Kirill Smelkov authored
gitlab: Make a plan to base instance layout on gitlab-omnibus and to interconnect all internal services via unix sockets

Upcoming changes will follow two points:

- we try to base our gitlab setup on how it is done in gitlab-omnibus[1] with the idea to ease tracking upstream changes to instance setup.

- we will interconnect all internal services via unix sockets only.

The reason to do it is twofold:

1. easier security: currently files on different slapos partitions are isolated from each other, but there is no "in-between-partitions" networking isolation - thus (potentially evil) programs can access internal services on other slapos partitions. Permissions to access unix sockets, on the other hand, are managed by filesystem-level permissions, and thus unix sockets in one partition will be, by default, isolated from programs on other partitions.

2. It is well known that UNIX sockets are faster than TCP over loopback. For example for our std shuttles they have 2 times lower latency and ~ 2-3 times more throughput compared to TCP over loopback.

More details on 1 & 2 can be found e.g. here:

    nexedi/slapos!27
    https://gitlab.com/gitlab-org/gitlab-shell/merge_requests/30

/cc @kazuhiko, @jerome

[1] https://gitlab.com/gitlab-org/omnibus-gitlab
e7c5c05a
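The isolation argument of point 1 in concrete form, as an added example that is not part of the commit message or of the slapos/gitlab code it describes: a minimal AF_UNIX service whose reachability is governed only by filesystem permissions (a 0700 directory and a 0600 socket file, created under a restrictive umask so there is no window where the socket is world-connectable). The socket name `gitlab.socket` is hypothetical, and the SO_PEERCRED peer-uid check is an addition of this example (a defence-in-depth check a practitioner would want, not something the commit relies on); it returns None on platforms without that Linux option.

```python
"""Added example, not code from the commit or from slapos/gitlab: a minimal
unix-socket service that relies on filesystem permissions for isolation
(0700 directory, 0600 socket file) and additionally checks the connecting
peer's uid via SO_PEERCRED before serving it."""
import os
import socket
import stat
import struct
import tempfile
import threading


def peer_uid(conn):
    """uid of the process at the other end of a connected AF_UNIX socket.

    Uses the Linux SO_PEERCRED option, which fills struct ucred
    {pid_t pid; uid_t uid; gid_t gid;} (three native ints). Returns None on
    platforms without SO_PEERCRED (assumption: normally run on Linux).
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_once(sock_path, allowed_uid, ready, result):
    """Bind sock_path, accept exactly one client and answer OK or DENIED."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # The umask closes the window between bind() creating the socket file
    # and chmod(): no other local user can connect in between.
    old_umask = os.umask(0o077)
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    os.chmod(sock_path, 0o600)  # connect() needs write permission on this file
    result["sock_mode"] = stat.S_IMODE(os.stat(sock_path).st_mode)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        uid = peer_uid(conn)
        result["peer_uid"] = uid
        # Filesystem permissions already keep other partitions out; the uid
        # check is defence in depth (e.g. against a mis-chmodded directory).
        if uid is not None and uid != allowed_uid:
            result["accepted"] = False
            conn.sendall(b"DENIED\n")
        else:
            result["accepted"] = True
            conn.sendall(b"OK\n")
    srv.close()


def demo():
    """Run server and client in one process (same uid); return what each saw."""
    result = {"my_uid": os.getuid()}
    with tempfile.TemporaryDirectory() as d:
        # The directory is the outer wall: without search permission on it,
        # a process running as another uid cannot even resolve the socket path.
        os.chmod(d, 0o700)
        result["dir_mode"] = stat.S_IMODE(os.stat(d).st_mode)
        sock_path = os.path.join(d, "gitlab.socket")  # hypothetical name
        ready = threading.Event()
        t = threading.Thread(target=serve_once,
                             args=(sock_path, os.getuid(), ready, result))
        t.start()
        ready.wait(5)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        with cli:
            cli.connect(sock_path)
            result["reply"] = cli.recv(16)
        t.join(5)
    return result


if __name__ == "__main__":
    print(demo())
```

Running it as one user shows the client being served; the same code run as a second local user fails at `connect()` with a permission error before the uid check is ever reached, which is exactly the property a TCP listener on loopback cannot offer. Note that connecting to an AF_UNIX socket requires write permission on the socket file and search permission on every directory in its path, so both the directory mode and the socket mode matter.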