praefect.md 49.2 KB
Newer Older
1
---
2 3
stage: Create
group: Gitaly
4
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
5 6
type: reference
---
7

8
# Configure Gitaly Cluster **(FREE SELF)**
9

Evan Read's avatar
Evan Read committed
10 11
Configure Gitaly Cluster using either:

12 13 14 15 16 17 18 19
- Gitaly Cluster configuration instructions available as part of
  [reference architectures](../reference_architectures/index.md) for installations of up to:
  - [3000 users](../reference_architectures/3k_users.md#configure-gitaly-cluster).
  - [5000 users](../reference_architectures/5k_users.md#configure-gitaly-cluster).
  - [10,000 users](../reference_architectures/10k_users.md#configure-gitaly-cluster).
  - [25,000 users](../reference_architectures/25k_users.md#configure-gitaly-cluster).
  - [50,000 users](../reference_architectures/50k_users.md#configure-gitaly-cluster).
- The custom configuration instructions that follow on this page.
Evan Read's avatar
Evan Read committed
20 21

Smaller GitLab installations may need only [Gitaly itself](index.md).
22

23 24 25
To upgrade a Gitaly Cluster, follow the documentation for
[zero downtime upgrades](../../update/zero_downtime.md#gitaly-cluster).

26
## Requirements
27

28
The minimum recommended configuration for a Gitaly Cluster requires:
29

Russell Dickenson's avatar
Russell Dickenson committed
30 31
- 1 load balancer
- 1 PostgreSQL server (PostgreSQL 11 or newer)
32
- 3 Praefect nodes
33 34
- 3 Gitaly nodes (1 primary, 2 secondary)

35
See the [design document](https://gitlab.com/gitlab-org/gitaly/-/blob/master/doc/design_ha.md)
36 37
for implementation details.

Evan Read's avatar
Evan Read committed
38 39 40 41
NOTE:
If not set in GitLab, feature flags are read as false from the console and Praefect uses their
default value. The default value depends on the GitLab version.

42 43 44 45 46
### Network connectivity

Gitaly Cluster [components](index.md#components) need to communicate with each other over many
routes. Your firewall rules must allow the following for Gitaly Cluster to function properly:

47 48 49 50 51 52 53 54 55
| From                   | To                     | Default port | TLS port |
|:-----------------------|:-----------------------|:-------------|:---------|
| GitLab                 | Praefect load balancer | `2305`       | `3305`   |
| Praefect load balancer | Praefect               | `2305`       | `3305`   |
| Praefect               | Gitaly                 | `8075`       | `9999`   |
| Gitaly                 | GitLab (internal API)  | `80`         | `443`    |
| Gitaly                 | Praefect load balancer | `2305`       | `3305`   |
| Gitaly                 | Praefect               | `2305`       | `3305`   |
| Gitaly                 | Gitaly                 | `8075`       | `9999`   |
56 57 58 59 60 61

NOTE:
Gitaly does not directly connect to Praefect. However, requests from Gitaly to the Praefect
load balancer may still be blocked unless firewalls on the Praefect nodes allow traffic from
the Gitaly nodes.

62
## Setup Instructions
63

64 65
If you [installed](https://about.gitlab.com/install/) GitLab using the Omnibus GitLab package
(highly recommended), follow the steps below:
66

67 68 69 70
1. [Preparation](#preparation)
1. [Configuring the Praefect database](#postgresql)
1. [Configuring the Praefect proxy/router](#praefect)
1. [Configuring each Gitaly node](#gitaly) (once for each Gitaly node)
71
1. [Configure the load balancer](#load-balancer)
72
1. [Updating the GitLab server configuration](#gitlab)
73
1. [Configure Grafana](#grafana)
74

75
### Preparation
76

77 78
Before beginning, you should already have a working GitLab instance. [Learn how
to install GitLab](https://about.gitlab.com/install/).
79

80 81 82
Provision a PostgreSQL server. We recommend using the PostgreSQL that is shipped
with Omnibus GitLab and use it to configure the PostgreSQL database. You can use an
external PostgreSQL server (version 11 or newer) but you must set it up [manually](#manual-database-setup).
83

84
Prepare all your new nodes by [installing GitLab](https://about.gitlab.com/install/). You need:
85

86 87
- 1 PostgreSQL node
- 1 PgBouncer node (optional)
88
- At least 1 Praefect node (minimal storage required)
89
- 3 Gitaly nodes (high CPU, high memory, fast storage)
90
- 1 GitLab server
91

92
You also need the IP/host address for each node:
93

94 95 96
1. `PRAEFECT_LOADBALANCER_HOST`: the IP/host address of Praefect load balancer
1. `POSTGRESQL_HOST`: the IP/host address of the PostgreSQL server
1. `PGBOUNCER_HOST`: the IP/host address of the PostgreSQL server
97
1. `PRAEFECT_HOST`: the IP/host address of the Praefect server
98
1. `GITALY_HOST_*`: the IP or host address of each Gitaly server
99 100
1. `GITLAB_HOST`: the IP/host address of the GitLab server

101
If you are using Google Cloud Platform, SoftLayer, or any other vendor that provides a virtual private cloud (VPC) you can use the private addresses for each cloud instance (corresponds to "internal address" for Google Cloud Platform) for `PRAEFECT_HOST`, `GITALY_HOST_*`, and `GITLAB_HOST`.
102

103 104
#### Secrets

105 106
The communication between components is secured with different secrets, which
are described below. Before you begin, generate a unique secret for each, and
107
make note of it. This enables you to replace these placeholder tokens
108 109 110 111 112 113 114 115 116 117 118
with secure tokens as you complete the setup process.

1. `GITLAB_SHELL_SECRET_TOKEN`: this is used by Git hooks to make callback HTTP
   API requests to GitLab when accepting a Git push. This secret is shared with
   GitLab Shell for legacy reasons.
1. `PRAEFECT_EXTERNAL_TOKEN`: repositories hosted on your Praefect cluster can
   only be accessed by Gitaly clients that carry this token.
1. `PRAEFECT_INTERNAL_TOKEN`: this token is used for replication traffic inside
   your Praefect cluster. This is distinct from `PRAEFECT_EXTERNAL_TOKEN`
   because Gitaly clients must not be able to access internal nodes of the
   Praefect cluster directly; that could lead to data loss.
119
1. `PRAEFECT_SQL_PASSWORD`: this password is used by Praefect to connect to
120
   PostgreSQL.
121 122 123 124 125 126 127 128
1. `PRAEFECT_SQL_PASSWORD_HASH`: the hash of password of the Praefect user.
   Use `gitlab-ctl pg-password-md5 praefect` to generate the hash. The command
   asks for the password for `praefect` user. Enter `PRAEFECT_SQL_PASSWORD`
   plaintext password. By default, Praefect uses `praefect` user, but you can
   change it.
1. `PGBOUNCER_SQL_PASSWORD_HASH`: the hash of password of the PgBouncer user.
   PgBouncer uses this password to connect to PostgreSQL. For more details
   see [bundled PgBouncer](../postgresql/pgbouncer.md) documentation.
129

130
We note in the instructions below where these secrets are required.
131

132
NOTE:
133
Omnibus GitLab installations can use `gitlab-secrets.json` for `GITLAB_SHELL_SECRET_TOKEN`.
134

135
### PostgreSQL
136

137
NOTE:
138
Do not store the GitLab application database and the Praefect
139 140 141
database on the same PostgreSQL server if using [Geo](../geo/index.md).
The replication state is internal to each instance of GitLab and should
not be replicated.
142

143
These instructions help set up a single PostgreSQL database, which creates a single point of
144 145 146
failure. Alternatively, [you can use PostgreSQL replication and failover](../postgresql/replication_and_failover.md).

The following options are available:
147

148 149
- For non-Geo installations, either:
  - Use one of the documented [PostgreSQL setups](../postgresql/index.md).
150
  - Use your own third-party database setup. This requires [manual setup](#manual-database-setup).
151 152 153
- For Geo instances, either:
  - Set up a separate [PostgreSQL instance](https://www.postgresql.org/docs/11/high-availability.html).
  - Use a cloud-managed PostgreSQL service. AWS
154
     [Relational Database Service](https://aws.amazon.com/rds/) is recommended.
155

156 157
#### Manual database setup

158
To complete this section you need:
159

160 161 162
- One Praefect node
- One PostgreSQL node (version 11 or newer)
  - A PostgreSQL user with permissions to manage the database server
163

164 165
In this section, we configure the PostgreSQL database. This can be used for both external
and Omnibus-provided PostgreSQL server.
166

167 168 169
To run the following instructions, you can use the Praefect node, where `psql` is installed
by Omnibus GitLab (`/opt/gitlab/embedded/bin/psql`). If you are using the Omnibus-provided
PostgreSQL you can use `gitlab-psql` on the PostgreSQL node instead:
170

171
1. Create a new user `praefect` to be used by Praefect:
172

173 174
   ```sql
   CREATE ROLE praefect WITH LOGIN PASSWORD 'PRAEFECT_SQL_PASSWORD';
175
   ```
176

177 178 179
   Replace `PRAEFECT_SQL_PASSWORD` with the strong password you generated in the preparation step.

1. Create a new database `praefect_production` that is owned by `praefect` user.
180

181
   ```sql
182
   CREATE DATABASE praefect_production WITH OWNER praefect ENCODING UTF8;
183
   ```
184

185 186 187
For using Omnibus-provided PgBouncer you need to take the following additional steps. We strongly
recommend using the PostgreSQL that is shipped with Omnibus as the backend. The following
instructions only work on Omnibus-provided PostgreSQL:
188

189 190 191 192 193
1. For Omnibus-provided PgBouncer, you need to use the hash of `praefect` user instead the of the
   actual password:

   ```sql
   ALTER ROLE praefect WITH PASSWORD 'md5<PRAEFECT_SQL_PASSWORD_HASH>';
194
   ```
195

196
   Replace `<PRAEFECT_SQL_PASSWORD_HASH>` with the hash of the password you generated in the
197
   preparation step. It is prefixed with `md5` literal.
198 199 200 201

1. The PgBouncer that is shipped with Omnibus is configured to use [`auth_query`](https://www.pgbouncer.org/config.html#generic-settings)
   and uses `pg_shadow_lookup` function. You need to create this function in `praefect_production`
   database:
202

203
   ```sql
204 205 206 207 208 209 210 211 212 213
   CREATE OR REPLACE FUNCTION public.pg_shadow_lookup(in i_username text, out username text, out password text) RETURNS record AS $$
   BEGIN
       SELECT usename, passwd FROM pg_catalog.pg_shadow
       WHERE usename = i_username INTO username, password;
       RETURN;
   END;
   $$ LANGUAGE plpgsql SECURITY DEFINER;

   REVOKE ALL ON FUNCTION public.pg_shadow_lookup(text) FROM public, pgbouncer;
   GRANT EXECUTE ON FUNCTION public.pg_shadow_lookup(text) TO pgbouncer;
214
   ```
215

216
The database used by Praefect is now configured.
217

218
If you see Praefect database errors after configuring PostgreSQL, see
219
[troubleshooting steps](troubleshooting.md#relation-does-not-exist-errors).
220

221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252
#### Reads distribution caching

Praefect performance can be improved by additionally configuring the `database_direct`
settings:

```ruby
praefect['database_direct_host'] = POSTGRESQL_HOST
praefect['database_direct_port'] = 5432

# Use the following to override parameters of direct database connection.
# Comment out where the parameters are the same for both connections.

praefect['database_direct_user'] = 'praefect'
praefect['database_direct_password'] = PRAEFECT_SQL_PASSWORD
praefect['database_direct_dbname'] = 'praefect_production'
#praefect['database_direct_sslmode'] = '...'
#praefect['database_direct_sslcert'] = '...'
#praefect['database_direct_sslkey'] = '...'
#praefect['database_direct_sslrootcert'] = '...'
```

Once configured, this connection is automatically used for the
[SQL LISTEN](https://www.postgresql.org/docs/11/sql-listen.html) feature and
allows Praefect to receive notifications from PostgreSQL for cache invalidation.

Verify this feature is working by looking for the following log entry in the Praefect
log:

```plaintext
reads distribution caching is enabled by configuration
```

253
#### Use PgBouncer
254

255
To reduce PostgreSQL resource consumption, we recommend setting up and configuring
256
[PgBouncer](https://www.pgbouncer.org/) in front of the PostgreSQL instance. To do
257
this, you must point Praefect to PgBouncer by setting Praefect database parameters:
258

259 260
```ruby
praefect['database_host'] = PGBOUNCER_HOST
261
praefect['database_port'] = 5432
262 263 264 265 266 267 268 269
praefect['database_user'] = 'praefect'
praefect['database_password'] = PRAEFECT_SQL_PASSWORD
praefect['database_dbname'] = 'praefect_production'
#praefect['database_sslmode'] = '...'
#praefect['database_sslcert'] = '...'
#praefect['database_sslkey'] = '...'
#praefect['database_sslrootcert'] = '...'
```
270

271 272 273 274
Praefect requires an additional connection to the PostgreSQL that supports the
[LISTEN](https://www.postgresql.org/docs/11/sql-listen.html) feature. With PgBouncer
this feature is only available with `session` pool mode (`pool_mode = session`).
It is not supported in `transaction` pool mode (`pool_mode = transaction`).
275

276
For the additional connection, you must either:
277

278 279 280
- Connect Praefect directly to PostgreSQL and bypass PgBouncer.
- Configure a new PgBouncer database that uses to the same PostgreSQL database endpoint,
  but with different pool mode. That is, `pool_mode = session`.
281

282 283
Praefect can be configured to use different connection parameters for direct access
to PostgreSQL. This is the connection that supports the `LISTEN` feature.
284

285
Here is an example of Praefect that bypasses PgBouncer and directly connects to PostgreSQL:
286

287 288 289 290 291 292 293 294 295 296 297 298 299 300 301
```ruby
praefect['database_direct_host'] = POSTGRESQL_HOST
praefect['database_direct_port'] = 5432

# Use the following to override parameters of direct database connection.
# Comment out where the parameters are the same for both connections.

praefect['database_direct_user'] = 'praefect'
praefect['database_direct_password'] = PRAEFECT_SQL_PASSWORD
praefect['database_direct_dbname'] = 'praefect_production'
#praefect['database_direct_sslmode'] = '...'
#praefect['database_direct_sslcert'] = '...'
#praefect['database_direct_sslkey'] = '...'
#praefect['database_direct_sslrootcert'] = '...'
```
302

303 304
We recommend using PgBouncer with `session` pool mode instead. You can use the
[bundled PgBouncer](../postgresql/pgbouncer.md) or use an external PgBouncer and [configure it
305
manually](https://www.pgbouncer.org/config.html).
306

307 308 309
The following example uses the bundled PgBouncer and sets up two separate connection pools,
one in `session` pool mode and the other in `transaction` pool mode. For this example to work,
you need to prepare PostgreSQL server with [setup instruction](#manual-database-setup):
310

311 312
```ruby
pgbouncer['databases'] = {
Ville Skyttä's avatar
Ville Skyttä committed
313
  # Other database configuration including gitlabhq_production
314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366
  ...

  praefect_production: {
    host: POSTGRESQL_HOST,
    # Use `pgbouncer` user to connect to database backend.
    user: 'pgbouncer',
    password: PGBOUNCER_SQL_PASSWORD_HASH,
    pool_mode: 'transaction'
  }
  praefect_production_direct: {
    host: POSTGRESQL_HOST,
    # Use `pgbouncer` user to connect to database backend.
    user: 'pgbouncer',
    password: PGBOUNCER_SQL_PASSWORD_HASH,
    dbname: 'praefect_production',
    pool_mode: 'session'
  },

  ...
}
```

Both `praefect_production` and `praefect_production_direct` use the same database endpoint
(`praefect_production`), but with different pool modes. This translates to the following
`databases` section of PgBouncer:

```ini
[databases]
praefect_production = host=POSTGRESQL_HOST auth_user=pgbouncer pool_mode=transaction
praefect_production_direct = host=POSTGRESQL_HOST auth_user=pgbouncer dbname=praefect_production pool_mode=session
```

Now you can configure Praefect to use PgBouncer for both connections:

```ruby
praefect['database_host'] = PGBOUNCER_HOST
praefect['database_port'] = 6432
praefect['database_user'] = 'praefect'
# `PRAEFECT_SQL_PASSWORD` is the plain-text password of
# Praefect user. Not to be confused with `PRAEFECT_SQL_PASSWORD_HASH`.
praefect['database_password'] = PRAEFECT_SQL_PASSWORD

praefect['database_dbname'] = 'praefect_production'
praefect['database_direct_dbname'] = 'praefect_production_direct'

# There is no need to repeat the following. Parameters of direct
# database connection will fall back to the values above.

#praefect['database_direct_host'] = PGBOUNCER_HOST
#praefect['database_direct_port'] = 6432
#praefect['database_direct_user'] = 'praefect'
#praefect['database_direct_password'] = PRAEFECT_SQL_PASSWORD
```
367

368
With this configuration, Praefect uses PgBouncer for both connection types.
369

370
NOTE:
371 372 373 374
Omnibus GitLab handles the authentication requirements (using `auth_query`), but if you are preparing
your databases manually and configuring an external PgBouncer, you must include `praefect` user and
its password in the file used by PgBouncer. For example, `userlist.txt` if the [`auth_file`](https://www.pgbouncer.org/config.html#auth_file)
configuration option is set. For more details, consult the PgBouncer documentation.
375

376
### Praefect
377

378 379
> [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/2634) in GitLab 13.4, Praefect nodes can no longer be designated as `primary`.

380 381
If there are multiple Praefect nodes:

382 383
1. Designate one node as the deploy node, and configure it using the following steps.
1. Complete the following steps for each additional node.
384

385
To complete this section you need a [configured PostgreSQL server](#postgresql), including:
386

387
WARNING:
388 389
Praefect should be run on a dedicated node. Do not run Praefect on the
application server, or a Gitaly node.
390

391
On the **Praefect** node:
392

393
1. Disable all other services by editing `/etc/gitlab/gitlab.rb`:
394

395 396 397 398 399
   ```ruby
   # Disable all other services on the Praefect node
   postgresql['enable'] = false
   redis['enable'] = false
   nginx['enable'] = false
400
   alertmanager['enable'] = false
401 402
   prometheus['enable'] = false
   grafana['enable'] = false
403
   puma['enable'] = false
404 405 406 407 408 409 410 411 412
   sidekiq['enable'] = false
   gitlab_workhorse['enable'] = false
   gitaly['enable'] = false

   # Enable only the Praefect service
   praefect['enable'] = true

   # Prevent database connections during 'gitlab-ctl reconfigure'
   gitlab_rails['auto_migrate'] = false
413
   praefect['auto_migrate'] = false
414 415 416 417 418 419
   ```

1. Configure **Praefect** to listen on network interfaces by editing
   `/etc/gitlab/gitlab.rb`:

   ```ruby
420
   praefect['listen_addr'] = '0.0.0.0:2305'
421 422 423

   # Enable Prometheus metrics access to Praefect. You must use firewalls
   # to restrict access to this address/port.
424
   praefect['prometheus_listen_addr'] = '0.0.0.0:9652'
425 426 427
   ```

1. Configure a strong `auth_token` for **Praefect** by editing
428 429
   `/etc/gitlab/gitlab.rb`. This is needed by clients outside the cluster
   (like GitLab Shell) to communicate with the Praefect cluster:
430 431 432 433 434

   ```ruby
   praefect['auth_token'] = 'PRAEFECT_EXTERNAL_TOKEN'
   ```

435 436
1. Configure **Praefect** to [connect to the PostgreSQL database](#postgresql). We
   highly recommend using [PgBouncer](#use-pgbouncer) as well.
437 438 439 440

   If you want to use a TLS client certificate, the options below can be used:

   ```ruby
441
   # Connect to PostgreSQL using a TLS client certificate
442 443
   # praefect['database_sslcert'] = '/path/to/client-cert'
   # praefect['database_sslkey'] = '/path/to/client-key'
444

445 446 447 448
   # Trust a custom certificate authority
   # praefect['database_sslrootcert'] = '/path/to/rootcert'
   ```

449
   By default, Praefect refuses to make an unencrypted connection to
450 451 452 453 454 455 456 457 458
   PostgreSQL. You can override this by uncommenting the following line:

   ```ruby
   # praefect['database_sslmode'] = 'disable'
   ```

1. Configure the **Praefect** cluster to connect to each Gitaly node in the
   cluster by editing `/etc/gitlab/gitlab.rb`.

459 460 461
   The virtual storage's name must match the configured storage name in GitLab
   configuration. In a later step, we configure the storage name as `default`
   so we use `default` here as well. This cluster has three Gitaly nodes `gitaly-1`,
462
   `gitaly-2`, and `gitaly-3`, which are intended to be replicas of each other.
463

464
   WARNING:
465
   If you have data on an already existing storage called
466
   `default`, you should configure the virtual storage with another name and
467
   [migrate the data to the Gitaly Cluster storage](index.md#migrating-to-gitaly-cluster)
468
   afterwards.
469

470
   Replace `PRAEFECT_INTERNAL_TOKEN` with a strong secret, which is used by
471 472 473
   Praefect when communicating with Gitaly nodes in the cluster. This token is
   distinct from the `PRAEFECT_EXTERNAL_TOKEN`.

474
   Replace `GITALY_HOST_*` with the IP or host address of the each Gitaly node.
475 476 477 478

   More Gitaly nodes can be added to the cluster to increase the number of
   replicas. More clusters can also be added for very large GitLab instances.

479 480 481 482 483
   NOTE:
   When adding additional Gitaly nodes to a virtual storage, all storage names
   within that virtual storage must be unique. Additionally, all Gitaly node
   addresses referenced in the Praefect configuration must be unique.

484 485
   ```ruby
   # Name of storage hash must match storage name in git_data_dirs on GitLab
486
   # server ('default') and in git_data_dirs on Gitaly nodes ('gitaly-1')
487
   praefect['virtual_storages'] = {
488
     'default' => {
489 490 491 492 493 494 495 496 497 498 499 500 501
       'nodes' => {
         'gitaly-1' => {
           'address' => 'tcp://GITALY_HOST_1:8075',
           'token'   => 'PRAEFECT_INTERNAL_TOKEN',
         },
         'gitaly-2' => {
           'address' => 'tcp://GITALY_HOST_2:8075',
           'token'   => 'PRAEFECT_INTERNAL_TOKEN'
         },
         'gitaly-3' => {
           'address' => 'tcp://GITALY_HOST_3:8075',
           'token'   => 'PRAEFECT_INTERNAL_TOKEN'
         }
502 503 504 505 506
       }
     }
   }
   ```

507 508 509 510
   NOTE:
   In [GitLab 13.8 and earlier](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4988),
   Gitaly nodes were configured directly under the virtual storage, and not under the `nodes` key.

511
1. [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2013) in GitLab 13.1 and later, enable [distribution of reads](index.md#distributed-reads).
512

513 514
1. Save the changes to `/etc/gitlab/gitlab.rb` and
   [reconfigure Praefect](../restart_gitlab.md#omnibus-gitlab-reconfigure):
515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536

   ```shell
   gitlab-ctl reconfigure
   ```

1. For:

   - The "deploy node":
     1. Enable Praefect auto-migration again by setting `praefect['auto_migrate'] = true` in
        `/etc/gitlab/gitlab.rb`.
     1. To ensure database migrations are only run during reconfigure and not automatically on
        upgrade, run:

        ```shell
        sudo touch /etc/gitlab/skip-auto-reconfigure
        ```

   - The other nodes, you can leave the settings as they are. Though
     `/etc/gitlab/skip-auto-reconfigure` isn't required, you may want to set it to prevent GitLab
     running reconfigure automatically when running commands such as `apt-get update`. This way any
     additional configuration changes can be done and then reconfigure can be run manually.

537 538
1. Save the changes to `/etc/gitlab/gitlab.rb` and
   [reconfigure Praefect](../restart_gitlab.md#omnibus-gitlab-reconfigure):
539 540

   ```shell
541
   gitlab-ctl reconfigure
542 543
   ```

544
1. To ensure that Praefect [has updated its Prometheus listen
545 546
   address](https://gitlab.com/gitlab-org/gitaly/-/issues/2734),
   [restart Praefect](../restart_gitlab.md#omnibus-gitlab-restart):
547 548 549 550 551

   ```shell
   gitlab-ctl restart praefect
   ```

552 553 554 555 556 557 558 559 560 561
1. Verify that Praefect can reach PostgreSQL:

   ```shell
   sudo -u git /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml sql-ping
   ```

   If the check fails, make sure you have followed the steps correctly. If you
   edit `/etc/gitlab/gitlab.rb`, remember to run `sudo gitlab-ctl reconfigure`
   again before trying the `sql-ping` command.

562
#### Enabling TLS support
563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596

> [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/1698) in GitLab 13.2.

Praefect supports TLS encryption. To communicate with a Praefect instance that listens
for secure connections, you must:

- Use a `tls://` URL scheme in the `gitaly_address` of the corresponding storage entry
  in the GitLab configuration.
- Bring your own certificates because this isn't provided automatically. The certificate
  corresponding to each Praefect server must be installed on that Praefect server.

Additionally the certificate, or its certificate authority, must be installed on all Gitaly servers
and on all Praefect clients that communicate with it following the procedure described in
[GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates) (and repeated below).

Note the following:

- The certificate must specify the address you use to access the Praefect server. If
  addressing the Praefect server by:

  - Hostname, you can either use the Common Name field for this, or add it as a Subject
    Alternative Name.
  - IP address, you must add it as a Subject Alternative Name to the certificate.

- You can configure Praefect servers with both an unencrypted listening address
  `listen_addr` and an encrypted listening address `tls_listen_addr` at the same time.
  This allows you to do a gradual transition from unencrypted to encrypted traffic, if
  necessary.

To configure Praefect with TLS:

**For Omnibus GitLab**

1. Create certificates for Praefect servers.
597

598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615
1. On the Praefect servers, create the `/etc/gitlab/ssl` directory and copy your key
   and certificate there:

   ```shell
   sudo mkdir -p /etc/gitlab/ssl
   sudo chmod 755 /etc/gitlab/ssl
   sudo cp key.pem cert.pem /etc/gitlab/ssl/
   sudo chmod 644 key.pem cert.pem
   ```

1. Edit `/etc/gitlab/gitlab.rb` and add:

   ```ruby
   praefect['tls_listen_addr'] = "0.0.0.0:3305"
   praefect['certificate_path'] = "/etc/gitlab/ssl/cert.pem"
   praefect['key_path'] = "/etc/gitlab/ssl/key.pem"
   ```

616 617
1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure).

618 619 620 621 622 623 624 625 626 627 628 629
1. On the Praefect clients (including each Gitaly server), copy the certificates,
   or their certificate authority, into `/etc/gitlab/trusted-certs`:

   ```shell
   sudo cp cert.pem /etc/gitlab/trusted-certs/
   ```

1. On the Praefect clients (except Gitaly servers), edit `git_data_dirs` in
   `/etc/gitlab/gitlab.rb` as follows:

   ```ruby
   git_data_dirs({
630
     "default" => {
631
       "gitaly_address" => 'tls://PRAEFECT_LOADBALANCER_HOST:2305',
632 633
       "gitaly_token" => 'PRAEFECT_EXTERNAL_TOKEN'
     }
634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667
   })
   ```

1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure).

**For installations from source**

1. Create certificates for Praefect servers.
1. On the Praefect servers, create the `/etc/gitlab/ssl` directory and copy your key and certificate
   there:

   ```shell
   sudo mkdir -p /etc/gitlab/ssl
   sudo chmod 755 /etc/gitlab/ssl
   sudo cp key.pem cert.pem /etc/gitlab/ssl/
   sudo chmod 644 key.pem cert.pem
   ```

1. On the Praefect clients (including each Gitaly server), copy the certificates,
   or their certificate authority, into the system trusted certificates:

   ```shell
   sudo cp cert.pem /usr/local/share/ca-certificates/praefect.crt
   sudo update-ca-certificates
   ```

1. On the Praefect clients (except Gitaly servers), edit `storages` in
   `/home/git/gitlab/config/gitlab.yml` as follows:

   ```yaml
   gitlab:
     repositories:
       storages:
         default:
668
           gitaly_address: tls://PRAEFECT_LOADBALANCER_HOST:3305
669
           path: /some/local/path
670 671
   ```

672
   NOTE:
673
   `/some/local/path` should be set to a local folder that exists, however no
674
   data is stored in this folder. This requirement is scheduled to be removed when
675 676 677 678
   [this issue](https://gitlab.com/gitlab-org/gitaly/-/issues/1282) is resolved.

1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source).
1. Copy all Praefect server certificates, or their certificate authority, to the system
679
   trusted certificates on each Gitaly server so the Praefect server trusts the
680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698
   certificate when called by Gitaly servers:

   ```shell
   sudo cp cert.pem /usr/local/share/ca-certificates/praefect.crt
   sudo update-ca-certificates
   ```

1. Edit `/home/git/praefect/config.toml` and add:

   ```toml
   tls_listen_addr = '0.0.0.0:3305'

   [tls]
   certificate_path = '/etc/gitlab/ssl/cert.pem'
   key_path = '/etc/gitlab/ssl/key.pem'
   ```

1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source).

699 700
### Gitaly

701
NOTE:
702
Complete these steps for **each** Gitaly node.
703

704
To complete this section you need:
705 706 707 708 709 710

- [Configured Praefect node](#praefect)
- 3 (or more) servers, with GitLab installed, to be configured as Gitaly nodes.
  These should be dedicated nodes, do not run other services on these nodes.

Every Gitaly server assigned to the Praefect cluster needs to be configured. The
711
configuration is the same as a normal [standalone Gitaly server](index.md),
712 713
except:

714 715
- The storage names are exposed to Praefect, not GitLab
- The secret token is shared with Praefect, not GitLab
716 717 718 719 720 721

The configuration of all Gitaly nodes in the Praefect cluster can be identical,
because we rely on Praefect to route operations correctly.

Particular attention should be shown to:

722
- The `gitaly['auth_token']` configured in this section must match the `token`
723
  value under `praefect['virtual_storages']['nodes']` on the Praefect node. This was set
724 725
  in the [previous section](#praefect). This document uses the placeholder
  `PRAEFECT_INTERNAL_TOKEN` throughout.
726
- The storage names in `git_data_dirs` configured in this section must match the
727 728 729 730
  storage names under `praefect['virtual_storages']` on the Praefect node. This
  was set in the [previous section](#praefect). This document uses `gitaly-1`,
  `gitaly-2`, and `gitaly-3` as Gitaly storage names.

731 732
For more information on Gitaly server configuration, see our
[Gitaly documentation](configure_gitaly.md#configure-gitaly-servers).
733 734 735 736 737 738 739 740 741 742 743 744 745 746 747

1. SSH into the **Gitaly** node and login as root:

   ```shell
   sudo -i
   ```

1. Disable all other services by editing `/etc/gitlab/gitlab.rb`:

   ```ruby
   # Disable all other services on the Praefect node
   postgresql['enable'] = false
   redis['enable'] = false
   nginx['enable'] = false
   grafana['enable'] = false
748
   puma['enable'] = false
749 750 751 752
   sidekiq['enable'] = false
   gitlab_workhorse['enable'] = false
   prometheus_monitoring['enable'] = false

753
   # Enable only the Gitaly service
754 755
   gitaly['enable'] = true

756 757 758
   # Enable Prometheus if needed
   prometheus['enable'] = true

759 760 761 762 763 764 765 766 767 768
   # Prevent database connections during 'gitlab-ctl reconfigure'
   gitlab_rails['auto_migrate'] = false
   ```

1. Configure **Gitaly** to listen on network interfaces by editing
   `/etc/gitlab/gitlab.rb`:

   ```ruby
   # Make Gitaly accept connections on all network interfaces.
   # Use firewalls to restrict access to this address/port.
769
   gitaly['listen_addr'] = '0.0.0.0:8075'
770 771 772

   # Enable Prometheus metrics access to Gitaly. You must use firewalls
   # to restrict access to this address/port.
773
   gitaly['prometheus_listen_addr'] = '0.0.0.0:9236'
774 775 776
   ```

1. Configure a strong `auth_token` for **Gitaly** by editing
777 778
   `/etc/gitlab/gitlab.rb`. This is needed by clients to communicate with
   this Gitaly nodes. Typically, this token is the same for all Gitaly
779 780 781 782 783 784
   nodes.

   ```ruby
   gitaly['auth_token'] = 'PRAEFECT_INTERNAL_TOKEN'
   ```

785
1. Configure the GitLab Shell secret token, which is needed for `git push` operations. Either:
786

787
   - Method 1:
788

789 790 791 792 793 794 795 796 797 798 799 800 801 802
     1. Copy `/etc/gitlab/gitlab-secrets.json` from the Gitaly client to same path on the Gitaly
        servers and any other Gitaly clients.
     1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) on Gitaly servers.

   - Method 2:

     1. Edit `/etc/gitlab/gitlab.rb`.
     1. Replace `GITLAB_SHELL_SECRET_TOKEN` with the real secret.

        ```ruby
        gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
        ```

1. Configure and `internal_api_url`, which is also needed for `git push` operations:
803

804
   ```ruby
805 806
   # Configure the gitlab-shell API callback URL. Without this, `git push` will
   # fail. This can be your front door GitLab URL or an internal load balancer.
807
   # Examples: 'https://gitlab.example.com', 'http://1.2.3.4'
808
   gitlab_rails['internal_api_url'] = 'http://GITLAB_HOST'
809 810 811 812
   ```

1. Configure the storage location for Git data by setting `git_data_dirs` in
   `/etc/gitlab/gitlab.rb`. Each Gitaly node should have a unique storage name
813
   (such as `gitaly-1`).
814 815 816 817

   Instead of configuring `git_data_dirs` uniquely for each Gitaly node, it is
   often easier to have include the configuration for all Gitaly nodes on every
   Gitaly node. This is supported because the Praefect `virtual_storages`
818
   configuration maps each storage name (such as `gitaly-1`) to a specific node, and
819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838
   requests are routed accordingly. This means every Gitaly node in your fleet
   can share the same configuration.

   ```ruby
   # You can include the data dirs for all nodes in the same config, because
   # Praefect will only route requests according to the addresses provided in the
   # prior step.
   git_data_dirs({
     "gitaly-1" => {
       "path" => "/var/opt/gitlab/git-data"
     },
     "gitaly-2" => {
       "path" => "/var/opt/gitlab/git-data"
     },
     "gitaly-3" => {
       "path" => "/var/opt/gitlab/git-data"
     }
   })
   ```

839 840
1. Save the changes to `/etc/gitlab/gitlab.rb` and
   [reconfigure Gitaly](../restart_gitlab.md#omnibus-gitlab-reconfigure):
841 842

   ```shell
843
   gitlab-ctl reconfigure
844 845
   ```

846
1. To ensure that Gitaly [has updated its Prometheus listen
847 848
   address](https://gitlab.com/gitlab-org/gitaly/-/issues/2734),
   [restart Gitaly](../restart_gitlab.md#omnibus-gitlab-restart):
849 850 851 852 853

   ```shell
   gitlab-ctl restart gitaly
   ```

854
**The steps above must be completed for each Gitaly node!**
855

856
After all Gitaly nodes are configured, run the Praefect connection
Paul Okstad's avatar
Paul Okstad committed
857
checker to verify Praefect can connect to all Gitaly servers in the Praefect
858
configuration.
Paul Okstad's avatar
Paul Okstad committed
859

860
1. SSH into each **Praefect** node and run the Praefect connection checker:
Paul Okstad's avatar
Paul Okstad committed
861

862 863 864
   ```shell
   sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml dial-nodes
   ```
865

866 867
### Load Balancer

868
In a fault-tolerant Gitaly configuration, a load balancer is needed to route
869 870 871 872
internal traffic from the GitLab application to the Praefect nodes. The
specifics on which load balancer to use or the exact configuration is beyond the
scope of the GitLab documentation.

873
NOTE:
Will Chandler's avatar
Will Chandler committed
874 875
The load balancer must be configured to accept traffic from the Gitaly nodes in
addition to the GitLab nodes. Some requests handled by
876
[`gitaly-ruby`](configure_gitaly.md#gitaly-ruby) sidecar processes call into the main Gitaly
Will Chandler's avatar
Will Chandler committed
877 878 879
process. `gitaly-ruby` uses the Gitaly address set in the GitLab server's
`git_data_dirs` setting to make this connection.

880
We hope that if you're managing fault-tolerant systems like GitLab, you have a load balancer
881 882 883
of choice already. Some examples include [HAProxy](https://www.haproxy.org/)
(open-source), [Google Internal Load Balancer](https://cloud.google.com/load-balancing/docs/internal/),
[AWS Elastic Load Balancer](https://aws.amazon.com/elasticloadbalancing/), F5
884
Big-IP LTM, and Citrix Net Scaler. This documentation outlines what ports
885 886
and protocols you need configure.

887 888 889
NOTE:
We recommend the equivalent of HAProxy `leastconn` load-balancing strategy because long-running operations (for example,
clones) keep some connections open for extended periods.
890

891
| LB Port | Backend Port | Protocol |
892
|:--------|:-------------|:---------|
893 894
| 2305    | 2305         | TCP      |

895
### GitLab
896

897
To complete this section you need:
898

899 900
- [Configured Praefect node](#praefect)
- [Configured Gitaly nodes](#gitaly)
901

902 903 904 905 906 907
The Praefect cluster needs to be exposed as a storage location to the GitLab
application. This is done by updating the `git_data_dirs`.

Particular attention should be shown to:

- the storage name added to `git_data_dirs` in this section must match the
908
  storage name under `praefect['virtual_storages']` on the Praefect node(s). This
909
  was set in the [Praefect](#praefect) section of this guide. This document uses
910
  `default` as the Praefect storage name.
911 912 913 914 915 916 917

1. SSH into the **GitLab** node and login as root:

   ```shell
   sudo -i
   ```

918 919 920
1. Configure the `external_url` so that files could be served by GitLab
   by proper endpoint access by editing `/etc/gitlab/gitlab.rb`:

921
   You need to replace `GITLAB_SERVER_URL` with the real external facing
922 923 924 925 926 927
   URL on which current GitLab instance is serving:

   ```ruby
   external_url 'GITLAB_SERVER_URL'
   ```

928 929
1. Disable the default Gitaly service running on the GitLab host. It isn't needed
   because GitLab connects to the configured cluster.
930

931
   WARNING:
932
   If you have existing data stored on the default Gitaly storage,
933
   you should [migrate the data your Gitaly Cluster storage](index.md#migrating-to-gitaly-cluster)
Evan Read's avatar
Evan Read committed
934
   first.
935 936 937 938 939

   ```ruby
   gitaly['enable'] = false
   ```

940 941 942
1. Add the Praefect cluster as a storage location by editing
   `/etc/gitlab/gitlab.rb`.

943
   You need to replace:
944

945
   - `PRAEFECT_LOADBALANCER_HOST` with the IP address or hostname of the load
946
     balancer.
947
   - `PRAEFECT_EXTERNAL_TOKEN` with the real secret
948

949 950
   If you are using TLS, the `gitaly_address` should begin with `tls://`.

951 952 953
   ```ruby
   git_data_dirs({
     "default" => {
954
       "gitaly_address" => "tcp://PRAEFECT_LOADBALANCER_HOST:2305",
955 956 957 958
       "gitaly_token" => 'PRAEFECT_EXTERNAL_TOKEN'
     }
   })
   ```
959

960 961
1. Configure the GitLab Shell secret token so that callbacks from Gitaly nodes during a `git push`
   are properly authenticated. Either:
962

963
   - Method 1:
964

965 966 967 968 969 970 971 972 973 974 975 976
     1. Copy `/etc/gitlab/gitlab-secrets.json` from the Gitaly client to same path on the Gitaly
        servers and any other Gitaly clients.
     1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) on Gitaly servers.

   - Method 2:

     1. Edit `/etc/gitlab/gitlab.rb`.
     1. Replace `GITLAB_SHELL_SECRET_TOKEN` with the real secret.

        ```ruby
        gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
        ```
977

978 979
1. Add Prometheus monitoring settings by editing `/etc/gitlab/gitlab.rb`. If Prometheus
   is enabled on a different node, make edits on that node instead.
980

981
   You need to replace:
982 983

   - `PRAEFECT_HOST` with the IP address or hostname of the Praefect node
984
   - `GITALY_HOST_*` with the IP address or hostname of each Gitaly node
985 986 987 988 989 990 991

   ```ruby
   prometheus['scrape_configs'] = [
     {
       'job_name' => 'praefect',
       'static_configs' => [
         'targets' => [
992 993 994
           'PRAEFECT_HOST:9652', # praefect-1
           'PRAEFECT_HOST:9652', # praefect-2
           'PRAEFECT_HOST:9652', # praefect-3
995 996 997 998 999 1000 1001
         ]
       ]
     },
     {
       'job_name' => 'praefect-gitaly',
       'static_configs' => [
         'targets' => [
1002 1003 1004
           'GITALY_HOST_1:9236', # gitaly-1
           'GITALY_HOST_2:9236', # gitaly-2
           'GITALY_HOST_3:9236', # gitaly-3
1005 1006 1007 1008 1009 1010
         ]
       ]
     }
   ]
   ```

1011 1012 1013
1. Save the changes to `/etc/gitlab/gitlab.rb` and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure):

   ```shell
1014
   gitlab-ctl reconfigure
1015 1016
   ```

1017
1. Verify on each Gitaly node the Git Hooks can reach GitLab. On each Gitaly node run:
1018 1019

   ```shell
1020
   /opt/gitlab/embedded/bin/gitaly-hooks check /var/opt/gitlab/gitaly/config.toml
1021 1022
   ```

1023 1024 1025
1. Verify that GitLab can reach Praefect:

   ```shell
1026
   gitlab-rake gitlab:gitaly:check
1027 1028
   ```

1029 1030
1. Check that the Praefect storage is configured to store new repositories:

1031
   1. On the top bar, select **Menu > Admin**.
1032 1033 1034 1035
   1. On the left sidebar, select **Settings > Repository**.
   1. Expand the **Repository storage** section.

   Following this guide, the `default` storage should have weight 100 to store all new repositories.
1036

1037
1. Verify everything is working by creating a new project. Check the
1038 1039 1040 1041
   "Initialize repository with a README" box so that there is content in the
   repository that viewed. If the project is created, and you can see the
   README file, it works!

1042 1043 1044 1045
#### Use TCP for existing GitLab instances

When adding Gitaly Cluster to an existing Gitaly instance, the existing Gitaly storage
must use a TCP address. If `gitaly_address` is not specified, then a Unix socket is used,
1046
which prevents the communication with the cluster.
1047 1048 1049 1050 1051 1052 1053

For example:

```ruby
git_data_dirs({
  'default' => { 'gitaly_address' => 'tcp://old-gitaly.internal:8075' },
  'cluster' => {
1054
    'gitaly_address' => 'tcp://<PRAEFECT_LOADBALANCER_HOST>:2305',
1055 1056 1057 1058 1059 1060 1061 1062
    'gitaly_token' => '<praefect_external_token>'
  }
})
```

See [Mixed Configuration](configure_gitaly.md#mixed-configuration) for further information on
running multiple Gitaly storages.

1063
### Grafana
1064

1065 1066 1067 1068
Grafana is included with GitLab, and can be used to monitor your Praefect
cluster. See [Grafana Dashboard
Service](https://docs.gitlab.com/omnibus/settings/grafana.html)
for detailed documentation.
1069

1070
To get started quickly:
1071

1072
1. SSH into the **GitLab** node (or whichever node has Grafana enabled) and login as root:
1073

1074 1075 1076
   ```shell
   sudo -i
   ```
1077

1078
1. Enable the Grafana login form by editing `/etc/gitlab/gitlab.rb`.
1079 1080

   ```ruby
1081
   grafana['disable_login_form'] = false
1082 1083
   ```

1084 1085
1. Save the changes to `/etc/gitlab/gitlab.rb` and
   [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure):
1086

1087 1088 1089
   ```shell
   gitlab-ctl reconfigure
   ```
1090

1091
1. Set the Grafana administrator password. This command prompts you to enter a new
1092
   password:
1093

1094 1095 1096
   ```shell
   gitlab-ctl set-grafana-password
   ```
1097

1098
1. In your web browser, open `/-/grafana` (such as
1099
   `https://gitlab.example.com/-/grafana`) on your GitLab server.
1100

1101
   Login using the password you set, and the username `admin`.
1102

1103 1104
1. Go to **Explore** and query `gitlab_build_info` to verify that you are
   getting metrics from all your machines.
1105

1106
Congratulations! You've configured an observable fault-tolerant Praefect
1107
cluster.
1108

1109
## Configure replication factor
1110 1111

WARNING:
1112
Configurable replication factors require [repository-specific primary nodes](#repository-specific-primary-nodes) to be used.
1113 1114 1115 1116

Praefect supports configuring a replication factor on a per-repository basis, by assigning
specific storage nodes to host a repository.

1117
Praefect does not store the actual replication factor, but assigns enough storages to host the repository
1118 1119 1120
so the desired replication factor is met. If a storage node is later removed from the virtual storage,
the replication factor of repositories assigned to the storage is decreased accordingly.

1121 1122 1123 1124 1125 1126 1127 1128 1129
You can configure:

- A default replication factor for each virtual storage that is applied to newly-created repositories.
  The configuration is added to the `/etc/gitlab/gitlab.rb` file:

  ```ruby
  praefect['virtual_storages'] = {
    'default' => {
      'default_replication_factor' => 1,
1130
      # ...
1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156
    }
  }
  ```

- A replication factor for an existing repository using the `set-replication-factor` sub-command.
  `set-replication-factor` automatically assigns or unassigns random storage nodes as
  necessary to reach the desired replication factor. The repository's primary node is
  always assigned first and is never unassigned.

  ```shell
  sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml set-replication-factor -virtual-storage <virtual-storage> -repository <relative-path> -replication-factor <replication-factor>
  ```

  - `-virtual-storage` is the virtual storage the repository is located in.
  - `-repository` is the repository's relative path in the storage.
  - `-replication-factor` is the desired replication factor of the repository. The minimum value is
    `1`, as the primary needs a copy of the repository. The maximum replication factor is the number of
    storages in the virtual storage.

  On success, the assigned host storages are printed. For example:

  ```shell
  $ sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml set-replication-factor -virtual-storage default -repository @hashed/3f/db/3fdba35f04dc8c462986c992bcf875546257113072a909c162f7e470e581e278.git -replication-factor 2

  current assignments: gitaly-1, gitaly-2
  ```
1157

1158
## Automatic failover and primary election strategies
1159

1160 1161
Praefect regularly checks the health of each Gitaly node. This is used to automatically fail over
to a newly-elected primary Gitaly node if the current primary node is found to be unhealthy.
1162

1163
We recommend using [repository-specific primary nodes](#repository-specific-primary-nodes). This is
1164
[the only available election strategy](https://gitlab.com/gitlab-org/gitaly/-/issues/3574) from GitLab 14.0.
1165

1166 1167 1168
### Repository-specific primary nodes

> [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/3492) in GitLab 13.12.
1169

1170 1171 1172
Gitaly Cluster supports electing repository-specific primary Gitaly nodes. Repository-specific
Gitaly primary nodes are enabled in `/etc/gitlab/gitlab.rb` by setting
`praefect['failover_election_strategy'] = 'per_repository'`.
1173

1174
Praefect's [deprecated election strategies](#deprecated-election-strategies):
1175

1176 1177 1178 1179
- Elected a primary Gitaly node for each virtual storage, which was used as the primary node for
  each repository in the virtual storage.
- Prevented horizontal scaling of a virtual storage. The primary Gitaly node needed a replica of
  each repository and thus became the bottleneck.
1180

1181 1182 1183
The `per_repository` election strategy solves this problem by electing a primary Gitaly node separately for each
repository. Combined with [configurable replication factors](#configure-replication-factor), you can
horizontally scale storage capacity and distribute write load across Gitaly nodes.
1184

1185
Primary elections are run:
1186

1187 1188 1189 1190 1191 1192
- In GitLab 14.1 and later, lazily. This means that Praefect doesn't immediately elect
  a new primary node if the current one is unhealthy. A new primary is elected if it is
  necessary to serve a request while the current primary is unavailable.
- In GitLab 13.12 to GitLab 14.0 when:
  - Praefect starts up.
  - The cluster's consensus of a Gitaly node's health changes.
1193

1194
A valid primary node candidate is a Gitaly node that:
1195

1196 1197 1198
- Is healthy. A Gitaly node is considered healthy if `>=50%` Praefect nodes have
  successfully health checked the Gitaly node in the previous ten seconds.
- Has a fully up to date copy of the repository.
1199

1200
If there are multiple primary node candidates, Praefect:
1201

1202 1203 1204 1205 1206
- Picks one of them randomly.
- Prioritizes promoting a Gitaly node that is assigned to host the repository. If
  there are no assigned Gitaly nodes to elect as the primary, Praefect may temporarily
  elect an unassigned one. The unassigned primary is demoted in favor of an assigned
  one when one becomes available.
1207

1208
If there are no valid primary candidates for a repository:
1209 1210 1211 1212

- The unhealthy primary node is demoted and the repository is left without a primary node.
- Operations that require a primary node fail until a primary is successfully elected.

1213
#### Migrate to repository-specific primary Gitaly nodes
1214

1215
New Gitaly Clusters can start using the `per_repository` election strategy immediately.
1216 1217 1218

To migrate existing clusters:

1219
1. Praefect nodes didn't historically keep database records of every repository stored on the cluster. When
1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242
   the `per_repository` election strategy is configured, Praefect expects to have database records of
   each repository. A [background migration](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/2749) is
   included in GitLab 13.6 and later to create any missing database records for repositories. Before migrating
   you should verify the migration has run by checking Praefect's logs:

   Check Praefect's logs for `repository importer finished` message. The `virtual_storages` field contains
   the names of virtual storages and whether they've had any missing database records created.

   For example, the `default` virtual storage has been successfully migrated:

   ```json
   {"level":"info","msg":"repository importer finished","pid":19752,"time":"2021-04-28T11:41:36.743Z","virtual_storages":{"default":true}}
   ```

   If a virtual storage has not been successfully migrated, it would have `false` next to it:

   ```json
   {"level":"info","msg":"repository importer finished","pid":19752,"time":"2021-04-28T11:41:36.743Z","virtual_storages":{"default":false}}
   ```

   The migration is ran when Praefect starts up. If the migration is unsuccessful, you can restart
   a Praefect node to reattempt it. The migration only runs with `sql` election strategy configured.

1243
1. Running two different election strategies side by side can cause a split brain, where different
1244
   Praefect nodes consider repositories to have different primaries. This can be avoided either:
1245

1246
   - If a short downtime is acceptable:
1247

1248
      1. Shut down all Praefect nodes before changing the election strategy. Do this by running `gitlab-ctl stop praefect` on the Praefect nodes.
1249

1250 1251 1252 1253 1254 1255
      1. On the Praefect nodes, configure the election strategy in `/etc/gitlab/gitlab.rb` with `praefect['failover_election_strategy'] = 'per_repository'`.

      1. Run `gitlab-ctl reconfigure && gitlab-ctl start` to reconfigure and start the Praefects.

   - If downtime is unacceptable:

1256
      1. Determine which Gitaly node is [the current primary](troubleshooting.md#determine-primary-gitaly-node).
1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273

      1. Comment out the secondary Gitaly nodes from the virtual storage's configuration in `/etc/gitlab/gitlab.rb`
      on all Praefect nodes. This ensures there's only one Gitaly node configured, causing both of the election
      strategies to elect the same Gitaly node as the primary.

      1. Run `gitlab-ctl reconfigure` on all Praefect nodes. Wait until all Praefect processes have restarted and
      the old processes have exited. This can take up to one minute.

      1. On all Praefect nodes, configure the election strategy in `/etc/gitlab/gitlab.rb` with
      `praefect['failover_election_strategy'] = 'per_repository'`.

      1. Run `gitlab-ctl reconfigure` on all Praefect nodes. Wait until all of the Praefect processes have restarted and
      the old processes have exited. This can take up to one minute.

      1. Uncomment the secondary Gitaly node configuration commented out in the earlier step on all Praefect nodes.

      1. Run `gitlab-ctl reconfigure` on all Praefect nodes to reconfigure and restart the Praefect processes.
1274

1275
### Deprecated election strategies
1276 1277

WARNING:
1278
The below election strategies are deprecated and were removed in GitLab 14.0.
1279 1280 1281
Migrate to [repository-specific primary nodes](#repository-specific-primary-nodes).

- **PostgreSQL:** Enabled by default until GitLab 14.0, and equivalent to:
1282 1283 1284 1285 1286 1287 1288 1289 1290
  `praefect['failover_election_strategy'] = 'sql'`.

  This configuration option:

  - Allows multiple Praefect nodes to coordinate via the PostgreSQL database to elect a primary
    Gitaly node.
  - Causes Praefect nodes to elect a new primary Gitaly node, monitor its health, and elect a new primary
    Gitaly node if the current one is not reached within 10 seconds by a majority of the Praefect
    nodes.
1291
- **Memory:** Enabled by setting `praefect['failover_election_strategy'] = 'local'`
1292 1293 1294 1295 1296
  in `/etc/gitlab/gitlab.rb` on the Praefect node.

  If a sufficient number of health checks fail for the current primary Gitaly node, a new primary is
  elected. **Do not use with multiple Praefect nodes!** Using with multiple Praefect nodes is
  likely to result in a split brain.