Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2022-05-23 00:08:37 +00:00
parent 480fdbd639
commit 05c5ce9bce
8 changed files with 225 additions and 45 deletions


@ -175,8 +175,19 @@ Dangerfile @gl-quality/eng-prod
^[Workhorse]
/workhorse/ @jacobvosmaer-gitlab @nick.thomas @nolith @patrickbajao
^[Application Security]
[Application Security]
/app/assets/javascripts/lib/dompurify.js @gitlab-com/gl-security/appsec
/app/validators/addressable_url_validator.rb @gitlab-com/gl-security/appsec
/app/validators/public_url_validator.rb @gitlab-com/gl-security/appsec
/config/initializers/content_security_policy.rb @gitlab-com/gl-security/appsec
/lib/gitlab/content_security_policy/ @gitlab-com/gl-security/appsec
/lib/gitlab/http.rb @gitlab-com/gl-security/appsec
/lib/gitlab/http_connection_adapter.rb @gitlab-com/gl-security/appsec
/lib/gitlab/sanitizers @gitlab-com/gl-security/appsec
/lib/gitlab/untrusted_regexp.rb @gitlab-com/gl-security/appsec
/lib/gitlab/url_blocker.rb @gitlab-com/gl-security/appsec
/lib/gitlab/url_blockers/ @gitlab-com/gl-security/appsec
/lib/gitlab/utils.rb @gitlab-com/gl-security/appsec
^[Gitaly]
lib/gitlab/git_access.rb @proglottis @toon @zj-gitlab
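Review bot: The `/lib/gitlab/sanitizers` entry has no trailing slash, unlike the other directory entries added in this section (`/lib/gitlab/content_security_policy/`, `/lib/gitlab/url_blockers/`). If `sanitizers` is a directory, a pattern without the trailing slash may match only that exact path and not the files beneath it. Changes to the sanitizers would then not request AppSec approval, even though dropping the `^` prefix appears to make this section non-optional. I would write it as `/lib/gitlab/sanitizers/ @gitlab-com/gl-security/appsec` and confirm the match with a merge request that touches a file in that directory.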


@ -22,7 +22,7 @@ module ContainerRegistry
repositories = ::ContainerRepository.with_stale_migration(step_before_timestamp)
.limit(max_capacity)
aborts_count = 0
long_running_migration_ids = []
long_running_migrations = []
# the #to_a is safe as the amount of entries is limited.
# In addition, we're calling #each in the next line and we don't want two different SQL queries for these two lines
@ -32,7 +32,7 @@ module ContainerRegistry
if actively_importing?(repository)
# if a repository is actively importing but not yet long_running, do nothing
if long_running_migration?(repository)
long_running_migration_ids << repository.id
long_running_migrations << repository
cancel_long_running_migration(repository)
aborts_count += 1
end
@ -44,8 +44,9 @@ module ContainerRegistry
log_extra_metadata_on_done(:aborted_stale_migrations_count, aborts_count)
if long_running_migration_ids.any?
log_extra_metadata_on_done(:aborted_long_running_migration_ids, long_running_migration_ids)
if long_running_migrations.any?
log_extra_metadata_on_done(:aborted_long_running_migration_ids, long_running_migrations.map(&:id))
log_extra_metadata_on_done(:aborted_long_running_migration_paths, long_running_migrations.map(&:path))
end
end
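Review bot: The new `:aborted_long_running_migration_paths` key writes full repository paths into the worker's done-log metadata, where previously only numeric ids were logged. If `path` includes the namespace and project name (its definition is not visible here), names of private projects will reach whatever log sinks consume this worker's output, so it is worth confirming those sinks are access-restricted accordingly. The two arrays can also only be correlated by position; a comment such as `# ids and paths are logged in the same order so entries can be matched by index` above the two calls would make that explicit. The enclosing method starts and ends outside the hunks shown.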


@ -120,8 +120,14 @@ more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
# Allow smartcard authentication
gitlab_rails['smartcard_enabled'] = true
# Path to a file containing a CA certificate
gitlab_rails['smartcard_ca_file'] = "/etc/ssl/certs/CA.pem"
# Host and port where the client side certificate is requested by the
# webserver (NGINX/Apache)
gitlab_rails['smartcard_client_certificate_required_host'] = "smartcard.example.com"
gitlab_rails['smartcard_client_certificate_required_port'] = 3444
```


@ -4,11 +4,16 @@ group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# How to host the GitLab product documentation **(FREE SELF)**
# Host the GitLab product documentation **(FREE SELF)**
If you are not able to access the GitLab product documentation at `docs.gitlab.com`,
you can host the documentation yourself instead.
Prerequisites:
- The version of the product documentation site must be the same as the version of
your GitLab installation.
## Documentation self-hosting options
To host the GitLab product documentation, you can use:
@ -30,28 +35,48 @@ The following examples use GitLab 14.5.
### Self-host the product documentation with Docker
You can run the GitLab product documentation website in a Docker container:
The documentation website is served under the port `4000` inside the container.
In the following example, we expose this on the host under the same port.
Make sure you either:
- Allow port `4000` in your firewall.
- Use a different port. In following examples, replace the leftmost `4000` with the port different port.
To run the GitLab product documentation website in a Docker container:
1. Expose port `4000`. The Docker image uses this port for the web server.
1. On the server where you host GitLab, or on any other server that your GitLab instance
can communicate with, pull the docs site:
can communicate with:
```shell
docker run -it --rm -p 4000:4000 registry.gitlab.com/gitlab-org/gitlab-docs:14.5
```
- If you use plain Docker, run:
If you host your GitLab instance using [Docker compose](../install/docker.md#install-gitlab-using-docker-compose),
add the following to `docker-compose.yaml`:
```shell
docker run --detach --name gitlab_docs -it --rm -p 4000:4000 registry.gitlab.com/gitlab-org/gitlab-docs:14.5
```
```yaml
version: '3.6'
services:
docs:
image: registry.gitlab.com/gitlab-org/gitlab-docs:14.5
hostname: 'https://gitlab.example.com'
ports:
- '4000:4000'
```
- If you host your GitLab instance using
[Docker compose](../install/docker.md#install-gitlab-using-docker-compose),
add the following to your existing `docker-compose.yaml`:
```yaml
version: '3.6'
services:
gitlab_docs:
image: registry.gitlab.com/gitlab-org/gitlab-docs:14.5
hostname: 'https://docs.gitlab.example.com:4000'
ports:
- '4000:4000'
```
Then, pull the changes:
```shell
docker-compose up -d
```
1. Visit `http://0.0.0.0:4000` to view the documentation website and verify
it works.
1. [Redirect the help links to the new Docs site](#redirect-the-help-links-to-the-new-docs-site).
### Self-host the product documentation with GitLab Pages
@ -89,29 +114,59 @@ To host the product documentation site with GitLab Pages:
| [Project website](../user/project/pages/getting_started_part_one.md#project-website-examples) | Not supported | Supported |
| [User or group website](../user/project/pages/getting_started_part_one.md#user-and-group-website-examples) | Supported | Supported |
1. [Redirect the help links to the new Docs site](#redirect-the-help-links-to-the-new-docs-site).
### Self-host the product documentation on your own web server
Because the product documentation site is static, from the container, you can take the contents
of `/usr/share/nginx/html` and use your own web server to host
Because the product documentation site is static, you can take the contents of
`/usr/share/nginx/html` from inside the container, and use your own web server to host
the docs wherever you want.
Run the following commands, replacing `<destination>` with the directory where the
documentation files will be copied to:
The `html` directory should be served as is and it has the following structure:
```shell
docker create -it --name gitlab-docs registry.gitlab.com/gitlab-org/gitlab-docs:14.5
docker cp gitlab-docs:/usr/share/nginx/html <destination>
docker rm -f gitlab-docs
```plaintext
├── 14.5/
├── index.html
```
## Redirect the `/help` links to the new docs page
In this example:
- `14.5/` is the directory where the documentation is hosted.
- `index.html` is a simple HTML file that redirects to the directory containing the documentation. In this
case, `14.5/`.
To extract the HTML files of the Docs site:
1. Create the container that holds the HTML files of the documentation website:
```shell
docker create -it --name gitlab_docs registry.gitlab.com/gitlab-org/gitlab-docs:14.5
```
1. Copy the website under `/srv/gitlab/`:
```shell
docker cp gitlab-docs:/usr/share/nginx/html /srv/gitlab/
```
You will end up with a `/srv/gitlab/html/` directory that holds the documentation website.
1. Remove the container:
```shell
docker rm -f gitlab_docs
```
1. Point your web server to serve the contents of `/srv/gitlab/html/`.
1. [Redirect the help links to the new Docs site](#redirect-the-help-links-to-the-new-docs-site).
## Redirect the `/help` links to the new Docs site
After your local product documentation site is running,
[redirect the help links](../user/admin_area/settings/help_page.md#redirect-help-pages)
in the GitLab application to your local site.
Be sure to use the fully qualified domain name as the docs URL. For example, if you
used the [Docker method](#self-host-the-product-documentation-with-docker), enter `http://0.0.0.0:4000`.
in the GitLab application to your local site, by using the fully qualified domain
name as the docs URL. For example, if you used the
[Docker method](#self-host-the-product-documentation-with-docker), enter `http://0.0.0.0:4000`.
You don't need to append the version. GitLab detects it and appends it to
documentation URL requests as needed. For example, if your GitLab version is
@ -124,6 +179,84 @@ documentation URL requests as needed. For example, if your GitLab version is
To test the setting, select a **Learn more** link within the GitLab application.
## Upgrade the product documentation to a later version
Upgrading the Docs site to a later version requires downloading the newer Docker image tag.
### Upgrade using Docker
To upgrade to a later version [using Docker](#self-host-the-product-documentation-with-docker):
- If you use plain Docker:
1. Stop the running container:
```shell
sudo docker stop gitlab_docs
```
1. Remove the existing container:
```shell
sudo docker rm gitlab_docs
```
1. Pull the new image. For example, 14.6:
```shell
docker run --detach --name gitlab_docs -it --rm -p 4000:4000 registry.gitlab.com/gitlab-org/gitlab-docs:14.6
```
- If you use Docker compose:
1. Change the version in `docker-compose.yaml`, for example 14.6:
```yaml
version: '3.6'
services:
gitlab_docs:
image: registry.gitlab.com/gitlab-org/gitlab-docs:14.6
hostname: 'https://docs.gitlab.example.com:4000'
ports:
- '4000:4000'
```
1. Pull the changes:
```shell
docker-compose up -d
```
### Upgrade using GitLab Pages
To upgrade to a later version [using GitLab Pages](#self-host-the-product-documentation-with-gitlab-pages):
1. Edit your existing `.gitlab-ci.yml` file, and replace the `image`'s version number:
```yaml
image: registry.gitlab.com/gitlab-org/gitlab-docs:14.5
```
1. Commit the changes, push, and GitLab Pages pulls the new Docs site version.
### Upgrade using your own web-server
To upgrade to a later version [using your own web-server](#self-host-the-product-documentation-on-your-own-web-server):
1. Copy the HTML files of the Docs site:
```shell
docker create -it --name gitlab_docs registry.gitlab.com/gitlab-org/gitlab-docs:14.6
docker cp gitlab_docs:/usr/share/nginx/html /srv/gitlab/
docker rm -f gitlab_docs
```
1. Optional. Remove the old site:
```shell
rm -r /srv/gitlab/html/14.5/
```
## Known issues
If you self-host the product documentation:


@ -320,9 +320,9 @@ Use the [`praefect metadata`](troubleshooting.md#view-repository-metadata) subco
- The virtual storage and relative path.
- The repository ID.
The repository on disk also contains the project path in the Git configuration file. The configuration file can be used to determine
the project's location even if the repository's metadata has been deleted. Follow the
[instructions in hashed storage's documentation](../repository_storage_types.md#from-hashed-path-to-project-name).
The repository on disk also contains the project path in the Git configuration file. The configuration
file can be used to determine the project path even if the repository's metadata has been deleted.
Follow the [instructions in hashed storage's documentation](../repository_storage_types.md#from-hashed-path-to-project-name).
#### Atomicity of operations


@ -632,12 +632,8 @@ and on all Praefect clients that communicate with it following the procedure des
Note the following:
- The certificate must specify the address you use to access the Praefect server. If
addressing the Praefect server by:
- Hostname, you can either use the Common Name field for this, or add it as a Subject
Alternative Name.
- IP address, you must add it as a Subject Alternative Name to the certificate.
- The certificate must specify the address you use to access the Praefect server. You must add the hostname or IP
address as a Subject Alternative Name to the certificate.
- When running Praefect sub-commands such as `dial-nodes` and `list-untracked-repositories` from the command line with
[Gitaly TLS enabled](configure_gitaly.md#enable-tls-support), you must set the `SSL_CERT_DIR` or `SSL_CERT_FILE`
environment variable so that the Gitaly certificate is trusted. For example:
@ -651,6 +647,8 @@ Note the following:
This allows you to do a gradual transition from unencrypted to encrypted traffic, if
necessary.
To disable the unencrypted listener, set `praefect['listen_addr'] = nil`.
To configure Praefect with TLS:
**For Omnibus GitLab**


@ -176,6 +176,35 @@ If using [Group Sync](#group-sync), customize the name of the group claim to mat
See the [troubleshooting page](../../../administration/troubleshooting/group_saml_scim.md#azure-active-directory) for an example configuration.
### Google Workspace setup notes
Follow the Google Workspace documentation on
[setting up SSO with Google as your identity provider](https://support.google.com/a/answer/6087519?hl=en)
with the notes below for consideration.
| GitLab setting | Google Workspace field |
|:-------------------------------|:-----------------------|
| Identifier | Entity ID |
| Assertion consumer service URL | ACS URL |
You must download the certificate to get the SHA1 certificate fingerprint.
The recommended attributes and claims settings are:
- **Primary email** set to `email`.
- **First name** set to `first_name`.
- **Last name** set to `last_name`.
For NameID, the following settings are recommended:
- **Name ID format** is set to `EMAIL`.
- **NameID** set to `Basic Information > Primary email`.
When selecting **Verify SAML Configuration** on the GitLab SAML SSO page, disregard the warning about the NameID format
"persistent" recommended.
See the [troubleshooting page](../../../administration/troubleshooting/group_saml_scim.md#google-workspace) for an example configuration.
### Okta setup notes
Please follow the Okta documentation on [setting up a SAML application in Okta](https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/) with the notes below for consideration.


@ -37,6 +37,7 @@ RSpec.describe ContainerRegistry::Migration::GuardWorker, :aggregate_failures do
expect(worker).to receive(:log_extra_metadata_on_done).with(:stale_migrations_count, 1)
expect(worker).to receive(:log_extra_metadata_on_done).with(:aborted_stale_migrations_count, 1)
expect(worker).to receive(:log_extra_metadata_on_done).with(:aborted_long_running_migration_ids, [stale_migration.id])
expect(worker).to receive(:log_extra_metadata_on_done).with(:aborted_long_running_migration_paths, [stale_migration.path])
expect(ContainerRegistry::Migration).to receive(timeout).and_call_original
expect { subject }
@ -75,6 +76,7 @@ RSpec.describe ContainerRegistry::Migration::GuardWorker, :aggregate_failures do
expect(worker).to receive(:log_extra_metadata_on_done).with(:stale_migrations_count, 1)
expect(worker).to receive(:log_extra_metadata_on_done).with(:aborted_stale_migrations_count, 1)
expect(worker).to receive(:log_extra_metadata_on_done).with(:aborted_long_running_migration_ids, [stale_migration.id])
expect(worker).to receive(:log_extra_metadata_on_done).with(:aborted_long_running_migration_paths, [stale_migration.path])
expect(ContainerRegistry::Migration).to receive(timeout).and_call_original
expect { subject }
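Review bot: Both added expectations pin `:aborted_long_running_migration_paths` against a single-element array, `[stale_migration.path]`. The examples shown therefore do not check that ids and paths stay in the same order when more than one long-running migration is aborted in a run. An example with two stale repositories, asserting `[a.id, b.id]` and `[a.path, b.path]`, would cover that. The same applies to the second hunk at `-75,6 +76,7`, and the `it` blocks start and end outside the hunks shown.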