You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org

GitLab: Difference between revisions

From Wikitech-static
imported>Brennen Bearnes
m (Tweak mw.org link.)
imported>Dzahn
(adding ticket links)
Line 26: Line 26:
== GitLab instances ==
== GitLab instances ==


gitlab1001 and gitlab2001 are setup using puppet. The configuration currently lives in [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/profile/manifests/gitlab.pp|profile::gitlab]]. Former configuration from [[gerrit:plugins/gitiles/operations/gitlab-ansible|gitlab-ansible]] was migrated completely to puppet (see [[phab:T283076|T283076]]). GitLab is installed as a [https://docs.gitlab.com/omnibus/ Omnibus installation] on all instances. So all GitLab components are installed using the official packages and are executed on a single host. The reasons for this setup can be found in the [[mw:GitLab/Initialization|Initialization docs in Mediawiki]].
[[gitlab1001]] and [[gitlab2001]] are setup using puppet. The configuration currently lives in [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/profile/manifests/gitlab.pp|profile::gitlab]]. Former configuration from [[gerrit:plugins/gitiles/operations/gitlab-ansible|gitlab-ansible]] was migrated completely to puppet (see [[phab:T283076|T283076]]). GitLab is installed as a [https://docs.gitlab.com/omnibus/ Omnibus installation] on all instances. So all GitLab components are installed using the official packages and are executed on a single host. The reasons for this setup can be found in the [[mw:GitLab/Initialization|Initialization docs in Mediawiki]].


GitLab login is implemented with SSO using the [[CAS-SSO|CAS/SSO]]. So users will be redirected to idp.wikimedia.org to login to the SSO portal. Authentication is currently open to all users with a Wikimedia developer account.
GitLab login is implemented with SSO using the [[CAS-SSO|CAS/SSO]]. So users will be redirected to idp.wikimedia.org to login to the SSO portal. Authentication is currently open to all users with a Wikimedia developer account.
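Review bot: The rewritten first paragraph still reads "are setup using puppet" and "a Omnibus installation". Since this line is being changed to add the [[gitlab1001]] and [[gitlab2001]] links anyway, correct these to "are set up using Puppet" and "an Omnibus installation" in the same edit.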
Line 33: Line 33:


For our current and future runner setups, see [[GitLab/Gitlab Runner]].
For our current and future runner setups, see [[GitLab/Gitlab Runner]].
== SSH fingerprints ==
Each gitlab server has 4 IPs on the same network interface. One IPv4 and one IPv6 for server, the standard sshd that admins use to connect to the individual backend (gitlab1001.wikimedia.org/gitlab2001.wikimedia.org) and one IPv4 and IPv6 for the service address (gitlab.wikimedia.org).
If you connect to the service as a user you _should_ expect to see the one for the service IP but currently you will see the one for the backend you are connecting to. Currently this is [[gitlab1001]] but it could change when we switch data centers or fail over.
We are looking into getting a new configuration option into gitlab upstream to properly fix this. Meanwhile you can find fingerprints linked on the server pages, [[gitlab1001]] and [[gitlab2001]].
also see the status of this ticket: [[phab:T296944]]
== Tickets ==
*[[phab:T274459]] (VM creation request)
*[[phab:T296944]] (Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints)
*[[phab:T295481]] (Setup GitLab Runner in trusted environment)


[[Category:SRE Service Operations]]
[[Category:SRE Service Operations]]
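Review bot: In the new "SSH fingerprints" section, _should_ is Markdown-style emphasis and will show up literally in wikitext; use ''should'' instead. The section says the fingerprint a user sees depends on which backend is active, but only points to the server pages, so state explicitly that either the gitlab1001 or the gitlab2001 fingerprint is expected for gitlab.wikimedia.org until T296944 is resolved. The line "also see the status of this ticket" needs a capital letter and a full stop, and it repeats the T296944 entry already listed under "Tickets".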

Revision as of 17:08, 21 December 2021

This page contains SRE-related topics for GitLab. For GitLab application-specific information, user documentation, and policy, please see mw:GitLab on mediawiki.org.

GitLab is reachable at https://gitlab.wikimedia.org/. We run multiple instances of GitLab:

GitLab instances

gitlab1001 and gitlab2001 are set up using Puppet. The configuration currently lives in profile::gitlab. The former configuration from gitlab-ansible was migrated completely to Puppet (see T283076). GitLab is installed as an Omnibus installation on all instances, so all GitLab components are installed using the official packages and run on a single host. The reasons for this setup can be found in the Initialization docs in Mediawiki.

GitLab login is implemented with SSO using CAS/SSO, so users are redirected to idp.wikimedia.org to log in to the SSO portal. Authentication is currently open to all users with a Wikimedia developer account.

GitLab runners

For our current and future runner setups, see GitLab/Gitlab Runner.

SSH fingerprints

Each GitLab server has 4 IPs on the same network interface: one IPv4 and one IPv6 address for the server itself, served by the standard sshd that admins use to connect to the individual backend (gitlab1001.wikimedia.org/gitlab2001.wikimedia.org), and one IPv4 and one IPv6 address for the service address (gitlab.wikimedia.org).

If you connect to the service as a user, you should expect to see the fingerprint for the service IP, but currently you will see the one for the backend you are connecting to. Currently this is gitlab1001, but it could change when we switch data centers or fail over.

We are looking into getting a new configuration option into GitLab upstream to properly fix this. Meanwhile, you can find the fingerprints linked on the server pages, gitlab1001 and gitlab2001.

Also see the status of this ticket: phab:T296944.
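
Because the fingerprint presented for gitlab.wikimedia.org can be that of either backend, a client-side check has to pin both. The following is an added example, not part of the original page or of Wikimedia's tooling: it computes OpenSSH-style SHA256 fingerprints from key lines in `ssh-keyscan` output format and reports which pinned backend, if any, each key belongs to. The key blobs and pinned values are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_scan(scan_output, pinned):
    """Return (host, keytype, fingerprint, backend) for each scanned key line.

    backend is None when the fingerprint is not pinned; fingerprint is None
    when the key field is not valid base64.
    """
    results = []
    for line in scan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, key_b64 = parts[:3]
        try:
            fp = sha256_fingerprint(key_b64)
        except ValueError:  # binascii.Error is a ValueError subclass
            results.append((host, keytype, None, None))
            continue
        results.append((host, keytype, fp, pinned.get(fp)))
    return results

def _constructed_key(label):
    # Placeholder blob, NOT a real host key; only its hash matters here.
    return base64.b64encode(b"constructed-key-" + label).decode()

KEY_1001 = _constructed_key(b"gitlab1001")
KEY_2001 = _constructed_key(b"gitlab2001")
KEY_UNKNOWN = _constructed_key(b"unknown")

# In practice these come from the gitlab1001 / gitlab2001 server pages.
PINNED = {sha256_fingerprint(KEY_1001): "gitlab1001",
          sha256_fingerprint(KEY_2001): "gitlab2001"}

# Constructed input in `ssh-keyscan` output format.
SCAN = (f"# gitlab.wikimedia.org:22 (constructed)\n"
        f"gitlab.wikimedia.org ssh-ed25519 {KEY_1001}\n"
        f"gitlab.wikimedia.org ssh-ed25519 {KEY_UNKNOWN}\n")

if __name__ == "__main__":
    for host, keytype, fp, backend in check_scan(SCAN, PINNED):
        print(host, keytype, fp, backend or "NOT PINNED: do not trust")
```

Only lines whose backend is not None should be added to known_hosts; a key that matches neither backend after a failover is a reason to stop and check the server pages.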

Tickets

  • phab:T274459 (VM creation request)
  • phab:T296944 (Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints)
  • phab:T295481 (Setup GitLab Runner in trusted environment)