weivi001

centos7 安装部署 gitlab-ce-14

首先去下载软件包
[root@localhost ~]# wget -c https://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el7/gitlab-ce-14.0.3-ce.0.el7.x86_64.rpm

第一步：
rpm -ivh gitlab-ce-14.0.3-ce.0.el7.x86_64.rpm

第二步：
vim /etc/gitlab/gitlab.rb
修改这里：external_url ‘http://192.168.80.13:9000’

第三步启动重新配置
[root@localhost ~]# sudo gitlab-ctl reconfigure
这个步骤非常耗费内存，土豪不用担心内存，也非常耗时间，执行reconfigure期间如果内存不足会出现
ruby_block[authorize Grafana with GitLab] action run错误
以下是重新配重过程
Starting Chef Infra Client, version 15.14.0
resolving cookbooks for run list: [“gitlab”]
Synchronizing Cookbooks:

gitlab (0.0.1)
redis (0.1.0)
package (0.1.0)
mattermost (0.1.0)
consul (0.1.0)
gitaly (0.1.0)
praefect (0.1.0)
gitlab-kas (0.1.0)
letsencrypt (0.1.0)
runit (5.1.3)
acme (4.1.1)
crond (0.1.0)
registry (0.1.0)
logrotate (0.1.0)
postgresql (0.1.0)
gitlab-pages (0.1.0)
monitoring (0.1.0)
nginx (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks…
Recipe: gitlab::default

directory[/etc/gitlab] action create
- change mode from ‘0755’ to ‘0775’
- restore selinux security context
  Converging 286 resources
directory[/etc/gitlab] action create (up to date)
directory[Create /var/opt/gitlab] action create
- create new directory /var/opt/gitlab
- change mode from ‘’ to ‘0755’
- change owner from ‘’ to ‘root’
- change group from ‘’ to ‘root’
- restore selinux security context
directory[Create /var/log/gitlab] action create (up to date)
directory[/opt/gitlab/embedded/etc] action create
- create new directory /opt/gitlab/embedded/etc
- change mode from ‘’ to ‘0755’
- change owner from ‘’ to ‘root’
- change group from ‘’ to ‘root’
- restore selinux security context
template[/opt/gitlab/embedded/etc/gitconfig] action create
- create new file /opt/gitlab/embedded/etc/gitconfig
- update content in file /opt/gitlab/embedded/etc/gitconfig from none to 5a725a
  — /opt/gitlab/embedded/etc/gitconfig 2023-05-13 15:43:51.018906079 +0800
  +++ /opt/gitlab/embedded/etc/.chef-gitconfig20230513-36927-o57a0i 2023-05-13 15:43:51.018906079 +0800
  @@ -1,16 +1,32 @@
  +[pack]
- threads = 1
  +[receive]
- fsckObjects = true
  +advertisePushOptions = true
  +[repack]
- writeBitmaps = true
  +[transfer]
- hideRefs=^refs/tmp/
  +hideRefs=^refs/keep-around/
  +hideRefs=^refs/remotes/
  +[core]
- alternateRefsCommand=“exit 0 #”
  +fsyncObjectFiles = true
  +[fetch]
- writeCommitGraph = true
- change mode from ‘’ to ‘0755’
- restore selinux security context
  Recipe: gitlab::web-server
account[Webserver user and group] action create
- group[Webserver user and group] action create
  - create group gitlab-www
- linux_user[Webserver user and group] action create
  - create user gitlab-www

Recipe: gitlab::users

directory[/var/opt/gitlab] action create (up to date)
account[GitLab user and group] action create
- group[GitLab user and group] action create
  - create group git
- linux_user[GitLab user and group] action create
  - create user git
template[/var/opt/gitlab/.gitconfig] action create
- create new file /var/opt/gitlab/.gitconfig
- update content in file /var/opt/gitlab/.gitconfig from none to f27e0c
  — /var/opt/gitlab/.gitconfig 2023-05-13 15:43:51.285906661 +0800
  +++ /var/opt/gitlab/.chef-.gitconfig20230513-36927-1l9jbmz.gitconfig 2023-05-13 15:43:51.285906661 +0800
  @@ -1,13 +1,26 @@
  +# This file is managed by gitlab-ctl. Manual changes will be
  +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
  +# and run sudo gitlab-ctl reconfigure.
+[user]
- ```
   name = GitLab
```
- ```
   email = [email protected]
```
+[core]
- ```
   autocrlf = input
```
- ```
   alternateRefsCommand="exit 0 #"
```
- ```
   fsyncObjectFiles = true
```
+[gc]
- ```
   auto = 0
```
- change mode from ‘’ to ‘0644’
- change owner from ‘’ to ‘git’
- change group from ‘’ to ‘git’
- restore selinux security context
directory[/var/opt/gitlab/.bundle] action create
- create new directory /var/opt/gitlab/.bundle
- change owner from ‘’ to ‘git’
- change group from ‘’ to ‘git’
- restore selinux security context
  Recipe: gitlab::gitlab-shell
storage_directory[/var/opt/gitlab/.ssh] action create
- ruby_block[directory resource: /var/opt/gitlab/.ssh] action run
  - execute the ruby block directory resource: /var/opt/gitlab/.ssh
directory[/var/log/gitlab/gitlab-shell/] action create
- create new directory /var/log/gitlab/gitlab-shell/
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
directory[/var/opt/gitlab/gitlab-shell] action create
- create new directory /var/opt/gitlab/gitlab-shell
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
templatesymlink[Create a config.yml and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-shell/config.yml] action create
  - create new file /var/opt/gitlab/gitlab-shell/config.yml
  - update content in file /var/opt/gitlab/gitlab-shell/config.yml from none to 301fbf
    — /var/opt/gitlab/gitlab-shell/config.yml 2023-05-13 15:43:51.671907504 +0800
    +++ /var/opt/gitlab/gitlab-shell/.chef-config20230513-36927-1k064pj.yml 2023-05-13 15:43:51.671907504 +0800
    @@ -1,45 +1,90 @@
    +# This file is managed by gitlab-ctl. Manual changes will be
    +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
    +# and run sudo gitlab-ctl reconfigure.
  +# GitLab user. git by default
  +user: git
  +
  +# Url to gitlab instance. Used for api calls. May but need not end with a slash.
  +gitlab_url: “http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsockets%2Fsocket”
  +
  +gitlab_relative_url_root:
  +
  +http_settings:
  +
  +# user: someone
  +# password: somepass
  +# ca_file: /etc/ssl/cert.pem
  +# ca_path: /etc/pki/tls/certs
  +# self_signed_cert: false
  +
  +# File used as authorized_keys for gitlab user
  +auth_file: “/var/opt/gitlab/.ssh/authorized_keys”
  +
  +# SSL certificate dir where custom certificates can be placed
  +# https://golang.org/pkg/crypto/x509/
  +ssl_cert_dir: “/opt/gitlab/embedded/ssl/certs/”
  +
  +# Log file.
  +# Default is gitlab-shell.log in the root directory.
  +log_file: “/var/log/gitlab/gitlab-shell/gitlab-shell.log”
  +
  +# Log level. INFO by default
  +log_level:
  +
  +log_format: json
  +
  +# Audit usernames.
  +# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
  +# incurs an extra API call on every gitlab-shell command.
  +audit_usernames:
  +
  +migration:
  - {“enabled”:true,“features”:[]}
  - change mode from ‘’ to ‘0640’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘git’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-shell/config.yml to /var/opt/gitlab/gitlab-shell/config.yml] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-shell/config.yml to /var/opt/gitlab/gitlab-shell/config.yml
link[/opt/gitlab/embedded/service/gitlab-shell/.gitlab_shell_secret] action create
- create symlink at /opt/gitlab/embedded/service/gitlab-shell/.gitlab_shell_secret to /opt/gitlab/embedded/service/gitlab-rails/.gitlab_shell_secret
file[/var/opt/gitlab/.ssh/authorized_keys] action create_if_missing
- create new file /var/opt/gitlab/.ssh/authorized_keys
- change mode from ‘’ to ‘0600’
- change owner from ‘’ to ‘git’
- change group from ‘’ to ‘git’
- restore selinux security context
  Recipe: gitlab::gitlab-rails
storage_directory[/var/opt/gitlab/git-data] action create
- ruby_block[directory resource: /var/opt/gitlab/git-data] action run
  - execute the ruby block directory resource: /var/opt/gitlab/git-data
storage_directory[/var/opt/gitlab/git-data/repositories] action create
- ruby_block[directory resource: /var/opt/gitlab/git-data/repositories] action run
  - execute the ruby block directory resource: /var/opt/gitlab/git-data/repositories

Recipe: gitlab::rails_pages_shared_path

storage_directory[/var/opt/gitlab/gitlab-rails/shared] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared
storage_directory[/var/opt/gitlab/gitlab-rails/shared/pages] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/pages] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/pages

Recipe: gitlab::gitlab-rails

storage_directory[/var/opt/gitlab/gitlab-rails/shared/artifacts] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/artifacts] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/artifacts
storage_directory[/var/opt/gitlab/gitlab-rails/shared/external-diffs] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/external-diffs] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/external-diffs
storage_directory[/var/opt/gitlab/gitlab-rails/shared/lfs-objects] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/lfs-objects] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/lfs-objects
storage_directory[/var/opt/gitlab/gitlab-rails/shared/packages] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/packages] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/packages
storage_directory[/var/opt/gitlab/gitlab-rails/shared/dependency_proxy] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/dependency_proxy] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/dependency_proxy
storage_directory[/var/opt/gitlab/gitlab-rails/shared/terraform_state] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/terraform_state] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/terraform_state
storage_directory[/var/opt/gitlab/gitlab-rails/shared/encrypted_settings] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/encrypted_settings] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/encrypted_settings
storage_directory[/var/opt/gitlab/gitlab-rails/uploads] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/uploads] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/uploads
storage_directory[/var/opt/gitlab/gitlab-ci/builds] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-ci/builds] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-ci/builds
storage_directory[/var/opt/gitlab/gitlab-rails/shared/cache] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/cache] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/cache
storage_directory[/var/opt/gitlab/gitlab-rails/shared/tmp] action create
- ruby_block[directory resource: /var/opt/gitlab/gitlab-rails/shared/tmp] action run
  - execute the ruby block directory resource: /var/opt/gitlab/gitlab-rails/shared/tmp
storage_directory[/opt/gitlab/embedded/service/gitlab-rails/public] action create (skipped due to only_if)
directory[create /var/opt/gitlab/gitlab-rails/etc] action create
- create new directory /var/opt/gitlab/gitlab-rails/etc
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
directory[create /opt/gitlab/etc/gitlab-rails] action create
- create new directory /opt/gitlab/etc/gitlab-rails
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
directory[create /var/opt/gitlab/gitlab-rails/working] action create
- create new directory /var/opt/gitlab/gitlab-rails/working
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
directory[create /var/opt/gitlab/gitlab-rails/tmp] action create
- create new directory /var/opt/gitlab/gitlab-rails/tmp
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
directory[create /var/opt/gitlab/gitlab-rails/upgrade-status] action create
- create new directory /var/opt/gitlab/gitlab-rails/upgrade-status
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
directory[create /var/log/gitlab/gitlab-rails] action create
- create new directory /var/log/gitlab/gitlab-rails
- change mode from ‘’ to ‘0700’
- change owner from ‘’ to ‘git’
- restore selinux security context
storage_directory[/var/opt/gitlab/backups] action create
- ruby_block[directory resource: /var/opt/gitlab/backups] action run
  - execute the ruby block directory resource: /var/opt/gitlab/backups
directory[/var/opt/gitlab/gitlab-rails] action create
- change owner from ‘root’ to ‘git’
- restore selinux security context
directory[/var/opt/gitlab/gitlab-ci] action create
- change owner from ‘root’ to ‘git’
- restore selinux security context
file[/var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key] action create (skipped due to only_if)
template[/opt/gitlab/etc/gitlab-rails/gitlab-rails-rc] action create
- create new file /opt/gitlab/etc/gitlab-rails/gitlab-rails-rc
- update content in file /opt/gitlab/etc/gitlab-rails/gitlab-rails-rc from none to 7b16c8
  — /opt/gitlab/etc/gitlab-rails/gitlab-rails-rc 2023-05-13 15:43:55.020914812 +0800
  +++ /opt/gitlab/etc/gitlab-rails/.chef-gitlab-rails-rc20230513-36927-1ncvcq0 2023-05-13 15:43:55.020914812 +0800
  @@ -1,5 +1,10 @@
  +gitlab_user=‘git’
  +gitlab_group=‘git’
  +registry_dir=‘’
  +registry_user=‘registry’
  +registry_group=‘registry’
- restore selinux security context
file[/opt/gitlab/embedded/service/gitlab-rails/.secret] action delete (up to date)
file[/var/opt/gitlab/gitlab-rails/etc/secret] action delete (up to date)
templatesymlink[Create a database.yml and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/database.yml] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/database.yml
  - update content in file /var/opt/gitlab/gitlab-rails/etc/database.yml from none to 35aaf2
    — /var/opt/gitlab/gitlab-rails/etc/database.yml 2023-05-13 15:43:55.114915017 +0800
    +++ /var/opt/gitlab/gitlab-rails/etc/.chef-database20230513-36927-1k6ymhs.yml 2023-05-13 15:43:55.114915017 +0800
    @@ -1,30 +1,60 @@
    +# This file is managed by gitlab-ctl. Manual changes will be
    +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
    +# and run sudo gitlab-ctl reconfigure.
  +production:
  - adapter: postgresql
  - encoding: unicode
  - collation:
  - database: gitlabhq_production
  - username: “gitlab”
  - password:
  - host: “/var/opt/gitlab/postgresql”
  - port: 5432
  - socket:
  - sslmode:
  - sslcompression: 0
  - sslrootcert:
  - sslca:
  - load_balancing: {“hosts”:[]}
  - prepared_statements: false
  - statement_limit: 1000
  - connect_timeout:
  - keepalives:
  - keepalives_idle:
  - keepalives_interval:
  - keepalives_count:
  - tcp_user_timeout:
  - application_name:
  - variables:
  - statement_timeout:
  - change mode from ‘’ to ‘0640’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘git’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/config/database.yml to /var/opt/gitlab/gitlab-rails/etc/database.yml] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/config/database.yml to /var/opt/gitlab/gitlab-rails/etc/database.yml
templatesymlink[Create a secrets.yml and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/secrets.yml] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/secrets.yml
  - update content in file /var/opt/gitlab/gitlab-rails/etc/secrets.yml from none to de1328
  - suppressed sensitive resource
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml to /var/opt/gitlab/gitlab-rails/etc/secrets.yml] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml to /var/opt/gitlab/gitlab-rails/etc/secrets.yml
templatesymlink[Create a resque.yml and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/resque.yml] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/resque.yml
  - update content in file /var/opt/gitlab/gitlab-rails/etc/resque.yml from none to ec4232
    — /var/opt/gitlab/gitlab-rails/etc/resque.yml 2023-05-13 15:43:55.223915254 +0800
    +++ /var/opt/gitlab/gitlab-rails/etc/.chef-resque20230513-36927-hq10px.yml 2023-05-13 15:43:55.223915254 +0800
    @@ -1,2 +1,4 @@
    +production:
  - url: unix:/var/opt/gitlab/redis/redis.socket
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/config/resque.yml to /var/opt/gitlab/gitlab-rails/etc/resque.yml] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/config/resque.yml to /var/opt/gitlab/gitlab-rails/etc/resque.yml
templatesymlink[Create a cable.yml and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/cable.yml] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/cable.yml
  - update content in file /var/opt/gitlab/gitlab-rails/etc/cable.yml from none to 551667
    — /var/opt/gitlab/gitlab-rails/etc/cable.yml 2023-05-13 15:43:55.272915361 +0800
    +++ /var/opt/gitlab/gitlab-rails/etc/.chef-cable20230513-36927-m3oqxx.yml 2023-05-13 15:43:55.272915361 +0800
    @@ -1,3 +1,6 @@
    +production:
  - adapter: redis
  - url: unix:/var/opt/gitlab/redis/redis.socket
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/config/cable.yml to /var/opt/gitlab/gitlab-rails/etc/cable.yml] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/config/cable.yml to /var/opt/gitlab/gitlab-rails/etc/cable.yml
templatesymlink[Create a redis.cache.yml and create a symlink to Rails root] action create (skipped due to not_if)
file[/opt/gitlab/embedded/service/gitlab-rails/config/redis.cache.yml] action delete (up to date)
file[/var/opt/gitlab/gitlab-rails/etc/redis.cache.yml] action delete (up to date)
templatesymlink[Create a redis.queues.yml and create a symlink to Rails root] action create (skipped due to not_if)
file[/opt/gitlab/embedded/service/gitlab-rails/config/redis.queues.yml] action delete (up to date)
file[/var/opt/gitlab/gitlab-rails/etc/redis.queues.yml] action delete (up to date)
templatesymlink[Create a redis.shared_state.yml and create a symlink to Rails root] action create (skipped due to not_if)
file[/opt/gitlab/embedded/service/gitlab-rails/config/redis.shared_state.yml] action delete (up to date)
file[/var/opt/gitlab/gitlab-rails/etc/redis.shared_state.yml] action delete (up to date)
templatesymlink[Create a redis.trace_chunks.yml and create a symlink to Rails root] action create (skipped due to not_if)
file[/opt/gitlab/embedded/service/gitlab-rails/config/redis.trace_chunks.yml] action delete (up to date)
file[/var/opt/gitlab/gitlab-rails/etc/redis.trace_chunks.yml] action delete (up to date)
templatesymlink[Create a smtp_settings.rb and create a symlink to Rails root] action delete
- file[/var/opt/gitlab/gitlab-rails/etc/smtp_settings.rb] action delete (up to date)
- link[/opt/gitlab/embedded/service/gitlab-rails/config/initializers/smtp_settings.rb] action delete (up to date)
  (up to date)
templatesymlink[Create a gitlab.yml and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/gitlab.yml] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/gitlab.yml
  - update content in file /var/opt/gitlab/gitlab-rails/etc/gitlab.yml from none to 4ca5ae
    — /var/opt/gitlab/gitlab-rails/etc/gitlab.yml 2023-05-13 15:43:55.515915892 +0800
    +++ /var/opt/gitlab/gitlab-rails/etc/.chef-gitlab20230513-36927-8z9p3m.yml 2023-05-13 15:43:55.514915889 +0800
    @@ -1,801 +1,1602 @@
    +# This file is managed by gitlab-ctl. Manual changes will be
    +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
    +# and run sudo gitlab-ctl reconfigure.
  +production: &base
  - 1. GitLab app settings
  - ==========================
  - GitLab settings
  - gitlab:
  - Web server settings (note: host is the FQDN, do not include http://)
  - host: 192.168.80.128
  - port: 9000
  - https: false
  - The maximum time puma can spend on the request. This needs to be smaller than the worker timeout.
  - Default is 95% of the worker timeout
  - max_request_duration_seconds: 57
  - Uncommment this line below if your ssh host is different from HTTP/HTTPS one
  - (you’d obviously need to replace ssh.host_example.com with your own host).
  - Otherwise, ssh host will be set to the host: value above
  - ssh_host:
  - If your ssh user differs from the system user, you need to specify it here
  - Set it to an empty string to omit the username from any ssh url altogether
  - ssh_user:
  - WARNING: See config/application.rb under “Relative url support” for the list of
  - other files that need to be changed for relative url support
  - relative_url_root:
  - Trusted Proxies
  - Customize if you have GitLab behind a reverse proxy which is running on a different machine.
  - Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
  - trusted_proxies:
  - Uncomment and customize if you can’t use the default user to run GitLab (default: ‘git’)
  - user: git
  - Date & Time settings
  - time_zone:
  - Email settings
  - Uncomment and set to false if you need to disable email sending from GitLab (default: true)
  - email_enabled:
  - Email address used in the “From” field in mails sent by GitLab
  - email_from: [email protected]
  - email_display_name:
  - email_reply_to:
  - email_subject_suffix:
  - Email SMIME signing settings
  - email_smime:
  - ```
   enabled: false
```
- ```
 key_file: /etc/gitlab/ssl/gitlab_smime.key
```
  - ```
   cert_file: /etc/gitlab/ssl/gitlab_smime.crt
```
- ```
 ca_certs_file: 
```
  - Email server smtp settings are in a separate file.
  - User settings
  - default_can_create_group: # default: true
  - username_changing_enabled: # default: true - User can change her username/namespace
  - Default theme
  - 1 - Graphite
  - 2 - Charcoal
  - 3 - Green
  - 4 - Gray
  - 5 - Violet
  - 6 - Blue
  - default_theme: # default: 2
  - Automatic issue closing
  - If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
  - This happens when the commit is pushed or merged into the default branch of a project.
  - When not specified the default issue_closing_pattern as specified below will be used.
  - Tip: you can test your closing pattern at http://rubular.com
  - issue_closing_pattern:
  - Default project features settings
  - default_projects_features:
  - ```
   issues: 
```
- ```
 merge_requests: 
```
  - ```
   wiki: 
```
- ```
 snippets: 
```
  - ```
   builds: 
```
- ```
 container_registry: 
```
  - Webhook settings
  - Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
  - webhook_timeout:
  - GraphQL Settings
  - Tells the rails application how long it has to complete a GraphQL request.
  - We suggest this value to be higher than the database timeout value
  - and lower than the worker timeout set in puma. (default: 30)
  - graphql_timeout:
  - Repository downloads directory
  - When a user clicks e.g. ‘Download zip’ on a project, a temporary zip file is created in the following directory.
  - The default is ‘tmp/repositories’ relative to the root of the Rails app.
  - repository_downloads_path:
  - Impersonation settings
  - impersonation_enabled:
  - Application settings cache expiry in seconds. (default: 60)
  - application_settings_cache_seconds:
  - usage_ping_enabled:
  - Seat link setting
  - When disabled the customer instances would not send seat link information via cron service everyday. (default: true)
  - seat_link_enabled: true
  - Print initial root password to stdout during initialization
  - display_initial_root_password: false
  - Reply by email
  - Allow users to comment on issues and merge requests by replying to notification emails.
  - For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html
  - incoming_email:
  - enabled: false
  - The email address including the %{key} placeholder that will be replaced to reference the item being replied to.
  - The placeholder can be omitted but if present, it must appear in the “user” part of the address (before the @).
  - address:
  - Email account username
  - With third party providers, this is usually the full email address.
  - With self-hosted email servers, this is usually the user part of the email address.
  - user:
  - Email account password
  - password:
  - IMAP server host
  - host:
  - IMAP server port
  - port:
  - Whether the IMAP server uses SSL
  - ssl:
  - Whether the IMAP server uses StartTLS
  - start_tls:
  - Inbox configuration (for Microsoft Graph)
  - inbox_method: imap
  - The mailbox where incoming mail will end up. Usually “inbox”.
  - mailbox: “inbox”
  - The IDLE command timeout.
  - idle_timeout:
  - file path of internal mail_room JSON logs
  - log_path: /var/log/gitlab/mailroom/mail_room_json.log
  - Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery
  - expunge_deleted:
  - Service desk email
  - Allow users to use a separate service desk address
  - For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  - service_desk_email:
  - enabled: false
  - The email address including the %{key} placeholder that will be replaced to reference the item being replied to.
  - The placeholder can be omitted but if present, it must appear in the “user” part of the address (before the @).
  - address:
  - Email account username
  - With third party providers, this is usually the full email address.
  - With self-hosted email servers, this is usually the user part of the email address.
  - user:
  - Email account password
  - password:
  - IMAP server host
  - host:
  - IMAP server port
  - port:
  - Whether the IMAP server uses SSL
  - ssl:
  - Whether the IMAP server uses StartTLS
  - start_tls:
  - Inbox configuration (for Microsoft Graph)
  - inbox_method: imap
  - The mailbox where incoming mail will end up. Usually “inbox”.
  - mailbox: “inbox”
  - The IDLE command timeout.
  - idle_timeout:
  - file path of internal mail_room JSON logs
  - log_path: /var/log/gitlab/mailroom/mail_room_json.log
  - Build Artifacts
  - artifacts:
  - enabled: true
  - The location where Build Artifacts are stored (default: shared/artifacts).
  - path: /var/opt/gitlab/gitlab-rails/shared/artifacts
  - object_store:
  - ```
   enabled: false
```
- ```
 direct_upload: false
```
  - ```
   background_upload: true
```
- ```
 proxy_download: false
```
  - ```
   remote_directory: "artifacts"
```
- ```
 connection: {}
```
  - External merge request diffs
  - external_diffs:
  - enabled:
  - The location where merge request diffs are stored (default: shared/external-diffs).
  - storage_path: /var/opt/gitlab/gitlab-rails/shared/external-diffs
  - object_store:
  - ```
   enabled: false
```
- ```
 direct_upload: false
```
  - ```
   background_upload: true
```
- ```
 proxy_download: false
```
  - ```
   remote_directory: "external-diffs"
```
- ```
 connection: {}
```
  - Git LFS
  - lfs:
  - enabled:
  - The location where LFS objects are stored (default: shared/lfs-objects).
  - storage_path: /var/opt/gitlab/gitlab-rails/shared/lfs-objects
  - object_store:
  - ```
   enabled: false
```
- ```
 direct_upload: false
```
  - ```
   background_upload: true
```
- ```
 proxy_download: false
```
  - ```
   remote_directory: "lfs-objects"
```
- ```
 connection: {}
```
  - Uploads
  - uploads:
  - The location where uploads objects are stored (default: public/).
  - storage_path: /opt/gitlab/embedded/service/gitlab-rails/public
  - object_store:
  - ```
   enabled: false
```
- ```
 direct_upload: false
```
  - ```
   background_upload: true
```
- ```
 proxy_download: false
```
  - ```
   remote_directory: "uploads"
```
- ```
 connection: {}
```
  - Packages
  - packages:
  - enabled:
  - The location where build packages are stored (default: shared/packages).
  - storage_path: /var/opt/gitlab/gitlab-rails/shared/packages
  - object_store:
  - ```
   enabled: false
```
- ```
 direct_upload: false
```
  - ```
   background_upload: true
```
- ```
 proxy_download: false
```
  - ```
   remote_directory: "packages"
```
- ```
 connection: {}
```
  - Dependency proxy (EE only)
  - dependency_proxy:
  - enabled:
  - The location where dependency_proxy blobs are stored (default: shared/dependency_proxy).
  - storage_path: /var/opt/gitlab/gitlab-rails/shared/dependency_proxy
  - object_store:
  - ```
   enabled: false
```
- ```
 direct_upload: false
```
  - ```
   background_upload: true
```
- ```
 proxy_download: false
```
  - ```
   remote_directory: "dependency_proxy"
```
- ```
 connection: {}
```
  - Terraform state
  - terraform_state:
  - enabled:
  - The location where terraform state files are stored (default: shared/terraform_state).
  - storage_path: /var/opt/gitlab/gitlab-rails/shared/terraform_state
  - object_store:
  - ```
   enabled: false
```
- ```
 remote_directory: "terraform"
```
  - ```
   connection: {}
```
- Container Registry
- registry:
- enabled: false
- host:
- port:
- api_url: # internal address to the registry, will be used by GitLab to directly communicate with API
- path:
- key: /var/opt/gitlab/gitlab-rails/etc/gitlab-registry.key
- issuer: omnibus-gitlab-issuer
- notification_secret:
- Kubernetes Agent Server
- gitlab_kas:
- enabled: false
- internal_url:
- external_url:
- Error Reporting and Logging with Sentry
- sentry:
- enabled: false
- dsn:
- clientside_dsn:
- environment: # e.g. development, staging, production
- mattermost:
- enabled: false
- host:
- GitLab Pages
- pages:
- enabled: false
- access_control: false
- path: /var/opt/gitlab/gitlab-rails/shared/pages
- host:
- port:
- https: false
- external_http: false
- external_https: false
- artifacts_server: true
- object_store:
- ```
 enabled: false
```
  - ```
   remote_directory: "pages"
```
- ```
 connection: {}
```
  - local_store:
  - ```
   enabled: true
```
- ```
 path: /var/opt/gitlab/gitlab-rails/shared/pages
```
  - Gravatar
  - For Libravatar see: https://docs.gitlab.com/ee/customization/libravatar.html
  - gravatar:
  - gravatar urls: possible placeholders: %{hash} %{size} %{email}
  - plain_url: # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
  - ssl_url: # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
  - Sidekiq
  - sidekiq:
  - log_format: json
  - Auxiliary jobs
  - Periodically executed jobs, to self-heal GitLab, do external synchronizations, etc.
  - Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  - cron_jobs:
  - Flag stuck CI builds as failed
  - Remove expired build artifacts
  - Stop expired environments
  - Schedule pipelines in the near future
  - Periodically run ‘git fsck’ on all repositories. If started more than
  - once per hour you will have concurrent ‘git fsck’ jobs.
  - Send admin emails once a week
  - Send emails about personal tokens about to expired
  - Send emails about personal tokens that have expired
  - Remove outdated repository archives
  - Archive live traces which have not been archived yet
  - Verify custom GitLab Pages domains
  - Obtain and renew SSL certificates for pages domain through Let’s Encrypt
  - Removes unverified pages domains
  - Remove unaccepted member invitations
  - Periodically migrate diffs from the database to external storage
  - Update CI Platform Metrics daily
  - Send emails about ssh keys that have expired
  - Send emails about ssh keys that are expiring soon
  - GitLab EE only jobs:
  - Snapshot Devops Adoption statistics
  - Snapshot active users statistics
  - In addition to refreshing users when they log in,
  - periodically refresh LDAP users membership.
  - NOTE: This will only take effect if LDAP is enabled
  - GitLab LDAP group sync worker
  - NOTE: This will only take effect if LDAP is enabled
  - GitLab Geo prune event log worker
  - NOTE: This will only take effect if Geo is enabled (primary node only)
  - GitLab Geo repository sync worker
  - NOTE: This will only take effect if Geo is enabled
  - GitLab Geo registry backfill worker
  - NOTE: This will only take effect if Geo is enabled (secondary nodes only)
  - GitLab Geo Secondary Usage Data worker
  - NOTE: This will only take effect if Geo and Usage Data are enabled (secondary nodes only)
  - GitLab Geo file download dispatch worker
  - NOTE: This will only take effect if Geo is enabled
  - GitLab Geo repository verification primary batch worker
  - NOTE: This will only take effect if Geo is enabled
  - GitLab Geo repository verification secondary scheduler worker
  - NOTE: This will only take effect if Geo is enabled
  - GitLab Geo migrated local files clean up worker
  - NOTE: This will only take effect if Geo is enabled (secondary nodes only)
  - Export pseudonymized data in CSV format for analysis
  - Worker for triggering counter jobs for usage trends
  - Worker for triggering member invitation reminder emails
  - Worker for the scheduled user status cleanup
  - Worker for triggering in-product marketing emails
  - Geo
  - NOTE: These settings will only take effect if Geo is enabled
  - geo:
  - This is an optional identifier which Geo nodes can use to identify themselves.
  - For example, if external_url is the same for two secondaries, you must specify
  - a unique Geo node name for those secondaries.
  - If it is blank, it defaults to external_url.
  - node_name:
  - registry_replication:
  - ```
   enabled: 
```
- ```
 primary_api_url:  # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API
```
  - Feature Flag https://docs.gitlab.com/ee/user/project/operations/feature_flags.html
  - feature_flags:
  - unleash:
  - ```
   enabled: false
```
- 2. GitLab CI settings
- ==========================
- gitlab_ci:
- Default project notifications settings:
- Send emails only on broken builds (default: true)
- all_broken_builds:
- Add pusher to recipients list (default: false)
- add_pusher:
- The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
- builds_path: /var/opt/gitlab/gitlab-ci/builds
- 3. Auth settings
- ==========================
- LDAP settings
- You can inspect a sample of the LDAP users with login access by running:
- bundle exec rake gitlab:ldap:check RAILS_ENV=production
- ldap:
- enabled: false
- sync_time:
- prevent_ldap_sign_in: false
- host:
- port:
- uid:
- method: # “tls” or “ssl” or “plain”
- bind_dn:
- password:
- active_directory:
- allow_username_or_email_login:
- lowercase_usernames:
- base:
- user_filter:
- EE only
- group_base:
- admin_group:
- sync_ssh_keys:
- sync_time:
- Smartcard authentication settings
- smartcard:
- Allow smartcard authentication
- enabled: false
- Path to a file containing a CA certificate
- ca_file: “/etc/gitlab/ssl/CA.pem”
- Host and port where the client side certificate is requested by the
- webserver (NGINX/Apache)
- client_certificate_required_host:
- client_certificate_required_port: 3444
- Browser session with smartcard sign-in is required for Git access
- required_for_git_access: false
- SAN extensions to match users with certificates
- san_extensions: false
- Kerberos settings
- kerberos:
- Allow the HTTP Negotiate authentication method for Git clients
- enabled:
- Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
- and should be different from other keytabs in the system.
- (default: use default keytab from Krb5 config)
- keytab:
- The Kerberos service name to be used by GitLab.
- (default: accept any service name in keytab file)
- service_principal_name:
- Kerberos realms/domains that are allowed to automatically link LDAP identities.
- By default, GitLab accepts a realm that matches the domain derived from the
- LDAP base DN. For example, ou=users,dc=example,dc=com would allow users
- with a realm matching example.com.
- simple_ldap_linking_allowed_realms: null
- Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
- To support both Basic and Negotiate methods with older versions of Git, configure
- nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
- to dedicate this port to Kerberos authentication. (default: false)
- use_dedicated_port:
- port:
- https:
- OmniAuth settings
- omniauth:
- Allow login via Twitter, Google, etc. using OmniAuth providers
- enabled:
- Uncomment this to automatically sign in with a specific omniauth provider’s without
- showing GitLab’s sign-in page (default: show the GitLab sign-in page)
- auto_sign_in_with_provider:
- Sync user’s email address from the specified Omniauth provider every time the user logs
- in (default: nil). And consequently make this field read-only.
- Sync user’s profile from the specified Omniauth providers every time the user logs in (default: empty).
- Define the allowed providers using an array, e.g. [“cas3”, “saml”, “twitter”],
- or as true/false to allow all providers or none.
- sync_profile_from_provider: []
- Select which info to sync from the providers above. (default: email).
- Define the synced profile info using an array. Available options are “name”, “email” and “location”
- e.g. [“name”, “email”, “location”] or as true to sync all available.
- This consequently will make the selected attributes read-only.
- sync_profile_attributes: true
- CAUTION!
- This allows users to login without having a user account first. Define the allowed
- providers using an array, e.g. [“saml”, “twitter”]
- User accounts will be created automatically when authentication was successful.
- allow_single_sign_on: [“saml”]
- Locks down those users until they have been cleared by the admin (default: true).
- block_auto_created_users:
- Look up new users in LDAP servers. If a match is found (same uid), automatically
- link the omniauth identity with the LDAP account. (default: false)
- auto_link_ldap_user:
- Allow users with existing accounts to login and auto link their account via SAML
- login, without having to do a manual login first and manually add SAML
- (default: false)
- auto_link_saml_user: null
- Allow users with existing accounts to sign in and auto link their account via OmniAuth
- login, without having to do a manual login first and manually add OmniAuth. Links on email.
- Define the allowed providers using an array, e.g. [“saml”, “twitter”], or as true/false to
- allow all providers or none.
- (default: false)
- auto_link_user: null
- Set different Omniauth providers as external so that all users creating accounts
- via these providers will not be able to have access to internal projects. You
- will need to use the full name of the provider, like google_oauth2 for Google.
- Refer to the examples below for the full names of the supported providers.
- (default: [])
- external_providers: null
- CAUTION!
- This allows users to login with the specified providers without two factor. Define the allowed providers
- using an array, e.g. [“twitter”, ‘google_oauth2’], or as true/false to allow all providers or none.
- This option should only be configured for providers which already have two factor.
- (default: false)
- allow_bypass_two_factor: null
- Auth providers
- Uncomment the following lines and fill in the data of the auth provider you want to use
- If your favorite auth provider is not listed you can use others:
- see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
- The ‘app_id’ and ‘app_secret’ parameters are always passed as the first two
- arguments, followed by optional ‘args’ which can be either a hash or an array.
- Documentation for this is available at https://docs.gitlab.com/ee/integration/omniauth.html
- providers:
- ```
 # - { name: 'google_oauth2', app_id: 'YOUR APP ID',
```
  - ```
   #     app_secret: 'YOUR APP SECRET',
```
- ```
 #     args: { access_type: 'offline', approval_prompt: '' } }
```
  - ```
   # - { name: 'twitter', app_id: 'YOUR APP ID',
```
- ```
 #     app_secret: 'YOUR APP SECRET'}
```
  - ```
   # - { name: 'github', app_id: 'YOUR APP ID',
```
- ```
 #     app_secret: 'YOUR APP SECRET',
```
  - ```
   #     args: { scope: 'user:email' } }
```
- FortiAuthenticator settings
- forti_authenticator:
- Allow using FortiAuthenticator as OTP provider
- enabled: false
- FortiToken Cloud settings
- forti_token_cloud:
- Allow using FortiToken Cloud as OTP provider
- enabled: false
- Shared file storage settings
- shared:
- path: /var/opt/gitlab/gitlab-rails/shared
- Encrypted Settings configuration
- encrypted_settings:
- path: /var/opt/gitlab/gitlab-rails/shared/encrypted_settings
- Gitaly settings
- This setting controls whether GitLab uses Gitaly
- Eventually Gitaly use will become mandatory and
- this option will disappear.
- gitaly:
- client_path: /opt/gitlab/embedded/bin
- token: “”
- 4. Advanced settings
- ==========================
- Repositories settings
- repositories:
- Paths where repositories can be stored. Give the canonicalized absolute pathname.
- NOTE: REPOS PATHS MUST NOT CONTAIN ANY SYMLINK!!!
- storages: {“default”:{“path”:“/var/opt/gitlab/git-data/repositories”,“gitaly_address”:“unix:/var/opt/gitlab/gitaly/gitaly.socket”}}
- Backup settings
- backup:
- path: “/var/opt/gitlab/backups” # Relative paths are relative to Rails.root (default: tmp/backups/)
- archive_permissions: # Permissions for the resulting backup.tar file (default: 0600)
- keep_time: # default: 0 (forever) (in seconds)
- pg_schema: # default: nil, it means that all schemas will be backed up
- upload:
- ```
 # Fog storage connection settings, see http://fog.io/storage/ .
```
  - ```
   connection: 
```
- ```
 # The remote 'directory' to store your backups. For S3, this would be the bucket name.
```
  - ```
   remote_directory: 
```
- ```
 multipart_chunk_size: 
```
  - ```
   encryption: 
```
- ```
 encryption_key: 
```
  - ```
   storage_class: 
```
- Pseudonymizer settings
- pseudonymizer:
- manifest:
- upload:
- ```
 remote_directory: 
```
  - ```
   connection: {}
```
- GitLab Shell settings
- gitlab_shell:
- path: /opt/gitlab/embedded/service/gitlab-shell/
- hooks_path: /opt/gitlab/embedded/service/gitlab-shell/hooks/
- authorized_keys_file: /var/opt/gitlab/.ssh/authorized_keys
- Git over HTTP
- upload_pack:
- receive_pack:
- If you use non-standard ssh port you need to specify it
- ssh_port:
- Git import/fetch timeout
- git_timeout: 10800
- Git settings
- CAUTION!
- Use the default values unless you really know what you are doing
- git:
- bin_path: /opt/gitlab/embedded/bin/git
- monitoring:
- IP whitelist controlling access to monitoring endpoints
- ip_whitelist:
- ```
 - "127.0.0.0/8"
```
  - ```
   - "::1/128"
```
- Sidekiq exporter is webserver built in to Sidekiq to expose Prometheus metrics
- sidekiq_exporter:
- ```
 enabled: true
```
  - ```
   log_enabled: false
```
- ```
 address: 127.0.0.1
```
  - ```
   port: 8082
```
- Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics
- web_exporter:
- ```
 enabled: false
```
  - ```
   address: 127.0.0.1
```
- ```
 port: 8083
```
  - shutdown:
  - blackout_seconds: 10
  - Prometheus settings
  - Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb
  - if you installed GitLab via Omnibus.
  - If you installed from source, you need to install and configure Prometheus
  - yourself, and then update the values here.
  - https://docs.gitlab.com/ee/administration/monitoring/prometheus/
  - prometheus:
  - enabled: true
  - server_address: “localhost:9090”
  - Consul settings
  - consul:
  - api_url: “”
  - 5. Extra customization
  - ==========================
  - extra:
  - rack_attack:
  - git_basic_auth:
  +development:
  - <<: *base
  +test:
  - <<: *base
  - gravatar:
  - enabled: true
  - gitlab:
  - host: localhost
  - port: 80
  - When you run tests we clone and setup gitlab-shell
  - In order to setup it correctly you need to specify
  - your system username you use to run GitLab
  - user: YOUR_USERNAME
  - repositories:
  - storages:
  - ```
   default: { "path": "tmp/tests/repositories/" }
```
- gitlab_shell:
- path: tmp/tests/gitlab-shell/
- hooks_path: tmp/tests/gitlab-shell/hooks/
- issues_tracker:
- redmine:
- ```
 title: "Redmine"
```
  - ```
   project_url: "http://redmine/projects/:issues_tracker_id"
```
- ```
 issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
```
  - ```
   new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
```
- jira:
- ```
 title: "JIRA"
```
  - ```
   url: https://samplecompany.example.net
```
- ```
 project_key: PROJECT
```
  - ldap:
  - enabled: false
  - servers:
  - ```
   main:
```
- ```
   label: ldap
```
  - ```
     host: 127.0.0.1
```
- ```
   port: 3890
```
  - ```
     uid: 'uid'
```
- ```
   method: 'plain' # "tls" or "ssl" or "plain"
```
  - ```
     base: 'dc=example,dc=com'
```
- ```
   user_filter: ''
```
  - ```
     group_base: 'ou=groups,dc=example,dc=com'
```
- ```
   admin_group: ''
```
  - ```
     sync_ssh_keys: false
```
+staging:
- <<: *base
- change mode from ‘’ to ‘0640’
- change owner from ‘’ to ‘root’
- change group from ‘’ to ‘git’
- restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/config/gitlab.yml to /var/opt/gitlab/gitlab-rails/etc/gitlab.yml] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/config/gitlab.yml to /var/opt/gitlab/gitlab-rails/etc/gitlab.yml
templatesymlink[Create a gitlab_workhorse_secret and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/gitlab_workhorse_secret] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/gitlab_workhorse_secret
  - update content in file /var/opt/gitlab/gitlab-rails/etc/gitlab_workhorse_secret from none to 5f656f
  - suppressed sensitive resource
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_workhorse_secret] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_workhorse_secret
templatesymlink[Create a gitlab_shell_secret and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
  - update content in file /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret from none to 4e592a
  - suppressed sensitive resource
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/.gitlab_shell_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/.gitlab_shell_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
templatesymlink[Create a gitlab_pages_secret and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/gitlab_pages_secret] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/gitlab_pages_secret
  - update content in file /var/opt/gitlab/gitlab-rails/etc/gitlab_pages_secret from none to 63ff07
  - suppressed sensitive resource
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/.gitlab_pages_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_pages_secret] action create
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/.gitlab_pages_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_pages_secret
templatesymlink[Create a gitlab_kas_secret and create a symlink to Rails root] action create
- template[/var/opt/gitlab/gitlab-rails/etc/gitlab_kas_secret] action create
  - create new file /var/opt/gitlab/gitlab-rails/etc/gitlab_kas_secret
  - update content in file /var/opt/gitlab/gitlab-rails/etc/gitlab_kas_secret from none to 710f2a
  - suppressed sensitive resource
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[Link /opt/gitlab/embedded/service/gitlab-rails/.gitlab_kas_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_kas_secret] action create
  - unlink existing symlink to file at /opt/gitlab/embedded/service/gitlab-rails/.gitlab_kas_secret
  - create symlink at /opt/gitlab/embedded/service/gitlab-rails/.gitlab_kas_secret to /var/opt/gitlab/gitlab-rails/etc/gitlab_kas_secret
link[/opt/gitlab/embedded/service/gitlab-rails/config/initializers/relative_url.rb] action delete (up to date)
file[/var/opt/gitlab/gitlab-rails/etc/relative_url.rb] action delete (up to date)
env_dir[/opt/gitlab/etc/gitlab-rails/env] action create
- directory[/opt/gitlab/etc/gitlab-rails/env] action create
  - create new directory /opt/gitlab/etc/gitlab-rails/env
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/HOME] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/HOME
  - update content in file /opt/gitlab/etc/gitlab-rails/env/HOME from none to 205bb9
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/RAILS_ENV] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/RAILS_ENV
  - update content in file /opt/gitlab/etc/gitlab-rails/env/RAILS_ENV from none to ab8e18
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/LD_PRELOAD] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/LD_PRELOAD
  - update content in file /opt/gitlab/etc/gitlab-rails/env/LD_PRELOAD from none to f79114
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/SIDEKIQ_MEMORY_KILLER_MAX_RSS] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/SIDEKIQ_MEMORY_KILLER_MAX_RSS
  - update content in file /opt/gitlab/etc/gitlab-rails/env/SIDEKIQ_MEMORY_KILLER_MAX_RSS from none to dd80d7
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/BUNDLE_GEMFILE] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/BUNDLE_GEMFILE
  - update content in file /opt/gitlab/etc/gitlab-rails/env/BUNDLE_GEMFILE from none to 28d586
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/PATH] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/PATH
  - update content in file /opt/gitlab/etc/gitlab-rails/env/PATH from none to d5dc07
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/ICU_DATA] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/ICU_DATA
  - update content in file /opt/gitlab/etc/gitlab-rails/env/ICU_DATA from none to a04260
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/PYTHONPATH] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/PYTHONPATH
  - update content in file /opt/gitlab/etc/gitlab-rails/env/PYTHONPATH from none to 83b536
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/EXECJS_RUNTIME] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/EXECJS_RUNTIME
  - update content in file /opt/gitlab/etc/gitlab-rails/env/EXECJS_RUNTIME from none to 75081b
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitlab-rails/env/TZ] action create
  - create new file /opt/gitlab/etc/gitlab-rails/env/TZ
  - update content in file /opt/gitlab/etc/gitlab-rails/env/TZ from none to 983a95
  - suppressed sensitive resource
  - restore selinux security context
link[/opt/gitlab/embedded/service/gitlab-rails/tmp] action create
- create symlink at /opt/gitlab/embedded/service/gitlab-rails/tmp to /var/opt/gitlab/gitlab-rails/tmp
link[/opt/gitlab/embedded/service/gitlab-rails/public/uploads] action create
- create symlink at /opt/gitlab/embedded/service/gitlab-rails/public/uploads to /var/opt/gitlab/gitlab-rails/uploads
link[/opt/gitlab/embedded/service/gitlab-rails/log] action create
- create symlink at /opt/gitlab/embedded/service/gitlab-rails/log to /var/log/gitlab/gitlab-rails
link[/var/log/gitlab/gitlab-rails/sidekiq.log] action delete (skipped due to only_if)
file[/opt/gitlab/embedded/service/gitlab-rails/db/structure.sql] action create
- change owner from ‘root’ to ‘git’
- restore selinux security context
remote_file[/var/opt/gitlab/gitlab-rails/VERSION] action create/opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/chef-15.14.0/lib/chef/provider/remote_file/local_file.rb:43: warning: URI.unescape is obsolete
- create new file /var/opt/gitlab/gitlab-rails/VERSION
- update content in file /var/opt/gitlab/gitlab-rails/VERSION from none to 103579
  — /var/opt/gitlab/gitlab-rails/VERSION 2023-05-13 15:43:56.325917659 +0800
  +++ /var/opt/gitlab/gitlab-rails/.chef-VERSION20230513-36927-c2cyqb 2023-05-13 15:43:56.325917659 +0800
  @@ -1 +1,2 @@
  +14.0.3
- restore selinux security context
remote_file[/var/opt/gitlab/gitlab-rails/REVISION] action create/opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/chef-15.14.0/lib/chef/provider/remote_file/local_file.rb:43: warning: URI.unescape is obsolete
- create new file /var/opt/gitlab/gitlab-rails/REVISION
- update content in file /var/opt/gitlab/gitlab-rails/REVISION from none to a68c73
  — /var/opt/gitlab/gitlab-rails/REVISION 2023-05-13 15:43:56.364917744 +0800
  +++ /var/opt/gitlab/gitlab-rails/.chef-REVISION20230513-36927-tisoy7 2023-05-13 15:43:56.364917744 +0800
  @@ -1 +1,2 @@
  +f53d20d4fc9
- restore selinux security context
version_file[Create version file for Rails] action create
- file[/var/opt/gitlab/gitlab-rails/RUBY_VERSION] action create
  - create new file /var/opt/gitlab/gitlab-rails/RUBY_VERSION
  - update content in file /var/opt/gitlab/gitlab-rails/RUBY_VERSION from none to 22dcc2
    — /var/opt/gitlab/gitlab-rails/RUBY_VERSION 2023-05-13 15:43:56.431917890 +0800
    +++ /var/opt/gitlab/gitlab-rails/.chef-RUBY_VERSION20230513-36927-15rjzvd 2023-05-13 15:43:56.431917890 +0800
    @@ -1 +1,2 @@
    +ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux]
  - restore selinux security context
execute[clear the gitlab-rails cache] action nothing (skipped due to action :nothing)
file[/var/opt/gitlab/gitlab-rails/config.ru] action delete (up to date)
Recipe: gitlab::selinux
execute[semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp] action run
- execute semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp
execute[semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-10.5.0-ssh-authorized-keys.pp] action run
- execute semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-10.5.0-ssh-authorized-keys.pp
execute[semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp] action run
- execute semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp
bash[Set proper security context on ssh files for selinux] action nothing (skipped due to action :nothing)
Recipe: gitlab::add_trusted_certs
directory[/etc/gitlab/trusted-certs] action create
- create new directory /etc/gitlab/trusted-certs
- change mode from ‘’ to ‘0755’
- restore selinux security context
directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
file[/opt/gitlab/embedded/ssl/certs/README] action create
- create new file /opt/gitlab/embedded/ssl/certs/README
- update content in file /opt/gitlab/embedded/ssl/certs/README from none to 623059
  — /opt/gitlab/embedded/ssl/certs/README 2023-05-13 15:44:28.849988630 +0800
  +++ /opt/gitlab/embedded/ssl/certs/.chef-README20230513-36927-1j269r1 2023-05-13 15:44:28.848988628 +0800
  @@ -1,3 +1,6 @@
  +This directory is managed by omnibus-gitlab.
- Any file placed in this directory will be ignored
  +. Place certificates in /etc/gitlab/trusted-certs.
- change mode from ‘’ to ‘0644’
- restore selinux security context
ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run
Moving existing certificates found in /opt/gitlab/embedded/ssl/certs
Symlinking existing certificates found in /etc/gitlab/trusted-certs
- execute the ruby block Move existing certs and link to /opt/gitlab/embedded/ssl/certs
  Recipe: gitlab::default
service[create a temporary puma service] action nothing (skipped due to action :nothing)
service[create a temporary sidekiq service] action nothing (skipped due to action :nothing)
service[create a temporary mailroom service] action nothing (skipped due to action :nothing)
Recipe: package::runit_systemd
directory[/usr/lib/systemd/system] action create (up to date)
template[/usr/lib/systemd/system/gitlab-runsvdir.service] action create
- create new file /usr/lib/systemd/system/gitlab-runsvdir.service
- update content in file /usr/lib/systemd/system/gitlab-runsvdir.service from none to 6ca59d
  — /usr/lib/systemd/system/gitlab-runsvdir.service 2023-05-13 15:44:28.930988807 +0800
  +++ /usr/lib/systemd/system/.chef-gitlab-runsvdir20230513-36927-171lscx.service 2023-05-13 15:44:28.930988807 +0800
  @@ -1,10 +1,20 @@
  +[Unit]
  +Description=GitLab Runit supervision process
  +After=multi-user.target
+[Service]
+ExecStart=/opt/gitlab/embedded/bin/runsvdir-start
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
- change mode from ‘’ to ‘0644’
- restore selinux security context
execute[systemctl daemon-reload] action run
- execute systemctl daemon-reload
execute[systemctl enable gitlab-runsvdir] action run
[execute] Created symlink from /etc/systemd/system/multi-user.target.wants/gitlab-runsvdir.service to /usr/lib/systemd/system/gitlab-runsvdir.service.
- execute systemctl enable gitlab-runsvdir
execute[systemctl start gitlab-runsvdir] action run
- execute systemctl start gitlab-runsvdir
file[/etc/systemd/system/default.target.wants/gitlab-runsvdir.service] action delete (up to date)
file[/etc/systemd/system/basic.target.wants/gitlab-runsvdir.service] action delete (up to date)
execute[systemctl daemon-reload] action nothing (skipped due to action :nothing)
execute[systemctl enable gitlab-runsvdir] action nothing (skipped due to action :nothing)
execute[systemctl start gitlab-runsvdir] action nothing (skipped due to action :nothing)
Recipe: package::sysctl
execute[reload all sysctl conf] action nothing (skipped due to action :nothing)
Recipe: logrotate::folders_and_configs
directory[/var/opt/gitlab/logrotate] action create
- create new directory /var/opt/gitlab/logrotate
- change mode from ‘’ to ‘0700’
- restore selinux security context
directory[/var/opt/gitlab/logrotate/logrotate.d] action create
- create new directory /var/opt/gitlab/logrotate/logrotate.d
- change mode from ‘’ to ‘0700’
- restore selinux security context
directory[/var/log/gitlab/logrotate] action create
- create new directory /var/log/gitlab/logrotate
- change mode from ‘’ to ‘0700’
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.conf] action create
- create new file /var/opt/gitlab/logrotate/logrotate.conf
- update content in file /var/opt/gitlab/logrotate/logrotate.conf from none to c1c320
  — /var/opt/gitlab/logrotate/logrotate.conf 2023-05-13 15:44:29.413989861 +0800
  +++ /var/opt/gitlab/logrotate/.chef-logrotate20230513-36927-189db18.conf 2023-05-13 15:44:29.413989861 +0800
  @@ -1,12 +1,24 @@
  +# Generated by ‘gitlab-ctl reconfigure’.
  +# Modifications will be overwritten!
+include /var/opt/gitlab/logrotate/logrotate.d/nginx
+include /var/opt/gitlab/logrotate/logrotate.d/puma
+include /var/opt/gitlab/logrotate/logrotate.d/gitlab-rails
+include /var/opt/gitlab/logrotate/logrotate.d/gitlab-shell
+include /var/opt/gitlab/logrotate/logrotate.d/gitlab-workhorse
+include /var/opt/gitlab/logrotate/logrotate.d/gitlab-pages
+include /var/opt/gitlab/logrotate/logrotate.d/gitlab-kas
+include /var/opt/gitlab/logrotate/logrotate.d/gitaly
+include /var/opt/gitlab/logrotate/logrotate.d/mailroom
- change mode from ‘’ to ‘0644’
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/nginx] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/nginx
- update content in file /var/opt/gitlab/logrotate/logrotate.d/nginx from none to e17e19
  — /var/opt/gitlab/logrotate/logrotate.d/nginx 2023-05-13 15:44:29.458989959 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-nginx20230513-36927-138abga 2023-05-13 15:44:29.458989959 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/nginx/*.log {
- su root root
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/puma] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/puma
- update content in file /var/opt/gitlab/logrotate/logrotate.d/puma from none to 44ad27
  — /var/opt/gitlab/logrotate/logrotate.d/puma 2023-05-13 15:44:29.500990051 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-puma20230513-36927-fwlmd6 2023-05-13 15:44:29.500990051 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/puma/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/gitlab-rails] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/gitlab-rails
- update content in file /var/opt/gitlab/logrotate/logrotate.d/gitlab-rails from none to 26254a
  — /var/opt/gitlab/logrotate/logrotate.d/gitlab-rails 2023-05-13 15:44:29.543990144 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-gitlab-rails20230513-36927-b6doc 2023-05-13 15:44:29.543990144 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/gitlab-rails/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/gitlab-shell] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/gitlab-shell
- update content in file /var/opt/gitlab/logrotate/logrotate.d/gitlab-shell from none to 3a880d
  — /var/opt/gitlab/logrotate/logrotate.d/gitlab-shell 2023-05-13 15:44:29.595990258 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-gitlab-shell20230513-36927-1q6we2d 2023-05-13 15:44:29.595990258 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/gitlab-shell//*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/gitlab-workhorse] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/gitlab-workhorse
- update content in file /var/opt/gitlab/logrotate/logrotate.d/gitlab-workhorse from none to 3453f6
  — /var/opt/gitlab/logrotate/logrotate.d/gitlab-workhorse 2023-05-13 15:44:29.648990373 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-gitlab-workhorse20230513-36927-te19ii 2023-05-13 15:44:29.648990373 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/gitlab-workhorse/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/gitlab-pages] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/gitlab-pages
- update content in file /var/opt/gitlab/logrotate/logrotate.d/gitlab-pages from none to 3c118a
  — /var/opt/gitlab/logrotate/logrotate.d/gitlab-pages 2023-05-13 15:44:29.688990461 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-gitlab-pages20230513-36927-1m84ehw 2023-05-13 15:44:29.688990461 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/gitlab-pages/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/gitlab-kas] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/gitlab-kas
- update content in file /var/opt/gitlab/logrotate/logrotate.d/gitlab-kas from none to 0ba4f0
  — /var/opt/gitlab/logrotate/logrotate.d/gitlab-kas 2023-05-13 15:44:29.727990546 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-gitlab-kas20230513-36927-1a03352 2023-05-13 15:44:29.727990546 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/gitlab-kas/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/gitaly] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/gitaly
- update content in file /var/opt/gitlab/logrotate/logrotate.d/gitaly from none to 02bda7
  — /var/opt/gitlab/logrotate/logrotate.d/gitaly 2023-05-13 15:44:29.767990633 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-gitaly20230513-36927-evczhq 2023-05-13 15:44:29.767990633 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/gitaly/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
template[/var/opt/gitlab/logrotate/logrotate.d/mailroom] action create
- create new file /var/opt/gitlab/logrotate/logrotate.d/mailroom
- update content in file /var/opt/gitlab/logrotate/logrotate.d/mailroom from none to 8fcea3
  — /var/opt/gitlab/logrotate/logrotate.d/mailroom 2023-05-13 15:44:29.809990725 +0800
  +++ /var/opt/gitlab/logrotate/logrotate.d/.chef-mailroom20230513-36927-xof3a3 2023-05-13 15:44:29.809990725 +0800
  @@ -1,17 +1,34 @@
  +# Generated by gitlab-ctl reconfigure
  +# Modifications will be overwritten!
+/var/log/gitlab/mailroom/*.log {
- su git git
- daily
- rotate 30
- compress
- copytruncate
- missingok
- notifempty
- postrotate
- endscript
  +}
- restore selinux security context
  Recipe: logrotate::enable
service[logrotate] action nothing (skipped due to action :nothing)
runit_service[logrotate] action enable
- ruby_block[restart_service] action nothing (skipped due to action :nothing)
- ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
- ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
- directory[/opt/gitlab/sv/logrotate] action create
  - create new directory /opt/gitlab/sv/logrotate
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- template[/opt/gitlab/sv/logrotate/run] action create
  - create new file /opt/gitlab/sv/logrotate/run
  - update content in file /opt/gitlab/sv/logrotate/run from none to 07f1b6
    — /opt/gitlab/sv/logrotate/run 2023-05-13 15:44:29.881990882 +0800
    +++ /opt/gitlab/sv/logrotate/.chef-run20230513-36927-4f30qp 2023-05-13 15:44:29.881990882 +0800
    @@ -1,10 +1,20 @@
    +#!/bin/sh
    +exec 2>&1
  +cd /var/opt/gitlab/logrotate
  +
  +exec /opt/gitlab/embedded/bin/chpst -P /usr/bin/env \
  - dir=/var/opt/gitlab/logrotate \
  - pre_sleep=600 \
  - post_sleep=3000 \
  - /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- directory[/opt/gitlab/sv/logrotate/log] action create
  - create new directory /opt/gitlab/sv/logrotate/log
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- directory[/opt/gitlab/sv/logrotate/log/main] action create
  - create new directory /opt/gitlab/sv/logrotate/log/main
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- template[/opt/gitlab/sv/logrotate/log/config] action create
  - create new file /opt/gitlab/sv/logrotate/log/config
  - update content in file /opt/gitlab/sv/logrotate/log/config from none to 623c00
    — /opt/gitlab/sv/logrotate/log/config 2023-05-13 15:44:29.978991094 +0800
    +++ /opt/gitlab/sv/logrotate/log/.chef-config20230513-36927-1vc5odm 2023-05-13 15:44:29.978991094 +0800
    @@ -1,6 +1,12 @@
    +s209715200
    +n30
    +t86400
    +!gzip
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- ruby_block[verify_chown_persisted_on_logrotate] action create
  - execute the ruby block verify_chown_persisted_on_logrotate
- ruby_block[verify_chown_persisted_on_logrotate] action nothing (skipped due to action :nothing)
- link[/var/log/gitlab/logrotate/config] action create
  - create symlink at /var/log/gitlab/logrotate/config to /opt/gitlab/sv/logrotate/log/config
- template[/opt/gitlab/sv/logrotate/log/run] action create
  - create new file /opt/gitlab/sv/logrotate/log/run
  - update content in file /opt/gitlab/sv/logrotate/log/run from none to 94afe6
    — /opt/gitlab/sv/logrotate/log/run 2023-05-13 15:44:30.029991205 +0800
    +++ /opt/gitlab/sv/logrotate/log/.chef-run20230513-36927-1rw8b5c 2023-05-13 15:44:30.028991203 +0800
    @@ -1,2 +1,4 @@
    +#!/bin/sh
    +exec svlogd -tt /var/log/gitlab/logrotate
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- directory[/opt/gitlab/sv/logrotate/env] action create
  - create new directory /opt/gitlab/sv/logrotate/env
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- ruby_block[Delete unmanaged env files for logrotate service] action run (skipped due to only_if)
- template[/opt/gitlab/sv/logrotate/check] action create (skipped due to only_if)
- template[/opt/gitlab/sv/logrotate/finish] action create (skipped due to only_if)
- directory[/opt/gitlab/sv/logrotate/control] action create
  - create new directory /opt/gitlab/sv/logrotate/control
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- template[/opt/gitlab/sv/logrotate/control/t] action create
  - create new file /opt/gitlab/sv/logrotate/control/t
  - update content in file /opt/gitlab/sv/logrotate/control/t from none to 8fa3fa
    — /opt/gitlab/sv/logrotate/control/t 2023-05-13 15:44:30.127991419 +0800
    +++ /opt/gitlab/sv/logrotate/control/.chef-t20230513-36927-1jt9k0s 2023-05-13 15:44:30.127991419 +0800
    @@ -1,3 +1,6 @@
    +#!/bin/sh
    +echo “Received TERM from runit, sending to process group (-PID)”
    +kill – -$(cat /opt/gitlab/service/logrotate/supervise/pid)
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[/opt/gitlab/init/logrotate] action create
  - create symlink at /opt/gitlab/init/logrotate to /opt/gitlab/embedded/bin/sv
- file[/opt/gitlab/sv/logrotate/down] action nothing (skipped due to action :nothing)
- ruby_block[restart_service] action run (skipped due to only_if)
- ruby_block[reload_log_service] action create
  - ruby_block[restart_service] action nothing (skipped due to action :nothing)
  - ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
  - ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/sv/logrotate] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/run] action create (up to date)
  - directory[/opt/gitlab/sv/logrotate/log] action create (up to date)
  - directory[/opt/gitlab/sv/logrotate/log/main] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/log/config] action create (up to date)
  - ruby_block[verify_chown_persisted_on_logrotate] action nothing (skipped due to action :nothing)
  - link[/var/log/gitlab/logrotate/config] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/log/run] action create (up to date)
  - directory[/opt/gitlab/sv/logrotate/env] action create (up to date)
  - ruby_block[Delete unmanaged env files for logrotate service] action run (skipped due to only_if)
  - template[/opt/gitlab/sv/logrotate/check] action create (skipped due to only_if)
  - template[/opt/gitlab/sv/logrotate/finish] action create (skipped due to only_if)
  - directory[/opt/gitlab/sv/logrotate/control] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/control/t] action create (up to date)
  - link[/opt/gitlab/init/logrotate] action create (up to date)
  - file[/opt/gitlab/sv/logrotate/down] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/service] action create (up to date)
  - link[/opt/gitlab/service/logrotate] action create
    - create symlink at /opt/gitlab/service/logrotate to /opt/gitlab/sv/logrotate
  - ruby_block[wait for logrotate service socket] action run
    - execute the ruby block wait for logrotate service socket
  - execute the ruby block reload_log_service
- ruby_block[restart_log_service] action run
  - ruby_block[restart_service] action nothing (skipped due to action :nothing)
  - ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
  - ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/sv/logrotate] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/run] action create (up to date)
  - directory[/opt/gitlab/sv/logrotate/log] action create (up to date)
  - directory[/opt/gitlab/sv/logrotate/log/main] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/log/config] action create (up to date)
  - ruby_block[verify_chown_persisted_on_logrotate] action nothing (skipped due to action :nothing)
  - link[/var/log/gitlab/logrotate/config] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/log/run] action create (up to date)
  - directory[/opt/gitlab/sv/logrotate/env] action create (up to date)
  - ruby_block[Delete unmanaged env files for logrotate service] action run (skipped due to only_if)
  - template[/opt/gitlab/sv/logrotate/check] action create (skipped due to only_if)
  - template[/opt/gitlab/sv/logrotate/finish] action create (skipped due to only_if)
  - directory[/opt/gitlab/sv/logrotate/control] action create (up to date)
  - template[/opt/gitlab/sv/logrotate/control/t] action create (up to date)
  - link[/opt/gitlab/init/logrotate] action create (up to date)
  - file[/opt/gitlab/sv/logrotate/down] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/service] action create (up to date)
  - link[/opt/gitlab/service/logrotate] action create (up to date)
  - ruby_block[wait for logrotate service socket] action run (skipped due to not_if)
  - execute the ruby block restart_log_service
- directory[/opt/gitlab/service] action create (up to date)
- link[/opt/gitlab/service/logrotate] action create (up to date)
- ruby_block[wait for logrotate service socket] action run (skipped due to not_if)
execute[/opt/gitlab/bin/gitlab-ctl start logrotate] action run
[execute] ok: run: logrotate: (pid 38721) 2s
- execute /opt/gitlab/bin/gitlab-ctl start logrotate
  Recipe: redis::enable
redis_service[redis] action create
- account[user and group for redis] action create
  - group[user and group for redis] action create
    - create group gitlab-redis
  - linux_user[user and group for redis] action create
    - create user gitlab-redis
- group[Socket group] action create (up to date)
- directory[/var/opt/gitlab/redis] action create
  - create new directory /var/opt/gitlab/redis
  - change mode from ‘’ to ‘0750’
  - change owner from ‘’ to ‘gitlab-redis’
  - change group from ‘’ to ‘git’
  - restore selinux security context
- directory[/var/log/gitlab/redis] action create
  - create new directory /var/log/gitlab/redis
  - change mode from ‘’ to ‘0700’
  - change owner from ‘’ to ‘gitlab-redis’
  - restore selinux security context
- template[/var/opt/gitlab/redis/redis.conf] action create
  - create new file /var/opt/gitlab/redis/redis.conf
  - update content in file /var/opt/gitlab/redis/redis.conf from none to d126ed
    — /var/opt/gitlab/redis/redis.conf 2023-05-13 15:44:36.806005991 +0800
    +++ /var/opt/gitlab/redis/.chef-redis20230513-36927-9qr0cn.conf 2023-05-13 15:44:36.806005991 +0800
    @@ -1,1159 +1,2318 @@
    +# This file is managed by gitlab-ctl. Manual changes will be
    +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
    +# and run sudo gitlab-ctl reconfigure.
  +# Redis configuration file example.
  +#
  +# Note that in order to read the configuration file, Redis must be
  +# started with the file path as first argument:
  +#
  +# ./redis-server /path/to/redis.conf
  +
  +# Note on units: when memory size is needed, it is possible to specify
  +# it in the usual form of 1k 5GB 4M and so forth:
  +#
  +# 1k => 1000 bytes
  +# 1kb => 1024 bytes
  +# 1m => 1000000 bytes
  +# 1mb => 10241024 bytes
  +# 1g => 1000000000 bytes
  +# 1gb => 10241024*1024 bytes
  +#
  +# units are case insensitive so 1GB 1Gb 1gB are all the same.
  +
  +################################## INCLUDES ###################################
  +
  +# Include one or more other config files here. This is useful if you
  +# have a standard template that goes to all Redis servers but also need
  +# to customize a few per-server settings. Include files can include
  +# other files, so use this wisely.
  +#
  +# Notice option “include” won’t be rewritten by command “CONFIG REWRITE”
  +# from admin or Redis Sentinel. Since Redis always uses the last processed
  +# line as value of a configuration directive, you’d better put includes
  +# at the beginning of this file to avoid overwriting config change at runtime.
  +#
  +# If instead you are interested in using includes to override configuration
  +# options, it is better to use include as the last line.
  +#
  +# include /path/to/local.conf
  +# include /path/to/other.conf
  +
  +################################## NETWORK #####################################
  +
  +# By default, if no “bind” configuration directive is specified, Redis listens
  +# for connections from all the network interfaces available on the server.
  +# It is possible to listen to just one or multiple selected interfaces using
  +# the “bind” configuration directive, followed by one or more IP addresses.
  +#
  +# Examples:
  +#
  +# bind 192.168.1.100 10.0.0.1
  +# bind 127.0.0.1 ::1
  +#
  +# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
  +# internet, binding to all the interfaces is dangerous and will expose the
  +# instance to everybody on the internet. So by default we uncomment the
  +# following bind directive, that will force Redis to listen only into
  +# the IPv4 lookback interface address (this means Redis will be able to
  +# accept connections only from clients running into the same computer it
  +# is running).
  +#
  +# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
  +# JUST COMMENT THE FOLLOWING LINE.
  +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  +bind 127.0.0.1
  +
  +# Protected mode is a layer of security protection, in order to avoid that
  +# Redis instances left open on the internet are accessed and exploited.
  +#
  +# When protected mode is on and if:
  +#
  +# 1) The server is not binding explicitly to a set of addresses using the
  +# “bind” directive.
  +# 2) No password is configured.
  +#
  +# The server only accepts connections from clients connecting from the
  +# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
  +# sockets.
  +#
  +# By default protected mode is enabled. You should disable it only if
  +# you are sure you want clients from other hosts to connect to Redis
  +# even if no authentication is configured, nor a specific set of interfaces
  +# are explicitly listed using the “bind” directive.
  +# protected-mode yes
  +
  +# Accept connections on the specified port, default is 6379 (IANA #815344).
  +# If port 0 is specified Redis will not listen on a TCP socket.
  +port 0
  +
  +# TCP listen() backlog.
  +#
  +# In high requests-per-second environments you need an high backlog in order
  +# to avoid slow clients connections issues. Note that the Linux kernel
  +# will silently truncate it to the value of /proc/sys/net/core/somaxconn so
  +# make sure to raise both the value of somaxconn and tcp_max_syn_backlog
  +# in order to get the desired effect.
  +tcp-backlog 511
  +
  +# Unix socket.
  +#
  +# Specify the path for the Unix socket that will be used to listen for
  +# incoming connections. There is no default, so Redis will not listen
  +# on a unix socket when not specified.
  +#
  +unixsocket /var/opt/gitlab/redis/redis.socket
  +unixsocketperm 777
  +
  +# Close the connection after a client is idle for N seconds (0 to disable)
  +timeout 60
  +
  +# TCP keepalive.
  +#
  +# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence
  +# of communication. This is useful for two reasons:
  +#
  +# 1) Detect dead peers.
  +# 2) Take the connection alive from the point of view of network
  +# equipment in the middle.
  +#
  +# On Linux, the specified value (in seconds) is the period used to send ACKs.
  +# Note that to close the connection the double of the time is needed.
  +# On other kernels the period depends on the kernel configuration.
  +#
  +# A reasonable value for this option is 300 seconds, which is the new
  +# Redis default starting with Redis 3.2.1.
  +tcp-keepalive 300
  +
  +################################# GENERAL #####################################
  +
  +# By default Redis does not run as a daemon. Use ‘yes’ if you need it.
  +# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
  +daemonize no
  +
  +# If you run Redis from upstart or systemd, Redis can interact with your
  +# supervision tree. Options:
  +# supervised no - no supervision interaction
  +# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
  +# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
  +# supervised auto - detect upstart or systemd method based on
  +# UPSTART_JOB or NOTIFY_SOCKET environment variables
  +# Note: these supervision methods only signal “process is ready.”
  +# They do not enable continuous liveness pings back to your supervisor.
  +# supervised no
  +
  +# If a pid file is specified, Redis writes it where specified at startup
  +# and removes it at exit.
  +#
  +# When the server runs non daemonized, no pid file is created if none is
  +# specified in the configuration. When the server is daemonized, the pid file
  +# is used even if not specified, defaulting to “/var/run/redis.pid”.
  +#
  +# Creating a pid file is best effort: if Redis is not able to create it
  +# nothing bad happens, the server will start and run normally.
  +pidfile “/var/run/redis_0.pid”
  +
  +# Specify the server verbosity level.
  +# This can be one of:
  +# debug (a lot of information, useful for development/testing)
  +# verbose (many rarely useful info, but not a mess like the debug level)
  +# notice (moderately verbose, what you want in production probably)
  +# warning (only very important / critical messages are logged)
  +loglevel notice
  +
  +# Specify the log file name. Also the empty string can be used to force
  +# Redis to log on the standard output. Note that if you use standard
  +# output for logging but daemonize, logs will be sent to /dev/null
  +logfile “”
  +
  +# To enable logging to the system logger, just set ‘syslog-enabled’ to yes,
  +# and optionally update the other syslog parameters to suit your needs.
  +# syslog-enabled no
  +
  +# Specify the syslog identity.
  +# syslog-ident redis
  +
  +# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
  +# syslog-facility local0
  +
  +# Set the number of databases. The default database is DB 0, you can select
  +# a different one on a per-connection basis using SELECT where
  +# dbid is a number between 0 and ‘databases’-1
  +databases 16
  +
  +################################ SNAPSHOTTING ################################
  +#
  +# Save the DB on disk:
  +#
  +# save
  +#
  +# Will save the DB if both the given number of seconds and the given
  +# number of write operations against the DB occurred.
  +#
  +# In the example below the behaviour will be to save:
  +# after 900 sec (15 min) if at least 1 key changed
  +# after 300 sec (5 min) if at least 10 keys changed
  +# after 60 sec if at least 10000 keys changed
  +#
  +# Note: you can disable saving completely by commenting out all “save” lines.
  +#
  +# It is also possible to remove all the previously configured save
  +# points by adding a save directive with a single empty string argument
  +# like in the following example:
  +#
  +# save “”
  +
  +save 900 1
  +save 300 10
  +save 60 10000
  +
  +# By default Redis will stop accepting writes if RDB snapshots are enabled
  +# (at least one save point) and the latest background save failed.
  +# This will make the user aware (in a hard way) that data is not persisting
  +# on disk properly, otherwise chances are that no one will notice and some
  +# disaster will happen.
  +#
  +# If the background saving process will start working again Redis will
  +# automatically allow writes again.
  +#
  +# However if you have setup your proper monitoring of the Redis server
  +# and persistence, you may want to disable this feature so that Redis will
  +# continue to work as usual even if there are problems with disk,
  +# permissions, and so forth.
  +stop-writes-on-bgsave-error yes
  +
  +# Compress string objects using LZF when dump .rdb databases?
  +# For default that’s set to ‘yes’ as it’s almost always a win.
  +# If you want to save some CPU in the saving child set it to ‘no’ but
  +# the dataset will likely be bigger if you have compressible values or keys.
  +rdbcompression yes
  +
  +# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
  +# This makes the format more resistant to corruption but there is a performance
  +# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
  +# for maximum performances.
  +#
  +# RDB files created with checksum disabled have a checksum of zero that will
  +# tell the loading code to skip the check.
  +rdbchecksum yes
  +
  +# The filename where to dump the DB
  +dbfilename “dump.rdb”
  +
  +# The working directory.
  +#
  +# The DB will be written inside this directory, with the filename specified
  +# above using the ‘dbfilename’ configuration directive.
  +#
  +# The Append Only File will also be created inside this directory.
  +#
  +# Note that you must specify a directory here, not a file name.
  +dir “/var/opt/gitlab/redis”
  +
  +################################# REPLICATION #################################
  +
  +# Master-Replica replication. Use replicaof to make a Redis instance a copy of
  +# another Redis server. A few things to understand ASAP about Redis replication.
  +#
  +# 1) Redis replication is asynchronous, but you can configure a master to
  +# stop accepting writes if it appears to be not connected with at least
  +# a given number of replicas.
  +# 2) Redis replicas are able to perform a partial resynchronization with the
  +# master if the replication link is lost for a relatively small amount of
  +# time. You may want to configure the replication backlog size (see the next
  +# sections of this file) with a sensible value depending on your needs.
  +# 3) Replication is automatic and does not need user intervention. After a
  +# network partition replicas automatically try to reconnect to masters
  +# and resynchronize with them.
  +#
  +# replicaof
  +
  +
  +# If the master is password protected (using the “requirepass” configuration
  +# directive below) it is possible to tell the replica to authenticate before
  +# starting the replication synchronization process, otherwise the master will
  +# refuse the replica request.
  +#
  +# masterauth
  +
  +
  +# When a replica loses its connection with the master, or when the replication
  +# is still in progress, the replica can act in two different ways:
  +#
  +# 1) if replica-serve-stale-data is set to ‘yes’ (the default) the replica will
  +# still reply to client requests, possibly with out of date data, or the
  +# data set may just be empty if this is the first synchronization.
  +#
  +# 2) if replica-serve-stale-data is set to ‘no’ the replica will reply with
  +# an error “SYNC with master in progress” to all the kind of commands
  +# but to INFO and REPLICAOF.
  +#
  +replica-serve-stale-data yes
  +
  +# You can configure a replica instance to accept writes or not. Writing against
  +# a replica instance may be useful to store some ephemeral data (because data
  +# written on a replica will be easily deleted after resync with the master) but
  +# may also cause problems if clients are writing to it because of a
  +# misconfiguration.
  +#
  +# Since Redis 2.6 by default replicas are read-only.
  +#
  +# Note: read only replicas are not designed to be exposed to untrusted clients
  +# on the internet. It’s just a protection layer against misuse of the instance.
  +# Still a read only replica exports by default all the administrative commands
  +# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
  +# security of read only replicas using ‘rename-command’ to shadow all the
  +# administrative / dangerous commands.
  +replica-read-only yes
  +
  +# Replication SYNC strategy: disk or socket.
  +#
  +# -------------------------------------------------------
  +# WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY
  +# -------------------------------------------------------
  +#
  +# New replicas and reconnecting replicas that are not able to continue the replication
  +# process just receiving differences, need to do what is called a “full
  +# synchronization”. An RDB file is transmitted from the master to the replicas.
  +# The transmission can happen in two different ways:
  +#
  +# 1) Disk-backed: The Redis master creates a new process that writes the RDB
  +# file on disk. Later the file is transferred by the parent
  +# process to the replicas incrementally.
  +# 2) Diskless: The Redis master creates a new process that directly writes the
  +# RDB file to replica sockets, without touching the disk at all.
  +#
  +# With disk-backed replication, while the RDB file is generated, more replicas
  +# can be queued and served with the RDB file as soon as the current child producing
  +# the RDB file finishes its work. With diskless replication instead once
  +# the transfer starts, new replicas arriving will be queued and a new transfer
  +# will start when the current one terminates.
  +#
  +# When diskless replication is used, the master waits a configurable amount of
  +# time (in seconds) before starting the transfer in the hope that multiple replicas
  +# will arrive and the transfer can be parallelized.
  +#
  +# With slow disks and fast (large bandwidth) networks, diskless replication
  +# works better.
  +# repl-diskless-sync no
  +
  +# When diskless replication is enabled, it is possible to configure the delay
  +# the server waits in order to spawn the child that transfers the RDB via socket
  +# to the replicas.
  +#
  +# This is important since once the transfer starts, it is not possible to serve
  +# new replicas arriving, that will be queued for the next RDB transfer, so the server
  +# waits a delay in order to let more replicas arrive.
  +#
  +# The delay is specified in seconds, and by default is 5 seconds. To disable
  +# it entirely just set it to 0 seconds and the transfer will start ASAP.
  +# repl-diskless-sync-delay 5
  +
  +# replicas send PINGs to server in a predefined interval. It’s possible to change
  +# this interval with the repl_ping_replica_period option. The default value is 10
  +# seconds.
  +#
  +# repl-ping-replica-period 10
  +
  +# The following option sets the replication timeout for:
  +#
  +# 1) Bulk transfer I/O during SYNC, from the point of view of replica.
  +# 2) Master timeout from the point of view of replicas (data, pings).
  +# 3) replica timeout from the point of view of masters (REPLCONF ACK pings).
  +#
  +# It is important to make sure that this value is greater than the value
  +# specified for repl-ping-replica-period otherwise a timeout will be detected
  +# every time there is low traffic between the master and the replica.
  +#
  +# repl-timeout 60
  +
  +# Disable TCP_NODELAY on the replica socket after SYNC?
  +#
  +# If you select “yes” Redis will use a smaller number of TCP packets and
  +# less bandwidth to send data to replicas. But this can add a delay for
  +# the data to appear on the replica side, up to 40 milliseconds with
  +# Linux kernels using a default configuration.
  +#
  +# If you select “no” the delay for data to appear on the replica side will
  +# be reduced but more bandwidth will be used for replication.
  +#
  +# By default we optimize for low latency, but in very high traffic conditions
  +# or when the master and replicas are many hops away, turning this to “yes” may
  +# be a good idea.
  +repl-disable-tcp-nodelay no
  +
  +# Set the replication backlog size. The backlog is a buffer that accumulates
  +# replica data when replicas are disconnected for some time, so that when a replica
  +# wants to reconnect again, often a full resync is not needed, but a partial
  +# resync is enough, just passing the portion of data the replica missed while
  +# disconnected.
  +#
  +# The bigger the replication backlog, the longer the time the replica can be
  +# disconnected and later be able to perform a partial resynchronization.
  +#
  +# The backlog is only allocated once there is at least a replica connected.
  +#
  +# repl-backlog-size 1mb
  +
  +# After a master has no longer connected replicas for some time, the backlog
  +# will be freed. The following option configures the amount of seconds that
  +# need to elapse, starting from the time the last replica disconnected, for
  +# the backlog buffer to be freed.
  +#
  +# A value of 0 means to never release the backlog.
  +#
  +# repl-backlog-ttl 3600
  +
  +# The replica priority is an integer number published by Redis in the INFO output.
  +# It is used by Redis Sentinel in order to select a replica to promote into a
  +# master if the master is no longer working correctly.
  +#
  +# A replica with a low priority number is considered better for promotion, so
  +# for instance if there are three replicas with priority 10, 100, 25 Sentinel will
  +# pick the one with priority 10, that is the lowest.
  +#
  +# However a special priority of 0 marks the replica as not able to perform the
  +# role of master, so a replica with priority of 0 will never be selected by
  +# Redis Sentinel for promotion.
  +#
  +# By default the priority is 100.
  +replica-priority 100
  +
  +# It is possible for a master to stop accepting writes if there are less than
  +# N replicas connected, having a lag less or equal than M seconds.
  +#
  +# The N replicas need to be in “online” state.
  +#
  +# The lag in seconds, that must be <= the specified value, is calculated from
  +# the last ping received from the replica, that is usually sent every second.
  +#
  +# This option does not GUARANTEE that N replicas will accept the write, but
  +# will limit the window of exposure for lost writes in case not enough replicas
  +# are available, to the specified number of seconds.
  +#
  +# For example to require at least 3 replicas with a lag <= 10 seconds use:
  +#
  +# min-replicas-to-write 3
  +# min-replicas-max-lag 10
  +#
  +# Setting one or the other to 0 disables the feature.
  +#
  +# By default min-replicas-to-write is set to 0 (feature disabled) and
  +# min-replicas-max-lag is set to 10.
  +
  +# A Redis master is able to list the address and port of the attached
  +# replicas in different ways. For example the “INFO replication” section
  +# offers this information, which is used, among other tools, by
  +# Redis Sentinel in order to discover replica instances.
  +# Another place where this info is available is in the output of the
  +# “ROLE” command of a masteer.
  +#
  +# The listed IP and address normally reported by a replica is obtained
  +# in the following way:
  +#
  +# IP: The address is auto detected by checking the peer address
  +# of the socket used by the replica to connect with the master.
  +#
  +# Port: The port is communicated by the replica during the replication
  +# handshake, and is normally the port that the replica is using to
  +# list for connections.
  +#
  +# However when port forwarding or Network Address Translation (NAT) is
  +# used, the replica may be actually reachable via different IP and port
  +# pairs. The following two options can be used by a replica in order to
  +# report to its master a specific set of IP and port, so that both INFO
  +# and ROLE will report those values.
  +#
  +# There is no need to use both the options if you need to override just
  +# the port or the IP address.
  +#
  +
  +
  +
  +################################## SECURITY ###################################
  +
  +# Require clients to issue AUTH before processing any other
  +# commands. This might be useful in environments in which you do not trust
  +# others with access to the host running redis-server.
  +#
  +# This should stay commented out for backward compatibility and because most
  +# people do not need auth (e.g. they run their own servers).
  +#
  +# Warning: since Redis is pretty fast an outside user can try up to
  +# 150k passwords per second against a good box. This means that you should
  +# use a very strong password otherwise it will be very easy to break.
  +#
  +
  +
  +# Command renaming.
  +#
  +# It is possible to change the name of dangerous commands in a shared
  +# environment. For instance the CONFIG command may be renamed into something
  +# hard to guess so that it will still be available for internal-use tools
  +# but not available for general clients.
  +#
  +# Example:
  +#
  +# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
  +#
  +# It is also possible to completely kill a command by renaming it into
  +# an empty string:
  +#
  +# rename-command CONFIG “”
  +#
  +# Please note that changing the name of commands that are logged into the
  +# AOF file or transmitted to replicas may cause problems.
  +rename-command KEYS “”
  +################################### LIMITS ####################################
  +
  +# Set the max number of connected clients at the same time. By default
  +# this limit is set to 10000 clients, however if the Redis server is not
  +# able to configure the process file limit to allow for the specified limit
  +# the max number of allowed clients is set to the current file limit
  +# minus 32 (as Redis reserves a few file descriptors for internal uses).
  +#
  +# Once the limit is reached Redis will close all the new connections sending
  +# an error ‘max number of clients reached’.
  +#
  +maxclients 10000
  +
  +# Don’t use more memory than the specified amount of bytes.
  +# When the memory limit is reached Redis will try to remove keys
  +# according to the eviction policy selected (see maxmemory-policy).
  +#
  +# If Redis can’t remove keys according to the policy, or if the policy is
  +# set to ‘noeviction’, Redis will start to reply with errors to commands
  +# that would use more memory, like SET, LPUSH, and so on, and will continue
  +# to reply to read-only commands like GET.
  +#
  +# This option is usually useful when using Redis as an LRU cache, or to set
  +# a hard memory limit for an instance (using the ‘noeviction’ policy).
  +#
  +# WARNING: If you have replicas attached to an instance with maxmemory on,
  +# the size of the output buffers needed to feed the replicas are subtracted
  +# from the used memory count, so that network problems / resyncs will
  +# not trigger a loop where keys are evicted, and in turn the output
  +# buffer of replicas is full with DELs of keys evicted triggering the deletion
  +# of more keys, and so forth until the database is completely emptied.
  +#
  +# In short… if you have replicas attached it is suggested that you set a lower
  +# limit for maxmemory so that there is some free RAM on the system for replica
  +# output buffers (but this is not needed if the policy is ‘noeviction’).
  +#
  +# maxmemory
  +maxmemory 0
  +
  +# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
  +# is reached. You can select among five behaviors:
  +#
  +# volatile-lru -> remove the key with an expire set using an LRU algorithm
  +# allkeys-lru -> remove any key according to the LRU algorithm
  +# volatile-random -> remove a random key with an expire set
  +# allkeys-random -> remove a random key, any key
  +# volatile-ttl -> remove the key with the nearest expire time (minor TTL)
  +# noeviction -> don’t expire at all, just return an error on write operations
  +#
  +# Note: with any of the above policies, Redis will return an error on write
  +# operations, when there are no suitable keys for eviction.
  +#
  +# At the date of writing these commands are: set setnx setex append
  +# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
  +# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
  +# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
  +# getset mset msetnx exec sort
  +#
  +# The default is:
  +#
  +# maxmemory-policy noeviction
  +maxmemory-policy noeviction
  +
  +# LRU and minimal TTL algorithms are not precise algorithms but approximated
  +# algorithms (in order to save memory), so you can tune it for speed or
  +# accuracy. For default Redis will check five keys and pick the one that was
  +# used less recently, you can change the sample size using the following
  +# configuration directive.
  +#
  +# The default of 5 produces good enough results. 10 Approximates very closely
  +# true LRU but costs a bit more CPU. 3 is very fast but not very accurate.
  +#
  +# maxmemory-samples 5
  +maxmemory-samples 5
  +
  +############################# LAZY FREEING ####################################
  +
  +# Redis has two primitives to delete keys. One is called DEL and is a blocking
  +# deletion of the object. It means that the server stops processing new commands
  +# in order to reclaim all the memory associated with an object in a synchronous
  +# way. If the key deleted is associated with a small object, the time needed
  +# in order to execute the DEL command is very small and comparable to most other
  +# O(1) or O(log_N) commands in Redis. However if the key is associated with an
  +# aggregated value containing millions of elements, the server can block for
  +# a long time (even seconds) in order to complete the operation.
  +#
  +# For the above reasons Redis also offers non blocking deletion primitives
  +# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and
  +# FLUSHDB commands, in order to reclaim memory in background. Those commands
  +# are executed in constant time. Another thread will incrementally free the
  +# object in the background as fast as possible.
  +#
  +# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled.
  +# It’s up to the design of the application to understand when it is a good
  +# idea to use one or the other. However the Redis server sometimes has to
  +# delete keys or flush the whole database as a side effect of other operations.
  +# Specifically Redis deletes objects independently of a user call in the
  +# following scenarios:
  +#
  +# 1) On eviction, because of the maxmemory and maxmemory policy configurations,
  +# in order to make room for new data, without going over the specified
  +# memory limit.
  +# 2) Because of expire: when a key with an associated time to live (see the
  +# EXPIRE command) must be deleted from memory.
  +# 3) Because of a side effect of a command that stores data on a key that may
  +# already exist. For example the RENAME command may delete the old key
  +# content when it is replaced with another one. Similarly SUNIONSTORE
  +# or SORT with STORE option may delete existing keys. The SET command
  +# itself removes any old content of the specified key in order to replace
  +# it with the specified string.
  +# 4) During replication, when a replica performs a full resynchronization with
  +# its master, the content of the whole database is removed in order to
  +# load the RDB file just transferred.
  +#
  +# In all the above cases the default is to delete objects in a blocking way,
  +# like if DEL was called. However you can configure each case specifically
  +# in order to instead release memory in a non-blocking way like if UNLINK
  +# was called, using the following configuration directives:
  +
  +lazyfree-lazy-eviction no
  +lazyfree-lazy-expire no
  +lazyfree-lazy-server-del no
  +replica-lazy-flush no
  +
  +################################ THREADED I/O #################################
  +
  +# Redis is mostly single threaded, however there are certain threaded
  +# operations such as UNLINK, slow I/O accesses and other things that are
  +# performed on side threads.
  +#
  +# Now it is also possible to handle Redis clients socket reads and writes
  +# in different I/O threads. Since especially writing is so slow, normally
  +# Redis users use pipelining in order to speed up the Redis performances per
  +# core, and spawn multiple instances in order to scale more. Using I/O
  +# threads it is possible to easily speedup two times Redis without resorting
  +# to pipelining nor sharding of the instance.
  +#
  +# By default threading is disabled, we suggest enabling it only in machines
  +# that have at least 4 or more cores, leaving at least one spare core.
  +# Using more than 8 threads is unlikely to help much. We also recommend using
  +# threaded I/O only if you actually have performance problems, with Redis
  +# instances being able to use a quite big percentage of CPU time, otherwise
  +# there is no point in using this feature.
  +#
  +# So for instance if you have a four cores boxes, try to use 2 or 3 I/O
  +# threads, if you have a 8 cores, try to use 6 threads. In order to
  +# enable I/O threads use the following configuration directive:
  +#
  +# io-threads 4
  +#
  +# Setting io-threads to 1 will just use the main thread as usual.
  +# When I/O threads are enabled, we only use threads for writes, that is
  +# to thread the write(2) syscall and transfer the client buffers to the
  +# socket. However it is also possible to enable threading of reads and
  +# protocol parsing using the following configuration directive, by setting
  +# it to yes:
  +#
  +# io-threads-do-reads no
  +#
  +# Usually threading reads doesn’t help much.
  +#
  +# NOTE 1: This configuration directive cannot be changed at runtime via
  +# CONFIG SET. Aso this feature currently does not work when SSL is
  +# enabled.
  +#
  +# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
  +# sure you also run the benchmark itself in threaded mode, using the
  +# --threads option to match the number of Redis threads, otherwise you’ll not
  +# be able to notice the improvements.
  +
  +io-threads 1
  +io-threads-do-reads no
  +
  +############################## APPEND ONLY MODE ###############################
  +
  +# By default Redis asynchronously dumps the dataset on disk. This mode is
  +# good enough in many applications, but an issue with the Redis process or
  +# a power outage may result into a few minutes of writes lost (depending on
  +# the configured save points).
  +#
  +# The Append Only File is an alternative persistence mode that provides
  +# much better durability. For instance using the default data fsync policy
  +# (see later in the config file) Redis can lose just one second of writes in a
  +# dramatic event like a server power outage, or a single write if something
  +# wrong with the Redis process itself happens, but the operating system is
  +# still running correctly.
  +#
  +# AOF and RDB persistence can be enabled at the same time without problems.
  +# If the AOF is enabled on startup Redis will load the AOF, that is the file
  +# with the better durability guarantees.
  +#
  +# Please check http://redis.io/topics/persistence for more information.
  +
  +appendonly no
  +
  +# The name of the append only file (default: “appendonly.aof”)
  +
  +# appendfilename “appendonly.aof”
  +
  +# The fsync() call tells the Operating System to actually write data on disk
  +# instead of waiting for more data in the output buffer. Some OS will really flush
  +# data on disk, some other OS will just try to do it ASAP.
  +#
  +# Redis supports three different modes:
  +#
  +# no: don’t fsync, just let the OS flush the data when it wants. Faster.
  +# always: fsync after every write to the append only log. Slow, Safest.
  +# everysec: fsync only one time every second. Compromise.
  +#
  +# The default is “everysec”, as that’s usually the right compromise between
  +# speed and data safety. It’s up to you to understand if you can relax this to
  +# “no” that will let the operating system flush the output buffer when
  +# it wants, for better performances (but if you can live with the idea of
  +# some data loss consider the default persistence mode that’s snapshotting),
  +# or on the contrary, use “always” that’s very slow but a bit safer than
  +# everysec.
  +#
  +# More details please check the following article:
  +# http://antirez.com/post/redis-persistence-demystified.html
  +#
  +# If unsure, use “everysec”.
  +
  +# appendfsync always
  +appendfsync everysec
  +# appendfsync no
  +
  +# When the AOF fsync policy is set to always or everysec, and a background
  +# saving process (a background save or AOF log background rewriting) is
  +# performing a lot of I/O against the disk, in some Linux configurations
  +# Redis may block too long on the fsync() call. Note that there is no fix for
  +# this currently, as even performing fsync in a different thread will block
  +# our synchronous write(2) call.
  +#
  +# In order to mitigate this problem it’s possible to use the following option
  +# that will prevent fsync() from being called in the main process while a
  +# BGSAVE or BGREWRITEAOF is in progress.
  +#
  +# This means that while another child is saving, the durability of Redis is
  +# the same as “appendfsync none”. In practical terms, this means that it is
  +# possible to lose up to 30 seconds of log in the worst scenario (with the
  +# default Linux settings).
  +#
  +# If you have latency problems turn this to “yes”. Otherwise leave it as
  +# “no” that is the safest pick from the point of view of durability.
  +
  +no-appendfsync-on-rewrite no
  +
  +# Automatic rewrite of the append only file.
  +# Redis is able to automatically rewrite the log file implicitly calling
  +# BGREWRITEAOF when the AOF log size grows by the specified percentage.
  +#
  +# This is how it works: Redis remembers the size of the AOF file after the
  +# latest rewrite (if no rewrite has happened since the restart, the size of
  +# the AOF at startup is used).
  +#
  +# This base size is compared to the current size. If the current size is
  +# bigger than the specified percentage, the rewrite is triggered. Also
  +# you need to specify a minimal size for the AOF file to be rewritten, this
  +# is useful to avoid rewriting the AOF file even if the percentage increase
  +# is reached but it is still pretty small.
  +#
  +# Specify a percentage of zero in order to disable the automatic AOF
  +# rewrite feature.
  +
  +auto-aof-rewrite-percentage 100
  +auto-aof-rewrite-min-size 64mb
  +
  +# An AOF file may be found to be truncated at the end during the Redis
  +# startup process, when the AOF data gets loaded back into memory.
  +# This may happen when the system where Redis is running
  +# crashes, especially when an ext4 filesystem is mounted without the
  +# data=ordered option (however this can’t happen when Redis itself
  +# crashes or aborts but the operating system still works correctly).
  +#
  +# Redis can either exit with an error when this happens, or load as much
  +# data as possible (the default now) and start if the AOF file is found
  +# to be truncated at the end. The following option controls this behavior.
  +#
  +# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
  +# the Redis server starts emitting a log to inform the user of the event.
  +# Otherwise if the option is set to no, the server aborts with an error
  +# and refuses to start. When the option is set to no, the user requires
  +# to fix the AOF file using the “redis-check-aof” utility before to restart
  +# the server.
  +#
  +# Note that if the AOF file will be found to be corrupted in the middle
  +# the server will still exit with an error. This option only applies when
  +# Redis will try to read more data from the AOF file but not enough bytes
  +# will be found.
  +# aof-load-truncated yes
  +
  +################################ LUA SCRIPTING ###############################
  +
  +# Max execution time of a Lua script in milliseconds.
  +#
  +# If the maximum execution time is reached Redis will log that a script is
  +# still in execution after the maximum allowed time and will start to
  +# reply to queries with an error.
  +#
  +# When a long running script exceeds the maximum execution time only the
  +# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
  +# used to stop a script that did not yet called write commands. The second
  +# is the only way to shut down the server in the case a write command was
  +# already issued by the script but the user doesn’t want to wait for the natural
  +# termination of the script.
  +#
  +# Set it to 0 or a negative value for unlimited execution without warnings.
  +lua-time-limit 5000
  +
  +################################ REDIS CLUSTER ###############################
  +#
  +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  +# WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however
  +# in order to mark it as “mature” we need to wait for a non trivial percentage
  +# of users to deploy it in production.
  +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  +#
  +# Normal Redis instances can’t be part of a Redis Cluster; only nodes that are
  +# started as cluster nodes can. In order to start a Redis instance as a
  +# cluster node enable the cluster support uncommenting the following:
  +#
  +# cluster-enabled yes
  +
  +# Every cluster node has a cluster configuration file. This file is not
  +# intended to be edited by hand. It is created and updated by Redis nodes.
  +# Every Redis Cluster node requires a different cluster configuration file.
  +# Make sure that instances running in the same system do not have
  +# overlapping cluster configuration file names.
  +#
  +# cluster-config-file nodes-6379.conf
  +
  +# Cluster node timeout is the amount of milliseconds a node must be unreachable
  +# for it to be considered in failure state.
  +# Most other internal time limits are multiple of the node timeout.
  +#
  +# cluster-node-timeout 15000
  +
  +# A replica of a failing master will avoid to start a failover if its data
  +# looks too old.
  +#
  +# There is no simple way for a replica to actually have a exact measure of
  +# its “data age”, so the following two checks are performed:
  +#
  +# 1) If there are multiple replicas able to failover, they exchange messages
  +# in order to try to give an advantage to the replica with the best
  +# replication offset (more data from the master processed).
  +# replicas will try to get their rank by offset, and apply to the start
  +# of the failover a delay proportional to their rank.
  +#
  +# 2) Every single replica computes the time of the last interaction with
  +# its master. This can be the last ping or command received (if the master
  +# is still in the “connected” state), or the time that elapsed since the
  +# disconnection with the master (if the replication link is currently down).
  +# If the last interaction is too old, the replica will not try to failover
  +# at all.
  +#
  +# The point “2” can be tuned by user. Specifically a replica will not perform
  +# the failover if, since the last interaction with the master, the time
  +# elapsed is greater than:
  +#
  +# (node-timeout * replica-validity-factor) + repl-ping-replica-period
  +#
  +# So for example if node-timeout is 30 seconds, and the replica-validity-factor
  +# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the
  +# replica will not try to failover if it was not able to talk with the master
  +# for longer than 310 seconds.
  +#
  +# A large replica-validity-factor may allow replicas with too old data to failover
  +# a master, while a too small value may prevent the cluster from being able to
  +# elect a replica at all.
  +#
  +# For maximum availability, it is possible to set the replica-validity-factor
  +# to a value of 0, which means, that replicas will always try to failover the
  +# master regardless of the last time they interacted with the master.
  +# (However they’ll always try to apply a delay proportional to their
  +# offset rank).
  +#
  +# Zero is the only value able to guarantee that when all the partitions heal
  +# the cluster will always be able to continue.
  +#
  +# cluster-replica-validity-factor 10
  +
  +# Cluster replicas are able to migrate to orphaned masters, that are masters
  +# that are left without working replicas. This improves the cluster ability
  +# to resist to failures as otherwise an orphaned master can’t be failed over
  +# in case of failure if it has no working replicas.
  +#
  +# replicas migrate to orphaned masters only if there are still at least a
  +# given number of other working replicas for their old master. This number
  +# is the “migration barrier”. A migration barrier of 1 means that a replica
  +# will migrate only if there is at least 1 other working replica for its master
  +# and so forth. It usually reflects the number of replicas you want for every
  +# master in your cluster.
  +#
  +# Default is 1 (replicas migrate only if their masters remain with at least
  +# one replica). To disable migration just set it to a very large value.
  +# A value of 0 can be set but is useful only for debugging and dangerous
  +# in production.
  +#
  +# cluster-migration-barrier 1
  +
  +# By default Redis Cluster nodes stop accepting queries if they detect there
  +# is at least an hash slot uncovered (no available node is serving it).
  +# This way if the cluster is partially down (for example a range of hash slots
  +# are no longer covered) all the cluster becomes, eventually, unavailable.
  +# It automatically returns available as soon as all the slots are covered again.
  +#
  +# However sometimes you want the subset of the cluster which is working,
  +# to continue to accept queries for the part of the key space that is still
  +# covered. In order to do so, just set the cluster-require-full-coverage
  +# option to no.
  +#
  +# cluster-require-full-coverage yes
  +
  +# In order to setup your cluster make sure to read the documentation
  +# available at http://redis.io web site.
  +
  +################################## SLOW LOG ###################################
  +
  +# The Redis Slow Log is a system to log queries that exceeded a specified
  +# execution time. The execution time does not include the I/O operations
  +# like talking with the client, sending the reply and so forth,
  +# but just the time needed to actually execute the command (this is the only
  +# stage of command execution where the thread is blocked and can not serve
  +# other requests in the meantime).
  +#
  +# You can configure the slow log with two parameters: one tells Redis
  +# what is the execution time, in microseconds, to exceed in order for the
  +# command to get logged, and the other parameter is the length of the
  +# slow log. When a new command is logged the oldest one is removed from the
  +# queue of logged commands.
  +
  +# The following time is expressed in microseconds, so 1000000 is equivalent
  +# to one second. Note that a negative number disables the slow log, while
  +# a value of zero forces the logging of every command.
  +slowlog-log-slower-than 10000
  +
  +# There is no limit to this length. Just be aware that it will consume memory.
  +# You can reclaim memory used by the slow log with SLOWLOG RESET.
  +slowlog-max-len 128
  +
  +################################ LATENCY MONITOR ##############################
  +
  +# The Redis latency monitoring subsystem samples different operations
  +# at runtime in order to collect data related to possible sources of
  +# latency of a Redis instance.
  +#
  +# Via the LATENCY command this information is available to the user that can
  +# print graphs and obtain reports.
  +#
  +# The system only logs operations that were performed in a time equal or
  +# greater than the amount of milliseconds specified via the
  +# latency-monitor-threshold configuration directive. When its value is set
  +# to zero, the latency monitor is turned off.
  +#
  +# By default latency monitoring is disabled since it is mostly not needed
  +# if you don’t have latency issues, and collecting data has a performance
  +# impact, that while very small, can be measured under big load. Latency
  +# monitoring can easily be enabled at runtime using the command
  +# “CONFIG SET latency-monitor-threshold ” if needed.
  +# latency-monitor-threshold 0
  +
  +############################# EVENT NOTIFICATION ##############################
  +
  +# Redis can notify Pub/Sub clients about events happening in the key space.
  +# This feature is documented at http://redis.io/topics/notifications
  +#
  +# For instance if keyspace events notification is enabled, and a client
  +# performs a DEL operation on key “foo” stored in the Database 0, two
  +# messages will be published via Pub/Sub:
  +#
  +# PUBLISH keyspace@0:foo del
  +# PUBLISH keyevent@0:del foo
  +#
  +# It is possible to select the events that Redis will notify among a set
  +# of classes. Every class is identified by a single character:
  +#
  +# K Keyspace events, published with keyspace@ prefix.
  +# E Keyevent events, published with keyevent@ prefix.
  +# g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, …
  +# $ String commands
  +# l List commands
  +# s Set commands
  +# h Hash commands
  +# z Sorted set commands
  +# x Expired events (events generated every time a key expires)
  +# e Evicted events (events generated when a key is evicted for maxmemory)
  +# A Alias for g$lshzxe, so that the “AKE” string means all the events.
  +#
  +# The “notify-keyspace-events” takes as argument a string that is composed
  +# of zero or multiple characters. The empty string means that notifications
  +# are disabled.
  +#
  +# Example: to enable list and generic events, from the point of view of the
  +# event name, use:
  +#
  +# notify-keyspace-events Elg
  +#
  +# Example 2: to get the stream of the expired keys subscribing to channel
  +# name keyevent@0:expired use:
  +#
  +# notify-keyspace-events Ex
  +#
  +# By default all notifications are disabled because most users don’t need
  +# this feature and the feature has some overhead. Note that if you don’t
  +# specify at least one of K or E, no events will be delivered.
  +notify-keyspace-events “”
  +
  +############################### ADVANCED CONFIG ###############################
  +
  +# Hashes are encoded using a memory efficient data structure when they have a
  +# small number of entries, and the biggest entry does not exceed a given
  +# threshold. These thresholds can be configured using the following directives.
  +hash-max-ziplist-entries 512
  +hash-max-ziplist-value 64
  +
  +# Lists are also encoded in a special way to save a lot of space.
  +# The number of entries allowed per internal list node can be specified
  +# as a fixed maximum size or a maximum number of elements.
  +# For a fixed maximum size, use -5 through -1, meaning:
  +# -5: max size: 64 Kb <-- not recommended for normal workloads
  +# -4: max size: 32 Kb <-- not recommended
  +# -3: max size: 16 Kb <-- probably not recommended
  +# -2: max size: 8 Kb <-- good
  +# -1: max size: 4 Kb <-- good
  +# Positive numbers mean store up to exactly that number of elements
  +# per list node.
  +# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
  +# but if your use case is unique, adjust the settings as necessary.
  +# list-max-ziplist-size -2
  +
  +# Lists may also be compressed.
  +# Compress depth is the number of quicklist ziplist nodes from each side of
  +# the list to exclude from compression. The head and tail of the list
  +# are always uncompressed for fast push/pop operations. Settings are:
  +# 0: disable all list compression
  +# 1: depth 1 means “don’t start compressing until after 1 node into the list,
  +# going from either the head or tail”
  +# So: [head]->node->node->…->node->[tail]
  +# [head], [tail] will always be uncompressed; inner nodes will compress.
  +# 2: [head]->[next]->node->node->…->node->[prev]->[tail]
  +# 2 here means: don’t compress head or head->next or tail->prev or tail,
  +# but compress all nodes between them.
  +# 3: [head]->[next]->[next]->node->node->…->node->[prev]->[prev]->[tail]
  +# etc.
  +# list-compress-depth 0
  +
  +# Sets have a special encoding in just one case: when a set is composed
  +# of just strings that happen to be integers in radix 10 in the range
  +# of 64 bit signed integers.
  +# The following configuration setting sets the limit in the size of the
  +# set in order to use this special memory saving encoding.
  +set-max-intset-entries 512
  +
  +# Similarly to hashes and lists, sorted sets are also specially encoded in
  +# order to save a lot of space. This encoding is only used when the length and
  +# elements of a sorted set are below the following limits:
  +zset-max-ziplist-entries 128
  +zset-max-ziplist-value 64
  +
  +# HyperLogLog sparse representation bytes limit. The limit includes the
  +# 16 bytes header. When an HyperLogLog using the sparse representation crosses
  +# this limit, it is converted into the dense representation.
  +#
  +# A value greater than 16000 is totally useless, since at that point the
  +# dense representation is more memory efficient.
  +#
  +# The suggested value is ~ 3000 in order to have the benefits of
  +# the space efficient encoding without slowing down too much PFADD,
  +# which is O(N) with the sparse encoding. The value can be raised to
  +# ~ 10000 when CPU is not a concern, but space is, and the data set is
  +# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
  +# hll-sparse-max-bytes 3000
  +
  +# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
  +# order to help rehashing the main Redis hash table (the one mapping top-level
  +# keys to values). The hash table implementation Redis uses (see dict.c)
  +# performs a lazy rehashing: the more operation you run into a hash table
  +# that is rehashing, the more rehashing “steps” are performed, so if the
  +# server is idle the rehashing is never complete and some more memory is used
  +# by the hash table.
  +#
  +# The default is to use this millisecond 10 times every second in order to
  +# actively rehash the main dictionaries, freeing memory when possible.
  +#
  +# If unsure:
  +# use “activerehashing no” if you have hard latency requirements and it is
  +# not a good thing in your environment that Redis can reply from time to time
  +# to queries with 2 milliseconds delay.
  +#
  +# use “activerehashing yes” if you don’t have such hard requirements but
  +# want to free memory asap when possible.
  +activerehashing yes
  +
  +# The client output buffer limits can be used to force disconnection of clients
  +# that are not reading data from the server fast enough for some reason (a
  +# common reason is that a Pub/Sub client can’t consume messages as fast as the
  +# publisher can produce them).
  +#
  +# The limit can be set differently for the three different classes of clients:
  +#
  +# normal -> normal clients including MONITOR clients
  +# replica -> replica clients
  +# pubsub -> clients subscribed to at least one pubsub channel or pattern
  +#
  +# The syntax of every client-output-buffer-limit directive is the following:
  +#
  +# client-output-buffer-limit
  +#
  +# A client is immediately disconnected once the hard limit is reached, or if
  +# the soft limit is reached and remains reached for the specified number of
  +# seconds (continuously).
  +# So for instance if the hard limit is 32 megabytes and the soft limit is
  +# 16 megabytes / 10 seconds, the client will get disconnected immediately
  +# if the size of the output buffers reach 32 megabytes, but will also get
  +# disconnected if the client reaches 16 megabytes and continuously overcomes
  +# the limit for 10 seconds.
  +#
  +# By default normal clients are not limited because they don’t receive data
  +# without asking (in a push way), but just after a request, so only
  +# asynchronous clients may create a scenario where data is requested faster
  +# than it can read.
  +#
  +# Instead there is a default limit for pubsub and replica clients, since
  +# subscribers and replicas receive data in a push fashion.
  +#
  +# Both the hard or the soft limit can be disabled by setting them to zero.
  +client-output-buffer-limit normal 0 0 0
  +client-output-buffer-limit replica 256mb 64mb 60
  +client-output-buffer-limit pubsub 32mb 8mb 60
  +
  +# Redis calls an internal function to perform many background tasks, like
  +# closing connections of clients in timeout, purging expired keys that are
  +# never requested, and so forth.
  +#
  +# Not all tasks are performed with the same frequency, but Redis checks for
  +# tasks to perform according to the specified “hz” value.
  +#
  +# By default “hz” is set to 10. Raising the value will use more CPU when
  +# Redis is idle, but at the same time will make Redis more responsive when
  +# there are many keys expiring at the same time, and timeouts may be
  +# handled with more precision.
  +#
  +# The range is between 1 and 500, however a value over 100 is usually not
  +# a good idea. Most users should use the default of 10 and raise this up to
  +# 100 only in environments where very low latency is required.
  +hz 10
  +
  +# When a child rewrites the AOF file, if the following option is enabled
  +# the file will be fsync-ed every 32 MB of data generated. This is useful
  +# in order to commit the file to the disk more incrementally and avoid
  +# big latency spikes.
  +aof-rewrite-incremental-fsync yes
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘gitlab-redis’
  - restore selinux security context
    Recipe:
- service[redis] action nothing (skipped due to action :nothing)
- runit_service[redis] action enable
  - ruby_block[restart_service] action nothing (skipped due to action :nothing)
  - ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
  - ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/sv/redis] action create
    - create new directory /opt/gitlab/sv/redis
    - change mode from ‘’ to ‘0755’
    - change owner from ‘’ to ‘root’
    - change group from ‘’ to ‘root’
    - restore selinux security context
  - template[/opt/gitlab/sv/redis/run] action create
    - create new file /opt/gitlab/sv/redis/run
    - update content in file /opt/gitlab/sv/redis/run from none to da365d
      — /opt/gitlab/sv/redis/run 2023-05-13 15:44:36.925006250 +0800
      +++ /opt/gitlab/sv/redis/.chef-run20230513-36927-qmw52c 2023-05-13 15:44:36.925006250 +0800
      @@ -1,5 +1,10 @@
      +#!/bin/sh
      +exec 2>&1
    +umask 077
    +exec chpst -P -U gitlab-redis:gitlab-redis -u gitlab-redis:gitlab-redis /opt/gitlab/embedded/bin/redis-server /var/opt/gitlab/redis/redis.conf
    - change mode from ‘’ to ‘0755’
    - change owner from ‘’ to ‘root’
    - change group from ‘’ to ‘root’
    - restore selinux security context
  - directory[/opt/gitlab/sv/redis/log] action create
    - create new directory /opt/gitlab/sv/redis/log
    - change mode from ‘’ to ‘0755’
    - change owner from ‘’ to ‘root’
    - change group from ‘’ to ‘root’
    - restore selinux security context
  - directory[/opt/gitlab/sv/redis/log/main] action create
    - create new directory /opt/gitlab/sv/redis/log/main
    - change mode from ‘’ to ‘0755’
    - change owner from ‘’ to ‘root’
    - change group from ‘’ to ‘root’
    - restore selinux security context
  - template[/opt/gitlab/sv/redis/log/config] action create
    - create new file /opt/gitlab/sv/redis/log/config
    - update content in file /opt/gitlab/sv/redis/log/config from none to 623c00
      — /opt/gitlab/sv/redis/log/config 2023-05-13 15:44:37.022006462 +0800
      +++ /opt/gitlab/sv/redis/log/.chef-config20230513-36927-tqwq11 2023-05-13 15:44:37.022006462 +0800
      @@ -1,6 +1,12 @@
      +s209715200
- file[/opt/gitlab/etc/gitaly/env/SSL_CERT_DIR] action create
  - create new file /opt/gitlab/etc/gitaly/env/SSL_CERT_DIR
  - update content in file /opt/gitlab/etc/gitaly/env/SSL_CERT_DIR from none to 4f45cf
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitaly/env/GITALY_PID_FILE] action create
  - create new file /opt/gitlab/etc/gitaly/env/GITALY_PID_FILE
  - update content in file /opt/gitlab/etc/gitaly/env/GITALY_PID_FILE from none to e82748
  - suppressed sensitive resource
  - restore selinux security context
- file[/opt/gitlab/etc/gitaly/env/WRAPPER_JSON_LOGGING] action create
  - create new file /opt/gitlab/etc/gitaly/env/WRAPPER_JSON_LOGGING
  - update content in file /opt/gitlab/etc/gitaly/env/WRAPPER_JSON_LOGGING from none to b5bea4
  - suppressed sensitive resource
  - restore selinux security context
template[Create Gitaly config.toml] action create
- create new file /var/opt/gitlab/gitaly/config.toml
- update content in file /var/opt/gitlab/gitaly/config.toml from none to 2d31eb
  — /var/opt/gitlab/gitaly/config.toml 2023-05-13 15:44:44.105021918 +0800
  +++ /var/opt/gitlab/gitaly/.chef-config20230513-36927-17dic4t.toml 2023-05-13 15:44:44.105021918 +0800
  @@ -1,55 +1,110 @@
  +# Gitaly configuration file
  +# This file is managed by gitlab-ctl. Manual changes will be
  +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
  +# and run:
  +# sudo gitlab-ctl reconfigure
+socket_path = ‘/var/opt/gitlab/gitaly/gitaly.socket’
+
+internal_socket_dir = ‘/var/opt/gitlab/gitaly/internal_sockets’
+bin_dir = ‘/opt/gitlab/embedded/bin’
+
+
+# Optional: export metrics via Prometheus
+prometheus_listen_addr = ‘localhost:9236’
+
+
+[[storage]]
+name = ‘default’
+path = ‘/var/opt/gitlab/git-data/repositories’
+
+[logging]
+format = ‘json’
+dir = ‘/var/log/gitlab/gitaly’
+
+
+[auth]
+
+[git]
+
+
+[gitaly-ruby]
+dir = “/opt/gitlab/embedded/service/gitaly-ruby”
+rugged_git_config_search_path = “/opt/gitlab/embedded/etc”
- change mode from ‘’ to ‘0640’
- change owner from ‘’ to ‘root’
- change group from ‘’ to ‘git’
- restore selinux security context
service[gitaly] action nothing (skipped due to action :nothing)
runit_service[gitaly] action enable
- ruby_block[restart_service] action nothing (skipped due to action :nothing)
- ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
- ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
- directory[/opt/gitlab/sv/gitaly] action create
  - create new directory /opt/gitlab/sv/gitaly
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- template[/opt/gitlab/sv/gitaly/run] action create
  - create new file /opt/gitlab/sv/gitaly/run
  - update content in file /opt/gitlab/sv/gitaly/run from none to 1a05c2
    — /opt/gitlab/sv/gitaly/run 2023-05-13 15:44:44.187022097 +0800
    +++ /opt/gitlab/sv/gitaly/.chef-run20230513-36927-1fni7ts 2023-05-13 15:44:44.187022097 +0800
    @@ -1,18 +1,36 @@
    +#!/bin/sh
  +# Attempt to change ulimit before the set -e flag, ignore failures
  +ulimit -n 15000
  +
  +set -e # fail on errors
  +
  +# Redirect stderr -> stdout
  +exec 2>&1
  +
  +
  +
  +cd /var/opt/gitlab/gitaly
  +
  +exec chpst -e /opt/gitlab/etc/gitaly/env -P \
  - -U git:git \
  - -u git:git \
  - /opt/gitlab/embedded/bin/gitaly-wrapper /opt/gitlab/embedded/bin/gitaly /var/opt/gitlab/gitaly/config.toml
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- directory[/opt/gitlab/sv/gitaly/log] action create
  - create new directory /opt/gitlab/sv/gitaly/log
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- directory[/opt/gitlab/sv/gitaly/log/main] action create
  - create new directory /opt/gitlab/sv/gitaly/log/main
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- template[/opt/gitlab/sv/gitaly/log/config] action create
  - create new file /opt/gitlab/sv/gitaly/log/config
  - update content in file /opt/gitlab/sv/gitaly/log/config from none to 623c00
    — /opt/gitlab/sv/gitaly/log/config 2023-05-13 15:44:44.280022300 +0800
    +++ /opt/gitlab/sv/gitaly/log/.chef-config20230513-36927-mygt5p 2023-05-13 15:44:44.280022300 +0800
    @@ -1,6 +1,12 @@
    +s209715200
    +n30
    +t86400
    +!gzip
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- ruby_block[verify_chown_persisted_on_gitaly] action create
  - execute the ruby block verify_chown_persisted_on_gitaly
- ruby_block[verify_chown_persisted_on_gitaly] action nothing (skipped due to action :nothing)
- link[/var/log/gitlab/gitaly/config] action create
  - create symlink at /var/log/gitlab/gitaly/config to /opt/gitlab/sv/gitaly/log/config
- template[/opt/gitlab/sv/gitaly/log/run] action create
  - create new file /opt/gitlab/sv/gitaly/log/run
  - update content in file /opt/gitlab/sv/gitaly/log/run from none to fa6dcc
    — /opt/gitlab/sv/gitaly/log/run 2023-05-13 15:44:44.326022400 +0800
    +++ /opt/gitlab/sv/gitaly/log/.chef-run20230513-36927-1qow0cc 2023-05-13 15:44:44.326022400 +0800
    @@ -1,2 +1,4 @@
    +#!/bin/sh
    +exec svlogd /var/log/gitlab/gitaly
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- directory[/opt/gitlab/sv/gitaly/env] action create
  - create new directory /opt/gitlab/sv/gitaly/env
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- ruby_block[Delete unmanaged env files for gitaly service] action run (skipped due to only_if)
- template[/opt/gitlab/sv/gitaly/check] action create (skipped due to only_if)
- template[/opt/gitlab/sv/gitaly/finish] action create (skipped due to only_if)
- directory[/opt/gitlab/sv/gitaly/control] action create
  - create new directory /opt/gitlab/sv/gitaly/control
  - change mode from ‘’ to ‘0755’
  - change owner from ‘’ to ‘root’
  - change group from ‘’ to ‘root’
  - restore selinux security context
- link[/opt/gitlab/init/gitaly] action create
  - create symlink at /opt/gitlab/init/gitaly to /opt/gitlab/embedded/bin/sv
- file[/opt/gitlab/sv/gitaly/down] action nothing (skipped due to action :nothing)
- ruby_block[restart_service] action run (skipped due to only_if)
- ruby_block[reload_log_service] action create
  - ruby_block[restart_service] action nothing (skipped due to action :nothing)
  - ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
  - ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/sv/gitaly] action create (up to date)
  - template[/opt/gitlab/sv/gitaly/run] action create (up to date)
  - directory[/opt/gitlab/sv/gitaly/log] action create (up to date)
  - directory[/opt/gitlab/sv/gitaly/log/main] action create (up to date)
  - template[/opt/gitlab/sv/gitaly/log/config] action create (up to date)
  - ruby_block[verify_chown_persisted_on_gitaly] action nothing (skipped due to action :nothing)
  - link[/var/log/gitlab/gitaly/config] action create (up to date)
  - template[/opt/gitlab/sv/gitaly/log/run] action create (up to date)
  - directory[/opt/gitlab/sv/gitaly/env] action create (up to date)
  - ruby_block[Delete unmanaged env files for gitaly service] action run (skipped due to only_if)
  - template[/opt/gitlab/sv/gitaly/check] action create (skipped due to only_if)
  - template[/opt/gitlab/sv/gitaly/finish] action create (skipped due to only_if)
  - directory[/opt/gitlab/sv/gitaly/control] action create (up to date)
  - link[/opt/gitlab/init/gitaly] action create (up to date)
  - file[/opt/gitlab/sv/gitaly/down] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/service] action create (up to date)
  - link[/opt/gitlab/service/gitaly] action create
    - create symlink at /opt/gitlab/service/gitaly to /opt/gitlab/sv/gitaly
  - ruby_block[wait for gitaly service socket] action run
    - execute the ruby block wait for gitaly service socket
  - execute the ruby block reload_log_service
- ruby_block[restart_log_service] action run
  - ruby_block[restart_service] action nothing (skipped due to action :nothing)
  - ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
  - ruby_block[reload_log_service] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/sv/gitaly] action create (up to date)
  - template[/opt/gitlab/sv/gitaly/run] action create (up to date)
  - directory[/opt/gitlab/sv/gitaly/log] action create (up to date)
  - directory[/opt/gitlab/sv/gitaly/log/main] action create (up to date)
  - template[/opt/gitlab/sv/gitaly/log/config] action create (up to date)
  - ruby_block[verify_chown_persisted_on_gitaly] action nothing (skipped due to action :nothing)
  - link[/var/log/gitlab/gitaly/config] action create (up to date)
  - template[/opt/gitlab/sv/gitaly/log/run] action create (up to date)
  - directory[/opt/gitlab/sv/gitaly/env] action create (up to date)
  - ruby_block[Delete unmanaged env files for gitaly service] action run (skipped due to only_if)
  - template[/opt/gitlab/sv/gitaly/check] action create (skipped due to only_if)
  - template[/opt/gitlab/sv/gitaly/finish] action create (skipped due to only_if)
  - directory[/opt/gitlab/sv/gitaly/control] action create (up to date)
  - link[/opt/gitlab/init/gitaly] action create (up to date)
  - file[/opt/gitlab/sv/gitaly/down] action nothing (skipped due to action :nothing)
  - directory[/opt/gitlab/service] action create (up to date)
  - link[/opt/gitlab/service/gitaly] action create (up to date)
  - ruby_block[wait for gitaly service socket] action run (skipped due to not_if)
  - execute the ruby block restart_log_service
- directory[/opt/gitlab/service] action create (up to date)
- link[/opt/gitlab/service/gitaly] action create (up to date)
- ruby_block[wait for gitaly service socket] action run (skipped due to not_if)
execute[/opt/gitlab/bin/gitlab-ctl start gitaly] action run
[execute] ok: run: gitaly: (pid 39050) 2s
- execute /opt/gitlab/bin/gitlab-ctl start gitaly
version_file[Create version file for Gitaly] action create
- file[/var/opt/gitlab/gitaly/VERSION] action create
  - create new file /var/opt/gitlab/gitaly/VERSION
  - update content in file /var/opt/gitlab/gitaly/VERSION from none to 47c340
    — /var/opt/gitlab/gitaly/VERSION 2023-05-13 15:44:49.267033182 +0800
    +++ /var/opt/gitlab/gitaly/.chef-VERSION20230513-36927-5dnwae 2023-05-13 15:44:49.267033182 +0800
    @@ -1 +1,2 @@
    +Gitaly, version 14.0.3
  - restore selinux security context
version_file[Create Ruby version file for Gitaly] action create
- file[/var/opt/gitlab/gitaly/RUBY_VERSION] action create
  - create new file /var/opt/gitlab/gitaly/RUBY_VERSION
  - update content in file /var/opt/gitlab/gitaly/RUBY_VERSION from none to 22dcc2
    — /var/opt/gitlab/gitaly/RUBY_VERSION 2023-05-13 15:44:49.365033396 +0800
    +++ /var/opt/gitlab/gitaly/.chef-RUBY_VERSION20230513-36927-nmqnya 2023-05-13 15:44:49.365033396 +0800
    @@ -1 +1,2 @@
    +ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux]
  - restore selinux security context
consul_service[gitaly] action delete
- file[/var/opt/gitlab/consul/config.d/gitaly-service.json] action delete (up to date)
  (up to date)
  Recipe: postgresql::bin
ruby_block[check_postgresql_version] action run (skipped due to not_if)
ruby_block[check_postgresql_version_is_deprecated] action run (skipped due to not_if)
ruby_block[Link postgresql bin files to the correct version] action run
- execute the ruby block Link postgresql bin files to the correct version
template[/opt/gitlab/etc/gitlab-psql-rc] action create
- create new file /opt/gitlab/etc/gitlab-psql-rc
- update content in file /opt/gitlab/etc/gitlab-psql-rc from none to b7b8fc
  — /opt/gitlab/etc/gitlab-psql-rc 2023-05-13 15:44:49.529033754 +0800
  +++ /opt/gitlab/etc/.chef-gitlab-psql-rc20230513-36927-1fabz9i 2023-05-13 15:44:49.529033754 +0800
  @@ -1,5 +1,10 @@
  +psql_user=‘gitlab-psql’
  +psql_group=‘gitlab-psql’
  +psql_host=‘/var/opt/gitlab/postgresql’
  +psql_port=‘5432’
  +psql_dbname=‘gitlabhq_production’
- change owner from ‘’ to ‘root’
- change group from ‘’ to ‘root’
- restore selinux security context
  Recipe: postgresql::user
account[Postgresql user and group] action create
- group[Postgresql user and group] action create
  - create group gitlab-psql
- linux_user[Postgresql user and group] action create
  - create user gitlab-psql
directory[/var/opt/gitlab/postgresql] action create
- create new directory /var/opt/gitlab/postgresql
- change mode from ‘’ to ‘0755’
- change owner from ‘’ to ‘gitlab-psql’
- restore selinux security context
file[/var/opt/gitlab/postgresql/.profile] action create
- create new file /var/opt/gitlab/postgresql/.profile
- update content in file /var/opt/gitlab/postgresql/.profile from none to 3b0387
  — /var/opt/gitlab/postgresql/.profile 2023-05-13 15:44:49.692034109 +0800
  +++ /var/opt/gitlab/postgresql/.chef-.profile20230513-36927-lil3mf.profile 2023-05-13 15:44:49.692034109 +0800
  @@ -1 +1,2 @@
  +PATH=/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH
- change mode from ‘’ to ‘0600’
- change owner from ‘’ to ‘gitlab-psql’
- restore selinux security context
  Recipe: postgresql::sysctl
gitlab_sysctl[kernel.shmmax] action create
- directory[create /etc/sysctl.d for kernel.shmmax] action create (up to date)
- file[create /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmmax.conf kernel.shmmax] action create
  - create new file /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmmax.conf
  - update content in file /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmmax.conf from none to 75a195
    — /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmmax.conf 2023-05-13 15:44:49.746034227 +0800
    +++ /opt/gitlab/embedded/etc/.chef-90-omnibus-gitlab-kernel20230513-36927-1i18s9k.shmmax.conf 2023-05-13 15:44:49.745034225 +0800
    @@ -1 +1,2 @@
    +kernel.shmmax = 17179869184
  - restore selinux security context
- link[/etc/sysctl.d/90-omnibus-gitlab-kernel.shmmax.conf] action create
  - create symlink at /etc/sysctl.d/90-omnibus-gitlab-kernel.shmmax.conf to /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmmax.conf
- execute[load sysctl conf kernel.shmmax] action nothing (skipped due to action :nothing)
- execute[load sysctl conf kernel.shmmax] action run
  [execute] kernel.shmmax = 17179869184
  - execute sysctl -e -p /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmmax.conf
gitlab_sysctl[kernel.shmall] action create
- directory[create /etc/sysctl.d for kernel.shmall] action create (up to date)
- file[create /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmall.conf kernel.shmall] action create
  - create new file /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmall.conf
  - update content in file /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmall.conf from none to 6d765d
    — /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmall.conf 2023-05-13 15:44:49.812034371 +0800
    +++ /opt/gitlab/embedded/etc/.chef-90-omnibus-gitlab-kernel20230513-36927-1s1f03w.shmall.conf 2023-05-13 15:44:49.811034369 +0800
    @@ -1 +1,2 @@
    +kernel.shmall = 4194304
  - restore selinux security context
- link[/etc/sysctl.d/90-omnibus-gitlab-kernel.shmall.conf] action create
  - create symlink at /etc/sysctl.d/90-omnibus-gitlab-kernel.shmall.conf to /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmall.conf
- execute[load sysctl conf kernel.shmall] action nothing (skipped due to action :nothing)
- execute[load sysctl conf kernel.shmall] action run
  [execute] kernel.shmall = 4194304
  - execute sysctl -e -p /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.shmall.conf
gitlab_sysctl[kernel.sem] action create
- directory[create /etc/sysctl.d for kernel.sem] action create (up to date)
- file[create /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf kernel.sem] action create
  - create new file /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf
  - update content in file /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf from none to 09a346
    — /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf 2023-05-13 15:44:49.875034509 +0800
    +++ /opt/gitlab/embedded/etc/.chef-90-omnibus-gitlab-kernel20230513-36927-1kllzvz.sem.conf 2023-05-13 15:44:49.874034507 +0800
    @@ -1 +1,2 @@
    +kernel.sem = 250 32000 32 262
  - restore selinux security context
- link[/etc/sysctl.d/90-omnibus-gitlab-kernel.sem.conf] action create
  - create symlink at /etc/sysctl.d/90-omnibus-gitlab-kernel.sem.conf to /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf
- execute[load sysctl conf kernel.sem] action nothing (skipped due to action :nothing)
- execute[load sysctl conf kernel.sem] action run
  [execute] kernel.sem = 250 32000 32 262
  - execute sysctl -e -p /opt/gitlab/embedded/etc/90-omnibus-gitlab-kernel.sem.conf
    -# These are only used in recovery mode.
    +archive_mode = off # allows archiving to be done
  - ```
     # (change requires restart, also requires 'wal_level' of 'hot_standby' OR 'replica')
```
-#restore_command = ‘’ # command to use to restore an archived logfile segment
- ```
                    # placeholders: %p = path of file to restore
```
  - ```
                      #               %f = file name only
```
- ```
                    # e.g. 'cp /mnt/server/archivedir/%f %p'
```
  - ```
                      # (change requires restart)
```
-#archive_cleanup_command = ‘’ # command to execute at every restartpoint
-#recovery_end_command = ‘’ # command to execute at completion of recovery

-# - Recovery Target -

-# Set these only when performing a targeted recovery.

-#recovery_target = ‘’ # ‘immediate’ to end recovery as soon as a
- ```
                           # consistent state is reached
```
  - ```
                      # (change requires restart)
```
-#recovery_target_name = ‘’ # the named restore point to which recovery will proceed
- ```
                    # (change requires restart)
```
  -#recovery_target_time = ‘’ # the time stamp up to which recovery will proceed
  - ```
                      # (change requires restart)
```
-#recovery_target_xid = ‘’ # the transaction ID up to which recovery will proceed
- ```
                    # (change requires restart)
```
  -#recovery_target_lsn = ‘’ # the WAL LSN up to which recovery will proceed
  - ```
                      # (change requires restart)
```
-#recovery_target_inclusive = on # Specifies whether to stop:
- ```
                    # just after the specified recovery target (on)
```
  - ```
                      # just before the recovery target (off)
```
- ```
                    # (change requires restart)
```
  -#recovery_target_timeline = ‘latest’ # ‘current’, ‘latest’, or timeline ID
  - ```
                      # (change requires restart)
```
-#recovery_target_action = ‘pause’ # ‘pause’, ‘promote’, ‘shutdown’
- ```
                    # (change requires restart)
```
  #------------------------------------------------------------------------------
  
  REPLICATION
  
  #------------------------------------------------------------------------------
  
  -# - Sending Servers -
  
  -# Set these on the master and on any standby that will send replication data.
  
  -#max_wal_senders = 10 # max number of walsender processes
  - ```
                      # (change requires restart)
```
-#wal_keep_segments = 0 # in logfile segments; 0 disables
-#wal_sender_timeout = 60s # in milliseconds; 0 disables

-#max_replication_slots = 10 # max number of replication slots
- ```
                    # (change requires restart)
```
  -#track_commit_timestamp = off # collect timestamp of transaction commit
  - ```
                      # (change requires restart)
```
- Master Server -

-# These settings are ignored on a standby server.
+# These settings are ignored on a standby server

-#synchronous_standby_names = ‘’ # standby servers that provide sync rep
- ```
                    # method to choose sync standbys, number of sync standbys,
```
  - ```
                      # and comma-separated list of application_name
```
- ```
                    # from standby(s); '*' = all
```
  -#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
  +max_wal_senders = 0
  - ```
     # (change requires restart)
```
+#wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds
+#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
+#replication_timeout = 60s # in milliseconds; 0 disables
+#synchronous_standby_names = ‘’ # standby servers that provide sync rep
- ```
   # comma-separated list of application_name
```
  - ```
     # from standby(s); '*' = all
```
- Standby Servers -

-# These settings are ignored on a master server.
+# These settings are ignored on a master server

-#primary_conninfo = ‘’ # connection string to sending server
- ```
                            # (change requires restart)
```
  -#primary_slot_name = ‘’ # replication slot on sending server
  - ```
                              # (change requires restart)
```
-#promote_trigger_file = ‘’ # file name whose presence ends recovery
-#hot_standby = on # “off” disallows queries during recovery
- ```
                            # (change requires restart)
```
  -#max_standby_archive_delay = 30s # max delay before canceling queries
  - ```
                              # when reading WAL from archive;
```
- ```
                            # -1 allows indefinite delay
```
  -#max_standby_streaming_delay = 30s # max delay before canceling queries
  - ```
                              # when reading streaming WAL;
```
- ```
                            # -1 allows indefinite delay
```
  -#wal_receiver_status_interval = 10s # send replies at least this often
  - ```
                              # 0 disables
```
-#hot_standby_feedback = off # send info from standby to prevent
- ```
                            # query conflicts
```
  -#wal_receiver_timeout = 60s # time that receiver waits for
  - ```
                              # communication from master
```
- ```
                            # in milliseconds; 0 disables
```
  -#wal_retrieve_retry_interval = 5s # time to wait before retrying to
  - ```
                              # retrieve WAL after a failed attempt
```
-#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
+hot_standby = off
- ```
     # (change requires restart)
```
  +#wal_receiver_status_interval = 10s # send replies at least this often
  - ```
       # 0 disables
```
-# - Subscribers -

-# These settings are ignored on a publisher.

-#max_logical_replication_workers = 4 # taken from max_worker_processes
- ```
                            # (change requires restart)
```
  -#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
  #------------------------------------------------------------------------------
  
  QUERY TUNING
  
  #------------------------------------------------------------------------------
  @@ -350,218 +228,126 @@
  #enable_hashagg = on
  #enable_hashjoin = on
  #enable_indexscan = on
  -#enable_indexonlyscan = on
  #enable_material = on
  #enable_mergejoin = on
  #enable_nestloop = on
  -#enable_parallel_append = on
  #enable_seqscan = on
  #enable_sort = on
  #enable_tidscan = on
  -#enable_partitionwise_join = off
  -#enable_partitionwise_aggregate = off
  -#enable_parallel_hash = on
  -#enable_partition_pruning = on
  
  - Planner Cost Constants -
  
  -#seq_page_cost = 1.0 # measured on an arbitrary scale
  -#random_page_cost = 4.0 # same scale as above
  -#cpu_tuple_cost = 0.01 # same scale as above
  -#cpu_index_tuple_cost = 0.005 # same scale as above
  -#cpu_operator_cost = 0.0025 # same scale as above
  -#parallel_tuple_cost = 0.1 # same scale as above
  -#parallel_setup_cost = 1000.0 # same scale as above
  +#cpu_tuple_cost = 0.01 # same scale as above
  +#cpu_index_tuple_cost = 0.005 # same scale as above
  +#cpu_operator_cost = 0.0025 # same scale as above
  
  -#jit_above_cost = 100000 # perform JIT compilation if available
  - ```
                              # and query more expensive than this;
```
- ```
                            # -1 disables
```
  -#jit_inline_above_cost = 500000 # inline small functions if query is
  - ```
                              # more expensive than this; -1 disables
```
-#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
- ```
                            # query is more expensive than this;
```
  - ```
                              # -1 disables
```
-#min_parallel_table_scan_size = 8MB
-#min_parallel_index_scan_size = 512kB
-#effective_cache_size = 4GB

- Genetic Query Optimizer -

#geqo = on
#geqo_threshold = 12
-#geqo_effort = 5 # range 1-10
-#geqo_pool_size = 0 # selects default based on effort
-#geqo_generations = 0 # selects default based on effort
-#geqo_selection_bias = 2.0 # range 1.5-2.0
-#geqo_seed = 0.0 # range 0.0-1.0
+#geqo_effort = 5 # range 1-10
+#geqo_pool_size = 0 # selects default based on effort
+#geqo_generations = 0 # selects default based on effort
+#geqo_selection_bias = 2.0 # range 1.5-2.0
+#geqo_seed = 0.0 # range 0.0-1.0

- Other Planner Options -

-#default_statistics_target = 100 # range 1-10000
-#constraint_exclusion = partition # on, off, or partition
-#cursor_tuple_fraction = 0.1 # range 0.0-1.0
+#default_statistics_target = 100 # range 1-10000
+#constraint_exclusion = partition # on, off, or partition
+#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
-#join_collapse_limit = 8 # 1 disables collapsing of explicit
- ```
                            # JOIN clauses
```
  -#force_parallel_mode = off
  -#jit = on # allow JIT compilation
  -#plan_cache_mode = auto # auto, force_generic_plan or
  - ```
                              # force_custom_plan
```
+#join_collapse_limit = 8 # 1 disables collapsing of explicit
- ```
     # JOIN clauses
```
  #debug_print_parse = off
  #debug_print_rewritten = off
  #debug_print_plan = off
  #debug_pretty_print = on
  -#log_checkpoints = off
  #log_connections = off
  #log_disconnections = off
  #log_duration = off
  -#log_error_verbosity = default # terse, default, or verbose messages
  +#log_error_verbosity = default # terse, default, or verbose messages
  #log_hostname = off
  -#log_line_prefix = '%m [%p] ’ # special values:
  - ```
                              #   %a = application name
```
- ```
                            #   %u = user name
```
  - ```
                              #   %d = database name
```
- ```
                            #   %r = remote host and port
```
  - ```
                              #   %h = remote host
```
- ```
                            #   %p = process ID
```
  - ```
                              #   %t = timestamp without milliseconds
```
- ```
                            #   %m = timestamp with milliseconds
```
  - ```
                              #   %n = timestamp with milliseconds (as a Unix epoch)
```
- ```
                            #   %i = command tag
```
  - ```
                              #   %e = SQL state
```
- ```
                            #   %c = session ID
```
  - ```
                              #   %l = session line number
```
- ```
                            #   %s = session start timestamp
```
  - ```
                              #   %v = virtual transaction ID
```
- ```
                            #   %x = transaction ID (0 if none)
```
  - ```
                              #   %q = stop here in non-session
```
- ```
                            #        processes
```
  - ```
                              #   %% = '%'
```
- ```
                            # e.g. '<%u%%%d> '
```
  -#log_lock_waits = off # log lock waits >= deadlock_timeout
  -#log_statement = ‘none’ # none, ddl, mod, all
  -#log_replication_commands = off
  -#log_temp_files = -1 # log temporary files equal or larger
  - ```
                              # than the specified size in kilobytes;
```
- ```
                            # -1 disables, 0 logs all temp files
```
  -log_timezone = ‘Asia/Shanghai’
  +#log_lock_waits = off # log lock waits >= deadlock_timeout
  +#log_statement = ‘none’ # none, ddl, mod, all
  +#log_timezone = ‘(defaults to server environment setting)’
  
  -#------------------------------------------------------------------------------
  -# PROCESS TITLE
  -#------------------------------------------------------------------------------
  
  -#cluster_name = ‘’ # added to process titles if nonempty
  - ```
                              # (change requires restart)
```
-#update_process_title = on
#------------------------------------------------------------------------------
-# STATISTICS
+# RUNTIME STATISTICS
#------------------------------------------------------------------------------

-# - Query and Index Statistics Collector -
+# - Query/Index Statistics Collector -

#track_activities = on
#track_counts = on
-#track_io_timing = off
-#track_functions = none # none, pl, all
-#track_activity_query_size = 1024 # (change requires restart)
+#track_functions = none # none, pl, all
+track_activity_query_size = 1024 # (change requires restart)
+#update_process_title = on
#stats_temp_directory = ‘pg_stat_tmp’

-# - Monitoring -
+# - Statistics Monitoring -

#log_parser_stats = off
#log_planner_stats = off
@@ -570,117 +356,53 @@

#------------------------------------------------------------------------------
-# AUTOVACUUM
+# AUTOVACUUM PARAMETERS
#------------------------------------------------------------------------------

-#autovacuum = on # Enable autovacuum subprocess? ‘on’
- ```
                            # requires track_counts to also be on.
```
  -#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
  - ```
                              # their durations, > 0 logs only
```
- ```
                            # actions running at least this number
```
  - ```
                              # of milliseconds.
```
-#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
- ```
                            # (change requires restart)
```
  -#autovacuum_naptime = 1min # time between autovacuum runs
  -#autovacuum_vacuum_threshold = 50 # min number of row updates before
  - ```
                              # vacuum
```
-#autovacuum_analyze_threshold = 50 # min number of row updates before
- ```
                            # analyze
```
  -#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
  -#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
  -#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
  - ```
                              # (change requires restart)
```
-#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
- ```
                            # before forced vacuum
```
  - ```
                              # (change requires restart)
```
-#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
- ```
                            # autovacuum, in milliseconds;
```
  - ```
                              # -1 means use vacuum_cost_delay
```
-#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
- ```
                            # autovacuum, -1 means use
```
  - ```
                              # vacuum_cost_limit
```
+autovacuum_max_workers = 3 # max number of autovacuum subprocesses
- ```
     # (change requires restart)
```
  +autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
  - ```
       # (change requires restart)
```
#------------------------------------------------------------------------------

CLIENT CONNECTION DEFAULTS

#------------------------------------------------------------------------------

-#search_path = ‘“$user”, public’ # schema names
-#row_security = on
-#default_tablespace = ‘’ # a tablespace name, ‘’ uses the default
-#temp_tablespaces = ‘’ # a list of tablespace names, ‘’ uses
- ```
                            # only default tablespace
```
  -#default_table_access_method = ‘heap’
  +#search_path = ‘“$user”,public’ # schema names
  +#default_tablespace = ‘’ # a tablespace name, ‘’ uses the default
  +#temp_tablespaces = ‘’ # a list of tablespace names, ‘’ uses
  - ```
       # only default tablespace
```
#check_function_bodies = on
#default_transaction_isolation = ‘read committed’
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = ‘origin’
-#statement_timeout = 0 # in milliseconds, 0 is disabled
-#lock_timeout = 0 # in milliseconds, 0 is disabled
-#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
-#vacuum_multixact_freeze_min_age = 5000000
-#vacuum_multixact_freeze_table_age = 150000000
-#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
- ```
                                    # before index cleanup, 0 always performs
```
  - ```
                                      # index cleanup
```
-#bytea_output = ‘hex’ # hex, escape
+#bytea_output = ‘hex’ # hex, escape
#xmlbinary = ‘base64’
#xmloption = ‘content’
-#gin_fuzzy_search_limit = 0
-#gin_pending_list_limit = 4MB

- Locale and Formatting -

-datestyle = ‘iso, ymd’
#intervalstyle = ‘postgres’
-timezone = ‘Asia/Shanghai’
+#timezone = ‘(defaults to server environment setting)’
#timezone_abbreviations = ‘Default’ # Select the set of available time zone
- ```
                            # abbreviations.  Currently, there are
```
  - ```
                              #   Default
```
- ```
                            #   Australia (historical usage)
```
  - ```
                              #   India
```
- ```
                            # You can create your own file in
```
  - ```
                              # share/timezonesets/.
```
-#extra_float_digits = 1 # min -15, max 3; any value >0 actually
- ```
                            # selects precise output mode
```
  -#client_encoding = sql_ascii # actually, defaults to database
  - ```
                              # encoding
```
- ```
     # abbreviations.  Currently, there are
```
  - ```
       #   Default
```
- ```
     #   Australia
```
  - ```
       #   India
```
- ```
     # You can create your own file in
```
  - ```
       # share/timezonesets/.
```
+#extra_float_digits = 0 # min -15, max 3
+#client_encoding = sql_ascii # actually, defaults to database
- ```
     # encoding
```
  -# These settings are initialized by initdb, but they can be changed.
  -lc_messages = ‘zh_CN.UTF-8’ # locale for system error message
  - ```
                              # strings
```
-lc_monetary = ‘zh_CN.UTF-8’ # locale for monetary formatting
-lc_numeric = ‘zh_CN.UTF-8’ # locale for number formatting
-lc_time = ‘zh_CN.UTF-8’ # locale for time formatting

-# default configuration for text search
-default_text_search_config = ‘pg_catalog.simple’

-# - Shared Library Preloading -

-#shared_preload_libraries = ‘’ # (change requires restart)
-#local_preload_libraries = ‘’
-#session_preload_libraries = ‘’
-#jit_provider = ‘llvmjit’ # JIT library to use

- Other Defaults -

#dynamic_library_path = ‘$libdir’
+#local_preload_libraries = ‘’

#------------------------------------------------------------------------------
@@ -688,28 +410,27 @@
#------------------------------------------------------------------------------

#deadlock_timeout = 1s
-#max_locks_per_transaction = 64 # min 10
- ```
                            # (change requires restart)
```
  -#max_pred_locks_per_transaction = 64 # min 10
  - ```
                              # (change requires restart)
```
-#max_pred_locks_per_relation = -2 # negative values mean
- ```
                            # (max_pred_locks_per_transaction
```
  - ```
                              #  / -max_pred_locks_per_relation) - 1
```
-#max_pred_locks_per_page = 2 # min 0
+max_locks_per_transaction = 128 # min 10
- ```
     # (change requires restart)
```
  +# Note: Each lock table slot uses ~270 bytes of shared memory, and there are
  +# max_locks_per_transaction * (max_connections + max_prepared_transactions)
  +# lock table slots.
  +#max_pred_locks_per_transaction = 64 # min 10
  - ```
       # (change requires restart)
```
#------------------------------------------------------------------------------
-# VERSION AND PLATFORM COMPATIBILITY
+# VERSION/PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------

- Previous PostgreSQL Versions -

#array_nulls = on
-#backslash_quote = safe_encoding # on, off, or safe_encoding
+#backslash_quote = safe_encoding # on, off, or safe_encoding
+#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
-#operator_precedence_warning = off
#quote_all_identifiers = off
+#sql_inheritance = on
#standard_conforming_strings = on
#synchronize_seqscans = on

@@ -722,30 +443,15 @@

ERROR HANDLING

#------------------------------------------------------------------------------

-#exit_on_error = off # terminate session on any error?
-#restart_after_crash = on # reinitialize after backend crash?
-#data_sync_retry = off # retry or panic on failure to fsync
- ```
                            # data?
```
  - ```
                              # (change requires restart)
```
+#exit_on_error = off # terminate session on any error?
+#restart_after_crash = on # reinitialize after backend crash?

#------------------------------------------------------------------------------
-# CONFIG FILE INCLUDES
-#------------------------------------------------------------------------------

-# These options allow settings to be loaded from files other than the
-# default postgresql.conf. Note that these are directives, not variable
-# assignments, so they can usefully be given more than once.

-#include_dir = ‘…’ # include files ending in ‘.conf’ from
- ```
                            # a directory, e.g., 'conf.d'
```
  -#include_if_exists = ‘…’ # include file only if it exists
  -#include = ‘…’ # include file
  -#------------------------------------------------------------------------------
  
  CUSTOMIZED OPTIONS
  
  #------------------------------------------------------------------------------
  
  -# Add settings for extensions here
  +#custom_variable_classes = ‘’ # list of custom variable class names
  +
  +include ‘runtime.conf’
  - change mode from ‘0600’ to ‘0644’
  - restore selinux security context
- template[/var/opt/gitlab/postgresql/data/runtime.conf] action create
  - create new file /var/opt/gitlab/postgresql/data/runtime.conf
  - update content in file /var/opt/gitlab/postgresql/data/runtime.conf from none to aee97c
    — /var/opt/gitlab/postgresql/data/runtime.conf 2023-05-13 15:44:51.737038572 +0800
    +++ /var/opt/gitlab/postgresql/data/.chef-runtime20230513-36927-3ynupy.conf 2023-05-13 15:44:51.736038570 +0800
    @@ -1,134 +1,268 @@
    +# This file is managed by gitlab-ctl. Manual changes will be
    +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
    +# and run sudo gitlab-ctl reconfigure.
  +# Changing variables in this file should only require a reload of PostgreSQL
  +# As the gitlab-psql user, run:
  +# /opt/gitlab/embedded/bin/pg_ctl reload -D /var/opt/gitlab/postgresql/data
  +work_mem = 16MB # min 64kB
  +maintenance_work_mem = 16MB # 16MB # min 1MB
  +synchronous_commit = on # synchronization level; on, off, or local
  +synchronous_standby_names = ‘’
  +
  +# - Checkpoints -
  +min_wal_size = 80MB
  +max_wal_size = 1GB
  +
  +checkpoint_timeout = 5min # range 30s-1h, default 5min
  +checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0, default 0.5
  +checkpoint_warning = 30s # 0 disables, default 30s
  +
  +# - Logging -
  +log_directory = ‘/var/log/gitlab/postgresql’
  +
  +# - Archiving -
  +archive_command = ‘’ # command to use to archive a logfile segment
  +archive_timeout = 0 # force a logfile segment switch after this
  - ```
     # number of seconds; 0 disables
```
+# - Replication
+wal_keep_segments = 10
+
+max_standby_archive_delay = 30s # max delay before canceling queries
- ```
     # when reading WAL from archive;
```
  - ```
       # -1 allows indefinite delay
```
+max_standby_streaming_delay = 30s # max delay before canceling queries
- ```
     # when reading streaming WAL;
```
  - ```
       # -1 allows indefinite delay
```
+hot_standby_feedback = off # send info from standby to prevent
- ```
     # query conflicts
```
  +# - Planner Cost Constants -
  +#seq_page_cost = 1.0 # measured on an arbitrary scale
  +random_page_cost = 2.0 # same scale as above
  +
  +effective_cache_size = 1751MB # Default 128MB
  +
  +log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
  - ```
       # and their durations, > 0 logs only
```
- ```
     # statements running at least this number
```
  - ```
       # of milliseconds
```
+log_checkpoints = off
+
+log_line_prefix = ‘’ # default ‘’, special values:
- ```
     #   %a = application name
```
  - ```
       #   %u = user name
```
- ```
     #   %d = database name
```
  - ```
       #   %r = remote host and port
```
- ```
     #   %h = remote host
```
  - ```
       #   %p = process ID
```
- ```
     #   %t = timestamp without milliseconds
```
  - ```
       #   %m = timestamp with milliseconds
```
- ```
     #   %i = command tag
```
  - ```
       #   %e = SQL state
```
- ```
     #   %c = session ID
```
  - ```
       #   %l = session line number
```
- ```
     #   %s = session start timestamp
```
  - ```
       #   %v = virtual transaction ID
```
- ```
     #   %x = transaction ID (0 if none)
```
  - ```
       #   %q = stop here in non-session
```
- ```
     #        processes
```
  - ```
       #   %% = '%'
```
+log_temp_files = -1 # log temporary files equal or larger
- ```
     # than the specified size in kilobytes;
```
  - ```
       # -1 disables, 0 logs all temp files
```
+# - Autovacuum parameters -
+autovacuum = on # Enable autovacuum subprocess? ‘on’
- ```
     # requires track_counts to also be on.
```
  +log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
  - ```
       # their durations, > 0 logs only
```
- ```
     # actions running at least this number
```
  - ```
       # of milliseconds.
```
+autovacuum_naptime = 1min # time between autovacuum runs
+autovacuum_vacuum_threshold = 50 # min number of row updates before
- ```
     # vacuum
```
  +autovacuum_analyze_threshold = 50 # min number of row updates before
  - ```
       # analyze
```
+autovacuum_vacuum_scale_factor = 0.02 # fraction of table size before vacuum
+autovacuum_analyze_scale_factor = 0.01 # fraction of table size before analyze
+autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
- ```
     # autovacuum, in milliseconds;
```
  - ```
       # -1 means use vacuum_cost_delay
```
+autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
- ```
     # autovacuum, -1 means use
```
  - ```
       # vacuum_cost_limit
```
+# Parameters for gathering statistics
+default_statistics_target = 1000
+
+# - Client connection timeouts
+statement_timeout = 60000
+
+idle_in_transaction_session_timeout = 60000
+
+# IO settings
+effective_io_concurrency = 1
+track_io_timing = ‘off’
+
+# Parallel worker settings
+max_worker_processes = 8
+max_parallel_workers_per_gather = 0
+
+# Deadlock handling and logging
+deadlock_timeout = ‘5s’
+log_lock_waits = 1
+
+# - Locale and Formatting -
+datestyle = ‘iso, mdy’
+
+# These settings are initialized by initdb, but they can be changed.
+lc_messages = ‘C’ # locale for system error message
- ```
     # strings
```
  +lc_monetary = ‘C’ # locale for monetary formatting
  +lc_numeric = ‘C’ # locale for number formatting
  +lc_time = ‘C’ # locale for time formatting
  +
  +# default configuration for text search
  +default_text_search_config = ‘pg_catalog.english’
  - change mode from ‘’ to ‘0644’
  - change owner from ‘’ to ‘gitlab-psql’
  - restore selinux security context
- template[/var/opt/gitlab/postgresql/data/pg_hba.conf] action create
  - update content in file /var/opt/gitlab/postgresql/data/pg_hba.conf from 98c8d4 to 40e348
    — /var/opt/gitlab/postgresql/data/pg_hba.conf 2023-05-13 15:44:50.126035056 +0800
    +++ /var/opt/gitlab/postgresql/data/.chef-pg_hba20230513-36927-qc415d.conf 2023-05-13 15:44:51.787038681 +0800
    @@ -1,98 +1,74 @@
    +# This file is managed by gitlab-ctl. Manual changes will be
    +# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
    +# and run sudo gitlab-ctl reconfigure.
  PostgreSQL Client Authentication Configuration File
  
  ===================================================
  
  -# Refer to the “Client Authentication” section in the PostgreSQL
  -# documentation for a complete description of this file. A short
  -# synopsis follows.
  +# Refer to the “Client Authentication” section in the
  +# PostgreSQL documentation for a complete description
  +# of this file. A short synopsis follows.
  
  This file controls: which hosts are allowed to connect, how clients
  
  are authenticated, which PostgreSQL user names they can use, which
  
  databases they can access. Records take one of these forms:
  
  -# local DATABASE USER METHOD [OPTIONS]
  -# host DATABASE USER ADDRESS METHOD [OPTIONS]
  -# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
  -# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
  -# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
  -# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
  +# local DATABASE USER METHOD [OPTION]
  +# host DATABASE USER CIDR-ADDRESS METHOD [OPTION]
  +# hostssl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
  +# hostnossl DATABASE USER CIDR-ADDRESS METHOD [OPTION]
  
  (The uppercase items must be replaced by actual values.)
  
  -# The first field is the connection type: “local” is a Unix-domain
  -# socket, “host” is either a plain or SSL-encrypted TCP/IP socket,
  -# “hostssl” is an SSL-encrypted TCP/IP socket, and “hostnossl” is a
  -# non-SSL TCP/IP socket. Similarly, “hostgssenc” uses a
  -# GSSAPI-encrypted TCP/IP socket, while “hostnogssenc” uses a
  -# non-GSSAPI socket.
  +# The first field is the connection type: “local” is a Unix-domain socket,
  +# “host” is either a plain or SSL-encrypted TCP/IP socket, “hostssl” is an
  +# SSL-encrypted TCP/IP socket, and “hostnossl” is a plain TCP/IP socket.
  
  -# DATABASE can be “all”, “sameuser”, “samerole”, “replication”, a
  -# database name, or a comma-separated list thereof. The “all”
  -# keyword does not match “replication”. Access to replication
  -# must be enabled in a separate record (see example below).
  +# DATABASE can be “all”, “sameuser”, “samerole”, a database name, or
  +# a comma-separated list thereof.
  
  -# USER can be “all”, a user name, a group name prefixed with “+”, or a
  -# comma-separated list thereof. In both the DATABASE and USER fields
  -# you can also write a file name prefixed with “@” to include names
  -# from a separate file.
  +# USER can be “all”, a user name, a group name prefixed with “+”, or
  +# a comma-separated list thereof. In both the DATABASE and USER fields
  +# you can also write a file name prefixed with “@” to include names from
  +# a separate file.
  
  -# ADDRESS specifies the set of hosts the record matches. It can be a
  -# host name, or it is made up of an IP address and a CIDR mask that is
  -# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
  -# specifies the number of significant bits in the mask. A host name
  -# that starts with a dot (.) matches a suffix of the actual host name.
  -# Alternatively, you can write an IP address and netmask in separate
  -# columns to specify the set of hosts. Instead of a CIDR-address, you
  -# can write “samehost” to match any of the server’s own IP addresses,
  -# or “samenet” to match any address in any subnet that the server is
  -# directly connected to.
  +# CIDR-ADDRESS specifies the set of hosts the record matches.
  +# It is made up of an IP address and a CIDR mask that is an integer
  +# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
  +# the number of significant bits in the mask. Alternatively, you can write
  +# an IP address and netmask in separate columns to specify the set of hosts.
  
  -# METHOD can be “trust”, “reject”, “md5”, “password”, “scram-sha-256”,
  -# “gss”, “sspi”, “ident”, “peer”, “pam”, “ldap”, “radius” or “cert”.
  -# Note that “password” sends passwords in clear text; “md5” or
  -# “scram-sha-256” are preferred since they send encrypted passwords.
  +# METHOD can be “trust”, “reject”, “md5”, “crypt”, “password”, “gss”, “sspi”,
  +# “krb5”, “ident”, “pam” or “ldap”. Note that “password” sends passwords
  +# in clear text; “md5” is preferred since it sends encrypted passwords.
  
  -# OPTIONS are a set of options for the authentication in the format
  -# NAME=VALUE. The available options depend on the different
  -# authentication methods – refer to the “Client Authentication”
  -# section in the documentation for a list of which options are
  -# available for which authentication methods.
  +# OPTION is the ident map or the name of the PAM service, depending on METHOD.
  
  -# Database and user names containing spaces, commas, quotes and other
  -# special characters must be quoted. Quoting one of the keywords
  -# “all”, “sameuser”, “samerole” or “replication” makes the name lose
  -# its special character, and just match a database or username with
  -# that name.
  +# Database and user names containing spaces, commas, quotes and other special
  +# characters must be quoted. Quoting one of the keywords “all”, “sameuser” or
  +# “samerole” makes the name lose its special character, and just match a
  +# database or username with that name.
  
  -# This file is read on server startup and when the server receives a
  -# SIGHUP signal. If you edit the file on a running system, you have to
  -# SIGHUP the server for the changes to take effect, run “pg_ctl reload”,
  -# or execute “SELECT pg_reload_conf()”.
  -#
  +# This file is read on server startup and when the postmaster receives
  +# a SIGHUP signal. If you edit the file on a running system, you have
  +# to SIGHUP the postmaster for the changes to take effect. You can use
  +# “pg_ctl reload” to do that.
  +
  
  Put your actual configuration here
  
  ----------------------------------
  
  If you want to allow non-local connections, you need to add more
  
  -# “host” records. In that case you will also need to make PostgreSQL
  -# listen on a non-local interface via the listen_addresses
  -# configuration parameter, or via the -i or -h command line switches.
  +# “host” records. In that case you will also need to make PostgreSQL listen
  +# on a non-local interface via the listen_addresses configuration parameter,
  +# or via the -i or -h command line switches.
  +#

Notes:
Default admin account has been configured with following details:
Username: root
Password: You didn’t opt-in to print initial root password to STDOUT.
Password stored to /etc/gitlab/initial_root_password. This file will be cleaned up in first reconfigure run after 24 hours.

NOTE: Because these credentials might be present in your log files in plain text, it is highly recommended to reset the password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

gitlab Reconfigured!

这里开启gitlab 服务
[root@localhost ~]# sudo gitlab-ctl start
ok: run: alertmanager: (pid 44149) 31s
ok: run: gitaly: (pid 43988) 34s
ok: run: gitlab-exporter: (pid 43997) 33s
ok: run: gitlab-workhorse: (pid 43928) 34s
ok: run: grafana: (pid 44179) 30s
ok: run: logrotate: (pid 38721) 234s
ok: run: nginx: (pid 41150) 144s
ok: run: node-exporter: (pid 43962) 34s
ok: run: postgres-exporter: (pid 44158) 30s
ok: run: postgresql: (pid 39386) 215s
ok: run: prometheus: (pid 44020) 32s
ok: run: puma: (pid 40667) 164s
ok: run: redis: (pid 38892) 228s
ok: run: redis-exporter: (pid 43999) 33s
ok: run: sidekiq: (pid 40827) 157s

这里要看防护墙是否放开9000端口，没有要放开

**[root@localhost ~]# firewall-cmd --query-port=9000/tcp
no
[root@localhost ~]# firewall-cmd --add-port=9000/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --query-port=9000/tcp
yes

**查看gitlab初始密码不然没法登陆
[root@localhost ~]# cat /etc/gitlab/initial_root_password **

WARNING: This value is valid only in the following conditions

1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the first time (usually, the first reconfigure run).

2. Password hasn’t been changed manually, either via UI or via command line.

If the password shown here doesn’t work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Password: wCV+vmN5oA/GxtpBNYxZNrIL+prnHpiKhZt+pQD6+L8=

NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.

centos7 安装部署 gitlab-ce-14

第二步： vim /etc/gitlab/gitlab.rb 修改这里：external_url ‘http://192.168.80.13:9000’

1. GitLab app settings

==========================

GitLab settings

Web server settings (note: host is the FQDN, do not include http://)

The maximum time puma can spend on the request. This needs to be smaller than the worker timeout.

Default is 95% of the worker timeout

Uncommment this line below if your ssh host is different from HTTP/HTTPS one

(you’d obviously need to replace ssh.host_example.com with your own host).

Otherwise, ssh host will be set to the host: value above

If your ssh user differs from the system user, you need to specify it here

Set it to an empty string to omit the username from any ssh url altogether

WARNING: See config/application.rb under “Relative url support” for the list of

other files that need to be changed for relative url support

Trusted Proxies

Customize if you have GitLab behind a reverse proxy which is running on a different machine.

Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.

Uncomment and customize if you can’t use the default user to run GitLab (default: ‘git’)

Date & Time settings

Email settings

Uncomment and set to false if you need to disable email sending from GitLab (default: true)

Email address used in the “From” field in mails sent by GitLab

Email SMIME signing settings

Email server smtp settings are in a separate file.

User settings

Default theme

1 - Graphite

2 - Charcoal

3 - Green

4 - Gray

5 - Violet

6 - Blue

Automatic issue closing

If a commit message matches this regular expression, all issues referenced from the matched text will be closed.

This happens when the commit is pushed or merged into the default branch of a project.

When not specified the default issue_closing_pattern as specified below will be used.

Tip: you can test your closing pattern at http://rubular.com

Default project features settings

Webhook settings

Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)

GraphQL Settings

Tells the rails application how long it has to complete a GraphQL request.

We suggest this value to be higher than the database timeout value

and lower than the worker timeout set in puma. (default: 30)

Repository downloads directory

When a user clicks e.g. ‘Download zip’ on a project, a temporary zip file is created in the following directory.

The default is ‘tmp/repositories’ relative to the root of the Rails app.

Impersonation settings

Application settings cache expiry in seconds. (default: 60)

Seat link setting

When disabled the customer instances would not send seat link information via cron service everyday. (default: true)

Print initial root password to stdout during initialization

Reply by email

Allow users to comment on issues and merge requests by replying to notification emails.

For documentation on how to set this up, see https://docs.gitlab.com/ee/administration/reply_by_email.html

The email address including the %{key} placeholder that will be replaced to reference the item being replied to.

The placeholder can be omitted but if present, it must appear in the “user” part of the address (before the @).

Email account username

With third party providers, this is usually the full email address.

With self-hosted email servers, this is usually the user part of the email address.

Email account password

IMAP server host

IMAP server port

Whether the IMAP server uses SSL

Whether the IMAP server uses StartTLS

Inbox configuration (for Microsoft Graph)

The mailbox where incoming mail will end up. Usually “inbox”.

The IDLE command timeout.

file path of internal mail_room JSON logs

Whether to expunge (permanently remove) messages from the mailbox when they are deleted after delivery

Service desk email

Allow users to use a separate service desk address

For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html