| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-31 06:10:03 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-31 06:10:03 +0300 |
| commit | 96fb7f03bd25a123567fa8a10ccaf4922f01a8aa (patch) | |
| tree | dd24f91a37d72f0b37961d412177e65fcf07a5c0 /doc | |
| parent | 6ac9f963e62db1a2c347517694b94bd86c1fb37f (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/administration/packages/container_registry.md | 27 |
| -rw-r--r-- | doc/ci/docker/using_kaniko.md | 2 |
| -rw-r--r-- | doc/ci/troubleshooting.md | 17 |
| -rw-r--r-- | doc/development/identity_verification.md | 111 |
| -rw-r--r-- | doc/security/identity_verification.md | 42 |

5 files changed, 198 insertions, 1 deletions
diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md index fd3cbb2ad05..87422f1ddeb 100644 --- a/doc/administration/packages/container_registry.md +++ b/doc/administration/packages/container_registry.md 
@@ -1285,6 +1285,33 @@ specified in its configuration and allows the operation. GitLab background jobs processing (through Sidekiq) also interacts with Registry. These jobs talk directly to Registry to handle image deletion. +## Migrate from a third-party registry + +Using external container registries in GitLab was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/376217) +in GitLab 15.8 and the end of support occurred in GitLab 16.0. See the [deprecation notice](../../update/deprecations.md#use-of-third-party-container-registries-is-deprecated) for more details. + +The integration is not disabled in GitLab 16.0, but support for debugging and fixing issues +is no longer provided. Additionally, the integration is no longer being developed or +enhanced with new features. Third-party registry functionality might be completely removed +after the new GitLab Container Registry version is available for self-managed (see epic [5521](https://gitlab.com/groups/gitlab-org/-/epics/5521)). Only the GitLab Container Registry is planned to be supported. + +This section has guidance for administrators migrating from third-party registries +to the GitLab Container Registry. If the third-party container registry you are using is not listed here, +you can describe your use cases in [the feedback issue](https://gitlab.com/gitlab-org/container-registry/-/issues/958). + +For all of the instructions provided below, you should try them first on a test environment. +Make sure everything continues to work as expected before replicating it in production. + +### Docker Distribution Registry + +The [Docker Distribution Registry](https://docs.docker.com/registry/) was donated to the CNCF +and is now known as the [Distribution Registry](https://github.com/distribution/distribution). +This registry is the open source implementation that the GitLab Container Registry is based on. 
+The GitLab Container Registry is compatible with the basic functionality provided by the Distribution Registry, +including all the supported storage backends. To migrate to the GitLab Container Registry +you can follow the instructions on this page, and use the same storage backend as the Distribution Registry. +The GitLab Container Registry should accept the same configuration that you are using for the Distribution Registry. + ## Troubleshooting Before diving in to the following sections, here's some basic troubleshooting: diff --git a/doc/ci/docker/using_kaniko.md b/doc/ci/docker/using_kaniko.md index 32f95052980..b7affe28984 100644 --- a/doc/ci/docker/using_kaniko.md +++ b/doc/ci/docker/using_kaniko.md @@ -134,7 +134,7 @@ before_script: - | echo "-----BEGIN CERTIFICATE----- ... - -----END CERTIFICATE-----" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt + -----END CERTIFICATE-----" >> /kaniko/ssl/certs/ca-certificates.crt ``` ## Video walkthrough of a working example diff --git a/doc/ci/troubleshooting.md b/doc/ci/troubleshooting.md index c56ca439c83..fb33ad5500f 100644 --- a/doc/ci/troubleshooting.md +++ b/doc/ci/troubleshooting.md 
@@ -328,6 +328,23 @@ When you rerun a job, uses the same configuration each time. If you update confi including separate files added with [`include`](yaml/index.md#include), you must start a new pipeline to use the new configuration. +### Unable to pull image from another project + +When a runner tries to pull an image from a private project, the job could fail with the following error: + +```shell +WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.example.com/path/to/project, repository does not exist or may require 'docker login': denied: requested access to the resource is denied +``` + +This error can happen if the following are both true: + +- The **Allow access to this project with a CI_JOB_TOKEN** option is enabled in the private project + hosting the image. +- The job attempting to fetch the image is running for a project that is not listed in + the private project's allowlist. + +The recommended solution is to [add your project to the private project's job token scope allowlist](jobs/ci_job_token.md#add-a-project-to-the-job-token-scope-allowlist). + ## Pipeline warnings Pipeline configuration warnings are shown when you: diff --git a/doc/development/identity_verification.md b/doc/development/identity_verification.md new file mode 100644 index 00000000000..14a944807a8 --- /dev/null +++ b/doc/development/identity_verification.md 
@@ -0,0 +1,111 @@ +--- +stage: Data Science +group: Anti-Abuse +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Identity verification development + +For information on this feature that are not development-specific, see the [feature documentation](../security/identity_verification.md). + +## Feature flags + +Because of the many registration paths and multiple verification stages, identity verification has several feature flags. + +Before you enable these features, ensure [hard email confirmation](../security/user_email_confirmation.md) is enabled and [Arkose](../integration/arkose.md#configuration) is configured properly. + + +| Feature flag name | Description | +|---------|-------------| +| `identity_verification` | Turns on email verification for all registration paths | +| `identity_verification_phone_number` | Turns on phone verification for medium risk users for all flows (the Arkose challenge flag for the specific flow and the `identity_verification` flag must be enabled for this to have effect) | +| `identity_verification_credit_card` | Turns on credit card verification for high risk users for all flows (the Arkose challenge flag for the specific flow and the `identity_verification` flag must be enabled for this to have effect) | +| `arkose_labs_signup_challenge` | Enables Arkose challenge for all flows, except the Trial and OAuth flows | +| `arkose_labs_trial_signup_challenge` | Enables Arkose challenge for the Trial flow (the `arkose_labs_signup_challenge` flag must be enabled as well for this to have effect) | +| `arkose_labs_oauth_signup_challenge` | Enables Arkose challenge for the OAuth flow | + +## Logging + +You can triage and debug issues raised by identity verification with the [GitLab production logs](https://log.gprd.gitlab.net). 
+ +### View logs associated to a user and email verification + +To view logs associated to the [email stage](../security/identity_verification.md#email-verification) for a user: + +- Query the GitLab production logs with the following KQL: + + ```plaintext + KQL: json.controller:"IdentityVerificationController" AND json.username:replace_username_here + ``` + +Valuable debugging information can be found in the `json.action` and `json.location` columns. + +### View logs associated to a user and phone verification + +To view logs associated to the [phone stage](../security/identity_verification.md#phone-number-verification) for a user: + +- Query the GitLab production logs with the following KQL: + + ```plaintext + KQL: json.message: "IdentityVerification::Phone" AND json.username:replace_username_here + ``` + +On rows where `json.event` is `Failed Attempt`, you can find valuable debugging information in the `json.reason` column such as: + +| Reason | Description | +|---------|-------------| + | `invalid_phone_number` | Either there was a typo in the phone number, or the user used a VOIP number. GitLab does not allow users to sign up with non-mobile phone numbers. | +| `invalid_code` | The user entered an incorrect verification code. | +| `rate_limited` | The user had 10 or more failed attempts, so they were rate-limited for one hour. | +| `related_to_banned_user` | The user tried a phone number already related to a banned user. 
| + +### View logs associated to a user and credit card verification + +To view logs associated to the [credit card stage](../security/identity_verification.md#credit-card-verification) for a user: + +- Query the GitLab production logs with the following KQL: + + ```plaintext + KQL: json.message: "IdentityVerification::CreditCard" AND json.username:replace_username_here + ``` + +On rows where `json.event` is `Failed Attempt`, you can find valuable debugging information in the `json.reason` column such as: + +| Reason | Description | +|---------|-------------| +| `rate_limited` | The user had 10 or more failed attempts, so they were rate-limited for one hour. | +| `related_to_banned_user` | The user tried a credit card number already related to a banned user. | + +### View logs associated with high-risk users + +To view logs associated with the [credit card stage](../security/identity_verification.md#credit-card-verification) for high-risk users: + +- Query the GitLab production logs with the following KQL: + + ```plaintext + json.controller:"SubscriptionsController" AND json.action:"payment_form" AND json.params.value:"cc_registration_validation" + ``` + +## Code walkthrough + +<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> +For a walkthrough and high level explanation of the code, see [Identity Verification - Code walkthrough](https://www.youtube.com/watch?v=DIsnMiNzND8). + +## QA Integration + +For end-to-end production and staging tests to function properly, GitLab [allows QA users to bypass identity verification](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117633). + +## Additional resources + +<!-- markdownlint-disable MD044 --> +The [Anti-abuse team](https://about.gitlab.com/handbook/engineering/development/data-science/anti-abuse/#team-members) owns identity verification. You can join our channel on Slack: [#g_anti-abuse](https://gitlab.slack.com/archives/C03EH5HCLPR). 
+<!-- markdownlint-enable MD044 --> + +For help with Telesign: + +<!-- markdownlint-disable MD044 --> +- Telesign/GitLab collaboration channel on Slack: [#gitlab-telesign-support](https://gitlab.slack.com/archives/C052EAXB6BY) +<!-- markdownlint-enable MD044 --> +- Telesign support contact: `support@telesign.com` +- [Telesign portal](https://teleportal.telesign.com/) +- [Telesign documentation](https://developer.telesign.com/enterprise/docs/get-started-with-docs) diff --git a/doc/security/identity_verification.md b/doc/security/identity_verification.md new file mode 100644 index 00000000000..cf2beaf229f --- /dev/null +++ b/doc/security/identity_verification.md 
@@ -0,0 +1,42 @@ +--- +stage: Anti-Abuse +group: Anti-Abuse +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Identity verification **(FREE)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95722) in GitLab 15.4 [with a flag](../administration/feature_flags.md) named `identity_verification`. Disabled by default. + +FLAG: +On self-managed GitLab, by default this feature is not available. +This feature is not ready for production use. + +Identity verification provides multiple layers of GitLab account security. +Depending on your [risk score](../integration/arkose.md), you might be required to perform up to +three stages of verification to register an account: + +- **All users** - Email verification. +- **Medium-risk users** - Phone number verification. +- **High-risk users** - Credit card verification. + +## Email verification + +To register an account, you must provide a valid email address. +See [Account email verification](email_verification.md). + +## Phone number verification + +In addition to email verification, you might have to provide a valid phone number and verify a one-time code. + +You cannot verify an account with a phone number associated with a banned user. + +## Credit card verification + +In addition to email and phone number verification, you might have to provide a valid credit card number. + +You cannot verify an account with a credit card number associated with a banned user. + +## Related topics + +- [Identity verification development documentation](../development/identity_verification.md) |
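Review bot: In the `doc/administration/packages/container_registry.md` hunk, the sentence "The GitLab Container Registry should accept the same configuration that you are using for the Distribution Registry" is hedged in a way that leaves a migrating administrator unsure whether to expect breakage; either state it definitively or list the known configuration differences and link the registry configuration reference. Two smaller points in the same hunk: "the end of support occurred in GitLab 16.0" reads better as "support ended in GitLab 16.0", and "you can follow the instructions on this page" needs a specific anchor (which section of the page) so the reader knows where to start. Because the guidance is to reuse the same storage backend, it would also help to say explicitly that the existing image data stays in place and that the administrator should take a backup of it before pointing the GitLab Container Registry at the same backend, in line with the hunk's own advice to rehearse on a test environment first.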
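Review bot: The `doc/ci/docker/using_kaniko.md` hunk changes only the target of the `>>` redirect (`/kaniko/ssl/certs/additional-ca-cert-bundle.crt` to `/kaniko/ssl/certs/ca-certificates.crt`) with no explanation in the surrounding text; add a sentence saying that the certificate is appended to kaniko's trusted CA bundle, and check that no other mention of the old filename remains on the page. Since the snippet now appends to the bundle kaniko uses for all TLS verification, the text should also make clear that only the organisation's internal CA certificate belongs there: anything added to that file is trusted for every connection kaniko makes during the build, not just the registry push.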
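Review bot: In the `doc/ci/troubleshooting.md` hunk, the error message is fenced as `shell` although it is pasted daemon output, not a command; fence it as `plaintext`, which is what the new identity verification pages in this same commit use for log output and KQL, so readers do not try to run it. On the recommended fix: the job token scope allowlist is an access-control boundary, so the text should say to add only the specific project whose job needs to pull the image, and should not leave the impression that turning off the **Allow access to this project with a CI_JOB_TOKEN** option on the private project is an acceptable shortcut.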
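Review bot: In the `doc/development/identity_verification.md` hunk, the `invalid_phone_number` row of the phone verification reason table starts with a leading space before its `|` (` | \`invalid_phone_number\` | ...`), which misaligns it with the other rows and can break table rendering; remove the space. In the same hunk, the first three KQL blocks carry a `KQL: ` prefix inside the code fence while the fourth (`json.controller:"SubscriptionsController" ...`) does not; the prefix is not part of the query and will not parse if pasted verbatim, so drop it from all three. Minor wording: "For information on this feature that are not development-specific" should read "that is not development-specific", "associated to" should be "associated with" in the three log section headings, and "VOIP" is conventionally written "VoIP".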
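Review bot: The front matter of `doc/security/identity_verification.md` sets `stage: Anti-Abuse`, while `doc/development/identity_verification.md` added in the same commit sets `stage: Data Science` for the same `group: Anti-Abuse`; pick one so the technical writer lookup that the `info:` line points to resolves consistently. The FLAG block states the feature "is not ready for production use", yet the body then describes the three verification stages as if they were in effect ("you might be required to perform up to three stages"); one sentence tying those stages to the `identity_verification` flag being enabled would avoid confusing self-managed administrators. The phone number and credit card sections each say a number associated with a banned user cannot be used to verify an account; if the behaviour is defined, say what the user sees in that case (whether registration is blocked or another number can be tried), because that is the question a support engineer reading this page will have.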