@@ -25,14 +25,14 @@ instructions will break installations using older versions of OpenSSH, such as
...
@@ -25,14 +25,14 @@ instructions will break installations using older versions of OpenSSH, such as
those included with CentOS 6 as of September 2017. If you want to use this
those included with CentOS 6 as of September 2017. If you want to use this
feature for CentOS 6, follow [the instructions on how to build and install a custom OpenSSH package](#compiling-a-custom-version-of-openssh-for-centos-6) before continuing.
feature for CentOS 6, follow [the instructions on how to build and install a custom OpenSSH package](#compiling-a-custom-version-of-openssh-for-centos-6) before continuing.
## Fast lookup is required for GitLab Geo
## Fast lookup is required for Geo
By default, GitLab manages an `authorized_keys` file, which contains all the
By default, GitLab manages an `authorized_keys` file, which contains all the
public SSH keys for users allowed to access GitLab. However, to maintain a
public SSH keys for users allowed to access GitLab. However, to maintain a
single source of truth, [Geo](../../gitlab-geo/README.md) needs to be configured to perform SSH fingerprint
single source of truth, [Geo](../../gitlab-geo/README.md) needs to be configured to perform SSH fingerprint
lookups via database lookup.
lookups via database lookup.
As part of [setting up GitLab Geo](../../gitlab-geo/README.md#setup-instructions),
As part of [setting up Geo](../../gitlab-geo/README.md#setup-instructions),
you will be required to follow the steps outlined below for both the primary and
you will be required to follow the steps outlined below for both the primary and
secondary nodes, but note that the `Write to "authorized keys" file` checkbox
secondary nodes, but note that the `Write to "authorized keys" file` checkbox
only needs to be unchecked on the primary node since it will be reflected
only needs to be unchecked on the primary node since it will be reflected
- Using GitLab Geo in combination with High Availability is considered **GA** in GitLab Enterprise Edition 10.4
- Using Geo in combination with High Availability is considered **GA** in GitLab Enterprise Edition 10.4
>**Note:**
>**Note:**
GitLab Geo changes significantly from release to release. Upgrades **are**
Geo changes significantly from release to release. Upgrades **are**
supported and [documented](#updating-the-geo-nodes), but you should ensure that
supported and [documented](#updating-the-geo-nodes), but you should ensure that
you're following the right version of the documentation for your installation!
you're following the right version of the documentation for your installation!
The best way to do this is to follow the documentation from the `/help` endpoint
The best way to do this is to follow the documentation from the `/help` endpoint
on your **primary** node, but you can also navigate to [this page on GitLab.com](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/doc/gitlab-geo/README.md)
on your **primary** node, but you can also navigate to [this page on GitLab.com](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/doc/gitlab-geo/README.md)
and choose the appropriate release from the `tags` dropdown, e.g., `v10.0.0-ee`.
and choose the appropriate release from the `tags` dropdown, e.g., `v10.0.0-ee`.
GitLab Geo allows you to replicate your GitLab instance to other geographical
Geo allows you to replicate your GitLab instance to other geographical
locations as a read-only fully operational version.
locations as a read-only fully operational version.
## Overview
## Overview
...
@@ -31,7 +31,7 @@ Your Geo instance can be used for cloning and fetching projects, in addition to
...
@@ -31,7 +31,7 @@ Your Geo instance can be used for cloning and fetching projects, in addition to
reading any data. This will make working with large repositories over large
reading any data. This will make working with large repositories over large
distances much faster.
distances much faster.
![GitLab Geo overview](img/geo-overview.png)
![Geo overview](img/geo-overview.png)
When Geo is enabled, we refer to your original instance as a **primary** node
When Geo is enabled, we refer to your original instance as a **primary** node
and the replicated read-only ones as **secondaries**.
and the replicated read-only ones as **secondaries**.
...
@@ -57,9 +57,9 @@ custom integrations and internal workflows
...
@@ -57,9 +57,9 @@ custom integrations and internal workflows
## Architecture
## Architecture
The following diagram illustrates the underlying architecture of GitLab Geo:
The following diagram illustrates the underlying architecture of Geo:
This document describes a minimal reference architecture for running GitLab Geo
This document describes a minimal reference architecture for running Geo
in a high availability configuration. If your HA setup differs from the one
in a high availability configuration. If your HA setup differs from the one
described, it is possible to adapt these instructions to your needs.
described, it is possible to adapt these instructions to your needs.
...
@@ -17,11 +17,11 @@ one geographic location can communicate with each other using their private IP a
...
@@ -17,11 +17,11 @@ one geographic location can communicate with each other using their private IP a
The IP addresses given are examples and may be different depending on the
The IP addresses given are examples and may be different depending on the
network topology of your deployment.
network topology of your deployment.
The only external way to access the two GitLab Geo deployments is by HTTPS at
The only external way to access the two Geo deployments is by HTTPS at
`gitlab.us.example.com` and `gitlab.eu.example.com` in the example above.
`gitlab.us.example.com` and `gitlab.eu.example.com` in the example above.
NOTE: **Note:**
> **Note:** The primary and secondary Geo deployments must be able to
The primary and secondary GitLab Geo deployments must be able to communicate to each other over HTTPS.
> communicate to each other over HTTPS.
## Redis and PostgreSQL High Availability
## Redis and PostgreSQL High Availability
...
@@ -130,7 +130,7 @@ the addresses of the remote endpoints for PostgreSQL and Redis will need to be s
...
@@ -130,7 +130,7 @@ the addresses of the remote endpoints for PostgreSQL and Redis will need to be s
On the secondary the remote endpoint for the PostgreSQL Geo database will
On the secondary the remote endpoint for the PostgreSQL Geo database will
be specified.
be specified.
1. Edit `/etc/gitlab/gitlab.rb` and ensure the following to disable PostgreSQL and Redis from running locally. Configure the secondary to connect to the GitLab Geo tracking database.
1. Edit `/etc/gitlab/gitlab.rb` and ensure the following to disable PostgreSQL and Redis from running locally. Configure the secondary to connect to the Geo tracking database.
The following security review of the GitLab Geo feature set focuses on security
The following security review of the Geo feature set focuses on security
aspects of the feature as they apply to customers running their own GitLab
aspects of the feature as they apply to customers running their own GitLab
instances. The review questions are based in part on the [application security architecture](https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet)
instances. The review questions are based in part on the [application security architecture](https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet)
questions from [owasp.org](https://www.owasp.org).
questions from [owasp.org](https://www.owasp.org).