ruby-licensee should be installed from unstable and not experimental
add commands to apply patch to gitaly Gemfile
|Deletions are marked like this.||Additions are marked like this.|
|Line 215:||Line 215:|
|Modify /usr/share/gitaly/ruby/Gemfile by applying this patch||Modify /usr/share/gitaly/ruby/Gemfile by applying this patch (save this as /tmp/gitaly-Gemfile.patch)|
|Line 248:||Line 248:|
# cd /usr/share/gitaly/ruby
# patch < /tmp/gitaly-Gemfile.patch
See /omnibus if you are looking for instructions to install upstream provided packages.
New upstream releases (including security updates) are announced at https://about.gitlab.com/releases/categories/releases/.
New in gitlab 13.6.7-1: New user created after a fresh installation should be approved using gitlab-rails-console. See gitlab#your_account_is_awaiting_approval_from_your_GitLab_administrator for steps to approving users and creating a user with Administrative privileges.
New in gitlab 13.3.8-1: You will need to install grpc gem from rubygems.org gem install -v 1.30.2 grpc (more details below). If you run gitaly on a different machine, you will need to do this on that machine as well.
New in gitlab 13.2.6-3: We have switched to puma as application server replacing unicorn. Upstream already made the switch from 12.9 and unicorn support will be dropped in gitlab 14.0. They saw a memory reduction of 37% in gitlab.com after the switch. See more details about this switch at this upstream blog post https://about.gitlab.com/blog/2020/07/08/migrating-to-puma-on-gitlab/. puma defaults to listening only on unix sockets and if you are running gitaly on a different machine, then you will have to edit /etc/gitlab/puma.rb to bind to tcp:// url as well.
Buster Fast Track (Recommended)
Gitlab 13.6.7 is available in unofficial fasttrack repo targeting buster as base distribution. (no open security issues).
A video demo of the whole installation process with commentary on packaging challenges and troubleshooting steps is available on Debian Social Peertube instance.
Make sure contrib section is enabled for buster and buster/updates
Modify /etc/apt/sources.list to add official buster-backports and contrib section if missing:
deb http://deb.debian.org/debian buster main contrib deb http://security.debian.org/ buster/updates main contrib deb http://deb.debian.org/debian buster-backports main contrib
From gitlab 13.2.3
Now gitaly is also built with ruby2.7 so it is now moved to buster-fasttrack from buster-backports. See the new repository link below.
Import fasttrack archive keyring:
# apt -t buster-backports install fasttrack-archive-keyring
And add the following lines for fasttrack repo:
deb https://fasttrack.debian.net/debian/ buster-fasttrack main contrib # For dependency packages not in testing only temporarily due to freeze, transitions or delayed by backports-new or NEW. deb https://fasttrack.debian.net/debian/ buster-backports main contrib
Eventually the packages in this repo will be moved to fasttrack or official backports after fixing https://salsa.debian.org/fasttrack-team/support/-/issues/8 (Need help)
deb https://people.debian.org/~praveen/gitaly buster-backports main deb https://people.debian.org/~praveen/gitaly buster-fasttrack main
Optional: To avoid some hours of delay between upload and availability in archive
deb http://incoming.debian.org/debian-buildd buildd-buster-backports main contrib
Refresh list of available packages:
# apt update
You may encounter the following error message:
If so, these commands can help (trust these repositories):
# wget https://people.debian.org/~praveen/gitaly/praveen.key.new.asc # apt-key add praveen.key.new.asc
If you are upgrading ruby version to 2.7 (if your current ruby version is 2.5), you will need to use dist-upgrade first. Make sure /var/lib/gems/2.5.0/ is empty if you see any issues after the ruby version upgrade.
See https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/166 for current status of ruby 2.7 in fasttrack.
Currently gitlab installation is broken due to libsass in buster-backports . See 953415 for more details.
A work around is to downgrade libsass and libsass-dev to versions in buster and hold it at the older version.
# apt install libsass1/buster libsass-dev/buster && apt-mark hold libsass1 libsass-dev
gitlab crash work around (install grpc from rubygems.org)
To avoid installation crashing with an error message like,
/usr/share/rubygems-integration/all/gems/gitaly-13.4.6/ruby/proto/gitaly/lint_pb.rb:17: [BUG] Segmentation fault at 0x0000000000000000 ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux-gnu]
We have to use versions of grpc from rubygems.org (don't forget to remove this version when ruby-grpc is fixed in debian)
# apt -t buster-fasttrack install ruby2.7
# gem install -v 1.30.2 grpc
and follow gitlab#manually_installing_ruby_dependencies if you are seeing this crash again
See 966653 for details.
Use apt pinning for resolving dependencies
Since buster-backports and buster-fasttrack have lower apt priorities compared to buster, we have to manually give higher priority to packages we want installed from these suites.
# apt install gitlab-apt-pin-preferences # apt install gitlab
Note: https://gitlab.debian.net is running on this version.
Buster Fast Track Staging
gitlab 13.6.7 is available in fasttrack-staging (no open security issues).
If you'd like to test gitlab packages before they are uploaded to buster-fasttrack, you can add the following lines to /etc/apt/sources.list.
deb https://people.debian.org/~praveen/fasttrack-staging buster-backports main contrib deb https://people.debian.org/~praveen/fasttrack-staging buster-fasttrack main contrib
and install gitlab
apt -t buster-backports install gitlab/buster-fasttrack gitaly/buster-fasttrack
Unstable (be careful when updating packages)
Gitlab 13.4.7 is available in unstable (many security release behind, see experimental).
Now install gitlab
# apt install gitlab
Currently gitlab installation is broken due to a change in libsass. See 953415 for more details.
A work around is to downgrade libsass and libsass-dev to 3.6.1. Use http://snapshot.debian.org/package/libsass/3.6.1-1/ and hold it at the older version.
# apt-mark hold libsass1 libsass-dev
See gitlab#gitlab_crash_work_around_.28install_grpc_from_rubygems.org.29 for installing grpc gem from rubygems.org (just use apt install ruby2.7 for installing ruby)
Experimental - During freeze and transitions
gitlab 13.6.7 is available in experimental (no open security issues). But this version is not yet compatible with rugged/libgit2 1.x so not recommended (See 979563)
As a workaround, use snapshot.debian.org to install ruby-rugged 0.28 and its dependencies/reverse dependencies,
First install gitlab,
# apt install gitlab/experimental ruby-rack/experimental ruby-gitlab-labkit/experimental \ ruby-jaeger-client/experimental ruby-prometheus-client-mmap/experimental ruby-gitaly/experimental gitaly/experimental
Now downgrade ruby-rugged and its dependencies/reverse dependencies,
# wget http://snapshot.debian.org/archive/debian/20201103T210717Z/pool/main/r/ruby-rugged/ruby-rugged_0.28.4.1%2Bds-1%2Bb3_amd64.deb # dpkg -i ruby-rugged_0.28.4.1+ds-1+b3_amd64.deb
# wget http://snapshot.debian.org/archive/debian/20200113T205619Z/pool/main/r/ruby-gollum-rugged-adapter/ruby-gollum-rugged-adapter_0.4.4.2-2_all.deb # dpkg -i ruby-gollum-rugged-adapter_0.4.4.2-2_all.deb
# wget http://snapshot.debian.org/archive/debian/20201201T205219Z/pool/main/r/ruby-gollum-lib/ruby-gollum-lib_18.104.22.168-3_all.deb # dpkg -i ruby-gollum-lib_22.214.171.124-3_all.deb
# apt install ruby-licensee/unstable
# apt-mark hold ruby-licensee ruby-gollum-lib ruby-gollum-rugged-adapter ruby-rugged
Modify /usr/share/gitaly/ruby/Gemfile by applying this patch (save this as /tmp/gitaly-Gemfile.patch)
diff --git a/Gemfile.orig b/Gemfile index ab7fcfe..b90a487 100644 --- a/Gemfile.orig +++ b/Gemfile @@ -1,12 +1,12 @@ source 'https://rubygems.org' -gem 'rugged', '~> 1.0' +gem 'rugged', '~> 0.28' gem 'github-linguist', '~> 7.12', require: 'linguist' gem 'github-markup', '~> 1.7' gem 'activesupport', '~> 6.0.3', '>= 126.96.36.199' gem 'rdoc', '~> 6.0' -gem 'gitlab-gollum-lib', '~> 188.8.131.52.gitlab.1', require: false -gem 'gitlab-gollum-rugged_adapter', '~> 0.4.4.3.gitlab.1', require: false +gem 'gitlab-gollum-lib', '~> 184.108.40.206', require: false +gem 'gitlab-gollum-rugged_adapter', '~> 0.4.4.2', require: false gem 'grpc', '~> 1.30', '>= 1.30.2' gem 'sentry-raven', '~> 3.0', require: false gem 'faraday', '~> 1.0' @@ -17,7 +17,7 @@ gem 'gitlab-labkit', '~> 0.13.2' # Detects the open source license the repository includes # This version needs to be in sync with GitLab CE/EE -gem 'licensee', '~> 9.14' +gem 'licensee', '~> 8.9' gem 'google-protobuf', '~> 3.12'
# cd /usr/share/gitaly/ruby # patch < /tmp/gitaly-Gemfile.patch
# cd /usr/share/gitaly/ruby # truncate -s0 Gemfile.lock # sudo -u gitlab bundle install --local
Now restart gitlab and gitaly services
# systemctl restart gitlab gitaly
If you are using experimental for the first time, check DebianExperimental.
You will have to follow the notes mentioned in unstable section above.
Gitlab on Stretch
This is moved to gitlab/stretch now.
Gitlab with apache2
Basically you will have to : Disable nginx Set www-data as web server user. Allow Modules dependencies # mod_rewrite # mod_ssl # mod_proxy # mod_proxy_http # mod_headers
a2enmod rewrite proxy_http headers
and as says in recipe
Allow gitlab-workhorse to listen on port 8181, edit or create /etc/default/gitlab and change or add the following:
gitlab_workhorse_options="-listenUmask 0 -listenNetwork tcp -listenAddr 127.0.0.1:8181 -authBackend http://127.0.0.1:8080"
Gitlab Common Errors
If you have this kind of error
Cloning into'public-test-project-ssh'... Received disconnect from YOUR_SERVER_IP port 22:2: Too many authentication failures Disconnected from YOUR_SERVER_IP port 22 fatal: Can't read distant repository.
on an ssh clone
git clone firstname.lastname@example.org:public-test-group/public-test-project.git public-test-project-ssh
Note : In your command line host should match your ssh hostname for gitlab as group and project name.
To be sure you should find a line like the following in /var/log/auth.log
User gitlab from YOUR_CLIENT_IP not allowed because not listed in AllowUsers
You may have to allow gitlab user in /etc/ssh/sshd_config
AllowUsers user1 user2 gitlab AllowGroups user1 group2 gitlab
Note : user1, user2, group2 are here for the example adapt to your setup.
Do not forget to restart the service
service ssh restart
Debug installation and configuration
# gitlab-rake gitlab:check # gitlab-rake gitlab:env:info
rake aborted errors during installation
If your update failed for some reason (usually when dependencies are not satisfied for bundle install --local), and you retry installation after fixing dependencies, you may see errors like
rake aborted! NameError: uninitialized constant Gitlab::Patch::ActiveRecordQueryCache /usr/share/gitlab/config/initializers/active_record_query_cache.rb:3:in `<top (required)>'
You will have to manually remove problem creating initializers from /etc/gitlab/initializers. A list of such initializers can be found from gitlab source package or from https://salsa.debian.org/ruby-team/gitlab in debian/maintscript` file.
All lines starting with rm_conffile and corresponding versions are what you need to check.
Additionally, if there is any extra files present in your system at /etc/gitlab/initializers that is not installed by the current package as shown in dpkg -L gitlab | grep '/etc/gitlab/initializers', you need to remove that. We usually try to remove obsolete initializers automatically, but sometimes we miss some files.
The following command returns the list of obsolete initializer files:
for fname in /etc/gitlab/initializers/*; do dpkg -L gitlab | grep -qFx "$fname" || echo "$fname"; done
manually installing ruby dependencies
When ruby dependencies are installed manually, we need to update gitlab and gitaly's Gemfile.lock to use the recently installed version. See 944698 for details.
cd /usr/share/gitlab truncate -s0 Gemfile.lock sudo -u gitlab bundle install --local # use the gitlab username instead of gitlab if you changed it cd /usr/share/gitaly/ruby truncate -s0 Gemfile.lock sudo -u gitlab bundle install --local # use the gitlab username instead of gitlab if you changed it
remote: GitLab: 401 Unauthorized
If you got this error after a purge and reinstall when trying git push, then it is because the old .gitlab_shell_secret was not cleaned up during purge. So you need to purge again and remove this file manually before you reinstall
# rm /usr/share/gitlab-shell/.gitlab_shell_secret
TODO: Clean this in purge
your account is awaiting approval from your GitLab administrator
If you saw this message after creating an account for the first time,
You have signed up successfully. However, we could not sign you in because your account is awaiting approval from your GitLab administrator.
You can approve the user and grant Administration access by using gitlab-rails-console command. The steps are documented in /usr/share/doc/gitlab/README.Debian.gz.
You can reach the maintainers of the gitlab package via https://wiki.debian.org/gitlab/BackportChecklist
Matrix at #debian-gitlab:poddery.com (join via browser)
IRC #debian-gitlab on OFTC network (join via browser)
Installing gitlab on an lxc container to test - See gitlab/lxc
Backport/Fasttrack checklist - See gitlab/BackportChecklist
Dependencies Transitions checklist - See gitlab/DependenciesTransitions
Managing Components - See gitlab/ManagingComponents
Mixing apt and yarn installed node modules - See gitlab/yarn
Manually running webpack to troubleshoot bundling issues - See gitlab/webpack
Get autopkgtest working so we can detect problems when someone updates dependencies without coordinating with us. Current Status
We should try to pick tasks according to the following priority list,
Update to latest security release (in unstable/experimental and fasttrack). Remember to add the CVEs fixed in the release (listed in the release blog post) to debian/changelog. Subscribe to Security Alerts: Notification alerts to critical security updates. at https://about.gitlab.com/company/preference-center/ to get notified by email about new security releases. Usually we have security releases once or twice per month.
Update to next feature release (in unstable/experimental and fasttrack) before support for current stable release ends (usually 3 months). See Teams/Ruby/Packaging/newUpstreamRailsApp.
- We should try to keep the same upstream version in both unstable/experimental and fasttrack to avoid maintaining two versions. This means not starting a feature update close to a scheduled security release (usually at the end or starting of every month). Because a feature update may take more days to complete and involve complexities compared to a security update.
- Getting packages from experimental to unstable can take time as it involves transitions and coordinating with many others, so we should prioritize moving directly from experimental to fasttrack before we attempt moving from experimental to unstable.
Package remaining node modules and switch to packaged versions. Update 0740-use-packaged-modules.patch by removing the newly packaged module from package.json and adding it to Depends in debian/control. It is better to backport the packaged modules first to avoid updates getting blocked (sometimes you may need to backport a large number of build dependencies). See https://git.fosscommunity.in/debian-ruby/TaskTracker/-/issues/175