Add latest changes from gitlab-org/gitlab@13-2-stable-ee

4 files changed, 38 insertions, 16 deletions

diff --git a/doc/administration/operations/fast_ssh_key_lookup.md b/doc/administration/operations/fast_ssh_key_lookup.md
index 9f67c927128..b874a4257f0 100644
--- a/doc/administration/operations/fast_ssh_key_lookup.md
+++ b/doc/administration/operations/fast_ssh_key_lookup.md
@@ -3,7 +3,8 @@
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1631) in [GitLab Starter](https://about.gitlab.com/pricing/) 9.3.
 > - [Available in](https://gitlab.com/gitlab-org/gitlab/-/issues/3953) GitLab Community Edition 10.4.
 
-NOTE: **Note:** This document describes a drop-in replacement for the
+NOTE: **Note:**
+This document describes a drop-in replacement for the
 `authorized_keys` file. For normal (non-deploy key) users, consider using
 [SSH certificates](ssh_certificates.md). They are even faster, but are not a
 drop-in replacement.
@@ -67,19 +68,25 @@ sudo service ssh reload
 sudo service sshd reload
 ```
 
-Confirm that SSH is working by removing your user's SSH key in the UI, adding a
-new one, and attempting to pull a repository.
+Confirm that SSH is working by commenting out your user's key in the `authorized_keys`
+(start the line with a `#` to comment it), and attempting to pull a repository.
 
-NOTE: **Note:** For Omnibus Docker, `AuthorizedKeysCommand` is setup by default in
+A successful pull would mean that GitLab was able to find the key in the database,
+since it is not present in the file anymore.
+
+NOTE: **Note:**
+For Omnibus Docker, `AuthorizedKeysCommand` is setup by default in
 GitLab 11.11 and later.
 
-NOTE: **Note:** For Installations from source, the command would be located at
+NOTE: **Note:**
+For Installations from source, the command would be located at
 `/home/git/gitlab-shell/bin/gitlab-shell-authorized-keys-check` if [the install from source](../../install/installation.md#install-gitlab-shell) instructions were followed.
 You might want to consider creating a wrapper script somewhere else since this command needs to be
 owned by `root` and not be writable by group or others. You could also consider changing the ownership of this command
 as required, but that might require temporary ownership changes during `gitlab-shell` upgrades.
 
-CAUTION: **Caution:** Do not disable writes until SSH is confirmed to be working
+CAUTION: **Caution:**
+Do not disable writes until SSH is confirmed to be working
 perfectly, because the file will quickly become out-of-date.
 
 In the case of lookup failures (which are common), the `authorized_keys`
@@ -96,6 +103,8 @@ Again, confirm that SSH is working by removing your user's SSH key in the UI,
 adding a new one, and attempting to pull a repository.
 
 Then you can backup and delete your `authorized_keys` file for best performance.
+The current users' keys are already present in the database, so there is no need for migration
+or for asking users to re-add their keys.
 
 ## How to go back to using the `authorized_keys` file
 
@@ -200,3 +209,13 @@ the database. The following instructions can be used to build OpenSSH 7.5:
    # Only run this if you run into a problem logging in
    yum downgrade openssh-server openssh openssh-clients
    ```
+
+## SELinux support and limitations
+
+> [Introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/2855) in GitLab 10.5.
+
+GitLab supports `authorized_keys` database lookups with [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux).
+
+Because the SELinux policy is static, GitLab doesn't support the ability to change
+internal Unicorn ports at the moment. Admins would have to create a special `.te`
+file for the environment, since it isn't generated dynamically.
diff --git a/doc/administration/operations/filesystem_benchmarking.md b/doc/administration/operations/filesystem_benchmarking.md
index c5c5a8b4313..856061348ed 100644
--- a/doc/administration/operations/filesystem_benchmarking.md
+++ b/doc/administration/operations/filesystem_benchmarking.md
@@ -65,7 +65,8 @@ operations per second.
 
 ### Simple benchmarking
 
-NOTE: **Note:** This test is naive but may be useful if `fio` is not
+NOTE: **Note:**
+This test is naive but may be useful if `fio` is not
 available on the system. It's possible to receive good results on this
 test but still have poor performance due to read speed and various other
 factors.
diff --git a/doc/administration/operations/puma.md b/doc/administration/operations/puma.md
index af28335ef91..62b93d40a6b 100644
--- a/doc/administration/operations/puma.md
+++ b/doc/administration/operations/puma.md
@@ -1,11 +1,11 @@
 # Switching to Puma
 
-## Puma
-
 As of GitLab 12.9, [Puma](https://github.com/puma/puma) has replaced [Unicorn](https://yhbt.net/unicorn/).
-as the default web server. Starting with 13.0, both all-in-one package based
-installations as well as Helm chart based installations will run Puma instead of
-Unicorn unless explicitly specified not to.
+as the default web server. From GitLab 13.0, the following run Puma instead of Unicorn unless
+explicitly configured not to:
+
+- All-in-one package-based installations.
+- Helm chart-based installations.
 
 ## Why switch to Puma?
 
@@ -32,10 +32,12 @@ Additionally we strongly recommend that multi-node deployments [configure their
 ## Performance caveat when using Puma with Rugged
 
 For deployments where NFS is used to store Git repository, we allow GitLab to use
-[Direct Git Access](../gitaly/#direct-git-access-in-gitlab-rails) to improve performance via usage of [Rugged](https://github.com/libgit2/rugged).
+[direct Git access](../gitaly/index.md#direct-access-to-git-in-gitlab) to improve performance using
+[Rugged](https://github.com/libgit2/rugged).
 
-Rugged usage is automatically enabled if Direct Git Access is present, unless it
-is disabled by [feature flags](../../development/gitaly.md#legacy-rugged-code).
+Rugged usage is automatically enabled if direct Git access
+[is available](../gitaly/index.md#how-it-works), unless it is disabled by
+[feature flags](../../development/gitaly.md#legacy-rugged-code).
 
 MRI Ruby uses a GVL. This allows MRI Ruby to be multi-threaded, but running at
 most on a single core. Since Rugged can use a thread for long periods of
diff --git a/doc/administration/operations/unicorn.md b/doc/administration/operations/unicorn.md
index eabf99eb08c..a1593c3a6c3 100644
--- a/doc/administration/operations/unicorn.md
+++ b/doc/administration/operations/unicorn.md
@@ -45,7 +45,7 @@ master process has PID 56227 below.
 The main tunable options for Unicorn are the number of worker processes and the
 request timeout after which the Unicorn master terminates a worker process.
 See the [Omnibus GitLab Unicorn settings
-documentation](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/unicorn.md)
+documentation](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/unicorn.html)
 if you want to adjust these settings.
 
 ## unicorn-worker-killer