Merge branch 'bundle_registry' into 'master'

Bundle registry

Fixes gitlab-org/omnibus-gitlab#1218

Depends on gitlab-org/gitlab-ce!3787

See merge request !764
This commit is contained in:
Marin Jankovski 2016-05-19 14:54:36 +00:00
commit f74472d45b
21 changed files with 508 additions and 13 deletions


@ -33,6 +33,7 @@ dependency "libicu"
dependency "postgresql"
dependency "python-docutils"
dependency "krb5"
dependency "registry"
if EE
dependency "mysql-client"


@ -0,0 +1,35 @@
#
## Copyright:: Copyright (c) 2016 GitLab Inc.
## License:: Apache License, Version 2.0
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
#
name "registry"
default_version "v2.4.0"
source :git => "https://github.com/docker/distribution.git"
relative_path "github.com/docker/distribution"
build do
env = with_standard_compiler_flags(with_embedded_path)
env = { 'GOPATH' => "#{Omnibus::Config.base_dir}"}
cwd = "#{Omnibus::Config.source_dir}/github.com/docker/distribution"
command "go get github.com/tools/godep", env: env, cwd: cwd
command "$GOPATH/bin/godep restore", env: env, cwd: cwd
make "build PREFIX=#{install_dir}/embedded", env: env, cwd: cwd
make "binaries PREFIX=#{install_dir}/embedded", env: env, cwd: cwd
end
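Review bot: The `env` built by `with_standard_compiler_flags(with_embedded_path)` on the first line of the `build` block is discarded, because the very next line reassigns `env` to a hash holding only `GOPATH`, so neither the compiler flags nor the embedded PATH reach the `go get`, `godep restore` and `make` steps. If those flags were intended, merge instead of replacing, `env = with_standard_compiler_flags(with_embedded_path).merge('GOPATH' => Omnibus::Config.base_dir)`; if they were not, the first line should simply go. Separately, `go get github.com/tools/godep` fetches whatever godep is current at build time and `default_version "v2.4.0"` is a movable git tag, so the build is not reproducible and re-trusts the remotes on every run; pinning both to a commit (e.g. `default_version "<commit-sha-placeholder>"`) would make the shipped binary attestable to a known source.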


@ -44,7 +44,7 @@ external_url 'GENERATED_EXTERNAL_URL'
# gitlab_rails['ldap_sync_worker_cron'] = "30 1 * * *"
# gitlab_rails['geo_bulk_notify_worker_cron'] = "*/10 * * * * *"
# gitlab_rails['webhook_timeout'] = 10
# gitlab_rails['trusted_proxies'] = []
# gitlab_rails['trusted_proxies'] = []
## Reply by email
# Allow users to comment on issues and merge requests by replying to notification emails.
@ -309,6 +309,32 @@ external_url 'GENERATED_EXTERNAL_URL'
# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
###############################
# Container registry settings #
###############################
# see LINK
#
# Settings used by GitLab application
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "registry.gitlab.example.com"
# gitlab_rails['registry_port'] = "7443"
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"
# Settings used by Registry application
# registry['enable'] = true
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['log_level'] = "info"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
####################
# GitLab Workhorse #
####################
@ -425,11 +451,13 @@ external_url 'GENERATED_EXTERNAL_URL'
# postgresql['shmmax'] = 17179869184 # or 4294967295
# postgresql['shmall'] = 4194304 # or 1048575
# postgresql['work_mem'] = "8MB"
# postgresql['maintenance_work_mem'] = "16MB"
# postgresql['effective_cache_size'] = "1MB"
# postgresql['checkpoint_segments'] = 10
# postgresql['checkpoint_timeout'] = "5min"
# postgresql['checkpoint_completion_target'] = 0.9
# postgresql['checkpoint_warning'] = "30s"
# postgresql['wal_buffers'] = "-1"
## Replication settings
# postgresql['sql_replication_user'] = "gitlab_replicator"
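Review bot: The example values in the new `Container registry settings` block do not match what the recipes in this same commit generate: `gitlab_rails['registry_key_path']` is shown as `/var/opt/gitlab/gitlab-rails/certificate.key` while the gitlab-rails recipe sets it to `gitlab-registry.key` under the rails etc directory, and `registry['rootcertbundle']` is shown as `/var/opt/gitlab/registry/certificate.crt` while the registry recipe writes `gitlab-registry.crt` and the attribute default is nil. An operator who uncomments these examples would point both services at files that are never created, so the commented defaults should carry the generated names. The `# see LINK` line is an unfilled placeholder and should either hold the documentation URL or be dropped.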


@ -118,6 +118,13 @@ default['gitlab']['gitlab-rails']['pages_host'] = nil
default['gitlab']['gitlab-rails']['pages_port'] = nil
default['gitlab']['gitlab-rails']['pages_https'] = false
default['gitlab']['gitlab-rails']['pages_path'] = nil
default['gitlab']['gitlab-rails']['registry_enabled'] = false
default['gitlab']['gitlab-rails']['registry_host'] = nil
default['gitlab']['gitlab-rails']['registry_port'] = nil
default['gitlab']['gitlab-rails']['registry_api_url'] = nil
default['gitlab']['gitlab-rails']['registry_key_path'] = nil
default['gitlab']['gitlab-rails']['registry_path'] = nil
default['gitlab']['gitlab-rails']['registry_issuer'] = "omnibus-gitlab-issuer"
####
# These LDAP settings are deprecated in favor of the new syntax. They are kept here for backwards compatibility.
@ -333,12 +340,15 @@ else
end
default['gitlab']['postgresql']['work_mem'] = "8MB"
default['gitlab']['postgresql']['maintenance_work_mem'] = "16MB"
default['gitlab']['postgresql']['effective_cache_size'] = "#{(node['memory']['total'].to_i / 2) / (1024)}MB"
default['gitlab']['postgresql']['log_min_duration_statement'] = -1 # Disable slow query logging by default
default['gitlab']['postgresql']['checkpoint_segments'] = 10
default['gitlab']['postgresql']['checkpoint_timeout'] = "5min"
default['gitlab']['postgresql']['checkpoint_completion_target'] = 0.9
default['gitlab']['postgresql']['checkpoint_warning'] = "30s"
default['gitlab']['postgresql']['wal_buffers'] = "-1"
# Replication settings
default['gitlab']['postgresql']['sql_replication_user'] = "gitlab_replicator"
default['gitlab']['postgresql']['wal_level'] = "minimal"
@ -420,6 +430,21 @@ default['gitlab']['gitlab-pages']['use_http2'] = true
default['gitlab']['gitlab-pages']['dir'] = "/var/opt/gitlab/gitlab-pages"
default['gitlab']['gitlab-pages']['log_directory'] = "/var/log/gitlab/gitlab-pages"
####
# Registry
####
default['gitlab']['registry']['enable'] = false
default['gitlab']['registry']['username'] = "registry"
default['gitlab']['registry']['group'] = "registry"
default['gitlab']['registry']['uid'] = nil
default['gitlab']['registry']['gid'] = nil
default['gitlab']['registry']['dir'] = "/var/opt/gitlab/registry"
default['gitlab']['registry']['log_directory'] = "/var/log/gitlab/registry"
default['gitlab']['registry']['log_level'] = "info"
default['gitlab']['registry']['rootcertbundle'] = nil
####
# Nginx
####
@ -765,3 +790,9 @@ default['gitlab']['mattermost-nginx']['enable'] = false
####
default['gitlab']['pages-nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['pages-nginx']['enable'] = true
####
# GitLab Registry NGINX
####
default['gitlab']['registry-nginx'] = default['gitlab']['nginx'].dup
default['gitlab']['registry-nginx']['enable'] = true


@ -78,6 +78,14 @@ class AccountHelper
node['gitlab']['mattermost']['group']
end
def registry_user
node['gitlab']['registry']['username']
end
def registry_group
node['gitlab']['registry']['group']
end
def users
%W(
#{gitlab_user}
@ -87,6 +95,7 @@ class AccountHelper
#{gitlab_ci_user}
#{ci_redis_user}
#{mattermost_user}
#{registry_user}
)
end
@ -99,7 +108,7 @@ class AccountHelper
#{gitlab_ci_group}
#{ci_redis_group}
#{mattermost_group}
#{registry_group}
)
end
end


@ -52,6 +52,7 @@ module Gitlab
gitlab_workhorse Mash.new
gitlab_git_http_server Mash.new # legacy from GitLab 7.14, 8.0, 8.1
pages_nginx Mash.new
registry_nginx Mash.new
mailroom Mash.new
nginx Mash.new
ci_nginx Mash.new
@ -63,11 +64,13 @@ module Gitlab
web_server Mash.new
mattermost Mash.new
gitlab_pages Mash.new
registry Mash.new
node nil
external_url nil
pages_external_url nil
ci_external_url nil
mattermost_external_url nil
registry_external_url nil
git_data_dir nil
class << self
@ -91,6 +94,11 @@ module Gitlab
end
Gitlab['gitlab_ci']['db_key_base'] ||= generate_hex(64)
Gitlab['registry']['http_secret'] ||= generate_hex(64)
gitlab_registry_crt, gitlab_registry_key = generate_registry_keypair
Gitlab['registry']['internal_certificate'] ||= gitlab_registry_crt
Gitlab['registry']['internal_key'] ||= gitlab_registry_key
Gitlab['mattermost']['email_invite_salt'] ||= generate_hex(16)
Gitlab['mattermost']['file_public_link_salt'] ||= generate_hex(16)
Gitlab['mattermost']['email_password_reset_salt'] ||= generate_hex(16)
@ -101,6 +109,22 @@ module Gitlab
SecretsHelper.write_to_gitlab_secrets
end
def generate_registry_keypair
key = OpenSSL::PKey::RSA.new(4096)
subject = "/C=USA/O=GitLab/OU=Container/CN=Registry"
cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
cert.not_before = Time.now
cert.not_after = Time.now + 18250 * 24 * 60 * 60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2
cert.sign key, OpenSSL::Digest::SHA256.new
[cert.to_pem, key.to_pem]
end
def parse_gitlab_git_http_server
Gitlab['gitlab_git_http_server'].each do |k, v|
Chef::Log.warn "gitlab_git_http_server is deprecated. Please use gitlab_workhorse in gitlab.rb"
@ -355,7 +379,7 @@ module Gitlab
uri = URI(ci_external_url.to_s)
unless uri.host
raise "GitLab CI external URL must must include a schema and FQDN, e.g. http://ci.example.com/"
raise "GitLab CI external URL must include a schema and FQDN, e.g. http://ci.example.com/"
end
Gitlab['gitlab_ci']['gitlab_ci_host'] = uri.host
Gitlab['gitlab_ci']['gitlab_ci_email_from'] ||= "gitlab-ci@#{uri.host}"
@ -396,7 +420,7 @@ module Gitlab
uri = URI(pages_external_url.to_s)
unless uri.host
raise "GitLab Pages external URL must must include a schema and FQDN, e.g. http://pages.example.com/"
raise "GitLab Pages external URL must include a schema and FQDN, e.g. http://pages.example.com/"
end
Gitlab['gitlab_rails']['pages_host'] = uri.host
@ -442,7 +466,7 @@ module Gitlab
uri = URI(mattermost_external_url.to_s)
unless uri.host
raise "GitLab Mattermost external URL must must include a schema and FQDN, e.g. http://mattermost.example.com/"
raise "GitLab Mattermost external URL must include a schema and FQDN, e.g. http://mattermost.example.com/"
end
Gitlab['mattermost']['host'] = uri.host
@ -477,6 +501,70 @@ module Gitlab
mailroom['enable'] = true if mailroom['enable'].nil?
end
def parse_registry_external_url
return if registry['enable'] == false
if registry_external_url
uri = URI(registry_external_url.to_s)
unless uri.host
raise "GitLab Container Registry external URL must include a schema and FQDN, e.g. https://registry.example.com/"
end
listen_port = uri.port
else
gitlab_uri = URI(external_url.to_s)
if gitlab_uri.scheme == "https"
uri = gitlab_uri
listen_port = 5005
Gitlab['registry_nginx']['ssl_certificate'] ||= Gitlab['nginx']['ssl_certificate']
Gitlab['registry_nginx']['ssl_certificate_key'] ||= Gitlab['nginx']['ssl_certificate_key']
else
# Registry needs to be on https
# so disable the service and exit
registry['enable'] = false
return
end
end
if registry['enable'].nil?
registry['enable'] = true
Gitlab['gitlab_rails']['registry_enabled'] = true
end
Gitlab['registry']['registry_http_addr'] ||= "localhost:5000"
Gitlab['registry']['registry_http_addr'].gsub(/^https?\:\/\/(www.)?/,'')
Gitlab['gitlab_rails']['registry_api_url'] ||= "http://#{Gitlab['registry']['registry_http_addr']}"
Gitlab['registry']['token_realm'] ||= external_url
Gitlab['gitlab_rails']['registry_host'] = uri.host
Gitlab['registry_nginx']['listen_port'] ||= Gitlab['gitlab_rails']['registry_port'] || listen_port
if uri.scheme == "https"
Gitlab['registry_nginx']['https'] ||= true
Gitlab['registry_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
Gitlab['registry_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
Gitlab['registry_nginx']['redirect_http_to_https'] = true
else
raise "Unsupported GitLab Registry external URL scheme: #{uri.scheme}"
end
unless ["", "/"].include?(uri.path)
raise "Unsupported GitLab Registry external URL path: #{uri.path}"
end
unless [80, 443].include?(listen_port)
Gitlab['gitlab_rails']['registry_port'] ||= listen_port
end
end
def parse_registry
return unless registry['enable']
gitlab_rails['registry_path'] = "#{gitlab_rails['shared_path']}/registry" if gitlab_rails['registry_path'].nil?
end
def disable_gitlab_rails_services
if gitlab_rails["enable"] == false
redis["enable"] = false
@ -509,6 +597,7 @@ module Gitlab
"ci_nginx",
"mattermost_nginx",
"pages_nginx",
"registry_nginx",
"logging",
"remote_syslog",
"logrotate",
@ -520,7 +609,8 @@ module Gitlab
"ci_external_url",
"mattermost_external_url",
"pages_external_url",
"gitlab_pages"
"gitlab_pages",
"registry"
].each do |key|
rkey = key.gsub('_', '-')
results['gitlab'][rkey] = Gitlab[key]
@ -547,6 +637,7 @@ module Gitlab
parse_ci_external_url
parse_pages_external_url
parse_mattermost_external_url
parse_registry_external_url
parse_unicorn_listen_address
parse_nginx_listen_address
parse_nginx_listen_ports
@ -555,6 +646,7 @@ module Gitlab
parse_gitlab_mattermost
parse_incoming_email
parse_gitlab_pages_daemon
parse_registry
disable_gitlab_rails_services
# The last step is to convert underscores to hyphens in top-level keys
generate_hash
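Review bot: In `parse_registry_external_url`, `Gitlab['registry']['registry_http_addr'].gsub(/^https?\:\/\/(www.)?/,'')` is a no-op: the non-bang `gsub` returns a new string that is thrown away, so an operator value such as `http://127.0.0.1:5000` keeps its scheme and the `registry_api_url` default on the next line becomes `http://http://...`. Assign the result back, `Gitlab['registry']['registry_http_addr'] = Gitlab['registry']['registry_http_addr'].gsub(%r{\Ahttps?://(www\.)?}, '')`, anchoring with `\A` instead of `^` so only the start of the value is stripped and escaping the dot that currently matches any character. In the `generate_registry_keypair` hunk, `cert.serial = 0x0` yields a certificate with serial 0, which RFC 5280 does not permit and some validators reject; a positive value such as `cert.serial = 1` is sufficient for this self-signed internal certificate. `parse_registry_external_url` and `parse_registry` are both fully inside their hunk.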


@ -264,6 +264,12 @@ class SecretsHelper
'secret_key_base' => Gitlab['gitlab_ci']['secret_key_base'],
'db_key_base' => Gitlab['gitlab_ci']['db_key_base'],
},
'registry' => {
'http_secret' => Gitlab['registry']['http_secret'],
'internal_certificate' => Gitlab['registry']['internal_certificate'],
'internal_key' => Gitlab['registry']['internal_key']
},
'mattermost' => {
'email_invite_salt' => Gitlab['mattermost']['email_invite_salt'],
'file_public_link_salt' => Gitlab['mattermost']['file_public_link_salt'],


@ -62,6 +62,8 @@ template "#{install_dir}/embedded/etc/gitconfig" do
variables gitconfig: node['gitlab']['omnibus-gitconfig']['system']
end
# This recipe needs to run before gitlab-rails
# because we add `gitlab-www` user to some groups created by that recipe
include_recipe "gitlab::web-server"
if node['gitlab']['gitlab-rails']['enable']
@ -104,7 +106,8 @@ include_recipe "runit"
"logrotate",
"bootstrap",
"mattermost",
"gitlab-pages"
"gitlab-pages",
"registry"
].each do |service|
if node["gitlab"][service]["enable"]
include_recipe "gitlab::#{service}"


@ -30,6 +30,9 @@ gitlab_ci_dir = node['gitlab']['gitlab-ci']['dir']
gitlab_ci_builds_dir = node['gitlab']['gitlab-ci']['builds_directory']
upgrade_status_dir = File.join(gitlab_rails_dir, "upgrade-status")
# Set path to the private key used for communication between registry and Gitlab.
node.default['gitlab']['gitlab-rails']['registry_key_path'] = File.join(gitlab_rails_etc_dir, "gitlab-registry.key")
ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
known_hosts = File.join(ssh_dir, "known_hosts")


@ -43,6 +43,7 @@ nginx_config = File.join(nginx_conf_dir, "nginx.conf")
gitlab_rails_http_conf = File.join(nginx_conf_dir, "gitlab-http.conf")
gitlab_pages_http_conf = File.join(nginx_conf_dir, "gitlab-pages.conf")
gitlab_registry_http_conf = File.join(nginx_conf_dir, "gitlab-registry.conf")
gitlab_mattermost_http_conf = File.join(nginx_conf_dir, "gitlab-mattermost-http.conf")
# If the service is enabled, check if we are using internal nginx
@ -64,6 +65,12 @@ gitlab_pages_enabled = if node['gitlab']['gitlab-rails']['pages_enabled']
false
end
gitlab_registry_enabled = if node['gitlab']['registry']['enable']
node['gitlab']['registry-nginx']['enable']
else
false
end
# Include the config file for gitlab-rails in nginx.conf later
nginx_vars = node['gitlab']['nginx'].to_hash.merge({
:gitlab_http_config => gitlab_rails_enabled ? gitlab_rails_http_conf : nil
@ -79,6 +86,10 @@ nginx_vars = nginx_vars.to_hash.merge!({
:gitlab_pages_http_config => gitlab_pages_enabled ? gitlab_pages_http_conf : nil
})
nginx_vars = nginx_vars.to_hash.merge!({
:gitlab_registry_http_config => gitlab_registry_enabled ? gitlab_registry_http_conf : nil
})
if nginx_vars['listen_https'].nil?
nginx_vars['https'] = node['gitlab']['gitlab-rails']['gitlab_https']
else
@ -98,7 +109,8 @@ template gitlab_rails_http_conf do
:kerberos_enabled => node['gitlab']['gitlab-rails']['kerberos_enabled'],
:kerberos_use_dedicated_port => node['gitlab']['gitlab-rails']['kerberos_use_dedicated_port'],
:kerberos_port => node['gitlab']['gitlab-rails']['kerberos_port'],
:kerberos_https => node['gitlab']['gitlab-rails']['kerberos_https']
:kerberos_https => node['gitlab']['gitlab-rails']['kerberos_https'],
:registry_api_url => node['gitlab']['gitlab-rails']['registry_api_url']
}
))
notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
@ -128,6 +140,23 @@ template gitlab_pages_http_conf do
action gitlab_pages_enabled ? :create : :delete
end
registry_nginx_vars = node['gitlab']['registry-nginx'].to_hash
template gitlab_registry_http_conf do
source "nginx-gitlab-registry-http.conf.erb"
owner "root"
group "root"
mode "0644"
variables(registry_nginx_vars.merge(
{
registry_api_url: node['gitlab']['gitlab-rails']['registry_api_url'],
registry_host: node['gitlab']['gitlab-rails']['registry_host'],
registry_http_addr: node['gitlab']['registry']['registry_http_addr']
}
))
notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
action gitlab_registry_enabled ? :create : :delete
end
mattermost_nginx_vars = node['gitlab']['mattermost-nginx'].to_hash
if mattermost_nginx_vars['listen_https'].nil?


@ -0,0 +1,100 @@
#
# Copyright:: Copyright (c) 2016 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
registry_uid = node['gitlab']['registry']['uid']
registry_gid = node['gitlab']['registry']['gid']
working_dir = node['gitlab']['registry']['dir']
log_directory = node['gitlab']['registry']['log_directory']
directory working_dir do
recursive true
end
account "Docker registry user and group" do
username account_helper.registry_user
uid registry_uid
ugid account_helper.registry_group
groupname account_helper.registry_group
gid registry_gid
shell '/bin/sh'
home working_dir
manage node['gitlab']['manage-accounts']['enable']
end
# Add registry user to web server group
# To allow access to the registry directory located in shared
if node['gitlab']['manage-accounts']['enable']
group account_helper.web_server_group do
append true
members account_helper.registry_user
end
end
[
working_dir,
log_directory,
].each do |dir|
directory dir do
owner account_helper.registry_user
mode '0700'
recursive true
end
end
directory node['gitlab']['gitlab-rails']['registry_path'] do
owner account_helper.registry_user
group account_helper.web_server_group
mode '0750'
recursive true
only_if { node['gitlab']['manage-storage-directories']['enable'] }
end
key_file_path = node['gitlab']['gitlab-rails']['registry_key_path']
file key_file_path do
content node['gitlab']['registry']['internal_key']
owner account_helper.gitlab_user
group account_helper.gitlab_group
end
cert_file_path = File.join(working_dir, "gitlab-registry.crt")
node.default['gitlab']['registry']['rootcertbundle'] = cert_file_path
file cert_file_path do
content node['gitlab']['registry']['internal_certificate']
owner account_helper.registry_user
group account_helper.registry_group
end
template "#{working_dir}/config.yml" do
source "registry-config.yml.erb"
owner account_helper.registry_user
variables node['gitlab']['registry'].to_hash.merge(node['gitlab']['gitlab-rails'].to_hash)
mode "0644"
notifies :restart, "service[registry]"
end
runit_service 'registry' do
options({
:log_directory => log_directory
}.merge(params))
log_options node['gitlab']['logging'].to_hash.merge(node['gitlab']['registry'].to_hash)
end
file File.join(working_dir, "VERSION") do
content VersionHelper.version("/opt/gitlab/embedded/bin/registry --version")
notifies :restart, "service[registry]"
end
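Review bot: The `file key_file_path` resource that writes `node['gitlab']['registry']['internal_key']` sets owner and group but no `mode`, so the RSA private key used to sign registry tokens is created with Chef's default permissions, which on a typical umask leaves it world-readable; add `mode '0600'` to that resource. The `template "#{working_dir}/config.yml"` resource has the same exposure but explicitly, `mode "0644"`, even though the rendered file carries `http_secret`; `mode "0600"` is enough because the service runs as `account_helper.registry_user`, which already owns the file. The certificate written to `cert_file_path` is public material and can keep its current permissions.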


@ -0,0 +1,20 @@
#
# Copyright:: Copyright (c) 2016 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
runit_service "registry" do
action :disable
end


@ -18,12 +18,20 @@
account_helper = AccountHelper.new(node)
webserver_username = account_helper.web_server_user
webserver_group = account_helper.web_server_group
external_webserver_users = node['gitlab']['web-server']['external_users']
external_webserver_users = node['gitlab']['web-server']['external_users'].to_a
# This recipe runs before registry recipe so we need to make sure that the
# registry users is appended to the webserver group as registry requires access
# to the gitlab-rails/shared folder.
# Without this check the reconfigure run would fail on the first run and also
# the group would end up being altered on every reconfigure run
if node["gitlab"]["registry"]["enable"] && OmnibusHelper.user_exists?(account_helper.registry_user)
external_webserver_users << account_helper.registry_user
end
# Create the group for the GitLab user
# If external webserver is used, add the external webserver user to
# GitLab webserver group
append_members = external_webserver_users.any? && !node['gitlab']['nginx']['enable']
account "Webserver user and group" do
username webserver_username
@ -33,7 +41,7 @@ account "Webserver user and group" do
gid node['gitlab']['web-server']['gid']
shell node['gitlab']['web-server']['shell']
home node['gitlab']['web-server']['home']
append_to_group append_members
append_to_group external_webserver_users.any?
group_members external_webserver_users
user_supports manage_home: false
manage node['gitlab']['manage-accounts']['enable']
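Review bot: With `append_to_group` now driven by `external_webserver_users.any?`, the `append_members` local computed just above the `account` resource is no longer read anywhere in the visible hunk; if it survives the change it is dead code and should be removed along with its comment, and the guard it carried (`!node['gitlab']['nginx']['enable']`) should be documented as intentionally dropped, since members are now appended whenever the list is non-empty. It is also worth confirming that `.to_a` on the node attribute returns a plain mutable `Array` here, because the subsequent `external_webserver_users << account_helper.registry_user` would raise on Chef's immutable attribute collections; `.to_a.dup` would make the copy explicit. The `account` resource continues past the end of the hunk.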


@ -124,6 +124,16 @@ production: &base
# The location where LFS objects are stored (default: shared/lfs-objects).
storage_path: <%= @lfs_storage_path %>
## Container Registry
registry:
enabled: <%= @registry_enabled %>
host: <%= @registry_host %>
port: <%= @registry_port %>
api_url: <%= @registry_api_url %> # internal address to the registry, will be used by GitLab to directly communicate with API
path: <%= @registry_path %>
key: <%= @registry_key_path %>
issuer: <%= @registry_issuer %>
## GitLab Pages (EE only)
pages:
enabled: <%= @pages_enabled %>


@ -0,0 +1,69 @@
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.
## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
## configuration ##
###################################
## Redirects all HTTP traffic to the HTTPS host
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
<% end %>
server_name <%= @registry_host %>;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host:<%= @port %>$request_uri;
access_log <%= @log_directory %>/gitlab_registry_access.log gitlab_access;
error_log <%= @log_directory %>/gitlab_registry_error.log;
}
server {
<% @listen_addresses.each do |listen_address| %>
listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl http2<% end %>;
<% end %>
server_name <%= @registry_host %>;
server_tokens off; ## Don't show the nginx version number, a security best practice
client_max_body_size 0;
chunked_transfer_encoding on;
<% if @https %>
## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
ssl on;
ssl_certificate <%= @ssl_certificate %>;
ssl_certificate_key <%= @ssl_certificate_key %>;
<% if @ssl_client_certificate %>
ssl_client_certificate <%= @ssl_client_certificate%>;
<% end %>
ssl_ciphers '<%= @ssl_ciphers %>';
ssl_protocols <%= @ssl_protocols %>;
ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
ssl_session_cache <%= @ssl_session_cache %>;
ssl_session_timeout <%= @ssl_session_timeout %>;
<% if @ssl_dhparam %>
ssl_dhparam <%= @ssl_dhparam %>;
<% end %>
<% end %>
access_log <%= @log_directory %>/gitlab_registry_access.log gitlab_access;
error_log <%= @log_directory %>/gitlab_registry_error.log;
location / {
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_pass http://<%= @registry_http_addr %>;
}
<%= @custom_gitlab_server_config %>
}
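Review bot: The HTTP-to-HTTPS redirect `return 301 https://$http_host:<%= @port %>$request_uri;` builds the Location header from the client-supplied Host header and from `@port`, which is not among the variables the nginx recipe passes explicitly (`registry_api_url`, `registry_host`, `registry_http_addr`) and so must come from the `registry-nginx` attribute hash; if that key is unset the redirect renders as `https://host:/path`. Using the configured name and port, `return 301 https://<%= @registry_host %>:<%= @listen_port %>$request_uri;`, removes both the dependence on an attacker-controlled header and the unverified variable (assuming the listen port is the public port, as `parse_registry_external_url` defaults it to). The redirect server block is also emitted unconditionally, so the `redirect_http_to_https` flag the library sets is never consulted; wrapping the block in `<% if @redirect_http_to_https %> ... <% end %>` would make that flag meaningful.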


@ -51,5 +51,9 @@ http {
include <%= @gitlab_mattermost_http_config %>;
<% end %>
<% if @gitlab_registry_http_config %>
include <%= @gitlab_registry_http_config %>;
<% end %>
<%= @custom_nginx_config %>
}


@ -120,7 +120,7 @@ shared_buffers = <%= node['gitlab']['postgresql']['shared_buffers'] %> # min 128
# It is not advisable to set max_prepared_transactions nonzero unless you
# actively intend to use prepared transactions.
work_mem = <%= node['gitlab']['postgresql']['work_mem'] %> # min 64kB
#maintenance_work_mem = 16MB # min 1MB
maintenance_work_mem = <%= node['gitlab']['postgresql']['maintenance_work_mem'] %> # 16MB # min 1MB
#max_stack_depth = 2MB # min 100kB
# - Kernel Resource Usage -
@ -166,7 +166,7 @@ wal_level = <%= node['gitlab']['postgresql']['wal_level'] %>
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
wal_buffers = <%= node['gitlab']['postgresql']['wal_buffers'] %> # -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds


@ -0,0 +1,27 @@
version: 0.1
log:
level: <%= @log_level %>
fields:
service: registry
environment: production
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: <%= @registry_path %>
http:
addr: <%= @registry_http_addr %>
secret: "<%= @http_secret %>"
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
auth:
token:
realm: <%= @token_realm %>/jwt/auth
service: container_registry
issuer: <%= @registry_issuer %>
rootcertbundle: <%= @rootcertbundle %>
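Review bot: `realm: <%= @token_realm %>/jwt/auth` appends a path to `token_realm`, which `parse_registry_external_url` defaults to `external_url` exactly as the operator typed it, so a trailing slash on `external_url` produces a realm of the form `https://gitlab.example.com//jwt/auth`. If the value is not normalised elsewhere, stripping it where the default is set, `Gitlab['registry']['token_realm'] ||= external_url.to_s.chomp('/')`, keeps the realm well-formed for the docker client. The `X-Content-Type-Options: [nosniff]` header and the quoted `http_secret` are as they should be.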


@ -0,0 +1,6 @@
<%= "s#@svlogd_size" if @svlogd_size %>
<%= "n#@svlogd_num" if @svlogd_num %>
<%= "t#@svlogd_timeout" if @svlogd_timeout %>
<%= "!#@svlogd_filter" if @svlogd_filter %>
<%= "u#@svlogd_udp" if @svlogd_udp %>
<%= "p#@svlogd_prefix" if @svlogd_prefix %>


@ -0,0 +1,2 @@
#!/bin/sh
exec svlogd -tt <%= @options[:log_directory] %>


@ -0,0 +1,12 @@
#!/bin/bash
set -e # fail on errors
# Redirect stderr -> stdout
exec 2>&1
cd <%= node['gitlab']['registry']['dir'] %>
exec chpst -P \
-U <%= node['gitlab']['registry']['username'] %> \
-u <%= node['gitlab']['registry']['group'] %> \
/opt/gitlab/embedded/bin/registry serve ./config.yml
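Review bot: `chpst -u` takes a `user[:group]` argument, but the run script passes `node['gitlab']['registry']['group']` to it while passing the username to `-U`, so the daemon only drops to the intended identity while the username and group name coincide (both default to `registry`); with a custom `registry['group']`, chpst will try to look up a user named after the group. Pass the pair to both flags: `-U <%= node['gitlab']['registry']['username'] %>:<%= node['gitlab']['registry']['group'] %> \` and `-u <%= node['gitlab']['registry']['username'] %>:<%= node['gitlab']['registry']['group'] %> \`.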