17 Jan, 2016 (38 commits)
    • GitLab Software Release - first version · 866d9051
      Kirill Smelkov authored
      Hello up there,
      
      Here comes SlapOS port of GitLab. We start from GitLab 8.2.X as that is what we
      currently run on KVM on lab.nexedi.com, so that our data can be
      straightforwardly migrated.
      
      The SR compiles all needed software and organizes all (sub-)services in one
      partition and interconnects them with unix sockets for security and speed
      reasons (see patch "gitlab: Make a plan to base instance layout on
      gitlab-omnibus and to interconnect all internal services").
      
      Services configuration files are originally taken from omnibus-gitlab
      "distribution" and incrementally ported to slapos variant. This way we
      establish a (imho) good path on how to track upstream changes and minimize our
      delta & effort supporting it.
      
      GitLab itself is patched (above patches that were already applied by upstream):
      
        - to support HTTP(S) only
        - to show site's ICP number
        - to speedup raw blob downloading ~ 17x times
          ( see patch "gitlab: Optimize raw blob downloading" for details and
            https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/17 )
      
      Overall it should work and we should finally be able to migrate slapos.git
      (because raw blob downloading is not slow now) to GitLab and all other
      Nexedi git repositories.
      
      Thanks,
      Kirill
      
      P.S.
      
      Somewhat outdated, but this picture on GitLab architecture might help to
      understand how parts are glued together:
      
      https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/architecture.md
      
      P.P.S.
      
      Native resiliency is not implemented yet, but we should be able to use gitlab
      inside resilient webrunner already.
      
      /proposed-for-review-on !39
      /partly-reviewed-by @kazuhiko, @jerome, @Yanni, @jp
      /cc @rafael, @jm
    • gitlab: First SR version works - freeze md5 sums · 729be3b8
      Kirill Smelkov authored
      We've reached a state where first gitlab SR version should work. So as
      promised let's freeze the md5 checksums.
      
      All later patches should update corresponding md5 info when they change
      a file.
      
      /cc @kazuhiko, @jerome
    • gitlab: Optimize raw blob downloading · a913c2e4
      Kirill Smelkov authored
      In slapos we do a lot of automated software rebuild constantly, and thus
      there is constant flow of requests to get raw blobs from git service,
      e.g. like this
      
          https://lab.nexedi.com/nexedi/slapos/raw/master/software/wendelin/software.cfg
      
      A lot of requests come to the slapos.git repository and currently gitlab,
      out of the box, cannot keep up with that load.
      
      I've prepared patches to offload raw blobs download requests handling
      from unicorn (ruby) to gitlab-workhorse (go), and that resulted in ~ 17x
      speedup - e.g. previously our std shuttle can handle ~ 70 raw-blob
      requests/s and with my changes it is now ~ 1200 requests/s.
      
      The patches were sent upstream
      
          https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/17
      
      and we discussed with GitLab people and made a plan how to proceed
      incrementally. It will probably take some time for gitlab team to fully
      accept the approach though.
      
      For now we can use our gitlab-workhorse fork. The patches themselves are:
      
          kirr/gitlab-workhorse@1b274d0d
          kirr/gitlab-workhorse@2beb8c95
      
      /cc @kazuhiko, @jerome, @jm
    • gitlab: Switch to "GitLab Nexedi Edition" · 74d4ea62
      Kirill Smelkov authored
      GitLab Nexedi Edition is currently upstream 8.2.X + the following
      patches:
      
          - HTTP(S) is made to be default clone protocol
      
              kirr/gitlab-ce@5c1f2fb3
      
            and SSH info is completely removed from UI
      
              kirr/gitlab-ce@dfe9fb16
              kirr/gitlab-ce@f3f84743
      
            so essentially the only way to access a repository is via HTTP(S).
      
          - Rake check tasks are adjusted to exit with non-zero code if there
            is a failure
      
              kirr/gitlab-ce@a93ae418
      
            We need this for promises to work correctly with failures being
            detected, not silently skipped. The patch was sent upstream:
      
              https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/1885
      
          - GitLab supports setting up site's ICP License in gitlab.yml and
            shows it in appropriate places together with info about GitLab
            itself:
      
              kirr/gitlab-ce@e7e0fd88
              kirr/gitlab-ce@79c127e6
      
          + other cosmetic/minor changes.
      
      More patches will probably come (e.g. apply a single patch from a
      merge-request with `git am` without creating merge commit for just 1
      patch, etc) but for now that's all.
      
      NOTE ICP is non-ascii text with hieroglyphs. slapos.core was taught to
          be able to pass parameters with non-ascii values to instance:
      
              slapos.core@347d33d6
      
          That patch is included in slapos.core 1.3.15, but as we currently
          have a lot of older slapos.core deployed (e.g. 1.3.5 on my
          development webrunner) a workaround is (hopefully temporarily) used
          to pass non-ascii values as URL-encoded strings.
      
      /cc @kazuhiko, @jerome, @rafael
    • gitlab: Publish connection URL · 3c445ad3
      Kirill Smelkov authored
      In the previous patch we set up the nginx service, which listens to the
      world, and as such the gitlab service becomes ready to be used - so
      publish the backend URL.
      
      NOTE we'll need to optimise and tweak gitlab a bit further in upcoming
          patches, so it can be really used under load and with our use-cases,
          but even now it listens to http ok and generally works.
      
      /cc @kazuhiko, @jerome
    • gitlab/nginx: Slapos'ify config and turn nginx into a service · 85f7d7e3
      Kirill Smelkov authored
      Go through nginx configuration templates and convert them to jinja2 with
      slapos parameters (reminder: names and default values are imported from
      omnibus-gitlab 8.2.3+ce.0-0-g8eda093), except commenting out features we
      do not want to support (yet ?).
      
      As nginx is a reverse-proxy, i.e. it integrates all internal services
      and works as frontend to them, our gitlab service is now ready to listen
      and talk to the world over (standard to slapos services backend) IPv6.
      
      Nginx also acts as SSL termination point - for it to work by default we
      setup self-signed certificate for the backend, which can be manually
      changed to proper certificate if needed. Backend certificate is used
      if gitlab is configured to work in HTTPS mode (and frontend certificate
      is another story).
      
      NOTE ssl certificate is generated with just `openssl req ...` - yes, there
          is slapos.cookbook:certificate_authority.request but it requires
          to start whole service and has up to 60 seconds latency to generate
          certificate. And we only need to run 1 command to do that...
      
      The features disabled are:
      
          - http -> https redirection
      
            not needed for us at nginx level - the frontend can do the
            redirection and also gitlab speaks HSTS on https port so when we access
            https port via http protocol, it gets redirected to https.
      
          - kerberos
          - ssl_dhparam
          - providing custom nginx configuration via instance parameter
      
      /cc @kazuhiko, @jerome
    • gitlab: Hook nginx configuration files into SR system · 45127f6d
      Kirill Smelkov authored
      Like with Rails configuration files, hook nginx configuration files into
      SR / instance build process; rename *.erb -> *.in and add our header.
      
      The templates are still not valid - a lot of erb code is left there -
      we'll slapos'ify it incrementally in the following patches.
      
      /cc @kazuhiko, @jerome
    • gitlab: Import nginx http configuration from omnibus-gitlab · 61544d87
      Kirill Smelkov authored
      Like with Rails configuration this first step is pristine import of
      nginx configuration files from omnibus-gitlab. All files were imported
      as-is in their ERB form and filenames from omnibus-gitlab
      8.2.3+ce.0-0-g8eda093 from here:
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/tree/8eda093/files/gitlab-cookbooks/gitlab/templates/default
      
      We import only nginx main http configuration - nginx's CI and Mattermost
      configurations are not imported, as we do not support CI and Mattermost (yet ?).
      
      As with Rails configuration files, we will convert the templates to
      jinja2 and adjust them to slapos version in the following patches.  We
      will also use the same (commit from last-erb-mod commit + merge)
      approach to track upstream changes.
      
      /cc @kazuhiko, @jerome
    • gitlab: Setup sidekiq service · 4c127fdd
      Kirill Smelkov authored
      Sidekiq[1] is used in GitLab as background jobs manager - i.e. if a
      request handler needs to spawn some non-light job - it adds it to
      sidekiq queue (in Redis) and relies on sidekiq service to later pick
      this job up and execute it.
      
      The service is set up just to run bin/gitlab-sidekiq with appropriate
      queues (extracted from omnibus-gitlab) and appropriate settings
      controlling GitLab's sidekiq Out-Of-Memory killer[2].
      
      NOTE Unlike the unicorn OOM killer, the Sidekiq memory killer just makes
          sidekiq processes be terminated with SIGKILL and relies on the
          managing service to restart them. In slapos we don't have a mechanism
          to set autorestart=true, nor does bang/watchdog currently work with
          slapproxy, so we set up such monitoring ourselves manually with the
          here-introduced watcher-sigkill program.
      
      NOTE2 sidekiq promise, because it is rake/gitlab based, is slow to
          load/run and thus is put into etc/promise.slow/
      
      [1] http://sidekiq.org/
      [2] https://gitlab.com/gitlab-org/gitlab-ce/blob/1322bd78/doc/operations/sidekiq_memory_killer.md
      
      /cc @kazuhiko, @jerome
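An added example, written for this page and not the SlapOS watcher-sigkill program the note mentions (its source is not shown here): a minimal Python supervisor with the policy that note calls for, restart the child only when it died from SIGKILL (the way the sidekiq memory killer ends a worker) and pass every other exit straight through, so a deliberate stop by the service manager does not become a restart loop. The child commands are constructed one-liners; `max_restarts` and `backoff` are names assumed for the example.

```python
"""Added example: restart a child only when it was killed by SIGKILL, the
way the note above describes for sidekiq under its memory killer. This is
illustrative code, not the SlapOS watcher-sigkill program itself."""
import signal
import subprocess
import sys
import time


def exit_reason(returncode):
    """Classify a child's returncode as reported by subprocess.

    Python reports death by signal N as -N, so SIGKILL shows up as -9.
    Returns ("signal", N) or ("exit", code).
    """
    if returncode < 0:
        return ("signal", -returncode)
    return ("exit", returncode)


def killed_by_sigkill(returncode):
    kind, value = exit_reason(returncode)
    return kind == "signal" and value == int(signal.SIGKILL)


def run_with_sigkill_restart(argv, max_restarts=5, backoff=0.2):
    """Run argv, restarting it each time it is SIGKILLed (up to max_restarts).

    A clean exit, a non-zero exit, or death by any other signal (e.g. SIGTERM
    from the service manager on shutdown) is passed through untouched.
    Returns (last_returncode, restarts_performed).
    """
    restarts = 0
    while True:
        rc = subprocess.call(argv)
        if killed_by_sigkill(rc) and restarts < max_restarts:
            restarts += 1
            time.sleep(backoff)  # keep a fast-dying child from busy-looping us
            continue
        return rc, restarts


# Constructed children for demonstration: each is a tiny Python one-liner.
CHILD_SIGKILL_SELF = [sys.executable, "-c",
                      "import os, signal; os.kill(os.getpid(), signal.SIGKILL)"]
CHILD_SIGTERM_SELF = [sys.executable, "-c",
                      "import os, signal; os.kill(os.getpid(), signal.SIGTERM)"]
CHILD_EXIT_3 = [sys.executable, "-c", "raise SystemExit(3)"]


if __name__ == "__main__":
    # Usage as a wrapper: watcher.py -- <program> [args...]
    args = sys.argv[1:]
    if args and args[0] == "--":
        args = args[1:]
    if not args:
        args = CHILD_SIGKILL_SELF  # demo: a child that SIGKILLs itself
    rc, n = run_with_sigkill_restart(args, max_restarts=2, backoff=0.05)
    print("child finished with returncode %d after %d restart(s)" % (rc, n))
    # Mirror the shell convention: 128 + signal number for signal deaths.
    sys.exit(rc if rc >= 0 else 128 + -rc)
```

The restart budget is the important edge: without `max_restarts` a worker that is OOM-killed on every start (a too-small memory limit, a poisoned job at the head of the queue) would be respawned forever and the failure would never surface in a promise.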
    • gitlab: Upgrade gitlab-shell & gitlab-workhorse to versions which propagate $HOME · 76e371cd
      Kirill Smelkov authored
      As was described in the previous patch, we need $HOME to be propagated
      by these programs so that git can find the partition's .gitconfig.
      
      Specifically we need the following patches to be present in our build:
      
          https://gitlab.com/gitlab-org/gitlab-shell/commit/9e087f64
          https://gitlab.com/gitlab-org/gitlab-workhorse/commit/b5f1b803
      
      They both have been applied upstream very close to revisions we
      previously had in software.cfg, so we only need to update the revisions
      to get them.
      
      /cc @kazuhiko, @jerome
    • gitlab: Slapos'ify / tweak gitconfig and hook it into the system · 264d785a
      Kirill Smelkov authored
      Convert gitconfig template to jinja2 (reusing already-there
      `email_display_name` and `email_from` parameters for commits generated by
      gitlab).
      
      System-level git config from gitlab-omnibus is also imported into this
      file (on slapos we cannot tweak system-level git config -
      software/.../parts/git/... is read-only for programs in instance
      partitions), so we move all gitlab's system-wide git settings to this
      "user-level" gitconfig.
      
      System gitconfig in omnibus is defined here:
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8eda093/files/gitlab-cookbooks/gitlab/attributes/default.rb#L23
      
      so it is
      
          pack.threads = 1    and
          receive.fsckObjects = true
      
      which makes sense to not waste a lot of memory when packing and not to
      allow corrupt objects to enter the system, put there intentionally by evil users.
      
      To make the file findable by git - we put it into the partition root
      directory and set $HOME to point to partition root when running
      appropriate programs / services.
      
      NOTE we'll need to upgrade gitlab-shell and gitlab-workhorse to
          propagate $HOME for this setting to actually have effect.
          See the next patch.
      
      /cc @kazuhiko, @jerome
    • gitlab: Import gitconfig from omnibus-gitlab · 8f945bd2
      Kirill Smelkov authored
      Like with Rails configuration files, this is pristine import of template
      gitconfig from omnibus GitLab from
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/tree/8eda093/files/gitlab-cookbooks/gitlab/templates/default
      
      This is only a "user" part of git configuration. System-wide
      configuration is generated dynamically:
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8eda093/files/gitlab-cookbooks/gitlab/attributes/default.rb#L23
      
      and we'll import it by hand in the follow-up patches.
      
      /cc @kazuhiko, @jerome
    • gitlab: Setup gitlab-workhorse service · 6ddc1c30
      Kirill Smelkov authored
      Gitlab-workhorse[1] is a service which offloads Ruby-on-Rails based
      GitLab from long-running and slow requests. It is written in Go.
      
      Now as we have unicorn service set up, we can setup gitlab-workhorse
      service (which uses unicorn as authentication backend).
      
      Gitlab-workhorse setup is easy - it is just one program and several
      command line options to point to unicorn socket and to configure on
      which unix socket gitlab-workhorse will listen itself.
      
      NOTE we have to make sure that git and ruby are on PATH when running
          gitlab-workhorse - because e.g. on git push workhorse will run `git
          receive-pack` and a hook will be called which calls gitlab-shell,
          which is written in ruby.
      
      NOTE2 promise to check whether gitlab-workhorse is alive is to ping it
          via URL to non-existent endpoint and check for proper 403 HTTP code
          returned.
      
      [1] https://gitlab.com/gitlab-org/gitlab-workhorse
      
      /cc @kazuhiko, @jerome
    • gitlab: Compile assets on instantiation and make sure DB is properly setup/migrated before unicorn runs · 5a744de7
      Kirill Smelkov authored
      
      There are several actions that need to be done on gitlab instance
      upgrade:
      
          - we have to (re-)compile assets
          - we have to migrate DB
      
      and also before the first run
      
          - we have to initialize DB
      
      We can compile assets as part of instantiation process, but regarding
      DB migration / setup - it is not currently possible to do that as part
      of instantiation - for those operations we need PG & Redis to be already
      running, but the first time slapos instantiates an SR it first prepares
      all services, and only after instantiation is done, starts them all. There is
      currently no way to hook into starting process, and run some scripts
      after one service is started but before another service startup...
      
      So the solution is: to perform such actions in delayed mode as part of
      application - unicorn service - startup: it makes sure PG is running and
      initializes it and does other actions which needs to be done to migrate
      the DB. Only if/after they succeed the main application is started.
      
      NOTE the comment about unicorn/gitlab startup slowness from the previous
          patch still holds true - so in order to get "all ok" after
          instantiation, it is required to perform the instantiation several
          times, because unicorn promise initially fails.
      
      /cc @kazuhiko, @jerome
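An added example, not the SR's unicorn startup script, of the "delayed actions" pattern this commit describes: wait until the PostgreSQL unix socket accepts connections, run the one-off setup/migration steps in order, stop at the first failure, and only then hand the process over to the application. The socket path, step names and commands are placeholders assumed for the example; the listening-socket helper stands in for a started PostgreSQL so the code runs offline.

```python
"""Added example (not the SR's own unicorn wrapper): start-time ordering of
"wait for PG -> run setup/migration -> exec the app". Paths and commands are
placeholders for demonstration."""
import os
import socket
import subprocess
import sys
import tempfile
import time


def wait_for_unix_socket(path, timeout=60.0, interval=0.2):
    """Poll until something is listening on the unix socket at `path`.

    Returns True once a connect() succeeds, False if `timeout` seconds pass
    first. A successful connect is the cheapest "is it up" signal; for
    PostgreSQL a stricter check would be `pg_isready -h <socket dir>`.
    """
    deadline = time.monotonic() + timeout
    while True:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(interval)
        try:
            sock.connect(path)
            return True
        except OSError:  # ENOENT / ECONNREFUSED while the service is starting
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)
        finally:
            sock.close()


def run_steps(steps, run=subprocess.call):
    """Run (name, argv) pairs in order, stopping at the first failure.

    Returns (True, None) if every step exited 0, else (False, failed_name).
    Stopping early matters: starting the app on a half-migrated schema is
    worse than not starting at all.
    """
    for name, argv in steps:
        if run(argv) != 0:
            return False, name
    return True, None


def start_app(pg_socket, steps, app_argv, wait=60.0):
    """Wrapper entry point: returns a non-zero code on failure, otherwise
    execs `app_argv` in place, so the service manager keeps supervising the
    real application under the same PID."""
    if not wait_for_unix_socket(pg_socket, wait):
        sys.stderr.write("postgresql socket %s not ready\n" % pg_socket)
        return 2
    ok, failed = run_steps(steps)
    if not ok:
        sys.stderr.write("startup step %r failed\n" % failed)
        return 1
    os.execvp(app_argv[0], app_argv)


# ---- constructed helpers so the behaviour can be exercised offline ----

def listen_on_unix_socket(path):
    """Stand-in for a started PostgreSQL: a listening AF_UNIX socket."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    return sock


def fresh_socket_path():
    return os.path.join(tempfile.mkdtemp(), ".s.PGSQL.5432")


STEP_OK = [sys.executable, "-c", "raise SystemExit(0)"]    # pretend success
STEP_FAIL = [sys.executable, "-c", "raise SystemExit(1)"]  # pretend failure


if __name__ == "__main__":
    path = fresh_socket_path()
    pg = listen_on_unix_socket(path)  # pretend PG came up
    steps = [("db:create", STEP_OK), ("db:migrate", STEP_OK)]
    print("pg ready:", wait_for_unix_socket(path, 2), "steps ok:", run_steps(steps))
    pg.close()
```

In a real wrapper `steps` would be the rake invocations (database setup, migration, asset compilation) and `app_argv` the unicorn command line; the point of the ordering is that the promise on unicorn can only pass once the schema it depends on exists.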
    • gitlab: Set up unicorn service · 481e4758
      Kirill Smelkov authored
      Now that all gitlab Rails application configuration files are ready, we
      can setup unicorn service to start it.
      
      NOTE there is a promise to check unicorn by url which works, but there
          are also rake tasks to check gitlab itself, e.g. like
      
              gitlab:app:check
              gitlab:gitlab_shell:check
              gitlab:repo:check
      
          Unfortunately these tasks are slow to run (and gitlab:repo:check is
          very slow to run). That's why we do not put them into etc/promise/ -
          if we do - slapos reports promise timeouts.
      
          What we do is we put them into etc/promise.slow/ so we have those
          scripts ready, but currently no one automatically checks them.
      
          Again, the promise to check unicorn just by accessing it by URL is
          there and is checked automatically out of the box.
      
      NOTE2 GitLab is very slow to load. That's why it can take some time
          after unicorn starts before its promise starts to report ok. This can
          show itself as temporary instantiation errors which say promise such and
          such failed.
      
      NOTE3 Unicorn starts, but so far we did not care to set up the GitLab DB
          schema on instantiation. That's why unicorn remains not very usable
          and a lot of requests fail. We'll teach the instance to set up the DB and
          perform all other needed settings in the next patch.
      
      /cc @kazuhiko, @jerome
    • gitlab: Add helper to set up promise to check something via url · 2772191c
      Kirill Smelkov authored
      Like with [promise-wrapper] a recipe could do
      
          [promise-<service>]
          <= promise-byurl
          url     = ...
      
      and a script to check such url will be generated and automatically put
      into etc/promise/<service>.
      
      /cc @kazuhiko, @jerome
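An added example, not the SR's promise-byurl recipe or the script it generates, covering both this helper and the gitlab-workhorse promise from the "Setup gitlab-workhorse service" commit above (ping a non-existent endpoint and require exactly 403): a promise-style check that GETs a path and passes only on the expected status, over TCP or over a unix socket, since the SR puts workhorse and unicorn behind unix sockets. The fake backend and the socket paths are constructed for offline demonstration only.

```python
"""Added example (not the SR's promise-byurl recipe): an exact-status HTTP
liveness check usable as a promise, over TCP or an AF_UNIX socket. The fake
backend at the bottom is constructed so the check can run offline."""
import http.client
import http.server
import os
import socket
import socketserver
import sys
import tempfile
import threading


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is an AF_UNIX stream socket."""

    def __init__(self, socket_path, timeout=None):
        super().__init__("localhost", timeout=timeout)  # only feeds the Host header
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)


def check_endpoint(target, path, expected_status, timeout=5.0):
    """Return True only if GET `path` on `target` answers with exactly
    `expected_status`. `target` is (host, port) for TCP or a str socket path.

    Refused connections, timeouts and any other status are failures, so a
    promise built on this fails closed instead of treating any answer as
    "alive". For workhorse the commit above expects 403 on an unknown path.
    """
    if isinstance(target, str):
        conn = UnixHTTPConnection(target, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(target[0], target[1], timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status == expected_status
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


# ---- constructed fake backend so the check can be exercised offline ----

class _FixedStatusHandler(http.server.BaseHTTPRequestHandler):
    status = 403  # mimic workhorse answering 403 on an unknown endpoint

    def do_GET(self):
        self.send_response(self.status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # quiet, and avoids client_address[0] on AF_UNIX where it is ""


class _UnixHTTPServer(http.server.HTTPServer):
    address_family = socket.AF_UNIX
    allow_reuse_address = False

    def server_bind(self):
        # HTTPServer.server_bind assumes a (host, port) pair; bind the path.
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = "unix", 0


def start_fake_backend(status=403, unix_path=None):
    """Serve `status` for every GET in a daemon thread; returns the server."""
    handler = type("Handler", (_FixedStatusHandler,), {"status": status})
    if unix_path:
        if os.path.exists(unix_path):
            os.unlink(unix_path)
        server = _UnixHTTPServer(unix_path, handler)
    else:
        server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def stop_backend(server):
    server.shutdown()
    server.server_close()


def fresh_socket_path():
    return os.path.join(tempfile.mkdtemp(), "workhorse.sock")


if __name__ == "__main__":
    srv = start_fake_backend(403)
    ok = check_endpoint(srv.server_address, "/no-such-endpoint", 403)
    stop_backend(srv)
    print("workhorse-style promise:", "ok" if ok else "FAILED")
    sys.exit(0 if ok else 1)
```

Requiring an exact status rather than "any HTTP answer" is what makes the workhorse probe meaningful: a 502 from a proxy in front of a dead backend, or a 200 from some other process that grabbed the address, must not count as the service being alive.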
    • gitlab/unicorn: Automatically load all available CPUs by default · 5dc6321c
      Kirill Smelkov authored
      Automatically configure unicorn to spawn as much worker processes as
      there are CPUs on the system by default.
      
      GitLab omnibus pre-hardcodes this value default to 2 (which we copied)
      and then also tweaks it this way in active code
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8eda0933/files/gitlab-cookbooks/gitlab/attributes/default.rb#L230
      
      which we also do here.
      
      /cc @kazuhiko, @jerome
    • gitlab/gitlab-shell-config.yml: Explicitly point it to secret file · b55d823d
      Kirill Smelkov authored
      Explicitly point gitlab-shell to the location where we keep secrets.
      
      We already pointed gitlab to that place and now we do that for
      gitlab-shell so those 2 pieces can connect to each other ok.
      
      Regarding the setting itself - there is no such block in omnibus-gitlab,
      but it is present in gitlab-shell configuration example:
      
          https://gitlab.com/gitlab-org/gitlab-shell/blob/82b3a4e8/config.yml.example#L35
      
      /cc @kazuhiko, @jerome
    • gitlab/gitlab-shell-config.yml: Slapos'ify it · 0cd14ef6
      Kirill Smelkov authored
      Convert gitlab-shell configuration file to slapos:
      
          - convert to jinja2,
          - connect gitlab-shell to unicorn & redis unix sockets
      
      NOTE
      
          - http_settings are left to be default (empty) ones - as that works ok.
          - `auth_file` is still configured to point to the won't-be-used sshkeys
            file, as without it gitlab-shell check will fail.
          - support for audit_usernames and git_annex is disabled and
            remains not configurable.
      
      /cc @kazuhiko, @jerome
    • gitlab/unicorn.rb: Configure preload_app and pre-/post- forking actions · d599096a
      Kirill Smelkov authored
      Unicorn is a forking server with the idea that master process preloads
      heavy Ruby-on-Rails application, and then to handle new request a worker
      process is forked with application already loaded in its memory (and
      modification being tracked by OS via copy-on-write).
      
      From this point of view the only reasonable value for preload_app is
      always "true" and omnibus-gitlab does this:
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8eda0933/files/gitlab-cookbooks/gitlab/definitions/unicorn_service.rb#L65
      
      Then unicorn documentation shows what code has to be there in pre-/post-
      forking event:
      
          http://bogomips.org/unicorn.git/tree/examples/unicorn.conf.rb?id=3312aca8#n57
      
      GitLab uses only part of it that "allows a new master process to
      incrementally phase out the old master process with SIGTTOU to avoid a
      thundering herd":
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8eda0933/files/gitlab-cookbooks/gitlab/definitions/unicorn_service.rb#L69
          http://bogomips.org/unicorn.git/tree/examples/unicorn.conf.rb?id=3312aca8#n75
      
      but strangely does not use code parts that are "highly recommended" or
      "require" for "Rails + "preload_app true"" case.
      
      For reference I've added such code, but kept it commented out.
      
      /cc @kazuhiko, @jerome
    • gitlab/unicorn.rb: First round of slaposification · 0aae33d9
      Kirill Smelkov authored
      Convert unicorn parameters to slapos and configure it to listen on unix
      socket only.
      
      ( Omnibus configures unicorn to listen on unix socket and
        loopback TCP, mainly because gitlab-shell could not connect to unicorn
        via unix socket until recently:
      
            https://gitlab.com/gitlab-org/gitlab-shell/commit/184385ac
      
        But as it can now, there is no point in keeping the TCP port open )
      
      To be able to do such configuration we add stub to unicorn service
      section (to create needed directories where to keep the socket).
      
      There will be follow-up patch which configures unicorn pre/post-forking
      actions, which is not trivial and thus better be done on its own.
      
      /cc @kazuhiko, @jerome
    • gitlab/gitlab.yml: Slapos'ify rest of it · c3f1f0a9
      Kirill Smelkov authored
      Convert the rest of this configuration file to slapos.
      
      It is straightforward conversion of parameters except:
      
          - access-via-ssh is disabled (gitlab slapos version does not support
            ssh access and supports HTTP(S) only by design on purpose)
      
          - we do not support restricting possible projects visibility via
            instance parameter (very low chance this will be needed in
            practice)
      
          - default issue-closing pattern is just ok for now and not
            configurable
      
          - support for builds, build artifacts & CI is disabled (we do not
            support CI (yet ?))
      
          - some internal defaults are just ok (e.g. where to organize
            directory for keeping repositories archives for downloads)
      
          - reply-by-email is not supported (yet ?)
      
          - we do not support LFS (yet ?) - just plain git hosting is ok for now.
      
          - Gravatar defaults are ok for now and not configurable.
      
          - Support for LDAP is disabled
      
          - Support for Kerberos is disabled
      
          - Support for OmniAuth is disabled
      
          - Satellites path is just /dev/null as we start from version where
            satellites are already non-existent.
      
          - Uploading backups to somewhere via GitLab's builtin mechanism is
            not supported - we'll use SlapOS native backup and resiliency for
            this.
      
          - Support for Google analytics is disabled.
      
          - Support for Piwik is disabled.
      
          - we are ok (for now) with default rack-attack git settings
      
      /cc @kazuhiko, @jerome
    • gitlab: Determine current slapuserX in instance · 34419064
      Kirill Smelkov authored
      This user will need to be specified several times in configuration
      files, as by default gitlab uses 'git' user and does "sudo" to it if it
      is not current.
      
      We will use {{ backend_info.user }} in the upcoming patches.
      
      /cc @kazuhiko, @jerome
    • gitlab/gitlab.yml: Handle "external URL" · 93362a08
      Kirill Smelkov authored
      GitLab has a notion of "external URL" - the canonical "frontend" URL the
      server is reachable through: this URL is used as prefix to show
      e.g. git-clone URL for repositories, etc, even if a server can be
      reachable via several frontends.
      
      Add external_url handling to slapos instance.
      
      NOTE whether to use https or not is also defined by external_url, in
      particular by external_url scheme.
      
      /cc @kazuhiko, @jerome
    • gitlab/smtp_settings.rb: Convert/integrate to slapos · c64f7ece
      Kirill Smelkov authored
      Convert to slapos SMTP settings for gitlab:
      
          - convert to jinja2
          - remove support for gitlab CI (we do not support it (yet ?))
          - add handling of `smtp_enable` parameter directly to that file
            ( omnibus handles this parameter externally and just removes
              smtp_settings.rb if it is true )
      
      NOTE smtp_settings.rb contains the SMTP password, so its mode is set to 0600.
      
      /cc @kazuhiko, @jerome
    • gitlab/rack_attack.rb: Convert/integrate to slapos · a44f5a43
      Kirill Smelkov authored
      Just another 2 simple parameters (attack detection tunables) conversion
      to jinja2/slapos.
      
      /cc @kazuhiko, @jerome
    • gitlab/config.ru: Convert/integrate to slapos · 41b1edb5
      Kirill Smelkov authored
      Just convert 2 parameters used in that file to jinja syntax and add
      those parameters (unicorn OOM killer tunables) to gitlab-parameters.cfg
      
      /cc @kazuhiko, @jerome
    • gitlab/resque.yml: Tweak to integrate gitlab with internal redis · b20c258b
      Kirill Smelkov authored
      A simple change just to point resque to redis unix socket.
      
      /cc @kazuhiko, @jerome
    • gitlab/database.yml: Tweak to integrate gitlab with internal postgresql · a73d20f4
      Kirill Smelkov authored
      We tweak database.yml to point to our postgresql unix socket; set
      adapter to hardcoded postgresql, encoding to unicode and omit collation
      (which according to omnibus-gitlab is used for mysql only).
      
      The only instance parameter imported from omnibus is `db_pool` - how
      many connections to a DB to keep open in a RoR thread/process.
      
      XXX we use db's superuser as a user to connect. Is it ok to do even if
          the whole DB is used only for gitlab? (I think it is ok for the
          first iteration, but we'll probably need to refine this later)
      
      /cc @kazuhiko, @jerome
    • gitlab: Introduce macro library · 2e81276b
      Kirill Smelkov authored
      Introduce a library of Jinja2 macros that will be handy to use in
      templates. For now we add only 2 macros:
      
          cfg(name)   - to get instance configuration parameter `name`,   and
          cfg_bool    - to get truth value of ----//----
      
      The reason we introduce cfg() is that we will need to use a lot of
      parameters in many places and it is much more handy to write, e.g.
      
          cfg('email_enabled')
      
      compared to
      
          instance_parameter:configuration.email_enabled
      
      /cc @kazuhiko, @jerome
    • gitlab: Organize place to keep parameters & their default imported from gitlab-omnibus · de860ba5
      Kirill Smelkov authored
      We will be using several dozen parameters to control the gitlab
      instance. It makes sense not to deviate in such parameters namings and
      defaults from omnibus version.
      
      Thus for such parameters - for clarity - we organize a separate file
      where we will be keeping them - gitlab-parameters.cfg.
      
      In this patch series all used parameters will be "imported" from
      omnibus-gitlab 8.2.3+ce.0-0-g8eda093.
      
      NOTE it is maybe better to try to autogenerate that file from upstream
          omnibus parameters definitions. If time will tell it becomes hard to
          maintain our copy - we'll consider going that way.
      
      /cc @kazuhiko, @jerome
    • gitlab: Hook gitlab- and gitlab-shell- configuration files into the system · 13169cab
      Kirill Smelkov authored
      - Download them on SR build and pass info to instance
      - Instance prepares to process them as jinja2 templates
      - Instance hooks the files into configuration location as appropriate
      
      Every file so far is renamed *.erb -> *.in and a header added showing
      that this file is autogenerated with links about what was the base
      gitlab and/or omnibus version and omnibus reference revision this
      template was last updated for.
      
      So far all result configuration files are invalid - because ERB syntax
      is there. We will convert the configuration files to proper jinja2
      syntax and to using slapos parameters incrementally in the upcoming
      patches.
      
      NOTE (again): md5 sums are not yet fixed - we will fix them in the end
          of gitlab patches series after applying all tweaking changes.
      
      /cc @kazuhiko, @jerome
    • gitlab: Import gitlab-ce & gitlab-shell configs from omnibus-gitlab · 6fd7b987
      Kirill Smelkov authored
      Pristine import of template configuration files from omnibus GitLab
      package. All files were imported as-is in their ERB form and filenames
      from omnibus-gitlab 8.2.3+ce.0-0-g8eda093 from here:
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/tree/8eda093/files/gitlab-cookbooks/gitlab/templates/default
      
      We will convert the templates to jinja2 and adjust them to slapos
      version in the following patches.
      
      Scheme for synchronizing with future upstream changes is envisioned as this:
      
          - checkout latest commit which updated pristine erb files
          - copy updated files from omnibus-gitlab, and commit the updates
          - checkout slapos master
          - merge commit that updated erb
      
      That should reasonably work with not too many conflicts, and even those
      should not be hard to resolve (with `git mergetool`, e.g. in kdiff3).
      
      /cc @kazuhiko, @jerome
      6fd7b987
    • gitlab: Organize per-instance gitlab work tree · 2ddc5b0c
      Kirill Smelkov authored
      Organize per-instance place for gitlab configuration and work directory.
      
      Unfortunately, as GitLab is a Ruby-on-Rails application, it is not possible
      to keep its code in one place and have multiple separate configuration
      sets in different places and start that code for a configuration set -
      GitLab and Rails insist on getting configuration from a location
      relative to the source code tree.
      
      GitLab omnibus "solves" this by having only one configuration set and
      having symlinks from code to that only configuration set. In slapos we
      can potentially have several instances for one software and thus we
      cannot do that.
      
      With such limitations a proper solution would be to bind-mount software
      code into instance filesystem namespace close to configuration - that
      way the code will be only one and will find proper per-instance config.
      Currently we do not have namespaces available on slapos unfortunately,
      thus something else is needed.
      
      The workaround I decided to do is this: to clone the cloned gitlab
      repository from software/ space to instance/ space and adjust it in
      instance space. This has the following drawbacks:
      
          - code is duplicated
          - code becomes read-write, instead of being read-only
      
      but imho it is the most practical thing to do. Another solution could be
      to patch GitLab / Rails to remove the "config lives in code" assumption, but
      the number of places where this needs to be done is really large.
      
      NOTE gems which gitlab uses and which were installed during software
          compilation are not duplicated - they are reused via bundler - via
          pointing BUNDLE_GEMFILE to original location in software.
      
      NOTE2 For instance tasks and also for maintenance convenience we establish
          <instance>/bin/gitlab-* programs, e.g. gitlab-rake, which e.g. for
          gitlab-rake will run rake with correctly loaded gitlab environment -
          like in gitlab-omnibus.
      
      /cc @kazuhiko, @jerome, @jp
      2ddc5b0c
    • gitlab: Redis service · 0d286c5d
      Kirill Smelkov authored
      Organize internal Redis service, like with PostgreSQL in the previous
      patch, with the help of slapos.cookbook:redis.server recipe.
      
      Like with postgresql, and as we planned, redis listens only on
      internal-to-partition unix socket.
      
      The recipe establishes both the service and a promise to check it is alive;
      we only need to set up log rotation manually.
      
      /cc @kazuhiko, @jerome
      0d286c5d
    • gitlab: PostgreSQL service · 470719fe
      Kirill Smelkov authored
      Organize internal PostgreSQL database which will be used as DB for
      Ruby-on-Rails GitLab and listens only on unix socket (for security and
      performance reasons - see earlier intro patch).
      
      To do it we use the slapos.cookbook:postgres recipe, disabling
      "listen-to-network" by passing empty sets to the ipv4 and ipv6 recipe
      arguments.
      
      The promise to check whether DB is alive is just `psql -c '\q'` which
      will error if failing to connect to DB, but exit silently if connected ok.
      
      Explicit log rotation is not needed - as postgresql logs to
      stdout/stderr - not to a file - logs are handled by slapos - put into
      .slappartX_postgresql.log and automatically rotated there.
      
      XXX omnibus-gitlab tunes postgresql with shared_buffers and other
      parameters, most likely for performance reasons - see e.g.
      
          https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8-2-stable/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb#L113
      
      I decided not to fine-tune postgresql for now, and get on-field feedback
      first, and then, if needed, we can tune.
      
      /cc @kazuhiko, @jerome
      470719fe
    • golang: v↑ (1.5.3) · 3f4cde22
      Kirill Smelkov authored
      This is a security-bugfix release:
      
      From https://golang.org/doc/devel/release.html#go1.5.minor:
      
          go1.5.3 (released 2016/01/13) includes a security fix to the math/big
          package affecting the crypto/tls package. See the Go 1.5.3 milestone on
          our issue tracker[1] and the release announcement[2] for details.
      
          [1] https://github.com/golang/go/issues?q=milestone%3AGo1.5.3
          [2] https://golang.org/s/go153announce
      
      I've rebuilt the helloworld software release and briefly tested helloweb.go
      with go 1.5.3 ok.
      
      /reviewed-by: TrustMe
      /cc @kazuhiko, !39
      3f4cde22
    • helloweb/ruby: Abandon usage of slapos.cookbook:wrapper · 22124832
      Kirill Smelkov authored
      It turned out we cannot currently use slapos.cookbook in software part
      of SR - the reason is slapos.cookbook egg depends on lxml egg, which in
      turn needs libxml to be also installed via slapos.
      
      For this reason stack/slapos.cfg has
      
          [slapos-cookbook]   # NOTE _not_ slapos.cookbook
          recipe = zc.recipe.egg
          eggs =
            ${lxml-python:egg}
          ...
      
      and lxml-python is lxml building recipe to build it together with
      libxml:
      
          [lxml-python]
          recipe = zc.recipe.egg:custom
          egg = lxml
      
          rpath =
            ${libxml2:location}/lib/
            ${libxslt:location}/lib/
            ${zlib:location}/lib/
          environment = lxml-python-env
          ...
      
      So the underlying idea, as I understand it, is: every SR contains
      slapos-cookbook in parts and this way lxml-python gets built. Then when
      there is slapos.cookbook egg usage, it is already correctly built.
      
      BUT
      
      This works when such slapos.cookbook egg usage happens _only_ in instance
      part of an SR: otherwise, if buildout sees slapos.cookbook egg usage in
      some recipe, e.g. like it currently is in helloweb-ruby:
      
          [helloweb-ruby]
          recipe  = slapos.cookbook:wrapper
          ...
      
      it _first_ tries to install slapos.cookbook egg directly - as needed for
      recipes, eggs are installed as a first step, _before_ further buildout
      processing. What happens then is that slapos.cookbook (note not "-") egg
      sources and dependencies are downloaded from pypi, including lxml egg,
      a build of all of them is attempted, and in the lxml egg it fails this way:
      
          ...
          Processing lxml-3.5.0
          Writing /tmp/tmpLGK4xWbuild/lxml-3.5.0/setup.cfg
          Running setup.py -q bdist_egg --dist-dir /tmp/tmpLGK4xWbuild/lxml-3.5.0/egg-dist-tmp-DJvofa
          Building lxml version 3.5.0.
          Building without Cython.
          ERROR: /bin/sh: 1: xslt-config: not found
      
          ** make sure the development packages of libxml2 and libxslt are installed **
      
          Using build configuration of libxslt
          In file included from src/lxml/lxml.etree.c:323:0:
          src/lxml/includes/etree_defs.h:14:31: fatal error: libxml/xmlversion.h: No such file or directory
           #include "libxml/xmlversion.h"
                                         ^
          compilation terminated.
          Compile failed: command 'gcc' failed with exit status 1
          /tmp/tmpLGK4xWbuild/lxml-3.5.0/temp/xmlXPathInitGlEAOF.c:1:26: fatal error: libxml/xpath.h: No such file or directory
           #include "libxml/xpath.h"
                                    ^
          compilation terminated.
          *********************************************************************************
          Could not find function xmlCheckVersion in library libxml2. Is libxml2 installed?
          *********************************************************************************
          error: Setup script exited with error: command 'gcc' failed with exit status 1
          An error occurred when trying to install lxml 3.5.0. Look above this message for any errors that were output by easy_install.
          Could't load zc.buildout entry point wrapper
          from slapos.cookbook:
          Couldn't install: lxml 3.5.0.
          While:
            Installing.
            Getting section helloweb-ruby.
            Initializing section helloweb-ruby.
            Installing recipe slapos.cookbook.
          Error: Couldn't install: lxml 3.5.0
      
      Previously it probably used to work because we had system libxml
      installed, and this way lxml compilation succeeded (but was incorrect
      from slapos point of view).
      
      ( The problem turned out to be already known somehow - see e.g. c7d00913
        "Initial neoppod commit." and look for "Note on LXML/END LXML" there )
      
      Solution could be: either fix slapos.cookbook installation via e.g.
      teaching buildout to take into account pre-dependencies for eggs (for
      lxml) or just to avoid using slapos.cookbook:wrapper for executable
      generation.
      
      While @kazuhiko is working on the first more-generic solution, here goes
      a simpler one to just make helloweb component alive again: like it is
      done in a lot of places (e.g. in software/kvm/) let's use
      collective.recipe.template to generate a short shell script.
      
      NOTE
      
      previously the command line was
      
          ${bundler:bundle} exec sh -c 'helloweb.rb "$@"' ${:_buildout_section_name_}
      
      but now it is the same with "$@" appended:
      
          exec ${bundler:bundle} exec sh -c 'helloweb.rb "$@"' ${:_buildout_section_name_} "$@"
      
      The reason is that slapos.cookbook:wrapper uses slapos.recipe.librecipe.execute.generic_exec()
      in the generated script, which appends sys.argv[1:] to the command line implicitly:
      
          def generic_exec(args):
            ...
            os.execve(exec_list[0], exec_list + sys.argv[1:], exec_env)
                                              ^^^^^^^^^^^^^^
      
          https://lab.nexedi.com/nexedi/slapos/blob/54bbe0a9/slapos/recipe/librecipe/execute.py#L84
      
      that's why the last "$@" was not present in the original version.
      
      P.S.
      
      Otherwise, currently slapos.cookbook is used only in instance parts of
      recipes in the whole of slapos.git.
      
      /reviewed-by TrustMe
      /debugged-with @kazuhiko
      /cc @vpelletier
      22124832
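The "$@" point from the commit above, as an added example that is not code from slapos.git: `printf` stands in for helloweb.rb, and the three functions show what the inner `sh -c` script receives with and without the trailing "$@" (the old slapos.cookbook:wrapper got the same effect from generic_exec() appending sys.argv[1:]).

```shell
#!/bin/sh
# Added example (hypothetical stand-in, not the slapos wrapper itself):
# why the collective.recipe.template wrapper needs an explicit trailing "$@".
# The inner script prints "$#:$*" so the result is easy to compare.

# Old command line copied verbatim: nothing follows the section name, so the
# inner script sees zero positional parameters, whatever the wrapper got.
# (slapos.cookbook:wrapper's generic_exec() used to append sys.argv[1:] for us.)
wrapper_old() {
    sh -c 'printf "%s:%s" "$#" "$*"' helloweb-ruby
}

# New command line: "$@" appended, so the wrapper's own arguments reach the
# inner script unchanged (each argument stays one word, spaces included).
wrapper_new() {
    sh -c 'printf "%s:%s" "$#" "$*"' helloweb-ruby "$@"
}

# The section name after `sh -c '...'` becomes $0 of the inner shell (what
# shows up in error messages and `ps`); it is never part of "$@".
wrapper_name() {
    sh -c 'printf "%s" "$0"' helloweb-ruby "$@"
}

# Demonstration when run directly.
printf 'old:  <%s>\n' "$(wrapper_old --port 8080)"   # old:  <0:>
printf 'new:  <%s>\n' "$(wrapper_new --port 8080)"   # new:  <2:--port 8080>
printf 'name: <%s>\n' "$(wrapper_name --port 8080)"  # name: <helloweb-ruby>
```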
  2. 15 Jan, 2016 1 commit
    • python-magic : do not fail to import the lib · 54bbe0a9
      Aurel authored
      ctypes lib does not read the rpath of the current binary to look for the
      desired library, so although it exists the import failed. Bypass the first
      find to make the import work.
      54bbe0a9
  3. 14 Jan, 2016 1 commit