... | ... | @@ -384,6 +384,28 @@ Note that GitLab is working on an [attachment manager](https://gitlab.com/gitlab |
|
|
allow web operators to delete old files, but it's unclear how or when
|
|
|
this will be implemented, if ever.
|
|
|
|
|
|
## Publishing GitLab pages
|
|
|
|
|
|
GitLab features a way to publish websites directly from the continuous
|
|
|
integration pipelines, called [GitLab pages](https://gitlab.com/gitlab-org/gitlab-pages). Complete
|
|
|
documentation on how to publish such pages is better served by the
|
|
|
official documentation, but creating a `.gitlab-ci.yml` should get you
|
|
|
rolling. For example, this will publish a `hugo` site:
|
|
|
|
|
|
image: registry.gitlab.com/pages/hugo/hugo_extended:0.65.3
|
|
|
pages:
|
|
|
script:
|
|
|
- hugo
|
|
|
artifacts:
|
|
|
paths:
|
|
|
- public
|
|
|
only:
|
|
|
- main
|
|
|
|
|
|
If this file is committed in a project called `tpo/team/project`, the
|
|
|
pages will be published to
|
|
|
<https://tpo.pages.torproject.net/team/project/>.
|
|
|
|
|
|
## Pager playbook
|
|
|
|
|
|
<!-- information about common errors from the monitoring system and -->
|
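Review bot: the sample `.gitlab-ci.yml` restricts the `pages` job with `only: - main`; since this job is what publishes artifacts to a public URL, it is worth saying explicitly that this branch restriction is what stops every feature-branch or merge-request pipeline from overwriting the live site, and that GitLab now recommends `rules:` (for example `rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`) over `only:` for new pipelines. The image `registry.gitlab.com/pages/hugo/hugo_extended:0.65.3` is pinned to a tag, which is good for reproducibility, but a tag can still be moved by the upstream registry (unlike a `@sha256:` digest) and will need a deliberate bump for Hugo updates; a short note on that would help operators. Finally, "Complete documentation on how to publish such pages is better served by the official documentation" refers to the official documentation without linking it, while the only link in the paragraph points at the gitlab-pages server source repository rather than the user guide.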
... | ... | @@ -459,6 +481,8 @@ Untested procedure extracted from the [upstream docs](https://docs.gitlab.com/ee |
|
|
|
|
|
## Installation
|
|
|
|
|
|
### Main GitLab installation
|
|
|
|
|
|
The current GitLab server was setup in the [howto/ganeti](howto/ganeti) cluster in a
|
|
|
regular virtual machine. It was configured with [howto/puppet](howto/puppet) with the
|
|
|
`roles::gitlab`. That, in turn, relies on a series of `profile`
|
... | ... | @@ -493,6 +517,40 @@ working so well (e.g. [503 errors on merge requests](https://gitlab.torproject.o |
|
|
[migrated to the omnibus package](https://gitlab.torproject.org/tpo/tpa/team/-/issues/32949) in March 2020, which seems to
|
|
|
work better.
|
|
|
|
|
|
### GitLab CI installation
|
|
|
|
|
|
See [the CI documentation](service/ci) for documentation specific to GitLab CI.
|
|
|
|
|
|
### GitLab pages installation
|
|
|
|
|
|
To setup GitLab pages, we [followed the GitLab Pages administration
|
|
|
manual](https://docs.gitlab.com/ee/administration/pages). The steps taken were as follows:
|
|
|
|
|
|
1. add `pages.torproject.net` to the [public suffix list](https://publicsuffix.org/) ([issue
|
|
|
40121](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40121) and [upstream PR](https://github.com/publicsuffix/list/pull/1196)) (although that takes months or
|
|
|
*years* to propagate everywhere)
|
|
|
1. add `*.pages.torproject.net` and `pages.torproject.net` to DNS
|
|
|
(`dns/domains.git` repository), as A records so that LE DNS-01
|
|
|
challenges still work, along with a CAA record to allow the
|
|
|
wildcard on `pages.torproject.net`
|
|
|
2. get the wildcard cert from Let's Encrypt (in
|
|
|
`letsencrypt-domains.git`)
|
|
|
3. deploy the TLS certificate, some GitLab config and a nginx vhost to gitlab-02
|
|
|
with Puppet
|
|
|
4. run the [status-site pipeline](https://gitlab.torproject.org/tpo/tpa/status-site/-/pipelines) to regenerate the pages
|
|
|
|
|
|
The GitLab pages configuration lives in the `profile::gitlab::app`
|
|
|
Puppet class. The following GitLab settings were added:
|
|
|
|
|
|
gitlab_pages => {
|
|
|
ssl_certificate => '/etc/ssl/torproject/certs/pages.torproject.net.crt-chained',
|
|
|
ssl_certificate_key => '/etc/ssl/private/pages.torproject.net.key',
|
|
|
},
|
|
|
pages_external_url => 'https://pages.torproject.net',
|
|
|
|
|
|
The virtual host for the `pages.torproject.org` domain was configured
|
|
|
through the `profile::gitlab::web` class.
|
|
|
|
|
|
## SLA
|
|
|
<!-- this describes an acceptable level of service for this service -->
|
|
|
|
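Review bot: the closing sentence says the virtual host for the `pages.torproject.org` domain was configured through `profile::gitlab::web`, but every other reference in the hunk (the DNS records, the wildcard certificate, `pages_external_url => 'https://pages.torproject.net'`) uses `pages.torproject.net`; one of the two is a typo and should be corrected so readers do not configure the wrong zone. The numbered list also starts with two items numbered `1.`, so the steps read 1, 1, 2, 3, 4; renumber them 1 to 5. Two smaller points: the public suffix list step gives no rationale, and one sentence noting that the listing makes browsers treat each site under the `*.pages.torproject.net` wildcard as its own registrable domain (so cookies cannot be set across sibling sites) would save future readers a lookup; and the settings block is Puppet hash syntax with `pages_external_url` at a different nesting level from the `gitlab_pages` hash, so a lead-in naming the Puppet parameter or resource these keys belong to would make the snippet reproducible rather than something to be inferred from the class name.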
... | ... | @@ -567,11 +625,35 @@ thrown hardware at GitLab when performance issues come up. |
|
|
### GitLab pages
|
|
|
|
|
|
[GitLab pages](https://gitlab.com/gitlab-org/gitlab-pages) is "a simple HTTP server written in Go, made to
|
|
|
serve GitLab Pages with CNAMEs and SNI using HTTP/HTTP2".
|
|
|
serve GitLab Pages with CNAMEs and SNI using HTTP/HTTP2". In practice,
|
|
|
the way this works is that artifacts from GitLab CI jobs get sent back
|
|
|
to the central server.
|
|
|
|
|
|
GitLab pages is designed to scale horizontally: multiple pages servers
|
|
|
can be deployed and fetch their content and configuration through NFS.
|
|
|
They are [rearchitecturing this with Object storage](https://docs.gitlab.com/ee/architecture/blueprints/cloud_native_gitlab_pages/) (ie. S3
|
|
|
through minio by default, or external existing providers) which might
|
|
|
simplify running this but this actually adds complexity to a
|
|
|
previously fairly simple design. Note that they have tried using
|
|
|
CephFS instead of NFS but that did not work for some reason.
|
|
|
|
|
|
The [new pages architecture](https://docs.gitlab.com/ee/architecture/blueprints/cloud_native_gitlab_pages/) also relies on the GitLab rails API
|
|
|
for configuration (it was a set of JSON files before), which makes it
|
|
|
dependent on the Rails API for availability, although [that part of
|
|
|
the design](https://gitlab.com/groups/gitlab-org/-/epics/4242) has [exponential back-off time](https://gitlab.com/groups/gitlab-org/-/epics/4242) for unavailability
|
|
|
of the rails API, so maybe it would survive a downtime of the rails
|
|
|
API.
|
|
|
|
|
|
GitLab pages is not currently in use in our setup, but could be used
|
|
|
as an alternative to the [static mirroring system](howto/static-component). See the
|
|
|
[discussion there](howto/static-component#alternatives-considered) for more information about that design.
|
|
|
[discussion there](howto/static-component#alternatives-considered) for more information about how that compares
|
|
|
with the static mirror system.
|
|
|
|
|
|
Update: [some tests of GitLab pages](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/91) were performed in January
|
|
|
2021, with moderate success. There are still concerns about the
|
|
|
reliability and scalability of the service, but the service could be
|
|
|
used for small sites at this stage. See the [GitLab pages installation
|
|
|
instructions](#gitlab-pages-installation) for details on how this was setup.
|
|
|
|
|
|
## Issues
|
|
|
|
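Review bot: the added sentence "the way this works is that artifacts from GitLab CI jobs get sent back to the central server" does not say which server receives the artifacts (the main GitLab instance or the pages server), and the next paragraph says pages servers fetch their content over NFS, so a clause stating where the artifacts are stored and how the pages daemon reaches them would make the two statements line up. In the paragraph on the new architecture, "[that part of the design]" and "[exponential back-off time]" both link to https://gitlab.com/groups/gitlab-org/-/epics/4242, so one of the two links is redundant. Minor wording: "rearchitecturing" should be "rearchitecting", "ie." should be "i.e.", and "which might simplify running this but this actually adds complexity" contradicts itself; "which is meant to simplify operations but adds complexity to a previously fairly simple design" keeps the intent. The "Update" paragraph correctly targets the `#gitlab-pages-installation` anchor introduced by the new heading in this commit.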
... | ... | |