From a10ecb5052e1d5ae434885f6098d9bb3e5ae2480 Mon Sep 17 00:00:00 2001 From: Armando Miani Date: Tue, 19 Sep 2023 11:27:44 +0200 Subject: [PATCH] [gitlab] Docker images updates - 2023-09-14-124113 (#2442) --- docker/gitlab/14/debian11/14.10/Dockerfile | 54 +++++++ .../14/debian11/14.10/assets/generate-release | 23 +++ .../gitlab/14/debian11/14.10/assets/gitlab.rb | 38 +++++ .../14/debian11/14.10/assets/gitlab_sysctl.rb | 50 ++++++ docker/gitlab/14/debian11/14.10/assets/setup | 67 ++++++++ .../14/debian11/14.10/assets/sshd_config | 26 ++++ .../debian11/14.10/assets/update-permissions | 109 +++++++++++++ .../gitlab/14/debian11/14.10/assets/wrapper | 146 ++++++++++++++++++ docker/gitlab/16/debian11/16.3/Dockerfile | 6 +- docker/gitlab/versions.yaml | 21 ++- 10 files changed, 534 insertions(+), 6 deletions(-) create mode 100644 docker/gitlab/14/debian11/14.10/Dockerfile create mode 100755 docker/gitlab/14/debian11/14.10/assets/generate-release create mode 100644 docker/gitlab/14/debian11/14.10/assets/gitlab.rb create mode 100644 docker/gitlab/14/debian11/14.10/assets/gitlab_sysctl.rb create mode 100755 docker/gitlab/14/debian11/14.10/assets/setup create mode 100644 docker/gitlab/14/debian11/14.10/assets/sshd_config create mode 100755 docker/gitlab/14/debian11/14.10/assets/update-permissions create mode 100755 docker/gitlab/14/debian11/14.10/assets/wrapper
diff --git a/docker/gitlab/14/debian11/14.10/Dockerfile b/docker/gitlab/14/debian11/14.10/Dockerfile
new file mode 100644
index 0000000000..753cc33a73
--- /dev/null
+++ b/docker/gitlab/14/debian11/14.10/Dockerfile
@@ -0,0 +1,54 @@
+FROM marketplace.gcr.io/google/c2d-debian11
+
+ENV GITLAB_VERSION 14.10.5
+ENV DOWNLOAD_URL "https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/bullseye/gitlab-ee_14.10.5-ee.0_amd64.deb/download.deb"
+
+ENV C2D_RELEASE 14.10.5
+
+SHELL ["/bin/sh", "-c"],
+
+# Default to supporting utf-8
+ENV LANG C.UTF-8
+
+# Install required packages
+RUN apt-get update -q \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
+ ca-certificates \
+ openssh-server \
+ wget \
+ apt-transport-https \
+ vim \
+ tzdata \
+ nano \
+ less \
+ openssl \
+ perl \
+ jq \
+ && rm -rf /var/lib/apt/lists/* \
+ && sed 's/session\s*required\s*pam_loginuid.so/session optional pam_loginuid.so/g' -i /etc/pam.d/sshd
+
+# Remove MOTD
+RUN rm -rf /etc/update-motd.d /etc/motd /etc/motd.dynamic
+RUN ln -fs /dev/null /run/motd.dynamic
+
+# Resolve error: TERM environment variable not set.
+ENV TERM xterm
+
+# Copy assets
+COPY assets/ /assets/
+RUN /assets/setup
+
+# Allow to access embedded tools
+ENV PATH /opt/gitlab/embedded/bin:/opt/gitlab/bin:/assets:$PATH
+
+# Expose web & ssh
+EXPOSE 443 80 22
+
+# Define data volumes
+VOLUME ["/etc/gitlab", "/var/opt/gitlab", "/var/log/gitlab"]
+
+# Wrapper to handle signal, trigger runit and reconfigure GitLab
+CMD ["/assets/wrapper"]
+
+HEALTHCHECK --interval=60s --timeout=30s --retries=5 \
+CMD /opt/gitlab/bin/gitlab-healthcheck --fail --max-time 10
diff --git a/docker/gitlab/14/debian11/14.10/assets/generate-release b/docker/gitlab/14/debian11/14.10/assets/generate-release
new file mode 100755
index 0000000000..1cda82917b
--- /dev/null
+++ b/docker/gitlab/14/debian11/14.10/assets/generate-release
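Review bot: Nothing in this Dockerfile declares a checksum or signature for the `.deb` named in `DOWNLOAD_URL`, so the only integrity control on the GitLab 14.10.5 package baked into the image is the TLS connection to packages.gitlab.com; the fetch itself happens in `/assets/setup`, which this patch does not show in full, so if a hash is verified there the Dockerfile should say so in a comment next to `DOWNLOAD_URL`. Pin the expected SHA-256 of the package alongside `DOWNLOAD_URL`, the same way `GITLAB_VERSION` is pinned, and have `setup` reject a mismatch before installing (or verify the packagecloud GPG signature). The base image `FROM marketplace.gcr.io/google/c2d-debian11` carries neither a tag nor a digest, so two builds of the same commit can produce different images; a `@sha256:…` digest makes the build reproducible and turns base-image updates into reviewable bumps. `vim`, `nano` and `less` are interactive editors in a service image and exist only to serve the `docker exec -it gitlab vim /etc/gitlab/gitlab.rb` hint the wrapper prints; since `/etc/gitlab` is a declared volume that operators can edit from the host, dropping them is cheap attack-surface reduction.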
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+cat > /RELEASE <&1\numask 077\nexec /usr/sbin/sshd -D -f /assets/sshd_config -e" > /opt/gitlab/sv/sshd/run
+printf "#!/bin/sh\nexec svlogd -tt /var/log/gitlab/sshd" > /opt/gitlab/sv/sshd/log/run
+chmod a+x /opt/gitlab/sv/sshd/run /opt/gitlab/sv/sshd/log/run
+
+# Remove current gitlab.rb file
+rm -f /etc/gitlab/gitlab.rb
+
+# Patch omnibus package
+sed -i "s/external_url 'GENERATED_EXTERNAL_URL'/# external_url 'GENERATED_EXTERNAL_URL'/" /opt/gitlab/etc/gitlab.rb.template
+sed -i "s/\/etc\/gitlab\/gitlab.rb/\/assets\/gitlab.rb/" /opt/gitlab/embedded/cookbooks/gitlab/recipes/show_config.rb
+sed -i "s/\/etc\/gitlab\/gitlab.rb/\/assets\/gitlab.rb/" /opt/gitlab/embedded/cookbooks/gitlab/recipes/config.rb
+
+cp /assets/gitlab_sysctl.rb /opt/gitlab/embedded/cookbooks/package/resources/gitlab_sysctl.rb
+
+# Set install type to docker
+echo 'gitlab-docker' > /opt/gitlab/embedded/service/gitlab-rails/INSTALLATION_TYPE
+
+# Create groups
+groupadd -g 998 git
+groupadd -g 999 gitlab-www
+groupadd -g 997 gitlab-redis
+groupadd -g 996 gitlab-psql
+
+groupadd -g 994 mattermost
+groupadd -g 993 registry
+groupadd -g 992 gitlab-prometheus
+groupadd -g 991 gitlab-consul
+
+# Create accounts
+useradd -m -u 998 -g git -m -s /bin/sh -d /var/opt/gitlab git
+useradd -m -u 999 -g gitlab-www -m -s /bin/false -d /var/opt/gitlab/nginx gitlab-www
+useradd -m -u 997 -g 
gitlab-redis -m -s /bin/false -d /var/opt/gitlab/redis gitlab-redis
+useradd -m -u 996 -g gitlab-psql -m -s /bin/sh -d /var/opt/gitlab/postgresql gitlab-psql
+useradd -m -u 994 -g mattermost -m -s /bin/sh -d /var/opt/gitlab/mattermost mattermost
+useradd -m -u 993 -g registry -m -s /bin/sh -d /var/opt/gitlab/registry registry
+useradd -m -u 992 -g gitlab-prometheus -m -s /bin/sh -d /var/opt/gitlab/prometheus gitlab-prometheus
+useradd -m -u 991 -g gitlab-consul -m -s /bin/sh -d /var/opt/gitlab/consul gitlab-consul
diff --git a/docker/gitlab/14/debian11/14.10/assets/sshd_config b/docker/gitlab/14/debian11/14.10/assets/sshd_config
new file mode 100644
index 0000000000..657a67f083
--- /dev/null
+++ b/docker/gitlab/14/debian11/14.10/assets/sshd_config
@@ -0,0 +1,26 @@
+Port 22
+ChallengeResponseAuthentication no
+HostKey /etc/gitlab/ssh_host_rsa_key
+HostKey /etc/gitlab/ssh_host_ecdsa_key
+HostKey /etc/gitlab/ssh_host_ed25519_key
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication no
+MaxStartups 100:30:200
+AllowUsers git
+PrintMotd no
+PrintLastLog no
+PubkeyAuthentication yes
+AuthorizedKeysFile %h/.ssh/authorized_keys /gitlab-data/ssh/authorized_keys
+AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
+AuthorizedKeysCommandUser git
+
+# Fix: User username not allowed because account is locked
+# With "UsePAM yes" the "!" is seen as a password disabled account and not fully locked so ssh public key login works
+UsePAM yes
+
+# Disabling use DNS in ssh since it tends to slow connecting
+UseDNS no
+
+# Enable the use of Git protcol v2
+AcceptEnv GIT_PROTOCOL
diff --git a/docker/gitlab/14/debian11/14.10/assets/update-permissions b/docker/gitlab/14/debian11/14.10/assets/update-permissions
new file mode 100755
index 0000000000..4a79a3ffbb
--- /dev/null
+++ b/docker/gitlab/14/debian11/14.10/assets/update-permissions
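Review bot: This config never disables the channel features a git-only endpoint has no use for, while the single account it admits (`AllowUsers git`) is created in `setup` with a real `/bin/sh` login shell, so any key that reaches sshd without restrictive key options — for example one placed in the `%h/.ssh/authorized_keys` or `/gitlab-data/ssh/authorized_keys` fallbacks named in `AuthorizedKeysFile` rather than resolved through `AuthorizedKeysCommand` — gets TCP, agent and X11 forwarding for free. Deny those at the daemon level regardless of per-key options by adding `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no` next to `PermitRootLogin no`; that gitlab-shell normally emits `command=`/`no-*` options on the keys it manages is upstream behaviour I am inferring, not something this patch shows. `Protocol 2` and `ChallengeResponseAuthentication no` are legacy spellings (the first has been ignored since OpenSSH 7.4 and the second is `KbdInteractiveAuthentication` in current releases, as far as I know), so a comment saying they are kept for older sshd builds would stop the next reader from deleting them as dead config.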
@@ -0,0 +1,109 @@
+#!/bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+
+# chown_if_exists
+# input: matches `chown` command, see `man chown`
+# Simply, this checks that the file you're trying to chown actually exists
+# before making the chown call. DRY'ing the rest of this script's checks.
+chown_if_exists()
+{
+ # the last argument of chown is the file or path
+ path="${@:${#@}}"
+ if [ -e "$path" ]; then
+ chown $@
+ else
+ echo "skipping, path does not exist: $path"
+ fi
+}
+
+chmod_if_exists()
+{
+ # the last argument of chown is the file or path
+ path="${@:${#@}}"
+ if [ -e "$path" ]; then
+ chmod $@
+ else
+ echo "skipping, path does not exist: $path"
+ fi
+}
+
+# Fix GitLab permissions
+if id -u git; then
+ # Fix data storage
+ chown_if_exists -R git:git /var/opt/gitlab/.ssh
+ chown_if_exists -R git:git /var/opt/gitlab/.gitconfig
+ chown_if_exists -R git:git /var/opt/gitlab/git-data
+ chmod_if_exists 2770 /var/opt/gitlab/git-data/repositories
+ chown_if_exists -R git:git /var/opt/gitlab/gitlab-ci/builds
+ chown_if_exists -R git:git /var/opt/gitlab/gitlab-rails
+ chown_if_exists -R git:git /var/opt/gitlab/gitlab-shell
+ if id -g gitlab-www; then
+ chown_if_exists -R git:gitlab-www /var/opt/gitlab/gitlab-workhorse
+ fi
+
+ # Fix log storage
+ chown_if_exists git /var/log/gitlab/gitlab-workhorse
+ chown_if_exists git /var/log/gitlab/gitlab-rails
+ chown_if_exists git /var/log/gitlab/gitlab-shell
+ 
chown_if_exists git /var/log/gitlab/sidekiq
+ chown_if_exists git /var/log/gitlab/unicorn
+
+ # Update log files
+ chown_if_exists -R git:git /var/log/gitlab/gitlab-rails/*.log
+ chown_if_exists -R git:git /var/log/gitlab/gitlab-shell/*.log
+ chown_if_exists -R git:git /var/log/gitlab/unicorn/*.log
+fi
+
+# Fix nginx buffering directory permission
+if id -u gitlab-www; then
+ chown_if_exists -R gitlab-www:gitlab-www /var/opt/gitlab/nginx/*_temp
+ chown_if_exists -R gitlab-www:gitlab-www /var/opt/gitlab/nginx/*_cache
+fi
+
+# Fix database storage and logs
+if id -u gitlab-psql; then
+ chown_if_exists -R gitlab-psql:gitlab-psql /var/opt/gitlab/postgresql
+ chown_if_exists gitlab-psql /var/log/gitlab/postgresql
+fi
+
+# Fix prometheus storage and logs
+if id -u gitlab-prometheus; then
+ chown_if_exists -R gitlab-prometheus:gitlab-prometheus /var/opt/gitlab/prometheus
+ chown_if_exists gitlab-prometheus /var/log/gitlab/prometheus
+ chown_if_exists -R gitlab-prometheus:gitlab-prometheus /var/opt/gitlab/alertmanager
+ chown_if_exists gitlab-prometheus /var/log/gitlab/alertmanager
+fi
+
+# Fix redis storage and logs
+if id -u gitlab-redis; then
+ chown_if_exists -R gitlab-redis:gitlab-redis /var/opt/gitlab/redis
+ if id -g git ; then
+ chown_if_exists gitlab-redis:git /var/opt/gitlab/redis
+ fi
+ chown_if_exists gitlab-redis /var/log/gitlab/redis
+fi
+
+# Fix registry storage
+if id -u registry; then
+ chown_if_exists -R registry:git /var/opt/gitlab/gitlab-rails/shared/registry
+fi
+
+# Fix mattermost storage
+if id -u mattermost; then
+ chown_if_exists -R mattermost /var/opt/gitlab/mattermost
+fi
diff --git a/docker/gitlab/14/debian11/14.10/assets/wrapper b/docker/gitlab/14/debian11/14.10/assets/wrapper
new file mode 100755
index 0000000000..4fb130f8e8
--- /dev/null
+++ b/docker/gitlab/14/debian11/14.10/assets/wrapper
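Review bot: `chown $@` and `chmod $@` in the two helpers expand their arguments unquoted, so a path containing whitespace or a glob character is re-split and re-globbed at that point even though the `-e` test just above it used the intact last argument from `"${@:${#@}}"`; write `chown "$@"` and `chmod "$@"`. Every single-path call such as `chown_if_exists git /var/log/gitlab/gitlab-rails` runs as root and dereferences symlinks (both `[ -e ]` and `chown` without `-h` do), so if a service account that already owns a subtree of the volume — `git` owns most of `/var/opt/gitlab` once this script has run — ever replaces one of these directories with a symlink, a later `update-permissions` re-owns whatever the link points at; I am not claiming a concrete path to that today, but `chown -h` on the non-recursive calls or a `[ -L "$path" ]` refusal in the helper closes it cheaply. The file sets `-x` but not `-e`, which reads as a deliberate best-effort repair; a one-line comment (`# intentionally no set -e: fix what exists, report what does not`) would keep someone from adding it later and aborting the repair on a partially-populated volume.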
@@ -0,0 +1,146 @@
+#!/bin/bash
+#
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+function sigterm_handler() {
+ echo "SIGTERM signal received, try to gracefully shutdown all services..."
+ gitlab-ctl stop
+}
+
+function failed_pg_upgrade() {
+ echo 'Upgrading the existing database failed and was reverted.'
+ echo 'Please check the output, and open an issue at:'
+ echo 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
+ echo 'If you would like to restart the instance without attempting to'
+ echo 'upgrade, add the following to your docker command:'
+ echo '-e GITLAB_SKIP_PG_UPGRADE=true'
+ exit 1
+}
+
+function clean_stale_pids() {
+ # cleanup known pid/socket files
+ for x in /opt/gitlab/sv /run $(ls -d /tmp/gitaly-ruby* 2>/dev/null) ; do
+ # find
+ # - any (s)ocket or regular (f)ile
+ # - by the name of "*.pid" or "socket.?"
+ # - and delete them
+ find $x \
+ \( \
+ -type f \
+ -o -type s \
+ \) \(\
+ -name pid \
+ -o -name "*.pid" \
+ -o -name "socket.?" \
+ \) \
+ -delete ;
+ done
+}
+
+function detect_unclean_start() {
+ set +e
+ echo "Cleaning stale PIDs & sockets"
+ clean_stale_pids
+ set -e
+}
+
+trap "sigterm_handler; exit" TERM
+
+source /RELEASE
+echo "Thank you for using GitLab Docker Image!"
+echo "Current version: $RELEASE_PACKAGE=$RELEASE_VERSION"
+echo ""
+if [[ "$PACKAGECLOUD_REPO" == "unstable" ]]; then
+ echo "You are using UNSTABLE version of $RELEASE_PACKAGE!"
+ echo ""
+fi
+echo "Configure GitLab for your system by editing /etc/gitlab/gitlab.rb file"
+echo "And restart this container to reload settings."
+echo "To do it use docker exec:"
+echo
+echo " docker exec -it gitlab vim /etc/gitlab/gitlab.rb"
+echo " docker restart gitlab"
+echo
+echo "For a comprehensive list of configuration options please see the Omnibus GitLab readme"
+echo "https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md"
+echo
+echo "If this container fails to start due to permission problems try to fix it by executing:"
+echo
+echo " docker exec -it gitlab update-permissions"
+echo " docker restart gitlab"
+echo
+sleep 3s
+
+# Run unclean start detection & cleanup
+detect_unclean_start
+
+# Copy gitlab.rb for the first time
+if [[ ! -e /etc/gitlab/gitlab.rb ]]; then
+ echo "Installing gitlab.rb config..."
+ cp /opt/gitlab/etc/gitlab.rb.template /etc/gitlab/gitlab.rb
+ chmod 0600 /etc/gitlab/gitlab.rb
+fi
+
+# Generate ssh host key for the first time
+if [[ ! -f /etc/gitlab/ssh_host_rsa_key ]]; then
+ echo "Generating ssh_host_rsa_key..."
+ ssh-keygen -f /etc/gitlab/ssh_host_rsa_key -N '' -t rsa
+ chmod 0600 /etc/gitlab/ssh_host_rsa_key
+fi
+if [[ ! -f /etc/gitlab/ssh_host_ecdsa_key ]]; then
+ echo "Generating ssh_host_ecdsa_key..."
+ ssh-keygen -f /etc/gitlab/ssh_host_ecdsa_key -N '' -t ecdsa
+ chmod 0600 /etc/gitlab/ssh_host_ecdsa_key
+fi
+if [[ ! -f /etc/gitlab/ssh_host_ed25519_key ]]; then
+ echo "Generating ssh_host_ed25519_key..."
+ ssh-keygen -f /etc/gitlab/ssh_host_ed25519_key -N '' -t ed25519
+ chmod 0600 /etc/gitlab/ssh_host_ed25519_key
+fi
+
+# Remove all services, the reconfigure will create them
+echo "Preparing services..."
+rm -f /opt/gitlab/service/*
+ln -s /opt/gitlab/sv/sshd /opt/gitlab/service
+ln -sf /opt/gitlab/embedded/bin/sv /opt/gitlab/init/sshd
+mkdir -p /var/run/sshd
+mkdir -p /var/log/gitlab/sshd
+mkdir -p /var/log/gitlab/reconfigure
+
+# Start service manager
+echo "Starting services..."
+GITLAB_OMNIBUS_CONFIG= /opt/gitlab/embedded/bin/runsvdir-start &
+
+echo "Configuring GitLab..."
+gitlab-ctl reconfigure
+
+# Make sure PostgreSQL is at the latest version.
+# If it fails, print a message with a workaround and exit
+if [ "${GITLAB_SKIP_PG_UPGRADE}" != true ]; then
+ gitlab-ctl pg-upgrade -w || failed_pg_upgrade
+fi
+
+if [ -n "${GITLAB_POST_RECONFIGURE_SCRIPT+x}" ]; then
+ echo "Running Post Reconfigure Script..."
+ eval "${GITLAB_POST_RECONFIGURE_SCRIPT}"
+fi
+
+# Tail all logs
+gitlab-ctl tail &
+
+# Wait for SIGTERM
+wait
diff --git a/docker/gitlab/16/debian11/16.3/Dockerfile b/docker/gitlab/16/debian11/16.3/Dockerfile
index ead1ca8f81..4c4064383e 100644
--- a/docker/gitlab/16/debian11/16.3/Dockerfile
+++ b/docker/gitlab/16/debian11/16.3/Dockerfile
@@ -1,9 +1,9 @@
 FROM marketplace.gcr.io/google/c2d-debian11
-ENV GITLAB_VERSION 16.3.2
-ENV DOWNLOAD_URL "https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/bullseye/gitlab-ee_16.3.2-ee.0_amd64.deb/download.deb"
+ENV GITLAB_VERSION 16.3.3
+ENV DOWNLOAD_URL "https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/bullseye/gitlab-ee_16.3.3-ee.0_amd64.deb/download.deb"
-ENV C2D_RELEASE 16.3.2
+ENV C2D_RELEASE 16.3.3
 SHELL ["/bin/sh", "-c"],
diff --git a/docker/gitlab/versions.yaml b/docker/gitlab/versions.yaml
index 8d8a6ba9e2..d71d664220 100644
--- a/docker/gitlab/versions.yaml
+++ b/docker/gitlab/versions.yaml
@@ -21,13 +21,13 @@ versions:
 from: marketplace.gcr.io/google/c2d-debian11
 packages:
 gitlab:
- version: 16.3.2
+ version: 16.3.3
 repo: gitlab16
 tags:
- - 16.3.2-debian11
+ - 16.3.3-debian11
 - 16.3-debian11
 - 16-debian11
- - 16.3.2
+ - 16.3.3
 - '16.3'
 - '16'
 - latest
@@ -45,3 +45,18 @@ versions:
 - '15.11'
 - '15'
 - latest
+- dir: 14/debian11/14.10
+ from: marketplace.gcr.io/google/c2d-debian11
+ packages:
+ gitlab:
+ version: 14.10.5
+ repo: gitlab14
+ tags:
+ - 14.10.5-debian11
+ - 14.10-debian11
+ - 14-debian11
+ - 14.10.5
+ - '14.10'
+ - '14'
+ - latest
+
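Review bot: `eval "${GITLAB_POST_RECONFIGURE_SCRIPT}"` executes whatever shell text arrives through the container environment, as root, and `GITLAB_OMNIBUS_CONFIG= /opt/gitlab/embedded/bin/runsvdir-start &` blanks a variable for one process with no explanation; neither is a bug, but both are exactly the lines a later maintainer will "clean up", so each needs a why-comment. Above the `eval`: `# Operator-supplied hook; runs as root after reconfigure and, because of set -e, a failing hook aborts startup`. Above the runsvdir line: `# Blank GITLAB_OMNIBUS_CONFIG so the supervised services do not inherit it (it can carry secrets)` — that motive is my inference from the line itself, so confirm it before wording it as fact. The three `ssh-keygen … -N ''` calls are each followed by a `chmod 0600` that `ssh-keygen` already applies to the private key, whereas the RSA call passes no `-b`, so the host key length is whatever the image's OpenSSH defaults to; if a minimum size is a requirement, make it explicit with `-b 4096`.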
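Review bot: The new 14.10.5 entry ends its tag list with `- latest`, and so do the 15.11 block shown in the context lines and the 16.3.3 block in the hunk above, so three series now claim `gitlab:latest` and whichever image is pushed last wins; if that is the 14.10 build, anyone pulling `latest` gets a series that, as far as I know, GitLab stopped backporting security fixes to well over a year before this commit. Remove `- latest` from the 14.10 block so its list ends at `- '14'` (and from the 15.11 block unless it is meant to be the default), leaving only the newest series with that tag. A short comment on the 14.10 block stating why an end-of-life series is being added at all (a customer pin, a migration stepping stone) would also tell the next reader not to expect it to receive updates.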