diff options
Diffstat (limited to 'doc/ci/troubleshooting.md')
-rw-r--r-- | doc/ci/troubleshooting.md | 36 |
1 files changed, 34 insertions, 2 deletions
diff --git a/doc/ci/troubleshooting.md b/doc/ci/troubleshooting.md index 623589e2cbc..3d5bcc64889 100644 --- a/doc/ci/troubleshooting.md +++ b/doc/ci/troubleshooting.md @@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w type: reference --- -# Troubleshooting CI/CD **(FREE)** +# Troubleshooting CI/CD **(FREE ALL)** GitLab provides several tools to help make troubleshooting your pipelines easier. @@ -283,6 +283,36 @@ If the merge train pipeline was canceled before the merge request was merged, wi - Add it to the train again. +### Merge request rules widget shows a scan result policy is invalid or duplicated **(ULTIMATE SELF)** + +On GitLab self-managed 15.0 and later, the most likely cause is that the project was exported from a +group and imported into another, and had scan result policy rules. These rules are stored in a +separate project to the one that was exported. As a result, the project contains policy rules that +reference entities that don't exist in the imported project's group. The result is policy rules that +are invalid, duplicated, or both. + +To remove all invalid scan result policy rules from a GitLab instance, an administrator can run +the following script in the [Rails console](../administration/operations/rails_console.md). + +```ruby +Project.joins(:approval_rules).where(approval_rules: { report_type: %i[scan_finding license_scanning] }).where.not(approval_rules: { security_orchestration_policy_configuration_id: nil }).find_in_batches.flat_map do |batch| + batch.map do |project| + # Get projects and their configuration_ids for applicable project rules + [project, project.approval_rules.where(report_type: %i[scan_finding license_scanning]).pluck(:security_orchestration_policy_configuration_id).uniq] + end.uniq.map do |project, configuration_ids| # We take only unique combinations of project + configuration_ids + # If we find more configurations than what is available for the project, we take records with the extra configurations + [project, configuration_ids - project.all_security_orchestration_policy_configurations.pluck(:id)] + end.select { |_project, configuration_ids| configuration_ids.any? } +end.each do |project, configuration_ids| + # For each found pair project + ghost configuration, we remove these rules for a given project + Security::OrchestrationPolicyConfiguration.where(id: configuration_ids).each do |configuration| + configuration.delete_scan_finding_rules_for_project(project.id) + end + # Ensure we sync any potential rules from new group's policy + Security::ScanResultPolicies::SyncProjectWorker.perform_async(project.id) +end +``` + ### Project `group/project` not found or access denied This message is shown if configuration is added with [`include`](yaml/index.md#include) and one of the following: @@ -330,6 +360,8 @@ start a new pipeline to use the new configuration. ### Unable to pull image from another project +> **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3. + When a runner tries to pull an image from a private project, the job could fail with the following error: ```shell @@ -338,7 +370,7 @@ WARNING: Failed to pull image with policy "always": Error response from daemon: This error can happen if the following are both true: -- The **Allow access to this project with a CI_JOB_TOKEN** option is enabled in the private project +- The **Limit access _to_ this project** option is enabled in the private project hosting the image. - The job attempting to fetch the image is running for a project that is not listed in the private project's allowlist. |