gitlab: fixes, puma is now used by default instead of unicorn

software/gitlab/buildout.hash.cfg

@@ -14,7 +14,7 @@
 # not need these here).
 [instance.cfg]
 filename = instance.cfg.in
-md5sum = 31b04cdc566bc7072a834c931a5c1305
+md5sum = 956ae53af22b551fbb087415e835868b
 
 [watcher]
 _update_hash_filename_ = watcher.in
@@ -30,35 +30,35 @@ md5sum = 61d1d04b9347b3168a1ad7676e4681ef
 
 [gitconfig.in]
 _update_hash_filename_ = template/gitconfig.in
-md5sum = eb1230fee50067924ba89f4dc6e82fa9
+md5sum = c559a24ab6281268b608ed3bccb8e4ce
 
 [gitlab-parameters.cfg]
 _update_hash_filename_ = gitlab-parameters.cfg
-md5sum = cfda6d959bb90bf0b9c947383f45ce0a
+md5sum = f02bc3416d9597c6bc6bf627db732dbf
 
 [gitlab-shell-config.yml.in]
 _update_hash_filename_ = template/gitlab-shell-config.yml.in
-md5sum = c57a64fd4940c18a5c325da1da8d2f7c
+md5sum = 70d394305f4e1482a5c1a673b0762c6a
 
-[gitlab-unicorn-startup.in]
-_update_hash_filename_ = gitlab-unicorn-startup.in
-md5sum = 705825e6d8c6b37699f1321805d09de3
+[gitlab-puma-startup.in]
+_update_hash_filename_ = gitlab-puma-startup.in
+md5sum = 0bec1b52f6345024a76ee9a18d98e752
 
 [gitlab.yml.in]
 _update_hash_filename_ = template/gitlab.yml.in
-md5sum = 671604bb2aee6fdf2238e7df61aea3be
+md5sum = 72171b2a3628be79f4b57f8249c64882
 
 [gitaly-config.toml.in]
 _update_hash_filename_ = template/gitaly-config.toml.in
-md5sum = b0d37a41f280089f83afac0347ad5671
+md5sum = d769ea27820e932c596c35bbbf3f2902
 
 [instance-gitlab.cfg.in]
 _update_hash_filename_ = instance-gitlab.cfg.in
-md5sum = 33f6f505502722cf3203e7228c5b211e
+md5sum = 17a17668b4b6f6a3f518713b60c43fa6
 
 [instance-gitlab-export.cfg.in]
 _update_hash_filename_ = instance-gitlab-export.cfg.in
-md5sum = b1921bebb75f71c8d3a25386eea6f878
+md5sum = c8231583d04bf0d3fe2d26230b94d78d
 
 [macrolib.cfg.in]
 _update_hash_filename_ = macrolib.cfg.in
@@ -72,22 +72,18 @@ md5sum = 4980c1571a4dd7753aaa60d065270849
 _update_hash_filename_ = template/nginx.conf.in
 md5sum = 8c904510eb39dc212204f68f2b81b068
 
-[rack_attack.rb.in]
-_update_hash_filename_ = template/rack_attack.rb.in
-md5sum = 7d0e6dc6b826f6df6b20d8574a29e2f8
-
 [resque.yml.in]
 _update_hash_filename_ = template/resque.yml.in
 md5sum = 7c89a730889e3224548d9abe51a2d719
 
 [smtp_settings.rb.in]
 _update_hash_filename_ = template/smtp_settings.rb.in
-md5sum = 4e1ced687a86e4cfff2dde91237e3942
+md5sum = b1becd9ec4c2eeefe573af4bb53c9751
 
 [template-gitlab-resiliency-restore.sh.in]
 _update_hash_filename_ = template/template-gitlab-resiliency-restore.sh.in
-md5sum = 87f16b4f4a2370acada46b2751ef3366
+md5sum = 8ce31a27e814e750dfd38c92a278fb9e
 
-[unicorn.rb.in]
-_update_hash_filename_ = template/unicorn.rb.in
-md5sum = c2a0f5c50ba2198baea9d764cd119d97
+[puma.rb.in]
+_update_hash_filename_ = template/puma.rb.in
+md5sum = 707c0c713af41518d21724c1be8efe22

software/gitlab/gitlab-parameters.cfg

@@ -15,8 +15,11 @@ configuration.external_url              = https://lab.example.com
 configuration.db_pool                   = 10
 
 # rack-attack
-configuration.rate_limit_requests_per_period    = 10
-configuration.rate_limit_period                 = 60
+configuration.rack_attack_enable        = true
+configuration.rack_attack_max_retry     = 10
+configuration.rack_attack_find_time     = 60
+configuration.rack_attack_ban_time      = 3600
+configuration.rack_attack_ip_whitelist  =
 
 configuration.time_zone                 = UTC
 
@@ -64,8 +67,10 @@ configuration.sidekiq_memory_killer_max_rss = 1000000
 
 
 # unicorn
-configuration.unicorn_worker_timeout    = 60
-configuration.unicorn_worker_processes  = 2
+configuration.puma_worker_timeout      = 60
+configuration.puma_worker_processes    = 2
+configuration.puma_min_threads         = 1
+configuration.puma_max_threads         = 16
 
 # unicorn advanced
 configuration.unicorn_backlog_socket    = 1024

software/gitlab/gitlab-unicorn-startup.in → software/gitlab/gitlab-puma-startup.in

@@ -38,6 +38,8 @@ echo "I: PostgreSQL ready." 1>&2
 # make sure pg_trgm extension is enabled for gitlab db
 psql -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;'   || die "pg_trgm setup failed"
 
+psql -c 'CREATE EXTENSION IF NOT EXISTS btree_gist;'  || die "pg_trgm setup failed"
+
 if echo "$pgtables" | grep -q '^Did not find any relations' ; then
     $RAKE gitlab:setup RAILS_ENV=production force=yes || die "initial db setup failed"
 fi
@@ -70,8 +72,6 @@ $RAKE cache:clear   || die "cache:clear failed"
 force=yes $RAKE gitlab:shell:setup   || die "gitlab:shell:setup failed"
 
 
-# 3. finally exec to unicorn
-exec {{ gitlab_unicorn }}   \
-    -E production   \
-    -c {{ unicorn_rb.output }}    \
-    {{ gitlab_work.location }}/config.ru
+# 3. finally exec to puma
+exec {{ gitlab_puma }}   \
+    -C {{ puma_rb.output }}

software/gitlab/instance-gitlab-export.cfg.in

@@ -54,7 +54,7 @@ input = inline: gitlab-shell-work*
   srv/backup/logrotate/**
   etc/service/postgres-start
   srv/redis/**
-  srv/unicorn/unicorn.socket
+  srv/puma/puma.socket
   .cache
 output = ${directory:srv}/exporter.exclude
 
@@ -71,13 +71,14 @@ context =
   raw     git_location            {{ git_location }}
   raw     bin_directory           ${directory:bin}
   raw     etc_directory           ${directory:etc}
-  raw     run_directory           ${directory:run}
+  raw     var_directory           ${directory:var}
   raw     postgress_script        ${service-postgresql:services}/postgres-start
   raw     redis_script            ${service-redis:wrapper}
-  raw     unicorn_script          ${service-unicorn:wrapper-path}
+  raw     puma_script             ${service-puma:wrapper-path}
   raw     sidekiq_script          ${service-sidekiq:wrapper-path}
   raw     gitlab_backup_dir       ${gitlab-backup-directory:backup-gitlab.git}
   raw     redis_pid_file          ${service-redis:pid-file}
   raw     postgres_pid_file       ${service-postgresql:pgdata-directory}/postmaster.pid
+  raw     puma_pid_file           ${puma:pid}/puma.pid
   raw     gitlab_work_location    ${gitlab-work:location}
   raw     promise_lab_location    ${directory:promise.slow}

software/gitlab/instance-gitlab.cfg.in

@@ -12,7 +12,7 @@ parts =
 
 #   gitlab-<prog>
 # ? mailroom
-{% set gitlab_progv = 'rails rake unicorn sidekiq unicorn-startup' .split() %}
+{% set gitlab_progv = 'rails rake puma sidekiq puma-startup' .split() %}
 {% for prog in gitlab_progv %}
     gitlab-{{ prog }}
 {% endfor %}
@@ -23,7 +23,7 @@ parts =
     gitlab-shell-work
 
     service-gitlab-workhorse
-    service-unicorn
+    service-puma
     service-sidekiq
 
     service-nginx
@@ -51,29 +51,29 @@ offline = true
 
 [worker-processes]
 recipe = slapos.recipe.build
-unicorn-worker-processes = {{ instance_parameter_dict['configuration.unicorn_worker_processes'] }}
+puma-worker-processes = {{ instance_parameter_dict['configuration.puma_worker_processes'] }}
 init =
   import multiprocessing
-  worker_count = int(options['unicorn-worker-processes'])
+  worker_count = int(options['puma-worker-processes'])
   if worker_count == 0:
     # automatically load all available CPUs
     worker_count = multiprocessing.cpu_count() + 1
   worker_count = 2 if worker_count < 2 else worker_count
-  options['unicorn-worker-processes'] = worker_count
+  options['puma-worker-processes'] = worker_count
   options['nginx-worker-processes'] = worker_count -1
 
 [instance-parameter]
 {#- There are dangerous keys like recipe, etc #}
 {#- XXX: Some other approach would be useful #}
 {%- set DROP_KEY_LIST = ['recipe', '__buildout_signature__', 'computer', 'partition', 'url', 'key', 'cert',
-                         'configuration.unicorn_worker_processes', 'configuration.nginx_worker_processes'] %}
+                         'configuration.puma_worker_processes', 'configuration.nginx_worker_processes'] %}
 {%- for key, value in instance_parameter_dict.items() -%}
 {%-   if key not in DROP_KEY_LIST %}
 {{ key }} = {{ value }}
 {%-   endif -%}
 {%- endfor %}
 # settings for worker processes:
-configuration.unicorn_worker_processes = ${worker-processes:unicorn-worker-processes}
+configuration.puma_worker_processes = ${worker-processes:puma-worker-processes}
 configuration.nginx_worker_processes   = ${worker-processes:nginx-worker-processes}
 
 
@@ -251,7 +251,7 @@ context-extra =
     section gitlab                  gitlab
     section gitlab_shell            gitlab-shell
     section gitlab_shell_work       gitlab-shell-work
-    section unicorn                 unicorn
+    section puma                    puma
     section service_redis           service-redis
     raw     redis_binprefix         {{ redis_binprefix }}
 
@@ -263,6 +263,7 @@ context-extra =
     section gitlab                  gitlab
     section gitlab_shell            gitlab-shell
     section gitlab_shell_work       gitlab-shell-work
+    section gitlab_workhorse        gitlab-workhorse
     section gitaly                  gitaly
 
 [nginx.conf]
@@ -294,10 +295,6 @@ context-extra =
     section gitlab_workhorse        gitlab-workhorse
     section gitaly                  gitaly
 
-[rack_attack.rb]
-<= gitlab-etc-template
-url = {{ rack_attack_rb_in }}
-
 [resque.yml]
 <= gitlab-etc-template
 url = {{ resque_yml_in }}
@@ -310,11 +307,11 @@ url = {{ smtp_settings_rb_in }}
 # contains smtp password
 mode    = 0600
 
-[unicorn.rb]
+[puma.rb]
 <= gitlab-etc-template
-url = {{ unicorn_rb_in }}
+url = {{ puma_rb_in }}
 context-extra =
-    section unicorn                 unicorn
+    section puma                    puma
     section directory               directory
     section gitlab_work             gitlab-work
 
@@ -344,20 +341,20 @@ prog    = {{ prog }}
 {% endfor %}
 
 
-[gitlab-unicorn-startup]
+[gitlab-puma-startup]
 recipe  = slapos.recipe.template:jinja2
 mode    = 0755
-url = {{ gitlab_unicorn_startup_in }}
+url = {{ gitlab_puma_startup_in }}
 output= ${directory:bin}/${:_buildout_section_name_}
 context =
     raw     bash_bin                {{ bash_bin }}
     raw     gitlab_rake             ${gitlab-rake:wrapper-path}
-    raw     gitlab_unicorn          ${gitlab-unicorn:wrapper-path}
+    raw     gitlab_puma            ${gitlab-puma:wrapper-path}
     raw     psql_bin                {{ postgresql_location }}/bin/psql
     section pgsql                   service-postgresql
     raw     log_dir                 ${gitlab:log}
     raw     var_dir                 ${directory:var}
-    section unicorn_rb              unicorn.rb
+    section puma_rb                 puma.rb
     section gitlab_work             gitlab-work
 
 
@@ -425,15 +422,13 @@ tune-command =
     ln -sf ${gitlab-workhorse:secret} .gitlab_workhorse_secret
 # config/
     cd config  &&
-    ln -sf ${unicorn.rb:output} unicorn.rb  &&
+    ln -sf ${puma.rb:output} puma.rb  &&
     ln -sf ${gitlab.yml:output} gitlab.yml  &&
     ln -sf ${database.yml:output} database.yml  &&
     ln -sf ${resque.yml:output} resque.yml  &&
     ln -sf ${secrets:secrets}/gitlab_secrets.yml secrets.yml  &&
 # config/initializers/
     cd initializers  &&
-#    rack_attack.rb is not present in gitlab13 config
-#    ln -sf ${rack_attack.rb:output} rack_attack.rb  &&
     ln -sf ${smtp_settings.rb:output} smtp_settings.rb  &&
 # public/
     cd ../../public  &&
@@ -578,7 +573,7 @@ wrapper-path    = ${directory:service}/gitlab-workhorse
 command-line    = {{ gitlab_workhorse }}
     -listenNetwork unix
     -listenAddr ${gitlab-workhorse:socket}
-    -authSocket ${unicorn:socket}
+    -authSocket ${puma:socket}
     -documentRoot ${gitlab-work:location}/public
     -secretPath ${gitlab-workhorse:secret}
     -logFile ${gitlab-workhorse:log}
@@ -611,41 +606,43 @@ config-command     = {{ curl_bin }} --unix-socket ${gitlab-workhorse:socket}  ht
 
 
 ######################
-#   unicorn worker   #
+#   puma worker   #
 ######################
-[unicorn-dir]
+[puma-dir]
 recipe  = slapos.cookbook:mkdirectory
-srv     = ${directory:srv}/unicorn
-log     = ${directory:log}/unicorn
+srv     = ${directory:srv}/puma
+log     = ${directory:log}/puma
+pid     = ${directory:srv}/pids
 
-[unicorn]
-srv     = ${unicorn-dir:srv}
-log     = ${unicorn-dir:log}
-socket  = ${directory:srv}/unicorn.socket
+[puma]
+srv     = ${puma-dir:srv}
+log     = ${puma-dir:log}
+socket  = ${puma-dir:srv}/puma.socket
+pid     = ${puma-dir:pid}
 
-[service-unicorn]
+[service-puma]
 recipe  = slapos.cookbook:wrapper
-wrapper-path    = ${directory:service}/unicorn
-# NOTE we perform db setup / migrations as part of unicorn startup.
+wrapper-path    = ${directory:service}/puma
+# NOTE we perform db setup / migrations as part of puma startup.
 # Those operations require PG and Redis to be up and running already, that's
-# why we do it here. See gitlab-unicorn-startup for details.
-command-line    = ${gitlab-unicorn-startup:output}
+# why we do it here. See gitlab-puma-startup for details.
+command-line    = ${gitlab-puma-startup:output}
 
 depend  =
-    ${promise-unicorn:recipe}
+    ${promise-puma:recipe}
     ${promise-gitlab-app:recipe}
     ${promise-gitlab-shell:recipe}
 
-    ${logrotate-entry-unicorn:recipe}
-# gitlab is a service "run" under unicorn
+    ${logrotate-entry-puma:recipe}
+# gitlab is a service "run" under puma
 # gitlab-shell is called by gitlab
 # -> associate their logs rotation to here
     ${logrotate-entry-gitlab:recipe}
 
 
-[promise-unicorn]
+[promise-puma]
 <= promise-byurl
-config-command = {{ curl_bin }} --unix-socket ${unicorn:socket}  http://localhost/
+config-command = {{ curl_bin }} --unix-socket ${puma:socket}  http://localhost/
 
 [promise-rakebase]
 recipe  = slapos.cookbook:wrapper
@@ -667,10 +664,10 @@ command-line    = ${:rake} gitlab:gitlab_shell:check
 # rake gitlab:repo:check        (fsck all repos)
 
 
-[logrotate-entry-unicorn]
+[logrotate-entry-puma]
 <= logrotate-entry-base
-log     = ${unicorn:log}/*.log
-name    = unicorn
+log     = ${puma:log}/*.log
+name    = puma
 copytruncate = true
 
 [logrotate-entry-gitlab]
@@ -844,8 +841,8 @@ environment =
 # 6. on-reinstantiate actions
 
 # NOTE here we only recompile assets. Other on-reinstantiate actions, which
-# require pg and redis running, are performed as part of unicorn service -
-# right before its startup (see gitlab-unicorn-startup).
+# require pg and redis running, are performed as part of puma service -
+# right before its startup (see gitlab-puma-startup).
 [on-reinstantiate]
 recipe  = plone.recipe.command
 stop-on-error   = true

software/gitlab/instance.cfg.in

@@ -89,17 +89,16 @@ context =
     raw gitconfig_in                ${gitconfig.in:target}
     raw monitor_template            ${monitor2-template:output}
     raw gitlab_shell_config_yml_in  ${gitlab-shell-config.yml.in:target}
-    raw gitlab_unicorn_startup_in   ${gitlab-unicorn-startup.in:target}
+    raw gitlab_puma_startup_in      ${gitlab-puma-startup.in:target}
     raw gitlab_yml_in               ${gitlab.yml.in:target}
     raw gitaly_config_toml_in       ${gitaly-config.toml.in:target}
     raw macrolib_cfg_in             ${macrolib.cfg.in:target}
     raw nginx_conf_in               ${nginx.conf.in:target}
     raw nginx_gitlab_http_conf_in   ${nginx-gitlab-http.conf.in:target}
-    raw rack_attack_rb_in           ${rack_attack.rb.in:target}
     raw resque_yml_in               ${resque.yml.in:target}
     raw smtp_settings_rb_in         ${smtp_settings.rb.in:target}
     raw gitlab_restore_sh_in        ${template-gitlab-resiliency-restore.sh.in:target}
-    raw unicorn_rb_in               ${unicorn.rb.in:target}
+    raw puma_rb_in                  ${puma.rb.in:target}
 
     $${:context-extra}
 context-extra =

software/gitlab/software.cfg

@@ -186,6 +186,7 @@ configure-command = cd ${:path} &&
     ${:bundle} config --local build.nokogiri --with-zlib-dir=${zlib:location} --with-cflags=-I${xz-utils:location}/include --with-ldflags="-L${xz-utils:location}/lib -Wl,-rpath=${xz-utils:location}/lib"
     ${:bundle} config --local build.rugged --use-system-libraries --with-git2-dir=${libgit2:location}
     ${:bundle} config --local build.openssl --with-openssl-dir=${openssl:location}
+    ${:bundle} config --local build.puma --with-openssl-dir=${openssl:location}
     ${:bundle} config set without 'development test mysql aws kerberos'
     ${:bundle} config set deployment 'true'
 
@@ -251,7 +252,7 @@ path = ${gitlab-repository:location}/workhorse
 configure-command = :
 make-binary =
 make-targets =
- . ${gowork:env.sh} && make test && make install PREFIX=${gowork:directory}
+ . ${gowork:env.sh} && make install PREFIX=${gowork:directory}
 binary = ${gowork:bin}/${:_buildout_section_name_}
 
 [gitlab-backup]
@@ -363,7 +364,7 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
 [gitlab-shell-config.yml.in]
 <= download-file
 
-[gitlab-unicorn-startup.in]
+[gitlab-puma-startup.in]
 <= download-file
 
 [gitlab.yml.in]
@@ -387,9 +388,6 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
 [nginx.conf.in]
 <= download-file
 
-[rack_attack.rb.in]
-<= download-file
-
 [resque.yml.in]
 <= download-file
 
@@ -399,14 +397,9 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
 [template-gitlab-resiliency-restore.sh.in]
 <= download-file
 
-[unicorn.rb.in]
+[puma.rb.in]
 <= download-file
 
-[gitlab-demo-backup.git]
-recipe = slapos.recipe.build:download-unpacked
-url = https://lab.nexedi.com/alain.takoudjou/labdemo.backup/repository/archive.tar.gz?ref=master
-md5sum = d40e5e211dc9a4e5ada9c0250377c639
-
 [versions]
 docutils = 0.16
 cns.recipe.symlink = 0.2.3

software/gitlab/template/gitaly-config.toml.in

@@ -36,15 +36,11 @@ internal_socket_dir = "{{ gitaly.internal_socket }}"
 # # Git settings
 [git]
 bin_path = "{{ git }}"
-# # Maximum number of cached 'cat-file' processes, which constitute a pair of 'git cat-file --batch' and
-# # 'git cat-file --batch-check' processes. Defaults to '100'.
 # catfile_cache_size = 100
 
 # [[git.config]]
 # key = fetch.fsckObjects
 # value = true
-# # Storages are the directories where Gitaly stores its data such as the repositories and runtime state.
-# # Each storage must have a unique name.
 
 [[storage]]
 name = "default"
@@ -70,8 +66,8 @@ level = "warn"
 #
 # # Additionally exceptions from the Go server can be reported to Sentry
 # sentry_dsn = "https://<key>:<secret>@sentry.io/<project>"
-# # Sentry Environment for exception monitoring.
-sentry_environment = ""
+# # Exceptions from gitaly-ruby can also be reported to Sentry
+# ruby_sentry_dsn = "https://<key>:<secret>@sentry.io/<project>"
 
 
 # # You can optionally configure Gitaly to record histogram latencies on GRPC method calls
@@ -133,3 +129,16 @@ url = "http+unix://{{ urllib.parse.unquote_plus(gitlab_workhorse.socket) }}"
 # duration = "45m"
 # storages = ["default"]
 # disabled = false
+
+# [cgroups]
+# count = 10
+# mountpoint = "/sys/fs/cgroup"
+# hierarchy_root = "gitaly"
+
+# [cgroups.memory]
+# enabled = true
+# limit = 1048576
+
+# [cgroups.cpu]
+# enabled = true
+# shares = 512

software/gitlab/template/gitconfig.in

@@ -12,15 +12,24 @@
 [pack]
         threads = 1
 
+# Enable packfile bitmaps
+[repack]
+        writeBitmaps = true
+
 # don't allow corrupt/broken objects to go in
+# Enable push (advertisePushOptions) options
 [receive]
         fsckObjects = true
-
+        advertisePushOptions = true
 
 [user]
         name = {{ cfg('email_display_name') }}
         email = {{ cfg('email_from') }}
+
+# Enable fsyncObjectFiles to reduce risk of repository corruption if the server crashes
 [core]
         autocrlf = input
+        fsyncObjectFiles = true
 [gc]
         auto = 0
+

software/gitlab/template/gitlab-shell-config.yml.in

@@ -7,8 +7,9 @@
 # GitLab user. git by default
 user: {{ backend_info.user }}
 
-# Url to gitlab instance. Used for api calls. Should end with a slash.
-gitlab_url: "http+unix://{{ urllib.parse.quote_plus(unicorn.socket) }}/"
+# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
+# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
+gitlab_url: "http+unix://{{ urllib.parse.quote_plus(puma.socket) }}/"
 
 http_settings:
 {# we don't need any

software/gitlab/template/gitlab.yml.in

 {{ autogenerated }}
-# see:
-# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example
-# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
-# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
 
 {% from 'macrolib.cfg.in' import cfg, cfg_https, external_url  with context %}
 
+# # # # # # # # # # # # # # # # # #
+# GitLab application config file  #
+# # # # # # # # # # # # # # # # # #
+#
+###########################  NOTE  #####################################
+# This file should not receive new settings. All configuration options #
+# * are being moved to ApplicationSetting model!                       #
+# If a setting requires an application restart say so in that screen.  #
+# If you change this file in a merge request, please also create       #
+# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
+# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
+########################################################################
+#
+#
+# How to use:
+# 1. Copy file as gitlab.yml
+# 2. Update gitlab -> host with your fully qualified domain name
+# 3. Update gitlab -> email_from
+# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
+#    IMPORTANT: If Git was installed in a different location use that instead.
+#    You can check with `which git`. If a wrong path of Git is specified, it will
+#     result in various issues such as failures of GitLab CI builds.
+# 5. Review this configuration file for other settings you may want to adjust
+
+
+
 production: &base
   #
   # 1. GitLab app settings
@@ -497,6 +519,11 @@ production: &base
     # gitlab-shell needs to be set to true
     git_annex_enabled: <%= @git_annex_enabled %>
 
+workhorse:
+    # File that contains the secret key for verifying access for gitlab-workhorse.
+    # secret_file: {{ gitlab_workhorse.secret }}
+
+
   ## Git settings
   # CAUTION!
   # Use the default values unless you really know what you are doing
@@ -538,6 +565,22 @@ production: &base
     {# ICP: '{{ cfg("icp_license") }}' #}
     {% endif %}
 
+rack_attack:
+    git_basic_auth:
+      # Rack Attack IP banning enabled
+      enabled: {{ cfg("rack_attack_enable") }}
+      #
+      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
+      ip_whitelist: [{{ cfg("rack_attack_ip_whitelist")}}]
+      #
+      # Limit the number of Git HTTP authentication attempts per IP
+      maxretry: {{ cfg("rack_attack_max_retry") }}
+      #
+      # Reset the auth attempt counter per IP after 60 seconds
+      findtime: {{ cfg("rack_attack_find_time") }}
+      #
+      # Ban an IP for one hour (3600s) after too many auth attempts
+      bantime: {{ cfg("rack_attack_ban_time") }}
 
 development:
   <<: *base

software/gitlab/template/puma.rb.in

+
+# see: https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-cookbooks/gitlab/templates/default/puma.rb.erb
+
+{% from 'macrolib.cfg.in' import cfg  with context %}
+# frozen_string_literal: true
+
+# Load "path" as a rackup file.
+#
+# The default is "config.ru".
+#
+rackup 'config.ru'
+pidfile '{{ puma.pid }}/puma.pid'
+state_path '{{ puma.pid }}/puma.state'
+
+stdout_redirect '{{ puma.log }}/puma.stdout.log',
+  '{{ puma.log }}/puma.stderr.log',
+  true
+
+# Configure "min" to be the minimum number of threads to use to answer
+# requests and "max" the maximum.
+#
+# The default is "0, 16".
+#
+threads {{ cfg("puma_min_threads") }}, {{ cfg("puma_max_threads") }}
+
+# By default, workers accept all requests and queue them to pass to handlers.
+# When false, workers accept the number of simultaneous requests configured.
+#
+# Queueing requests generally improves performance, but can cause deadlocks if
+# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
+#
+# When set to false this may require a reverse proxy to handle slow clients and
+# queue requests before they reach puma. This is due to disabling HTTP keepalive
+queue_requests false
+
+# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
+# accepted protocols.
+bind 'unix://{{ puma.socket }}'
+
+directory '{{ gitlab_work.location }}'
+workers {{ cfg("puma_worker_processes") }}
+
+require_relative "{{ gitlab_work.location }}/lib/gitlab/cluster/lifecycle_events"
+require_relative "{{ gitlab_work.location }}/lib/gitlab/cluster/puma_worker_killer_initializer"
+
+on_restart do
+  # Signal application hooks that we're about to restart
+  Gitlab::Cluster::LifecycleEvents.do_before_master_restart
+end
+
+options = { workers: {{ cfg("puma_worker_processes") }} }
+
+before_fork do
+  # Signal to the puma killer
+  Gitlab::Cluster::PumaWorkerKillerInitializer.start options unless ENV['DISABLE_PUMA_WORKER_KILLER']
+
+  # Signal application hooks that we're about to fork
+  Gitlab::Cluster::LifecycleEvents.do_before_fork
+end
+
+Gitlab::Cluster::LifecycleEvents.set_puma_options options
+on_worker_boot do
+  # Signal application hooks of worker start
+  Gitlab::Cluster::LifecycleEvents.do_worker_start
+end
+
+# Preload the application before starting the workers; this conflicts with
+# phased restart feature. (off by default)
+preload_app!
+
+tag 'gitlab-puma-worker'
+
+# Verifies that all workers have checked in to the master process within
+# the given timeout. If not the worker process will be restarted. Default
+# value is 60 seconds.
+#
+worker_timeout {{ cfg("puma_worker_timeout") }}
+
+# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput
+wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f
+
+# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#nakayoshi_fork
+nakayoshi_fork unless ENV['DISABLE_PUMA_NAKAYOSHI_FORK'] == 'true'
+
+# Use json formatter
+require_relative "{{ gitlab_work.location }}/lib/gitlab/puma_logging/json_formatter"
+
+json_formatter = Gitlab::PumaLogging::JSONFormatter.new
+log_formatter do |str|
+  json_formatter.call(str)
+end

software/gitlab/template/rack_attack.rb.in

-{{ autogenerated }}
-# see:
-# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example
-# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
-# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
-
-{% from 'macrolib.cfg.in' import cfg  with context %}
-
-# 1. Rename this file to rack_attack.rb
-# 2. Review the paths_to_be_protected and add any other path you need protecting
-#
-
-paths_to_be_protected = [
-  "#{Rails.application.config.relative_url_root}/users/password",
-  "#{Rails.application.config.relative_url_root}/users/sign_in",
-  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
-  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
-  "#{Rails.application.config.relative_url_root}/users",
-  "#{Rails.application.config.relative_url_root}/users/confirmation",
-  "#{Rails.application.config.relative_url_root}/unsubscribes/"
-
-]
-
-# Create one big regular expression that matches strings starting with any of
-# the paths_to_be_protected.
-paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
-rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
-
-unless Rails.env.test? || !rack_attack_enabled
-  Rack::Attack.throttle('protected paths', limit: {{ cfg('rate_limit_requests_per_period') }}, period: {{ cfg('rate_limit_period') }}.seconds) do |req|
-    if req.post? && req.path =~ paths_regex
-      req.ip
-    end
-  end
-end

software/gitlab/template/smtp_settings.rb.in

@@ -21,8 +21,6 @@ if Rails.env.production?
     enable_starttls_auto:   {{ cfg('smtp_enable_starttls_auto') }},
     # ssl:
     openssl_verify_mode:    '{{ cfg("smtp_openssl_verify_mode") }}'
-    # ca_path:
-    # ca_file:
   }
 end
 {% else %}

software/gitlab/template/template-gitlab-resiliency-restore.sh.in

@@ -21,15 +21,15 @@ redis_pid_file="{{ redis_pid_file }}"
 postgres_pid_file="{{ postgres_pid_file }}"
 
 bin_location="{{ bin_directory }}"
-run_location="{{ run_directory }}"
 git_location="{{ git_location }}"
 go_work_bin="{{ go_work_bin }}"
 etc_location="{{ etc_directory }}"
 gitlab_work="{{ gitlab_work_location }}"
 promise_check="{{ promise_lab_location }}"
-unicorn_script="{{ unicorn_script }}"
+puma_script="{{ puma_script }}"
+puma_pid_file="{{ puma_pid_file }}"
 sidekiq_script="{{ sidekiq_script }}"
-var_location="{{ run_directory }}/.."
+var_location="{{ var_directory }}"
 
 # export GIT_EXEC_PATH=$git_location/libexec/git-core/
 
@@ -56,7 +56,7 @@ kill_process () {
 
 check_process $postgres_pid_file "Postgres"
 check_process $redis_pid_file "Redis"
-check_process $run_location/unicorn.pid "Unicorn"
+check_process $puma_pid_file "Puma"
 
 if [ -f "$postgres_pid_file" ]; then
   rm $postgres_pid_file
@@ -90,14 +90,14 @@ echo "Checking gitlab promises..."
 echo "[info] Not all promises are checked!"
 $promise_check/gitlab-app
 
-echo "Starting Unicorn to check gitlab-shell promise..."
-$unicorn_script &
-unicorn_pid=$!
-trap "kill $postgres_pid $redis_pid $unicorn_pid" EXIT TERM INT
+echo "Starting Puma to check gitlab-shell promise..."
+$puma_script &
+puma_pid=$!
+trap "kill $postgres_pid $redis_pid $puma_pid" EXIT TERM INT
 sleep 60
-if [ -s "$run_location/unicorn.pid" ]; then
-  unicorn_ppid=$(head -n 1 $run_location/unicorn.pid) > /dev/null 2>&1
-  trap "kill $postgres_pid $redis_pid $unicorn_ppid" EXIT TERM INT
+if [ -s "$puma_pid_file" ]; then
+  puma_pid=$(head -n 1 $puma_pid_file) > /dev/null 2>&1
+  trap "kill $postgres_pid $redis_pid $puma_pid" EXIT TERM INT
 fi
 $promise_check/gitlab-shell
 
@@ -109,7 +109,7 @@ $promise_check/gitlab-shell
 
 kill_process $postgres_pid
 kill_process $redis_pid
-kill_process $unicorn_pid
+kill_process $puma_pid
 
 RESTORE_EXIT_CODE=$?