This notice applies only to /usr/local/bin/git
If you compiled Git from source on your GitLab server then please double-check that you are using a version that protects against CVE-2014-9390. For six months after this vulnerability became known the GitLab installation guide still contained instructions that would install the outdated, 'vulnerable' Git version 2.1.2.
Run the following command to get your current Git version:
/usr/local/bin/git --version
If you see 'No such file or directory' then you did not install Git according to the outdated instructions from the GitLab installation guide and you can go to the next step 'Stop server' below.
If you see a version string then it should be v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, v2.2.1 or newer. You can use the instructions in the GitLab source installation guide to install a newer version of Git.
sudo service gitlab stop
cd /home/git/gitlab
sudo -u git -H bundle exec rake gitlab:backup:create RAILS_ENV=production
sudo -u git -H git fetch --all
sudo -u git -H git checkout -- db/schema.rb # local changes will be restored automatically
For GitLab Community Edition:
sudo -u git -H git checkout 8-0-stable
OR
For GitLab Enterprise Edition:
sudo -u git -H git checkout 8-0-stable-ee
cd /home/git/gitlab-shell
sudo -u git -H git fetch
sudo -u git -H git checkout v2.6.5
First we download Go 1.5 and install it into /usr/local/go
:
curl --remote-name --progress https://storage.googleapis.com/golang/go1.5.linux-amd64.tar.gz
echo '5817fa4b2252afdb02e11e8b9dc1d9173ef3bd5a go1.5.linux-amd64.tar.gz' | shasum -c - && \
sudo tar -C /usr/local -xzf go1.5.linux-amd64.tar.gz
sudo ln -sf /usr/local/go/bin/{go,godoc,gofmt} /usr/local/bin/
rm go1.5.linux-amd64.tar.gz
Now we download gitlab-git-http-server
and install it in /home/git/gitlab-git-http-server
:
cd /home/git
sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-git-http-server.git
cd gitlab-git-http-server
sudo -u git -H git checkout 0.2.14
sudo -u git -H make
Make sure your unicorn.rb file contains a 'listen' line for '127.0.0.1:8080' and that this line is not commented out.
cd /home/git/gitlab
grep ^listen config/unicorn.rb
# If there is no 'listen' line for 127.0.0.1:8080, add it:
sudo -u git tee -a config/unicorn.rb <<EOF
listen "127.0.0.1:8080", :tcp_nopush => true
EOF
If your Git repositories are in a directory other than /home/git/repositories
, you need to tell gitlab-git-http-server
about it via /etc/default/gitlab
. See lib/support/init.d/gitlab.default.example
for the options.
The secrets.yml
file is used to store keys to encrypt sessions and encrypt secure variables. When you run migrations make sure to store it someplace safe. Don't store it in the same place as your database backups, otherwise your secrets are exposed if one of your backups is compromised.
cd /home/git/gitlab
sudo -u git -H cp config/secrets.yml.example config/secrets.yml
sudo -u git -H chmod 0600 config/secrets.yml
cd /home/git/gitlab
# MySQL installations (note: the line below states '--without postgres')
sudo -u git -H bundle install --without postgres development test --deployment
# PostgreSQL installations (note: the line below states '--without mysql')
sudo -u git -H bundle install --without mysql development test --deployment
# Run database migrations
sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production
# Clean up assets and cache
sudo -u git -H bundle exec rake assets:clean assets:precompile cache:clear RAILS_ENV=production
# Update init.d script
sudo cp lib/support/init.d/gitlab /etc/init.d/gitlab
gitlab.yml
There are new configuration options available for gitlab.yml
. View them with the command below and apply them manually to your current gitlab.yml
:
git diff origin/7-14-stable:config/gitlab.yml.example origin/8-0-stable:config/gitlab.yml.example
The new options include configuration of GitLab CI that are now being part of GitLab CE and EE.
Because of the new gitlab-git-http-server
you need to update your Nginx configuration. If you skip this step 'git clone' and 'git push' over HTTP(S) will stop working.
View changes between the previous recommended Nginx configuration and the current one:
# For HTTPS configurations
git diff origin/7-14-stable:lib/support/nginx/gitlab-ssl origin/8-0-stable:lib/support/nginx/gitlab-ssl
# For HTTP configurations
git diff origin/7-14-stable:lib/support/nginx/gitlab origin/8-0-stable:lib/support/nginx/gitlab
If you are using Apache instead of NGINX please see the updated Apache templates. Also note that because Apache does not support upstreams behind Unix sockets you will need to let gitlab-git-http-server listen on a TCP port. You can do this via /etc/default/gitlab.
Now, GitLab CE and EE has CI integrated. However, migrations don't happen automatically and you need to do it manually. Please follow the following guide to migrate your GitLab CI instance to GitLab CE/EE.
Previous versions of GitLab allowed Redis versions >= 2.0 to be used, but Sidekiq jobs could fail due to lack of support for the SREM command. GitLab 8.0 now checks that Redis >= 2.4.0 is used. You can check your Redis version with the following command:
redis-cli info | grep redis_version
sudo service gitlab start
sudo service nginx restart
Check if GitLab and its environment are configured correctly:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
To make sure you didn't miss anything run a more thorough check:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
If all items are green, then congratulations, the upgrade is complete!
Follow the upgrade guide from 7.13 to 7.14, except for the database migration (The backup is already migrated to the previous version)
cd /home/git/gitlab
sudo -u git -H bundle exec rake gitlab:backup:restore RAILS_ENV=production
If you have more than one backup *.tar
file(s) please add BACKUP=timestamp_of_backup
to the command above.
If you see this message when attempting to clone a repository hosted by GitLab, this is likely due to an outdated Nginx or Apache configuration, or a missing or misconfigured gitlab-git-http-server
instance. Double-check that you correctly completed Step 5 to install the daemon and Step 8 to reconfigure Nginx.