author: GitLab Bot <gitlab-bot@gitlab.com> 2020-03-10 12:08:16 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-03-10 12:08:16 +0000
commit: 1fa79760ad2d4bd67f5c5a27f372a7533b9b7c69 (patch)
tree: ffdfbd9113743831ff4f1290959a62cf6567fde5 /doc
parent: 82fa8a3d1e8466ef36b58604d20fcc145ea12118 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- doc/administration/gitaly/praefect.md | 20
-rw-r--r-- doc/administration/monitoring/gitlab_self_monitoring_project/index.md | 26
-rw-r--r-- doc/administration/monitoring/prometheus/gitlab_metrics.md | 16
-rw-r--r-- doc/ci/variables/predefined_variables.md | 2
-rw-r--r-- doc/ci/yaml/README.md | 56
-rw-r--r-- doc/development/integrations/secure.md | 9
-rw-r--r-- doc/development/kubernetes.md | 2
-rw-r--r-- doc/install/aws/img/aws_ha_architecture_diagram.png | bin 133100 -> 141351 bytes
-rw-r--r-- doc/install/aws/index.md | 40
-rw-r--r-- doc/topics/application_development_platform/index.md | 2
-rw-r--r-- doc/user/application_security/dependency_scanning/index.md | 65
-rw-r--r-- doc/user/clusters/applications.md | 2
-rw-r--r-- doc/user/group/index.md | 2
-rw-r--r-- doc/user/incident_management/index.md | 2
-rw-r--r-- doc/user/project/clusters/img/kubernetes_pod_logs_v12_8.png | bin 152582 -> 0 bytes
-rw-r--r-- doc/user/project/clusters/img/kubernetes_pod_logs_v12_9.png | bin 0 -> 245204 bytes
-rw-r--r-- doc/user/project/clusters/index.md | 6
-rw-r--r-- doc/user/project/clusters/kubernetes_pod_logs.md | 12
-rw-r--r-- doc/user/project/integrations/img/prometheus_cluster_health_embed_v12_9.png | bin 0 -> 50178 bytes
-rw-r--r-- doc/user/project/integrations/prometheus.md | 29
20 files changed, 227 insertions, 64 deletions
diff --git a/doc/administration/gitaly/praefect.md b/doc/administration/gitaly/praefect.md
index 42437ecd7f4..f9b1fdae056 100644
--- a/doc/administration/gitaly/praefect.md
+++ b/doc/administration/gitaly/praefect.md
@@ -278,7 +278,7 @@ application server, or a Gitaly node.
1. Save the changes to `/etc/gitlab/gitlab.rb` and [reconfigure Praefect](../restart_gitlab.md#omnibus-gitlab-reconfigure):
```shell
- sudo gitlab-ctl reconfigure
+ gitlab-ctl reconfigure
```
1. Verify that Praefect can reach PostgreSQL:
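Review bot: The `gitlab-ctl reconfigure` step now only works from a root shell, and nothing in the visible steps tells the reader to become root first. Since this and the later hunks drop `sudo` from every command, add one sentence at the start of the procedure saying the commands are run as root, or keep `sudo` on each command so a copy-paste by an unprivileged admin does not fail.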
@@ -420,7 +420,7 @@ documentation](index.md#3-gitaly-server-configuration).
1. Save the changes to `/etc/gitlab/gitlab.rb` and [reconfigure Gitaly](../restart_gitlab.md#omnibus-gitlab-reconfigure):
```shell
- sudo gitlab-ctl reconfigure
+ gitlab-ctl reconfigure
```
**Complete these steps for each Gitaly node!**
@@ -488,6 +488,16 @@ Particular attention should be shown to:
gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
```
+1. Configure the `external_url` so that files could be served by GitLab
+ by proper endpoint access by editing `/etc/gitlab/gitlab.rb`:
+
+ You will need to replace `GITLAB_SERVER_URL` with the real URL on which
+ current GitLab instance is serving:
+
+ ```ruby
+ external_url 'GITLAB_SERVER_URL'
+ ```
+
1. Add Prometheus monitoring settings by editing `/etc/gitlab/gitlab.rb`.
You will need to replace:
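Review bot: The new `external_url` step does not say what form `GITLAB_SERVER_URL` must take, and its opening sentence ("so that files could be served by GitLab by proper endpoint access") is hard to parse. State that the value is the full URL, scheme included, at which users reach the instance, and reword to something like "Configure `external_url` so that GitLab serves files from the correct endpoint". The phrase "on which current GitLab instance is serving" also needs an article.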
@@ -523,19 +533,19 @@ Particular attention should be shown to:
1. Save the changes to `/etc/gitlab/gitlab.rb` and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure):
```shell
- sudo gitlab-ctl reconfigure
+ gitlab-ctl reconfigure
```
1. Verify that GitLab can reach Praefect:
```shell
- sudo gitlab-rake gitlab:gitaly:check
+ gitlab-rake gitlab:gitaly:check
```
1. Set the Grafana admin password. This command will prompt you to enter a new password:
```shell
- sudo gitlab-ctl set-grafana-password
+ gitlab-ctl set-grafana-password
```
1. Update the **Repository storage** settings from **Admin Area > Settings >
diff --git a/doc/administration/monitoring/gitlab_self_monitoring_project/index.md b/doc/administration/monitoring/gitlab_self_monitoring_project/index.md
index 6f9821f4ace..2058aa4f01c 100644
--- a/doc/administration/monitoring/gitlab_self_monitoring_project/index.md
+++ b/doc/administration/monitoring/gitlab_self_monitoring_project/index.md
@@ -63,3 +63,29 @@ You can add custom metrics in the self monitoring project by:
1. [Duplicating](../../../user/project/integrations/prometheus.md#duplicating-a-gitlab-defined-dashboard) the default dashboard.
1. [Editing](../../../user/project/integrations/prometheus.md#view-and-edit-the-source-file-of-a-custom-dashboard) the newly created dashboard file and configuring it with [dashboard YAML properties](../../../user/project/integrations/prometheus.md#dashboard-yaml-properties).
+
+## Troubleshooting
+
+### Getting error message in logs: `Could not create instance administrators group. Errors: ["You don’t have permission to create groups."]`
+
+There is [a bug](https://gitlab.com/gitlab-org/gitlab/issues/208676) which causes
+project creation to fail with the following error (which appears in the log file)
+when the first admin user is an
+[external user](../../../user/permissions.md#external-users-core-only):
+
+```text
+Could not create instance administrators group. Errors: ["You don’t have permission to create groups."]
+```
+
+Run the following in a Rails console to check if the first admin user is an external user:
+
+```ruby
+User.admins.active.first.external?
+```
+
+If this returns true, the first admin user is an external user.
+
+If you face this issue, you can temporarily
+[make the admin user a non-external user](../../../user/permissions.md#external-users-core-only)
+and then try to create the project.
+Once the project is created, the admin user can be changed back to an external user.
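Review bot: The workaround paragraph links "make the admin user a non-external user" to the same `#external-users-core-only` anchor already used for the definition above, so the reader gets no concrete step for the change, and the revert is worded as optional ("can be changed back"). Spell out the action to take and make the revert a required final step, since the admin account stays non-external until someone remembers to restore it. The heading and the `text` block also use a typographic apostrophe in "don’t"; match the exact characters the log emits so that a search on the message finds this section.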
diff --git a/doc/administration/monitoring/prometheus/gitlab_metrics.md b/doc/administration/monitoring/prometheus/gitlab_metrics.md
index 565a2fafa10..6f1f49ddf84 100644
--- a/doc/administration/monitoring/prometheus/gitlab_metrics.md
+++ b/doc/administration/monitoring/prometheus/gitlab_metrics.md
@@ -86,13 +86,15 @@ The following metrics are available:
| `failed_login_captcha_total` | Gauge | 11.0 | Counter of failed CAPTCHA attempts during login | |
| `successful_login_captcha_total` | Gauge | 11.0 | Counter of successful CAPTCHA attempts during login | |
| `auto_devops_pipelines_completed_total` | Counter | 12.7 | Counter of completed Auto DevOps pipelines, labeled by status | |
-| `sidekiq_jobs_cpu_seconds` | Histogram | 12.4 | Seconds of cpu time to run Sidekiq job | |
-| `sidekiq_jobs_completion_seconds` | Histogram | 12.2 | Seconds to complete Sidekiq job | |
-| `sidekiq_jobs_queue_duration_seconds` | Histogram | 12.5 | Duration in seconds that a Sidekiq job was queued before being executed | |
-| `sidekiq_jobs_failed_total` | Counter | 12.2 | Sidekiq jobs failed | |
-| `sidekiq_jobs_retried_total` | Counter | 12.2 | Sidekiq jobs retried | |
-| `sidekiq_running_jobs` | Gauge | 12.2 | Number of Sidekiq jobs running | |
-| `sidekiq_concurrency` | Gauge | 12.5 | Maximum number of Sidekiq jobs | |
+| `sidekiq_jobs_cpu_seconds` | Histogram | 12.4 | Seconds of cpu time to run Sidekiq job | queue, boundary, external_dependencies, feature_category, job_status, urgency |
+| `sidekiq_jobs_completion_seconds` | Histogram | 12.2 | Seconds to complete Sidekiq job | queue, boundary, external_dependencies, feature_category, job_status, urgency |
+| `sidekiq_jobs_db_seconds` | Histogram | 12.9 | Seconds of DB time to run Sidekiq job | queue, boundary, external_dependencies, feature_category, job_status, urgency |
+| `sidekiq_jobs_gitaly_seconds` | Histogram | 12.9 | Seconds of Gitaly time to run Sidekiq job | queue, boundary, external_dependencies, feature_category, job_status, urgency |
+| `sidekiq_jobs_queue_duration_seconds` | Histogram | 12.5 | Duration in seconds that a Sidekiq job was queued before being executed | queue, boundary, external_dependencies, feature_category, urgency |
+| `sidekiq_jobs_failed_total` | Counter | 12.2 | Sidekiq jobs failed | queue, boundary, external_dependencies, feature_category, urgency |
+| `sidekiq_jobs_retried_total` | Counter | 12.2 | Sidekiq jobs retried | queue, boundary, external_dependencies, feature_category, urgency |
+| `sidekiq_running_jobs` | Gauge | 12.2 | Number of Sidekiq jobs running | queue, boundary, external_dependencies, feature_category, urgency |
+| `sidekiq_concurrency` | Gauge | 12.5 | Maximum number of Sidekiq jobs | |
## Metrics controlled by a feature flag
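Review bot: Label names in the new last column are plain text while every metric name in the table is in backticks; format them as code (`queue`, `boundary`, and so on) so they can be copied into queries unambiguously. While these rows are being rewritten, "cpu" in the `sidekiq_jobs_cpu_seconds` description should be "CPU" to match "DB" and "Gitaly" in the two new rows, and the `sidekiq_concurrency` row appears to change only in whitespace, which adds noise to the diff.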
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index 65381d512e5..a340f8b705d 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -33,7 +33,7 @@ future GitLab releases.**
| `CI_COMMIT_DESCRIPTION` | 10.8 | all | The description of the commit: the message without first line, if the title is shorter than 100 characters; full message in other case. |
| `CI_COMMIT_MESSAGE` | 10.8 | all | The full commit message. |
| `CI_COMMIT_REF_NAME` | 9.0 | all | The branch or tag name for which project is built |
-| `CI_COMMIT_REF_PROTECTED` | 11.11 | all | `true` if the job is running on a protected branch, `false` if not |
+| `CI_COMMIT_REF_PROTECTED` | 11.11 | all | `true` if the job is running on a protected reference, `false` if not |
| `CI_COMMIT_REF_SLUG` | 9.0 | all | `$CI_COMMIT_REF_NAME` lowercased, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in URLs, host names and domain names. |
| `CI_COMMIT_SHA` | 9.0 | all | The commit revision for which project is built |
| `CI_COMMIT_SHORT_SHA` | 11.7 | all | The first eight characters of `CI_COMMIT_SHA` |
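Review bot: "protected reference" in the `CI_COMMIT_REF_PROTECTED` row is less concrete than the "protected branch" it replaces. If the intent is that tags count as well as branches, write "protected branch or tag" so the reader does not have to guess which kinds of ref make the variable `true`.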
diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md
index d4d3127b444..10f35a4afcf 100644
--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -165,33 +165,79 @@ rspec 2.6:
You can disable inheritance of globally defined defaults
and variables with the `inherit:` parameter.
+To enable or disable the inheritance of all `variables:` or `default:` parameters, use the following format:
+
+- `default: true` or `default: false`
+- `variables: true` or `variables: false`
+
+To inherit only a subset of `default:` parameters or `variables:`, specify what
+you wish to inherit, and any not listed will **not** be inherited. Use
+one of the following formats:
+
+```yaml
+inherit:
+ default: [parameter1, parameter2]
+ variables: [VARIABLE1, VARIABLE2]
+```
+
+Or:
+
+```yaml
+inherit:
+ default:
+ - parameter1
+ - parameter2
+ variables:
+ - VARIABLE1
+ - VARIABLE2
+```
+
In the example below:
-- `rubocop` **will** inherit both the `before_script` and the variable `DOMAIN`.
-- `rspec` **will not** inherit the `before_script` or the variable `DOMAIN`.
-- `capybara` **will** inherit the `before_script`, but **will not** inherit the variable `DOMAIN`.
+- `rubocop`:
+ - **will** inherit: Nothing.
+- `rspec`:
+ - **will** inherit: the default `image` and the `WEBHOOK_URL` variable.
+ - **will not** inherit: the default `before_script` and the `DOMAIN` variable.
+- `capybara`:
+ - **will** inherit: the default `before_script` and `image`.
+ - **will not** inherit: the `DOMAIN` and `WEBHOOK_URL` variables.
+- `karma`:
+ - **will** inherit: the default `image` and `before_script`, and the `DOMAIN` variable.
+ - **will not** inherit: `WEBHOOK_URL` variable.
```yaml
default:
+ image: 'ruby:2.4'
before_script:
- echo Hello World
variables:
DOMAIN: example.com
+ WEBHOOK_URL: https://my-webhook.example.com
rubocop:
+ inherit:
+ default: false
+ variables: false
script: bundle exec rubocop
rspec:
inherit:
- default: false
- variables: false
+ default: [image]
+ variables: [WEBHOOK_URL]
script: bundle exec rspec
capybara:
inherit:
variables: false
script: bundle exec capybara
+
+karma:
+ inherit:
+ default: true
+ variables: [DOMAIN]
+ script: karma
```
## Parameter details
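Review bot: The two bullets `default: true` or `default: false` and `variables: true` or `variables: false` are introduced as "the following format" but are shown without the enclosing `inherit:` key, unlike the list forms right after them; show them as a YAML block under `inherit:` for consistency. The text also never says what a job gets when `inherit:` or one of its keys is omitted, which the `capybara` job (only `variables: false`) relies on. In the bullet list, "**will** inherit: Nothing." for `rubocop` would read better as a **will not** inherit line.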
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index b230927a7de..74e16751b31 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -191,6 +191,15 @@ then `artifacts:reports:dependency_scanning` must be set to `depscan.json`.
Following the POSIX exit code standard, the scanner will exit with 0 for success and any number from 1 to 255 for anything else.
Success also includes the case when vulnerabilities are found.
+When executing a scanning job using the [Docker-in-Docker privileged mode](../../user/application_security/sast/index.md#requirements),
+we reserve the following standard exit codes.
+
+| Orchestrator Exit Code | Description |
+|------------------------|----------------------------------|
+| 3 | No match, no compatible analyzer |
+| 4 | Project directory empty |
+| 5 | No compatible Docker image |
+
### Logging
The scanner should log error messages and warnings so that users can easily investigate
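Review bot: The table reserves exit codes 3, 4 and 5 but does not tell scanner authors what that means for them, while the context just above lets a scanner exit with "any number from 1 to 255". Say explicitly whether analyzers must avoid 3 to 5, and name who "we" is (the table header suggests the orchestrator). The link target is the SAST requirements section although the surrounding text refers to `artifacts:reports:dependency_scanning`; a scanner-neutral description of Docker-in-Docker mode would fit this page better.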
diff --git a/doc/development/kubernetes.md b/doc/development/kubernetes.md
index 1a8aa7647af..9e0e686f447 100644
--- a/doc/development/kubernetes.md
+++ b/doc/development/kubernetes.md
@@ -159,7 +159,7 @@ rescues `StandardError` which can make it harder to debug issues in an
development environment. The current workaround is to temporarily
comment out the `rescue` in your local development source.
-You can also follow the installation pod logs to debug issues related to
+You can also follow the installation logs to debug issues related to
installation. Once the installation/upgrade is underway, wait for the
pod to be created. Then run the following to obtain the pods logs as
they are written:
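Review bot: After the rename to "installation logs", the rest of the paragraph still tells the reader to wait for "the pod" and to obtain "the pods logs", so the sentence now mixes both terms. Either keep "pod" in the first line, since the following sentence is about a pod, or adjust the following lines as well; "pods logs" should be "pod's logs" in either case.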
diff --git a/doc/install/aws/img/aws_ha_architecture_diagram.png b/doc/install/aws/img/aws_ha_architecture_diagram.png
index 1b30a244778..4011150a358 100644
--- a/doc/install/aws/img/aws_ha_architecture_diagram.png
+++ b/doc/install/aws/img/aws_ha_architecture_diagram.png
Binary files differ
diff --git a/doc/install/aws/index.md b/doc/install/aws/index.md
index 3727897b4b7..e763a6919f7 100644
--- a/doc/install/aws/index.md
+++ b/doc/install/aws/index.md
@@ -327,6 +327,46 @@ On the Route 53 dashboard, click **Hosted zones** in the left navigation bar:
1. Click **Create**.
1. Update your DNS records with your domain registrar. The steps for doing this vary depending on which registrar you use and is beyond the scope of this guide.
+## Setting up Bastion Hosts
+
+Since our GitLab instances will be in private subnets, we need a way to connect to these instances via SSH to make configuration changes, perform upgrades, etc. One way of doing this is via a [bastion host](https://en.wikipedia.org/wiki/Bastion_host), sometimes also referred to as a jump box.
+
+TIP: **Tip:** If you do not want to maintain bastion hosts, you can set up [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) for access to instances. This is beyond the scope of this document.
+
+### Create Bastion Host A
+
+1. Navigate to the EC2 Dashboard and click on **Launch instance**.
+1. Select the **Ubuntu Server 18.04 LTS (HVM)** AMI.
+1. Choose an instance type. We'll use a `t2.micro` as we'll only use the bastion host to SSH into our other instances.
+1. Click **Configure Instance Details**.
+ 1. Under **Network**, select the `gitlab-vpc` from the dropdown menu.
+ 1. Under **Subnet**, select the public subnet we created earlier (`gitlab-public-10.0.0.0`).
+ 1. Double check that under **Auto-assign Public IP** you have **Use subnet setting (Enable)** selected.
+ 1. Leave everything else as default and click **Add Storage**.
+1. For storage, we'll leave everything as default and only add an 8GB root volume. We won't store anything on this instance.
+1. Click **Add Tags** and on the next screen click **Add Tag**.
+ 1. We’ll only set `Key: Name` and `Value: Bastion Host A`.
+1. Click **Configure Security Group**.
+ 1. Select **Create a new security group**, enter a **Security group name** (we'll use `bastion-sec-group`), and add a description.
+ 1. We'll enable SSH access from anywhere (`0.0.0.0/0`). If you want stricter security, specify a single IP address or an IP address range in CIDR notation.
+ 1. Click **Review and Launch**
+1. Review all your settings and, if you're happy, click **Launch**.
+1. Acknowledge that you have access to an existing key pair or create a new one. Click **Launch Instance**.
+
+Confirm that you can SHH into the instance:
+
+1. On the EC2 Dashboard, click on **Instances** in the left menu.
+1. Select **Bastion Host A** from your list of instances.
+1. Click **Connect** and follow the connection instructions.
+1. If you are able to connect successfully, let's move on to setting up our second bastion host for redundancy.
+
+### Create Bastion Host B
+
+1. Create an EC2 instance following the same steps as above with the following changes:
+ 1. For the **Subnet**, select the second public subnet we created earlier (`gitlab-public-10.0.2.0`).
+ 1. Under the **Add Tags** section, we’ll set `Key: Name` and `Value: Bastion Host B` so that we can easily identify our two instances.
+ 1. For the security group, select the existing `bastion-sec-group` we created above.
+
## Deploying GitLab inside an auto scaling group
We'll use AWS's wizard to deploy GitLab and then SSH into the instance to
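Review bot: The security group step makes SSH from anywhere (`0.0.0.0/0`) the documented default and treats restriction as optional ("If you want stricter security"). For a host whose only purpose is SSH access into the private subnets, reverse this: tell the reader to enter their own IP address or CIDR range, and mention `0.0.0.0/0` only as the setting to avoid. The same `bastion-sec-group` is reused for Bastion Host B, so the choice applies to both hosts. Also, "SHH" should be "SSH", the tag steps use a typographic apostrophe ("We’ll") where the rest of the section uses straight ones, and "Click **Review and Launch**" is missing its full stop.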
diff --git a/doc/topics/application_development_platform/index.md b/doc/topics/application_development_platform/index.md
index 2ea561eb943..8de440c7f00 100644
--- a/doc/topics/application_development_platform/index.md
+++ b/doc/topics/application_development_platform/index.md
@@ -59,4 +59,4 @@ responsibility. The Application Development Platform integrates key performance
into GitLab, automatically. The following features are included:
- [Auto Monitoring](../autodevops/index.md#auto-monitoring)
-- [In-app Kubernetes Pod Logs](../../user/project/clusters/kubernetes_pod_logs.md)
+- [In-app Kubernetes Logs](../../user/project/clusters/kubernetes_pod_logs.md)
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index bac1b6a5a59..b711a652a2f 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -129,33 +129,44 @@ dependency_scanning:
Dependency Scanning can be [configured](#customizing-the-dependency-scanning-settings)
using environment variables.
-| Environment variable | Description |
-| --------------------------------------- | ----------- |
-| `DS_ANALYZER_IMAGES` | Comma separated list of custom images. The official default images are still enabled. Read more about [customizing analyzers](analyzers.md). |
-| `DS_ANALYZER_IMAGE_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
-| `DS_ANALYZER_IMAGE_TAG` | Override the Docker tag of the official default images. Read more about [customizing analyzers](analyzers.md). |
-| `DS_PYTHON_VERSION` | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12296) in GitLab 12.1)|
-| `DS_PIP_VERSION` | Force the install of a specific pip version (example: `"19.3"`), otherwise the pip installed in the Docker image is used. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12811) in GitLab 12.7) |
-| `DS_PIP_DEPENDENCY_PATH` | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12412) in GitLab 12.2) |
-| `GEMNASIUM_DB_LOCAL_PATH` | Path to local gemnasium database (default `/gemnasium-db`).
-| `GEMNASIUM_DB_REMOTE_URL` | Repository URL for fetching the gemnasium database (default `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git`).
-| `GEMNASIUM_DB_REF_NAME` | Branch name for remote repository database (default `master`). `GEMNASIUM_DB_REMOTE_URL` is required.
-| `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
-| `DS_DISABLE_DIND` | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-dependency-scanning).|
-| `DS_PULL_ANALYZER_IMAGES` | Pull the images from the Docker registry (set to `0` to disable). |
-| `DS_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, file or folder paths (e.g., `doc,spec`). Parent directories will also match patterns. |
-| `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
-| `DS_PULL_ANALYZER_IMAGE_TIMEOUT` | Time limit when pulling the image of an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
-| `DS_RUN_ANALYZER_TIMEOUT` | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
-| `PIP_INDEX_URL` | Base URL of Python Package Index (default `https://pypi.org/simple`). |
-| `PIP_EXTRA_INDEX_URL` | Array of [extra URLs](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url) of package indexes to use in addition to `PIP_INDEX_URL`. Comma separated. |
-| `PIP_REQUIREMENTS_FILE` | Pip requirements file to be scanned. |
-| `MAVEN_CLI_OPTS` | List of command line arguments that will be passed to `maven` by the analyzer. The default is `"-DskipTests --batch-mode"`. See an example for [using private repos](#using-private-maven-repos). |
-| `BUNDLER_AUDIT_UPDATE_DISABLED` | Disable automatic updates for the `bundler-audit` analyzer (default: `"false"`). Useful if you're running Dependency Scanning in an offline, air-gapped environment.|
-| `BUNDLER_AUDIT_ADVISORY_DB_URL` | URL of the advisory database used by bundler-audit (default: `https://github.com/rubysec/ruby-advisory-db`). |
-| `BUNDLER_AUDIT_ADVISORY_DB_REF_NAME` | Git ref for the advisory database specified by `BUNDLER_AUDIT_ADVISORY_DB_URL` (default: `master`). |
-| `RETIREJS_JS_ADVISORY_DB` | Path or URL to Retire.js [`jsrepository.json`](https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json) vulnerability data file. |
-| `RETIREJS_NODE_ADVISORY_DB` | Path or URL to Retire.js [`npmrepository.json`](https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json) vulnerability data file. |
+#### Configuring Dependency Scanning
+
+The following variables allow configuration of global dependency scanning settings.
+
+| Environment variable | Default | Description |
+| --------------------------------------- | ----------- | ----------- |
+| `DS_ANALYZER_IMAGES` | | Comma separated list of custom images. The official default images are still enabled. Read more about [customizing analyzers](analyzers.md). |
+| `DS_ANALYZER_IMAGE_PREFIX` | | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
+| `DS_ANALYZER_IMAGE_TAG` | | Override the Docker tag of the official default images. Read more about [customizing analyzers](analyzers.md). |
+| `DS_DEFAULT_ANALYZERS` | | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
+| `DS_DISABLE_DIND` | | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-dependency-scanning).|
+| `DS_PULL_ANALYZER_IMAGES` | | Pull the images from the Docker registry (set to `0` to disable). |
+| `DS_EXCLUDED_PATHS` | | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, file or folder paths (for example, `doc,spec`). Parent directories will also match patterns. |
+| `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | 2m | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
+| `DS_PULL_ANALYZER_IMAGE_TIMEOUT` | 5m | Time limit when pulling an analyzer's image. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
+| `DS_RUN_ANALYZER_TIMEOUT` | 20m | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
+
+#### Configuring specific analyzers used by Dependency Scanning
+
+The following variables are used for configuring specific analyzers (used for a specific language/framework).
+
+| Environment variable | Analyzer | Default | Description |
+| --------------------------------------- | ------------------ | ---------------------------- |------------ |
+| `GEMNASIUM_DB_LOCAL_PATH` | `gemnasium` | `/gemnasium-db` | Path to local gemnasium database. |
+| `GEMNASIUM_DB_REMOTE_URL` | `gemnasium` | `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git` | Repository URL for fetching the gemnasium database. |
+| `GEMNASIUM_DB_REF_NAME` | `gemnasium` | `master` | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
+| `PIP_INDEX_URL` | `gemnasium-python` | `https://pypi.org/simple` | Base URL of Python Package Index. |
+| `PIP_EXTRA_INDEX_URL` | `gemnasium-python` | | Array of [extra URLs](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url) of package indexes to use in addition to `PIP_INDEX_URL`. Comma separated. |
+| `PIP_REQUIREMENTS_FILE` | `gemnasium-python` | | Pip requirements file to be scanned. |
+| `DS_PIP_VERSION` | `gemnasium-python` | | Force the install of a specific pip version (example: `"19.3"`), otherwise the pip installed in the Docker image is used. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12811) in GitLab 12.7) |
+| `DS_PIP_DEPENDENCY_PATH` | `gemnasium-python` | | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12412) in GitLab 12.2) |
+| `DS_PYTHON_VERSION` | `retire.js` | | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12296) in GitLab 12.1)|
+| `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | List of command line arguments that will be passed to `maven` by the analyzer. See an example for [using private repos](#using-private-maven-repos). |
+| `BUNDLER_AUDIT_UPDATE_DISABLED` | `bundler-audit` | `false` | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running Dependency Scanning in an offline, air-gapped environment.|
+| `BUNDLER_AUDIT_ADVISORY_DB_URL` | `bundler-audit` | `https://github.com/rubysec/ruby-advisory-db` | URL of the advisory database used by bundler-audit. |
+| `BUNDLER_AUDIT_ADVISORY_DB_REF_NAME` | `bundler-audit` | `master` | Git ref for the advisory database specified by `BUNDLER_AUDIT_ADVISORY_DB_URL`. |
+| `RETIREJS_JS_ADVISORY_DB` | `retire.js` | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json` | Path or URL to Retire.js js vulnerability data file. |
+| `RETIREJS_NODE_ADVISORY_DB` | `retire.js` | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json` | Path or URL to Retire.js node vulnerability data file. |
### Using private Maven repos
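Review bot: `DS_PYTHON_VERSION` is listed under the `retire.js` analyzer, but its description is about installing dependencies with Python 2.7 or 3.6 and the other pip and Python variables sit under `gemnasium-python`; this looks like a wrong cell. `BUNDLER_AUDIT_UPDATE_DISABLED` also changes its default from the quoted `"false"` to `false`; keep the quotes if the value has to be a string. The two `RETIREJS_*` rows lose the `jsrepository.json` and `npmrepository.json` file names from their descriptions, and "js vulnerability data file" would be clearer with those names restored.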
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md
index db629b2cf34..3af5f43dca5 100644
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -825,7 +825,7 @@ management project. Refer to the
available configuration options.
NOTE: **Note:**
-In this alpha implementation of installing Elastic Stack through CI, reading the environment pod logs through Elasticsearch is unsupported. This is supported if [installed via the UI](#elastic-stack).
+In this alpha implementation of installing Elastic Stack through CI, reading the environment logs through Elasticsearch is unsupported. This is supported if [installed via the UI](#elastic-stack).
## Upgrading applications
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index b901fd13ed8..8135b8e38ab 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -256,7 +256,7 @@ and give all group members access to the project at once.
Alternatively, you can [lock the sharing with group feature](#share-with-group-lock).
-## Sharing a group with another group **(CORE ONLY)**
+## Sharing a group with another group
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/18328) in GitLab 12.7.
diff --git a/doc/user/incident_management/index.md b/doc/user/incident_management/index.md
index e003b6d5eaa..249dc8c8ad8 100644
--- a/doc/user/incident_management/index.md
+++ b/doc/user/incident_management/index.md
@@ -96,7 +96,7 @@ The options are:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/201846) in GitLab Ultimate 12.8.
This can be useful if you are triaging an application incident and need to
-[explore logs](../project/integrations/prometheus.md#view-pod-logs-ultimate)
+[explore logs](../project/integrations/prometheus.md#view-logs-ultimate)
from across your application. It also helps you to understand
what is affecting your application's performance and quickly resolve any problems.
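Review bot: The new anchor `#view-logs-ultimate` only resolves if the matching heading in `prometheus.md` is renamed in the same commit. Confirm that in the `prometheus.md` part of this diff, otherwise the "explore logs" link no longer points at the section.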
diff --git a/doc/user/project/clusters/img/kubernetes_pod_logs_v12_8.png b/doc/user/project/clusters/img/kubernetes_pod_logs_v12_8.png
deleted file mode 100644
index 7be0cd01768..00000000000
--- a/doc/user/project/clusters/img/kubernetes_pod_logs_v12_8.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/project/clusters/img/kubernetes_pod_logs_v12_9.png b/doc/user/project/clusters/img/kubernetes_pod_logs_v12_9.png
new file mode 100644
index 00000000000..6e5cf1af227
--- /dev/null
+++ b/doc/user/project/clusters/img/kubernetes_pod_logs_v12_9.png
Binary files differ
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md
index e221d81c280..9087653145b 100644
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -27,7 +27,7 @@ Using the GitLab project Kubernetes integration, you can:
- Use [Web terminals](#web-terminals).
- Use [Deploy Boards](#deploy-boards-premium). **(PREMIUM)**
- Use [Canary Deployments](#canary-deployments-premium). **(PREMIUM)**
-- View [Pod logs](#pod-logs-ultimate). **(ULTIMATE)**
+- View [Logs](#logs-ultimate). **(ULTIMATE)**
- Run serverless workloads on [Kubernetes with Knative](serverless/index.md).
### Deploy Boards **(PREMIUM)**
@@ -48,11 +48,11 @@ the need to leave GitLab.
[Read more about Canary Deployments](../canary_deployments.md)
-### Pod logs **(ULTIMATE)**
+### Logs **(ULTIMATE)**
GitLab makes it easy to view the logs of running pods in connected Kubernetes clusters. By displaying the logs directly in GitLab, developers can avoid having to manage console tools or jump to a different interface.
-[Read more about Kubernetes pod logs](kubernetes_pod_logs.md)
+[Read more about Kubernetes logs](kubernetes_pod_logs.md)
### Kubernetes monitoring
diff --git a/doc/user/project/clusters/kubernetes_pod_logs.md b/doc/user/project/clusters/kubernetes_pod_logs.md
index 76622380e92..7fb3e797fc7 100644
--- a/doc/user/project/clusters/kubernetes_pod_logs.md
+++ b/doc/user/project/clusters/kubernetes_pod_logs.md
@@ -1,4 +1,4 @@
-# Kubernetes Pod Logs **(ULTIMATE)**
+# Kubernetes Logs **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4752) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.0.
@@ -11,17 +11,17 @@ Everything you need to build, test, deploy, and run your app at scale.
## Overview
-[Kubernetes](https://kubernetes.io) pod logs can be viewed directly within GitLab.
+[Kubernetes](https://kubernetes.io) logs can be viewed directly within GitLab.
-![Pod logs](img/kubernetes_pod_logs_v12_8.png)
+![Pod logs](img/kubernetes_pod_logs_v12_9.png)
## Requirements
-[Deploying to a Kubernetes environment](../deploy_boards.md#enabling-deploy-boards) is required in order to be able to use Pod Logs.
+[Deploying to a Kubernetes environment](../deploy_boards.md#enabling-deploy-boards) is required in order to be able to use Logs.
## Usage
-To access pod logs, you must have the right [permissions](../../permissions.md#project-members-permissions).
+To access logs, you must have the right [permissions](../../permissions.md#project-members-permissions).
You can access them in two ways.
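Review bot: The image line swaps the file to `img/kubernetes_pod_logs_v12_9.png` but keeps the alt text `Pod logs`, which no longer matches the renamed feature. Suggest `![Logs](img/kubernetes_pod_logs_v12_9.png)` or a more descriptive alt text. Capitalization is also inconsistent within this hunk: "to use Logs" under Requirements versus "To access logs" under Usage; pick one form for the feature name.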
@@ -29,7 +29,7 @@ You can access them in two ways.
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22011) in GitLab 12.5.
-Go to **{cloud-gear}** **Operations > Pod logs** on the sidebar menu.
+Go to **{cloud-gear}** **Operations > Logs** on the sidebar menu.
![Sidebar menu](img/sidebar_menu_pod_logs_v12_5.png)
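Review bot: The instruction now reads **Operations > Logs**, but the screenshot in the unchanged line below it is still `img/sidebar_menu_pod_logs_v12_5.png`, captured for 12.5 when the menu entry was named "Pod logs". If the sidebar label changed, the image should be refreshed in this same change (as was done for `kubernetes_pod_logs_v12_9.png`), otherwise text and screenshot disagree.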
diff --git a/doc/user/project/integrations/img/prometheus_cluster_health_embed_v12_9.png b/doc/user/project/integrations/img/prometheus_cluster_health_embed_v12_9.png
new file mode 100644
index 00000000000..c669467757f
--- /dev/null
+++ b/doc/user/project/integrations/img/prometheus_cluster_health_embed_v12_9.png
Binary files differ
diff --git a/doc/user/project/integrations/prometheus.md b/doc/user/project/integrations/prometheus.md
index ae643127018..e1790bfc30c 100644
--- a/doc/user/project/integrations/prometheus.md
+++ b/doc/user/project/integrations/prometheus.md
@@ -585,17 +585,17 @@ From each of the panels in the dashboard, you can access the context menu by cli
The options are:
-- [View logs](#view-pod-logs-ultimate)
+- [View logs](#view-logs-ultimate)
- [Download CSV](#downloading-data-as-csv)
- [Generate link to chart](#embedding-gitlab-managed-kubernetes-metrics)
- [Alerts](#setting-up-alerts-for-prometheus-metrics-ultimate)
-### View Pod Logs **(ULTIMATE)**
+### View Logs **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/122013) in GitLab 12.8.
-If you have [Pod Logs](../clusters/kubernetes_pod_logs.md) enabled,
-you can navigate from the charts in the dashboard to view Pod Logs by
+If you have [Logs](../clusters/kubernetes_pod_logs.md) enabled,
+you can navigate from the charts in the dashboard to view Logs by
clicking on the context menu in the upper-right corner.
If you use the **Timeline zoom** function at the bottom of the chart, logs will narrow down to the time range you selected.
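Review bot: In the rewritten sentence, "to view Logs by clicking on the context menu" capitalizes "Logs" mid-sentence as a feature name, while the unchanged context line right after it uses lowercase ("logs will narrow down to the time range you selected") and the menu option is listed as "View logs". Suggest lowercase where the word means the log output and reserving the capitalized form for the linked feature name only, for example "If you have [Logs](../clusters/kubernetes_pod_logs.md) enabled, you can navigate from the charts in the dashboard to view logs".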
@@ -710,7 +710,7 @@ Prometheus server.
> [Introduced][ce-29691] in GitLab 12.2.
-It is possible to display metrics charts within [GitLab Flavored Markdown](../../markdown.md#gitlab-flavored-markdown-gfm). The maximum number of embeds allowed in a GitLab Flavored Markdown field is 100.
+It is possible to display metrics charts within [GitLab Flavored Markdown](../../markdown.md#gitlab-flavored-markdown-gfm) fields such as issue or merge request descriptions. The maximum number of embedded charts allowed in a GitLab Flavored Markdown field is 100.
This can be useful if you are sharing an application incident or performance
metrics to others and want to have relevant information directly available.
@@ -748,6 +748,25 @@ It is also possible to embed either the default dashboard metrics or individual
![Embedded Metrics in issue templates](img/embed_metrics_issue_template.png)
+### Embedding Cluster Health Charts **(ULTIMATE)**
+
+> [Introduced](<https://gitlab.com/gitlab-org/gitlab/issues/40997>) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+[Cluster Health Metrics](../clusters/index.md#monitoring-your-kubernetes-cluster-ultimate) can also be embedded in [GitLab-flavored Markdown](../../markdown.md).
+
+To embed a metric chart, include a link to that chart in the form `https://<root_url>/<project>/-/cluster/<cluster_id>?<query_params>` anywhere that GitLab-flavored Markdown is supported. To generate and copy a link to the chart, follow the instructions in the [Cluster Health Metric documentation](../clusters/index.md#monitoring-your-kubernetes-cluster-ultimate).
+
+The following requirements must be met for the metric to unfurl:
+
+- The `<cluster_id>` must correspond to a real cluster.
+- Prometheus must be monitoring the cluster.
+- The user must be allowed access to the project cluster metrics.
+- The dashboards must be reporting data on the [Cluster Health Page](../clusters/index.md#monitoring-your-kubernetes-cluster-ultimate)
+
+ If the above requirements are met, then the metric will unfurl as seen below.
+
+![Embedded Cluster Metric in issue descriptions](img/prometheus_cluster_health_embed_v12_9.png)
+
### Embedding Grafana charts
Grafana metrics can be embedded in [GitLab Flavored Markdown](../../markdown.md).
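Review bot: In the requirements list of the new section, "The user must be allowed access to the project cluster metrics" does not say which user is meant: the author who pastes the link, or each person viewing the rendered Markdown. Because these embeds put cluster health data into issue and merge request descriptions, the text should state whose permissions are checked and what is rendered when the check fails. Smaller points in the same hunk: the `[Introduced]` link wraps its URL in `<` and `>` unlike the other Introduced lines, the last list item lacks its trailing period, the line beginning "If the above requirements are met" has a stray leading space, and this section writes "GitLab-flavored Markdown" where the surrounding context uses "GitLab Flavored Markdown".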