-rw-r--r-- | doc/administration/index.md | 2
-rw-r--r-- | doc/administration/operations/extra_sidekiq_processes.md | 14
-rw-r--r-- | doc/ci/metrics_reports.md | 5
-rw-r--r-- | doc/development/README.md | 4
-rw-r--r-- | doc/development/geo.md | 100
-rw-r--r-- | doc/development/integrations/jira_connect.md | 41
-rw-r--r-- | doc/integration/elasticsearch.md | 197
-rw-r--r-- | doc/user/admin_area/geo_nodes.md | 37
-rw-r--r-- | doc/user/application_security/dependency_scanning/index.md | 1
-rw-r--r-- | doc/user/application_security/sast/index.md | 2
-rw-r--r-- | doc/user/project/labels.md | 2
11 files changed, 330 insertions, 75 deletions
diff --git a/doc/administration/index.md b/doc/administration/index.md index 986f8146831..02e88dbd2a6 100644 --- a/doc/administration/index.md +++ b/doc/administration/index.md @@ -72,7 +72,7 @@ Learn how to install, configure, update, and maintain your GitLab instance. - [Branded login page](../customization/branded_login_page.md): Customize the login page with your own logo, title, and description. - [Welcome message](../customization/welcome_message.md): Add a custom welcome message to the sign-in page. - ["New Project" page](../customization/new_project_page.md): Customize the text to be displayed on the page that opens whenever your users create a new project. -- [Additional custom email text](https://docs.gitlab.com/ee/user/admin_area/settings/email.html#custom-additional-text): Add additional custom text to emails sent from GitLab. **[PREMIUM ONLY]** +- [Additional custom email text](https://docs.gitlab.com/ee/user/admin_area/settings/email.html#custom-additional-text-premium-only): Add additional custom text to emails sent from GitLab. **[PREMIUM ONLY]** ### Maintaining GitLab diff --git a/doc/administration/operations/extra_sidekiq_processes.md b/doc/administration/operations/extra_sidekiq_processes.md index 6f23610345f..286b99aceb5 100644 --- a/doc/administration/operations/extra_sidekiq_processes.md +++ b/doc/administration/operations/extra_sidekiq_processes.md 
@@ -93,11 +93,11 @@ This tells the additional processes how often to check for enqueued jobs. ## Starting extra processes via command line Starting extra Sidekiq processes can be done using the command -`/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster`. This command +`/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster`. This command takes arguments using the following syntax: ```bash -/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster [QUEUE,QUEUE,...] [QUEUE, ...] +/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster [QUEUE,QUEUE,...] [QUEUE, ...] ``` Each separate argument denotes a group of queues that have to be processed by a @@ -115,14 +115,14 @@ For example, say you want to start 2 extra processes: one to process the done as follows: ```bash -/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster process_commit post_receive +/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster process_commit post_receive ``` If you instead want to start one process processing both queues you'd use the following syntax: ```bash -/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster process_commit,post_receive +/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster process_commit,post_receive ``` If you want to have one Sidekiq process process the "process_commit" and @@ -130,7 +130,7 @@ If you want to have one Sidekiq process process the "process_commit" and you'd use the following: ```bash -/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster process_commit,post_receive gitlab_shell +/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster process_commit,post_receive gitlab_shell ``` ### Monitoring 
@@ -162,7 +162,7 @@ file is written, but this can be changed by passing the `--pidfile` option to `sidekiq-cluster`. For example: ```bash -/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster --pidfile /var/run/gitlab/sidekiq_cluster.pid process_commit +/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster --pidfile /var/run/gitlab/sidekiq_cluster.pid process_commit ``` Keep in mind that the PID file will contain the PID of the `sidekiq-cluster` @@ -199,7 +199,7 @@ one thread per queue up to a maximum of 50. If you wish to change the cap, use the `-m N` option. For example, this would cap the maximum number of threads to 1: ```bash -/opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster process_commit,post_receive -m 1 +/opt/gitlab/embedded/service/gitlab-rails/ee/bin/sidekiq-cluster process_commit,post_receive -m 1 ``` For each queue group, the concurrency factor will be set to min(number of diff --git a/doc/ci/metrics_reports.md b/doc/ci/metrics_reports.md index 36e7c82cc3a..83a7094faaa 100644 --- a/doc/ci/metrics_reports.md +++ b/doc/ci/metrics_reports.md @@ -34,6 +34,7 @@ For example: metrics: script: - echo 'metric_name metric_value' > metrics.txt - reports: - metrics: metrics.txt + artifacts: + reports: + metrics: metrics.txt ``` diff --git a/doc/development/README.md b/doc/development/README.md index 9547f9a285f..83a1145c020 100644 --- a/doc/development/README.md +++ b/doc/development/README.md @@ -104,6 +104,10 @@ description: 'Learn how to contribute to GitLab.' - [Query Count Limits](query_count_limits.md) - [Database helper modules](database_helpers.md) +## Integration guides + +- [Jira Connect app](integrations/jira_connect.md) + ## Testing guides - [Testing standards and style guidelines](testing_guide/index.md) diff --git a/doc/development/geo.md b/doc/development/geo.md index d8669d377b0..c8e6a86eb52 100644 --- a/doc/development/geo.md +++ b/doc/development/geo.md 
@@ -2,10 +2,48 @@ Geo connects GitLab instances together. One GitLab instance is designated as a **primary** node and can be run with multiple -**secondary** nodes. Geo orchestrates quite a few components that are -described in more detail below. +**secondary** nodes. Geo orchestrates quite a few components that can be seen on +the diagram below and are described in more detail within this document. -## Database replication +![Geo Architecture Diagram](../administration/geo/replication/img/geo_architecture.png) + +## Replication layer + +Geo handles replication for different components: +- [Database](#database-replication): includes the entire application, except cache and jobs. +- [Git repositories](#repository-replication): includes both projects and wikis. +- [Uploaded blobs](#uploads-replication): includes anything from images attached on issues +to raw logs and assets from CI. + +With the exception of the Database replication, on a *secondary* node, everything is coordinated +by the [Geo Log Cursor](#geo-log-cursor). + +### Geo Log Cursor daemon + +The [Geo Log Cursor daemon](#geo-log-cursor-daemon) is a separate process running on +each **secondary** node. It monitors the [Geo Event Log](#geo-event-log) +for new events and creates background jobs for each specific event type. + +For example when a repository is updated, the Geo **primary** node creates +a Geo event with an associated repository updated event. The Geo Log Cursor daemon +picks the event up and schedules a `Geo::ProjectSyncWorker` job which will +use the `Geo::RepositorySyncService` and `Geo::WikiSyncService` classes +to update the repository and the wiki respectively. + +The Geo Log Cursor daemon can operate in High Availability mode automatically. +The daemon will try to acquire a lock from time to time and once acquired, it +will behave as the *active* daemon. 
+ +Any additional running daemons on the same node, will be in standby +mode, ready to resume work if the *active* daemon releases its lock. + +We use the [`ExclusiveLease`](https://www.rubydoc.info/github/gitlabhq/gitlabhq/Gitlab/ExclusiveLease) lock type with a small TTL, that is renewed at every +pooling cycle. That allows us to implement this global lock with a timeout. + +At the end of the pooling cycle, if the daemon can't renew and/or reacquire +the lock, it switches to standby mode. + +### Database replication Geo uses [streaming replication](#streaming-replication) to replicate the database from the **primary** to the **secondary** nodes. This @@ -13,7 +51,7 @@ replication gives the **secondary** nodes access to all the data saved in the database. So users can log in on the **secondary** and read all the issues, merge requests, etc. on the **secondary** node. -## Repository replication +### Repository replication Geo also replicates repositories. Each **secondary** node keeps track of the state of every repository in the [tracking database](#tracking-database). @@ -23,7 +61,7 @@ There are a few ways a repository gets replicated by the: - [Repository Sync worker](#repository-sync-worker). - [Geo Log Cursor](#geo-log-cursor). -### Project Registry +#### Project Registry The `Geo::ProjectRegistry` class defines the model used to track the state of repository replication. For each project in the main 
@@ -32,15 +70,15 @@ database, one record in the tracking database is kept. It records the following about repositories: - The last time they were synced. -- The last time they were synced successfully. +- The last time they were successfully synced. - If they need to be resynced. -- When retry should be attempted. +- When a retry should be attempted. - The number of retries. -- If and when the they were verified. +- If and when they were verified. It also stores these attributes for project wikis in dedicated columns. -### Repository Sync worker +#### Repository Sync worker The `Geo::RepositorySyncWorker` class runs periodically in the background and it searches the `Geo::ProjectRegistry` model for @@ -59,26 +97,12 @@ times, Geo does a so-called _redownload_. It will do a clean clone into the `@geo-temporary` directory in the root of the storage. When it's successful, we replace the main repo with the newly cloned one. -### Geo Log Cursor - -The [Geo Log Cursor](#geo-log-cursor) is a separate process running on -each **secondary** node. It monitors the [Geo Event Log](#geo-event-log) -and handles all of the events. When it sees an unhandled event, it -starts a background worker to handle that event, depending on the type -of event. - -When a repository receives an update, the Geo **primary** node creates -a Geo event with an associated repository updated event. The cursor -picks that up, and schedules a `Geo::ProjectSyncWorker` job which will -use the `Geo::RepositorySyncService` class and `Geo::WikiSyncService` -class to update the repository and the wiki. - -## Uploads replication +### Uploads replication File uploads are also being replicated to the **secondary** node. To track the state of syncing, the `Geo::FileRegistry` model is used. -### File Registry +#### File Registry Similar to the [Project Registry](#project-registry), there is a `Geo::FileRegistry` model that tracks the synced uploads. 
@@ -86,7 +110,7 @@ Similar to the [Project Registry](#project-registry), there is a CI Job Artifacts are synced in a similar way as uploads or LFS objects, but they are tracked by `Geo::JobArtifactRegistry` model. -### File Download Dispatch worker +#### File Download Dispatch worker Also similar to the [Repository Sync worker](#repository-sync-worker), there is a `Geo::FileDownloadDispatchWorker` class that is run @@ -113,7 +137,7 @@ Authorization: GL-Geo <access_key>:<JWT payload> ``` The **primary** node uses the `access_key` field to look up the -corresponding Geo **secondary** node and decrypts the JWT payload, +corresponding **secondary** node and decrypts the JWT payload, which contains additional information to identify the file request. This ensures that the **secondary** node downloads the right file for the right database ID. For example, for an LFS object, the 
@@ -133,6 +157,28 @@ NOTE: **Note:** JWT requires synchronized clocks between the machines involved, otherwise it may fail with an encryption error. +## Git Push to Geo secondary + +The Git Push Proxy exists as a functionality built inside the `gitlab-shell` component. +It is active on a **secondary** node only. It allows the user that has cloned a repository +from the secondary node to push to the same URL. + +Git `push` requests directed to a **secondary** node will be sent over to the **primary** node, +while `pull` requests will continue to be served by the **secondary** node for maximum efficiency. + +HTTPS and SSH requests are handled differently: + +- With HTTPS, we will give the user a `HTTP 302 Redirect` pointing to the project on the **primary** node. +The git client is wise enough to understand that status code and process the redirection. +- With SSH, because there is no equivalent way to perform a redirect, we have to proxy the request. +This is done inside [`gitlab-shell`](https://gitlab.com/gitlab-org/gitlab-shell), by first translating the request +to the HTTP protocol, and then proxying it to the **primary** node. + +The [`gitlab-shell`](https://gitlab.com/gitlab-org/gitlab-shell) daemon knows when to proxy based on the response +from `/api/v4/allowed`. A special `HTTP 300` status code is returned and we execute a "custom action", +specified in the response body. The response contains additional data that allows the proxied `push` operation +to happen on the **primary** node. + ## Using the Tracking Database Along with the main database that is replicated, a Geo **secondary** diff --git a/doc/development/integrations/jira_connect.md b/doc/development/integrations/jira_connect.md new file mode 100644 index 00000000000..5bf43d320c6 --- /dev/null +++ b/doc/development/integrations/jira_connect.md 
@@ -0,0 +1,41 @@ +# Setting up a development environment + +The following are required to install and test the app: + +1. A Jira Cloud instance + + Atlassian provides free instances for development and testing. [Click here to sign up](http://go.atlassian.com/cloud-dev). + +1. A GitLab instance available over the internet + + For the app to work, Jira Cloud should be able to connect to the GitLab instance through the internet. + + To easily expose your local development environment, you can use tools like [serveo](https://serveo.net) or [ngrok](https://ngrok.com). + These also take care of SSL for you because Jira requires all connections to the app host to be over SSL. + +> This feature is currently behind the `:jira_connect_app` feature flag + +# Installing the app in Jira + +1. Enable Jira development mode to install apps that are not from the Atlassian Marketplace + + 1. Navigate to **Jira settings** (cog icon) > **Apps** > **Manage apps**. + 1. Scroll to the bottom of the **Manage apps** page and click **Settings**. + 1. Select **Enable development mode** and click **Apply**. + +1. Install the app + + 1. Navigate to Jira, then choose **Jira settings** (cog icon) > **Apps** > **Manage apps**. + 1. Click **Upload app**. + 1. In the **From this URL** field, provide a link to the app descriptor. The host and port must point to your GitLab instance. + + For example: + ``` + https://xxxx.serveo.net/-/jira_connect/app_descriptor.json + ``` + 1. Click **Upload**. + + If the install was successful, you should see the **GitLab for Jira** app under **Manage apps**. + You can also click **Getting Started** to open the configuration page rendered from your GitLab instance. + + _Note that any changes to the app descriptor requires you to uninstall then reinstall the app._ diff --git a/doc/integration/elasticsearch.md b/doc/integration/elasticsearch.md index ca6c92f11f1..7cef664bc98 100644 --- a/doc/integration/elasticsearch.md +++ b/doc/integration/elasticsearch.md 
@@ -30,7 +30,7 @@ is out of the scope of this document. Once the data is added to the database or repository and [Elasticsearch is enabled in the admin area](#enabling-elasticsearch) the search index will be updated automatically. Elasticsearch can be installed on the same machine as -GitLab, or on a separate server, or you can use the [Amazon Elasticsearch](http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg.html) +GitLab or on a separate server, or you can use the [Amazon Elasticsearch](http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg.html) service. You can follow the steps as described in the [official web site](https://www.elastic.co/guide/en/elasticsearch/reference/current/install-elasticsearch.html "Elasticsearch installation documentation") or @@ -38,7 +38,7 @@ use the packages that are available for your OS. ## Elasticsearch repository indexer (beta) -In order to improve elasticsearch indexing performance GitLab has made available a [new indexer written in Go](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer). +In order to improve elasticsearch indexing performance, GitLab has made available a [new indexer written in Go](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer). This will replace the included Ruby indexer in the future but should be considered beta software for now, so there may be some bugs. If you would like to use it, please follow the instructions below. @@ -56,12 +56,20 @@ installed before running `make`. ##### Debian / Ubuntu -To install on Debian or Ubutu, run: +To install on Debian or Ubuntu, run: ```sh sudo apt install libicu-dev ``` +##### CentOS / RHEL + +To install on CentOS or RHEL, run: + +```sh +sudo yum install libicu-devel +``` + ##### Mac OSX To install on macOS, run: 
@@ -76,6 +84,8 @@ export PKG_CONFIG_PATH="/usr/local/opt/icu4c/lib/pkgconfig:$PKG_CONFIG_PATH" To build and install the indexer, run: ```sh +git clone https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer.git +cd /gitlab-elasticsearch-indexer make sudo make install ``` @@ -97,10 +107,13 @@ Once installed, enable it under your instance's elasticsearch settings explained Elasticsearch requires additional resources in excess of those documented in the [GitLab system requirements](../install/requirements.md). These will vary by -installation size, but you should ensure **at least** an additional 8 GiB of RAM +installation size, but you should ensure **at least** an additional **8 GiB of RAM** for each Elasticsearch node, per the [official guidelines](https://www.elastic.co/guide/en/elasticsearch/guide/current/hardware.html). -Storage requirements also vary based on installation side, but as a rule of +Keep in mind, this is the **minimum requirements** as per Elasticsearch. For +production instances, they recommend considerably more resources. + +Storage requirements also vary based on the installation side, but as a rule of thumb, you should allocate the total size of your production database, **plus** two-thirds of the total size of your git repositories. Efforts to reduce this total are being tracked in this epic: [gitlab-org&153](https://gitlab.com/groups/gitlab-org/-/epics/153). 
@@ -114,7 +127,7 @@ The following Elasticsearch settings are available: | Parameter | Description | | --------- | ----------- | -| `Elasticsearch indexing` | Enables/disables Elasticsearch indexing. You may want to enable indexing but disable search in order to give the index time to be fully completed, for example. Also keep in mind that this option doesn't have any impact on existing data, this only enables/disables background indexer which tracks data changes. So by enabling this you will not get your existing data indexed, use special rake task for that as explained in [Adding GitLab's data to the Elasticsearch index](#adding-gitlabs-data-to-the-elasticsearch-index). | +| `Elasticsearch indexing` | Enables/disables Elasticsearch indexing. You may want to enable indexing but disable search in order to give the index time to be fully completed, for example. Also, keep in mind that this option doesn't have any impact on existing data, this only enables/disables background indexer which tracks data changes. So by enabling this you will not get your existing data indexed, use special rake task for that as explained in [Adding GitLab's data to the Elasticsearch index](#adding-gitlabs-data-to-the-elasticsearch-index). | | `Use the new repository indexer (beta)` | Perform repository indexing using [GitLab Elasticsearch Indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer). | | `Search with Elasticsearch enabled` | Enables/disables using Elasticsearch in search. | | `URL` | The URL to use for connecting to Elasticsearch. Use a comma-separated list to support clustering (e.g., "http://host1, https://host2:9200"). If your Elasticsearch instance is password protected, pass the `username:password` in the URL (e.g., `http://<username>:<password>@<elastic_host>:9200/`). | 
@@ -152,22 +165,13 @@ To disable the Elasticsearch integration: 1. Find the 'Elasticsearch' section and uncheck 'Search with Elasticsearch enabled' and 'Elasticsearch indexing' 1. Click **Save** for the changes to take effect +1. [Optional] Delete the existing index by running the command `sudo gitlab-rake gitlab:elastic:delete_index` ## Adding GitLab's data to the Elasticsearch index ### Indexing small instances (database size less than 500 MiB, size of repos less than 5 GiB) -Configure Elasticsearch's host and port in **Admin > Settings > Integrations**. Then create empty indexes using one of the following commands: - -```sh -# Omnibus installations -sudo gitlab-rake gitlab:elastic:create_empty_index - -# Installations from source -bundle exec rake gitlab:elastic:create_empty_index RAILS_ENV=production -``` - -Then enable Elasticsearch indexing and run repository indexing tasks: +Configure Elasticsearch's host and port in **Admin > Settings**. Then index the data using one of the following commands: ```sh # Omnibus installations 
@@ -177,12 +181,17 @@ sudo gitlab-rake gitlab:elastic:index bundle exec rake gitlab:elastic:index RAILS_ENV=production ``` -Enable Elasticsearch search. +After it completes the indexing process, [enable Elasticsearch searching](elasticsearch.md#enabling-elasticsearch). ### Indexing large instances +WARNING: **Warning**: +Performing asynchronous indexing, as this will describe, will generate a lot of sidekiq jobs. +Make sure to prepare for this task by either [Horizontally Scaling](../administration/high_availability/README.md#basic-scaling) +or creating [extra sidekiq processes](../administration/operations/extra_sidekiq_processes.md) + NOTE: **Note**: -After indexing the repositories asynchronously, you MUST index the database to be able to search. +After indexing the repositories asynchronously, you **MUST** index the database to be able to search. Configure Elasticsearch's host and port in **Admin > Settings > Integrations**. Then create empty indexes using one of the following commands: @@ -195,8 +204,8 @@ bundle exec rake gitlab:elastic:create_empty_index RAILS_ENV=production ``` Indexing large Git repositories can take a while. To speed up the process, you -can temporarily disable auto-refreshing and replicating. In our experience you can expect a 20% -time drop. We'll enable them when indexing is done. This step is optional! +can temporarily disable auto-refreshing and replicating. In our experience, you can expect a 20% +decrease in indexing time. We'll enable them when indexing is done. This step is optional! ```bash curl --request PUT localhost:9200/gitlab-production/_settings --data '{ 
@@ -235,7 +244,7 @@ projects, you may wish to increase the batch size, by setting the `BATCH` environment variable. You can also run the initial indexing synchronously - this is most useful if -you have a small number of projects, or need finer-grained control over indexing +you have a small number of projects or need finer-grained control over indexing than Sidekiq permits: ```sh @@ -293,7 +302,7 @@ bundle exec rake gitlab:elastic:index_repositories UPDATE_INDEX=true ID_TO=1000 ``` You can also use the `gitlab:elastic:clear_index_status` Rake task to force the -indexer to "forget" all progresss, so retrying the indexing process from the +indexer to "forget" all progress, so retrying the indexing process from the start. To index all wikis: @@ -309,7 +318,7 @@ bundle exec rake gitlab:elastic:index_wikis RAILS_ENV=production The wiki indexer also supports the `ID_FROM` and `ID_TO` parameters if you want to limit a project set. -Index all database entities (Keep in mind it can take a while so consider using `screen` or `tmux`): +Index all database entities (Keep in mind it can take a while, so consider using `screen` or `tmux`): ```sh # Omnibus installations 
@@ -337,6 +346,116 @@ curl --request POST 'http://localhost:9200/_forcemerge?max_num_segments=5' Enable Elasticsearch search in **Admin > Settings > Integrations**. That's it. Enjoy it! +## GitLab Elasticsearch Rake Tasks + +There are several rake tasks available to you via the command line: + +- [sudo gitlab-rake gitlab:elastic:index](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This is a wrapper task. It does the following: + - `sudo gitlab-rake gitlab:elastic:create_empty_index` + - `sudo gitlab-rake gitlab:elastic:clear_index_status` + - `sudo gitlab-rake gitlab:elastic:index_wikis` + - `sudo gitlab-rake gitlab:elastic:index_database` + - `sudo gitlab-rake gitlab:elastic:index_repositories` +- [sudo gitlab-rake gitlab:elastic:index_repositories_async](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This iterates over all projects and places them in batches. It then sends these batches to the background via sidekiq jobs to be indexed. +- [sudo gitlab-rake gitlab:elastic:index_repositories_status](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This determines the overall status of the indexing. It is done by counting the total number of indexed projects, dividing by a count of the total number of projects, then multiplying by 100. +- [sudo gitlab-rake gitlab:elastic:index_repositories](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This iterates over all projects and places them in batches. It then performs indexing on said batches synchronously. +- [sudo gitlab-rake gitlab:elastic:index_wikis](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Iterates over every project, determines if said project contains wiki data, and then indexes the blobs (content) of said wiki data. 
+- [sudo gitlab-rake gitlab:elastic:index_database](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This is a [rake multitask](https://www.rubydoc.info/github/ruby/rake/Rake/MultiTask). It does the following: + - `sudo gitlab-rake gitlab:elastic:index_projects` + - `sudo gitlab-rake gitlab:elastic:index_issues` + - `sudo gitlab-rake gitlab:elastic:index_merge_requests` + - `sudo gitlab-rake gitlab:elastic:index_snippets` + - `sudo gitlab-rake gitlab:elastic:index_notes` + - `sudo gitlab-rake gitlab:elastic:index_milestones` +- [sudo gitlab-rake gitlab:elastic:create_empty_index](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This generates an empty index on the Elasticsearch side. +- [sudo gitlab-rake gitlab:elastic:clear_index_status](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This deletes all instances of IndexStatus for all projects. +- [sudo gitlab-rake gitlab:elastic:delete_index](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - This removes the GitLab index on the Elasticsearch instance. +- [sudo gitlab-rake gitlab:elastic:recreate_index](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Does the same thing as `sudo gitlab-rake gitlab:elastic:create_empty_index` +- [sudo gitlab-rake gitlab:elastic:add_feature_visibility_levels_to_project](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Adds visibility information to the indices for projects. +- [sudo gitlab-rake gitlab:elastic:index_projects](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Performs an Elasticsearch import that indexes projects data. 
+- [sudo gitlab-rake gitlab:elastic:index_issues](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Performs an Elasticsearch import that indexes issues data. +- [sudo gitlab-rake gitlab:elastic:index_merge_requests](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Performs an Elasticsearch import that indexes merge requests data. +- [sudo gitlab-rake gitlab:elastic:index_snippets](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Performs an Elasticsearch import that indexes the snippets data. +- [sudo gitlab-rake gitlab:elastic:index_notes](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Performs an Elasticsearch import that indexes the notes data. +- [sudo gitlab-rake gitlab:elastic:index_milestones](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/lib/tasks/gitlab/elastic.rake) + - Performs an Elasticsearch import that indexes the milestones data. + +### Environment Variables + +In addition to the rake tasks, there are some environment variables that can be used to modify the process: + +| Environment Variable | Data Type | What it does | +| -------------------- |:---------:| ---------------------------------------------------------------------------- | +| `BATCH` | Integer | Modifies the size of the indexing batch (default 300 projects). | +| `UPDATE_INDEX` | Boolean | Tells the indexer to overwrite any existing index data (true/false). | +| `ID_TO` | Integer | Tells the indexer to only index projects less than or equal to the value. | +| `ID_FROM` | Integer | Tells the indexer to only index projects greater than or equal to the value. | + +### Batching + +The ability to apply batching makes the indexer run more efficiently. The default +size of a batch is 300 projects, which may or may not be ideal for your setup. 
+Depending on the resources available to your GitLab instance (sidekiq) and your +Elasticsearch instance (RAM, CPU), you may be able to increase or decrease the +batch size for more efficiency. + +- The larger the batch size is, the less sidekiq jobs and indexing requests get created. +- The larger the batch size is, the more time and RAM it takes to process. +- The smaller the batch size, the more sidekiq jobs, and indexing requests get created. +- The smaller the batch size, the more CPU gets utilized. + +Finding the ideal size can be tricky, and will vary from GitLab instance to GitLab instance. +Generally speaking, if the default is not ideal for you, try reducing it to somewhere in +the 50-150 range (for bigger sized repos) or 450-600 range (for many small-sized repos). + +Example use: + +```sh +sudo gitlab-rake gitlab:elastic:index_repositories_async BATCH=50 +``` + +### Indexing a specific project + +Because the `ID_TO` and `ID_FROM` environment variables use the `or equal to` comparison, you can index only one project by using both these variables with the same project ID number: + +```sh +root@git:~# sudo gitlab-rake gitlab:elastic:index_repositories ID_TO=5 ID_FROM=5 +Indexing project repositories...I, [2019-03-04T21:27:03.083410 #3384] INFO -- : Indexing GitLab User / test (ID=33)... +I, [2019-03-04T21:27:05.215266 #3384] INFO -- : Indexing GitLab User / test (ID=33) is done! +``` + +## Elasticsearch Index Scopes + +When performing a search, the GitLab index will use the following scopes: + +| Scope Name | What it searches | +| ---------------- | ---------------------- | +| `commits` | Commit data | +| `projects` | Project data (default) | +| `blobs` | Code | +| `issues` | Issue data | +| `merge_requests` | Merge Request data | +| `milestones` | Milestone data | +| `notes` | Note data | +| `snippets` | Snippet data | +| `wiki_blobs` | Wiki contents | + ## Tuning ### Deleted documents 
@@ -357,7 +476,7 @@ However, some larger installations may wish to tune the merge policy settings: }' ``` -- You can also adjust `index.merge.policy.reclaim_deletes_weight`, which controls how aggressively deletions are targetd. But this can lead to costly merge decisions, so we recommend not changing this unless you understand the tradeoffs. +- You can also adjust `index.merge.policy.reclaim_deletes_weight`, which controls how aggressively deletions are targeted. But this can lead to costly merge decisions, so we recommend not changing this unless you understand the tradeoffs. ```bash curl --request PUT http://localhost:9200/gitlab-production/_settings --data '{ @@ -373,6 +492,18 @@ However, some larger installations may wish to tune the merge policy settings: Here are some common pitfalls and how to overcome them: +- **How can I verify my GitLab instance is using Elasticsearch?** + + The easiest method is via the rails console (`sudo gitlab-rails console`) by running the following: + + ```ruby + u = User.find_by_username('your-username') + s = SearchService.new(u, {:search => 'search_term'}) + pp s.search_objects.class.name + ``` + + If you see `Elasticsearch::Model::Response::Records`, you are using Elasticsearch. + - **I updated GitLab and now I can't find anything** We continuously make updates to our indexing strategies and aim to support 
@@ -382,10 +513,26 @@ Here are some common pitfalls and how to overcome them: - **I indexed all the repositories but I can't find anything** Make sure you indexed all the database data [as stated above](#adding-gitlabs-data-to-the-elasticsearch-index). + + Beyond that, check via the [Elasticsearch Search API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html) to see if the data shows up on the Elasticsearch side. + + If it shows up via the [Elasticsearch Search API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html), check that it shows up via the rails console (`sudo gitlab-rails console`): + + ```ruby + u = User.find_by_username('your-username') + s = SearchService.new(u, {:search => 'search_term', :scope => ‘blobs’}) + pp s.search_objects.to_a + ``` + + See [Elasticsearch Index Scopes](elasticsearch.md#elasticsearch-index-scopes) for more information on searching for specific types of data. - **I indexed all the repositories but then switched elastic search servers and now I can't find anything** You will need to re-run all the rake tasks to re-index the database, repositories, and wikis. + +- **The indexing process is taking a very long time** + + The more data present in your GitLab instance, the longer the indexing process takes. You might want to try adjusting the BATCH sizes for asynchronous indexing to help speed up the process. - **No new data is added to the Elasticsearch index when I push code** diff --git a/doc/user/admin_area/geo_nodes.md b/doc/user/admin_area/geo_nodes.md index d6d6d9b2517..776ab139c64 100644 --- a/doc/user/admin_area/geo_nodes.md +++ b/doc/user/admin_area/geo_nodes.md 
@@ -11,37 +11,38 @@ All Geo nodes have the following settings: | Setting | Description | | --------| ----------- | -| Primary | This marks a Geo Node as primary. There can be only one primary, make sure that you first add the primary node and then all the others. | -| URL | The instance's full URL, in the same way it is configured in `/etc/gitlab/gitlab.rb` (Omnibus GitLab installations) or `gitlab.yml` (source based installations). | +| Primary | This marks a Geo Node as **primary** node. There can be only one **primary** node; make sure that you first add the **primary** node and then all the others. | +| Name | The unique identifier for the Geo node. Must match the setting `gitlab_rails[geo_node_name]` in `/etc/gitlab/gitlab.rb`. The setting defaults to `external_url` with a trailing slash. | +| URL | The instance's user-facing URL. | The node you're reading from is indicated with a green `Current node` label, and -the primary is given a blue `Primary` label. Remember that you can only make -changes on the primary! +the **primary** node is given a blue `Primary` label. Remember that you can only make +changes on the **primary** node! -## Secondary node settings +## **Secondary** node settings -Secondaries have a number of additional settings available: +**Secondary** nodes have a number of additional settings available: | Setting | Description | |---------------------------|-------------| - Selective synchronization | Enable Geo [selective sync](https://docs.gitlab.com/ee/administration/geo/replication/configuration.html#selective-synchronization) for this **secondary** node. | +| Selective synchronization | Enable Geo [selective sync](https://docs.gitlab.com/ee/administration/geo/replication/configuration.html#selective-synchronization) for this **secondary** node. | | Repository sync capacity | Number of concurrent requests this **secondary** node will make to the **primary** node when backfilling repositories. 
| | File sync capacity | Number of concurrent requests this **secondary** node will make to the **primary** node when backfilling files. | ## Geo backfill -Secondaries are notified of changes to repositories and files by the primary, +**Secondary** nodes are notified of changes to repositories and files by the **primary** node, and will always attempt to synchronize those changes as quickly as possible. -Backfill is the act of populating the secondary with repositories and files that -existed *before* the secondary was added to the database. Since there may be +Backfill is the act of populating the **secondary** node with repositories and files that +existed *before* the **secondary** node was added to the database. Since there may be extremely large numbers of repositories and files, it's infeasible to attempt to download them all at once, so GitLab places an upper limit on the concurrency of these operations. How long the backfill takes is a function of the maximum concurrency, but higher -values place more strain on the primary node. From [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3107), -the limits are configurable - if your primary node has lots of surplus capacity, +values place more strain on the **primary** node. From [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3107), +the limits are configurable. If your **primary** node has lots of surplus capacity, you can increase the values to complete backfill in a shorter time. If it's under heavy load and backfill is reducing its availability for normal requests, you can decrease them. 
@@ -55,3 +56,15 @@ which is used by users. Internal URL does not need to be a private address. Internal URL defaults to External URL, but you can customize it under **Admin area > Geo Nodes**. + +## Multiple secondary nodes behind a load balancer + +In GitLab 11.11, **secondary** nodes can use identical external URLs as long as +a unique `name` is set for each Geo node. The `gitlab.rb` setting +`gitlab_rails[geo_node_name]` must: + +- Be set for each GitLab instance that runs `unicorn`, `sidekiq`, or `geo_logcursor`. +- Match a Geo node name. + +The load balancer must use sticky sessions in order to avoid authentication +failures and cross site request errors. diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 29db6fc8958..2d0c2be4233 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -201,6 +201,7 @@ dependency_scanning: --env DS_ANALYZER_IMAGE_PREFIX \ --env DS_ANALYZER_IMAGE_TAG \ --env DS_DEFAULT_ANALYZERS \ + --env DS_EXCLUDED_PATHS \ --env DEP_SCAN_DISABLE_REMOTE_CHECKS \ --env DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \ --env DS_PULL_ANALYZER_IMAGE_TIMEOUT \ diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 377d218321a..02c115b7f22 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -171,6 +171,8 @@ sast: --env SAST_ANALYZER_IMAGE_PREFIX \ --env SAST_ANALYZER_IMAGE_TAG \ --env SAST_DEFAULT_ANALYZERS \ + --env SAST_EXCLUDED_PATHS \ + --env SAST_BANDIT_EXCLUDED_PATHS \ --env SAST_BRAKEMAN_LEVEL \ --env SAST_GOSEC_LEVEL \ --env SAST_FLAWFINDER_LEVEL \ diff --git a/doc/user/project/labels.md b/doc/user/project/labels.md index bfc3e3a7de0..9003018a521 100644 --- a/doc/user/project/labels.md +++ b/doc/user/project/labels.md 
@@ -24,7 +24,7 @@ in the label’s title, using the format `key::value`. For example: ![A sample scoped label](img/key_value_labels.png) -Two scoped labels with the same key but a different value cannot simultaneeously +Two scoped labels with the same key but a different value cannot simultaneously apply to an issue, epic, or merge request. For example, if an issue already has `priority::3` and you apply `priority::2` to it, `priority::3` is automatically removed from the issue. |
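Review bot: In doc/integration/elasticsearch.md, under "Indexing a specific project", the command passes `ID_TO=5 ID_FROM=5` but the sample output reports `(ID=33)`, so the example does not show the single-project behaviour the paragraph describes. Make the project ID in the command and in the log lines agree. The block is also fenced as `sh` while mixing a `root@git:~#` prompt, `sudo` and log output; showing the command on its own and the output separately would make it safe to copy. In the Batching text of the same hunk, "try reducing it to somewhere in the 50-150 range ... or 450-600 range" conflicts with the stated default of 300, since 450-600 is an increase; "adjusting" fits both ranges.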
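Review bot: In doc/integration/elasticsearch.md, the second rails console snippet added under "I indexed all the repositories but I can't find anything" uses typographic quotes in `:scope => ‘blobs’`, which Ruby will not parse as a string, so the example fails when pasted into the console. Replace them with straight quotes (`'blobs'`), matching the `'search_term'` argument on the same line.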
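Review bot: In doc/user/admin_area/geo_nodes.md, the new `Name` row of the settings table writes the setting as `gitlab_rails[geo_node_name]` with an unquoted key, which is not what an administrator would type into `/etc/gitlab/gitlab.rb`. Show it in the form used in that file, `gitlab_rails['geo_node_name']`, and apply the same spelling where the setting is named again in the "Multiple secondary nodes behind a load balancer" section. As a style point, the bold markup inside the heading `## **Secondary** node settings` is worth checking against any existing links to that section's anchor.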
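Review bot: In doc/user/admin_area/geo_nodes.md, the new "Multiple secondary nodes behind a load balancer" section says nodes can share an external URL "as long as a unique `name` is set", while the settings table earlier in this file states that the name defaults to `external_url` with a trailing slash. With identical external URLs the default therefore produces identical names, so the section should state outright that the default cannot be used in this setup and the name must be set explicitly on every node. "In GitLab 11.11" also reads as that release only; if later releases are meant, say "In GitLab 11.11 and later". The "Match a Geo node name" bullet would be clearer if it pointed to the `Name` field under **Admin area > Geo Nodes**.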
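Review bot: In doc/user/application_security/sast/index.md and doc/user/application_security/dependency_scanning/index.md, the new `--env SAST_EXCLUDED_PATHS`, `--env SAST_BANDIT_EXCLUDED_PATHS` and `--env DS_EXCLUDED_PATHS` lines are the only changes to those files according to the diffstat, so nothing in this commit describes the variables. Confirm each one has an entry in the page's settings documentation, including the expected value format and how `SAST_BANDIT_EXCLUDED_PATHS` relates to `SAST_EXCLUDED_PATHS`. Excluded paths reduce what the analyzers scan, so readers copying this job definition need to know what they are opting out of.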