4 files changed, 68 insertions, 264 deletions
diff --git a/doc/administration/raketasks/check.md b/doc/administration/raketasks/check.md
index 9ced19b53b7..ec28b6bee67 100644
--- a/doc/administration/raketasks/check.md
+++ b/doc/administration/raketasks/check.md
@@ -283,6 +283,54 @@ I, [2020-06-11T17:18:15.575711 #27148]  INFO -- : Done!
 
 <!-- vale gitlab.SentenceSpacing = YES -->
 
+## Reset encrypted tokens when they can't be recovered
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131893) in GitLab 16.6.
+
+WARNING:
+This operation is dangerous and can result in data-loss. Proceed with extreme caution.
+You must have knowledge about GitLab internals before you perform this operation.
+
+In some cases, encrypted tokens can no longer be recovered and cause issues.
+Most often, runner registration tokens for groups and projects might be broken on very large instances.
+
+To reset broken tokens:
+
+1. Identify the database models that have broken encrypted tokens. For example, it can be `Group` and `Project`.
+1. Identify the broken tokens. For example `runners_token`.
+1. To reset broken tokens, run `gitlab:doctor:reset_encrypted_tokens` with `VERBOSE=true MODEL_NAMES=Model1,Model2 TOKEN_NAMES=broken_token1,broken_token2`. For example:
+
+    ```shell
+    VERBOSE=true MODEL_NAMES=Project,Group TOKEN_NAMES=runners_token bundle exec rake gitlab:doctor:reset_encrypted_tokens
+    ```
+
+    You will see every action this task would try to perform:
+
+    ```plain
+    I, [2023-09-26T16:20:23.230942 #88920]  INFO -- : Resetting runners_token on Project, Group if they can not be read
+    I, [2023-09-26T16:20:23.230975 #88920]  INFO -- : Executing in DRY RUN mode, no records will actually be updated
+    D, [2023-09-26T16:20:30.151585 #88920] DEBUG -- : > Fix Project[1].runners_token
+    I, [2023-09-26T16:20:30.151617 #88920]  INFO -- : Checked 1/9 Projects
+    D, [2023-09-26T16:20:30.151873 #88920] DEBUG -- : > Fix Project[3].runners_token
+    D, [2023-09-26T16:20:30.152975 #88920] DEBUG -- : > Fix Project[10].runners_token
+    I, [2023-09-26T16:20:30.152992 #88920]  INFO -- : Checked 11/29 Projects
+    I, [2023-09-26T16:20:30.153230 #88920]  INFO -- : Checked 21/29 Projects
+    I, [2023-09-26T16:20:30.153882 #88920]  INFO -- : Checked 29 Projects
+    D, [2023-09-26T16:20:30.195929 #88920] DEBUG -- : > Fix Group[22].runners_token
+    I, [2023-09-26T16:20:30.196125 #88920]  INFO -- : Checked 1/19 Groups
+    D, [2023-09-26T16:20:30.196192 #88920] DEBUG -- : > Fix Group[25].runners_token
+    D, [2023-09-26T16:20:30.197557 #88920] DEBUG -- : > Fix Group[82].runners_token
+    I, [2023-09-26T16:20:30.197581 #88920]  INFO -- : Checked 11/19 Groups
+    I, [2023-09-26T16:20:30.198455 #88920]  INFO -- : Checked 19 Groups
+    I, [2023-09-26T16:20:30.198462 #88920]  INFO -- : Done!
+    ```
+
+1. If you are confident that this operation resets the correct tokens, disable dry-run mode and run the operation again:
+
+    ```shell
+    DRY_RUN=false VERBOSE=true MODEL_NAMES=Project,Group TOKEN_NAMES=runners_token bundle exec rake gitlab:doctor:reset_encrypted_tokens
+    ```
+
 ## Troubleshooting
 
 The following are solutions to problems you might discover using the Rake tasks documented
diff --git a/doc/administration/raketasks/ldap.md b/doc/administration/raketasks/ldap.md
index e6700288631..d8909440ceb 100644
--- a/doc/administration/raketasks/ldap.md
+++ b/doc/administration/raketasks/ldap.md
@@ -1,6 +1,6 @@
 ---
 stage: Govern
-group: Authentication and Authorization
+group: Authentication
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
 ---
 
diff --git a/doc/administration/raketasks/maintenance.md b/doc/administration/raketasks/maintenance.md
index cdb70ca715b..724dcc2046a 100644
--- a/doc/administration/raketasks/maintenance.md
+++ b/doc/administration/raketasks/maintenance.md
@@ -454,3 +454,15 @@ main: == [advisory_lock_connection] object_id: 173580, pg_backend_pid: 5532
 ```
 
 The messages returned are informational and can be ignored.
+
+### PostgreSQL socket errors when executing the `gitlab:env:info` Rake task
+
+After running `sudo gitlab-rake gitlab:env:info` on Gitaly or other non-Rails nodes , you might see the following error:
+
+```plaintext
+PG::ConnectionBad: could not connect to server: No such file or directory
+Is the server running locally and accepting
+connections on Unix domain socket "/var/opt/gitlab/postgresql/.s.PGSQL.5432"?
+```
+
+This is because, in a multi-node environment, the `gitlab:env:info` Rake task should only be executed on the nodes running **GitLab Rails**.
diff --git a/doc/administration/raketasks/storage.md b/doc/administration/raketasks/storage.md
index ce931e78c2b..33ddcd96de6 100644
--- a/doc/administration/raketasks/storage.md
+++ b/doc/administration/raketasks/storage.md
@@ -1,267 +1,11 @@
 ---
-stage: Systems
-group: Distribution
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+redirect_to: '../repository_storage_paths.md'
+remove_date: '2024-01-11'
 ---
 
-# Repository storage Rake tasks **(FREE SELF)**
+This document was moved to [another location](../repository_storage_paths.md).
 
-This is a collection of Rake tasks to help you list and migrate
-existing projects and their attachments to the new
-[hashed storage](../repository_storage_paths.md) that GitLab
-uses to organize the Git data.
-
-## List projects and attachments
-
-The following Rake tasks lists the projects and attachments that are
-available on legacy and hashed storage.
-
-### On legacy storage
-
-To have a summary and then a list of projects and their attachments using legacy storage:
-
-- Linux package installations:
-
-  ```shell
-  # Projects
-  sudo gitlab-rake gitlab:storage:legacy_projects
-  sudo gitlab-rake gitlab:storage:list_legacy_projects
-
-  # Attachments
-  sudo gitlab-rake gitlab:storage:legacy_attachments
-  sudo gitlab-rake gitlab:storage:list_legacy_attachments
-  ```
-
-- Self-compiled installations:
-
-  ```shell
-  # Projects
-  sudo -u git -H bundle exec rake gitlab:storage:legacy_projects RAILS_ENV=production
-  sudo -u git -H bundle exec rake gitlab:storage:list_legacy_projects RAILS_ENV=production
-
-  # Attachments
-  sudo -u git -H bundle exec rake gitlab:storage:legacy_attachments RAILS_ENV=production
-  sudo -u git -H bundle exec rake gitlab:storage:list_legacy_attachments RAILS_ENV=production
-  ```
-
-### On hashed storage
-
-To have a summary and then a list of projects and their attachments using hashed storage:
-
-- Linux package installations:
-
-  ```shell
-  # Projects
-  sudo gitlab-rake gitlab:storage:hashed_projects
-  sudo gitlab-rake gitlab:storage:list_hashed_projects
-
-  # Attachments
-  sudo gitlab-rake gitlab:storage:hashed_attachments
-  sudo gitlab-rake gitlab:storage:list_hashed_attachments
-  ```
-
-- Self-compiled installations:
-
-  ```shell
-  # Projects
-  sudo -u git -H bundle exec rake gitlab:storage:hashed_projects RAILS_ENV=production
-  sudo -u git -H bundle exec rake gitlab:storage:list_hashed_projects RAILS_ENV=production
-
-  # Attachments
-  sudo -u git -H bundle exec rake gitlab:storage:hashed_attachments RAILS_ENV=production
-  sudo -u git -H bundle exec rake gitlab:storage:list_hashed_attachments RAILS_ENV=production
-  ```
-
-## Migrate to hashed storage
-
-WARNING:
-In GitLab 13.0, [hashed storage](../repository_storage_paths.md#hashed-storage)
-is enabled by default and the legacy storage is deprecated.
-GitLab 14.0 eliminates support for legacy storage. If you're on GitLab
-13.0 and later, switching new projects to legacy storage is not possible.
-The option to choose between hashed and legacy storage in the Admin Area has
-been disabled.
-
-This task must be run on any machine that has Rails/Sidekiq configured, and the task
-schedules all your existing projects and attachments associated with it to be
-migrated to the **Hashed** storage type:
-
-- Linux package installations:
-
-  ```shell
-  sudo gitlab-rake gitlab:storage:migrate_to_hashed
-  ```
-
-- Self-compiled installations:
-
-  ```shell
-  sudo -u git -H bundle exec rake gitlab:storage:migrate_to_hashed RAILS_ENV=production
-  ```
-
-If you have any existing integration, you may want to do a small rollout first,
-to validate. You can do so by specifying an ID range with the operation by using
-the environment variables `ID_FROM` and `ID_TO`. For example, to limit the rollout
-to project IDs 50 to 100 in a Linux package installation:
-
-```shell
-sudo gitlab-rake gitlab:storage:migrate_to_hashed ID_FROM=50 ID_TO=100
-```
-
-To monitor the progress in GitLab:
-
-1. On the left sidebar, select **Search or go to**.
-1. Select **Admin Area**.
-1. On the left sidebar, select **Monitoring > Background Jobs**.
-1. Watch how long the `hashed_storage:hashed_storage_project_migrate` queue
-   takes to finish. After it reaches zero, you can confirm every project
-   has been migrated by running the commands above.
-
-If you find it necessary, you can run the previous migration script again to schedule missing projects.
-
-Any error or warning is logged in Sidekiq's log file.
-
-If [Geo](../geo/index.md) is enabled, each project that is successfully migrated
-generates an event to replicate the changes on any **secondary** nodes.
-
-You only need the `gitlab:storage:migrate_to_hashed` Rake task to migrate your repositories, but there are
-[additional commands](#list-projects-and-attachments) to help you inspect projects and attachments in both legacy and hashed storage.
-
-## Rollback from hashed storage to legacy storage
-
-WARNING:
-In GitLab 13.0, [hashed storage](../repository_storage_paths.md#hashed-storage)
-is enabled by default and the legacy storage is deprecated.
-GitLab 14.0 eliminates support for legacy storage. If you're on GitLab
-13.0 and later, switching new projects to legacy storage is not possible.
-The option to choose between hashed and legacy storage in the Admin Area has
-been disabled.
-
-This task schedules all your existing projects and associated attachments to be rolled back to the
-legacy storage type.
-
-- Linux package installations:
-
-  ```shell
-  sudo gitlab-rake gitlab:storage:rollback_to_legacy
-  ```
-
-- Self-compiled installations:
-
-  ```shell
-  sudo -u git -H bundle exec rake gitlab:storage:rollback_to_legacy RAILS_ENV=production
-  ```
-
-If you have any existing integration, you may want to do a small rollback first,
-to validate. You can do so by specifying an ID range with the operation by using
-the environment variables `ID_FROM` and `ID_TO`. For example, to limit the rollout
-to project IDs 50 to 100 in a Linux package installation:
-
-```shell
-sudo gitlab-rake gitlab:storage:rollback_to_legacy ID_FROM=50 ID_TO=100
-```
-
-You can monitor the progress in the **Admin Area > Monitoring > Background Jobs** page.
-On the **Queues** tab, you can watch the `hashed_storage:hashed_storage_project_rollback` queue to see how long the process takes to finish.
-
-After it reaches zero, you can confirm every project has been rolled back by running the commands above.
-If some projects weren't rolled back, you can run this rollback script again to schedule further rollbacks.
-Any error or warning is logged in Sidekiq's log file.
-
-If you have a Geo setup, the rollback is not reflected automatically
-on the **secondary** node. You may need to wait for a backfill operation to kick-in and remove
-the remaining repositories from the special `@hashed/` folder manually.
-
-## Troubleshooting
-
-The Rake task might not be able to complete the migration to hashed storage.
-Checks on the instance will continue to report that there is legacy data:
-
-```plaintext
-* Found 1 projects using Legacy Storage
-- janedoe/testproject (id: 1234)
-```
-
-If you have a subscription, [raise a ticket with GitLab support](https://support.gitlab.com)
-as most of the fixes are relatively high risk, involving running code on the Rails console.
-
-### Read only projects
-
-If you have set projects as read only they might fail to migrate.
-
-1. [Start a Rails console](../operations/rails_console.md#starting-a-rails-console-session).
-
-1. Check if the project is read only:
-
-   ```ruby
-   project = Project.find_by_full_path('janedoe/testproject')
-   project.repository_read_only
-   ```
-
-1. If it returns `true` (not `nil` or `false`), set it writable:
-
-   ```ruby
-   project.update!(repository_read_only: false)
-   ```
-
-1. [Re-run the migration Rake task](#migrate-to-hashed-storage).
-
-1. Set the project read-only again:
-
-   ```ruby
-   project.update!(repository_read_only: true)
-   ```
-
-### Projects pending deletion
-
-Check the project details in the Admin Area. If deleting the project failed
-it will show as `Marked For Deletion At ..`, `Scheduled Deletion At ..` and
-`pending removal`, but the dates will not be recent.
-
-Delete the project using the Rails console:
-
-1. [Start a Rails console](../operations/rails_console.md#starting-a-rails-console-session).
-
-1. With the following code, select the project to be deleted and account to action it:
-
-   ```ruby
-   project = Project.find_by_full_path('janedoe/testproject')
-   user = User.find_by_username('admin_handle')
-   puts "\nproject selected for deletion is:\nID: #{project.id}\nPATH: #{project.full_path}\nNAME: #{project.name}\n\n"
-   ```
-
-   - Replace `janedoe/testproject` with your project path from the Rake take output or from the Admin Area.
-   - Replace `admin_handle` with the handle of an instance administrator or with `root`.
-   - Verify the output before proceeding. **There are no other checks performed**.
-
-1. [Destroy the project](../../user/project/working_with_projects.md#delete-a-project-using-console) **immediately**:
-
-   ```ruby
-   Projects::DestroyService.new(project, user).execute
-   ```
-
-If destroying the project generates a stack trace relating to encryption or the error `OpenSSL::Cipher::CipherError`:
-
-1. [Verify your GitLab secrets](check.md#verify-database-values-can-be-decrypted-using-the-current-secrets).
-
-1. If the affected projects have secrets that cannot be decrypted it will be necessary to remove those specific secrets.
-   [Our documentation for dealing with lost secrets](../../administration/backup_restore/backup_gitlab.md#when-the-secrets-file-is-lost)
-   is for loss of all secrets, but it's possible for specific projects to be affected. For example,
-   to [reset specific runner registration tokens](../../administration/backup_restore/backup_gitlab.md#reset-runner-registration-tokens)
-   for a specific project ID:
-
-   ```sql
-   UPDATE projects SET runners_token = null, runners_token_encrypted = null where id = 1234;
-   ```
-
-### `Repository cannot be moved from` errors in Sidekiq log
-
-Projects might fail to migrate with errors in the Sidekiq log:
-
-```shell
-# grep 'Repository cannot be moved' /var/log/gitlab/sidekiq/current
-{"severity":"ERROR","time":"2021-02-29T02:29:02.021Z","message":"Repository cannot be moved from 'janedoe/testproject' to '@hashed<value>' (PROJECT_ID=1234)"}
-```
-
-This might be caused by [a bug](https://gitlab.com/gitlab-org/gitlab/-/issues/259605) in the original code for hashed storage migration.
-
-[There is a workaround for projects still affected by this issue](https://gitlab.com/-/snippets/2039252).
+<!-- This redirect file can be deleted after <2024-01-11>. -->
+<!-- Redirects that point to other docs in the same project expire in three months. -->
+<!-- Redirects that point to docs in a different project or site (link is not relative and starts with `https:`) expire in one year. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->