From d58721005edc2eba6ac9d60773516101a1e1fd8c Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Tue, 31 Dec 2019 13:27:15 -0800 Subject: [PATCH] The 12.6 release of GitLab --- 12.6/Dockerfile | 58 +++++++++++++++++++++++ 12.6/LICENSE | 21 +++++++++ 12.6/README.md | 42 +++++++++++++++++ 12.6/build-scripts/build.sh | 41 ++++++++++++++++ 12.6/build-scripts/cleanup.sh | 5 ++ 12.6/build-scripts/prepare.sh | 23 +++++++++ 12.6/scripts/custom-instance-setup | 20 ++++++++ 12.6/scripts/db-migrate | 19 ++++++++ 12.6/scripts/geo-db-migrate | 25 ++++++++++ 12.6/scripts/prebuild.sh | 57 ++++++++++++++++++++++ 12.6/scripts/wait-for-deps | 76 ++++++++++++++++++++++++++++++ 11 files changed, 387 insertions(+) create mode 100644 12.6/Dockerfile create mode 100644 12.6/LICENSE create mode 100644 12.6/README.md create mode 100755 12.6/build-scripts/build.sh create mode 100755 12.6/build-scripts/cleanup.sh create mode 100755 12.6/build-scripts/prepare.sh create mode 100755 12.6/scripts/custom-instance-setup create mode 100755 12.6/scripts/db-migrate create mode 100755 12.6/scripts/geo-db-migrate create mode 100755 12.6/scripts/prebuild.sh create mode 100755 12.6/scripts/wait-for-deps diff --git a/12.6/Dockerfile b/12.6/Dockerfile new file mode 100644 index 0000000..c7ecb6d --- /dev/null +++ b/12.6/Dockerfile 
@@ -0,0 +1,58 @@
+ARG BASE_REGISTRY=registry.access.redhat.com
+ARG BASE_IMAGE=ubi8/ubi
+ARG BASE_TAG=8.0
+
+ARG GITLAB_VERSION=v12.6.1-ubi8
+
+ARG UBI_IMAGE=${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+ARG RUBY_IMAGE=registry.access.redhat.com/gitlab/gitlab/gitlab-ruby:12.6
+
+FROM ${UBI_IMAGE} AS builder
+
+ARG NEXUS_SERVER
+ARG VENDOR=gitlab
+ARG GITLAB_VERSION
+ARG PACKAGE_NAME=ubi8-build-dependencies-${GITLAB_VERSION}.tar
+ARG PACKAGE_URL=https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/gitlab-rails/${PACKAGE_NAME}
+
+ADD build-scripts/ /build-scripts/
+
+RUN /build-scripts/prepare.sh "${PACKAGE_URL}"
+
+FROM ${RUBY_IMAGE}
+
+ARG GITLAB_USER=git
+ARG GITLAB_DATA=/var/opt/gitlab
+
+RUN dnf clean all \
+ && rm -r /var/cache/dnf \
+ && dnf --disableplugin=subscription-manager --nogpgcheck install -yb --nodocs libicu tzdata uuid \
+ && adduser -m ${GITLAB_USER} \
+ && mkdir -p ${GITLAB_DATA}/{.upgrade-status,data,repo,config} \
+ && chown -R ${GITLAB_USER}:${GITLAB_USER} ${GITLAB_DATA} \
+ && chmod -R ug+rwX,o-rwx ${GITLAB_DATA}/repo \
+ && chmod -R ug-s ${GITLAB_DATA}/repo
+
+COPY --from=builder /prepare/dependencies /
+
+COPY scripts/ /scripts
+
+RUN chown -R ${GITLAB_USER}:${GITLAB_USER} /scripts /srv/gitlab \
+ && mv /srv/gitlab/log /var/log/gitlab \
+ && ln -s /var/log/gitlab /srv/gitlab/log \
+ && cd /srv/gitlab \
+ && mkdir -p public/uploads \
+ && chmod o-rwx config/database.yml \
+ && chmod 0600 config/secrets.yml \
+ && chmod -R u+rwX builds/ shared/artifacts/ \
+ && chmod -R ug+rwX shared/pages/ \
+ && chmod 0700 public/uploads \
+ && sed -e '/host: localhost/d' -e '/port: 80/d' -i config/gitlab.yml \
+ && sed -e "s/# user:.*/user: ${GITLAB_USER}/" -e "s:/home/git/repositories:${GITLAB_DATA}/repo:" -i config/gitlab.yml
+
+ENV RAILS_ENV=production
+ENV EXECJS_RUNTIME=Disabled
+ENV CONFIG_TEMPLATE_DIRECTORY=/srv/gitlab/config
+ENV UPGRADE_STATUS_DIR=${GITLAB_DATA}/.upgrade-status
+
+VOLUME ${GITLAB_DATA} /var/log
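Review bot: `dnf --disableplugin=subscription-manager --nogpgcheck install -yb --nodocs libicu tzdata uuid` in the second-stage RUN turns off RPM signature verification for the three packages that land in the final image, which removes the one supply-chain check the package manager provides. If the gitlab-ruby base still carries the Red Hat signing keys (the ubi8 images ship them under /etc/pki/rpm-gpg) the flag can simply be dropped; if it does not, import the key in the same RUN instead of disabling the check. Two smaller points in the same file: `ADD build-scripts/ /build-scripts/` should be `COPY`, since neither archive extraction nor a URL fetch is wanted here, and the image creates `${GITLAB_USER}` but never issues `USER ${GITLAB_USER}`, so unless a downstream image sets it (the README describes this as a base image) anything run from it starts as root.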
diff --git a/12.6/LICENSE b/12.6/LICENSE
new file mode 100644
index 0000000..5285f42
--- /dev/null
+++ b/12.6/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/12.6/README.md b/12.6/README.md
new file mode 100644
index 0000000..9b0101d
--- /dev/null
+++ b/12.6/README.md
@@ -0,0 +1,42 @@
+# gitlab-rails-container
+
+Base Rails image, used to build other Rails based GitLab containers, and for running one-off rake task in jobs.
+
+## GitLab 12.6.0 release
+
+The hardened containers for GitLab 12.6 require the gitlab 12.6 blob to be available for download.
+
+There are some included scripts to make this easier for user building images offline on their machine.
+
+
+## Building
+
+1. Switch to the 12.6 directory
+2. Run `./build-scripts/build.sh`
+ * Runs docker build, and takes care of setting the appropriate build args for users running locally
+ * Uses the `NEXUS_SERVER` variable from your environment, or full `PACKAGE_URL`.
+
+
+`build-script/build.sh` is provided as an example and helpful for building locally. You can also instead call docker build and pass build-args directly.
+
+## Build Phases
+
+Some of the GitLab containers are build ontop of previous containers, building the containers in ordered phases is necessary to build all containers.
+
+- Phase One
+ * kubectl
+ * gitlab-ruby
+ * gitlab-container-registry
+- Phase Two
+ * git-base
+ * gitlab-exporter
+ * gitlab-mailroom
+ * gitlab-shell
+ * gitlab-rails
+ * gitlab-workhorse
+- Phase 3
+ * gitaly
+- Phase 4
+ * gitlab-sidekiq
+ * gitlab-task-runner
+ * gitlab-unicorn
diff --git a/12.6/build-scripts/build.sh b/12.6/build-scripts/build.sh
new file mode 100755
index 0000000..7d8576d
--- /dev/null
+++ b/12.6/build-scripts/build.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# NOTICE: This script requires `docker`.
+
+set -euxo pipefail
+
+TAG=${1:-12.6}
+REPOSITORY=${2:-}
+NEXUS_SERVER=${NEXUS_SERVER:-}
+PACKAGE_URL=${PACKAGE_URL:-}
+DOCKER_OPTS=${DOCKER_OPTS:-""}
+
+imageName() {
+ printf "${REPOSITORY}${1}:${TAG}"
+}
+
+buildImage() {
+ IMAGE="${1}"
+ CONTEXT="${IMAGE%*-ee}"
+ {
+ docker build \
+ -t "$(imageName ${IMAGE})" . \
+ ${DOCKER_OPTS:-} | tee ${CONTEXT}.out
+ } || {
+ echo "${CONTEXT}" >> failed.log
+ }
+}
+
+# Cleanup log outputs from previous build
+rm -f *.out failed.log
+
+if [ $NEXUS_SERVER ]; then
+ DOCKER_OPTS="$DOCKER_OPTS --build-arg NEXUS_SERVER=${NEXUS_SERVER}"
+fi
+
+if [ $PACKAGE_URL ]; then
+ DOCKER_OPTS="$DOCKER_OPTS --build-arg PACKAGE_URL=${PACKAGE_URL}"
+fi
+
+DOCKER_OPTS="$DOCKER_OPTS --build-arg RUBY_IMAGE=$(imageName gitlab-ruby)"
+buildImage gitlab-rails
diff --git a/12.6/build-scripts/cleanup.sh b/12.6/build-scripts/cleanup.sh
new file mode 100755
index 0000000..ad291f9
--- /dev/null
+++ b/12.6/build-scripts/cleanup.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+rm -f *.tar.gz *.out failed.log
diff --git a/12.6/build-scripts/prepare.sh b/12.6/build-scripts/prepare.sh
new file mode 100755
index 0000000..c272d24
--- /dev/null
+++ b/12.6/build-scripts/prepare.sh
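Review bot: `printf "${REPOSITORY}${1}:${TAG}"` in imageName uses caller-supplied data as the printf format string, so a `%` in REPOSITORY or TAG is interpreted instead of printed; write it as `printf '%s' "${REPOSITORY}${1}:${TAG}"`. The guards `if [ $NEXUS_SERVER ]; then` and `if [ $PACKAGE_URL ]; then` rely on an unquoted expansion, which only behaves for a single-word value and yields an operator error (and a false result) if the value contains whitespace; `if [ -n "${NEXUS_SERVER}" ]; then` and `if [ -n "${PACKAGE_URL}" ]; then` are the idiomatic form. Note also that the `x` in `set -euxo pipefail` echoes every expanded command, so whatever goes through DOCKER_OPTS, including a full PACKAGE_URL, ends up in the build log.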
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+PACKAGE_URL=$1
+WORKSPACE="${WORKSPACE:-/prepare}"
+PACKAGE_NAME="${PACKAGE_NAME:-ubi8-build-dependencies.tar}"
+
+# Download UBI dependencies package and it sha256
+curl -fLk --create-dirs "${PACKAGE_URL}.sha256" -o "${WORKSPACE}/${PACKAGE_NAME}.sha256"
+curl -fLk --create-dirs "${PACKAGE_URL}" -o "${WORKSPACE}/${PACKAGE_NAME}"
+
+# Verify the package integrity
+echo "$(cat ${PACKAGE_NAME}.sha256) ${PACKAGE_NAME}" | sha256sum --check --status \
+&& if [ $? == '0' ]; then printf "\nSHA256 check for ${PACKAGE_NAME} succeeded\n\n"; \
+else printf "SHA256 check for ${PACKAGE_NAME} failed\n\n"; fi
+
+# Extract UBI dependencies
+tar -xvf "${WORKSPACE}/${PACKAGE_NAME}" -C "${WORKSPACE}"
+
+# Extract the specific depenencies needed for this contianer
+mkdir ${WORKSPACE}/dependencies
+tar -xvf "${WORKSPACE}/gitlab-rails-ee.tar.gz" -C "${WORKSPACE}/dependencies"
diff --git a/12.6/scripts/custom-instance-setup b/12.6/scripts/custom-instance-setup
new file mode 100755
index 0000000..b760ee3
--- /dev/null
+++ b/12.6/scripts/custom-instance-setup
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+# This `echo` should be updated whenever there are alterations to the script below
+echo "Disable authorized keys write in the database and enable the 'ci_enable_live_trace' feature flag"
+
+# Workaround for disabling the authorized_keys write to the database.
+# A proper fix is being tracked in: https://gitlab.com/gitlab-org/gitlab-ee/issues/4156
+#
+# Also, enable feature flags for object storage:
+# - ci_enable_live_trace: archive traces in object storage as artifacts, live data in Redis
+read -r -d '\0' CUSTOM_INSTANCE_SETUP <<- EOM
+(::ApplicationSetting.current_without_cache || ::ApplicationSetting.create_from_defaults).update_attribute(:authorized_keys_enabled, false)
+
+Feature.enable('ci_enable_live_trace')
+\0
+EOM
+
+/srv/gitlab/bin/rails runner -e production "$CUSTOM_INSTANCE_SETUP"
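Review bot: The integrity check on the `echo "$(cat ${PACKAGE_NAME}.sha256) ${PACKAGE_NAME}" | sha256sum --check --status` line cannot fail the build: a non-zero status from the first command of a `&&` list is exempt from `set -e`, the `if` only runs when the check has already passed, so `$?` inside it is always 0, and the two `tar -xvf` lines below run even when the hash does not match. The check also reads `${PACKAGE_NAME}.sha256` and `${PACKAGE_NAME}` from the current directory although both were downloaded into `${WORKSPACE}`, so it fails for the wrong reason. Something like `cd "${WORKSPACE}"` followed by `printf '%s  %s\n' "$(cat "${PACKAGE_NAME}.sha256")" "${PACKAGE_NAME}" | sha256sum --check --status || { printf 'SHA256 check for %s failed\n' "${PACKAGE_NAME}" >&2; exit 1; }` makes a mismatch fatal. Separately, `curl -fLk` disables TLS certificate verification for both downloads, and since the .sha256 comes from the same unverified source the hash only guards against a truncated transfer, not a substituted package; drop `-k` (or pin the CA with `--cacert`) and consider verifying the signature that prebuild.sh already publishes next to the tarball.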
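Review bot: `read -r -d '\0' CUSTOM_INSTANCE_SETUP <<- EOM` does not use NUL as the delimiter: bash takes the first character of the -d argument, and `'\0'` is the two characters backslash and zero, so the delimiter is the backslash on the `\0` line of the heredoc. It works only because that literal line is there; a backslash anywhere in the Ruby snippet would silently truncate it, and a missing delimiter makes `read` return 1, which under `set -e` aborts the script before `rails runner`. The plain form `CUSTOM_INSTANCE_SETUP=$(cat <<-'EOM'` ... `EOM)` with the `\0` line removed expresses the intent directly. If the current form is kept, a comment on the `read` line should say `# read -d takes the first char of its argument, so the "\0" line below is what terminates the input`.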
diff --git a/12.6/scripts/db-migrate b/12.6/scripts/db-migrate
new file mode 100755
index 0000000..ad6679e
--- /dev/null
+++ b/12.6/scripts/db-migrate
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+ROOT_PASSWORD_FILE="${ROOT_PASSWORD_FILE:-/srv/gitlab/config/initial_root_password}"
+
+if [ -f "${ROOT_PASSWORD_FILE}" ]; then
+ export GITLAB_ROOT_PASSWORD=$(cat "${ROOT_PASSWORD_FILE}")
+fi
+
+echo "Checking database migrations are up-to-date"
+
+# Seed or migrate the database via gitlab:db:configure
+echo "Performing migrations (this will initialized if needed)"
+cd /srv/gitlab
+/srv/gitlab/bin/rake gitlab:db:configure
+
+echo "Performing custom instance setup"
+/scripts/custom-instance-setup
diff --git a/12.6/scripts/geo-db-migrate b/12.6/scripts/geo-db-migrate
new file mode 100755
index 0000000..7583f50
--- /dev/null
+++ b/12.6/scripts/geo-db-migrate
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+echo "Checking Geo database migrations are up-to-date"
+
+cd /srv/gitlab
+
+# Ask for the current DB schema version, via Rake
+DB_SCHEMA_VERSION=$(/srv/gitlab/bin/bundle exec rake geo:db:version)
+DB_SCHEMA_VERSION=$(echo ${DB_SCHEMA_VERSION} | grep 'Current version: ' | sed -e 's/_//g' -e 's/.* \([[:digit:]]\+\)/\1/')
+
+# If DB_SCHEMA_VERSION is 0, then the database needs initialized
+RAKE_TASK="geo:db:migrate"
+if [ "${DB_SCHEMA_VERSION}" == "0" ]; then
+ echo "Geo Database appears to need initializing."
+ RAKE_TASK="geo:db:setup"
+fi
+
+echo "Performing '${RAKE_TASK}'"
+/srv/gitlab/bin/rake ${RAKE_TASK} && STATUS=$? || STATUS=$?
+
+# Attempt to update the FDW
+echo "Performing refresh of foreign tables 'geo:db:refresh_foreign_tables'"
+/srv/gitlab/bin/rake geo:db:refresh_foreign_tables
diff --git a/12.6/scripts/prebuild.sh b/12.6/scripts/prebuild.sh
new file mode 100755
index 0000000..c98fb72
--- /dev/null
+++ b/12.6/scripts/prebuild.sh
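Review bot: `export GITLAB_ROOT_PASSWORD=$(cat "${ROOT_PASSWORD_FILE}")` masks a read failure: the status of that line is the status of `export`, not of `cat`, so under `set -e` an unreadable password file leaves GITLAB_ROOT_PASSWORD empty and `gitlab:db:configure` seeds with that. Split it into `GITLAB_ROOT_PASSWORD=$(cat "${ROOT_PASSWORD_FILE}")` followed by `export GITLAB_ROOT_PASSWORD`, so a failed `cat` stops the script. The `echo "Checking database migrations are up-to-date"` line announces a check that the script never performs before running the rake task; either drop it or let the message describe what actually happens (the following echo already does, though its `initialized` should read `initialize`).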
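Review bot: `/srv/gitlab/bin/rake ${RAKE_TASK} && STATUS=$? || STATUS=$?` captures the migration's exit status into STATUS, but STATUS is never read afterwards: the script goes on to `geo:db:refresh_foreign_tables` and exits with that task's status, so a failed `geo:db:setup` or `geo:db:migrate` still reports success to whatever runs this job. Either add `exit "${STATUS}"` as the last line, after the refresh attempt that is presumably meant to run regardless, or drop the STATUS capture and let `set -e` stop at the failing rake. The version parsing on the `DB_SCHEMA_VERSION=$(echo ${DB_SCHEMA_VERSION} | grep ...)` line yields an empty string rather than `"0"` if rake's output ever lacks a `Current version:` line, in which case the setup branch is skipped; the same parsing appears in wait-for-deps, so a shared guard such as `[ -n "${DB_SCHEMA_VERSION}" ] || exit 1` would be worth adding in both.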
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+### Environment Variables ###
+GITLAB_VERSION=v12.6.1-ubi8
+VENDOR=gitlab
+
+
+# These three variables are required to push whatever outside binaries your container needs at build time to our Nexus repo
+NEXUS_SERVER=${NEXUS_SERVER}
+NEXUS_USERNAME=${NEXUS_USERNAME}
+NEXUS_PASSWORD=${NEXUS_PASSWORD}
+
+
+## Download variables
+DOWNLOAD_DIR=tmp/${VENDOR}
+UPLOAD_URL=https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/kubectl
+
+### Download files/dependencies ###
+# temporarily place your binaries locally in the download directory
+curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar -o ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar
+
+
+### GPG Signature Check ###
+# GPG signature verification is a requirement in the case that the downloaded files have a GPG signature
+# For more information on GPG keys visit https://access.redhat.com/solutions/1541303 or https://gnupg.org/gph/en/manual.html
+curl --create-dirs https://gitlab-ubi.s3.us-east-2.amazonaws.com/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc -o ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc
+
+for server in $(shuf -e ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ keyserver.ubuntu.com \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu) ;
+do
+ gpg --batch --keyserver "$server" --recv-keys 8040EEFCCED8C668EF27F7C61DC5606C0C7E9A9B && break || : ; \
+done
+
+gpg --verify ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc ${DOWNLOAD_DIR}/ubi8-build-dependencies-${GITLAB_VERSION}.tar
+
+
+### SHA256 Verification ###
+# Verifying the files with the SHA256 is a requirement for all files
+# Make sure to not download the SHA256 from the internet, but create it, check it and upload it to the Nexus repo
+cd ${DOWNLOAD_DIR}
+sha256sum ubi8-build-dependencies-${GITLAB_VERSION}.tar | awk '{print $1}' > 
ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 \
+&& echo "$(cat ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256) ubi8-build-dependencies-${GITLAB_VERSION}.tar" | sha256sum --check --status \
+&& if [ $? == '0' ]; then printf "\nSHA256 check for ubi8-build-dependencies-${GITLAB_VERSION}.tar succeeded\n\n"; \
+else printf "SHA256 check for ubi8-build-dependencies-${GITLAB_VERSION}.tar failed\n\n"; fi
+cd -
+
+### Nexus Repo Upload ###
+# Push whatever binaries you need to ${NEXUS_SERVER}/dsop/vendor/project/ as you see in the example below. Follow the same
+# format as in Gitlab. You will also need to push the GPG signature file and SHA256 file
+for package in ubi8-build-dependencies-${GITLAB_VERSION}.tar ubi8-build-dependencies-${GITLAB_VERSION}.tar.sha256 ubi8-build-dependencies-${GITLAB_VERSION}.tar.asc
+do
+ curl -kfS -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T ${DOWNLOAD_DIR}/${package} https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/gitlab-rails/${package}
+done
diff --git a/12.6/scripts/wait-for-deps b/12.6/scripts/wait-for-deps
new file mode 100755
index 0000000..ea862f4
--- /dev/null
+++ b/12.6/scripts/wait-for-deps
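Review bot: `curl -kfS -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -T ...` in the upload loop sends the Nexus credentials over a TLS connection whose certificate is not verified (`-k`) and places them on the command line, where every other process on the build host can read them from the process list; the unquoted expansion also breaks the call for a password containing whitespace. Drop `-k` (pin the CA with `--cacert` if Nexus uses a private one) and hand the credentials to curl through a config file instead of argv, e.g. `curl -fS -K <(printf 'user = "%s:%s"\n' "${NEXUS_USERNAME}" "${NEXUS_PASSWORD}") -T "${DOWNLOAD_DIR}/${package}" "https://${NEXUS_SERVER}/repository/dsop/${VENDOR}/gitlab-rails/${package}"`. The assignments `NEXUS_SERVER=${NEXUS_SERVER}`, `NEXUS_USERNAME=${NEXUS_USERNAME}` and `NEXUS_PASSWORD=${NEXUS_PASSWORD}` are no-ops; `: "${NEXUS_SERVER:?NEXUS_SERVER is required}"` and the same for the other two would fail early instead of attempting an upload to `https:///...`. The SHA256 block computes the digest and then checks the file against the digest it just computed, so it can only confirm a consistent write, not a trustworthy download; `gpg --verify` above is the real authenticity check and the comment should say so. `UPLOAD_URL` ends in `/kubectl` and is unused, which looks like a leftover from another container's script.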
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+WAIT_FOR_TIMEOUT="${WAIT_FOR_TIMEOUT:-5}"
+
+# Configure for which schema to be verifying
+SCHEMA_FILE=db/schema.rb
+SCHEMA_RAKE_TASK=db:version
+if [ "${DB_SCHEMA_TARGET,,}" == "geo" ]; then
+ SCHEMA_FILE=ee/db/geo/schema.rb
+ SCHEMA_RAKE_TASK=geo:db:version
+fi
+
+cd /srv/gitlab
+
+# fetch the schema desired version directly from the source code
+SCHEMA_VERSION=$(grep '(version: ' ${SCHEMA_FILE} | sed -e 's/_//g' -e 's/.* \([[:digit:]]\+\)) do/\1/')
+
+# Stash DB_SCHEMA_VERSION, so we can check it at exit.
+DB_SCHEMA_VERSION="0"
+
+# Compare desired schema version to active schema version in the database
+# - set BYPASS_SCHEMA_VERSION to skip version check, and only test DB online
+function checkSchemaVersion() {
+ # Ask for the current DB schema version, via Rake
+ DB_SCHEMA_VERSION=$(/srv/gitlab/bin/bundle exec rake ${SCHEMA_RAKE_TASK})
+
+ # If rake failed, we're not connected to the DB, and DB_SCHEMA_VERSION is empty.
+ if [ $? -ne 0 ]; then
+ return 1
+ fi
+
+ DB_SCHEMA_VERSION=$(echo ${DB_SCHEMA_VERSION} | grep 'Current version: ' | sed -e 's/_//g' -e 's/.* \([[:digit:]]\+\)/\1/')
+
+ # Output the current schema version
+ echo "Database Schema - current: ${DB_SCHEMA_VERSION}, codebase: ${SCHEMA_VERSION}"
+
+ # If DB_SCHEMA_VERSION is 0, then the DB has not been initialized. Output message as such.
+ if [ "${DB_SCHEMA_VERSION}" == "0" ]; then
+ echo "NOTICE: Database has not been initialized yet."
+ fi
+
+ # Some uses (migrations) only care if the DB is up
+ if [ -n "${BYPASS_SCHEMA_VERSION}" ]; then
+ return 0
+ fi
+
+ # Compare local to db, pass if local less than or equal to db
+ [ $SCHEMA_VERSION -le $DB_SCHEMA_VERSION ];
+ return $?
+}
+
+for i in $(seq 1 $WAIT_FOR_TIMEOUT); do
+ echo "Checking database connection and schema version"
+ if checkSchemaVersion ; then
+ if [ "$@" ]; then
+ exec "$@"
+ else
+ exit 0
+ fi
+ fi
+ sleep 1
+done
+
+# If DB_SCHEMA_VERSION is 0, then the DB has not been initialized. 
+# Warn that we're restarting the container whilst we wait.
+if [ "${DB_SCHEMA_VERSION}" == "0" ]; then
+ echo "WARNING: Database has not been initialized yet."
+else
+ echo "WARNING: Waiting for all services to be operational, and data migrations to complete."
+fi
+
+# Output a message as to how to resolve this container failing.
+echo "If this container continues to fail / restart, please see:"
+echo " https://docs.gitlab.com/charts/troubleshooting/index.html#application-containers-constantly-initializing"
+
+exit 1
-- GitLab
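Review bot: `if [ "$@" ]; then` inside the retry loop only works when the wrapped command is a single word: with `wait-for-deps cmd arg`, `"$@"` expands to two separate words, `[` reports an operator error (status 2), and the script takes the `else` branch and exits 0 without ever reaching `exec "$@"`, so the caller sees success but its command never ran. The test should be on the argument count, `if [ $# -gt 0 ]; then`. Two related points in checkSchemaVersion and the loop: `[ $SCHEMA_VERSION -le $DB_SCHEMA_VERSION ];` is unquoted, so an empty parse result produces a `unary operator expected` error rather than a clean failure, and `for i in $(seq 1 $WAIT_FOR_TIMEOUT); do` can be `for ((i = 1; i <= WAIT_FOR_TIMEOUT; i++)); do`, which does not depend on an external tool being present in the image.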