2015-08-03 12:57:33 +00:00 · 2015-08-03 12:57:33 +00:00 · 009aa7d2e6
parent 1bf58842ca fe0fb647ea
commit 009aa7d2e6
11 changed files with 170 additions and 0 deletions
--- a/config/projects/gitlab.rb
+++ b/config/projects/gitlab.rb
@ -69,6 +69,7 @@ dependency "nodejs"
 dependency "gitlab-ci"
 dependency "gitlab-rails"
 dependency "gitlab-shell"
+dependency "gitlab-git-http-server"
 dependency "gitlab-ctl"
 dependency "gitlab-cookbooks"
 dependency "gitlab-selinux"
--- a/config/software/gitlab-git-http-server.rb
+++ b/config/software/gitlab-git-http-server.rb
@ -0,0 +1,25 @@
+#
+# Copyright:: Copyright (c) 2015 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "gitlab-git-http-server"
+default_version "85e4d75c885617c983ecc664348195e3b06daf6a" # 0.2.0
+
+source :git => "https://gitlab.com/gitlab-org/gitlab-git-http-server.git"
+
+build do
+  make "install PREFIX=#{install_dir}/embedded"
+end
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@ -308,6 +308,20 @@ default['gitlab']['web-server']['home'] = '/var/opt/gitlab/nginx'
 # When bundled nginx is disabled we need to add the external webserver user to the GitLab webserver group
 default['gitlab']['web-server']['external_users'] = []

+####
+# gitlab-git-http-server
+####
+
+default['gitlab']['gitlab-git-http-server']['enable'] = false
+default['gitlab']['gitlab-git-http-server']['ha'] = false
+default['gitlab']['gitlab-git-http-server']['repo_root'] = "/var/opt/gitlab/git-data/repositories"
+default['gitlab']['gitlab-git-http-server']['listen_network'] = "unix"
+default['gitlab']['gitlab-git-http-server']['listen_umask'] = 000
+default['gitlab']['gitlab-git-http-server']['listen_addr'] = "/var/opt/gitlab/gitlab-git-http-server/socket"
+default['gitlab']['gitlab-git-http-server']['auth_backend'] = "http://localhost:8080"
+default['gitlab']['gitlab-git-http-server']['dir'] = "/var/opt/gitlab/gitlab-git-http-server"
+default['gitlab']['gitlab-git-http-server']['log_dir'] = "/var/log/gitlab/gitlab-git-http-server"
+
 ####
 # Nginx
 ####
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@ -47,6 +47,7 @@ module Gitlab
  ci_unicorn Mash.new
  sidekiq Mash.new
  ci_sidekiq Mash.new
+  gitlab_git_http_server Mash.new
  nginx Mash.new
  ci_nginx Mash.new
  logging Mash.new
@ -188,6 +189,13 @@ module Gitlab
      end
    end

+    def parse_unicorn_listen_address
+      # Make sure gitlab-git-http-server can talk to unicorn
+      listen_address = unicorn['listen'] || node['gitlab']['unicorn']['listen']
+      listen_port = unicorn['port'] || node['gitlab']['unicorn']['port']
+      gitlab_git_http_server['auth_backend'] ||= "http://#{listen_address}:#{listen_port}"
+    end
+
    def parse_nginx_listen_address
      return unless nginx['listen_address']

@ -269,6 +277,7 @@ module Gitlab
        "ci_unicorn",
        "sidekiq",
        "ci_sidekiq",
+        "gitlab_git_http_server",
        "nginx",
        "ci_nginx",
        "logging",
@ -297,6 +306,7 @@ module Gitlab
      # Parse ci_external_url _before_ gitlab_ci settings so that the user
      # can turn on gitlab_ci by only specifying ci_external_url
      parse_ci_external_url
+      parse_unicorn_listen_address
      parse_nginx_listen_address
      parse_nginx_listen_ports
      parse_gitlab_ci
--- a/files/gitlab-cookbooks/gitlab/recipes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/default.rb
@ -102,6 +102,7 @@ include_recipe "runit"
  "ci-unicorn",
  "sidekiq",
  "ci-sidekiq",
+  "gitlab-git-http-server",
  "nginx",
  "remote-syslog",
  "logrotate",
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-git-http-server.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-git-http-server.rb
@ -0,0 +1,40 @@
+#
+# Copyright:: Copyright (c) 2015 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+working_dir = node['gitlab']['gitlab-git-http-server']['dir']
+log_dir = node['gitlab']['gitlab-git-http-server']['log_dir']
+
+directory working_dir do
+  owner node['gitlab']['user']['username']
+  group node['gitlab']['web-server']['username']
+  mode '0750'
+  recursive true
+end
+  
+directory log_dir do
+  owner node['gitlab']['user']['username']
+  mode '0700'
+  recursive true
+end
+
+runit_service 'gitlab-git-http-server' do
+  down node['gitlab']['gitlab-git-http-server']['ha']
+  options({
+    :log_directory => log_dir
+  }.merge(params))
+  log_options node['gitlab']['logging'].to_hash.merge(node['gitlab']['gitlab-git-http-server'].to_hash)
+end
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-git-http-server_disable.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-git-http-server_disable.rb
@ -0,0 +1,20 @@
+#
+# Copyright:: Copyright (c) 2015 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "gitlab-git-http-server" do
+  action :disable
+end
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@ -34,6 +34,12 @@ upstream gitlab {
  server unix:<%= @socket %> fail_timeout=0;
 }

+<% if node['gitlab']['gitlab-git-http-server']['enable'] %>
+upstream gitlab-git-http-server {
+  server unix:<%= node['gitlab']['gitlab-git-http-server']['listen_addr'] %>;
+}
+<% end %>
+
 <% if @https && @redirect_http_to_https %>
 ## Redirects all HTTP traffic to the HTTPS host
 server {
@ -137,6 +143,30 @@ server {
    proxy_pass http://gitlab;
  }

+<% if node['gitlab']['gitlab-git-http-server']['enable'] %>
+  location ~ [-\/\w\.]+\.git\/ {
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
+    <%= 'gzip off;' if @https %>
+
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    <% if @https %>
+    proxy_set_header    X-Forwarded-Ssl     on;
+    <% end %>
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+
+    proxy_pass http://gitlab-git-http-server;
+  }
+<% end %>
+
  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls remove the block below
--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-gitlab-git-http-server-log-config.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-gitlab-git-http-server-log-config.erb
@ -0,0 +1,6 @@
+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>
--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-gitlab-git-http-server-log-run.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-gitlab-git-http-server-log-run.erb
@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>
--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-gitlab-git-http-server-run.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-gitlab-git-http-server-run.erb
@ -0,0 +1,21 @@
+#!/bin/sh
+set -e # fail on errors
+
+# Redirect stderr -> stdout
+exec 2>&1
+
+<%= render("mount_point_check.erb") %>
+
+cd <%= node['gitlab']['gitlab-git-http-server']['dir'] %>
+
+exec chpst -P \
+  -U <%= node['gitlab']['user']['username'] %> \
+  -u <%= node['gitlab']['user']['username'] %> \
+  /usr/bin/env \
+    PATH=/opt/gitlab/bin:/opt/gitlab/embedded/bin:/usr/local/bin:/usr/bin:/bin \
+    /opt/gitlab/embedded/bin/gitlab-git-http-server \
+      -listenNetwork <%= node['gitlab']['gitlab-git-http-server']['listen_network'] %> \
+      -listenUmask <%= node['gitlab']['gitlab-git-http-server']['listen_umask'] %> \
+      -listenAddr <%= node['gitlab']['gitlab-git-http-server']['listen_addr'] %> \
+      -authBackend <%= node['gitlab']['gitlab-git-http-server']['auth_backend'] %> \
+      <%= node['gitlab']['gitlab-git-http-server']['repo_root'] %>