- Description
- Setup
- Usage
- Reference
- Limitations
- Development
This module provides profiles for integrating GitLab Omnibus with SIMP.
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
It is designed to be used within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used as an independent module, all SIMP-managed security subsystems are
disabled by default and must be explicitly opted into by administrators.
Please review the parameters in
simp/simp_optionsfor details.
If you run into problems, please let us know by filing an issue at https://simp-project.atlassian.net/.
This module is a profile that integrates Gitlab with SIMP. It makes extensive
use of the component module puppet/gitlab. It is important to
note that puppet-gitlab configures the GitLab Omnibus's /etc/gitlab/gitlab.rb
and runs gitlab-ctl reconfigure.
As a profile module, simp_gitlab has a few functions:
- Integrate SIMP and SIMP's global catalysts with GitLab Omnibus
- Supported SIMP Options (global catalysts):
-
simp_options::trusted_nets -
simp_options::firewall -
simp_options::pki -
simp_options::ldap::*
-
- Intentionally unimplemented:
simp_options::selinux: The GitLab Omnibus installer appears to handle SELinux correctlysimp_options::tcpwrappers: Nothing in Omnibus is linked to TCP Wrappersimp_options::auditing: Nothing in Omnibus needs special auditd logic
- Deferred:
simp_options::syslog(not clear that we want to support this outside ofee)
- SIMP integrations:
- Open access for a local
gitSSH user- set up a SIMP
pam::access::ruleto permit GitLab's localgituser - configures
sshdsuch that the GitLab's localgituser's SSH authorized keys file path is managed only by the GitLab Omnibus installer.
- set up a SIMP
- The postfix service that comes with GitLab Omnibus is disabled in favor
of the SIMP
postfixmodule.
- Open access for a local
- Supported SIMP Options (global catalysts):
- Ensure that GitLab Omnibus can be installed without internet access
- This requires a local mirror of the Gitlab repositories
- Simplify GitLab configuration for common scenarios
- GitLab
- GitLab + Omnibus version of NGINX
- Let's Encrypt
- Mattermost
- GitLab CI runner
- Intentionally unimplemented:
- Prometheus
- (Omnibus's integrated Prometheus app monitoring requires Gitlab Omnibus to be installed within a docker container)
- GitLab CI Runner (docker)
- Prometheus
- Permit customization of GitLab Omnibus
- Satisfy as many compliance-relevant criteria as possible
This module was last tested with GitLab Community Edition 15.0.1. It may work for other GitLab versions. You can verify it works for a specific version by executing the acceptance tests with that version.
If using this module from an isolated network, ensure that package and repo
management are disabled from the module, and that the gitlab-ce or
gitlab-ee package is installed. Be sure that the $simp_gitlab::edition
parameter is set to the correct edition.
simp_gitlab version 0.7.0 now defaults simp_gitlab::allow_fips to true, as
the version of GitLab this module was tested with, 14.0.0, supports FIPS mode.
This will allow you to install and configure GitLab on FIPS_enabled servers,
but not affect existing GitLab servers configured by earlier versions of this
module.
simp_gitlab version 0.6.0 introduced a new mechanism for setting the GitLab
root user password upon initial installation of GitLab. As a side effect,
by default, the password will be automatically set to the value of
simp_gitlab::gitlab_root_password, unless the (empty) marker file
/etc/gitlab/.root_password_set exists or the parameter
simp_gitlab::set_gitlab_root_password is set to false. If during an
upgrade of this module you forget to disable this automation or just want
to reset the GitLab root password, simply run
/usr/local/sbin/change_gitlab_root_password <new_password> manually.
You do not need to know the previous password to set the new password.
Upgrading from simp_gitlab 0.2.0 to 0.3.0 requires you to copy the authorized key file
from /etc/ssh/local_keys/git to /var/opt/gitlab/.ssh/authorized_keys. Alternately
you can re-add your deployment keys in the gitlab interface.
See the CHANGELOG entries for version 0.3.0 for more details.
The most basic GitLab usage within a SIMP-managed infrastructure where all
simp_options:: are present:
include 'simp_gitlab'class { 'simp_gitlab':
trusted_nets => [
'10.0.0.0/8',
'192.168.21.21',
'192.168.21.22',
'127.0.0.1/32',
],
pki => 'simp',
firewall => true,
}Parameters for puppet/gitlab can be passed in directly using the
(Hash) $simp_gitlab::gitlab_options parameter.
Warning: $simp_gitlab::gitlab_options parameters that conflict with the
rest of simp_gitlab may lead to undefined behavior / broken systems.
Hint: Many of the data structures used by puppet/gitlab's
parameters are documented at
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# Name the local git user account `gitlab` (instead of the default `git`)
class { 'simp_gitlab':
trusted_nets => $simp_options::trusted_nets
pki => 'simp',
firewall => true,
gitlab_options => {
'user' => {
'username' => 'gitlab',
'group' => 'gitlab',
}
},
}simp_gitlab configures the GitLab's internal Nginx server to look for
additional .conf files under /etc/gitlab/nginx/conf.d/.
If you need to configure the main Nginx server, use a file resource from your
own profiles to establish a new .conf file.
See REFERENCE.md for API documentation.
- GitLab Omnibus
- documentation: https://docs.gitlab.com/omnibus/README.html
- architecture: https://docs.gitlab.com/omnibus/architecture/README.html
- source: https://gitlab.com/gitlab-org/omnibus-gitlab
- optional services:
- Mattermost (chat): https://docs.gitlab.com/omnibus/gitlab-mattermost/README.html
- Prometheus (monitoring): https://docs.gitlab.com/ce/administration/monitoring/prometheus/index.html
- GitLab Docker images: https://docs.gitlab.com/omnibus/docker/README.html
- puppet/gitlab component module:
- Security & compliance
GitLab LDAP Setup has detailed information about configuring GitLab to authenticate users using LDAP. Within this section, there are two sub-sections especially of interest when debugging LDAP connection problems:
simp_gitlab PKI management does not yet support the use of Let's Encrypt
within GitLab. At this time, if you want to use Let's Encrypt, you will need to
disable SIMP management of PKI by setting simp_gitlab::pki to false and
then manage the certificates manually.
simp_gitlab configures the GitLab Rails server LDAP TLS settings to use the
Omnibus trusted_certs (built from /etc/gitlab/trusted-certs) instead of its
own ca_file option.
The LDAP ca_file setting is known to cause problems elsewhere in GitLab
SSL. There is a (currently undocumented)
workaround to these issues: GitLab's LDAP TLS will re-use
the GitLab Omnibus trusted-certificates/ directory―but only when the LDAP
ca_file option has not been set
The drawback to this solution is that GitLab's LDAP client must share the same TLS settings as GitLab's web server―which is something that we try to keep distinct, as there could be situations in which their configurations legitimately vary.
Note: These are limitations of upstream components
-
The Exec that runs
gitlab-ctl reconfiguremay take a long time start its internal services, particularly during the first run that installs GitLab. These services are internal to the GitLab Omnibus installation and are not registered with the host OS or the Puppet providers forservice. It is possible for the services to take so long to start in the background that dependencies withinpuppet-gitlabwill fail.In these cases, it should be sufficient to simply run Puppet again after the services finish starting (status with
gitlab-ctl status). -
If the GitLab Omnibus package is already installed but the
gitlab-runsvdirservice is stopped, the service will not start and catalog compilation will fail.
Exec[set_gitlab_root_password] will fail if the gitlab-rails console does not
come up within the time configured by simp_gitlab::rails_console_load_timeout.
If this happens, set the GitLab root password by running
/usr/local/sbin/change_gitlab_root_password <new_password> manually, and then
run puppet again.
This is almost certainly a false positive―GitLab configures compression to 0 when HTTPS is enabled.
- See https://docs.gitlab.com/ce/security/crime_vulnerability.html for details.
Right now, redis logs these warnings (running in beaker/vagrant VMs):
# WARNING overcommit_memory is set to 0! Background save may fail under low
memory condition. To fix this issue add 'vm.overcommit_memory = 1' to
/etc/sysctl.conf and then reboot or run the command 'sysctl
vm.overcommit_memory=1' for this to take effect.
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel.
This will create latency and memory usage issues with Redis. To fix this issue
run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as
root, and add it to your /etc/rc.local in order to retain the setting after
a reboot. Redis must be restarted after THP is disabled.
Please read our Contribution Guide.
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suitesPlease refer to the SIMP Beaker Helpers documentation for more information.
TEST_GITLAB_CE_VERSION is an environment variable that can be used
to specify the version of gitlab-ce to use in the acceptance tests.
When set, it must either a version string for a specific gitlab-ce
package version or 'latest' to indicate the latest available version.
When unset, the latest version is tested.
TEST_GITLAB_CE_VERSION=15.0.1 bundle exec rake beaker:suitesTRUSTED_NETS is an environment variable that may contain a comma-delimited
list of trusted networks to add to the gitlab SUT's firewall.
TRUSTED_NETS=192.168.11.0/24,10.0.2.2 bundle exec rake beaker:suitesNote: if the TRUSTED_NETS configuration is too broad, it may cause
some acceptance tests (for denied clients) to fail.
Each nodeset in spec/acceptance/nodesets/ contains a commented-out
forwarded_ports: section. If you want to use a web browser to manually
inspect the SUT GitLab server during any of the tests, uncomment this section
and add the NAT network router's IP address to the TRUSTED_NETS variable.
For example:
TRUSTED_NETS=10.0.2.2 BEAKER_destroy=no bundle exec rake beaker:suitesThen, in a browser on the host machine, navigate to https://127.0.0.1:<port>,
where <port> is the forwarded port for the test being executed, i.e.,
8080, 8443, or 8777.
Note: If you need to login as the administrator to the GitLab instance,
use the login of root and the password found on the GitLab server host at
/opt/puppetlabs/puppet/cache/simp/environments/production/simp_autofiles/gen_passwd/simp_gitlab_server.<your domain>.
Setting the environment variable PRY=yes will cause the acceptance tests to
drop into a pry console under certain circumstances (usually just before
failures in examples with complex or hard-to-debug state). This will
effectively pause the test, to allow you to debug.
TRUSTED_NETS=10.0.2.2 BEAKER_destroy=no PRY=yes bundle exec rake beaker:suites