diff options
Diffstat (limited to 'doc/administration')
| -rw-r--r-- | doc/administration/auth/how_to_configure_ldap_gitlab_ce/index.md | 4 | ||||
| -rw-r--r-- | doc/administration/auth/ldap.md | 59 | ||||
| -rw-r--r-- | doc/administration/auth/okta.md | 11 | ||||
| -rw-r--r-- | doc/administration/compliance.md | 10 | ||||
| -rw-r--r-- | doc/administration/gitaly/index.md | 31 | ||||
| -rw-r--r-- | doc/administration/high_availability/nfs.md | 22 | ||||
| -rw-r--r-- | doc/administration/index.md | 2 | ||||
| -rw-r--r-- | doc/administration/job_artifacts.md | 2 | ||||
| -rw-r--r-- | doc/administration/monitoring/prometheus/index.md | 2 | ||||
| -rw-r--r-- | doc/administration/operations/sidekiq_memory_killer.md | 5 | ||||
| -rw-r--r-- | doc/administration/pages/source.md | 2 | ||||
| -rw-r--r-- | doc/administration/raketasks/uploads/migrate.md | 2 | ||||
| -rw-r--r-- | doc/administration/repository_checks.md | 2 | ||||
| -rw-r--r-- | doc/administration/uploads.md | 3 |
14 files changed, 112 insertions, 45 deletions
diff --git a/doc/administration/auth/how_to_configure_ldap_gitlab_ce/index.md b/doc/administration/auth/how_to_configure_ldap_gitlab_ce/index.md index 0d03b481881..15276d364a0 100644 --- a/doc/administration/auth/how_to_configure_ldap_gitlab_ce/index.md +++ b/doc/administration/auth/how_to_configure_ldap_gitlab_ce/index.md @@ -14,7 +14,7 @@ Managing a large number of users in GitLab can become a burden for system admini In this guide we will focus on configuring GitLab with Active Directory. [Active Directory](https://en.wikipedia.org/wiki/Active_Directory) is a popular LDAP compatible directory service provided by Microsoft, included in all modern Windows Server operating systems. -GitLab has supported LDAP integration since [version 2.2](https://about.gitlab.com/2012/02/22/gitlab-version-2-2/). With GitLab LDAP [group syncing](#group-syncing-ee) being added to GitLab Enterprise Edition in [version 6.0](https://about.gitlab.com/2013/08/20/gitlab-6-dot-0-released/). LDAP integration has become one of the most popular features in GitLab. +GitLab has supported LDAP integration since [version 2.2](https://about.gitlab.com/2012/02/22/gitlab-version-2-2/). With GitLab LDAP [group syncing](https://docs.gitlab.com/ee/administration/auth/how_to_configure_ldap_gitlab_ee/index.html#group-sync) being added to GitLab Enterprise Edition in [version 6.0](https://about.gitlab.com/2013/08/20/gitlab-6-dot-0-released/). LDAP integration has become one of the most popular features in GitLab. ## Getting started @@ -111,7 +111,7 @@ The initial configuration of LDAP in GitLab requires changes to the `gitlab.rb` The two Active Directory specific values are `active_directory: true` and `uid: 'sAMAccountName'`. `sAMAccountName` is an attribute returned by Active Directory used for GitLab usernames. See the example output from `ldapsearch` for a full list of attributes a "person" object (user) has in **AD** - [`ldapsearch` example](#using-ldapsearch-unix) -> Both group_base and admin_group configuration options are only available in GitLab Enterprise Edition. See [GitLab EE - LDAP Features](#gitlab-enterprise-edition---ldap-features) +> Both group_base and admin_group configuration options are only available in GitLab Enterprise Edition. See [GitLab EE - LDAP Features](https://docs.gitlab.com/ee/administration/auth/how_to_configure_ldap_gitlab_ee/index.html#gitlab-enterprise-edition---ldap-features) ### Example `gitlab.rb` LDAP diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md index d5d0d99ac24..440c2b1285a 100644 --- a/doc/administration/auth/ldap.md +++ b/doc/administration/auth/ldap.md @@ -81,6 +81,9 @@ library. `tls` corresponds to StartTLS, not to be confused with regular TLS. Normally, if you specify `ssl` it will be on port 636, while `tls` (StartTLS) would be on port 389. `plain` also operates on port 389. +NOTE: **Note:** +LDAP users must have an email address set, regardless of whether it is used to log in. + **Omnibus configuration** ```ruby @@ -136,14 +139,54 @@ main: ## verify_certificates: true - ## - ## Specifies the SSL version for OpenSSL to use, if the OpenSSL default - ## is not appropriate. - ## - ## Example: 'TLSv1_1' - ## - ## - ssl_version: '' + # OpenSSL::SSL::SSLContext options. + tls_options: + # Specifies the path to a file containing a PEM-format CA certificate, + # e.g. if you need to use an internal CA. + # + # Example: '/etc/ca.pem' + # + ca_file: '' + + # Specifies the SSL version for OpenSSL to use, if the OpenSSL default + # is not appropriate. + # + # Example: 'TLSv1_1' + # + ssl_version: '' + + # Specific SSL ciphers to use in communication with LDAP servers. + # + # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' + ciphers: '' + + # Client certificate + # + # Example: + # cert: | + # -----BEGIN CERTIFICATE----- + # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ + # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE + # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 + # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== + # -----END CERTIFICATE ----- + cert: '' + + # Client private key + # key: | + # -----BEGIN PRIVATE KEY----- + # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 + # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN + # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 + # l6RG+a/mW+0rCWn8JAd464Ps9hE= + # -----END PRIVATE KEY----- + key: '' ## ## Set a timeout, in seconds, for LDAP queries. This helps avoid blocking diff --git a/doc/administration/auth/okta.md b/doc/administration/auth/okta.md index 3136923fa96..638405126a5 100644 --- a/doc/administration/auth/okta.md +++ b/doc/administration/auth/okta.md @@ -1,6 +1,6 @@ # Okta SSO provider -Okta is a [Single Sign-on provider][okta-sso] that can be used to authenticate +Okta is a [Single Sign-on provider](https://www.okta.com/products/single-sign-on/) that can be used to authenticate with GitLab. The following documentation enables Okta as a SAML provider. @@ -140,7 +140,7 @@ Now that the Okta app is configured, it's time to enable it in GitLab. } ``` -1. [Reconfigure][reconf] or [restart] GitLab for Omnibus and installations +1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart](../restart_gitlab.md#installations-from-source) GitLab for Omnibus and installations from source respectively for the changes to take effect. You might want to try this out on an incognito browser window. @@ -150,10 +150,5 @@ You might want to try this out on an incognito browser window. >**Note:** Make sure the groups exist and are assigned to the Okta app. -You can take a look of the [SAML documentation][saml] on external groups since +You can take a look of the [SAML documentation](../../integration/saml.md#marking-users-as-external-based-on-saml-groups) on external groups since it works the same. - -[okta-sso]: https://www.okta.com/products/single-sign-on/ -[saml]: ../../integration/saml.md#external-groups -[reconf]: ../restart_gitlab.md#omnibus-gitlab-reconfigure -[restart]: ../restart_gitlab.md#installations-from-source diff --git a/doc/administration/compliance.md b/doc/administration/compliance.md index 0414b3ec12e..72cb57fb36c 100644 --- a/doc/administration/compliance.md +++ b/doc/administration/compliance.md @@ -6,12 +6,12 @@ GitLab’s [security features](../security/README.md) may also help you meet rel |Feature |GitLab tier |GitLab.com | | ---------| :--------: | :-------: | -|**[Restrict SSH Keys](../README.html#administrator-documentation)**<br>Control the technology and key length of SSH keys used to access GitLab|Core+|| -|**[Granular user roles and flexible permissions](../user/permissions.html)**<br>Manage access and permissions with five different user roles and settings for external users. Set permissions according to people's role, rather than either read or write access to a repository. Don't share the source code with people that only need access to the issue tracker.|Core+|✓| -|**[Enforce TOS acceptance](../user/admin_area/settings/terms.html)**<br>Enforce your users accepting new terms of service by blocking GitLab traffic.|Core+|| -|**[Email all users of a project, group, or entire server](../user/admin_area/settings/terms.html)**<br>An admin can email groups of users based on project or group membership, or email everyone using the GitLab instance. This is great for scheduled maintenance or upgrades.|Starter+|| +|**[Restrict SSH Keys](../security/ssh_keys_restrictions.md)**<br>Control the technology and key length of SSH keys used to access GitLab|Core+|| +|**[Granular user roles and flexible permissions](../user/permissions.md)**<br>Manage access and permissions with five different user roles and settings for external users. Set permissions according to people's role, rather than either read or write access to a repository. Don't share the source code with people that only need access to the issue tracker.|Core+|✓| +|**[Enforce TOS acceptance](../user/admin_area/settings/terms.md)**<br>Enforce your users accepting new terms of service by blocking GitLab traffic.|Core+|| +|**[Email all users of a project, group, or entire server](../user/admin_area/settings/terms.md)**<br>An admin can email groups of users based on project or group membership, or email everyone using the GitLab instance. This is great for scheduled maintenance or upgrades.|Starter+|| |**[Omnibus package supports log forwarding](https://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding)**<br>Forward your logs to a central system.|Starter+|| -|**[Lock project membership to group](../workflow/groups.html#lock-project-membership-to-members-of-this-group)**<br>Group owners can prevent new members from being added to projects within a group.|Starter+|✓| +|**[Lock project membership to group](https://docs.gitlab.com/ee/user/group/index.html#member-lock-starter)**<br>Group owners can prevent new members from being added to projects within a group.|Starter+|✓| |**[LDAP group sync](https://docs.gitlab.com/ee/administration/auth/ldap-ee.html#group-sync)**<br>GitLab Enterprise Edition gives admins the ability to automatically sync groups and manage SSH keys, permissions, and authentication, so you can focus on building your product, not configuring your tools.|Starter+|| |**[LDAP group sync filters](https://docs.gitlab.com/ee/administration/auth/ldap-ee.html#group-sync)**<br>GitLab Enterprise Edition Premium gives more flexibility to synchronize with LDAP based on filters, meaning you can leverage LDAP attributes to map GitLab permissions.|Premium+|| |**[Audit logs](https://docs.gitlab.com/ee/administration/audit_events.html)**<br>To maintain the integrity of your code, GitLab Enterprise Edition Premium gives admins the ability to view any modifications made within the GitLab server in an advanced audit log system, so you can control, analyze and track every change.|Premium+|| diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md index 0795d3dad40..2d4b5c65c46 100644 --- a/doc/administration/gitaly/index.md +++ b/doc/administration/gitaly/index.md @@ -45,9 +45,13 @@ installations that are larger than a single machine. Most installations will be better served with the default configuration used by Omnibus and the GitLab source installation guide. -Starting with GitLab 11.4, Gitaly is a replacement for NFS except -when the [Elastic Search indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer) -is used. +Starting with GitLab 11.4, Gitaly is able to serve all Git requests without +needed a shared NFS mount for Git repository data. +Between 11.4 and 11.8 the exception was the +[Elastic Search indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer). +But since 11.8 the indexer uses Gitaly for data access as well. NFS can still +be leveraged for redudancy on block level of the Git data. But only has to +be mounted on the Gitaly server. ### Network architecture @@ -62,14 +66,16 @@ is used. - Gitaly addresses must be specified in such a way that they resolve correctly for ALL Gitaly clients - Gitaly clients are: unicorn, sidekiq, gitlab-workhorse, - gitlab-shell, and Gitaly itself + gitlab-shell, Elasticsearch Indexer, and Gitaly itself - special case: a Gitaly server must be able to make RPC calls **to itself** via its own (Gitaly address, Gitaly token) pair as specified in `gitlab-rails/config/gitlab.yml` - Gitaly servers must not be exposed to the public internet -Gitaly network traffic is unencrypted so you should use a firewall to -restrict access to your Gitaly server. +Gitaly network traffic is unencrypted by default, but supports +[TLS](#tls-support). Authentication is done through a static token. For +security in depth, its recommended to use a firewall to restrict access +to your Gitaly server. Below we describe how to configure a Gitaly server at address `gitaly.internal:8075` with secret token `abc123secret`. We assume @@ -194,17 +200,16 @@ server from reaching the Gitaly server then all Gitaly requests will fail. We assume that your Gitaly server can be reached at -`gitaly.internal:8075` from your GitLab server, and that your GitLab -NFS shares are mounted at `/mnt/gitlab/default` and -`/mnt/gitlab/storage1` respectively. +`gitaly.internal:8075` from your GitLab server, and that Gitaly can read and +write to `/mnt/gitlab/default` and `/mnt/gitlab/storage1` respectively. Omnibus installations: ```ruby # /etc/gitlab/gitlab.rb git_data_dirs({ - 'default' => { 'path' => '/mnt/gitlab/default', 'gitaly_address' => 'tcp://gitaly.internal:8075' }, - 'storage1' => { 'path' => '/mnt/gitlab/storage1', 'gitaly_address' => 'tcp://gitaly.internal:8075' }, + 'default' => { 'gitaly_address' => 'tcp://gitaly.internal:8075' }, + 'storage1' => { 'gitaly_address' => 'tcp://gitaly.internal:8075' }, }) gitlab_rails['gitaly_token'] = 'abc123secret' @@ -218,10 +223,8 @@ gitlab: repositories: storages: default: - path: /mnt/gitlab/default/repositories gitaly_address: tcp://gitaly.internal:8075 storage1: - path: /mnt/gitlab/storage1/repositories gitaly_address: tcp://gitaly.internal:8075 gitaly: @@ -236,7 +239,7 @@ repository from your GitLab server over HTTP. ## TLS support -> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22602) in GitLab 11.7. +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22602) in GitLab 11.8. Gitaly supports TLS credentials for GRPC authentication. To be able to communicate with a Gitaly instance that listens for secure connections you will need to use `tls://` url diff --git a/doc/administration/high_availability/nfs.md b/doc/administration/high_availability/nfs.md index 74b0e2c8184..78ebf8a083b 100644 --- a/doc/administration/high_availability/nfs.md +++ b/doc/administration/high_availability/nfs.md @@ -37,6 +37,28 @@ options: circumstances it could lead to data loss if a failure occurs before data has synced. +### Improving NFS performance with GitLab + +If you are using NFS to share Git data, we recommend that you enable a +number of feature flags that will allow GitLab application processes to +access Git data directly instead of going through the [Gitaly +service](../gitaly/index.md). Depending on your workload and disk +performance, these flags may help improve performance. See [the +issue](https://gitlab.com/gitlab-org/gitlab-ce/issues/57317) for more +details. + +To do this, run the Rake task: + +```sh +gitlab-rake gitlab:features:enable_rugged +``` + +If you need to undo this setting for some reason, run: + +```sh +gitlab-rake gitlab:features:disable_rugged +``` + ### Known issues On some customer systems, we have seen NFS clients slow precipitously due to diff --git a/doc/administration/index.md b/doc/administration/index.md index 6e08d4633cd..b723edfc78f 100644 --- a/doc/administration/index.md +++ b/doc/administration/index.md @@ -130,7 +130,7 @@ Learn how to install, configure, update, and maintain your GitLab instance. - [Job artifacts](job_artifacts.md): Enable, disable, and configure job artifacts (a set of files and directories which are outputted by a job when it completes successfully). - [Job traces](job_traces.md): Information about the job traces (logs). - [Register Shared and specific Runners](../ci/runners/README.md#registering-a-shared-runner): Learn how to register and configure Shared and specific Runners to your own instance. -- [Shared Runners pipelines quota](../user/admin_area/settings/continuous_integration.md#shared-runners-pipeline-minutes-quota): Limit the usage of pipeline minutes for Shared Runners. +- [Shared Runners pipelines quota](https://docs.gitlab.com/ee/user/admin_area/settings/continuous_integration.html#shared-runners-pipeline-minutes-quota-starter-only): Limit the usage of pipeline minutes for Shared Runners. **[STARTER ONLY]** - [Enable/disable Auto DevOps](../topics/autodevops/index.md#enablingdisabling-auto-devops): Enable or disable Auto DevOps for your instance. ## Git configuration options diff --git a/doc/administration/job_artifacts.md b/doc/administration/job_artifacts.md index 25ae535d1ec..8522d046a92 100644 --- a/doc/administration/job_artifacts.md +++ b/doc/administration/job_artifacts.md @@ -274,7 +274,7 @@ you can flip the feature flag from a Rails console. ## Set the maximum file size of the artifacts Provided the artifacts are enabled, you can change the maximum file size of the -artifacts through the [Admin area settings](../user/admin_area/settings/continuous_integration.md#maximum-artifacts-size). +artifacts through the [Admin area settings](../user/admin_area/settings/continuous_integration.md#maximum-artifacts-size-core-only). ## Storage statistics diff --git a/doc/administration/monitoring/prometheus/index.md b/doc/administration/monitoring/prometheus/index.md index 8f65cd6418c..20d7ef9bb74 100644 --- a/doc/administration/monitoring/prometheus/index.md +++ b/doc/administration/monitoring/prometheus/index.md @@ -17,7 +17,7 @@ access to high quality time-series monitoring of GitLab services. ## Overview Prometheus works by periodically connecting to data sources and collecting their -performance metrics via the [various exporters](#prometheus-exporters). To view +performance metrics via the [various exporters](#bundled-software-metrics). To view and work with the monitoring data, you can either [connect directly to Prometheus](#viewing-performance-metrics) or utilize a dashboard tool like [Grafana]. diff --git a/doc/administration/operations/sidekiq_memory_killer.md b/doc/administration/operations/sidekiq_memory_killer.md index cbffd883774..8eac42f2fe2 100644 --- a/doc/administration/operations/sidekiq_memory_killer.md +++ b/doc/administration/operations/sidekiq_memory_killer.md @@ -17,6 +17,11 @@ With the default settings, the MemoryKiller will cause a Sidekiq restart no more often than once every 15 minutes, with the restart causing about one minute of delay for incoming background jobs. +Some background jobs rely on long-running external processes. To ensure these +are cleanly terminated when Sidekiq is restarted, each Sidekiq process should be +run as a process group leader (e.g., using `chpst -P`). If using Omnibus or the +`bin/background_jobs` script with `runit` installed, this is handled for you. + ## Configuring the MemoryKiller The MemoryKiller is controlled using environment variables. diff --git a/doc/administration/pages/source.md b/doc/administration/pages/source.md index 60800d445b8..2100f7cd707 100644 --- a/doc/administration/pages/source.md +++ b/doc/administration/pages/source.md @@ -137,7 +137,7 @@ The Pages daemon doesn't listen to the outside world. ``` gitlab_pages_enabled=true - gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090 + gitlab_pages_options="-pages-domain example.io -pages-root $app_root/shared/pages -listen-proxy 127.0.0.1:8090" ``` 1. Copy the `gitlab-pages` Nginx configuration file: diff --git a/doc/administration/raketasks/uploads/migrate.md b/doc/administration/raketasks/uploads/migrate.md index b5c40478ea5..fd8ea8d3162 100644 --- a/doc/administration/raketasks/uploads/migrate.md +++ b/doc/administration/raketasks/uploads/migrate.md @@ -2,7 +2,7 @@ ## Migrate to Object Storage -After [configuring the object storage](../../uploads.md#using-object-storage) for GitLab's uploads, you may use this task to migrate existing uploads from the local storage to the remote storage. +After [configuring the object storage](../../uploads.md#using-object-storage-core-only) for GitLab's uploads, you may use this task to migrate existing uploads from the local storage to the remote storage. >**Note:** All of the processing will be done in a background worker and requires **no downtime**. diff --git a/doc/administration/repository_checks.md b/doc/administration/repository_checks.md index 8b725e50f58..7cf8f20a9dc 100644 --- a/doc/administration/repository_checks.md +++ b/doc/administration/repository_checks.md @@ -31,7 +31,7 @@ panel. If the repository check fails for some repository you should look up the error in `repocheck.log`: -- in the [admin panel](logs.md#repocheck-log) +- in the [admin panel](logs.md#repochecklog) - or on disk, see: - `/var/log/gitlab/gitlab-rails` for Omnibus installations - `/home/git/gitlab/log` for installations from source diff --git a/doc/administration/uploads.md b/doc/administration/uploads.md index 9dfe085425f..8c0c7a36736 100644 --- a/doc/administration/uploads.md +++ b/doc/administration/uploads.md @@ -53,7 +53,7 @@ _The uploads are stored by default in > **Notes:** > > - [Introduced][ee-3867] in [GitLab Premium][eep] 10.5. -> - [Introduced][ce17358] in [GitLab Core][ce] 10.7. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17358) in [GitLab Core][ce] 10.7. > - Since version 11.1, we support direct_upload to S3. If you don't want to use the local disk where GitLab is installed to store the @@ -152,4 +152,3 @@ _The uploads are stored by default in [eep]: https://about.gitlab.com/gitlab-ee/ "GitLab Premium" [ce]: https://about.gitlab.com/gitlab-ce/ "GitLab Community Edition" [ee-3867]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3867 -[ce-17358]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17358 |