During this section, we will configure the PostgreSQL server, from the Praefect
node, using
psql
which is installed by Omnibus GitLab.
sudo -i
Connect to the PostgreSQL server with administrative access. This is likely
the postgres
user. The database template1
is used because it is created
by default on all PostgreSQL servers.
/opt/gitlab/embedded/bin/psql -U postgres -d template1 -h POSTGRESQL_SERVER_ADDRESS
Create a new user praefect
which will be used by Praefect. Replace
PRAEFECT_SQL_PASSWORD
with the strong password you generated in the
preparation step.
CREATE ROLE praefect WITH LOGIN CREATEDB PASSWORD 'PRAEFECT_SQL_PASSWORD';
Reconnect to the PostgreSQL server, this time as the praefect
user:
/opt/gitlab/embedded/bin/psql -U praefect -d template1 -h POSTGRESQL_SERVER_ADDRESS
Create a new database praefect_production
. By creating the database while
connected as the praefect
user, we are confident they have access.
CREATE DATABASE praefect_production WITH ENCODING=UTF8;
The database used by Praefect is now configured.
PgBouncer
To reduce PostgreSQL resource consumption, we recommend setting up and configuring
PgBouncer in front of the PostgreSQL instance. To do
this, replace value of the POSTGRESQL_SERVER_ADDRESS
with corresponding IP or host
address of the PgBouncer instance.
This documentation doesn’t provide PgBouncer installation instructions,
but you can:
Find instructions on the official website.
Use a Docker image.
In addition to the base PgBouncer configuration options, set the following values in
your pgbouncer.ini
file:
The Praefect PostgreSQL database in the [databases]
section:
[databases]
* = host=POSTGRESQL_SERVER_ADDRESS port=5432 auth_user=praefect
pool_mode
and ignore_startup_parameters
in the [pgbouncer]
section:
[pgbouncer]
pool_mode = transaction
ignore_startup_parameters = extra_float_digits
The praefect
user and its password should be included in the file (default is
userlist.txt
) used by PgBouncer if the auth_file
configuration option is set.
Note:
By default PgBouncer uses port 6432
to accept incoming
connections. You can change it by setting the listen_port
configuration option. We recommend setting it to the default port value (5432
) used by
PostgreSQL instances. Otherwise you should change the configuration parameter
praefect['database_port']
for each Praefect instance to the correct value.
Praefect
Introduced in GitLab 13.4, Praefect nodes can no longer be designated as primary
.
Note:
If there are multiple Praefect nodes, complete these steps for each node.
To complete this section you will need:
Configured PostgreSQL server, including:
IP/host address (POSTGRESQL_SERVER_ADDRESS
)
password (PRAEFECT_SQL_PASSWORD
)
Praefect should be run on a dedicated node. Do not run Praefect on the
application server, or a Gitaly node.
SSH into the Praefect node and login as root:
sudo -i
Disable all other services by editing /etc/gitlab/gitlab.rb
:
# Disable all other services on the Praefect node
postgresql['enable'] = false
redis['enable'] = false
nginx['enable'] = false
alertmanager['enable'] = false
prometheus['enable'] = false
grafana['enable'] = false
puma['enable'] = false
sidekiq['enable'] = false
gitlab_workhorse['enable'] = false
gitaly['enable'] = false
# Enable only the Praefect service
praefect['enable'] = true
# Prevent database connections during 'gitlab-ctl reconfigure'
gitlab_rails['rake_cache_clear'] = false
gitlab_rails['auto_migrate'] = false
Configure Praefect to listen on network interfaces by editing
/etc/gitlab/gitlab.rb
:
praefect['listen_addr'] = '0.0.0.0:2305'
# Enable Prometheus metrics access to Praefect. You must use firewalls
# to restrict access to this address/port.
praefect['prometheus_listen_addr'] = '0.0.0.0:9652'
Configure a strong auth_token
for Praefect by editing
/etc/gitlab/gitlab.rb
. This will be needed by clients outside the cluster
(like GitLab Shell) to communicate with the Praefect cluster :
praefect['auth_token'] = 'PRAEFECT_EXTERNAL_TOKEN'
Configure Praefect to connect to the PostgreSQL database by editing
/etc/gitlab/gitlab.rb
.
You will need to replace POSTGRESQL_SERVER_ADDRESS
with the IP/host address
of the database, and PRAEFECT_SQL_PASSWORD
with the strong password set
above.
praefect['database_host'] = 'POSTGRESQL_SERVER_ADDRESS'
praefect['database_port'] = 5432
praefect['database_user'] = 'praefect'
praefect['database_password'] = 'PRAEFECT_SQL_PASSWORD'
praefect['database_dbname'] = 'praefect_production'
If you want to use a TLS client certificate, the options below can be used:
# Connect to PostgreSQL using a TLS client certificate
# praefect['database_sslcert'] = '/path/to/client-cert'
# praefect['database_sslkey'] = '/path/to/client-key'
# Trust a custom certificate authority
# praefect['database_sslrootcert'] = '/path/to/rootcert'
By default Praefect will refuse to make an unencrypted connection to
PostgreSQL. You can override this by uncommenting the following line:
# praefect['database_sslmode'] = 'disable'
Configure the Praefect cluster to connect to each Gitaly node in the
cluster by editing /etc/gitlab/gitlab.rb
.
The virtual storage’s name must match the configured storage name in GitLab
configuration. In a later step, we configure the storage name as default
so we use default
here as well. This cluster has three Gitaly nodes gitaly-1
,
gitaly-2
, and gitaly-3
, which will be replicas of each other.
Caution:
If you have data on an already existing storage called
default
, you should configure the virtual storage with another name and
migrate the data to the Gitaly Cluster storage
afterwards.
Replace PRAEFECT_INTERNAL_TOKEN
with a strong secret, which will be used by
Praefect when communicating with Gitaly nodes in the cluster. This token is
distinct from the PRAEFECT_EXTERNAL_TOKEN
.
Replace GITALY_HOST
with the IP/host address of the each Gitaly node.
More Gitaly nodes can be added to the cluster to increase the number of
replicas. More clusters can also be added for very large GitLab instances.
# Name of storage hash must match storage name in git_data_dirs on GitLab
# server ('praefect') and in git_data_dirs on Gitaly nodes ('gitaly-1')
praefect['virtual_storages'] = {
'default' => {
'gitaly-1' => {
'address' => 'tcp://GITALY_HOST:8075',
'token' => 'PRAEFECT_INTERNAL_TOKEN',
'gitaly-2' => {
'address' => 'tcp://GITALY_HOST:8075',
'token' => 'PRAEFECT_INTERNAL_TOKEN'
'gitaly-3' => {
'address' => 'tcp://GITALY_HOST:8075',
'token' => 'PRAEFECT_INTERNAL_TOKEN'
Introduced in GitLab 13.1 and later, enable distribution of reads.
Save the changes to /etc/gitlab/gitlab.rb
and reconfigure
Praefect:
gitlab-ctl reconfigure
To ensure that Praefect has updated its Prometheus listen
address, restart
Praefect:
gitlab-ctl restart praefect
Verify that Praefect can reach PostgreSQL:
sudo -u git /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml sql-ping
If the check fails, make sure you have followed the steps correctly. If you
edit /etc/gitlab/gitlab.rb
, remember to run sudo gitlab-ctl reconfigure
again before trying the sql-ping
command.
The steps above must be completed for each Praefect node!
Enabling TLS support
Introduced in GitLab 13.2.
Praefect supports TLS encryption. To communicate with a Praefect instance that listens
for secure connections, you must:
Use a tls://
URL scheme in the gitaly_address
of the corresponding storage entry
in the GitLab configuration.
Bring your own certificates because this isn’t provided automatically. The certificate
corresponding to each Praefect server must be installed on that Praefect server.
Additionally the certificate, or its certificate authority, must be installed on all Gitaly servers
and on all Praefect clients that communicate with it following the procedure described in
GitLab custom certificate configuration (and repeated below).
Note the following:
The certificate must specify the address you use to access the Praefect server. If
addressing the Praefect server by:
Hostname, you can either use the Common Name field for this, or add it as a Subject
Alternative Name.
IP address, you must add it as a Subject Alternative Name to the certificate.
You can configure Praefect servers with both an unencrypted listening address
listen_addr
and an encrypted listening address tls_listen_addr
at the same time.
This allows you to do a gradual transition from unencrypted to encrypted traffic, if
necessary.
To configure Praefect with TLS:
For Omnibus GitLab
Create certificates for Praefect servers.
On the Praefect servers, create the /etc/gitlab/ssl
directory and copy your key
and certificate there:
sudo mkdir -p /etc/gitlab/ssl
sudo chmod 755 /etc/gitlab/ssl
sudo cp key.pem cert.pem /etc/gitlab/ssl/
sudo chmod 644 key.pem cert.pem
Edit /etc/gitlab/gitlab.rb
and add:
praefect['tls_listen_addr'] = "0.0.0.0:3305"
praefect['certificate_path'] = "/etc/gitlab/ssl/cert.pem"
praefect['key_path'] = "/etc/gitlab/ssl/key.pem"
Save the file and reconfigure GitLab.
On the Praefect clients (including each Gitaly server), copy the certificates,
or their certificate authority, into /etc/gitlab/trusted-certs
:
sudo cp cert.pem /etc/gitlab/trusted-certs/
On the Praefect clients (except Gitaly servers), edit git_data_dirs
in
/etc/gitlab/gitlab.rb
as follows:
git_data_dirs({
'default' => { 'gitaly_address' => 'tls://praefect1.internal:3305' },
'storage1' => { 'gitaly_address' => 'tls://praefect2.internal:3305' },
Save the file and reconfigure GitLab.
For installations from source
Create certificates for Praefect servers.
On the Praefect servers, create the /etc/gitlab/ssl
directory and copy your key and certificate
there:
sudo mkdir -p /etc/gitlab/ssl
sudo chmod 755 /etc/gitlab/ssl
sudo cp key.pem cert.pem /etc/gitlab/ssl/
sudo chmod 644 key.pem cert.pem
On the Praefect clients (including each Gitaly server), copy the certificates,
or their certificate authority, into the system trusted certificates:
sudo cp cert.pem /usr/local/share/ca-certificates/praefect.crt
sudo update-ca-certificates
On the Praefect clients (except Gitaly servers), edit storages
in
/home/git/gitlab/config/gitlab.yml
as follows:
gitlab:
repositories:
storages:
default:
gitaly_address: tls://praefect1.internal:3305
path: /some/local/path
storage1:
gitaly_address: tls://praefect2.internal:3305
path: /some/local/path
Note:
/some/local/path
should be set to a local folder that exists, however no
data will be stored in this folder. This will no longer be necessary after
this issue is resolved.
Save the file and restart GitLab.
Copy all Praefect server certificates, or their certificate authority, to the system
trusted certificates on each Gitaly server so the Praefect server will trust the
certificate when called by Gitaly servers:
sudo cp cert.pem /usr/local/share/ca-certificates/praefect.crt
sudo update-ca-certificates
Edit /home/git/praefect/config.toml
and add:
tls_listen_addr = '0.0.0.0:3305'
[tls]
certificate_path = '/etc/gitlab/ssl/cert.pem'
key_path = '/etc/gitlab/ssl/key.pem'
Save the file and restart GitLab.
To complete this section you will need:
Configured Praefect node
3 (or more) servers, with GitLab installed, to be configured as Gitaly nodes.
These should be dedicated nodes, do not run other services on these nodes.
Every Gitaly server assigned to the Praefect cluster needs to be configured. The
configuration is the same as a normal standalone Gitaly server,
except:
the storage names are exposed to Praefect, not GitLab
the secret token is shared with Praefect, not GitLab
The configuration of all Gitaly nodes in the Praefect cluster can be identical,
because we rely on Praefect to route operations correctly.
Particular attention should be shown to:
the gitaly['auth_token']
configured in this section must match the token
value under praefect['virtual_storages']
on the Praefect node. This was set
in the previous section. This document uses the placeholder
PRAEFECT_INTERNAL_TOKEN
throughout.
the storage names in git_data_dirs
configured in this section must match the
storage names under praefect['virtual_storages']
on the Praefect node. This
was set in the previous section. This document uses gitaly-1
,
gitaly-2
, and gitaly-3
as Gitaly storage names.
For more information on Gitaly server configuration, see our Gitaly
documentation.
SSH into the Gitaly node and login as root:
sudo -i
Disable all other services by editing /etc/gitlab/gitlab.rb
:
# Disable all other services on the Praefect node
postgresql['enable'] = false
redis['enable'] = false
nginx['enable'] = false
grafana['enable'] = false
puma['enable'] = false
sidekiq['enable'] = false
gitlab_workhorse['enable'] = false
prometheus_monitoring['enable'] = false
# Enable only the Gitaly service
gitaly['enable'] = true
# Enable Prometheus if needed
prometheus['enable'] = true
# Prevent database connections during 'gitlab-ctl reconfigure'
gitlab_rails['rake_cache_clear'] = false
gitlab_rails['auto_migrate'] = false
Configure Gitaly to listen on network interfaces by editing
/etc/gitlab/gitlab.rb
:
# Make Gitaly accept connections on all network interfaces.
# Use firewalls to restrict access to this address/port.
gitaly['listen_addr'] = '0.0.0.0:8075'
# Enable Prometheus metrics access to Gitaly. You must use firewalls
# to restrict access to this address/port.
gitaly['prometheus_listen_addr'] = '0.0.0.0:9236'
Configure a strong auth_token
for Gitaly by editing
/etc/gitlab/gitlab.rb
. This will be needed by clients to communicate with
this Gitaly nodes. Typically, this token will be the same for all Gitaly
nodes.
gitaly['auth_token'] = 'PRAEFECT_INTERNAL_TOKEN'
Configure the GitLab Shell secret_token
, and internal_api_url
which are
needed for git push
operations.
If you have already configured Gitaly on its own server
gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
# Configure the gitlab-shell API callback URL. Without this, `git push` will
# fail. This can be your front door GitLab URL or an internal load balancer.
# Examples: 'https://gitlab.example.com', 'http://1.2.3.4'
gitlab_rails['internal_api_url'] = 'http://GITLAB_HOST'
Configure the storage location for Git data by setting git_data_dirs
in
/etc/gitlab/gitlab.rb
. Each Gitaly node should have a unique storage name
(such as gitaly-1
).
Instead of configuring git_data_dirs
uniquely for each Gitaly node, it is
often easier to have include the configuration for all Gitaly nodes on every
Gitaly node. This is supported because the Praefect virtual_storages
configuration maps each storage name (such as gitaly-1
) to a specific node, and
requests are routed accordingly. This means every Gitaly node in your fleet
can share the same configuration.
# You can include the data dirs for all nodes in the same config, because
# Praefect will only route requests according to the addresses provided in the
# prior step.
git_data_dirs({
"gitaly-1" => {
"path" => "/var/opt/gitlab/git-data"
"gitaly-2" => {
"path" => "/var/opt/gitlab/git-data"
"gitaly-3" => {
"path" => "/var/opt/gitlab/git-data"
Save the changes to /etc/gitlab/gitlab.rb
and reconfigure
Gitaly:
gitlab-ctl reconfigure
To ensure that Gitaly has updated its Prometheus listen
address, restart
Gitaly:
gitlab-ctl restart gitaly
The steps above must be completed for each Gitaly node!
After all Gitaly nodes are configured, you can run the Praefect connection
checker to verify Praefect can connect to all Gitaly servers in the Praefect
config.
SSH into each Praefect node and run the Praefect connection checker:
We hope that if you’re managing HA systems like GitLab, you have a load balancer
of choice already. Some examples include HAProxy
(open-source), Google Internal Load Balancer,
AWS Elastic Load Balancer, F5
Big-IP LTM, and Citrix Net Scaler. This documentation will outline what ports
and protocols you need configure.
LB Port
Backend Port
Protocol
Configured Praefect node
Configured Gitaly nodes
The Praefect cluster needs to be exposed as a storage location to the GitLab
application. This is done by updating the git_data_dirs
.
Particular attention should be shown to:
the storage name added to git_data_dirs
in this section must match the
storage name under praefect['virtual_storages']
on the Praefect node(s). This
was set in the Praefect section of this guide. This document uses
default
as the Praefect storage name.
SSH into the GitLab node and login as root:
sudo -i
Configure the external_url
so that files could be served by GitLab
by proper endpoint access by editing /etc/gitlab/gitlab.rb
:
You will need to replace GITLAB_SERVER_URL
with the real external facing
URL on which current GitLab instance is serving:
external_url 'GITLAB_SERVER_URL'
Disable the default Gitaly service running on the GitLab host. It won’t be needed
as GitLab will connect to the configured cluster.
Caution:
If you have existing data stored on the default Gitaly storage,
you should migrate the data your Gitaly Cluster storage
first.
gitaly['enable'] = false
Add the Praefect cluster as a storage location by editing
/etc/gitlab/gitlab.rb
.
You will need to replace:
LOAD_BALANCER_SERVER_ADDRESS
with the IP address or hostname of the load
balancer.
PRAEFECT_EXTERNAL_TOKEN
with the real secret
git_data_dirs({
"default" => {
"gitaly_address" => "tcp://LOAD_BALANCER_SERVER_ADDRESS:2305",
"gitaly_token" => 'PRAEFECT_EXTERNAL_TOKEN'
Configure the gitlab_shell['secret_token']
so that callbacks from Gitaly
nodes during a git push
are properly authenticated by editing
/etc/gitlab/gitlab.rb
:
You will need to replace GITLAB_SHELL_SECRET_TOKEN
with the real secret.
gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN'
Add Prometheus monitoring settings by editing /etc/gitlab/gitlab.rb
. If Prometheus
is enabled on a different node, make edits on that node instead.
You will need to replace:
PRAEFECT_HOST
with the IP address or hostname of the Praefect node
GITALY_HOST
with the IP address or hostname of each Gitaly node
prometheus['scrape_configs'] = [
'job_name' => 'praefect',
'static_configs' => [
'targets' => [
'PRAEFECT_HOST:9652', # praefect-1
'PRAEFECT_HOST:9652', # praefect-2
'PRAEFECT_HOST:9652', # praefect-3
'job_name' => 'praefect-gitaly',
'static_configs' => [
'targets' => [
'GITALY_HOST:9236', # gitaly-1
'GITALY_HOST:9236', # gitaly-2
'GITALY_HOST:9236', # gitaly-3
Save the changes to /etc/gitlab/gitlab.rb
and reconfigure GitLab:
gitlab-ctl reconfigure
Verify on each Gitaly node the Git Hooks can reach GitLab. On each Gitaly node run:
/opt/gitlab/embedded/bin/gitaly-hooks check /var/opt/gitlab/gitaly/config.toml
Verify that GitLab can reach Praefect:
gitlab-rake gitlab:gitaly:check
Check in Admin Area > Settings > Repository > Repository storage that the Praefect storage
is configured to store new repositories. Following this guide, the default
storage should have
weight 100 to store all new repositories.
Verify everything is working by creating a new project. Check the
“Initialize repository with a README” box so that there is content in the
repository that viewed. If the project is created, and you can see the
README file, it works!
Grafana
Grafana is included with GitLab, and can be used to monitor your Praefect
cluster. See Grafana Dashboard
Service
for detailed documentation.
To get started quickly:
SSH into the GitLab node (or whichever node has Grafana enabled) and login as root:
sudo -i
Enable the Grafana login form by editing /etc/gitlab/gitlab.rb
.
grafana['disable_login_form'] = false
Save the changes to /etc/gitlab/gitlab.rb
and reconfigure
GitLab:
gitlab-ctl reconfigure
Set the Grafana admin password. This command will prompt you to enter a new
password:
gitlab-ctl set-grafana-password
In your web browser, open /-/grafana
(e.g.
https://gitlab.example.com/-/grafana
) on your GitLab server.
Login using the password you set, and the username admin
.
Go to Explore and query gitlab_build_info
to verify that you are
getting metrics from all your machines.
Congratulations! You’ve configured an observable highly available Praefect
cluster.