitlab-psql -m 0400 -T server.crt ~gitlab-psql/data/server.crt install -o gitlab-psql -g gitlab-psql -m 0400 -T server.crt ~gitlab-psql/data/server.crt
install -o gitlab-psql -g gitlab-psql -m 0400 -T server.key ~gitlab-psql/data/server.key install -o gitlab-psql -g gitlab-psql -m 0400 -T server.key ~gitlab-psql/data/server.key
``` ```
Add this configuration to `/etc/gitlab/gitlab.rb`. Additional options are 1. Add this configuration to `/etc/gitlab/gitlab.rb`. Additional options are
documented [here](http://docs.gitlab.com/omnibus/settings/database.html#enabling-ssl). documented [here](http://docs.gitlab.com/omnibus/settings/database.html#enabling-ssl).
```ruby ```ruby
...@@ -228,7 +236,7 @@ will not be able to perform all necessary configuration steps. Refer to ...@@ -228,7 +236,7 @@ will not be able to perform all necessary configuration steps. Refer to
for more information. for more information.
1. Check to make sure your firewall rules are set so that the secondary nodes 1. Check to make sure your firewall rules are set so that the secondary nodes
can access port 5432 on the primary node. can access port `5432` on the primary node.
1. Save the file and [reconfigure GitLab][] for the DB listen changes to take effect. 1. Save the file and [reconfigure GitLab][] for the DB listen changes to take effect.
This will fail and is expected. This will fail and is expected.
1. You will need to manually restart postgres `gitlab-ctl restart postgresql` until [Omnibus#2797](https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2797) gets fixed. 1. You will need to manually restart postgres `gitlab-ctl restart postgresql` until [Omnibus#2797](https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2797) gets fixed.
...@@ -236,8 +244,8 @@ will not be able to perform all necessary configuration steps. Refer to ...@@ -236,8 +244,8 @@ will not be able to perform all necessary configuration steps. Refer to
1. New for 9.4: Restart your primary PostgreSQL server to ensure the replication slot changes 1. New for 9.4: Restart your primary PostgreSQL server to ensure the replication slot changes
take effect (`sudo gitlab-ctl restart postgresql` for Omnibus-provided PostgreSQL). take effect (`sudo gitlab-ctl restart postgresql` for Omnibus-provided PostgreSQL).
1. Now that the PostgreSQL server is set up to accept remote connections, run 1. Now that the PostgreSQL server is set up to accept remote connections, run
`netstat -plnt` to make sure that PostgreSQL is listening to the server's `netstat -plnt` to make sure that PostgreSQL is listening on port `5432` to
public IP. the server's public IP.
### Step 2. Add the secondary GitLab node ### Step 2. Add the secondary GitLab node
...@@ -263,24 +271,26 @@ primary before the database is replicated. ...@@ -263,24 +271,26 @@ primary before the database is replicated.
``` ```
1. Set up PostgreSQL TLS verification on the secondary 1. Set up PostgreSQL TLS verification on the secondary
If you configured PostgreSQL to accept TLS connections in If you configured PostgreSQL to accept TLS connections in
[Step 1](#step-1-configure-the-primary-server), then you need to provide a [Step 1](#step-1-configure-the-primary-server), then you need to provide a
list of "known-good" certificates to the secondary. It uses this list to list of "known-good" certificates to the secondary. It uses this list to
keep the connection secure against an active "man-in-the-middle" attack. keep the connection secure against an active "man-in-the-middle" attack.
If you reused your existing certificates on the primary, you can use the If you reused your existing certificates on the primary, you can use the
list of valid root certificates provided with omnibus: list of valid root certificates provided with omnibus.
Or, if you generated a self-signed certificate, copy the generated
`server.crt` file onto the secondary server from the primary, then install
it in the right location.
```bash ```bash
# Certificate and key currently used by GitLab
mkdir -p ~gitlab-psql/.postgresql mkdir -p ~gitlab-psql/.postgresql
ln -s /opt/gitlab/embedded/ssl/certs/cacert.pem ~gitlab-psql/.postgresql/root.crt ln -s /opt/gitlab/embedded/ssl/certs/cacert.pem ~gitlab-psql/.postgresql/root.crt
```
If you generated a self-signed certificate, that won't work. Copy the
generated `server.crt` file onto the secondary server from the primary, then
install it in the right place:
```bash # Self-signed certificate and key
install -o gitlab-psql -g gitlab-psql -m 0400 -T server.crt ~gitlab-psql/.postgresql/root.crt install -o gitlab-psql -g gitlab-psql -m 0400 -T server.crt ~gitlab-psql/.postgresql/root.crt
``` ```
...@@ -290,15 +300,12 @@ primary before the database is replicated. ...@@ -290,15 +300,12 @@ primary before the database is replicated.
1. Test that the remote connection to the primary server works. 1. Test that the remote connection to the primary server works.
If you're using a CA-issued certificate and connecting by FQDN:
``` ```
# Certificate and key currently used by GitLab
sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h primary.geo.example.com -U gitlab_replicator -d "dbname=gitlabhq_production sslmode=verify-ca" -W sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h primary.geo.example.com -U gitlab_replicator -d "dbname=gitlabhq_production sslmode=verify-ca" -W
```
If you're using a self-signed certificate or connecting by IP address:
``` # Self-signed certificate and key
sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h 1.2.3.4 -U gitlab_replicator -d "dbname=gitlabhq_production sslmode=verify-full" -W sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h 1.2.3.4 -U gitlab_replicator -d "dbname=gitlabhq_production sslmode=verify-full" -W
``` ```
...@@ -358,7 +365,11 @@ data before running `pg_basebackup`. ...@@ -358,7 +365,11 @@ data before running `pg_basebackup`.
1. Execute the command below to start a backup/restore and begin the replication: 1. Execute the command below to start a backup/restore and begin the replication:
``` ```
# Certificate and key currently used by GitLab
gitlab-ctl replicate-geo-database --host=geo.primary.my.domain.com --slot-name=geo_secondary_my_domain_com gitlab-ctl replicate-geo-database --host=geo.primary.my.domain.com --slot-name=geo_secondary_my_domain_com
# Self-signed certificate and key
gitlab-ctl replicate-geo-database --host=1.2.3.4 --slot-name=geo_secondary_my_domain_com --sslmode=verify-ca
``` ```
If PostgreSQL is listening on a non-standard port, add `--port=` as well. If PostgreSQL is listening on a non-standard port, add `--port=` as well.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment