Add notes about gitaly network architecture
This commit is contained in:
Jacob Vosmaer
parent
ed1da73020
commit
687df21f5c
1 changed files with 19 additions and 0 deletions
|
|
@ -49,6 +49,25 @@ Starting with GitLab 11.4, Gitaly is a replacement for NFS except
|
||||||
when the [Elastic Search indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer)
|
when the [Elastic Search indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer)
|
||||||
is used.
|
is used.
|
||||||
|
|
||||||
|
### Network architecture
|
||||||
|
|
||||||
|
- gitlab-rails shards repositories into "repository storages"
|
||||||
|
- gitlab-rails/config/gitlab.yml contains a map from storage names to
|
||||||
|
(Gitaly address, Gitaly token) pairs
|
||||||
|
- the `storage name` -\> `(Gitaly address, Gitaly token)` map in
|
||||||
|
gitlab.yml is the single source of truth for the Gitaly network
|
||||||
|
topology
|
||||||
|
- a (Gitaly address, Gitaly token) corresponds to a Gitaly server
|
||||||
|
- a Gitaly server hosts one or more storages
|
||||||
|
- Gitaly addresses must be specified in such a way that they resolve
|
||||||
|
correctly for ALL Gitaly clients
|
||||||
|
- Gitaly clients are: unicorn, sidekiq, gitlab-workhorse,
|
||||||
|
gitlab-shell, and Gitaly itself
|
||||||
|
- special case: a Gitaly server must be able to make RPC calls **to
|
||||||
|
itself** via its own (Gitaly address, Gitaly token) pair as
|
||||||
|
specified in gitlab-rails/config/gitlab.yml
|
||||||
|
- Gitaly servers must not be exposed to the public internet
|
||||||
|
|
||||||
Gitaly network traffic is unencrypted so you should use a firewall to
|
Gitaly network traffic is unencrypted so you should use a firewall to
|
||||||
restrict access to your Gitaly server.
|
restrict access to your Gitaly server.
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue