1cd727c6
Commit
1cd727c6
authored
Apr 05, 2024
by
Alain Takoudjou
gitlab: fixes, puma is now used by default instead of unicorn
parent
ead9b432
Changes
15
Showing
15 changed files
with
261 additions
and
154 deletions
+261
-154
software/gitlab/buildout.hash.cfg
software/gitlab/buildout.hash.cfg
+16
-20
software/gitlab/gitlab-parameters.cfg
software/gitlab/gitlab-parameters.cfg
+9
-4
software/gitlab/gitlab-puma-startup.in
software/gitlab/gitlab-puma-startup.in
+5
-5
software/gitlab/instance-gitlab-export.cfg.in
software/gitlab/instance-gitlab-export.cfg.in
+4
-3
software/gitlab/instance-gitlab.cfg.in
software/gitlab/instance-gitlab.cfg.in
+43
-46
software/gitlab/instance.cfg.in
software/gitlab/instance.cfg.in
+2
-3
software/gitlab/software.cfg
software/gitlab/software.cfg
+4
-11
software/gitlab/template/gitaly-config.toml.in
software/gitlab/template/gitaly-config.toml.in
+15
-6
software/gitlab/template/gitconfig.in
software/gitlab/template/gitconfig.in
+10
-1
software/gitlab/template/gitlab-shell-config.yml.in
software/gitlab/template/gitlab-shell-config.yml.in
+3
-2
software/gitlab/template/gitlab.yml.in
software/gitlab/template/gitlab.yml.in
+47
-4
software/gitlab/template/puma.rb.in
software/gitlab/template/puma.rb.in
+91
-0
software/gitlab/template/rack_attack.rb.in
software/gitlab/template/rack_attack.rb.in
+0
-35
software/gitlab/template/smtp_settings.rb.in
software/gitlab/template/smtp_settings.rb.in
+0
-2
software/gitlab/template/template-gitlab-resiliency-restore.sh.in
.../gitlab/template/template-gitlab-resiliency-restore.sh.in
+12
-12
software/gitlab/buildout.hash.cfg
...
...
@@ -14,7 +14,7 @@
# not need these here).
[instance.cfg]
filename = instance.cfg.in
md5sum =
31b04cdc566bc7072a834c931a5c1305
md5sum =
956ae53af22b551fbb087415e835868b
[watcher]
_update_hash_filename_ = watcher.in
...
...
@@ -30,35 +30,35 @@ md5sum = 61d1d04b9347b3168a1ad7676e4681ef
[gitconfig.in]
_update_hash_filename_ = template/gitconfig.in
md5sum =
eb1230fee50067924ba89f4dc6e82fa9
md5sum =
c559a24ab6281268b608ed3bccb8e4ce
[gitlab-parameters.cfg]
_update_hash_filename_ = gitlab-parameters.cfg
md5sum =
cfda6d959bb90bf0b9c947383f45ce0a
md5sum =
f02bc3416d9597c6bc6bf627db732dbf
[gitlab-shell-config.yml.in]
_update_hash_filename_ = template/gitlab-shell-config.yml.in
md5sum =
c57a64fd4940c18a5c325da1da8d2f7c
md5sum =
70d394305f4e1482a5c1a673b0762c6a
[gitlab-
unicorn
-startup.in]
_update_hash_filename_ = gitlab-
unicorn
-startup.in
md5sum =
705825e6d8c6b37699f1321805d09de3
[gitlab-
puma
-startup.in]
_update_hash_filename_ = gitlab-
puma
-startup.in
md5sum =
0bec1b52f6345024a76ee9a18d98e752
[gitlab.yml.in]
_update_hash_filename_ = template/gitlab.yml.in
md5sum =
671604bb2aee6fdf2238e7df61aea3be
md5sum =
72171b2a3628be79f4b57f8249c64882
[gitaly-config.toml.in]
_update_hash_filename_ = template/gitaly-config.toml.in
md5sum =
b0d37a41f280089f83afac0347ad5671
md5sum =
d769ea27820e932c596c35bbbf3f2902
[instance-gitlab.cfg.in]
_update_hash_filename_ = instance-gitlab.cfg.in
md5sum =
33f6f505502722cf3203e7228c5b211e
md5sum =
17a17668b4b6f6a3f518713b60c43fa6
[instance-gitlab-export.cfg.in]
_update_hash_filename_ = instance-gitlab-export.cfg.in
md5sum =
b1921bebb75f71c8d3a25386eea6f878
md5sum =
c8231583d04bf0d3fe2d26230b94d78d
[macrolib.cfg.in]
_update_hash_filename_ = macrolib.cfg.in
...
...
@@ -72,22 +72,18 @@ md5sum = 4980c1571a4dd7753aaa60d065270849
_update_hash_filename_ = template/nginx.conf.in
md5sum = 8c904510eb39dc212204f68f2b81b068
[rack_attack.rb.in]
_update_hash_filename_ = template/rack_attack.rb.in
md5sum = 7d0e6dc6b826f6df6b20d8574a29e2f8
[resque.yml.in]
_update_hash_filename_ = template/resque.yml.in
md5sum = 7c89a730889e3224548d9abe51a2d719
[smtp_settings.rb.in]
_update_hash_filename_ = template/smtp_settings.rb.in
md5sum =
4e1ced687a86e4cfff2dde91237e3942
md5sum =
b1becd9ec4c2eeefe573af4bb53c9751
[template-gitlab-resiliency-restore.sh.in]
_update_hash_filename_ = template/template-gitlab-resiliency-restore.sh.in
md5sum = 8
7f16b4f4a2370acada46b2751ef3366
md5sum = 8
ce31a27e814e750dfd38c92a278fb9e
[
unicorn
.rb.in]
_update_hash_filename_ = template/
unicorn
.rb.in
md5sum =
c2a0f5c50ba2198baea9d764cd119d97
[
puma
.rb.in]
_update_hash_filename_ = template/
puma
.rb.in
md5sum =
707c0c713af41518d21724c1be8efe22
software/gitlab/gitlab-parameters.cfg
...
...
@@ -15,8 +15,11 @@ configuration.external_url = https://lab.example.com
configuration.db_pool = 10
# rack-attack
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_period = 60
configuration.rack_attack_enable = true
configuration.rack_attack_max_retry = 10
configuration.rack_attack_find_time = 60
configuration.rack_attack_ban_time = 3600
configuration.rack_attack_ip_whitelist =
configuration.time_zone = UTC
...
...
@@ -64,8 +67,10 @@ configuration.sidekiq_memory_killer_max_rss = 1000000
# unicorn
configuration.unicorn_worker_timeout = 60
configuration.unicorn_worker_processes = 2
configuration.puma_worker_timeout = 60
configuration.puma_worker_processes = 2
configuration.puma_min_threads = 1
configuration.puma_max_threads = 16
# unicorn advanced
configuration.unicorn_backlog_socket = 1024
...
...
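Review bot: The two `configuration.rate_limit_*` parameters dropped in the first hunk fed the throttle on POSTs to the sign-in and password paths in template/rack_attack.rb.in, which this commit deletes, while the `rack_attack_*` values that replace them are only rendered under `rack_attack: git_basic_auth:` in gitlab.yml.in, whose comments describe Git HTTP authentication attempts. Nothing visible in the commit replaces the protected-path throttle, so it presumably has to be configured in the application's own settings after the upgrade; a line such as `# rack-attack: git basic auth banning only; protected-path throttling is no longer configured here` above the block would make that explicit. In the second hunk the `# unicorn` heading now sits above the `puma_*` keys and should read `# puma`.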
software/gitlab/gitlab-
unicorn
-startup.in
→
software/gitlab/gitlab-
puma
-startup.in
...
...
@@ -38,6 +38,8 @@ echo "I: PostgreSQL ready." 1>&2
# make sure pg_trgm extension is enabled for gitlab db
psql -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;' || die "pg_trgm setup failed"
psql -c 'CREATE EXTENSION IF NOT EXISTS btree_gist;' || die "pg_trgm setup failed"
if echo "$pgtables" | grep -q '^Did not find any relations' ; then
$RAKE gitlab:setup RAILS_ENV=production force=yes || die "initial db setup failed"
fi
...
...
@@ -70,8 +72,6 @@ $RAKE cache:clear || die "cache:clear failed"
force=yes $RAKE gitlab:shell:setup || die "gitlab:shell:setup failed"
# 3. finally exec to unicorn
exec {{ gitlab_unicorn }} \
-E production \
-c {{ unicorn_rb.output }} \
{{ gitlab_work.location }}/config.ru
# 3. finally exec to puma
exec {{ gitlab_puma }} \
-C {{ puma_rb.output }}
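Review bot: The added `btree_gist` line in the first hunk reuses the pg_trgm failure text, so a failed `CREATE EXTENSION ... btree_gist` would be reported as a pg_trgm problem; it should read `psql -c 'CREATE EXTENSION IF NOT EXISTS btree_gist;' || die "btree_gist setup failed"`. The comment above the two statements still names only pg_trgm; `# make sure pg_trgm and btree_gist extensions are enabled for gitlab db` would match what the code now does.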
software/gitlab/instance-gitlab-export.cfg.in
...
...
@@ -54,7 +54,7 @@ input = inline: gitlab-shell-work*
srv/backup/logrotate/**
etc/service/postgres-start
srv/redis/**
srv/
unicorn/unicorn
.socket
srv/
puma/puma
.socket
.cache
output = ${directory:srv}/exporter.exclude
...
...
@@ -71,13 +71,14 @@ context =
raw git_location {{ git_location }}
raw bin_directory ${directory:bin}
raw etc_directory ${directory:etc}
raw
run_directory ${directory:run
}
raw
var_directory ${directory:var
}
raw postgress_script ${service-postgresql:services}/postgres-start
raw redis_script ${service-redis:wrapper}
raw
unicorn_script ${service-unicorn
:wrapper-path}
raw
puma_script ${service-puma
:wrapper-path}
raw sidekiq_script ${service-sidekiq:wrapper-path}
raw gitlab_backup_dir ${gitlab-backup-directory:backup-gitlab.git}
raw redis_pid_file ${service-redis:pid-file}
raw postgres_pid_file ${service-postgresql:pgdata-directory}/postmaster.pid
raw puma_pid_file ${puma:pid}/puma.pid
raw gitlab_work_location ${gitlab-work:location}
raw promise_lab_location ${directory:promise.slow}
software/gitlab/instance-gitlab.cfg.in
...
...
@@ -12,7 +12,7 @@ parts =
# gitlab-<prog>
# ? mailroom
{% set gitlab_progv = 'rails rake
unicorn sidekiq unicorn
-startup' .split() %}
{% set gitlab_progv = 'rails rake
puma sidekiq puma
-startup' .split() %}
{% for prog in gitlab_progv %}
gitlab-{{ prog }}
{% endfor %}
...
...
@@ -23,7 +23,7 @@ parts =
gitlab-shell-work
service-gitlab-workhorse
service-
unicorn
service-
puma
service-sidekiq
service-nginx
...
...
@@ -51,29 +51,29 @@ offline = true
[worker-processes]
recipe = slapos.recipe.build
unicorn-worker-processes = {{ instance_parameter_dict['configuration.unicorn
_worker_processes'] }}
puma-worker-processes = {{ instance_parameter_dict['configuration.puma
_worker_processes'] }}
init =
import multiprocessing
worker_count = int(options['
unicorn
-worker-processes'])
worker_count = int(options['
puma
-worker-processes'])
if worker_count == 0:
# automatically load all available CPUs
worker_count = multiprocessing.cpu_count() + 1
worker_count = 2 if worker_count < 2 else worker_count
options['
unicorn
-worker-processes'] = worker_count
options['
puma
-worker-processes'] = worker_count
options['nginx-worker-processes'] = worker_count -1
[instance-parameter]
{#- There are dangerous keys like recipe, etc #}
{#- XXX: Some other approach would be useful #}
{%- set DROP_KEY_LIST = ['recipe', '__buildout_signature__', 'computer', 'partition', 'url', 'key', 'cert',
'configuration.
unicorn
_worker_processes', 'configuration.nginx_worker_processes'] %}
'configuration.
puma
_worker_processes', 'configuration.nginx_worker_processes'] %}
{%- for key, value in instance_parameter_dict.items() -%}
{%- if key not in DROP_KEY_LIST %}
{{ key }} = {{ value }}
{%- endif -%}
{%- endfor %}
# settings for worker processes:
configuration.
unicorn_worker_processes = ${worker-processes:unicorn
-worker-processes}
configuration.
puma_worker_processes = ${worker-processes:puma
-worker-processes}
configuration.nginx_worker_processes = ${worker-processes:nginx-worker-processes}
...
...
@@ -251,7 +251,7 @@ context-extra =
section gitlab gitlab
section gitlab_shell gitlab-shell
section gitlab_shell_work gitlab-shell-work
section
unicorn unicorn
section
puma puma
section service_redis service-redis
raw redis_binprefix {{ redis_binprefix }}
...
...
@@ -263,6 +263,7 @@ context-extra =
section gitlab gitlab
section gitlab_shell gitlab-shell
section gitlab_shell_work gitlab-shell-work
section gitlab_workhorse gitlab-workhorse
section gitaly gitaly
[nginx.conf]
...
...
@@ -294,10 +295,6 @@ context-extra =
section gitlab_workhorse gitlab-workhorse
section gitaly gitaly
[rack_attack.rb]
<= gitlab-etc-template
url = {{ rack_attack_rb_in }}
[resque.yml]
<= gitlab-etc-template
url = {{ resque_yml_in }}
...
...
@@ -310,11 +307,11 @@ url = {{ smtp_settings_rb_in }}
# contains smtp password
mode = 0600
[
unicorn
.rb]
[
puma
.rb]
<= gitlab-etc-template
url = {{
unicorn
_rb_in }}
url = {{
puma
_rb_in }}
context-extra =
section
unicorn unicorn
section
puma puma
section directory directory
section gitlab_work gitlab-work
...
...
@@ -344,20 +341,20 @@ prog = {{ prog }}
{% endfor %}
[gitlab-
unicorn
-startup]
[gitlab-
puma
-startup]
recipe = slapos.recipe.template:jinja2
mode = 0755
url = {{ gitlab_
unicorn
_startup_in }}
url = {{ gitlab_
puma
_startup_in }}
output= ${directory:bin}/${:_buildout_section_name_}
context =
raw bash_bin {{ bash_bin }}
raw gitlab_rake ${gitlab-rake:wrapper-path}
raw gitlab_
unicorn ${gitlab-unicorn
:wrapper-path}
raw gitlab_
puma ${gitlab-puma
:wrapper-path}
raw psql_bin {{ postgresql_location }}/bin/psql
section pgsql service-postgresql
raw log_dir ${gitlab:log}
raw var_dir ${directory:var}
section
unicorn_rb unicorn
.rb
section
puma_rb puma
.rb
section gitlab_work gitlab-work
...
...
@@ -425,15 +422,13 @@ tune-command =
ln -sf ${gitlab-workhorse:secret} .gitlab_workhorse_secret
# config/
cd config &&
ln -sf ${
unicorn.rb:output} unicorn
.rb &&
ln -sf ${
puma.rb:output} puma
.rb &&
ln -sf ${gitlab.yml:output} gitlab.yml &&
ln -sf ${database.yml:output} database.yml &&
ln -sf ${resque.yml:output} resque.yml &&
ln -sf ${secrets:secrets}/gitlab_secrets.yml secrets.yml &&
# config/initializers/
cd initializers &&
# rack_attack.rb is not present in gitlab13 config
# ln -sf ${rack_attack.rb:output} rack_attack.rb &&
ln -sf ${smtp_settings.rb:output} smtp_settings.rb &&
# public/
cd ../../public &&
...
...
@@ -578,7 +573,7 @@ wrapper-path = ${directory:service}/gitlab-workhorse
command-line = {{ gitlab_workhorse }}
-listenNetwork unix
-listenAddr ${gitlab-workhorse:socket}
-authSocket ${
unicorn
:socket}
-authSocket ${
puma
:socket}
-documentRoot ${gitlab-work:location}/public
-secretPath ${gitlab-workhorse:secret}
-logFile ${gitlab-workhorse:log}
...
...
@@ -611,41 +606,43 @@ config-command = {{ curl_bin }} --unix-socket ${gitlab-workhorse:socket} ht
######################
#
unicorn
worker #
#
puma
worker #
######################
[
unicorn
-dir]
[
puma
-dir]
recipe = slapos.cookbook:mkdirectory
srv = ${directory:srv}/unicorn
log = ${directory:log}/unicorn
srv = ${directory:srv}/puma
log = ${directory:log}/puma
pid = ${directory:srv}/pids
[unicorn]
srv = ${unicorn-dir:srv}
log = ${unicorn-dir:log}
socket = ${directory:srv}/unicorn.socket
[puma]
srv = ${puma-dir:srv}
log = ${puma-dir:log}
socket = ${puma-dir:srv}/puma.socket
pid = ${puma-dir:pid}
[service-
unicorn
]
[service-
puma
]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:service}/
unicorn
# NOTE we perform db setup / migrations as part of
unicorn
startup.
wrapper-path = ${directory:service}/
puma
# NOTE we perform db setup / migrations as part of
puma
startup.
# Those operations require PG and Redis to be up and running already, that's
# why we do it here. See gitlab-
unicorn
-startup for details.
command-line = ${gitlab-
unicorn
-startup:output}
# why we do it here. See gitlab-
puma
-startup for details.
command-line = ${gitlab-
puma
-startup:output}
depend =
${promise-
unicorn
:recipe}
${promise-
puma
:recipe}
${promise-gitlab-app:recipe}
${promise-gitlab-shell:recipe}
${logrotate-entry-
unicorn
:recipe}
# gitlab is a service "run" under
unicorn
${logrotate-entry-
puma
:recipe}
# gitlab is a service "run" under
puma
# gitlab-shell is called by gitlab
# -> associate their logs rotation to here
${logrotate-entry-gitlab:recipe}
[promise-
unicorn
]
[promise-
puma
]
<= promise-byurl
config-command = {{ curl_bin }} --unix-socket ${
unicorn
:socket} http://localhost/
config-command = {{ curl_bin }} --unix-socket ${
puma
:socket} http://localhost/
[promise-rakebase]
recipe = slapos.cookbook:wrapper
...
...
@@ -667,10 +664,10 @@ command-line = ${:rake} gitlab:gitlab_shell:check
# rake gitlab:repo:check (fsck all repos)
[logrotate-entry-
unicorn
]
[logrotate-entry-
puma
]
<= logrotate-entry-base
log = ${
unicorn
:log}/*.log
name =
unicorn
log = ${
puma
:log}/*.log
name =
puma
copytruncate = true
[logrotate-entry-gitlab]
...
...
@@ -844,8 +841,8 @@ environment =
# 6. on-reinstantiate actions
# NOTE here we only recompile assets. Other on-reinstantiate actions, which
# require pg and redis running, are performed as part of
unicorn
service -
# right before its startup (see gitlab-
unicorn
-startup).
# require pg and redis running, are performed as part of
puma
service -
# right before its startup (see gitlab-
puma
-startup).
[on-reinstantiate]
recipe = plone.recipe.command
stop-on-error = true
...
...
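Review bot: The `pid` option added to `[puma-dir]` and `[puma]` holds a directory (`${directory:srv}/pids`), not a pid file, and nothing in the section says so; consumers append the file name themselves (`${puma:pid}/puma.pid` in instance-gitlab-export.cfg.in, `'{{ puma.pid }}/puma.pid'` and `puma.state` in puma.rb.in). A comment such as `# pid: directory that receives puma.pid and puma.state` on `[puma-dir]` would keep it from being used as a file path. Because that directory sits under `srv`, it is worth confirming that the exporter exclude list, of which only part is visible in this commit, keeps those two runtime files out of backups, since the restore script reads puma.pid to choose a process to signal.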
software/gitlab/instance.cfg.in
...
...
@@ -89,17 +89,16 @@ context =
raw gitconfig_in ${gitconfig.in:target}
raw monitor_template ${monitor2-template:output}
raw gitlab_shell_config_yml_in ${gitlab-shell-config.yml.in:target}
raw gitlab_
unicorn_startup_in ${gitlab-unicorn
-startup.in:target}
raw gitlab_
puma_startup_in ${gitlab-puma
-startup.in:target}
raw gitlab_yml_in ${gitlab.yml.in:target}
raw gitaly_config_toml_in ${gitaly-config.toml.in:target}
raw macrolib_cfg_in ${macrolib.cfg.in:target}
raw nginx_conf_in ${nginx.conf.in:target}
raw nginx_gitlab_http_conf_in ${nginx-gitlab-http.conf.in:target}
raw rack_attack_rb_in ${rack_attack.rb.in:target}
raw resque_yml_in ${resque.yml.in:target}
raw smtp_settings_rb_in ${smtp_settings.rb.in:target}
raw gitlab_restore_sh_in ${template-gitlab-resiliency-restore.sh.in:target}
raw
unicorn_rb_in ${unicorn
.rb.in:target}
raw
puma_rb_in ${puma
.rb.in:target}
$${:context-extra}
context-extra =
...
...
software/gitlab/software.cfg
...
...
@@ -186,6 +186,7 @@ configure-command = cd ${:path} &&
${:bundle} config --local build.nokogiri --with-zlib-dir=${zlib:location} --with-cflags=-I${xz-utils:location}/include --with-ldflags="-L${xz-utils:location}/lib -Wl,-rpath=${xz-utils:location}/lib"
${:bundle} config --local build.rugged --use-system-libraries --with-git2-dir=${libgit2:location}
${:bundle} config --local build.openssl --with-openssl-dir=${openssl:location}
${:bundle} config --local build.puma --with-openssl-dir=${openssl:location}
${:bundle} config set without 'development test mysql aws kerberos'
${:bundle} config set deployment 'true'
...
...
@@ -251,7 +252,7 @@ path = ${gitlab-repository:location}/workhorse
configure-command = :
make-binary =
make-targets =
. ${gowork:env.sh} && make
test && make
install PREFIX=${gowork:directory}
. ${gowork:env.sh} && make install PREFIX=${gowork:directory}
binary = ${gowork:bin}/${:_buildout_section_name_}
[gitlab-backup]
...
...
@@ -363,7 +364,7 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
[gitlab-shell-config.yml.in]
<= download-file
[gitlab-
unicorn
-startup.in]
[gitlab-
puma
-startup.in]
<= download-file
[gitlab.yml.in]
...
...
@@ -387,9 +388,6 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
[nginx.conf.in]
<= download-file
[rack_attack.rb.in]
<= download-file
[resque.yml.in]
<= download-file
...
...
@@ -399,14 +397,9 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
[template-gitlab-resiliency-restore.sh.in]
<= download-file
[
unicorn
.rb.in]
[
puma
.rb.in]
<= download-file
[gitlab-demo-backup.git]
recipe = slapos.recipe.build:download-unpacked
url = https://lab.nexedi.com/alain.takoudjou/labdemo.backup/repository/archive.tar.gz?ref=master
md5sum = d40e5e211dc9a4e5ada9c0250377c639
[versions]
docutils = 0.16
cns.recipe.symlink = 0.2.3
...
...
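Review bot: In the workhorse `make-targets` hunk the build no longer runs `make test` before `make install`, so the binary is installed without its test suite having run against this toolchain, and neither the hunk nor the commit message says why. If the tests cannot run in the build environment, record that next to the option, e.g. `# make test skipped: <reason>`, so the check is restored once the cause is gone. The section that owns this option starts above the hunk.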
software/gitlab/template/gitaly-config.toml.in
...
...
@@ -36,15 +36,11 @@ internal_socket_dir = "{{ gitaly.internal_socket }}"
# # Git settings
[git]
bin_path = "{{ git }}"
# # Maximum number of cached 'cat-file' processes, which constitute a pair of 'git cat-file --batch' and
# # 'git cat-file --batch-check' processes. Defaults to '100'.
# catfile_cache_size = 100
# [[git.config]]
# key = fetch.fsckObjects
# value = true
# # Storages are the directories where Gitaly stores its data such as the repositories and runtime state.
# # Each storage must have a unique name.
[[storage]]
name = "default"
...
...
@@ -70,8 +66,8 @@ level = "warn"
#
# # Additionally exceptions from the Go server can be reported to Sentry
# sentry_dsn = "https://<key>:<secret>@sentry.io/<project>"
# #
Sentry Environment for exception monitoring.
sentry_environment = "
"
# #
Exceptions from gitaly-ruby can also be reported to Sentry
# ruby_sentry_dsn = "https://<key>:<secret>@sentry.io/<project>
"
# # You can optionally configure Gitaly to record histogram latencies on GRPC method calls
...
...
@@ -133,3 +129,16 @@ url = "http+unix://{{ urllib.parse.unquote_plus(gitlab_workhorse.socket) }}"
# duration = "45m"
# storages = ["default"]
# disabled = false
# [cgroups]
# count = 10
# mountpoint = "/sys/fs/cgroup"
# hierarchy_root = "gitaly"
# [cgroups.memory]
# enabled = true
# limit = 1048576
# [cgroups.cpu]
# enabled = true
# shares = 512
software/gitlab/template/gitconfig.in
...
...
@@ -12,15 +12,24 @@
[pack]
threads = 1
# Enable packfile bitmaps
[repack]
writeBitmaps = true
# don't allow corrupt/broken objects to go in
# Enable push (advertisePushOptions) options
[receive]
fsckObjects = true
advertisePushOptions = true
[user]
name = {{ cfg('email_display_name') }}
email = {{ cfg('email_from') }}
# Enable fsyncObjectFiles to reduce risk of repository corruption if the server crashes
[core]
autocrlf = input
fsyncObjectFiles = true
[gc]
auto = 0
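Review bot: The `[receive]` block now shows two comment lines, and with a single deletion counted for this file the old `# don't allow corrupt/broken objects to go in` line appears to be the one replaced, which would leave `fsckObjects = true` without its explanation. That key is the integrity check on pushed objects, so keep one comment per key, e.g. `# Reject corrupt/broken objects on push` above `fsckObjects` and `# Advertise push options to clients` above `advertisePushOptions`. The new `[gc] auto = 0` has no comment at all; stating what is expected to run repository housekeeping instead would help whoever audits maintenance later.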
software/gitlab/template/gitlab-shell-config.yml.in
...
...
@@ -7,8 +7,9 @@
# GitLab user. git by default
user: {{ backend_info.user }}
# Url to gitlab instance. Used for api calls. Should end with a slash.
gitlab_url: "http+unix://{{ urllib.parse.quote_plus(unicorn.socket) }}/"
# URL to GitLab instance, used for API calls. Default: http://localhost:8080.
# For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
gitlab_url: "http+unix://{{ urllib.parse.quote_plus(puma.socket) }}/"
http_settings:
{# we don't need any
...
...
software/gitlab/template/gitlab.yml.in
{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
{% from 'macrolib.cfg.in' import cfg, cfg_https, external_url with context %}
# # # # # # # # # # # # # # # # # #
# GitLab application config file #
# # # # # # # # # # # # # # # # # #
#
########################### NOTE #####################################
# This file should not receive new settings. All configuration options #
# * are being moved to ApplicationSetting model! #
# If a setting requires an application restart say so in that screen. #
# If you change this file in a merge request, please also create #
# a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests. #
# For more details see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md #
########################################################################
#
#
# How to use:
# 1. Copy file as gitlab.yml
# 2. Update gitlab -> host with your fully qualified domain name
# 3. Update gitlab -> email_from
# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
# IMPORTANT: If Git was installed in a different location use that instead.
# You can check with `which git`. If a wrong path of Git is specified, it will
# result in various issues such as failures of GitLab CI builds.
# 5. Review this configuration file for other settings you may want to adjust
production: &base
#
# 1. GitLab app settings
...
...
@@ -497,6 +519,11 @@ production: &base
# gitlab-shell needs to be set to true
git_annex_enabled: <%= @git_annex_enabled %>
workhorse:
# File that contains the secret key for verifying access for gitlab-workhorse.
# secret_file: {{ gitlab_workhorse.secret }}
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
...
...
@@ -538,6 +565,22 @@ production: &base
{# ICP: '{{ cfg("icp_license") }}' #}
{% endif %}
rack_attack:
git_basic_auth:
# Rack Attack IP banning enabled
enabled: {{ cfg("rack_attack_enable") }}
#
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
ip_whitelist: [{{ cfg("rack_attack_ip_whitelist")}}]
#
# Limit the number of Git HTTP authentication attempts per IP
maxretry: {{ cfg("rack_attack_max_retry") }}
#
# Reset the auth attempt counter per IP after 60 seconds
findtime: {{ cfg("rack_attack_find_time") }}
#
# Ban an IP for one hour (3600s) after too many auth attempts
bantime: {{ cfg("rack_attack_ban_time") }}
development:
<<: *base
...
...
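Review bot: In the new `rack_attack: git_basic_auth:` block the comments state fixed values (`127.0.0.1`, `60 seconds`, `one hour (3600s)`) while the keys are rendered from `cfg(...)` parameters, and `rack_attack_ip_whitelist` is empty by default in gitlab-parameters.cfg, so 127.0.0.1 is not exempted unless an operator sets it. Reword them to describe the parameter, e.g. `# IPs exempt from banning (comma-separated, empty by default)` and `# Ban duration in seconds`. `ip_whitelist: [{{ cfg("rack_attack_ip_whitelist")}}]` also places the parameter unquoted inside a YAML flow sequence, so a value containing `]`, `#` or a newline would change the structure of the rendered file; validating or quoting each entry before rendering would avoid that.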
software/gitlab/template/puma.rb.in
0 → 100644
# see: https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/files/gitlab-cookbooks/gitlab/templates/default/puma.rb.erb
{% from 'macrolib.cfg.in' import cfg with context %}
# frozen_string_literal: true
# Load "path" as a rackup file.
#
# The default is "config.ru".
#
rackup 'config.ru'
pidfile '{{ puma.pid }}/puma.pid'
state_path '{{ puma.pid }}/puma.state'
stdout_redirect '{{ puma.log }}/puma.stdout.log',
'{{ puma.log }}/puma.stderr.log',
true
# Configure "min" to be the minimum number of threads to use to answer
# requests and "max" the maximum.
#
# The default is "0, 16".
#
threads {{ cfg("puma_min_threads") }}, {{ cfg("puma_max_threads") }}
# By default, workers accept all requests and queue them to pass to handlers.
# When false, workers accept the number of simultaneous requests configured.
#
# Queueing requests generally improves performance, but can cause deadlocks if
# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
#
# When set to false this may require a reverse proxy to handle slow clients and
# queue requests before they reach puma. This is due to disabling HTTP keepalive
queue_requests false
# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
# accepted protocols.
bind 'unix://{{ puma.socket }}'
directory '{{ gitlab_work.location }}'
workers {{ cfg("puma_worker_processes") }}
require_relative "{{ gitlab_work.location }}/lib/gitlab/cluster/lifecycle_events"
require_relative "{{ gitlab_work.location }}/lib/gitlab/cluster/puma_worker_killer_initializer"
on_restart do
# Signal application hooks that we're about to restart
Gitlab::Cluster::LifecycleEvents.do_before_master_restart
end
options = { workers: {{ cfg("puma_worker_processes") }} }
before_fork do
# Signal to the puma killer
Gitlab::Cluster::PumaWorkerKillerInitializer.start options unless ENV['DISABLE_PUMA_WORKER_KILLER']
# Signal application hooks that we're about to fork
Gitlab::Cluster::LifecycleEvents.do_before_fork
end
Gitlab::Cluster::LifecycleEvents.set_puma_options options
on_worker_boot do
# Signal application hooks of worker start
Gitlab::Cluster::LifecycleEvents.do_worker_start
end
# Preload the application before starting the workers; this conflicts with
# phased restart feature. (off by default)
preload_app!
tag 'gitlab-puma-worker'
# Verifies that all workers have checked in to the master process within
# the given timeout. If not the worker process will be restarted. Default
# value is 60 seconds.
#
worker_timeout {{ cfg("puma_worker_timeout") }}
# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#lower-latency-better-throughput
wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f
# https://github.com/puma/puma/blob/master/5.0-Upgrade.md#nakayoshi_fork
nakayoshi_fork unless ENV['DISABLE_PUMA_NAKAYOSHI_FORK'] == 'true'
# Use json formatter
require_relative "{{ gitlab_work.location }}/lib/gitlab/puma_logging/json_formatter"
json_formatter = Gitlab::PumaLogging::JSONFormatter.new
log_formatter do |str|
json_formatter.call(str)
end
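Review bot: The new template does not begin with `{{ autogenerated }}`, which gitlab.yml.in and the deleted rack_attack.rb.in both have as their first line, so the rendered puma.rb presumably lacks the generated-file marker; adding `{{ autogenerated }}` as line 1 would keep the templates consistent. The worker count is rendered twice, in `workers {{ cfg("puma_worker_processes") }}` and in `options = { workers: ... }`; defining `options` first and calling `workers options[:workers]` keeps the two from drifting apart. `bind 'unix://{{ puma.socket }}'` sets no explicit socket permissions, so access to the application socket depends on the process umask and on the mode of the directory created by `[puma-dir]`; a comment stating the expected mode would document that assumption.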
software/gitlab/template/rack_attack.rb.in
deleted
100644 → 0
{{ autogenerated }}
# see:
# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
# (last updated for omnibus-gitlab 8.8.9+ce.0-g25376053)
{% from 'macrolib.cfg.in' import cfg with context %}
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
"#{Rails.application.config.relative_url_root}/users",
"#{Rails.application.config.relative_url_root}/users/confirmation",
"#{Rails.application.config.relative_url_root}/unsubscribes/"
]
# Create one big regular expression that matches strings starting with any of
# the paths_to_be_protected.
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
unless Rails.env.test? || !rack_attack_enabled
Rack::Attack.throttle('protected paths', limit: {{ cfg('rate_limit_requests_per_period') }}, period: {{ cfg('rate_limit_period') }}.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end
software/gitlab/template/smtp_settings.rb.in
...
...
@@ -21,8 +21,6 @@ if Rails.env.production?
enable_starttls_auto: {{ cfg('smtp_enable_starttls_auto') }},
# ssl:
openssl_verify_mode: '{{ cfg("smtp_openssl_verify_mode") }}'
# ca_path:
# ca_file:
}
end
{% else %}
...
...
software/gitlab/template/template-gitlab-resiliency-restore.sh.in
...
...
@@ -21,15 +21,15 @@ redis_pid_file="{{ redis_pid_file }}"
postgres_pid_file="{{ postgres_pid_file }}"
bin_location="{{ bin_directory }}"
run_location="{{ run_directory }}"
git_location="{{ git_location }}"
go_work_bin="{{ go_work_bin }}"
etc_location="{{ etc_directory }}"
gitlab_work="{{ gitlab_work_location }}"
promise_check="{{ promise_lab_location }}"
unicorn_script="{{ unicorn_script }}"
puma_script="{{ puma_script }}"
puma_pid_file="{{ puma_pid_file }}"
sidekiq_script="{{ sidekiq_script }}"
var_location="{{
run_directory }}/..
"
var_location="{{
var_directory }}
"
# export GIT_EXEC_PATH=$git_location/libexec/git-core/
...
...
@@ -56,7 +56,7 @@ kill_process () {
check_process $postgres_pid_file "Postgres"
check_process $redis_pid_file "Redis"
check_process $
run_location/unicorn.pid "Unicorn
"
check_process $
puma_pid_file "Puma
"
if [ -f "$postgres_pid_file" ]; then
rm $postgres_pid_file
...
...
@@ -90,14 +90,14 @@ echo "Checking gitlab promises..."
echo "[info] Not all promises are checked!"
$promise_check/gitlab-app
echo "Starting
Unicorn
to check gitlab-shell promise..."
$
unicorn
_script &
unicorn
_pid=$!
trap "kill $postgres_pid $redis_pid $
unicorn
_pid" EXIT TERM INT
echo "Starting
Puma
to check gitlab-shell promise..."
$
puma
_script &
puma
_pid=$!
trap "kill $postgres_pid $redis_pid $
puma
_pid" EXIT TERM INT
sleep 60
if [ -s "$
run_location/unicorn.pid
" ]; then
unicorn_ppid=$(head -n 1 $run_location/unicorn.pid
) > /dev/null 2>&1
trap "kill $postgres_pid $redis_pid $
unicorn_p
pid" EXIT TERM INT
if [ -s "$
puma_pid_file
" ]; then
puma_pid=$(head -n 1 $puma_pid_file
) > /dev/null 2>&1
trap "kill $postgres_pid $redis_pid $
puma_
pid" EXIT TERM INT
fi
$promise_check/gitlab-shell
...
...
@@ -109,7 +109,7 @@ $promise_check/gitlab-shell
kill_process $postgres_pid
kill_process $redis_pid
kill_process $
unicorn
_pid
kill_process $
puma
_pid
RESTORE_EXIT_CODE=$?
...
...
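Review bot: In the third hunk `puma_pid=$(head -n 1 $puma_pid_file)` overwrites the PID captured from `$!` with whatever the pid file contains, whereas the removed code kept the file value in a separate `unicorn_ppid`. If the file is stale (left by an earlier run or brought back with restored data), the job started here is no longer covered by the trap or by the final `kill_process $puma_pid`, and the script signals a PID it did not start. Keeping both values restores the earlier behaviour: `puma_master_pid=$(head -n 1 "$puma_pid_file")` followed by `trap "kill $postgres_pid $redis_pid $puma_pid $puma_master_pid" EXIT TERM INT`.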