You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org

GitLab: Difference between revisions

From Wikitech-static
imported>Dzahn
(adding ticket links)
imported>Jelto
mNo edit summary
 
(6 intermediate revisions by 3 users not shown)
Line 10: Line 10:
{{Special:PrefixIndex/{{FULLPAGENAME}}/ |hideredirects=1 |stripprefix=1}}
{{Special:PrefixIndex/{{FULLPAGENAME}}/ |hideredirects=1 |stripprefix=1}}
* External resources:
* External resources:
** [[mw:GitLab]] - User documentation
** [https://gitlab.wikimedia.org/ Production GitLab]
** [https://gitlab.wikimedia.org/ Production GitLab]
** [https://docs.gitlab.com GitLab docs]
** [https://docs.gitlab.com Upstream GitLab docs]  
** [https://www.mediawiki.org/wiki/GitLab GitLab in MediaWiki]
** [https://phabricator.wikimedia.org/project/view/5057/ GitLab in Phabricator]
** [https://phabricator.wikimedia.org/project/view/5057/ GitLab in Phabricator]
}}
}}
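Review bot: the `** [[mw:GitLab]] - User documentation` entry and the `** [https://www.mediawiki.org/wiki/GitLab GitLab in MediaWiki]` entry in this hunk resolve to the same mediawiki.org page, so keeping only one of them is the right call; while here, the renamed `** [https://docs.gitlab.com Upstream GitLab docs]` line carries trailing whitespace that should be trimmed before saving.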
Line 20: Line 20:
GitLab is reachable at https://gitlab.wikimedia.org/. We run multiple instances of GitLab:
GitLab is reachable at https://gitlab.wikimedia.org/. We run multiple instances of GitLab:


* gitlab1001 runs production GitLab serving https://gitlab.wikimedia.org/
* gitlab1004 runs production GitLab serving https://gitlab.wikimedia.org/
* gitlab2001 runs a passive GitLab [[GitLab/Replica|replica]] serving https://gitlab-replica.wikimedia.org/ (WIP)
* gitlab1003 runs a passive GitLab [[GitLab/Replica|replica]] serving https://gitlab-replica.wikimedia.org/
* gitlab-ansible-test in WMCS gitlab-test project serving https://gitlab-test.wmcloud.org/
* gitlab-prod-1001.devtools.eqiad1.wikimedia.cloud runs a production-like [[GitLab/Test Instance|test instance]] in WMCS/VPS serving https://gitlab.devtools.wmcloud.org/


== GitLab instances ==
== GitLab instances ==


[[gitlab1001]] and [[gitlab2001]] are setup using puppet. The configuration currently lives in [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/profile/manifests/gitlab.pp|profile::gitlab]]. Former configuration from [[gerrit:plugins/gitiles/operations/gitlab-ansible|gitlab-ansible]] was migrated completely to puppet (see [[phab:T283076|T283076]]). GitLab is installed as a [https://docs.gitlab.com/omnibus/ Omnibus installation] on all instances. So all GitLab components are installed using the official packages and are executed on a single host. The reasons for this setup can be found in the [[mw:GitLab/Initialization|Initialization docs in Mediawiki]].
gitlab1003, gitlab1004 and test instance gitlab-prod-1001 are setup using puppet. The configuration currently lives in [[gerrit:plugins/gitiles/operations/puppet/+/refs/heads/production/modules/profile/manifests/gitlab.pp|profile::gitlab]]. Former configuration from [[gerrit:plugins/gitiles/operations/gitlab-ansible|gitlab-ansible]] was migrated completely to puppet (see [[phab:T283076|T283076]]). GitLab is installed as a [https://docs.gitlab.com/omnibus/ Omnibus installation] on all instances. So all GitLab components are installed using the official packages and are executed on a single host. The reasons for this setup can be found in the [[mw:GitLab/Initialization|Initialization docs in Mediawiki]].


GitLab login is implemented with SSO using the [[CAS-SSO|CAS/SSO]]. So users will be redirected to idp.wikimedia.org to login to the SSO portal. Authentication is currently open to all users with a Wikimedia developer account.
GitLab login is implemented with SSO using the [[CAS-SSO|CAS/SSO]]. So users will be redirected to idp.wikimedia.org (idp.wmcloud.org on WMCS/VPS) to login to the SSO portal. Authentication is currently open to all users with a Wikimedia developer account for the production instance. Access to the replica and test instance is restricted to WMF/NDA groups.


== GitLab runners ==
== GitLab runners ==


For our current and future runner setups, see [[GitLab/Gitlab Runner]].
GitLab offers CI/CD capabilities. For our current and Runner documentation, see [[GitLab/Gitlab Runner]].
 
== Network topology ==
GitLab hosts (production and replica) are running in eqiad/codfw datacenter. Each hosts have two public IPv4 and two public IPv6 addresses. The first address pair is used for general access to the machine (mostly ssh and system monitoring). The second address pair is needed to run a dedicated SSH daemon (for git pull and push) independent from the existing management SSH daemon. Furthermore the second address is used to serve https traffic without LVS. This ensures that GitLab (thus deployments and rollbacks) is independent from LVS. The second address pair is called "service address" or <code>service_ip</code> sometimes in puppet/docs.
 
The primary address is not required to be public, but due to networking conventions one private and one public IP/VLAN is not encouraged currently (see [[phab:T310265|T310265]]).
 
GitLab Runner machines have a single, private IPv4 and IPv6 address only. Some (Trusted) Runners are running in eqiad/codfw datacenter, other Runners are in WMCS <code>gitlab-runners</code> project.
[[File:GitLab Network Topology.drawio.png|thumb|458x458px]]


== SSH fingerprints ==
== SSH fingerprints ==


Each gitlab server has 4 IPs on the same network interface. One IPv4 and one IPv6 for server, the standard sshd that admins use to connect to the individual backend (gitlab1001.wikimedia.org/gitlab2001.wikimedia.org) and one IPv4 and IPv6 for the service address (gitlab.wikimedia.org).
See [[Help:SSH_Fingerprints/gitlab.wikimedia.org]] for an overview of all fingerprints at once.
 
Each gitlab server has 4 IPs on the same network interface (see above). One IPv4 and one IPv6 is used for the standard sshd that admins use to connect to the individual backend (gitlab1001.wikimedia.org/gitlab2001.wikimedia.org) and one IPv4 and IPv6 is used for the service address (gitlab.wikimedia.org).


If you connect to the service as a user you _should_ expect to see the one for the service IP but currently you will see the one for the backend you are connecting to. Currently this is [[gitlab1001]] but it could change when we switch data centers or fail over.
If you connect to the service as a user you _should_ expect to see the one for the service IP but currently you will see the one for the backend you are connecting to. Currently this is gitlab1004 but it could change when we switch data centers or fail over.


We are looking into getting a new configuration option into gitlab upstream to properly fix this. Meanwhile you can find fingerprints linked on the server pages, [[gitlab1001]] and [[gitlab2001]].
We are looking into getting a new configuration option into gitlab upstream to properly fix this. Meanwhile you can find fingerprints linked on [[Help:SSH_Fingerprints/gitlab.wikimedia.org]].


also see the status of this ticket: [[phab:T296944]]
also see the status of this ticket: [[phab:T296944]]
== How to create or migrate a repo / group / project ==
See [[mw:GitLab/Hosting a project on GitLab]] for full user documentation.


== Tickets ==
== Tickets ==
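Review bot: the updated SSH fingerprints paragraph still names gitlab1001.wikimedia.org/gitlab2001.wikimedia.org as the backends admins connect to, while the instance list in the same hunk now lists gitlab1004 (production) and gitlab1003 (replica) and the following paragraph says the key users currently see is gitlab1004's; update the backend hostnames so the fingerprint guidance points at the hosts actually in service. Two smaller nits in the added text: `For our current and Runner documentation, see [[GitLab/Gitlab Runner]].` has dropped a word (presumably "Runner setup and documentation"), and `Each hosts have two public IPv4` should read "Each host has".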

Latest revision as of 13:54, 26 July 2022

This page contains SRE-related topics for GitLab. For GitLab application-specific information, user documentation, and policy, please see mw:GitLab on mediawiki.org.

GitLab is reachable at https://gitlab.wikimedia.org/. We run multiple instances of GitLab:

  • gitlab1004 runs production GitLab serving https://gitlab.wikimedia.org/
  • gitlab1003 runs a passive GitLab replica serving https://gitlab-replica.wikimedia.org/
  • gitlab-prod-1001.devtools.eqiad1.wikimedia.cloud runs a production-like test instance in WMCS/VPS serving https://gitlab.devtools.wmcloud.org/

GitLab instances

gitlab1003, gitlab1004 and the test instance gitlab-prod-1001 are set up using Puppet. The configuration currently lives in profile::gitlab. The former configuration from gitlab-ansible was migrated completely to Puppet (see T283076). GitLab is installed as an Omnibus installation on all instances, so all GitLab components come from the official packages and run on a single host. The reasons for this setup can be found in the Initialization docs on MediaWiki.org.

GitLab login is implemented as SSO via CAS, so users are redirected to idp.wikimedia.org (idp.wmcloud.org on WMCS/VPS) to log in at the SSO portal. Authentication to the production instance is currently open to all users with a Wikimedia developer account; access to the replica and the test instance is restricted to WMF/NDA groups.

GitLab runners

GitLab offers CI/CD capabilities. For our current Runner setup and documentation, see GitLab/Gitlab Runner.

Network topology

GitLab hosts (production and replica) run in the eqiad/codfw datacenters. Each host has two public IPv4 and two public IPv6 addresses. The first address pair is used for general access to the machine (mostly SSH and system monitoring). The second address pair is needed to run a dedicated SSH daemon (for git pull and push) independent of the existing management SSH daemon. The second address is also used to serve HTTPS traffic without LVS, which keeps GitLab (and thus deployments and rollbacks) independent of LVS. The second address pair is sometimes called the "service address" or service_ip in puppet/docs.

The primary address is not required to be public, but due to networking conventions, mixing one private and one public IP/VLAN on a host is currently discouraged (see T310265).

GitLab Runner machines have only a single private IPv4 and IPv6 address. Some (Trusted) Runners run in the eqiad/codfw datacenters; the other Runners are in the WMCS gitlab-runners project.

SSH fingerprints

See Help:SSH_Fingerprints/gitlab.wikimedia.org for an overview of all fingerprints at once.

Each GitLab server has 4 IPs on the same network interface (see above). One IPv4 and one IPv6 address are used for the standard sshd that admins use to connect to the individual backend (gitlab1001.wikimedia.org/gitlab2001.wikimedia.org), and one IPv4 and one IPv6 address are used for the service address (gitlab.wikimedia.org).

If you connect to the service as a user you _should_ expect to see the host key for the service IP, but currently you will see the one for the backend you are connecting to. Currently this is gitlab1004, but it could change when we switch data centers or fail over.

We are looking into getting a new configuration option into upstream GitLab to properly fix this. Meanwhile you can find the fingerprints linked on Help:SSH_Fingerprints/gitlab.wikimedia.org.

See also the status of this ticket: phab:T296944
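Because the key presented under the service name is currently a backend's key, a user verifying a first connection has to compare what the client actually received against the whole published list, not just the entry for gitlab.wikimedia.org. The following Python is an added example (it is not part of this page and not Wikimedia's tooling): it reproduces what `ssh-keygen -lf` does when it prints SHA256 fingerprints, parses `ssh-keyscan`-style lines, and reports whether each scanned key is in a published allowlist and which host it belongs to. All keys, labels and the scan output below are constructed for the example; the real fingerprints live on Help:SSH_Fingerprints/gitlab.wikimedia.org.

```python
"""Derive OpenSSH SHA256 fingerprints from ssh-keyscan / known_hosts lines and
check them against a published allowlist of host-key fingerprints."""
import base64
import hashlib
import struct


def build_ed25519_host_key(raw_pubkey: bytes) -> str:
    """Build a base64 ssh-ed25519 public key blob in OpenSSH wire format.

    Only used to construct sample input for this example; real keys come from
    `ssh-keyscan <host>` or the server's /etc/ssh/ssh_host_*_key.pub files."""
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw_pubkey)) + raw_pubkey)
    return base64.b64encode(blob).decode("ascii")


def fingerprint_sha256(b64_key: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: the digest of the
    decoded key blob, base64-encoded with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Parse one ssh-keyscan / known_hosts line into (host, keytype, b64key).
    Comment and blank lines yield None; a blob whose embedded type does not
    match the declared type is rejected rather than silently accepted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    host, key_type, b64_key = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64_key)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError(f"key blob type does not match declared type {key_type}")
    return host, key_type, b64_key


def check_host_keys(keyscan_output: str, published: dict) -> list:
    """For every scanned key, report its fingerprint, whether it is on the
    published allowlist, and the label the allowlist gives it (for example
    which backend or service address the key belongs to)."""
    results = []
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, key_type, b64_key = parsed
        fp = fingerprint_sha256(b64_key)
        results.append({"host": host, "type": key_type, "fingerprint": fp,
                        "known": fp in published, "label": published.get(fp)})
    return results


# Constructed sample keys (NOT real Wikimedia host keys): 32 arbitrary bytes each.
SERVICE_KEY = build_ed25519_host_key(bytes(range(32)))
BACKEND_KEY = build_ed25519_host_key(bytes(range(32, 64)))
UNKNOWN_KEY = build_ed25519_host_key(b"\xff" * 32)

# Stand-in for the published fingerprint list; labels are placeholders.
PUBLISHED = {
    fingerprint_sha256(SERVICE_KEY): "service address gitlab.wikimedia.org",
    fingerprint_sha256(BACKEND_KEY): "backend gitlab1004",
}

# Constructed ssh-keyscan output: the service name currently presents the
# backend's key (the situation the page describes), and a second host presents
# a key that is on no published list at all.
SAMPLE_SCAN = f"""# gitlab.wikimedia.org:22 SSH-2.0-OpenSSH (constructed banner line)
gitlab.wikimedia.org ssh-ed25519 {BACKEND_KEY}
gitlab-replica.wikimedia.org ssh-ed25519 {UNKNOWN_KEY}
"""

if __name__ == "__main__":
    for r in check_host_keys(SAMPLE_SCAN, PUBLISHED):
        verdict = f"OK ({r['label']})" if r["known"] else "UNKNOWN, do not trust"
        print(f"{r['host']:32} {r['type']:12} {r['fingerprint']}  {verdict}")
```

Running it prints one line per scanned key: the gitlab.wikimedia.org entry is accepted and labelled as the gitlab1004 backend key, which is the expected (if not ideal) outcome described above, while the entry whose fingerprint appears on no published list is flagged. To use it against the live service, feed it the output of `ssh-keyscan gitlab.wikimedia.org` and a `PUBLISHED` dict filled from the fingerprint page.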

How to create or migrate a repo / group / project

See mw:GitLab/Hosting a project on GitLab for full user documentation.

Tickets

  • phab:T274459 (VM creation request)
  • phab:T296944 (Self-reported GitLab SSH host key fingerprints don’t appear to match actual host key fingerprints)
  • phab:T295481 (Setup GitLab Runner in trusted environment)