[gitlab] Docker images updates - 2023-09-14-124113 (#2442)

docker/gitlab/14/debian11/14.10/Dockerfile

@@ -0,0 +1,54 @@
+FROM marketplace.gcr.io/google/c2d-debian11
+
+ENV GITLAB_VERSION 14.10.5
+ENV DOWNLOAD_URL "https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/bullseye/gitlab-ee_14.10.5-ee.0_amd64.deb/download.deb"
+
+ENV C2D_RELEASE 14.10.5
+
+SHELL ["/bin/sh", "-c"],
+
+# Default to supporting utf-8
+ENV LANG C.UTF-8
+
+# Install required packages
+RUN apt-get update -q \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
+      ca-certificates \
+      openssh-server \
+      wget \
+      apt-transport-https \
+      vim \
+      tzdata \
+      nano \
+      less \
+      openssl \
+      perl \
+      jq \
+    && rm -rf /var/lib/apt/lists/* \
+    && sed 's/session\s*required\s*pam_loginuid.so/session optional pam_loginuid.so/g' -i /etc/pam.d/sshd
+
+# Remove MOTD
+RUN rm -rf /etc/update-motd.d /etc/motd /etc/motd.dynamic
+RUN ln -fs /dev/null /run/motd.dynamic
+
+# Resolve error: TERM environment variable not set.
+ENV TERM xterm
+
+# Copy assets
+COPY assets/ /assets/
+RUN /assets/setup
+
+# Allow to access embedded tools
+ENV PATH /opt/gitlab/embedded/bin:/opt/gitlab/bin:/assets:$PATH
+
+# Expose web & ssh
+EXPOSE 443 80 22
+
+# Define data volumes
+VOLUME ["/etc/gitlab", "/var/opt/gitlab", "/var/log/gitlab"]
+
+# Wrapper to handle signal, trigger runit and reconfigure GitLab
+CMD ["/assets/wrapper"]
+
+HEALTHCHECK --interval=60s --timeout=30s --retries=5 \
+CMD /opt/gitlab/bin/gitlab-healthcheck --fail --max-time 10

docker/gitlab/14/debian11/14.10/assets/generate-release

@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+cat > /RELEASE <<EOF
+RELEASE_PACKAGE=gitlab-ee
+RELEASE_VERSION=${GITLAB_VERSION}-ee.0
+DOWNLOAD_URL=${DOWNLOAD_URL}
+EOF

docker/gitlab/14/debian11/14.10/assets/gitlab.rb

@@ -0,0 +1,38 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Docker options
+## Prevent Postgres from trying to allocate 25% of total memory
+postgresql['shared_buffers'] = '1MB'
+
+# Disable Prometheus node_exporter inside Docker.
+node_exporter['enable'] = false
+
+# Manage accounts with docker
+manage_accounts['enable'] = false
+
+# Get hostname from shell
+host = `hostname`.strip
+external_url "http://#{host}"
+
+# Explicitly disable init detection since we are running on a container
+package['detect_init'] = false
+
+# Load custom config from environment variable: GITLAB_OMNIBUS_CONFIG
+# Disabling the cop since rubocop considers using eval to be security risk but
+# we don't have an easy way out, atleast yet.
+eval ENV["GITLAB_OMNIBUS_CONFIG"].to_s # rubocop:disable Security/Eval
+
+# Load configuration stored in /etc/gitlab/gitlab.rb
+from_file("/etc/gitlab/gitlab.rb")

docker/gitlab/14/debian11/14.10/assets/gitlab_sysctl.rb

@@ -0,0 +1,50 @@
+# Copyright 2020 Google LLC
+# Copyright:: Copyright (c) 2016 GitLab Inc
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource_name :gitlab_sysctl
+provides :gitlab_sysctl
+
+actions :create
+default_action :create
+
+property :value, [Integer, Float, String, nil], default: nil
+
+action :create do
+  directory "create /etc/sysctl.d for #{new_resource.name}" do
+    path "/etc/sysctl.d"
+    mode "0755"
+    recursive true
+  end
+
+  conf_name = "90-omnibus-gitlab-#{new_resource.name}.conf"
+
+  file "create /opt/gitlab/embedded/etc/#{conf_name} #{new_resource.name}" do
+    path "/opt/gitlab/embedded/etc/#{conf_name}"
+    content "#{new_resource.name} = #{new_resource.value}\n"
+    # notifies :run, "execute[load sysctl conf #{new_resource.name}]", :immediately
+  end
+
+  link "/etc/sysctl.d/#{conf_name}" do
+    to "/opt/gitlab/embedded/etc/#{conf_name}"
+    # notifies :run, "execute[load sysctl conf #{new_resource.name}]", :immediately
+  end
+
+  # Load the settings right away
+  execute "load sysctl conf #{new_resource.name}" do
+    command "sysctl -e --system"
+    action :nothing
+  end
+end

docker/gitlab/14/debian11/14.10/assets/setup

@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+source /etc/os-release
+
+# Generate release file
+/assets/generate-release
+
+# Install GitLab
+wget --quiet ${DOWNLOAD_URL} -O /tmp/gitlab.deb && dpkg -i /tmp/gitlab.deb && rm /tmp/gitlab.deb
+rm -rf /var/lib/apt/lists/*
+
+# Create sshd daemon
+mkdir -p /opt/gitlab/sv/sshd/supervise /opt/gitlab/sv/sshd/log/supervise
+mkfifo /opt/gitlab/sv/sshd/supervise/ok /opt/gitlab/sv/sshd/log/supervise/ok
+printf "#!/bin/sh\nexec 2>&1\numask 077\nexec /usr/sbin/sshd -D -f /assets/sshd_config -e" > /opt/gitlab/sv/sshd/run
+printf "#!/bin/sh\nexec svlogd -tt /var/log/gitlab/sshd" > /opt/gitlab/sv/sshd/log/run
+chmod a+x /opt/gitlab/sv/sshd/run /opt/gitlab/sv/sshd/log/run
+
+# Remove current gitlab.rb file
+rm -f /etc/gitlab/gitlab.rb
+
+# Patch omnibus package
+sed -i "s/external_url 'GENERATED_EXTERNAL_URL'/# external_url 'GENERATED_EXTERNAL_URL'/" /opt/gitlab/etc/gitlab.rb.template
+sed -i "s/\/etc\/gitlab\/gitlab.rb/\/assets\/gitlab.rb/" /opt/gitlab/embedded/cookbooks/gitlab/recipes/show_config.rb
+sed -i "s/\/etc\/gitlab\/gitlab.rb/\/assets\/gitlab.rb/" /opt/gitlab/embedded/cookbooks/gitlab/recipes/config.rb
+
+cp /assets/gitlab_sysctl.rb /opt/gitlab/embedded/cookbooks/package/resources/gitlab_sysctl.rb
+
+# Set install type to docker
+echo 'gitlab-docker' > /opt/gitlab/embedded/service/gitlab-rails/INSTALLATION_TYPE
+
+# Create groups
+groupadd -g 998 git
+groupadd -g 999 gitlab-www
+groupadd -g 997 gitlab-redis
+groupadd -g 996 gitlab-psql
+
+groupadd -g 994 mattermost
+groupadd -g 993 registry
+groupadd -g 992 gitlab-prometheus
+groupadd -g 991 gitlab-consul
+
+# Create accounts
+useradd -m -u 998 -g git -m -s /bin/sh -d /var/opt/gitlab git
+useradd -m -u 999 -g gitlab-www -m -s /bin/false -d /var/opt/gitlab/nginx gitlab-www
+useradd -m -u 997 -g gitlab-redis -m -s /bin/false -d /var/opt/gitlab/redis gitlab-redis
+useradd -m -u 996 -g gitlab-psql -m -s /bin/sh -d /var/opt/gitlab/postgresql gitlab-psql
+useradd -m -u 994 -g mattermost -m -s /bin/sh -d /var/opt/gitlab/mattermost mattermost
+useradd -m -u 993 -g registry -m -s /bin/sh -d /var/opt/gitlab/registry registry
+useradd -m -u 992 -g gitlab-prometheus -m -s /bin/sh -d /var/opt/gitlab/prometheus gitlab-prometheus
+useradd -m -u 991 -g gitlab-consul -m -s /bin/sh -d /var/opt/gitlab/consul gitlab-consul

docker/gitlab/14/debian11/14.10/assets/sshd_config

@@ -0,0 +1,26 @@
+Port 22
+ChallengeResponseAuthentication no
+HostKey /etc/gitlab/ssh_host_rsa_key
+HostKey /etc/gitlab/ssh_host_ecdsa_key
+HostKey /etc/gitlab/ssh_host_ed25519_key
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication no
+MaxStartups 100:30:200
+AllowUsers git
+PrintMotd no
+PrintLastLog no
+PubkeyAuthentication yes
+AuthorizedKeysFile %h/.ssh/authorized_keys /gitlab-data/ssh/authorized_keys
+AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
+AuthorizedKeysCommandUser git
+
+# Fix: User username not allowed because account is locked
+# With "UsePAM yes" the "!" is seen as a password disabled account and not fully locked so ssh public key login works
+UsePAM yes
+
+# Disabling use DNS in ssh since it tends to slow connecting
+UseDNS no
+
+# Enable the use of Git protcol v2
+AcceptEnv GIT_PROTOCOL

docker/gitlab/14/debian11/14.10/assets/update-permissions

@@ -0,0 +1,109 @@
+#!/bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+
+# chown_if_exists
+# input: matches `chown` command, see `man chown`
+# Simply, this checks that the file you're trying to chown actually exists
+# before making the chown call. DRY'ing the rest of this script's checks.
+chown_if_exists()
+{
+    # the last argument of chown is the file or path
+    path="${@:${#@}}"
+    if [ -e "$path" ]; then
+        chown $@
+    else
+        echo "skipping, path does not exist: $path"
+    fi
+}
+
+chmod_if_exists()
+{
+    # the last argument of chown is the file or path
+    path="${@:${#@}}"
+    if [ -e "$path" ]; then
+        chmod $@
+    else
+        echo "skipping, path does not exist: $path"
+    fi
+}
+
+# Fix GitLab permissions
+if id -u git; then
+    # Fix data storage
+    chown_if_exists -R git:git /var/opt/gitlab/.ssh
+    chown_if_exists -R git:git /var/opt/gitlab/.gitconfig
+    chown_if_exists -R git:git /var/opt/gitlab/git-data
+    chmod_if_exists 2770 /var/opt/gitlab/git-data/repositories
+    chown_if_exists -R git:git /var/opt/gitlab/gitlab-ci/builds
+    chown_if_exists -R git:git /var/opt/gitlab/gitlab-rails
+    chown_if_exists -R git:git /var/opt/gitlab/gitlab-shell
+    if id -g gitlab-www; then
+        chown_if_exists -R git:gitlab-www /var/opt/gitlab/gitlab-workhorse
+    fi
+
+    # Fix log storage
+    chown_if_exists git /var/log/gitlab/gitlab-workhorse
+    chown_if_exists git /var/log/gitlab/gitlab-rails
+    chown_if_exists git /var/log/gitlab/gitlab-shell
+    chown_if_exists git /var/log/gitlab/sidekiq
+    chown_if_exists git /var/log/gitlab/unicorn
+
+    # Update log files
+    chown_if_exists -R git:git /var/log/gitlab/gitlab-rails/*.log
+    chown_if_exists -R git:git /var/log/gitlab/gitlab-shell/*.log
+    chown_if_exists -R git:git /var/log/gitlab/unicorn/*.log
+fi
+
+# Fix nginx buffering directory permission
+if id -u gitlab-www; then
+    chown_if_exists -R gitlab-www:gitlab-www /var/opt/gitlab/nginx/*_temp
+    chown_if_exists -R gitlab-www:gitlab-www /var/opt/gitlab/nginx/*_cache
+fi
+
+# Fix database storage and logs
+if id -u gitlab-psql; then
+    chown_if_exists -R gitlab-psql:gitlab-psql /var/opt/gitlab/postgresql
+    chown_if_exists gitlab-psql /var/log/gitlab/postgresql
+fi
+
+# Fix prometheus storage and logs
+if id -u gitlab-prometheus; then
+    chown_if_exists -R gitlab-prometheus:gitlab-prometheus /var/opt/gitlab/prometheus
+    chown_if_exists gitlab-prometheus /var/log/gitlab/prometheus
+    chown_if_exists -R gitlab-prometheus:gitlab-prometheus /var/opt/gitlab/alertmanager
+    chown_if_exists gitlab-prometheus /var/log/gitlab/alertmanager
+fi
+
+# Fix redis storage and logs
+if id -u gitlab-redis; then
+    chown_if_exists -R gitlab-redis:gitlab-redis /var/opt/gitlab/redis
+    if id -g git ; then
+        chown_if_exists gitlab-redis:git /var/opt/gitlab/redis
+    fi
+    chown_if_exists gitlab-redis /var/log/gitlab/redis
+fi
+
+# Fix registry storage
+if id -u registry; then
+    chown_if_exists -R registry:git /var/opt/gitlab/gitlab-rails/shared/registry
+fi
+
+# Fix mattermost storage
+if id -u mattermost; then
+    chown_if_exists -R mattermost /var/opt/gitlab/mattermost
+fi