upgrade to gitlab-ce 7.3.0.rc1

Changelog.md

@@ -1,6 +1,7 @@
 # Changelog
 
 **latest**
+- upgrade to gitlab-ce 7.3.0.rc1
 - upgrade to gitlab-shell 2.0.0
 - removed internal redis server
 - shutdown the container gracefully

VERSION

@@ -1 +1 @@
-7.2.2
+7.3.0.rc1

assets/config/gitlabhq/gitlab.yml

@@ -3,9 +3,11 @@
 # # # # # # # # # # # # # # # # # #
 #
 # How to use:
-# 1. copy file as gitlab.yml
-# 2. Replace gitlab -> host with your domain
-# 3. Replace gitlab -> email_from
+# 1. Copy file as gitlab.yml
+# 2. Update gitlab -> host with your fully qualified domain name
+# 3. Update gitlab -> email_from
+# 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
+# 5. Review this configuration file for other settings you may want to adjust
 
 production: &base
   #
@@ -78,6 +80,10 @@ production: &base
       snippets: false
       visibility_level: "{{GITLAB_PROJECTS_VISIBILITY}}"  # can be "private" | "internal" | "public"
 
+    ## Webhook settings
+    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
+    # webhook_timeout: 10
+
     ## Repository downloads directory
     # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
     # The default is 'tmp/repositories' relative to the root of the Rails app.
@@ -224,7 +230,7 @@ production: &base
   # CAUTION!
   # Use the default values unless you really know what you are doing
   git:
-    bin_path: "/usr/bin/git"
+    bin_path: /usr/bin/git
     # The next value is the maximum memory size grit can use
     # Given in number of bytes per git object (e.g. a commit)
     # This value can be increased if you have very large commits

assets/config/gitlabhq/rack_attack.rb

@@ -8,11 +8,19 @@ paths_to_be_protected = [
   "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
   "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
   "#{Rails.application.config.relative_url_root}/users",
-  "#{Rails.application.config.relative_url_root}/users/confirmation"
+  "#{Rails.application.config.relative_url_root}/users/confirmation",
+  "#{Rails.application.config.relative_url_root}/unsubscribes/"
+
 ]
 
+# Create one big regular expression that matches strings starting with any of
+# the paths_to_be_protected.
+paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
+
 unless Rails.env.test?
   Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
-    req.ip if paths_to_be_protected.include?(req.path) && req.post?
+    if req.post? && req.path =~ paths_regex
+      req.ip
+    end
   end
 end

assets/config/gitlabhq/unicorn.rb

@@ -28,9 +28,10 @@ worker_processes {{UNICORN_WORKERS}}
 # "current" directory that Capistrano sets up.
 working_directory "{{GITLAB_INSTALL_DIR}}" # available in 0.94.0+
 
-# listen on both a Unix domain socket and a TCP port,
-# we use a shorter backlog for quicker failover when busy
-listen "{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket", :backlog => 64
+# Listen on both a Unix domain socket and a TCP port.
+# If you are load-balancing multiple Unicorn masters, lower the backlog
+# setting to e.g. 64 for faster failover.
+listen "{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket", :backlog => 1024
 listen "127.0.0.1:8080", :tcp_nopush => true
 
 # nuke workers after 30 seconds instead of 60 seconds (the default)

assets/config/nginx/gitlab

@@ -1,66 +1,85 @@
-# GITLAB
-# Maintainer: @randx
-
-# CHUNKED TRANSFER
-# It is a known issue that Git-over-HTTP requires chunked transfer encoding [0] which is not
-# supported by Nginx < 1.3.9 [1]. As a result, pushing a large object with Git (i.e. a single large file)
-# can lead to a 411 error. In theory you can get around this by tweaking this configuration file and either
-# - installing an old version of Nginx with the chunkin module [2] compiled in, or
-# - using a newer version of Nginx.
-#
-# At the time of writing we do not know if either of these theoretical solutions works. As a workaround
-# users can use Git over SSH to push large files.
-#
-# [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
-# [1] https://github.com/agentzh/chunkin-nginx-module#status
-# [2] https://github.com/agentzh/chunkin-nginx-module
+## GitLab
+## Maintainer: @randx
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+##################################
+##        CHUNKED TRANSFER      ##
+##################################
+##
+## It is a known issue that Git-over-HTTP requires chunked transfer encoding [0]
+## which is not supported by Nginx < 1.3.9 [1]. As a result, pushing a large object
+## with Git (i.e. a single large file) can lead to a 411 error. In theory you can get
+## around this by tweaking this configuration file and either:
+## - installing an old version of Nginx with the chunkin module [2] compiled in, or
+## - using a newer version of Nginx.
+##
+## At the time of writing we do not know if either of these theoretical solutions works. 
+## As a workaround users can use Git over SSH to push large files.
+##
+## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
+## [1] https://github.com/agentzh/chunkin-nginx-module#status
+## [2] https://github.com/agentzh/chunkin-nginx-module
+##
+###################################
+##         configuration         ##
+###################################
+##
 
 upstream gitlab {
-  server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket;
+  server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0;
 }
 
+## Normal HTTP host
 server {
-  listen *:80 default_server;         # e.g., listen 192.168.1.1:80; In most cases *:80 is a good idea
-  server_name {{YOUR_SERVER_FQDN}};     # e.g., server_name source.example.com;
-  server_tokens off;     # don't show the version number, a security best practice
+  listen *:80 default_server;
+  server_name {{YOUR_SERVER_FQDN}}; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
   root {{GITLAB_INSTALL_DIR}}/public;
-  
-  # Increase this if you want to upload large attachments
-  # Or if you want to accept large git objects over http
+
+  ## Increase this if you want to upload large attachments
+  ## Or if you want to accept large git objects over http
   client_max_body_size {{NGINX_MAX_UPLOAD_SIZE}};
 
-  # individual nginx logs for this gitlab vhost
+  ## Individual nginx logs for this GitLab vhost
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
 
   location {{GITLAB_RELATIVE_URL_ROOT}} {
     # alias {{GITLAB_INSTALL_DIR}}/public;
-    # serve static files from defined root folder;.
-    # @gitlab is a named location for the upstream fallback, see below
+    ## Serve static files from defined root folder.
+    ## @gitlab is a named location for the upstream fallback, see below.
     try_files $uri $uri/index.html $uri.html @gitlab;
   }
 
-  # if a file, which is not found in the root folder is requested,
-  # then the proxy pass the request to the upsteam (gitlab unicorn)
+  ## If a file, which is not found in the root folder is requested,
+  ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
-    # If you use https make sure you disable gzip compression 
-    # to be safe against BREACH attack
+    ## If you use HTTPS make sure you disable gzip compression
+    ## to be safe against BREACH attack.
     # gzip off;
 
-    proxy_read_timeout 300; # Some requests take more than 30 seconds.
-    proxy_connect_timeout 300; # Some requests take more than 30 seconds.
-    proxy_redirect     off;
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
 
-    proxy_set_header   X-Forwarded-Proto {{NGINX_X_FORWARDED_PROTO}};
-    proxy_set_header   Host              $http_host;
-    proxy_set_header   X-Real-IP         $remote_addr;
-    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-    proxy_set_header   X-Frame-Options   SAMEORIGIN;
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   {{NGINX_X_FORWARDED_PROTO}};
+    proxy_set_header    X-Frame-Options     SAMEORIGIN;
 
     proxy_pass http://gitlab;
   }
 
-  # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+  ## Enable gzip compression as per rails guide:
+  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+  ## WARNING: If you are using relative urls remove the block below
+  ## See config/application.rb under "Relative url support" for the list of
+  ## other files that need to be changed for relative url support
   location ~ ^{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets/(.*) {
     alias {{GITLAB_INSTALL_DIR}}/public/assets/$1;
     gzip_static on; # to serve pre-gzipped version

assets/config/nginx/gitlab-ssl

@@ -3,33 +3,10 @@
 ##
 ## Modified from nginx http version
 ## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ##
-## Lines starting with two hashes (##) are comments containing information
-## for configuration. One hash (#) comments are actual configuration parameters
-## which you can comment/uncomment to your liking.
-##
-###################################
-##        SSL configuration      ##
-###################################
-##
-## Optimal configuration is taken from:
-## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-## Make sure to read it and understand what each option does.
-##
-## [Optional] Generate a self-signed ssl certificate:
-##    mkdir /etc/nginx/ssl/
-##    cd /etc/nginx/ssl/
-##    sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out gitlab.crt -keyout gitlab.key
-##    sudo chmod o-r gitlab.key
-##
-## Edit `gitlab-shell/config.yml`:
-##  1) Set "gitlab_url" param in `gitlab-shell/config.yml` to `https://git.example.com`
-##  2) Set "ca_file" to `/etc/nginx/ssl/gitlab.crt`
-##  3) Set "self_signed_cert" to `true`
-## Edit `gitlab/config/gitlab.yml`:
-##  1) Define port for http "port: 443"
-##  2) Enable https "https: true"
-##  3) Update ssl for gravatar "ssl_url: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm"
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
 ##
 ##################################
 ##        CHUNKED TRANSFER      ##
@@ -42,39 +19,39 @@
 ## - installing an old version of Nginx with the chunkin module [2] compiled in, or
 ## - using a newer version of Nginx.
 ##
-## At the time of writing we do not know if either of these theoretical solutions works. As a workaround
-## users can use Git over SSH to push large files.
+## At the time of writing we do not know if either of these theoretical solutions works. 
+## As a workaround users can use Git over SSH to push large files.
 ##
 ## [0] https://git.kernel.org/cgit/git/git.git/tree/Documentation/technical/http-protocol.txt#n99
 ## [1] https://github.com/agentzh/chunkin-nginx-module#status
 ## [2] https://github.com/agentzh/chunkin-nginx-module
-
+##
+##
+###################################
+##        SSL configuration      ##
+###################################
+##
+## See installation.md#using-https for additional HTTPS configuration details.
 
 upstream gitlab {
-
-  ## Uncomment if you have set up unicorn to listen on a unix socket (recommended).
-  server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket;
-
-  ## Uncomment if unicorn is configured to listen on a tcp port.
-  ## Check the port number in {{GITLAB_INSTALL_DIR}}/config/unicorn.rb
-  # server 127.0.0.1:8080;
+  server unix:{{GITLAB_INSTALL_DIR}}/tmp/sockets/gitlab.socket fail_timeout=0;
 }
 
-## This is a normal HTTP host which redirects all traffic to the HTTPS host.
+## Normal HTTP host
 server {
-  listen *:80;
-  ## Replace git.example.com with your FQDN.
-  server_name _;
-  server_tokens off;
-  ## root doesn't have to be a valid path since we are redirecting
-  root /nowhere;
+  listen *:80 default_server;
+  server_name _; ## Replace this with something like gitlab.example.com
+  server_tokens off; ## Don't show the nginx version number, a security best practice
+  
+  ## Redirects all traffic to the HTTPS host
+  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
   rewrite ^ https://$host:{{GITLAB_PORT}}$request_uri? permanent;
 }
 
+## HTTPS host
 server {
   listen 443 ssl spdy;
-  ## Replace git.example.com with your FQDN.
-  server_name {{YOUR_SERVER_FQDN}};
+  server_name {{YOUR_SERVER_FQDN}}; ## Replace this with something like gitlab.example.com
   server_tokens off;
   root {{GITLAB_INSTALL_DIR}}/public;
 
@@ -88,32 +65,34 @@ server {
   ssl_certificate {{SSL_CERTIFICATE_PATH}};
   ssl_certificate_key {{SSL_KEY_PATH}};
 
-  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
+  ssl_ciphers 'AES256+EECDH:AES256+EDH';
 
   ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
   ssl_session_cache  builtin:1000  shared:SSL:10m;
 
-  ## Enable OCSP stapling to reduce the overhead and latency of running SSL.
+  ssl_prefer_server_ciphers   on;
+
+  add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}};
+  # add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
+
+  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
   ## Replace with your ssl_trusted_certificate. For more info see:
   ## - https://medium.com/devops-programming/4445f4862461
   ## - https://www.ruby-forum.com/topic/4419319
+  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
   # ssl_stapling on;
   # ssl_stapling_verify on;
   # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
-  # resolver 208.67.222.222 208.67.222.220 valid=300s;
+  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
   # resolver_timeout 10s;
 
-  ssl_prefer_server_ciphers   on;
-  ## [Optional] Generate a stronger DHE parameter (recommended):
+  ## [Optional] Generate a stronger DHE parameter:
   ##   cd /etc/ssl/certs
-  ##   openssl dhparam -out dhparam.pem 2048
+  ##   sudo openssl dhparam -out dhparam.pem 4096
   ##
   ssl_dhparam {{SSL_DHPARAM_PATH}};
 
-  add_header Strict-Transport-Security max-age={{GITLAB_HTTPS_HSTS_MAXAGE}};
-  # add_header X-Frame-Options DENY;
-  add_header X-Content-Type-Options nosniff;
-
   ## Individual nginx logs for this GitLab vhost
   access_log  /var/log/nginx/gitlab_access.log;
   error_log   /var/log/nginx/gitlab_error.log;
@@ -126,10 +105,9 @@ server {
   }
 
   ## If a file, which is not found in the root folder is requested,
-  ## then the proxy pass the request to the upsteam (gitlab unicorn).
+  ## then the proxy passes the request to the upsteam (gitlab unicorn).
   location @gitlab {
-
-    ## If you use https make sure you disable gzip compression
+    ## If you use HTTPS make sure you disable gzip compression
     ## to be safe against BREACH attack.
     gzip off;
 
@@ -151,7 +129,7 @@ server {
 
   ## Enable gzip compression as per rails guide:
   ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
-  ## WARNING: If you are using relative urls do remove the block below
+  ## WARNING: If you are using relative urls remove the block below
   ## See config/application.rb under "Relative url support" for the list of
   ## other files that need to be changed for relative url support
   location ~ ^{{GITLAB_RELATIVE_URL_ROOT__with_trailing_slash}}assets/(.*) {

assets/setup/install

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 
-GITLAB_VERSION=7.2.2
+GITLAB_VERSION=7.3.0.rc1
 GITLAB_SHELL_VERSION=2.0.0
 
 GITLAB_INSTALL_DIR="/home/git/gitlab"