diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-08-28 21:11:00 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-08-28 21:11:00 +0300 |
| commit | 672c5fcf46b385257ce01c2f773a65aa3578175d (patch) | |
| tree | 6fd83630d0f8eea286e2a34d5fa782770802dddc /doc | |
| parent | 8b992ba2281a5da786195b1fd1c2e424b0f441c4 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/administration/object_storage.md | 6 | ||||
| -rw-r--r-- | doc/api/graphql/reference/index.md | 1 | ||||
| -rw-r--r-- | doc/api/settings.md | 6 | ||||
| -rw-r--r-- | doc/api/vulnerability_exports.md | 14 | ||||
| -rw-r--r-- | doc/architecture/blueprints/runner_tokens/index.md | 8 | ||||
| -rw-r--r-- | doc/ci/runners/configure_runners.md | 28 | ||||
| -rw-r--r-- | doc/ci/runners/new_creation_workflow.md | 22 | ||||
| -rw-r--r-- | doc/ci/runners/runners_scope.md | 22 | ||||
| -rw-r--r-- | doc/development/documentation/styleguide/index.md | 20 | ||||
| -rw-r--r-- | doc/development/secure_coding_guidelines.md | 2 | ||||
| -rw-r--r-- | doc/operations/error_tracking.md | 12 | ||||
| -rw-r--r-- | doc/security/token_overview.md | 8 | ||||
| -rw-r--r-- | doc/tutorials/create_register_first_runner/index.md | 2 | ||||
| -rw-r--r-- | doc/tutorials/hugo/index.md | 2 | ||||
| -rw-r--r-- | doc/user/profile/notifications.md | 1 | ||||
| -rw-r--r-- | doc/user/project/pages/custom_domains_ssl_tls_certification/index.md | 2 | ||||
| -rw-r--r-- | doc/user/project/pages/getting_started_part_one.md | 17 | ||||
| -rw-r--r-- | doc/user/project/pages/introduction.md | 10 | ||||
| -rw-r--r-- | doc/user/project/pages/redirects.md | 11 |
19 files changed, 104 insertions, 90 deletions
diff --git a/doc/administration/object_storage.md b/doc/administration/object_storage.md index 07cb8157960..0b12d41eb4e 100644 --- a/doc/administration/object_storage.md +++ b/doc/administration/object_storage.md @@ -156,12 +156,12 @@ For the storage-specific form, [direct upload may become the default](https://gitlab.com/gitlab-org/gitlab/-/issues/27331) because it does not require a shared folder. -For configuring object storage in GitLab 13.1 and earlier, or for storage types not -supported by consolidated form, refer to the following guides: +For configuring object storage in GitLab 13.1 and earlier, _or_ for storage types not +For storage types not supported by the consolidated form, refer to the following guides: | Object storage type | Supported by consolidated form? | |---------------------|------------------------------------------| -| [Project-level Secure Files](secure_files.md#using-object-storage) | **{dotted-circle}** No | +| [Secure Files](secure_files.md#using-object-storage) | **{dotted-circle}** No | | [Backups](../administration/backup_restore/backup_gitlab.md#upload-backups-to-a-remote-cloud-storage) | **{dotted-circle}** No | | [Container Registry](packages/container_registry.md#use-object-storage) (optional feature) | **{dotted-circle}** No | | [Mattermost](https://docs.mattermost.com/configure/file-storage-configuration-settings.html)| **{dotted-circle}** No | diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index cbfe096a169..90d27749b0c 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -2383,6 +2383,7 @@ Input type: `CreateTestCaseInput` | Name | Type | Description | | ---- | ---- | ----------- | | <a id="mutationcreatetestcaseclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| <a id="mutationcreatetestcaseconfidential"></a>`confidential` | [`Boolean`](#boolean) | Sets the test case confidentiality. | | <a id="mutationcreatetestcasedescription"></a>`description` | [`String`](#string) | Test case description. | | <a id="mutationcreatetestcaselabelids"></a>`labelIds` | [`[ID!]`](#id) | IDs of labels to be added to the test case. | | <a id="mutationcreatetestcaseprojectpath"></a>`projectPath` | [`ID!`](#id) | Project full path to create the test case in. | diff --git a/doc/api/settings.md b/doc/api/settings.md index 6d21f0b120d..7df57a0163d 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -542,9 +542,9 @@ listed in the descriptions of the relevant settings. | `shared_runners_enabled` | boolean | no | (**If enabled, requires:** `shared_runners_text` and `shared_runners_minutes`) Enable shared runners for new projects. | | `shared_runners_minutes` **(PREMIUM ALL)** | integer | required by: `shared_runners_enabled` | Set the maximum number of compute minutes that a group can use on shared runners per month. | | `shared_runners_text` | string | required by: `shared_runners_enabled` | Shared runners text. | -| `runner_token_expiration_interval` | integer | no | Set the expiration time (in seconds) of authentication tokens of newly registered instance runners. Minimum value is 7200 seconds. For more information, see [Automatically rotate authentication tokens](../ci/runners/configure_runners.md#automatically-rotate-authentication-tokens). | -| `group_runner_token_expiration_interval` | integer | no | Set the expiration time (in seconds) of authentication tokens of newly registered group runners. Minimum value is 7200 seconds. For more information, see [Automatically rotate authentication tokens](../ci/runners/configure_runners.md#automatically-rotate-authentication-tokens). | -| `project_runner_token_expiration_interval` | integer | no | Set the expiration time (in seconds) of authentication tokens of newly registered project runners. Minimum value is 7200 seconds. For more information, see [Automatically rotate authentication tokens](../ci/runners/configure_runners.md#automatically-rotate-authentication-tokens). | +| `runner_token_expiration_interval` | integer | no | Set the expiration time (in seconds) of authentication tokens of newly registered instance runners. Minimum value is 7200 seconds. For more information, see [Automatically rotate authentication tokens](../ci/runners/configure_runners.md#automatically-rotate-runner-authentication-tokens). | +| `group_runner_token_expiration_interval` | integer | no | Set the expiration time (in seconds) of authentication tokens of newly registered group runners. Minimum value is 7200 seconds. For more information, see [Automatically rotate authentication tokens](../ci/runners/configure_runners.md#automatically-rotate-runner-authentication-tokens). | +| `project_runner_token_expiration_interval` | integer | no | Set the expiration time (in seconds) of authentication tokens of newly registered project runners. Minimum value is 7200 seconds. For more information, see [Automatically rotate authentication tokens](../ci/runners/configure_runners.md#automatically-rotate-runner-authentication-tokens). | | `sidekiq_job_limiter_mode` | string | no | `track` or `compress`. Sets the behavior for [Sidekiq job size limits](../administration/settings/sidekiq_job_limits.md). Default: 'compress'. | | `sidekiq_job_limiter_compression_threshold_bytes` | integer | no | The threshold in bytes at which Sidekiq jobs are compressed before being stored in Redis. Default: 100,000 bytes (100 KB). | | `sidekiq_job_limiter_limit_bytes` | integer | no | The threshold in bytes at which Sidekiq jobs are rejected. Default: 0 bytes (doesn't reject any job). | diff --git a/doc/api/vulnerability_exports.md b/doc/api/vulnerability_exports.md index ab25ca9e511..0886db257dd 100644 --- a/doc/api/vulnerability_exports.md +++ b/doc/api/vulnerability_exports.md @@ -187,11 +187,11 @@ The response is `404 Not Found` if the vulnerability export is not finished yet Example response: ```csv -Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,Comments, -Gitlab.org,Defend,container_scanning,Trivy,resolved,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"2022-10-07 13:41:08 UTC|root|resolved|changed vulnerability status to resolved", -Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,"", -Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"", -Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"", -Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"", -Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false,"" +Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,Comments,Full Path +Gitlab.org,Defend,container_scanning,Trivy,resolved,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"2022-10-07 13:41:08 UTC|root|resolved|changed vulnerability status to resolved",group/project/1 +Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,"",group/project/2 +Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"",group/project/3 +Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"",group/project/4 +Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,"",group/project/5 +Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false,"",group/project/6 ``` diff --git a/doc/architecture/blueprints/runner_tokens/index.md b/doc/architecture/blueprints/runner_tokens/index.md index 29d7c05c553..338547ba2a9 100644 --- a/doc/architecture/blueprints/runner_tokens/index.md +++ b/doc/architecture/blueprints/runner_tokens/index.md @@ -78,7 +78,7 @@ graph TD <!-- vale gitlab.Spelling = NO --> In this proposal, runners created in the GitLab UI are assigned -[authentication tokens](../../../security/token_overview.md#runner-authentication-tokens-also-called-runner-tokens) +[authentication tokens](../../../security/token_overview.md#runner-authentication-tokens) prefixed with `glrt-` (**G**it**L**ab **R**unner **T**oken). <!-- vale gitlab.Spelling = YES --> The prefix allows the existing `register` command to use the authentication token _in lieu_ @@ -97,8 +97,8 @@ token in the `--registration-token` argument: | Token type | Behavior | | ---------- | -------- | -| [Registration token](../../../security/token_overview.md#runner-authentication-tokens-also-called-runner-tokens) | Leverages the `POST /api/v4/runners` REST endpoint to create a new runner, creating a new entry in `config.toml`. | -| [Authentication token](../../../security/token_overview.md#runner-authentication-tokens-also-called-runner-tokens) | Leverages the `POST /api/v4/runners/verify` REST endpoint to ensure the validity of the authentication token. Creates an entry in `config.toml` file and a `system_id` value in a sidecar file if missing (`.runner_system_id`). | +| [Registration token](../../../security/token_overview.md#runner-authentication-tokens) | Leverages the `POST /api/v4/runners` REST endpoint to create a new runner, creating a new entry in `config.toml`. | +| [Runner authentication token](../../../security/token_overview.md#runner-authentication-tokens) | Leverages the `POST /api/v4/runners/verify` REST endpoint to ensure the validity of the authentication token. Creates an entry in `config.toml` file and a `system_id` value in a sidecar file if missing (`.runner_system_id`). | ### Transition period @@ -427,7 +427,7 @@ scope. | GitLab Rails app | `%16.6` | Disable registration tokens on the instance level by running database migration (except GitLab.com) | | | GitLab Rails app | `%16.8` | Disable registration tokens on the instance level for GitLab.com | | | GitLab Rails app | `%16.3` | Implement new `:create_runner` PPGAT scope so that we don't require a full `api` scope. | -| GitLab Rails app | | Document gotchas when [automatically rotating runner tokens](../../../ci/runners/configure_runners.md#automatically-rotate-authentication-tokens) with multiple machines. | +| GitLab Rails app | | Document gotchas when [automatically rotating runner tokens](../../../ci/runners/configure_runners.md#automatically-rotate-runner-authentication-tokens) with multiple machines. | ### Stage 7 - Removals diff --git a/doc/ci/runners/configure_runners.md b/doc/ci/runners/configure_runners.md index 3e26c120f74..dc55353dd18 100644 --- a/doc/ci/runners/configure_runners.md +++ b/doc/ci/runners/configure_runners.md @@ -64,9 +64,9 @@ of shared runners on large GitLab instances. This ensures that you control access to your GitLab instances and secure [runner executors](https://docs.gitlab.com/runner/executors/). If certain executors run a job, the file system, the code the runner executes, -and the runner token may be exposed. This means that anyone that runs jobs +and the runner authentication token may be exposed. This means that anyone that runs jobs on a _shared runner_ can access another user's code that runs on the runner. -Users with access to the runner token can use it to create a clone of +Users with access to the runner authentication token can use it to create a clone of a runner and submit false jobs in a vector attack. For more information, see [Security Considerations](https://docs.gitlab.com/runner/security/). ### Prevent runners from revealing sensitive information @@ -124,19 +124,19 @@ you use to provision and register new values. ### Reset the runner authentication token -If an authentication token is revealed, an attacker could use the token to [clone a runner](https://docs.gitlab.com/runner/security/#cloning-a-runner). +If a runner authentication token is revealed, an attacker could use the token to [clone a runner](https://docs.gitlab.com/runner/security/#cloning-a-runner). -To reset the authentication token: +To reset the runner authentication token: 1. Delete the runner: - [Delete a shared runner](runners_scope.md#delete-shared-runners). - [Delete a group runner](runners_scope.md#delete-a-group-runner). - [Delete a project runner](runners_scope.md#delete-a-project-runner). -1. Create a new runner so that it is assigned a new authentication token: - - [Create a shared runner](runners_scope.md#create-a-shared-runner-with-an-authentication-token). - - [Create a group runner](runners_scope.md#create-a-group-runner-with-an-authentication-token). - - [Create a project runner](runners_scope.md#create-a-project-runner-with-an-authentication-token). -1. Optional. To verify that the previous authentication token has been revoked, use the [Runners API](../../api/runners.md#verify-authentication-for-a-registered-runner). +1. Create a new runner so that it is assigned a new runner authentication token: + - [Create a shared runner](runners_scope.md#create-a-shared-runner-with-a-runner-authentication-token). + - [Create a group runner](runners_scope.md#create-a-group-runner-with-a-runner-authentication-token). + - [Create a project runner](runners_scope.md#create-a-project-runner-with-a-runner-authentication-token). +1. Optional. To verify that the previous runner authentication token has been revoked, use the [Runners API](../../api/runners.md#verify-authentication-for-a-registered-runner). ## Use tags to control which jobs a runner can run @@ -874,7 +874,7 @@ defaults to the number of CPUs available. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/30942) in GitLab 15.3 [with a flag](../../administration/feature_flags.md) named `enforce_runner_token_expires_at`. Disabled by default. > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/377902) in GitLab 15.5. Feature flag `enforce_runner_token_expires_at` removed. -Each runner has an [authentication token](../../api/runners.md#registration-and-authentication-tokens) +Each runner has an [runner authentication token](../../api/runners.md#registration-and-authentication-tokens) to connect with the GitLab instance. To help prevent the token from being compromised, you can have the @@ -883,12 +883,12 @@ they are updated for each runner, regardless of the runner's status (`online` or No manual intervention should be required, and no running jobs should be affected. -If you need to manually update the authentication token, you can run a +If you need to manually update the runner authentication token, you can run a command to [reset the token](https://docs.gitlab.com/runner/commands/#gitlab-runner-reset-token). -### Automatically rotate authentication tokens +### Automatically rotate runner authentication tokens -You can specify an interval for authentication tokens to rotate. +You can specify an interval for runner authentication tokens to rotate. This rotation helps ensure the security of the tokens assigned to your runners. Prerequisites: @@ -904,4 +904,4 @@ To automatically rotate runner authentication tokens: 1. Set a **Runners expiration** time for runners, leave empty for no expiration. 1. Select **Save**. -Before the interval expires, runners automatically request a new authentication token. +Before the interval expires, runners automatically request a new runner authentication token. diff --git a/doc/ci/runners/new_creation_workflow.md b/doc/ci/runners/new_creation_workflow.md index 02bedccef6b..56a712fec4c 100644 --- a/doc/ci/runners/new_creation_workflow.md +++ b/doc/ci/runners/new_creation_workflow.md @@ -14,7 +14,7 @@ As with all projects, the items mentioned on this page are subject to change or The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc. -In GitLab 16.0, we introduced a new runner creation workflow that uses authentication tokens to register +In GitLab 16.0, we introduced a new runner creation workflow that uses runner authentication tokens to register runners. The legacy workflow that uses registration tokens is deprecated and will be removed in GitLab 17.0. For information about the current development status of the new workflow, see [epic 7663](https://gitlab.com/groups/gitlab-org/-/epics/7663). @@ -30,8 +30,8 @@ you can let us know in the [feedback issue](https://gitlab.com/gitlab-org/gitlab For the new runner registration workflow, you: 1. [Create a runner](register_runner.md) directly in the GitLab UI. -1. Receive an authentication token. -1. Use the authentication token instead of the registration token when you register +1. Receive a runner authentication token. +1. Use the runner authentication token instead of the registration token when you register a runner with this configuration. Runner managers registered in multiple hosts appear under the same runner in the GitLab UI, but with an identifying system ID. @@ -59,7 +59,7 @@ workflow will break. To avoid a broken workflow, you must: -1. [Create a shared runner](runners_scope.md#create-a-shared-runner-with-an-authentication-token) and obtain the authentication token. +1. [Create a shared runner](runners_scope.md#create-a-shared-runner-with-a-runner-authentication-token) and obtain the authentication token. 1. Replace the registration token in your runner registration workflow with the authentication token. @@ -74,15 +74,15 @@ Plans to implement a UI setting to re-enable registration tokens are proposed in ## Changes to the `gitlab-runner register` command syntax -The `gitlab-runner register` command will stop accepting registration tokens and instead accept new +The `gitlab-runner register` command will stop accepting registration tokens and instead accept new runner authentication tokens generated in the GitLab runners administration page. -These authentication tokens are recognizable by their `glrt-` prefix. +The runner authentication tokens are recognizable by their `glrt-` prefix. When you create a runner in the GitLab UI, you specify configuration values that were previously command-line options prompted by the `gitlab-runner register` command. These command-line options have been [deprecated](../../update/deprecations.md#registration-tokens-and-server-side-runner-arguments-in-post-apiv4runners-endpoint). -If you specify an authentication token with: +If you specify a runner authentication token with: - the `--token` command-line option, the `gitlab-runner register` command does not accept the configuration values. - the `--registration-token` command-line option, the `gitlab-runner register` command ignores the configuration values. @@ -91,7 +91,7 @@ Authentication tokens have the prefix, `glrt-`. To ensure minimal disruption to your automation workflow, [legacy-compatible registration processing](https://docs.gitlab.com/runner/register/#legacy-compatible-registration-processing) -triggers if an authentication token is specified in the legacy parameter `--registration-token`. +triggers if a runner authentication token is specified in the legacy parameter `--registration-token`. Example command for GitLab 15.9: @@ -124,7 +124,7 @@ gitlab-runner register \ ## Impact on autoscaling In autoscaling scenarios such as GitLab Runner Operator or GitLab Runner Helm Chart, the -registration token is replaced with the authentication token generated from the UI. +registration token is replaced with the runner authentication token generated from the UI. This means that the same runner configuration is reused across jobs, instead of creating a runner for each job. The specific runner can be identified by the unique system ID that is generated when the runner @@ -137,7 +137,7 @@ Existing runners will continue to work as usual. This change only affects regist ## Creating runners programmatically In GitLab 15.11 and later, you can use the [POST /user/runners REST API](../../api/users.md#create-a-runner) to create a runner as an authenticated user. This should only be used if the runner configuration is dynamic or not reusable. If the runner configuration is static, you should -reuse the authentication token of an existing runner. For more information, see [How to automate the creation of GitLab Runners](https://about.gitlab.com/blog/2023/07/06/how-to-automate-creation-of-runners/). +reuse the runner authentication token of an existing runner. For more information, see [How to automate the creation of GitLab Runners](https://about.gitlab.com/blog/2023/07/06/how-to-automate-creation-of-runners/). The following snippet shows how a group runner could be created and registered with a [Group Access Token](../../user/group/settings/group_access_tokens.md) using the new creation flow. @@ -181,7 +181,7 @@ runUntagged: true protected: true ``` -If you store the runner token in `secrets`, you must also modify them. +If you store the runner authentication token in `secrets`, you must also modify them. In the legacy runner registration workflow, fields were specified with: diff --git a/doc/ci/runners/runners_scope.md b/doc/ci/runners/runners_scope.md index fff695eb606..440c0d5d4ee 100644 --- a/doc/ci/runners/runners_scope.md +++ b/doc/ci/runners/runners_scope.md @@ -34,7 +34,7 @@ If you are using GitLab.com: - The shared runners consume the [compute minutes](../pipelines/cicd_minutes.md) included with your account. -### Create a shared runner with an authentication token +### Create a shared runner with a runner authentication token > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383139) in GitLab 15.10. Deployed behind the `create_runner_workflow_for_admin` [flag](../../administration/feature_flags.md) > - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/389269) in GitLab 16.0. @@ -44,7 +44,7 @@ Prerequisite: - You must be an administrator. -When you create a runner, it is assigned an authentication token that you use to register it. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. +When you create a runner, it is assigned a runner authentication token that you use to register it. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. To create a shared runner: @@ -57,10 +57,10 @@ To create a shared runner: 1. Select **Submit**. 1. Follow the on-screen instructions to register the runner from the command line. -You can also [create a runner](../../api/users.md#create-a-runner) with the API to generate an authentication token. +You can also [create a runner](../../api/users.md#create-a-runner) with the API to generate a runner authentication token. NOTE: -The authentication token displays in the UI for only a short period of time during registration. +The runner authentication token displays in the UI for only a short period of time during registration. ### Create a shared runner with a registration token (deprecated) @@ -222,7 +222,7 @@ to have access to a set of runners. Group runners process jobs by using a first in, first out queue. -### Create a group runner with an authentication token +### Create a group runner with a runner authentication token > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383143) in GitLab 15.10. Deployed behind the `create_runner_workflow_for_namespace` [flag](../../administration/feature_flags.md). Disabled by default. > - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/393919) in GitLab 16.0. @@ -233,7 +233,7 @@ Prerequisites: - You must have the Owner role for the group. You can create a group runner for your self-managed GitLab instance or for GitLab.com. -When you create a runner, it is assigned an authentication token that you use to register it. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. +When you create a runner, it is assigned a runner authentication token that you use to register it. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. To create a group runner: @@ -248,7 +248,7 @@ To create a group runner: You can also [create a runner](../../api/users.md#create-a-runner) with the API to generate an authentication token. NOTE: -The authentication token displays in the UI for only a short period of time during registration. +The runner authentication token displays in the UI for only a short period of time during registration. ### Create a group runner with a registration token (deprecated) @@ -399,7 +399,7 @@ NOTE: Project runners do not get shared with forked projects automatically. A fork *does* copy the CI/CD settings of the cloned repository. -### Create a project runner with an authentication token +### Create a project runner with a runner authentication token > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383143) in GitLab 15.10. Deployed behind the `create_runner_workflow_for_namespace` [flag](../../administration/feature_flags.md). Disabled by default. > - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/393919) in GitLab 16.0. @@ -409,7 +409,7 @@ Prerequisites: - You must have the Maintainer role for the project. -You can create a project runner for your self-managed GitLab instance or for GitLab.com. When you create a runner, it is assigned an authentication token that you use to register to the runner. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. +You can create a project runner for your self-managed GitLab instance or for GitLab.com. When you create a runner, it is assigned a runner authentication token that you use to register to the runner. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. To create a project runner: @@ -422,10 +422,10 @@ To create a project runner: 1. Select **Submit**. 1. Follow the on-screen instructions to register the runner from the command line. -You can also [create a runner](../../api/users.md#create-a-runner) with the API to generate an authentication token. +You can also [create a runner](../../api/users.md#create-a-runner) with the API to generate a runner authentication token. NOTE: -The authentication token displays in the UI for only a short period of time during registration. +The runner authentication token displays in the UI for only a short period of time during registration. ### Create a project runner with a registration token (deprecated) diff --git a/doc/development/documentation/styleguide/index.md b/doc/development/documentation/styleguide/index.md index 4c65089bb63..aecbc90210c 100644 --- a/doc/development/documentation/styleguide/index.md +++ b/doc/development/documentation/styleguide/index.md @@ -984,7 +984,7 @@ To be consistent, use these templates when you write navigation steps in a task To open project settings: ```markdown -1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project. +1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > CI/CD**. 1. Expand **General pipelines**. ``` @@ -992,7 +992,7 @@ To open project settings: To open group settings: ```markdown -1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group. +1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > CI/CD**. 1. Expand **General pipelines**. ``` @@ -1000,7 +1000,7 @@ To open group settings: To open either project or group settings: ```markdown -1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project or group. +1. On the left sidebar, select **Search or go to** and find your project or group. 1. Select **Settings > CI/CD**. 1. Expand **General pipelines**. ``` @@ -1020,14 +1020,14 @@ To create a group: To open the Admin Area: ```markdown -1. On the left sidebar, expand the top-most chevron (**{chevron-down}**). +1. On the left sidebar, select **Search or go to**. 1. Select **Admin Area**. ``` To open the **Your work** menu item: ```markdown -1. On the left sidebar, expand the top-most chevron (**{chevron-down}**). +1. On the left sidebar, select **Search or go to**. 1. Select **Your work**. ``` @@ -1049,15 +1049,15 @@ To save the selection in some dropdown lists: To view all your projects: ```markdown -1. On the left sidebar, expand the top-most chevron (**{chevron-down}**). -1. Select **View all your projects**. +1. On the left sidebar, select **Search or go to**. +1. Select **View all my projects**. ``` To view all your groups: ```markdown -1. On the left sidebar, expand the top-most chevron (**{chevron-down}**). -1. Select **View all your groups**. +1. On the left sidebar, select **Search or go to**. +1. Select **View all my groups**. ``` ### Optional steps @@ -1089,7 +1089,7 @@ Use the phrase **Complete the fields**. For example: -1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project. +1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Settings > Repository**. 1. Expand **Push rules**. 1. Complete the fields. diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index 186239cc547..806fbd8d1f6 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -1279,7 +1279,7 @@ Credentials can be: - Login details like username and password. - Private keys. -- Tokens (PAT, runner tokens, JWT token, CSRF tokens, project access tokens, etc). +- Tokens (PAT, runner authentication tokens, JWT token, CSRF tokens, project access tokens, etc). - Session cookies. - Any other piece of information that can be used for authentication or authorization purposes. diff --git a/doc/operations/error_tracking.md b/doc/operations/error_tracking.md index 36c5ed03197..1404644d2a9 100644 --- a/doc/operations/error_tracking.md +++ b/doc/operations/error_tracking.md @@ -206,3 +206,15 @@ To rectify the following error, specify the deprecated DSN in **Sentry.io > Proj ```plaintext ERROR: Sentry failure builds=0 error=raven: dsn missing private key ``` + +## Troubleshooting + +When working with Error Tracking, you might encounter the following issues. + +### Error `Connection failed. Check auth token and try again` + +If the Monitor feature is disabled in the [project settings](../user/project/settings/index.md#configure-project-features-and-permissions), +you might see an error when you try to [enable Sentry integration for a project](#enable-sentry-integration-for-a-project). +The resulting request to `/project/path/-/error_tracking/projects.json?api_host=https:%2F%2Fsentry.example.com%2F&token=<token>` returns a 404 status. + +To fix this issue, enable the Monitor feature for the project. diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md index e081ac61fb5..8c4c2bc3ad4 100644 --- a/doc/security/token_overview.md +++ b/doc/security/token_overview.md @@ -99,20 +99,20 @@ Runner registration tokens are used to [register](https://docs.gitlab.com/runner You can use the runner registration token to add runners that execute jobs in a project or group. The runner has access to the project's code, so be careful when assigning project and group-level permissions. -## Runner authentication tokens (also called runner tokens) +## Runner authentication tokens -Once created, the runner receives an authentication token, which it uses to authenticate with GitLab when picking up jobs from the job queue. The authentication token is stored locally in the runner's [`config.toml`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) file. +Once created, the runner receives a runner authentication token, which it uses to authenticate with GitLab when picking up jobs from the job queue. The runner authentication token is stored locally in the runner's [`config.toml`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) file. After authentication with GitLab, the runner receives a [job token](../ci/jobs/ci_job_token.md), which it uses to execute the job. In case of Docker Machine/Kubernetes/VirtualBox/Parallels/SSH executors, the execution environment has no access to the runner authentication token, because it stays on the runner machine. They have access to the job token only, which is needed to execute the job. -Malicious access to a runner's file system may expose the `config.toml` file and thus the authentication token, allowing an attacker to [clone the runner](https://docs.gitlab.com/runner/security/#cloning-a-runner). +Malicious access to a runner's file system may expose the `config.toml` file and thus the runner authentication token, allowing an attacker to [clone the runner](https://docs.gitlab.com/runner/security/#cloning-a-runner). In GitLab 16.0 and later, you can use an authentication token to register runners instead of a registration token. Runner registration tokens have been [deprecated](../update/deprecations.md#registration-tokens-and-server-side-runner-arguments-in-gitlab-runner-register-command). -To generate an authentication token, you create a runner in the GitLab UI and use the authentication token +To generate a runner authentication token, you create a runner in the GitLab UI and use the authentication token instead of the registration token. | Process | Registration command | diff --git a/doc/tutorials/create_register_first_runner/index.md b/doc/tutorials/create_register_first_runner/index.md index 05bf5cd8288..af5fe006db7 100644 --- a/doc/tutorials/create_register_first_runner/index.md +++ b/doc/tutorials/create_register_first_runner/index.md @@ -107,7 +107,7 @@ To create a project runner: ### Check the runner configuration file -After you register the runner, the configuration and authentication token is saved to your `config.toml`. The runner uses the +After you register the runner, the configuration and runner authentication token is saved to your `config.toml`. The runner uses the token to authenticate with GitLab when picking up jobs from the job queue. You can use the `config.toml` to diff --git a/doc/tutorials/hugo/index.md b/doc/tutorials/hugo/index.md index 97c79e77392..5f466234a36 100644 --- a/doc/tutorials/hugo/index.md +++ b/doc/tutorials/hugo/index.md @@ -139,7 +139,7 @@ You'll see that GitLab has run your `test` and `pages` jobs. To view your site, on the left-hand navigation, select **Settings > Pages** -The `pages` job in your pipeline has deployed the contents of your `public` directory to GitLab Pages. Under **Access pages**, you should see the link in the format: `https://<your-namespace>.gitlab.io/<project-name>`. +The `pages` job in your pipeline has deployed the contents of your `public` directory to GitLab Pages. Under **Access pages**, you should see the link in the format: `https://<your-namespace>.gitlab.io/<project-path>`. You won't see this link if you haven't yet run your pipeline. diff --git a/doc/user/profile/notifications.md b/doc/user/profile/notifications.md index f1310bbb323..5135b2be359 100644 --- a/doc/user/profile/notifications.md +++ b/doc/user/profile/notifications.md @@ -275,6 +275,7 @@ epics: | Merge Request | New note | Participants, Watchers, Subscribers, and Custom notification level with this event selected. Also anyone mentioned by username in the comment, with notification level "Mention" or higher. | | Merge Request | Pushed | Participants and Custom notification level with this event selected. | | Merge Request | Reassigned | Participants, Watchers, Subscribers, Custom notification level with this event selected, and the old assignee. | +| Merge Request | Review requested | Participants, Watchers, Subscribers, Custom notification level with this event selected, and the old reviewer. | | Merge Request | Reopened | Subscribers and participants. | | Merge Request | Title or description changed | Any new mentions by username. | | Pipeline | Failed | The author of the pipeline. | diff --git a/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md b/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md index 8bf4875ba1e..160d2101718 100644 --- a/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md +++ b/doc/user/project/pages/custom_domains_ssl_tls_certification/index.md @@ -113,7 +113,7 @@ Subdomains (`subdomain.example.com`) require: Whether it's a user or a project website, the DNS record should point to your Pages domain (`namespace.gitlab.io`), -without any `/project-name`. +without any path (for example, `/project-slug`).  diff --git a/doc/user/project/pages/getting_started_part_one.md b/doc/user/project/pages/getting_started_part_one.md index e44a7bf347f..e3750152a29 100644 --- a/doc/user/project/pages/getting_started_part_one.md +++ b/doc/user/project/pages/getting_started_part_one.md @@ -25,13 +25,14 @@ For GitLab self-managed instances, replace `example.io` with your instance's Pages domain. For GitLab.com, Pages domains are `*.gitlab.io`. -| Type of GitLab Pages | The name of the project created in GitLab | Website URL | +| Type of GitLab Pages | The path of the project created in GitLab | Website URL | | -------------------- | ------------ | ----------- | -| User pages | `username.example.io` | `http(s)://username.example.io` | -| Group pages | `groupname.example.io` | `http(s)://groupname.example.io` | -| Project pages owned by a user | `projectname` | `http(s)://username.example.io/projectname` | -| Project pages owned by a group | `projectname` | `http(s)://groupname.example.io/projectname`| -| Project pages owned by a subgroup | `subgroup/projectname` | `http(s)://groupname.example.io/subgroup/projectname`| +| User pages | `username/username.example.io` | `http(s)://username.example.io` | +| Group pages | `acmecorp/acmecorp.example.io` | `http(s)://acmecorp.example.io` | +| Project pages owned by a user | `username/my-website` | `http(s)://username.example.io/my-website` | +| Project pages owned by a group | `acmecorp/webshop` | `http(s)://acmecorp.example.io/webshop`| +| Project pages owned by a subgroup | `acmecorp/documentation/product-manual` | `http(s)://acmecorp.example.io/documentation/product-manual`| +| Project pages owned by a subgroup | `group-path/subgroup-slug/project-slug` | `http(s)://group-path.example.io/subgroup-slug/project-slug`| WARNING: There are some known [limitations](introduction.md#subdomains-of-subdomains) @@ -72,7 +73,7 @@ To understand Pages domains clearly, read the examples below. **General example:** - On GitLab.com, a project site is always available under - `https://namespace.gitlab.io/project-name` + `https://namespace.gitlab.io/project-slug` - On GitLab.com, a user or group website is available under `https://namespace.gitlab.io/` - On your GitLab instance, replace `gitlab.io` above with your @@ -86,7 +87,7 @@ The `baseurl` option might be named differently in some static site generators. Every Static Site Generator (SSG) default configuration expects to find your website under a (sub)domain (`example.com`), not in a subdirectory of that domain (`example.com/subdir`). Therefore, -whenever you publish a project website (`namespace.gitlab.io/project-name`), +whenever you publish a project website (for example, `namespace.gitlab.io/project-slug`), you must look for this configuration (base URL) on your static site generator's documentation and set it up to reflect this pattern. diff --git a/doc/user/project/pages/introduction.md b/doc/user/project/pages/introduction.md index 4585ee2cecd..87e30c1279e 100644 --- a/doc/user/project/pages/introduction.md +++ b/doc/user/project/pages/introduction.md @@ -47,9 +47,9 @@ depending on your static generator configuration. If the case of `404.html`, there are different scenarios. For example: -- If you use project Pages (served under `/projectname/`) and try to access - `/projectname/non/existing_file`, GitLab Pages tries to serve first - `/projectname/404.html`, and then `/404.html`. +- If you use project Pages (served under `/project-slug/`) and try to access + `/project-slug/non/existing_file`, GitLab Pages tries to serve first + `/project-slug/404.html`, and then `/404.html`. - If you use user or group Pages (served under `/`) and try to access `/non/existing_file` GitLab Pages tries to serve `/404.html`. - If you use a custom domain and try to access `/non/existing_file`, GitLab @@ -87,7 +87,7 @@ For [group websites](../../project/pages/getting_started_part_one.md#user-and-gr the group must be at the top level and not a subgroup. For [project websites](../../project/pages/getting_started_part_one.md#project-website-examples), -you can create your project first and access it under `http(s)://namespace.example.io/projectname`. +you can create your project first and access it under `http(s)://namespace.example.io/project-path`. ## Enable unique domains @@ -308,7 +308,7 @@ For a list of known issues, see the GitLab [public issue tracker](https://gitlab This problem most likely results from a missing `index.html` file in the public directory. If after deploying a Pages site a 404 is encountered, confirm that the public directory contains an `index.html` file. If the file contains a different name -such as `test.html`, the Pages site can still be accessed, but the full path would be needed. For example: `https//group-name.pages.example.com/project-name/test.html`. +such as `test.html`, the Pages site can still be accessed, but the full path would be needed. For example: `https//group-name.pages.example.com/project-slug/test.html`. The contents of the public directory can be confirmed by [browsing the artifacts](../../../ci/jobs/job_artifacts.md#download-job-artifacts) from the latest pipeline. diff --git a/doc/user/project/pages/redirects.md b/doc/user/project/pages/redirects.md index 5f1f5bc59ae..ff1f138e5b7 100644 --- a/doc/user/project/pages/redirects.md +++ b/doc/user/project/pages/redirects.md @@ -47,14 +47,14 @@ To create redirects, create a configuration file named `_redirects` in the configured at the instance level. Only the first matching rules within the configured maximum are processed. The default file size limit is 64 KB, and the default maximum number of rules is 1,000. - If your GitLab Pages site uses the default domain name (such as - `namespace.gitlab.io/projectname`) you must prefix every rule with the project name: + `namespace.gitlab.io/project-slug`) you must prefix every rule with the path: ```plaintext - /projectname/wardrobe.html /projectname/narnia.html 302 + /project-slug/wardrobe.html /project-slug/narnia.html 302 ``` - If your GitLab Pages site uses [custom domains](custom_domains_ssl_tls_certification/index.md), - no project name prefix is needed. For example, if your custom domain is `example.com`, + no project path prefix is needed. For example, if your custom domain is `example.com`, your `_redirects` file would look like: ```plaintext @@ -69,7 +69,7 @@ the file instead of your redirect. For example, if the files `hello.html` and is ignored because `hello.html` exists: ```plaintext -/projectname/hello.html /projectname/world.html 302 +/project-slug/hello.html /project-slug/world.html 302 ``` GitLab does not support Netlify @@ -210,8 +210,7 @@ would **not** match a request URL like `/old/file`: ## Debug redirect rules If a redirect isn't working as expected, or you want to check your redirect syntax, visit -`https://[namespace.gitlab.io]/projectname/_redirects`, replacing `[namespace.gitlab.io]` with -your domain name. The `_redirects` file isn't served directly, but your browser +`[your pages url]/_redirects`. The `_redirects` file isn't served directly, but your browser displays a numbered list of your redirect rules, and whether the rule is valid or invalid: ```plaintext |