1 files changed, 221 insertions, 0 deletions
diff --git a/doc/update/versions/gitlab_16_changes.md b/doc/update/versions/gitlab_16_changes.md
new file mode 100644
index 00000000000..cd51ca2a518
--- /dev/null
+++ b/doc/update/versions/gitlab_16_changes.md
@@ -0,0 +1,221 @@
+---
+stage: Systems
+group: Distribution
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# GitLab 16 changes
+
+This page contains upgrade information for minor and patch versions of GitLab 16.
+Ensure you review these instructions for:
+
+- Your installation type.
+- All versions between your current version and your target version.
+
+Some GitLab installations must upgrade to GitLab 16.0 before upgrading to any other version. For more information, see
+[Long-running user type data change](#long-running-user-type-data-change).
+
+For more information about upgrading GitLab Helm Chart, see [the release notes for 7.0](https://docs.gitlab.com/charts/releases/7_0.html).
+
+## 16.3.0
+
+- For Go applications, [`crypto/tls`: verifying certificate chains containing large RSA keys is slow (CVE-2023-29409)](https://github.com/golang/go/issues/61460)
+  introduced a hard limit of 8192 bits for RSA keys. In the context of Go applications at GitLab, RSA keys can be configured for:
+
+  - [Container Registry](../../administration/packages/container_registry.md)
+  - [Gitaly](../../administration/gitaly/configure_gitaly.md#enable-tls-support)
+  - [GitLab Pages](../../user/project/pages/custom_domains_ssl_tls_certification/index.md#manual-addition-of-ssltls-certificates)
+  - [Workhorse](../../development/workhorse/configuration.md#tls-support)
+
+  You should check the size of your RSA keys (`openssl rsa -in <your-key-file> -text -noout | grep "Key:"`)
+  for any of the applications above before
+  upgrading.
+
+### Linux package installations
+
+Specific information applies to Linux package installations:
+
+- In GitLab 16.0, we [announced](https://about.gitlab.com/releases/2023/05/22/gitlab-16-0-released/#omnibus-improvements) an upgraded base Docker image,
+  which has a new version of OpenSSH Server. An unintended consequence of the new version is that it disables accepting SSH RSA SHA-1 signatures by default. This issue should only
+  impact users using very outdated SSH clients.
+
+  To avoid problems with SHA-1 signatures being unavailable, users should update their SSH clients because using SHA-1 signatures is discouraged by the upstream library for security
+  reasons.
+
+  To allow for a transition period where users can't immediately upgrade their SSH clients, GitLab 16.3 and later has support for a `GITLAB_ALLOW_SHA1_RSA` environment variable in
+  the `Dockerfile`. If `GITLAB_ALLOW_SHA1_RSA` is set to `true`, this deprecated support is reactivated.
+
+  Because we want to foster security best practices and follow the upstream recommendation, this environment variable will only be available until GitLab 17.0, when we plan to
+  drop support for it.
+
+  For more information, see:
+
+  - [OpenSSH 8.8 release notes](https://www.openssh.com/txt/release-8.8).
+  - [An informal explanation](https://gitlab.com/gitlab-org/gitlab/-/issues/416714#note_1482388504).
+  - `omnibus-gitlab` [merge request 7035](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7035), which introduces the environment variable.
+
+## 16.2.0
+
+- Legacy LDAP configuration settings may cause
+  [`NoMethodError: undefined method 'devise' for User:Class` errors](https://gitlab.com/gitlab-org/gitlab/-/issues/419485).
+  This error occurs if you have TLS options (such as `ca_file`) not specified
+  in the `tls_options` hash, or use the legacy `gitlab_rails['ldap_host']` option.
+  See the [configuration workarounds](https://gitlab.com/gitlab-org/gitlab/-/issues/419485#workarounds)
+  for more details.
+- New job artifacts are not replicated if job artifacts are configured to be stored in object storage and `direct_upload` is enabled. This bug is fixed in GitLab versions 16.1.4,
+  16.2.3, 16.3.0, and later.
+  - Impacted versions: GitLab versions 16.1.0 - 16.1.3 and 16.2.0 - 16.2.2.
+  - If you deployed an affected version, after upgrading to a fixed GitLab version, follow [these instructions](https://gitlab.com/gitlab-org/gitlab/-/issues/419742#to-fix-data)
+    to resync the affected job artifacts.
+- You might encounter the following error while upgrading to GitLab 16.2 or later:
+
+  ```plaintext
+  main: == 20230620134708 ValidateUserTypeConstraint: migrating =======================
+  main: -- execute("ALTER TABLE users VALIDATE CONSTRAINT check_0dd5948e38;")
+  rake aborted!
+  StandardError: An error has occurred, all later migrations canceled:
+  PG::CheckViolation: ERROR:  check constraint "check_0dd5948e38" of relation "users" is violated by some row
+  ```
+
+  For more information, see [issue 421629](https://gitlab.com/gitlab-org/gitlab/-/issues/421629).
+
+### Linux package installations
+
+Specific information applies to Linux package installations:
+
+- In 16.2, we are upgrading Redis from 6.2.11 to 7.0.12. This upgrade is expected to be fully backwards compatible.
+
+  Redis is not automatically restarted as part of `gitlab-ctl reconfigure`.
+  Hence, users are manually required to run `sudo gitlab-ctl restart redis` after
+  the reconfigure run so that the new Redis version gets used. A warning
+  mentioning that the installed Redis version is different than the one running is
+  displayed at the end of reconfigure run until the restart is performed.
+
+  If your instance has Redis HA with Sentinel, follow the upgrade steps mentioned in
+  [Zero Downtime documentation](../zero_downtime.md#redis-ha-using-sentinel).
+
+### Self-compiled installations
+
+- Git 2.41.0 and later is required by Gitaly. You should use the [Git version provided by Gitaly](../../install/installation.md#git).
+
+## 16.1.0
+
+- A `BackfillPreparedAtMergeRequests` background migration is finalized with
+  the `FinalizeBackFillPreparedAtMergeRequests` post-deploy migration.
+  GitLab 15.10.0 introduced a [batched background migration](../background_migrations.md#batched-background-migrations) to
+  [backfill `prepared_at` values on the `merge_requests` table](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111865). This
+  migration may take multiple days to complete on larger GitLab instances. Make sure the migration
+  has completed successfully before upgrading to 16.1.0.
+- New job artifacts are not replicated if job artifacts are configured to be stored in object storage and `direct_upload` is enabled. This bug is fixed in GitLab versions 16.1.4,
+  16.2.3, 16.3.0, and later.
+  - Impacted versions: GitLab versions 16.1.0 - 16.1.3 and 16.2.0 - 16.2.2.
+  - If you deployed an affected version, after upgrading to a fixed GitLab version, follow [these instructions](https://gitlab.com/gitlab-org/gitlab/-/issues/419742#to-fix-data)
+    to resync the affected job artifacts.
+
+### Self-compiled installations
+
+- You must remove any settings related to Puma worker killer from the `puma.rb` configuration file, because those have been
+  [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118645). For more information, see the
+  [`puma.rb.example`](https://gitlab.com/gitlab-org/gitlab/-/blob/16-0-stable-ee/config/puma.rb.example) file.
+
+### Geo installations
+
+Specific information applies to installations using Geo:
+
+- Some project imports do not initialize wiki repositories on project creation. Because of the migration of project wikis to
+  SSF, [missing wiki repositories are being incorrectly flagged as failing verification](https://gitlab.com/gitlab-org/gitlab/-/issues/409704).
+  This issue is not a result of an actual replication/verification failure but an invalid internal state for these missing
+  repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for
+  these wiki repositories. If you have not imported projects you are not impacted by this issue.
+  - Impacted versions: GitLab versions 15.11.x, 16.0.x, and 16.1.0 - 16.1.2.
+  - Versions containing fix: GitLab 16.1.3 and later.
+- Because of the migration of project designs to SSF, [missing design repositories are being incorrectly flagged as failing verification](https://gitlab.com/gitlab-org/gitlab/-/issues/414279).
+  This issue is not a result of an actual replication/verification failure but an invalid internal state for these missing
+  repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for
+  these design repositories. You could be impacted by this issue even if you have not imported projects.
+  - Impacted versions: GitLab versions 16.1.x.
+  - Versions containing fix: GitLab 16.2.0 and later.
+
+## 16.0.0
+
+- Sidekiq crashes if there are non-ASCII characters in the `/etc/gitlab/gitlab.rb` file. You can fix this
+  by following the workaround in [issue 412767](https://gitlab.com/gitlab-org/gitlab/-/issues/412767#note_1404507549).
+- Sidekiq jobs are only routed to `default` and `mailers` queues by default, and as a result,
+  every Sidekiq process also listens to those queues to ensure all jobs are processed across
+  all queues. This behavior does not apply if you have configured the [routing rules](../../administration/sidekiq/processing_specific_job_classes.md#routing-rules).
+- Docker 20.10.10 or later is required to run the GitLab Docker image. Older versions
+  [throw errors on startup](../../install/docker.md#threaderror-cant-create-thread-operation-not-permitted).
+- Starting with 16.0, GitLab self-managed installations now have two database connections by default, instead of one. This change doubles the number of PostgreSQL connections. It makes self-managed versions of GitLab behave similarly to GitLab.com, and is a step toward enabling a separate database for CI features for self-managed versions of GitLab. Before upgrading to 16.0, determine if you need to [increase max connections for PostgreSQL](https://docs.gitlab.com/omnibus/settings/database.html#configuring-multiple-database-connections).
+  - This change applies to installation methods with Linux packages (Omnibus), GitLab Helm chart, GitLab Operator, GitLab Docker images, and self-compiled installations.
+
+### Linux package installations
+
+Specific information applies to Linux package installations:
+
+- The binaries for PostgreSQL 12 have been removed.
+
+  Prior to upgrading, administrators of Linux package installations must ensure the installation is using
+  [PostgreSQL 13](https://docs.gitlab.com/omnibus/settings/database.html#upgrade-packaged-postgresql-server).
+
+- Bundled Grafana is deprecated and is no longer supported. It is removed in GitLab 16.3.
+
+  For more information, see [deprecation notes](../../administration/monitoring/performance/grafana_configuration.md#deprecation-of-bundled-grafana).
+
+- This upgrades `openssh-server` to `1:8.9p1-3`.
+
+  Using `ssh-keyscan -t rsa` with older OpenSSH clients to obtain public key information is no longer viable because of
+  the deprecations listed in [OpenSSH 8.7 Release Notes](https://www.openssh.com/txt/release-8.7).
+
+  Workaround is to make use of a different key type, or upgrade the client OpenSSH to a version >= 8.7.
+
+### Geo installations
+
+Specific information applies to installations using Geo:
+
+- Some project imports do not initialize wiki repositories on project creation. Because of the migration of project wikis to
+  SSF, [missing wiki repositories are being incorrectly flagged as failing verification](https://gitlab.com/gitlab-org/gitlab/-/issues/409704).
+  This issue is not a result of an actual replication/verification failure but an invalid internal state for these missing
+  repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for
+  these wiki repositories. If you have not imported projects you are not impacted by this issue.
+
+  - Impacted versions: GitLab versions 15.11.x, 16.0.x, and 16.1.0 - 16.1.2.
+  - Versions containing fix: GitLab 16.1.3 and later.
+
+## Long-running user type data change
+
+GitLab 16.0 is a required stop for large GitLab instances with a lot of records in the `users` table.
+
+The threshold is **30,000 users**, which includes:
+
+- Developers and other users in any state, including active, blocked, and pending approval.
+- Bot accounts for project and group access tokens.
+
+GitLab 16.0 introduced a [batched background migration](../background_migrations.md#batched-background-migrations) to
+[migrate `user_type` values from `NULL` to `0`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115849). This
+migration might take multiple days to complete on larger GitLab instances. Make sure the migration
+has completed successfully before upgrading to 16.1.0 or later.
+
+GitLab 16.1 introduces the `FinalizeUserTypeMigration` migration which ensures the
+16.0 `MigrateHumanUserType` background migration is completed, making the 16.0 changes synchronously
+during the upgrade if it's not completed.
+
+GitLab 16.2 [implements a `NOT NULL` database constraint](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122454)
+which fails if the 16.0 migration is not complete.
+
+If 16.0 has been skipped (or the 16.0 migration is not complete) subsequent
+Linux package (Omnibus) and Docker upgrades might fail
+after an hour:
+
+```plaintext
+FATAL: Mixlib::ShellOut::CommandTimeout: rails_migration[gitlab-rails]
+[..]
+Mixlib::ShellOut::CommandTimeout: Command timed out after 3600s:
+```
+
+[There is a fix-forward workaround for this issue](../package/index.md#mixlibshelloutcommandtimeout-rails_migrationgitlab-rails--command-timed-out-after-3600s).
+
+While the workaround is completing the database changes, GitLab is likely to be in
+an unusable state, generating `500` errors. The errors are caused by Sidekiq and Puma running
+application code that is incompatible with the database schema.
+
+At the end of the workaround process, Sidekiq and Puma are restarted to resolve that issue.