Diffstat (limited to 'doc/administration/gitaly/configure_gitaly.md')
-rw-r--r-- | doc/administration/gitaly/configure_gitaly.md | 61 |
1 files changed, 23 insertions, 38 deletions
diff --git a/doc/administration/gitaly/configure_gitaly.md b/doc/administration/gitaly/configure_gitaly.md index 426d07b154d..4b2832bebc0 100644 --- a/doc/administration/gitaly/configure_gitaly.md +++ b/doc/administration/gitaly/configure_gitaly.md @@ -1,5 +1,5 @@ --- -stage: Create +stage: Systems group: Gitaly info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- 
@@ -130,57 +130,49 @@ Install Gitaly on each Gitaly server using either Omnibus GitLab or install it f - To install from source, follow the steps at [Install Gitaly](../../install/installation.md#install-gitaly). -### Configure authentication +### Configure Gitaly servers -Gitaly and GitLab use two shared secrets for authentication: +To configure Gitaly servers, you must: -- One to authenticate gRPC requests to Gitaly. -- A second for authentication callbacks from GitLab Shell to the GitLab internal API. +- Configure authentication. +- Configure storage paths. +- Enable the network listener. -**For Omnibus GitLab** +The `git` user must be able to read, write, and set permissions on the configured storage path. -To configure the Gitaly token: +To avoid downtime while rotating Gitaly's token, you can temporarily disable authentication using the `gitaly['auth_transitioning']` setting. For more information, see the documentation on +[enabling "auth transitioning mode"](#enable-auth-transitioning-mode). -1. On the Gitaly clients, edit `/etc/gitlab/gitlab.rb`: +#### Configure authentication - ```ruby - gitlab_rails['gitaly_token'] = 'abc123secret' - ``` +Gitaly and GitLab use two shared secrets for authentication: -1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). -1. On the Gitaly server, edit `/etc/gitlab/gitlab.rb`: +- _Gitaly token_: used to authenticate gRPC requests to Gitaly +- _GitLab Shell token_: used for authentication callbacks from GitLab Shell to the GitLab internal API + +**For Omnibus GitLab** + +To configure the _Gitaly token_, edit `/etc/gitlab/gitlab.rb`: ```ruby gitaly['auth_token'] = 'abc123secret' ``` -1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). - -There are two ways to configure the GitLab Shell token. +There are two ways to configure the _GitLab Shell token_. -Method 1: +Method 1 (recommended): -1. 
Copy `/etc/gitlab/gitlab-secrets.json` from the Gitaly client to same path on the Gitaly servers +Copy `/etc/gitlab/gitlab-secrets.json` from the Gitaly client to same path on the Gitaly servers (and any other Gitaly clients). -1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) on Gitaly servers. Method 2: -1. On the Gitaly clients, edit `/etc/gitlab/gitlab.rb`: +Edit `/etc/gitlab/gitlab.rb`: ```ruby gitlab_shell['secret_token'] = 'shellsecret' ``` -1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). -1. On the Gitaly servers, edit `/etc/gitlab/gitlab.rb`: - - ```ruby - gitlab_shell['secret_token'] = 'shellsecret' - ``` - -1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). - **For installations from source** 1. Copy `/home/git/gitlab/.gitlab_shell_secret` from the Gitaly client to the same path on the @@ -203,14 +195,7 @@ Method 2: 1. Save the file and [restart GitLab](../restart_gitlab.md#installations-from-source). -### Configure Gitaly servers - -On the Gitaly servers, you must configure storage paths and enable the network listener. -The Gitaly server must be able to read, write, and set permissions on the configured path. - -If you want to reduce the risk of downtime when you enable authentication, you can temporarily -disable enforcement. For more information, see the documentation on configuring -[Gitaly authentication](https://gitlab.com/gitlab-org/gitaly/blob/master/doc/configuration/README.md#authentication). +#### Configure Gitaly server **For Omnibus GitLab** @@ -904,7 +889,7 @@ gitaly['cgroups_repositories_cpu_shares'] => 512 which represents 100% of CPU. This value cannot exceed that of the top level`cgroups_cpu_shares`. -#### Configure cgroups (legacy method) +#### Configure cgroups (legacy method) To configure cgroups in Gitaly for GitLab versions using the legacy method, add `gitaly['cgroups']` to `/etc/gitlab/gitlab.rb`. For example: |
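Review bot: In the `@@ -130,57 +130,49 @@` hunk, the rewritten Omnibus steps no longer say which node each setting belongs on, and every "Reconfigure GitLab" step is removed. The old text set `gitlab_rails['gitaly_token']` on the Gitaly clients and `gitaly['auth_token']` on the Gitaly server; the new text keeps only `gitaly['auth_token']` under a bare "edit `/etc/gitlab/gitlab.rb`". If the client-side setting and the reconfigure step are documented elsewhere on the page, link to them from here. Otherwise, state that the token must match on clients and servers and restore the reconfigure step. The same applies to Method 2 and `gitlab_shell['secret_token']`, which previously had to be set on both sides. Two smaller points in the same hunk: the new paragraph changes "temporarily disable enforcement" to "temporarily disable authentication", which reads as broader than the old wording, so add that the setting should be turned off again once rotation is done. Also, "to same path" in Method 1 should be "to the same path".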
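Review bot: In the `@@ -203,14 +195,7 @@` hunk, the new heading `#### Configure Gitaly server` differs from its new parent `### Configure Gitaly servers` (added in the previous hunk) only by the trailing "s", so the two generated anchors are easy to confuse. Existing links to `#configure-gitaly-servers` will now land on the parent overview rather than on the storage path and listener steps. Suggest a distinct title that matches the parent's bullet list, for example one naming storage paths and the network listener, and check inbound links to the old anchor.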
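Review bot: In the `@@ -904,7 +889,7 @@` hunk, the removed and added `#### Configure cgroups (legacy method)` lines read identically, so this looks like a whitespace-only change; say so in the commit message or split it out so it does not obscure the authentication restructuring. While touching this area, the context line above is missing a space in "top level`cgroups_cpu_shares`".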