Automatic merge of gitlab-org/gitlab-ce master

0b09d31c · GitLab Bot · 3e14e05e · 4072c8e1 · 0b09d31c · 0b09d31c
Commit 0b09d31c authored Aug 01, 2019 by GitLab Bot
6 changed files
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -101,8 +101,7 @@ schedule:review-build-cng:
    - install_tiller
    - install_external_dns
    - download_chart
-    - deploy || display_deployment_debug
-    - wait_for_review_app_to_be_accessible
+    - deploy || (display_deployment_debug && exit 1)
    - add_license
  artifacts:
    paths: [review_app_url.txt]

--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -510,3 +510,94 @@ implemented as calls to `gitaly-ruby`:
 ```
 sum(rate(grpc_client_handled_total[5m])) by (grpc_method) > 0
 ```
+
+### Repository changes fail with a `401 Unauthorized` error
+
+If you're running Gitaly on its own server and notice that users can
+successfully clone and fetch repositories (via both SSH and HTTPS), but can't
+push to them or make changes to the repository in the web UI without getting a
+`401 Unauthorized` message, then it's possible Gitaly is failing to authenticate
+with the other nodes due to having the [wrong secrets file](#3-gitaly-server-configuration).
+
+Confirm the following are all true:
+
+- When any user performs a `git push` to any repository on this Gitaly node, it
+  fails with the following error (note the `401 Unauthorized`):
+
+  ```sh
+  remote: GitLab: 401 Unauthorized
+  To <REMOTE_URL>
+  ! [remote rejected] branch-name -> branch-name (pre-receive hook declined)
+  error: failed to push some refs to '<REMOTE_URL>'
+  ```
+
+- When any user adds or modifies a file from the repository using the GitLab
+  UI, it immediatley fails with a red `401 Unauthorized` banner.
+- Creating a new project and [initializing it with a README](../../gitlab-basics/create-project.md#blank-projects)
+  successfully creates the project but doesn't create the README.
+- When [tailing the logs](https://docs.gitlab.com/omnibus/settings/logs.md#tail-logs-in-a-console-on-the-server) on an app node and reproducing the error, you get `401` errors
+  when reaching the `/api/v4/internal/allowed` endpoint:
+
+  ```sh
+  # api_json.log
+  {
+    "time": "2019-07-18T00:30:14.967Z",
+    "severity": "INFO",
+    "duration": 0.57,
+    "db": 0,
+    "view": 0.57,
+    "status": 401,
+    "method": "POST",
+    "path": "\/api\/v4\/internal\/allowed",
+    "params": [
+      {
+        "key": "action",
+        "value": "git-receive-pack"
+      },
+      {
+        "key": "changes",
+        "value": "REDACTED"
+      },
+      {
+        "key": "gl_repository",
+        "value": "REDACTED"
+      },
+      {
+        "key": "project",
+        "value": "\/path\/to\/project.git"
+      },
+      {
+        "key": "protocol",
+        "value": "web"
+      },
+      {
+        "key": "env",
+        "value": "{\"GIT_ALTERNATE_OBJECT_DIRECTORIES\":[],\"GIT_ALTERNATE_OBJECT_DIRECTORIES_RELATIVE\":[],\"GIT_OBJECT_DIRECTORY\":null,\"GIT_OBJECT_DIRECTORY_RELATIVE\":null}"
+      },
+      {
+        "key": "user_id",
+        "value": "2"
+      },
+      {
+        "key": "secret_token",
+        "value": "[FILTERED]"
+      }
+    ],
+    "host": "gitlab.example.com",
+    "ip": "REDACTED",
+    "ua": "Ruby",
+    "route": "\/api\/:version\/internal\/allowed",
+    "queue_duration": 4.24,
+    "gitaly_calls": 0,
+    "gitaly_duration": 0,
+    "correlation_id": "XPUZqTukaP3"
+  }
+
+  # nginx_access.log
+  [IP] - - [18/Jul/2019:00:30:14 +0000] "POST /api/v4/internal/allowed HTTP/1.1" 401 30 "" "Ruby"
+  ```
+
+To fix this problem, confirm that your [`gitlab-secrets.json` file](#3-gitaly-server-configuration)
+on the Gitaly node matches the one on all other nodes. If it doesn't match,
+update the secrets file on the Gitaly node to match the others, then
+[reconfigure the node](../restart_gitlab.md#omnibus-gitlab-reconfigure).
--- a/lib/gitlab/profiler.rb
+++ b/lib/gitlab/profiler.rb
@@ -21,6 +21,9 @@ module Gitlab
      lib/gitlab/profiler.rb
      lib/gitlab/correlation_id.rb
      lib/gitlab/webpack/dev_server_middleware.rb
+      lib/gitlab/sidekiq_status/
+      lib/gitlab/sidekiq_logging/
+      lib/gitlab/sidekiq_middleware/
    ].freeze

    # Takes a URL to profile (can be a fully-qualified URL, or an absolute path)

--- a/lib/peek/views/rugged.rb
+++ b/lib/peek/views/rugged.rb
@@ -29,8 +29,12 @@ module Peek

      def format_args(args)
        args.map do |arg|
-          # Needed to avoid infinite as_json calls
-          if arg.is_a?(Gitlab::Git::Repository)
+          # ActiveSupport::JSON recursively calls as_json on all
+          # instance variables, and if that instance variable points to
+          # something that refers back to the same instance, we can wind
+          # up in an infinite loop. Currently this only seems to happen with
+          # Gitlab::Git::Repository and ::Repository.
+          if arg.instance_variables.present?
            arg.to_s
          else
            arg

--- a/scripts/review_apps/review-apps.sh
+++ b/scripts/review_apps/review-apps.sh
@@ -340,31 +340,6 @@ function display_deployment_debug() {
  fi
 }

-function wait_for_review_app_to_be_accessible() {
-  echoinfo "Waiting for the Review App at ${CI_ENVIRONMENT_URL} to be accessible..." true
-
-  local interval=5
-  local elapsed_seconds=0
-  local max_seconds=$((2 * 60))
-  while true; do
-    local review_app_http_code
-    review_app_http_code=$(curl --silent --output /dev/null --max-time 5 --write-out "%{http_code}" "${CI_ENVIRONMENT_URL}/users/sign_in")
-    if [[ "${review_app_http_code}" -eq "200" ]] || [[ "${elapsed_seconds}" -gt "${max_seconds}" ]]; then
-      break
-    fi
-
-    let "elapsed_seconds+=interval"
-    sleep ${interval}
-  done
-
-  if [[ "${review_app_http_code}" -eq "200" ]]; then
-    echoinfo "The Review App at ${CI_ENVIRONMENT_URL} is ready after ${elapsed_seconds} seconds!"
-  else
-    echoerr "The Review App at ${CI_ENVIRONMENT_URL} isn't ready after ${max_seconds} seconds of polling..."
-    exit 1
-  fi
-}
-
 function add_license() {
  if [ -z "${REVIEW_APPS_EE_LICENSE}" ]; then echo "License not found" && return; fi


--- a/spec/lib/peek/views/rugged_spec.rb
+++ b/spec/lib/peek/views/rugged_spec.rb
@@ -24,7 +24,7 @@ describe Peek::Views::Rugged, :request_store do
                                                     args: [project.repository.raw, 'HEAD'],
                                                     duration: 0.123)
    ::Gitlab::RuggedInstrumentation.add_call_details(feature: :rugged_test2,
-                                                     args: [project.repository.raw, 'refs/heads/master'],
+                                                     args: [project.repository, 'refs/heads/master'],
                                                     duration: 0.456)

    results = subject.results
@@ -32,7 +32,11 @@ describe Peek::Views::Rugged, :request_store do
    expect(results[:duration]).to eq('1234.00ms')
    expect(results[:details].count).to eq(2)

-    expect(results[:details][0][:args]).to eq([project.repository.raw.to_s, "refs/heads/master"])
-    expect(results[:details][1][:args]).to eq([project.repository.raw.to_s, "HEAD"])
+    expected = [
+      [project.repository.raw.to_s, "HEAD"],
+      [project.repository.to_s, "refs/heads/master"]
+    ]
+
+    expect(results[:details].map { |data| data[:args] }).to match_array(expected)
  end
 end