gitlab-org--gitlab-foss/doc/administration/raketasks/check.md

# Integrity Check Rake Task

## Repository Integrity

Even though Git is very resilient and tries to prevent data integrity issues,
there are times when things go wrong. The following Rake tasks intend to
help GitLab administrators diagnose problem repositories so they can be fixed.

There are 3 things that are checked to determine integrity.

1. Git repository file system check ([`git fsck`](https://git-scm.com/docs/git-fsck)).
   This step verifies the connectivity and validity of objects in the repository.
1. Check for `config.lock` in the repository directory.
1. Check for any branch/references lock files in `refs/heads`.

It's important to note that the existence of `config.lock` or reference locks
alone do not necessarily indicate a problem. Lock files are routinely created
and removed as Git and GitLab perform operations on the repository. They serve
to prevent data integrity issues. However, if a Git operation is interrupted these
locks may not be cleaned up properly.

The following symptoms may indicate a problem with repository integrity. If users
experience these symptoms you may use the rake tasks described below to determine
exactly which repositories are causing the trouble.

- Receiving an error when trying to push code - `remote: error: cannot lock ref`
- A 500 error when viewing the GitLab dashboard or when accessing a specific project.

### Check all GitLab repositories

This task loops through all repositories on the GitLab server and runs the
integrity check described previously.

**Omnibus Installation**

```shell
sudo gitlab-rake gitlab:git:fsck
```

**Source Installation**

```shell
sudo -u git -H bundle exec rake gitlab:git:fsck RAILS_ENV=production
```

## Uploaded Files Integrity

Various types of files can be uploaded to a GitLab installation by users.
These integrity checks can detect missing files. Additionally, for locally
stored files, checksums are generated and stored in the database upon upload,
and these checks will verify them against current files.

Currently, integrity checks are supported for the following types of file:

- CI artifacts (Available from version 10.7.0)
- LFS objects (Available from version 10.6.0)
- User uploads (Available from version 10.6.0)

**Omnibus Installation**

```shell
sudo gitlab-rake gitlab:artifacts:check
sudo gitlab-rake gitlab:lfs:check
sudo gitlab-rake gitlab:uploads:check
```

**Source Installation**

```shell
sudo -u git -H bundle exec rake gitlab:artifacts:check RAILS_ENV=production
sudo -u git -H bundle exec rake gitlab:lfs:check RAILS_ENV=production
sudo -u git -H bundle exec rake gitlab:uploads:check RAILS_ENV=production
```

These tasks also accept some environment variables which you can use to override
certain values:

Variable  | Type    | Description
--------- | ------- | -----------
`BATCH`   | integer | Specifies the size of the batch. Defaults to 200.
`ID_FROM` | integer | Specifies the ID to start from, inclusive of the value.
`ID_TO`   | integer | Specifies the ID value to end at, inclusive of the value.
`VERBOSE` | boolean | Causes failures to be listed individually, rather than being summarized.

```shell
sudo gitlab-rake gitlab:artifacts:check BATCH=100 ID_FROM=50 ID_TO=250
sudo gitlab-rake gitlab:lfs:check BATCH=100 ID_FROM=50 ID_TO=250
sudo gitlab-rake gitlab:uploads:check BATCH=100 ID_FROM=50 ID_TO=250
```

Example output:

```shell
$ sudo gitlab-rake gitlab:uploads:check
Checking integrity of Uploads
- 1..1350: Failures: 0
- 1351..2743: Failures: 0
- 2745..4349: Failures: 2
- 4357..5762: Failures: 1
- 5764..7140: Failures: 2
- 7142..8651: Failures: 0
- 8653..10134: Failures: 0
- 10135..11773: Failures: 0
- 11777..13315: Failures: 0
Done!
```

Example verbose output:

```shell
$ sudo gitlab-rake gitlab:uploads:check VERBOSE=1
Checking integrity of Uploads
- 1..1350: Failures: 0
- 1351..2743: Failures: 0
- 2745..4349: Failures: 2
  - Upload: 3573: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /opt/gitlab/embedded/service/gitlab-rails/public/uploads/user-foo/project-bar/7a77cc52947bfe188adeff42f890bb77/image.png>
  - Upload: 3580: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /opt/gitlab/embedded/service/gitlab-rails/public/uploads/user-foo/project-bar/2840ba1ba3b2ecfa3478a7b161375f8a/pug.png>
- 4357..5762: Failures: 1
  - Upload: 4636: #<Google::Apis::ServerError: Server error>
- 5764..7140: Failures: 2
  - Upload: 5812: #<NoMethodError: undefined method `hashed_storage?' for nil:NilClass>
  - Upload: 5837: #<NoMethodError: undefined method `hashed_storage?' for nil:NilClass>
- 7142..8651: Failures: 0
- 8653..10134: Failures: 0
- 10135..11773: Failures: 0
- 11777..13315: Failures: 0
Done!
```

## LDAP Check

The LDAP check Rake task will test the bind_dn and password credentials
(if configured) and will list a sample of LDAP users. This task is also
executed as part of the `gitlab:check` task, but can run independently.
See [LDAP Rake Tasks - LDAP Check](ldap.md#check) for details.

[git-fsck]: https://git-scm.com/docs/git-fsck
Remove gitlab:user:check_repos task While reviewing this branch it was noted that this task was broken. Given the limited value this task brings, and given the fact that much of the old behaviour has been moved to be automatically fixed, removing was a good option. Suggestion in: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/20806#note_91261001 2018-07-30 13:23:59 -04:00			`# Integrity Check Rake Task`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00
			`## Repository Integrity`

			`Even though Git is very resilient and tries to prevent data integrity issues,`
			`there are times when things go wrong. The following Rake tasks intend to`
			`help GitLab administrators diagnose problem repositories so they can be fixed.`

			`There are 3 things that are checked to determine integrity.`

Add latest changes from gitlab-org/gitlab@master 2019-09-26 02:06:27 -04:00			1. Git repository file system check ([`git fsck`](https://git-scm.com/docs/git-fsck)).
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`This step verifies the connectivity and validity of objects in the repository.`
			1. Check for `config.lock` in the repository directory.
			1. Check for any branch/references lock files in `refs/heads`.

			It's important to note that the existence of `config.lock` or reference locks
			`alone do not necessarily indicate a problem. Lock files are routinely created`
			`and removed as Git and GitLab perform operations on the repository. They serve`
			`to prevent data integrity issues. However, if a Git operation is interrupted these`
			`locks may not be cleaned up properly.`

			`The following symptoms may indicate a problem with repository integrity. If users`
			`experience these symptoms you may use the rake tasks described below to determine`
			`exactly which repositories are causing the trouble.`

			- Receiving an error when trying to push code - `remote: error: cannot lock ref`
			`- A 500 error when viewing the GitLab dashboard or when accessing a specific project.`

			`### Check all GitLab repositories`

			`This task loops through all repositories on the GitLab server and runs the`
Remove gitlab:user:check_repos task While reviewing this branch it was noted that this task was broken. Given the limited value this task brings, and given the fact that much of the old behaviour has been moved to be automatically fixed, removing was a good option. Suggestion in: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/20806#note_91261001 2018-07-30 13:23:59 -04:00			`integrity check described previously.`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00
			`Omnibus Installation`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
refactor spec, add docs 2018-01-04 05:02:43 -05:00			`sudo gitlab-rake gitlab:git:fsck`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			```

			`Source Installation`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
refactor spec, add docs 2018-01-04 05:02:43 -05:00			`sudo -u git -H bundle exec rake gitlab:git:fsck RAILS_ENV=production`
Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			```

Add docs for the gitlab:uploads:check rake task 2018-01-08 16:22:17 -05:00			`## Uploaded Files Integrity`

Add support for verifying remote uploads, artifacts, and LFS objects in check rake tasks 2018-06-13 13:11:43 -04:00			`Various types of files can be uploaded to a GitLab installation by users.`
			`These integrity checks can detect missing files. Additionally, for locally`
			`stored files, checksums are generated and stored in the database upon upload,`
			`and these checks will verify them against current files.`
Add docs for the gitlab:uploads:check rake task 2018-01-08 16:22:17 -05:00
Foreground verification of uploads and LFS objects 2018-02-27 14:15:25 -05:00			`Currently, integrity checks are supported for the following types of file:`

Make unordered lists conform to styleguide - Also makes other minor Markdown fixes that were near the main fixes. 2018-11-13 01:07:16 -05:00			`- CI artifacts (Available from version 10.7.0)`
			`- LFS objects (Available from version 10.6.0)`
			`- User uploads (Available from version 10.6.0)`
Add docs for the gitlab:uploads:check rake task 2018-01-08 16:22:17 -05:00
			`Omnibus Installation`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Implement foreground verification of CI artifacts 2018-03-06 13:46:36 -05:00			`sudo gitlab-rake gitlab:artifacts:check`
Foreground verification of uploads and LFS objects 2018-02-27 14:15:25 -05:00			`sudo gitlab-rake gitlab:lfs:check`
Add docs for the gitlab:uploads:check rake task 2018-01-08 16:22:17 -05:00			`sudo gitlab-rake gitlab:uploads:check`
			```

			`Source Installation`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Implement foreground verification of CI artifacts 2018-03-06 13:46:36 -05:00			`sudo -u git -H bundle exec rake gitlab:artifacts:check RAILS_ENV=production`
Foreground verification of uploads and LFS objects 2018-02-27 14:15:25 -05:00			`sudo -u git -H bundle exec rake gitlab:lfs:check RAILS_ENV=production`
Add docs for the gitlab:uploads:check rake task 2018-01-08 16:22:17 -05:00			`sudo -u git -H bundle exec rake gitlab:uploads:check RAILS_ENV=production`
			```

Foreground verification of uploads and LFS objects 2018-02-27 14:15:25 -05:00			`These tasks also accept some environment variables which you can use to override`
Add docs for ENV variables take gitlab:uploads:check rake task supports 2018-01-09 19:02:44 -05:00			`certain values:`

Foreground verification of uploads and LFS objects 2018-02-27 14:15:25 -05:00			`Variable \| Type \| Description`
			`--------- \| ------- \| -----------`
			`BATCH` \| integer \| Specifies the size of the batch. Defaults to 200.
			`ID_FROM` \| integer \| Specifies the ID to start from, inclusive of the value.
			`ID_TO` \| integer \| Specifies the ID value to end at, inclusive of the value.
			`VERBOSE` \| boolean \| Causes failures to be listed individually, rather than being summarized.
Add docs for ENV variables take gitlab:uploads:check rake task supports 2018-01-09 19:02:44 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Implement foreground verification of CI artifacts 2018-03-06 13:46:36 -05:00			`sudo gitlab-rake gitlab:artifacts:check BATCH=100 ID_FROM=50 ID_TO=250`
Foreground verification of uploads and LFS objects 2018-02-27 14:15:25 -05:00			`sudo gitlab-rake gitlab:lfs:check BATCH=100 ID_FROM=50 ID_TO=250`
Add docs for ENV variables take gitlab:uploads:check rake task supports 2018-01-09 19:02:44 -05:00			`sudo gitlab-rake gitlab:uploads:check BATCH=100 ID_FROM=50 ID_TO=250`
			```

Add example output for file integrity check 2018-07-24 19:17:57 -04:00			`Example output:`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Add example output for file integrity check 2018-07-24 19:17:57 -04:00			`$ sudo gitlab-rake gitlab:uploads:check`
			`Checking integrity of Uploads`
			`- 1..1350: Failures: 0`
			`- 1351..2743: Failures: 0`
			`- 2745..4349: Failures: 2`
			`- 4357..5762: Failures: 1`
			`- 5764..7140: Failures: 2`
			`- 7142..8651: Failures: 0`
			`- 8653..10134: Failures: 0`
			`- 10135..11773: Failures: 0`
			`- 11777..13315: Failures: 0`
			`Done!`
			```

			`Example verbose output:`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Add example output for file integrity check 2018-07-24 19:17:57 -04:00			`$ sudo gitlab-rake gitlab:uploads:check VERBOSE=1`
			`Checking integrity of Uploads`
			`- 1..1350: Failures: 0`
			`- 1351..2743: Failures: 0`
			`- 2745..4349: Failures: 2`
			`- Upload: 3573: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /opt/gitlab/embedded/service/gitlab-rails/public/uploads/user-foo/project-bar/7a77cc52947bfe188adeff42f890bb77/image.png>`
			`- Upload: 3580: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /opt/gitlab/embedded/service/gitlab-rails/public/uploads/user-foo/project-bar/2840ba1ba3b2ecfa3478a7b161375f8a/pug.png>`
			`- 4357..5762: Failures: 1`
			`- Upload: 4636: #<Google::Apis::ServerError: Server error>`
			`- 5764..7140: Failures: 2`
			- Upload: 5812: #<NoMethodError: undefined method `hashed_storage?' for nil:NilClass>
			- Upload: 5837: #<NoMethodError: undefined method `hashed_storage?' for nil:NilClass>
			`- 7142..8651: Failures: 0`
			`- 8653..10134: Failures: 0`
			`- 10135..11773: Failures: 0`
			`- 11777..13315: Failures: 0`
			`Done!`
			```

Introduce better credential and error checking to `rake gitlab:ldap:check` It was previously possible for invalid credential errors to go unnoticed in this task. Users would believe everything was configured correctly and then sign in would fail with 'invalid credentials'. This adds a specific bind check, plus catches errors connecting to the server. Also, specs :) 2016-09-29 15:08:27 -04:00			`## LDAP Check`

			`The LDAP check Rake task will test the bind_dn and password credentials`
			`(if configured) and will list a sample of LDAP users. This task is also`
Add LDAP task to rename a provider Sometimes admins will change the LDAP configuration, not realizing that problems will occur if the user's LDAP identities are not also updated to use the new provider name. This task will give admins a single command to run to update identities and will prevent having to run multiple Rails console queries. 2015-12-22 16:09:35 -05:00			executed as part of the `gitlab:check` task, but can run independently.
			`See [LDAP Rake Tasks - LDAP Check](ldap.md#check) for details.`
add deprecation and removal issue to docs 2018-01-05 05:16:18 -05:00
Remove git rake tasks These tasks are happening through housekeeping right now, by default ever 10th push. This removes the need for these tasks. Side note, this removes one of my first contributions to GitLab, as back than I introduced these tasks through: 54e6c0045bb13c05cc5478cbdf47d3246bd9fe2b Closes https://gitlab.com/gitlab-org/gitaly/issues/768 2018-07-24 06:17:29 -04:00			`[git-fsck]: https://git-scm.com/docs/git-fsck`