gitlab: Upgrade to 8.7

- GitLab Software + patches ported to GitLab 8.7.X; - Configs synced with upstream; - No base software upgrades this time because it was all recently upgraded during a590b03e; TODO: allow configuration of trusted proxies /reviewed-by TrustMe

gitlab: Upgrade to 8.7
- GitLab Software + patches ported to GitLab 8.7.X; - Configs synced with upstream; - No base software upgrades this time because it was all recently upgraded during a590b03e; TODO: allow configuration of trusted proxies /reviewed-by TrustMe
abc0873b · Kirill Smelkov · 1711ab3a · af0c5b11 · abc0873b · abc0873b
Commit abc0873b authored Aug 07, 2016 by Kirill Smelkov
15 changed files
--- a/software/gitlab/gitlab-parameters.cfg
+++ b/software/gitlab/gitlab-parameters.cfg
@@ -6,7 +6,7 @@
 #
 # TODO better autogenerate from ^^^ (?)
 #
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 [gitlab-parameters]
 configuration.external_url              = http://lab.example.com
@@ -101,3 +101,8 @@ configuration.nginx_gzip_comp_level     = 2
 configuration.nginx_gzip_proxied        = any
 configuration.nginx_gzip_types          = text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json
 configuration.nginx_keepalive_timeout   = 65
+
+# TODO allow configuring trusted proxies
+# configuration.nginx_real_ip_trusted_addresses
+# configuration.nginx_real_ip_header
+# configuration.nginx_real_ip_recursive
--- a/software/gitlab/instance-gitlab.cfg.in
+++ b/software/gitlab/instance-gitlab.cfg.in
@@ -197,10 +197,6 @@ rendered= ${gitlab:etc}/${:_buildout_section_name_}
 rendered= ${nginx:etc}/${:_buildout_section_name_}


-[config.ru]
-<= gitlab-etc-template
-template = {{ config_ru_in }}
-
 [database.yml]
 <= gitlab-etc-template
 template= {{ database_yml_in }}
@@ -366,12 +362,10 @@ update-command =
 <= work-base
 software = {{ gitlab_repository_location }}
 tune-command =
-# secret* config.ru tmp/ log/ shared/ builds/
+# secret* tmp/ log/ shared/ builds/
    rm -f .secret  &&
-    rm -f config.ru  &&
    rm -rf log tmp shared builds  &&
    ln -sf ${secrets:secrets}/gitlab_rails_secret .secret  &&
-    ln -sf ${config.ru:rendered} config.ru  &&
    ln -sf ${gitlab:log} log  &&
    ln -sf ${gitlab:tmp} tmp  &&
    ln -sf ${gitlab:shared} shared  &&
@@ -633,7 +627,7 @@ log     = ${sidekiq-dir:log}
 # NOTE see queue list here:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/Procfile
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/sv-sidekiq-run.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)
 [service-sidekiq]
 recipe  = slapos.cookbook:wrapper
 wrapper-path    = ${directory:service}/sidekiq

--- a/software/gitlab/instance.cfg.in
+++ b/software/gitlab/instance.cfg.in
@@ -51,7 +51,6 @@ context =
    raw watcher_sigkill             ${watcher-sigkill:rendered}

 # config files
-    raw config_ru_in                ${config.ru.in:target}
    raw database_yml_in             ${database.yml.in:target}
    raw gitconfig_in                ${gitconfig.in:target}
    raw gitlab_parameters_cfg       ${gitlab-parameters.cfg:target}

--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -113,23 +113,24 @@ git-executable = ${git:location}/bin/git
 <= git-repository
 #repository = https://gitlab.com/gitlab-org/gitlab-ce.git
 repository = https://lab.nexedi.com/nexedi/gitlab-ce.git
-# 8.6.X + NXD patches:
-revision = v8.6.9-9-g1aafce0d0634afa9b3cfaf1e3a5b090c8c980076
+# 8.7.X + NXD patches:
+revision = v8.7.9-10-g7728df66b90483dac467df95948a532783e782c8
 location = ${buildout:parts-directory}/gitlab

 [gitlab-shell-repository]
 <= git-repository
 #repository = https://gitlab.com/gitlab-org/gitlab-shell.git
 repository = https://lab.nexedi.com/nexedi/gitlab-shell.git
-# gitlab 8.6 wants gitlab-shell 2.6.12
-# 2.6.12 + NXD patches
-revision = v2.6.12-1-g03df9d7f9cfaa9e058f4c7053a497069b9b52657
+# gitlab 8.7 wants gitlab-shell 2.7.2
+# 2.7.2 + NXD patches
+revision = v2.6.10-50-gfbca95be784816349abc5930324659151eca50d1
 location = ${buildout:parts-directory}/gitlab-shell

 [gitlab-workhorse-repository]
 <= git-repository
 #repository = https://gitlab.com/gitlab-org/gitlab-workhorse.git
 repository = https://lab.nexedi.com/nexedi/gitlab-workhorse.git
+# gitlab 8.7 wants gitlab-workhorse 0.7.1
 # 0.7.1 + NXD patches
 revision = v0.7.1-5-gd23a3247829fc3200e3dc784dcd57b5a0febac48
 location = ${buildout:parts-directory}/gitlab-workhorse
@@ -193,7 +194,7 @@ eggs    =
 recipe  = slapos.recipe.template
 url     = ${:_profile_base_location_}/instance.cfg.in
 output  = ${buildout:directory}/instance.cfg
-md5sum  = e5e7ddede71265987bb0c534b009aa45
+md5sum  = ef85f02c4f6070c586d773b859a2f4e2

 [watcher-sigkill]
 recipe  = slapos.recipe.template:jinja2
@@ -221,25 +222,21 @@ destination = ${buildout:directory}/${:_buildout_section_name_}
 url     = ${:_profile_base_location_}/template/${:_buildout_section_name_}


-[config.ru.in]
-<= download-template
-md5sum  = 4f6191c6e6bbaf2cd39c6f155fe192e1
-
 [database.yml.in]
 <= download-template
-md5sum  = 60504181bf40fefd023b2b8facff291d
+md5sum  = 61d1d04b9347b3168a1ad7676e4681ef

 [gitconfig.in]
 <= download-template
-md5sum  = 56b135596e013c02bda5555dda6b376b
+md5sum  = eb1230fee50067924ba89f4dc6e82fa9

 [gitlab-parameters.cfg]
 <= download-file
-md5sum  = 8cbcdb8d9e942df67d2fbb4db5fbfaad
+md5sum  = 3edd435a984b51b94539ea1d4f1b3994

 [gitlab-shell-config.yml.in]
 <= download-template
-md5sum  = cdcb2036c33da547a2cf5d0515cf48ff
+md5sum  = 58c09b1e609f903e483a76fe9e57366c

 [gitlab-unicorn-startup.in]
 <= download-file
@@ -247,11 +244,11 @@ md5sum  = a9cb347f60aad3465932fd36cd4fe25d

 [gitlab.yml.in]
 <= download-template
-md5sum  = 043804b76affe91a0bd3686f93f80ac8
+md5sum  = 735a78d0733fd6617d3b5f3d91bfae8c

 [instance-gitlab.cfg.in]
 <= download-file
-md5sum  = 0e7c13b5a5a3ad8748a79eea177b0ce3
+md5sum  = ba83f01fd7a313b984766c50d6e48e54

 [macrolib.cfg.in]
 <= download-file
@@ -259,27 +256,27 @@ md5sum  = a56a44e96f65f5ed20211bb6a54279f4

 [nginx-gitlab-http.conf.in]
 <= download-template
-md5sum  = 27feb252c2eba8e665164ea3b496fcd7
+md5sum  = a11b50d2ff2b1fa842ba4aa20041e2fe

 [nginx.conf.in]
 <= download-template
-md5sum  = 5799afef0a60d07c9e6b52d0efaccec7
+md5sum  = 7da68dba86fff79eb93c27aa1aaf1055

 [rack_attack.rb.in]
 <= download-template
-md5sum  = 6218a2f01fea29da1f61d69584635b52
+md5sum  = bc1a7c1e83b7329d97bff6724f2bec3e

 [resque.yml.in]
 <= download-template
-md5sum  = acd686b43ae37c4282e67b668786986e
+md5sum  = 7c89a730889e3224548d9abe51a2d719

 [smtp_settings.rb.in]
 <= download-template
-md5sum  = a4dda9c94f2ee72851343f505d5f495e
+md5sum  = d66a424516ffacea34303e2f512a7d94

 [unicorn.rb.in]
 <= download-template
-md5sum  = 293143fecab603299bbc0a3dfd907ac3
+md5sum  = 83921db1835d9e81cbbe808631cc40a9


 [versions]

--- a/software/gitlab/template/config.ru.in
+++ b/software/gitlab/template/config.ru.in
-{{ autogenerated }}
-# see:
-# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config.ru
-# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab-rails-config.ru.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
-
-# This file is used by Rack-based servers to start the application.
-
-{% from 'macrolib.cfg.in' import cfg  with context %}
-
-if defined?(Unicorn)
-  require 'unicorn'
-
-  if ENV['RAILS_ENV'] == 'production' || ENV['RAILS_ENV'] == 'staging'
-    # Unicorn self-process killer
-    require 'unicorn/worker_killer'
-
-    # Max memory size (RSS) per worker
-    use Unicorn::WorkerKiller::Oom, ({{ cfg('unicorn_worker_memory_limit_min') }}), ({{ cfg('unicorn_worker_memory_limit_max') }})
-  end
-end
-
-require ::File.expand_path('../config/environment',  __FILE__)
-
-map ENV['RAILS_RELATIVE_URL_ROOT'] || "/" do
-  run Gitlab::Application
-end
--- a/software/gitlab/template/database.yml.in
+++ b/software/gitlab/template/database.yml.in
@@ -2,7 +2,7 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/database.yml.postgresql
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
-# (last updated for 8.6.5+ce.0-0-g342f8be)
+# (last updated for 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg  with context %}

@@ -23,5 +23,6 @@ production:
  socket:
  {# not needed for unix socket
  sslmode: <%= single_quote(@db_sslmode) %>
-  sslrootcert: <%= single_quote(@db_sslrootcert) %>
+  sslrootcert: <%= single_quote(@db_sslrootcert) || single_quote(@db_sslca) %>
+  sslca: <%= single_quote(@db_sslca) || single_quote(@db_sslrootcert) %>
  #}
--- a/software/gitlab/template/gitconfig.in
+++ b/software/gitlab/template/gitconfig.in
@@ -3,7 +3,7 @@
 # see:
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitconfig.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)
 #
 {% from 'macrolib.cfg.in' import cfg  with context %}

@@ -22,3 +22,5 @@
        email = {{ cfg('email_from') }}
 [core]
        autocrlf = input
+[gc]
+        auto = 0
--- a/software/gitlab/template/gitlab-shell-config.yml.in
+++ b/software/gitlab/template/gitlab-shell-config.yml.in
@@ -2,7 +2,7 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-shell/blob/master/config.yml.example
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab-shell-config.yml.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 # GitLab user. git by default
 user: {{ backend_info.user }}

--- a/software/gitlab/template/gitlab.yml.in
+++ b/software/gitlab/template/gitlab.yml.in
@@ -2,7 +2,7 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg, cfg_https, external_url  with context %}

@@ -32,6 +32,16 @@ production: &base
    relative_url_root: <%= @gitlab_relative_url %>
    #}

+    # Trusted Proxies
+    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
+    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
+    trusted_proxies:
+    {# TODO support configuring trusted proxies
+<% @trusted_proxies.each do |proxy| %>
+      - <%= proxy %>
+<% end %>
+    #}
+
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: {{ backend_info.user }}

@@ -96,7 +106,7 @@ production: &base
    enabled: <%= @incoming_email_enabled %>

    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
-    # The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`.
+    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: <%= single_quote(@incoming_email_address) %>

    # Email account username
@@ -167,7 +177,7 @@ production: &base
    #}


-  {# XXX cron jobs are disabled for now - we do not support CI and EE features
+  {# XXX cron jobs are disabled for now - we do not support CI and EE features or we are ok with defaults
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
@@ -176,6 +186,10 @@ production: &base
    stuck_ci_builds_worker:
      cron: <%= @stuck_ci_builds_worker_cron %>

+    # Remove outdated repository archives
+    repository_archive_cache_worker:
+      cron: <%= @repository_archive_cache_worker_cron %>
+
    ##
    # GitLab EE only jobs:

@@ -187,11 +201,20 @@ production: &base
    update_all_mirrors_worker:
      cron: <%= @update_all_mirrors_worker_cron %>

+    # Update remote mirrors
+    update_all_remote_mirrors_worker:
+      cron: <%= @update_all_remote_mirrors_worker_cron %>
+
    # In addition to refreshing users when they log in,
    # periodically refresh LDAP users membership.
    # NOTE: This will only take effect if LDAP is enabled
    ldap_sync_worker:
      cron: <%= @ldap_sync_worker_cron %>
+
+    # Gitlab Geo nodes notification worker
+    # NOTE: This will only take effect if Geo is enabled
+    geo_bulk_notify_worker:
+      cron: <%= @geo_bulk_notify_worker_cron %>
  #}

  #
@@ -303,6 +326,12 @@ production: &base
    # (default: false)
    auto_link_saml_user: <%= @omniauth_auto_link_saml_user.to_json %>

+    # Set different Omniauth providers as external so that all users creating accounts
+    # via these providers will not be able to have access to internal projects. You
+    # will need to use the full name of the provider, like `google_oauth2` for Google.
+    # Refer to the examples below for the full names of the supported providers.
+    # (default: [])
+    external_providers: <%= @omniauth_external_providers.to_json %>

    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use

--- a/software/gitlab/template/nginx-gitlab-http.conf.in
+++ b/software/gitlab/template/nginx-gitlab-http.conf.in
 {{ autogenerated }}
 # see:
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg, cfg_bool, cfg_https, fqdn  with context %}

@@ -99,6 +99,20 @@ server {
  #}
  {% endif %}

+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  {# TODO support trusted proxies & realip
+  <% if @real_ip_header %>
+  real_ip_header <%= @real_ip_header %>;
+  <% end %>
+  <% if @real_ip_recursive %>
+  real_ip_recursive <%= @real_ip_recursive %>;
+  <% end %>
+  <% @real_ip_trusted_addresses.each do |trusted_address| %>
+  set_real_ip_from <%= trusted_address %>;
+  <% end %>
+  #}
+
  ## Individual nginx logs for this GitLab vhost
  access_log  {{ nginx.log }}/gitlab_access.log gitlab_access;
  error_log   {{ nginx.log }}/gitlab_error.log;

--- a/software/gitlab/template/nginx.conf.in
+++ b/software/gitlab/template/nginx.conf.in
@@ -2,7 +2,7 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg  with context %}


--- a/software/gitlab/template/rack_attack.rb.in
+++ b/software/gitlab/template/rack_attack.rb.in
@@ -2,7 +2,7 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg  with context %}


--- a/software/gitlab/template/resque.yml.in
+++ b/software/gitlab/template/resque.yml.in
@@ -2,6 +2,6 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/resque.yml.example
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/resque.yml.erb
-# (last udpdated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last udpdated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 production: unix://{{ redis.unixsocket }}
--- a/software/gitlab/template/smtp_settings.rb.in
+++ b/software/gitlab/template/smtp_settings.rb.in
@@ -2,7 +2,7 @@
 # see:
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/smtp_settings.rb.sample
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/smtp_settings.rb.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg, cfg_bool  with context %}

@@ -18,6 +18,7 @@ if Rails.env.production?
    domain:                 "{{ cfg('smtp_domain') }}",
    authentication:         :{{ cfg('smtp_authentication') }},
    enable_starttls_auto:   {{ cfg('smtp_enable_starttls_auto') }},
+    # ssl:
    openssl_verify_mode:    '{{ cfg("smtp_openssl_verify_mode") }}'
    # ca_path:
    # ca_file:

--- a/software/gitlab/template/unicorn.rb.in
+++ b/software/gitlab/template/unicorn.rb.in
@@ -3,7 +3,7 @@
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/unicorn.rb.example
 # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/unicorn.rb.example.development
 # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/unicorn.rb.erb
-# (last updated for omnibus-gitlab 8.6.5+ce.0-0-g342f8be)
+# (last updated for omnibus-gitlab 8.7.9+ce.1-0-gf589ad7)

 {% from 'macrolib.cfg.in' import cfg  with context %}

@@ -79,3 +79,9 @@ ENV['RAILS_RELATIVE_URL_ROOT'] = "<%= @relative_url %>"

 <%- end %>
 #}
+
+# Min memory size (RSS) per worker
+ENV['GITLAB_UNICORN_MEMORY_MIN'] = ({{ cfg('unicorn_worker_memory_limit_min') }}).to_s
+
+# Max memory size (RSS) per worker
+ENV['GITLAB_UNICORN_MEMORY_MAX'] = ({{ cfg('unicorn_worker_memory_limit_max') }}).to_s