diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-14 00:09:57 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-14 00:09:57 +0000 |
commit | 9398d718d92a40a0a917040645a55dea51467a91 (patch) | |
tree | ce1242c69221f1e6abd701439631cf6e6d1b948d /doc | |
parent | 602ea42669779ec431bcaeb41fd95e079b1a7021 (diff) | |
download | gitlab-ce-9398d718d92a40a0a917040645a55dea51467a91.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- | doc/administration/availability/index.md | 8 | ||||
-rw-r--r-- | doc/api/deploy_tokens.md | 4 | ||||
-rw-r--r-- | doc/subscriptions/index.md | 4 | ||||
-rw-r--r-- | doc/user/application_security/dast/index.md | 37 | ||||
-rw-r--r-- | doc/user/project/deploy_tokens/img/deploy_tokens.png | bin | 62979 -> 177352 bytes | |||
-rw-r--r-- | doc/user/project/deploy_tokens/index.md | 21 |
6 files changed, 67 insertions, 7 deletions
diff --git a/doc/administration/availability/index.md b/doc/administration/availability/index.md index 90113985ad5..a0d4ea7919f 100644 --- a/doc/administration/availability/index.md +++ b/doc/administration/availability/index.md @@ -26,6 +26,14 @@ watch [this 1 hour Q&A](https://www.youtube.com/watch?v=uCU8jdYzpac) with [John Northrup](https://gitlab.com/northrup), and live questions coming in from some of our customers. +GitLab offers a number of options to manage availability and resiliency. Below are the options to consider with trade-offs. + +| Event | GitLab Feature | Recovery Point Objective (RPO) | Recovery Time Objective (RTO) | Cost | +| ----- | -------------- | --- | --- | ---- | +| Availability Zone failure | "GitLab HA" | No loss | No loss | 2x Git storage, multiple nodes balanced across AZ's | +| Region failure | "GitLab Disaster Recovery" | 5-10 minutes | 30 minutes | 2x primary cost | +| All failures | Backup/Restore | Last backup | Hours to Days | Cost of storing the backups | + ## High availability ### Omnibus installation with automatic database failover diff --git a/doc/api/deploy_tokens.md b/doc/api/deploy_tokens.md index 4663159f1eb..461957847df 100644 --- a/doc/api/deploy_tokens.md +++ b/doc/api/deploy_tokens.md @@ -92,7 +92,7 @@ POST /projects/:id/deploy_tokens | `name` | string | yes | New deploy token's name | | `expires_at` | datetime | no | Expiration date for the deploy token. Does not expire if no value is provided. | | `username` | string | no | Username for deploy token. Default is `gitlab+deploy-token-{n}` | -| `scopes` | array of strings | yes | Indicates the deploy token scopes. Must be at least one of `read_repository` or `read_registry`. | +| `scopes` | array of strings | yes | Indicates the deploy token scopes. Must be at least one of `read_repository`, `read_registry`, or `write_registry`. | ```shell curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" --header "Content-Type: application/json" --data '{"name": "My deploy token", "expires_at": "2021-01-01", "username": "custom-user", "scopes": ["read_repository"]}' "https://gitlab.example.com/api/v4/projects/5/deploy_tokens/" @@ -193,7 +193,7 @@ POST /groups/:id/deploy_tokens | `name` | string | yes | New deploy token's name | | `expires_at` | datetime | no | Expiration date for the deploy token. Does not expire if no value is provided. | | `username` | string | no | Username for deploy token. Default is `gitlab+deploy-token-{n}` | -| `scopes` | array of strings | yes | Indicates the deploy token scopes. Must be at least one of `read_repository` or `read_registry`. | +| `scopes` | array of strings | yes | Indicates the deploy token scopes. Must be at least one of `read_repository`, `read_registry`, or `write_registry`. | Example request: diff --git a/doc/subscriptions/index.md b/doc/subscriptions/index.md index e2868d648de..f3488b45bbb 100644 --- a/doc/subscriptions/index.md +++ b/doc/subscriptions/index.md @@ -75,6 +75,10 @@ count as active users in the subscription period in which they were originally a - Members with Guest permissions on an Ultimate subscription. - GitLab-created service accounts: `Ghost User` and `Support Bot`. +##### User Statistics + +A breakdown of the users within your instance including active, billable and blocked can be found by navigating to **Admin Area > Overview > Dashboard** and selecting `Users Statistics` button within the `Users` widget.. + NOTE: **Note:** If you have LDAP integration enabled, anyone in the configured domain can sign up for a GitLab account. This can result in an unexpected bill at time of renewal. Consider [disabling new signups](../user/admin_area/settings/sign_up_restrictions.md) and managing new users manually instead. diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index c65d6adcff6..57d2a383768 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md @@ -463,10 +463,41 @@ The DAST job does not require the project's repository to be present when runnin ## Running DAST in an offline environment -DAST can be executed on an offline GitLab Ultimate installation by using the following process: +For self-managed GitLab instances in an environment with limited, restricted, or intermittent access +to external resources through the internet, some adjustments are required for the DAST job to +successfully run. For more information, see [Offline environments](../offline_deployments/index.md). + +### Requirements for offline DAST support + +To use DAST in an offline environment, you need: + +- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). +- Docker Container Registry with a locally available copy of the DAST [container image](https://gitlab.com/gitlab-org/security-products/dast), found in the [DAST container registry](https://gitlab.com/gitlab-org/security-products/dast/container_registry). + +NOTE: **Note:** +GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), +meaning the runner may try to pull remote images even if a local copy is available. Set GitLab +Runner's [`pull_policy` to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) +in an offline environment if you prefer using only locally available Docker images. + +### Make GitLab DAST analyzer images available inside your Docker registry + +For DAST, import the following default DAST analyzer image from `registry.gitlab.com` to your local "offline" +registry: + +- `registry.gitlab.com/gitlab-org/security-products/dast:latest` + +The process for importing Docker images into a local offline Docker registry depends on +**your network security policy**. Please consult your IT staff to find an accepted and approved +process by which external resources can be imported or temporarily accessed. Note that these scanners are [updated periodically](../index.md#maintenance-and-update-of-the-vulnerabilities-database) +with new definitions, so consider if you are able to make periodic updates yourself. + +For details on saving and transporting Docker images as a file, see Docker's documentation on +[`docker save`](https://docs.docker.com/engine/reference/commandline/save/), [`docker load`](https://docs.docker.com/engine/reference/commandline/load/), +[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and [`docker import`](https://docs.docker.com/engine/reference/commandline/import/). + +### Set DAST CI job variables to use local DAST analyzers -1. Host the DAST image `registry.gitlab.com/gitlab-org/security-products/dast:latest` in your local - Docker container registry. 1. Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer to the DAST Docker image hosted on your local Docker container registry: diff --git a/doc/user/project/deploy_tokens/img/deploy_tokens.png b/doc/user/project/deploy_tokens/img/deploy_tokens.png Binary files differindex 493de8e0fce..afe1dfb922f 100644 --- a/doc/user/project/deploy_tokens/img/deploy_tokens.png +++ b/doc/user/project/deploy_tokens/img/deploy_tokens.png diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md index 0bd511cf837..ebb12a6ed5d 100644 --- a/doc/user/project/deploy_tokens/index.md +++ b/doc/user/project/deploy_tokens/index.md @@ -2,8 +2,9 @@ > - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) in GitLab 10.7. > - [Moved](https://gitlab.com/gitlab-org/gitlab/issues/199370) from **Settings > Repository** in GitLab 12.9. +> - [Added `write_registry` scope](https://gitlab.com/gitlab-org/gitlab/-/issues/22743) in GitLab 12.10. -Deploy tokens allow you to download (`git clone`) or read the container registry images of a project without having a user and a password. +Deploy tokens allow you to download (`git clone`) or push and pull the container registry images of a project without having a user and a password. Deploy tokens can be managed by [maintainers only](../../permissions.md). @@ -44,6 +45,7 @@ the following table. | ----- | ----------- | | `read_repository` | Allows read-access to the repository through `git clone` | | `read_registry` | Allows read-access to [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. | +| `write_registry` | Allows write-access (push) to [container registry](../../packages/container_registry/index.md). | ## Deploy token custom username @@ -83,6 +85,21 @@ docker login -u <username> -p <deploy_token> registry.example.com Just replace `<username>` and `<deploy_token>` with the proper values. Then you can simply pull images from your Container Registry. +### Push Container Registry images + +To push the container registry images, you'll need to: + +1. Create a Deploy Token with `write_registry` as a scope. +1. Take note of your `username` and `token`. +1. Log in to GitLab’s Container Registry using the deploy token: + + ```shell + docker login -u <username> -p <deploy_token> registry.example.com + ``` + +Just replace `<username>` and `<deploy_token>` with the proper values. Then you can simply +push images to your Container Registry. + ### Group Deploy Token > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21765) in GitLab 12.9. @@ -107,7 +124,7 @@ There's a special case when it comes to Deploy Tokens. If a user creates one named `gitlab-deploy-token`, the username and token of the Deploy Token will be automatically exposed to the CI/CD jobs as environment variables: `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD`, respectively. With the GitLab Deploy Token, the -`read_registry` scope is implied. +`read_registry` and `write_registry` scopes are implied. After you create the token, you can login to the Container Registry using those variables: |