brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(gitlab): update notes after maintenance

Browse Source
This commit is contained in:
Michele Cereda
2024-05-08 18:51:27 +02:00
parent 1022195035
commit 7c01d2bcd2
8 changed files with 269 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.vscode/settings.json vendored
View File

@@ -214,6 +214,7 @@
"psql",
"pstate",
"pulumi",
"pulumiverse",
"pvresize",
"radeon",
"replicatedctl",

112
knowledge base/gitlab.md
View File

@@ -1,6 +1,7 @@
# Gitlab
1. [Omnibus](#omnibus)
1. [TL;DR](#tldr)
1. [Package](#package)
1. [Kubernetes](#kubernetes)
1. [Helm chart](#helm-chart)
1. [Operator](#operator)
@@ -20,23 +21,51 @@
1. [Further readings](#further-readings)
1. [Sources](#sources)
## Omnibus
## TL;DR
```sh
# List the current application settings of the GitLab instance.
curl --header 'PRIVATE-TOKEN: glpat-m-…' 'https://gitlab.fqdn/api/v4/application/settings'
curl --header 'Authorization: bearer glpat-m-…' 'https://gitlab.fqdn/api/v4/application/settings'
```
## Package
Previously known as 'Omnibus'.
<details>
<summary>Installation</summary>
Refer [Install self-managed GitLab].
```sh
sudo dnf install 'gitlab-ee'
sudo EXTERNAL_URL='http://gitlab.example.com' GITLAB_ROOT_PASSWORD='smthng_Strong_0r_it_llfail' apt install 'gitlab-ee'
```
</details>
<details>
<summary>Configuration</summary>
[Template][omnibus configuration template]
[Template][package configuration file template]
The application of configuration changes is handled by [Chef Infra].<br/>
It runs checks, ensures directories, permissions, and services are in place and working, and restarts components if any
of their configuration files have changed.
```sh
# Change application settings.
# Useful to reach those ones not available in the configuration file.
sudo gitlab-rails runner '
::Gitlab::CurrentSettings.update!(gravatar_enabled: false);
::Gitlab::CurrentSettings.update!(remember_me_enabled: false);
::Gitlab::CurrentSettings.update!(email_confirmation_setting: "hard");
'
# Disable public registration.
sudo gitlab-rails runner '::Gitlab::CurrentSettings.update!(signup_enabled: false)'
```
```sh
# Validate.
# Just makes sure the file is readable from a ruby app.
@@ -78,9 +107,10 @@ gitlab_rails['backup_multipart_chunk_size'] = 104857600
gitlab_rails['backup_keep_time'] = 604800
```
Omnibus' installation procedure generates keys and a certificate for the external URL even when LetsEncrypt's support is
explicitly disabled.<br/>
These keys are in the OpenSSH format and are password protected.
The package's included nginx generates keys and a **self-signed** certificate for the external URL upon start if the
given URL's schema is HTTPS.<br/>
The Let's Encrypt account key is in OpenSSL format, while the certificate's key is in OpenSSH format. Both are **not**
password protected.
</details>
@@ -91,6 +121,14 @@ These keys are in the OpenSSH format and are password protected.
# Check the components' state.
sudo gitlab-ctl status
# Get the services' logs.
sudo gitlab-ctl tail
sudo gitlab-ctl tail 'nginx'
# Restart services.
sudo gitlab-ctl restart
sudo gitlab-ctl restart 'nginx'
# Create backups.
sudo gitlab-backup create BACKUP='prefix_override' STRATEGY='copy'
@@ -99,9 +137,51 @@ sudo gitlab-backup create BACKUP='prefix_override' STRATEGY='copy'
sudo gitlab-backup create … \
SKIP='db,repositories,uploads,builds,artifacts,pages,lfs,terraform_state,registry,packages,ci_secure_files'
# Package upgrade.
# Restore backups.
sudo gitlab-ctl stop 'puma' \
&& sudo gitlab-ctl stop 'sidekiq'
# Upgrade the package.
sudo yum check-update
tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
tmux new-session -As 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
# Reset the root user's password.
sudo gitlab-rake 'gitlab:password:reset[root]'
sudo gitlab-rails console \
# --> user = User.find_by_username 'root'
# --> user.password = 'QwerTy184'
# --> user.password_confirmation = 'QwerTy184'
# --> user.password_automatically_set = false
# --> user.save!
# --> quit
sudo gitlab-rails runner '
user = User.find_by_username "anUsernameHere";
new_password = "QwerTy184";
user.password = new_password;
user.password_confirmation = new_password;
user.password_automatically_set = false;
user.save!
'
# Disable users' two factor authentication.
sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
```
</details>
<details>
<summary>Removal</summary>
```sh
# Remove all users and groups created by the package.
sudo gitlab-ctl stop && sudo gitlab-ctl remove-accounts
# Remove all data.
sudo gitlab-ctl cleanse && sudo rm -r '/opt/gitlab'
# Uninstall the package.
sudo apt remove 'gitlab-ee'
sudo dnf remove 'gitlab-ee'
```
</details>
@@ -576,7 +656,13 @@ Solution: give that user _developer_ access or have somebody else with enough pr
- [Use kaniko to build Docker images]
- [Specify when jobs run with `rules`][specify when jobs run with rules]
- [Install self-managed GitLab]
- [Omnibus configuration template]
- [Package configuration file template]
- [Install GitLab with the Linux package]
- [Reset a user's password]
- [Environment variables]
- [Sign-up restrictions]
- [Restore GitLab]
- [How to disable the Two-factor authentication in GitLab?]
<!--
References
@@ -605,16 +691,21 @@ Solution: give that user _developer_ access or have somebody else with enough pr
[deployment]: https://docs.gitlab.com/charts/installation/deployment.html
[docker machine's aws driver's options]: https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/blob/main/docs/drivers/aws.md#options
[docker machine's supported cloud providers]: https://docs.gitlab.com/runner/configuration/autoscale.html#supported-cloud-providers
[environment variables]: https://docs.gitlab.com/ee/administration/environment_variables.html
[global settings]: https://docs.gitlab.com/charts/charts/globals.html
[how to restart gitlab]: https://docs.gitlab.com/ee/administration/restart_gitlab.html
[install gitlab with the linux package]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/doc/installation/index.md
[install self-managed gitlab]: https://about.gitlab.com/install
[merge request approval rules]: https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html
[minimal minikube example values file]: https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/values-minikube-minimum.yaml
[omnibus configuration template]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/master/files/gitlab-config-template/gitlab.rb.template
[operator code]: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator
[operator guide]: https://docs.gitlab.com/operator/
[package configuration file template]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/master/files/gitlab-config-template/gitlab.rb.template
[predefined ci/cd variables reference]: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
[reset a user's password]: https://docs.gitlab.com/ee/security/reset_user_password.html
[restore gitlab]: https://docs.gitlab.com/ee/administration/backup_restore/restore_gitlab.html
[runners on kubernetes]: https://docs.gitlab.com/runner/install/kubernetes.html
[sign-up restrictions]: https://docs.gitlab.com/ee/administration/settings/sign_up_restrictions.html
[specify when jobs run with rules]: https://docs.gitlab.com/ee/ci/jobs/job_rules.html
[support object storage bucket prefixes]: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3376
[tls]: https://docs.gitlab.com/charts/installation/tls.html
@@ -628,4 +719,5 @@ Solution: give that user _developer_ access or have somebody else with enough pr
[aws driver does not support multiple non default subnets]: https://github.com/docker/machine/issues/4700
[chef infra]: https://www.chef.io/products/chef-infra
[configuring private dns zones and upstream nameservers in kubernetes]: https://kubernetes.io/blog/2017/04/configuring-private-dns-zones-upstream-nameservers-kubernetes/
[how to disable the two-factor authentication in gitlab?]: https://stackoverflow.com/questions/31024771/how-to-disable-the-two-factor-authentication-in-gitlab
[using gitlab token to clone without authentication]: https://stackoverflow.com/questions/25409700/using-gitlab-token-to-clone-without-authentication#29570677

21
knowledge base/pulumi.md
View File

@@ -20,6 +20,7 @@
1. [Stack init fails because the stack supposedly already exists](#stack-init-fails-because-the-stack-supposedly-already-exists)
1. [Stack init fails due to missing scheme](#stack-init-fails-due-to-missing-scheme)
1. [Stack init fails due to invalid key identifier](#stack-init-fails-due-to-invalid-key-identifier)
1. [Change your program back to the original providers](#change-your-program-back-to-the-original-providers)
1. [Further readings](#further-readings)
1. [Sources](#sources)
@@ -850,6 +851,26 @@ Root cause: the secrets provider is set to use a KMS key, but one did not provid
Solution: Read [secrets] and fix the configuration by providing a correct key identifier.
### Change your program back to the original providers
Context: Typescript project, `preview` or `update` action.
Error message example:
> error: provider
> urn:pulumi:dev::projectName::pulumi:providers:aws::default_6_29_0::159e5843-63ae-4789-b332-4658578ba34c for resource
> urn:pulumi:dev::projectName::aws:ec2/instance:Instance::instanceName has not been registered yet, this is due to a
> change of providers mixed with --target. Change your program back to the original providers
Root cause: one is using a different provider version than the one the resource has been created with.
Solution:
1. Get the provider version the resource wants from the run output.
1. Fix the provider's version to the one wanted by the resource.
1. Run `pulumi install` to gather the required version.
1. Try the action again now.
## Further readings
- [Website]

1
snippets/aws.fish
View File

@@ -27,6 +27,7 @@ alias aws-ssm-gitlabAutoscalingManager-ita-b "aws ec2 describe-instances --outpu
| xargs -ot aws ssm start-session --target"
aws s3 rm 's3://bucket-name/prefix' --recursive --dry-run
aws s3 cp 's3://my-first-bucket/test.txt' 's3://my-other-bucket/'
aws ecs list-tasks --cluster 'testCluster' --family 'testService' --output 'text' --query 'taskArns' \
| xargs -p aws ecs wait tasks-running --cluster 'testCluster' --tasks

41
snippets/gitlab.omnibus.install.sh
View File

@@ -1,41 +0,0 @@
#!sh
# Instance OS: AmazonLinux 2023
# Instance size: t4g.xlarge
# Source: https://about.gitlab.com/install/#amazonlinux-2023
sudo systemctl is-active sshd.service
sudo systemctl is-enabled sshd.service
sudo systemctl enable --now 'sshd.service'
# Firewalld was not available on the instance
# ---
# sudo systemctl enable --now 'firewalld.service'
# sudo firewall-cmd --permanent --add-service=http
# sudo firewall-cmd --permanent --add-service=https
# sudo systemctl reload firewalld.service
# Can be avoided if emails are not used.
sudo dnf -y install 'postfix'
sudo systemctl enable --now 'postfix.service'
# Should have been `curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | bash`, but
# blindly installing stuff from the Internet just sucks.
# Soooo, following their script…
source '/etc/os-release'
os="${ID}"
dist="${VERSION_ID}"
base_url='https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo'
curl -sSf "${base_url}?os=${os}&dist=${dist}&source=script" | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'
dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee'
dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee-source'
# For 'https://…' URLs, the package will automatically request a certificate with Let's Encrypt during installation.
# This requires inbound HTTP access and a valid hostname. You can also use your own certificate.
# To avoid this, just use 'http://…' without the final 's'.
sudo EXTERNAL_URL="http://ip-172-31-73-256.eu-south-2.compute.internal" dnf install -y 'gitlab-ee'
# File automatically removed after 24h.
sudo cat '/etc/gitlab/initial_root_password'
xdg-open 'http://ip-172-31-73-256.eu-south-2.compute.internal'

12
snippets/gitlab.omnibus.reconfigure.sh
View File

@@ -1,12 +0,0 @@
#!sh
# Updated config template available at
# https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
# Local template (corresponding to the installed version) available at '/opt/gitlab/etc/gitlab.rb.template'
sudo dnf -y install 'ruby' 'vim'
sudo vim '/etc/gitlab/gitlab.rb'
sudo ruby -c '/etc/gitlab/gitlab.rb'
sudo gitlab-ctl show-config
sudo gitlab-ctl reconfigure

144
snippets/gitlab.omnibus.sh Normal file
View File

@@ -0,0 +1,144 @@
#!/usr/bin/env sh
##
# Installation - start
# --------------------------------------
# Instance OS: AmazonLinux 2023
# Instance size: t4g.xlarge
# Source: https://about.gitlab.com/install/#amazonlinux-2023
##
sudo systemctl is-active sshd.service
sudo systemctl is-enabled sshd.service
sudo systemctl enable --now 'sshd.service'
# Firewalld was not available on the instance
# ---
# sudo systemctl enable --now 'firewalld.service'
# sudo firewall-cmd --permanent --add-service=http
# sudo firewall-cmd --permanent --add-service=https
# sudo systemctl reload firewalld.service
# Can be avoided if emails are not used.
sudo dnf -y install 'postfix'
sudo systemctl enable --now 'postfix.service'
# Should have been `curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh | bash`, but
# blindly installing stuff from the Internet just sucks.
# Soooo, following their script…
source '/etc/os-release'
os="${ID}"
dist="${VERSION_ID}"
base_url='https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/config_file.repo'
curl -sSf "${base_url}?os=${os}&dist=${dist}&source=script" | sudo tee '/etc/yum.repos.d/gitlab_gitlab-ee.repo'
dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee'
dnf -q makecache -y --disablerepo='*' --enablerepo='gitlab_gitlab-ee-source'
# For 'https://…' URLs, the package will automatically request a certificate with Let's Encrypt during installation.
# This requires inbound HTTP access and a valid hostname. You can also use your own certificate.
# To avoid this, just use 'http://…' without the final 's'.
sudo EXTERNAL_URL="http://ip-172-31-73-256.eu-south-2.compute.internal" dnf install -y 'gitlab-ee'
# File automatically removed after 24h.
sudo cat '/etc/gitlab/initial_root_password'
# Open the page.
open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
xdg-open 'http://ip-172-31-73-256.eu-south-2.compute.internal'
## Installation - end ---------------- #
##
# Configuration - start
# --------------------------------------
##
# Updated config template available at
# https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
# Local template (corresponding to the installed version) available at '/opt/gitlab/etc/gitlab.rb.template'
sudo dnf -y install 'ruby' 'vim'
sudo vim '/etc/gitlab/gitlab.rb'
sudo ruby -c '/etc/gitlab/gitlab.rb'
sudo gitlab-ctl show-config
sudo gitlab-ctl reconfigure
gitlab-rails runner '
::Gitlab::CurrentSettings.update!(signup_enabled: false);
::Gitlab::CurrentSettings.update!(require_admin_approval_after_user_signup: false);
::Gitlab::CurrentSettings.update!(email_confirmation_setting: "hard");
::Gitlab::CurrentSettings.update!(password_number_required: true);
::Gitlab::CurrentSettings.update!(password_lowercase_required: true);
::Gitlab::CurrentSettings.update!(password_uppercase_required: true);
'
# Configuration - end ---------------- #
##
# Maintenance - start
# --------------------------------------
##
# Package upgrade
sudo yum check-update
sudo yum info 'gitlab-ee'
sudo rpm -qa | grep 'gitlab-ee'
tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"
# Password reset
sudo gitlab-rake 'gitlab:password:reset[root]'
sudo gitlab-rails console \
# --> user = User.find_by_username 'root'
# --> user.password = 'QwerTy184'
# --> user.password_confirmation = 'QwerTy184'
# --> user.password_automatically_set = false
# --> user.save!
# --> quit
sudo gitlab-rails runner '
user = User.find_by_username "anUsernameHere";
new_password = "QwerTy184";
user.password = new_password;
user.password_confirmation = new_password;
user.password_automatically_set = false;
user.save!
'
# Disable users' two factor authentication.
sudo gitlab-rails runner 'User.where(username: "anUsernameHere").each(&:disable_two_factor!)'
sudo gitlab-rails runner 'User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)'
## Maintenance - end ----------------- #
##
# Restore backups - start
# --------------------------------------
# Version *and* edition of the installed version must be the exact same of the
# ones from the backup.
##
sudo aws s3 cp 's3://backups/gitlab/gitlab-secrets.json' '/etc/gitlab/gitlab-secrets.json'
sudo aws s3 cp 's3://backups/gitlab/gitlab.rb' '/etc/gitlab/gitlab.rb'
sudo aws s3 cp \
's3://backups/gitlab/11493107454_2018_04_25_10.6.4-ce_gitlab_backup.tar' \
'/var/opt/gitlab/backups/'
sudo gitlab-ctl stop 'puma'
sudo gitlab-ctl stop 'sidekiq'
sudo gitlab-backup restore BACKUP='11493107454_2018_04_25_10.6.4-ce'
sudo gitlab-ctl start
## Restore backups - end ------------- #
##
# Removal - start
##
sudo gitlab-ctl stop
sudo gitlab-ctl remove-accounts
sudo gitlab-ctl cleanse
sudo rm -rf '/etc/gitlab' '/opt/gitlab'
sudo dnf -y remove --noautoremove 'gitlab-ee'
## Removal - end --------------------- #

6
snippets/gitlab.omnibus.upgrade.sh
View File

@@ -1,6 +0,0 @@
#!sh
sudo yum check-update
sudo yum info 'gitlab-ee'
sudo rpm -qa | grep 'gitlab-ee'
tmux new-session -A -s 'gitlab-upgrade' "sudo yum update 'gitlab-ee'"