Project:Infrastructure/Gitlab

Gitlab
Gitlab is currently deployed in a testing capacity on gitlab.gentoo.org and is not yet publicly available.

Gitlab Authentication
Currently only "Gentoo SSO" is supported. This means only developers can log in at this time. We expect to add other OmniAuth login sources later (Google, GitHub, GitLab, etc.).

Backups
Gitlab backups are taken nightly.

Updates
The current pace of gitlab upstream is 1 minor release per month. We try to stay within 3 minor releases of :latest.
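
One way to check a deployment against the three-minor-release policy above, as an added example (not part of the Gentoo infra tooling). It assumes image tags of the form X.Y.Z-ce.N; the function names are hypothetical, and the two tags are supplied by the caller.

```shell
# Added example: flag a gitlab-ce image tag that has drifted past the
# "within 3 minor releases" policy. Works on tag strings only (no network).
MAX_MINOR_LAG=3

# parse_tag TAG -> prints "MAJOR MINOR PATCH"; returns 1 unless TAG is
# X.Y.Z-ce.N. A tag with an empty version part ("-ce.0") is rejected.
parse_tag() {
    case ${1##*-ce.} in ''|*[!0-9]*) return 1 ;; esac   # need numeric -ce.N
    v=${1%-ce.*}
    case $v in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*) return 1 ;;  # junk, empty field, 4+ fields
        0[0-9]*|*.0[0-9]*) return 1 ;;             # leading zeros
        *.*.*) ;;                                  # exactly three fields
        *) return 1 ;;                             # too few fields, or empty
    esac
    rest=${v#*.}
    echo "${v%%.*} ${rest%%.*} ${rest#*.}"
}

# minor_lag DEPLOYED LATEST -> prints minor releases behind (0 if not behind).
# Returns 2 on unparsable input, 3 when DEPLOYED is a major version behind:
# the gap cannot be counted from two tags alone, so it is out of policy.
minor_lag() {
    d=$(parse_tag "$1") || return 2
    l=$(parse_tag "$2") || return 2
    set -- $d $l                         # $1-$3 deployed, $4-$6 latest
    [ "$1" -lt "$4" ] && return 3
    lag=0
    [ "$1" -eq "$4" ] && [ "$5" -gt "$2" ] && lag=$(( $5 - $2 ))
    echo "$lag"
}

# policy_check DEPLOYED LATEST -> prints a verdict; exit status 0 only on OK.
policy_check() {
    lag=$(minor_lag "$1" "$2") && rc=0 || rc=$?
    case $rc in
        0) ;;
        3) echo "STALE: $1 is a major version behind $2"; return 1 ;;
        *) echo "UNKNOWN: cannot parse '$1' or '$2'"; return 2 ;;
    esac
    if [ "$lag" -le "$MAX_MINOR_LAG" ]; then
        echo "OK: $lag minor release(s) behind"
    else
        echo "STALE: $lag minor release(s) behind, limit $MAX_MINOR_LAG"; return 1
    fi
}

if [ $# -eq 2 ]; then policy_check "$1" "$2"; fi
```

The non-zero exit status on STALE or UNKNOWN makes the check usable from cron or a monitoring probe.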

SSH Keys
Currently we do not synchronize SSH keys with any identity platform, but we likely need to add syncing of ssh keys from LDAP.

Groups
We currently do not synchronize any group data from anywhere. Again, this is an open item we need to address before going public.

SSH
The physical machine hosting gitlab has 2 IPs (on both v4 and v6). Sshing to gitlab.gentoo.org will connect to the IP specific to gitlab, and you will be connected to gitlab's ssh.

Gitlab's ssh uses its own set of host keys and wrappers like a normal gitlab.

Gitlab for Infrastructure
Gitlab is configured a bit by puppet (see dist/gitlab) and a bit by hand.

We use the omnibus containers to deploy gitlab. The gitlab config is at /etc/gitlab/docker-compose.yml.

Starting gitlab
cd /etc/gitlab/
docker-compose up -d

Stopping gitlab
cd /etc/gitlab
docker-compose down

Upgrading gitlab
We need to upgrade about every 2-4 weeks to stay up to date with gitlab development. Upgrades cause downtime, but it's typically brief (15-20 minutes). Announce it in #gentoo-dev beforehand, then:


 * 1) ssh towhee.gentoo.org
 * 2) sudo -i
 * 3) cd /etc/gitlab
 * 4) docker image pull gitlab/gitlab-ce:-ce.0
 * 5) docker-compose down
 * 6) docker-compose up -d
 * 7) This start may take 15-20 minutes.

I'm looking to write an ansible play for this.

SSHing into the gitlab host for infra
Currently gitlab runs on towhee; you need to 'ssh towhee.gentoo.org' to get to the host. Sshing into 'gitlab.gentoo.org' will ssh into the gitlab container, which you do not want.

What about Gitolite?
Currently we plan to keep gentoo repos mastered in gitolite. We can set up automatic pushes to gitlab in gitolite configs. We will consider migrating repos to gitlab in the future.

TODOs for gitlab setup

 * Add Icinga monitoring for https (done)
 * Add infra-status.gentoo.org lines for gitlab.
 * Add ssh key sync
 * add group sync
 * add more admins to gitlab
 * add Gentoo org admins
 * add terraform for administration?