Merge tag 'debian/13.2.6-3' into buster-fasttrack

gitlab Debian release 13.2.6-3

debian/changelog

@@ -1,3 +1,26 @@
+gitlab (13.2.6-3) unstable; urgency=medium
+
+  [ Karthik ]
+  * Add puma dependency to debian/control, add puma systemd service, update
+    gitlab service with puma
+
+  [ Pirate Praveen ]
+  * Add gitlab-puma.service as dependency of gitlab.service
+  * Remove unicorn from Gemfile and choose puma
+  * Add puma.rb and use it from gitlab-puma.service
+  * Update minimum version of gitlab-common to use unix socket in gitlab-shell
+  * Remove gitlab-unicorn.service and install gitlab-puma.service
+
+ -- Pirate Praveen <praveen@debian.org>  Thu, 20 Aug 2020 23:23:49 +0530
+
+gitlab (13.2.6-2) unstable; urgency=medium
+
+  * Switch to aws-sdk v3 with upstream patch
+  * Drop phantomjs from autopkgtest dependencies
+  * Add needs-internet restriction to autopkgtest
+
+ -- Pirate Praveen <praveen@debian.org>  Thu, 20 Aug 2020 17:30:32 +0530
+
 gitlab (13.2.6-1+fto10+1) buster-fasttrack; urgency=medium
 
   * Rebuild for buster-fasttrack.

debian/conf/gitlab.target

@@ -8,7 +8,7 @@
 
 [Unit]
 Description=GitLab Service
-Requires=gitlab-unicorn.service gitlab-sidekiq.service gitlab-mailroom.service gitlab-workhorse.service
+Requires=gitlab-puma.service gitlab-sidekiq.service gitlab-mailroom.service gitlab-workhorse.service
 
 [Install]
 WantedBy=multi-user.target

debian/conf/puma.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+# Load "path" as a rackup file.
+#
+# The default is "config.ru".
+#
+rackup 'config.ru'
+pidfile "#{ENV['gitlab_pid_path']}/puma.pid"
+state_path "#{ENV['gitlab_pid_path']}/puma.state"
+
+stdout_redirect File.join(ENV['gitlab_log_dir'],"puma.stdout.log"),
+  File.join(ENV['gitlab_log_dir'],"puma.stderr.log"),
+  true
+
+# Configure "min" to be the minimum number of threads to use to answer
+# requests and "max" the maximum.
+#
+# The default is "0, 16".
+#
+threads 1, 16
+
+# By default, workers accept all requests and queue them to pass to handlers.
+# When false, workers accept the number of simultaneous requests configured.
+#
+# Queueing requests generally improves performance, but can cause deadlocks if
+# the app is waiting on a request to itself. See https://github.com/puma/puma/issues/612
+#
+# When set to false this may require a reverse proxy to handle slow clients and
+# queue requests before they reach puma. This is due to disabling HTTP keepalive
+queue_requests false
+
+# Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
+# accepted protocols.
+bind "unix://#{ENV['gitlab_pid_path']}/gitlab.socket"
+
+workers 3
+
+require_relative "#{ENV['gitlab_app_root']}/lib/gitlab/cluster/lifecycle_events"
+require_relative "#{ENV['gitlab_app_root']}/lib/gitlab/cluster/puma_worker_killer_initializer"
+
+on_restart do
+  # Signal application hooks that we're about to restart
+  Gitlab::Cluster::LifecycleEvents.do_before_master_restart
+end
+
+before_fork do
+  # Signal to the puma killer
+  Gitlab::Cluster::PumaWorkerKillerInitializer.start @config.options unless ENV['DISABLE_PUMA_WORKER_KILLER']
+
+  # Signal application hooks that we're about to fork
+  Gitlab::Cluster::LifecycleEvents.do_before_fork
+end
+
+Gitlab::Cluster::LifecycleEvents.set_puma_options @config.options
+on_worker_boot do
+  # Signal application hooks of worker start
+  Gitlab::Cluster::LifecycleEvents.do_worker_start
+end
+
+# Preload the application before starting the workers; this conflicts with
+# phased restart feature. (off by default)
+preload_app!
+
+tag 'gitlab-puma-worker'
+
+# Verifies that all workers have checked in to the master process within
+# the given timeout. If not the worker process will be restarted. Default
+# value is 60 seconds.
+#
+worker_timeout 60
+
+# Use json formatter
+require_relative "#{ENV['gitlab_app_root']}/lib/gitlab/puma_logging/json_formatter"
+
+json_formatter = Gitlab::PumaLogging::JSONFormatter.new
+log_formatter do |str|
+  json_formatter.call(str)
+end

debian/conf/unicorn.rb

@@ -1,126 +0,0 @@
-# Sample verbose configuration file for Unicorn (not Rack)
-#
-# This configuration file documents many features of Unicorn
-# that may not be needed for some applications. See
-# http://unicorn.bogomips.org/examples/unicorn.conf.minimal.rb
-# for a much simpler configuration file.
-#
-# See http://unicorn.bogomips.org/Unicorn/Configurator.html for complete
-# documentation.
-
-# Note: If you change this file in a Merge Request, please also create a
-# Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
-#
-# WARNING: See config/application.rb under "Relative url support" for the list of
-# other files that need to be changed for relative url support
-#
-# ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
-
-# Read about unicorn workers here:
-# http://doc.gitlab.com/ee/install/requirements.html#unicorn-workers
-#
-worker_processes 3
-
-# Since Unicorn is never exposed to outside clients, it does not need to
-# run on the standard HTTP port (80), there is no reason to start Unicorn
-# as root unless it's from system init scripts.
-# If running the master process as root and the workers as an unprivileged
-# user, do this to switch euid/egid in the workers (also chowns logs):
-# user "unprivileged_user", "unprivileged_group"
-
-# Help ensure your application will always spawn in the symlinked
-# "current" directory that Capistrano sets up.
-working_directory ENV['gitlab_app_root'] # available in 0.94.0+
-
-# Listen on both a Unix domain socket and a TCP port.
-# If you are load-balancing multiple Unicorn masters, lower the backlog
-# setting to e.g. 64 for faster failover.
-listen "#{ENV['gitlab_pid_path']}/gitlab.socket", :backlog => 1024
-listen "127.0.0.1:8080", :tcp_nopush => true
-
-# nuke workers after 30 seconds instead of 60 seconds (the default)
-#
-# NOTICE: git push over http depends on this value.
-# If you want be able to push huge amount of data to git repository over http
-# you will have to increase this value too.
-#
-# Example of output if you try to push 1GB repo to GitLab over http.
-#   -> git push http://gitlab.... master
-#
-#   error: RPC failed; result=18, HTTP code = 200
-#   fatal: The remote end hung up unexpectedly
-#   fatal: The remote end hung up unexpectedly
-#
-# For more information see http://stackoverflow.com/a/21682112/752049
-#
-timeout 60
-
-# feel free to point this anywhere accessible on the filesystem
-pid "#{ENV['gitlab_pid_path']}/unicorn.pid"
-
-# By default, the Unicorn logger will write to stderr.
-# Additionally, some applications/frameworks log to stderr or stdout,
-# so prevent them from going to /dev/null when daemonized here:
-stderr_path File.join(ENV['gitlab_log_dir'],"unicorn.stderr.log")
-stdout_path File.join(ENV['gitlab_log_dir'],"unicorn.stdout.log")
-
-# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings
-# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
-preload_app true
-GC.respond_to?(:copy_on_write_friendly=) and
-  GC.copy_on_write_friendly = true
-
-# Enable this flag to have unicorn test client connections by writing the
-# beginning of the HTTP headers before calling the application.  This
-# prevents calling the application for connections that have disconnected
-# while queued.  This is only guaranteed to detect clients on the same
-# host unicorn runs on, and unlikely to detect disconnects even on a
-# fast LAN.
-check_client_connection false
-
-before_fork do |server, worker|
-  # the following is highly recomended for Rails + "preload_app true"
-  # as there's no need for the master process to hold a connection
-  defined?(ActiveRecord::Base) and
-    ActiveRecord::Base.connection.disconnect!
-
-  # The following is only recommended for memory/DB-constrained
-  # installations.  It is not needed if your system can house
-  # twice as many worker_processes as you have configured.
-  #
-  # This allows a new master process to incrementally
-  # phase out the old master process with SIGTTOU to avoid a
-  # thundering herd (especially in the "preload_app false" case)
-  # when doing a transparent upgrade.  The last worker spawned
-  # will then kill off the old master process with a SIGQUIT.
-  old_pid = "#{server.config[:pid]}.oldbin"
-  if old_pid != server.pid
-    begin
-      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
-      Process.kill(sig, File.read(old_pid).to_i)
-    rescue Errno::ENOENT, Errno::ESRCH
-    end
-  end
-  #
-  # Throttle the master from forking too quickly by sleeping.  Due
-  # to the implementation of standard Unix signal handlers, this
-  # helps (but does not completely) prevent identical, repeated signals
-  # from being lost when the receiving process is busy.
-  # sleep 1
-end
-
-after_fork do |server, worker|
-  # per-process listener ports for debugging/admin/migrations
-  # addr = "127.0.0.1:#{9293 + worker.nr}"
-  # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true)
-
-  # the following is *required* for Rails + "preload_app true",
-  defined?(ActiveRecord::Base) and
-    ActiveRecord::Base.establish_connection
-
-  # if preload_app is true, then you may also want to check and
-  # restart any other shared sockets/descriptors such as Memcached,
-  # and Redis.  TokyoCabinet file handles are safe to reuse
-  # between any number of forked children (assuming your kernel
-  # correctly implements pread()/pwrite() system calls)
-end

debian/control

@@ -19,7 +19,7 @@ Section: contrib/net
 Architecture: all
 XB-Ruby-Versions: ${ruby:Versions}
 Depends: ${shlibs:Depends}, ${misc:Depends},
- gitlab-common (>= 13.2~),
+ gitlab-common (>= 13.2.1+dfsg-3~),
  ruby (>= 1:2.7~),
    rubygems-integration (>= 1.17.1~),
  lsb-base (>= 3.0-6),
@@ -134,8 +134,10 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-elasticsearch (>= 5.0.3~),
 # ruby-elasticsearch-rails (>= 0.1.9~), embedded
  ruby-elasticsearch-api (>= 6.8~),
- ruby-aws-sdk (>= 2.9.32-2~),
-# ruby-faraday-middleware-aws-signers-v4, embedded
+ ruby-aws-sdk-core (>= 3.0~),
+ ruby-aws-sdk-cloudformation (>= 1.0~),
+ ruby-aws-sdk-s3 (>= 1.0~),
+ ruby-faraday-middleware-aws-sigv4,
 # Markdown and HTML processing
  ruby-html-pipeline (>= 2.12~),
  ruby-task-list (>= 2.3.1~),
@@ -161,14 +163,10 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-diffy (>= 3.3~),
  ruby-diff-match-patch (>= 0.1~),
 # Application server
-# The 2.0.6 version of rack requires monkeypatch to be present in
-# `config.ru`. This can be removed once a new update for Rack
-# is available that contains https://github.com/rack/rack/pull/1201
  ruby-rack (>= 2.1~),
  ruby-rack-timeout (>= 0.5.1~),
- unicorn (>= 5.5~),
-   ruby-kgio (>= 2.11.2~),
- ruby-unicorn-worker-killer (>= 0.4.4-2~),
+ puma (>= 4.0~),
+ ruby-puma-worker-killer,
 # State machine
  ruby-state-machines-activerecord (>= 0.6~),
    ruby-state-machines-activemodel (>= 0.7.1~),

debian/gitlab.gitlab-mailroom.service

@@ -1,11 +1,11 @@
 [Unit]
 Description=Gitlab mailroom Worker
 PartOf=gitlab.target
-Requires=gitlab-unicorn.service
-Wants=gitlab-unicorn.service
-After=gitlab-unicorn.service
+Requires=gitlab-puma.service
+Wants=gitlab-puma.service
+After=gitlab-puma.service
 PartOf=gitlab.service
-ReloadPropagatedFrom=gitlab-unicorn.service
+ReloadPropagatedFrom=gitlab-puma.service
 
 [Service]
 Type=simple

debian/gitlab.gitlab-puma.service

@@ -1,19 +1,20 @@
 [Unit]
-Description=GitLab Unicorn Server
+Description=GitLab Puma Server
 PartOf=gitlab.target
 Requires=redis-server.service
 Wants=postgresql.service
 After=redis-server.service postgresql.service
 PartOf=gitlab.service
 ReloadPropagatedFrom=gitlab.service
+Conflicts=gitlab-unicorn.service
 
 [Service]
 Type=simple
 WorkingDirectory=/usr/share/gitlab
 EnvironmentFile=/etc/gitlab/gitlab-debian.conf
 EnvironmentFile=-/etc/default/gitlab
-SyslogIdentifier=gitlab-unicorn
-ExecStart=/usr/bin/bundle exec unicorn_rails -c config/unicorn.rb -E $RAILS_ENV
+SyslogIdentifier=gitlab-puma
+ExecStart=/usr/bin/bundle exec puma -C config/puma.rb -e $RAILS_ENV
 ExecReload=/bin/kill -USR2 $MAINPID
 Restart=on-abnormal
 

debian/gitlab.gitlab-workhorse.service

@@ -1,11 +1,11 @@
 [Unit]
 Description=Gitlab Workhorse handles slow HTTP requests for Gitlab.
 PartOf=gitlab.target
-Requires=gitlab-unicorn.service
-Wants=gitlab-unicorn.service
-After=gitlab-unicorn.service
+Requires=gitlab-puma.service
+Wants=gitlab-puma.service
+After=gitlab-puma.service
 PartOf=gitlab.service
-ReloadPropagatedFrom=gitlab-unicorn.service
+ReloadPropagatedFrom=gitlab-puma.service
 
 [Service]
 Type=simple

debian/gitlab.install

@@ -1,5 +1,5 @@
 debian/conf/gitlab etc/default
-debian/conf/unicorn.rb etc/gitlab
+debian/conf/puma.rb etc/gitlab
 debian/conf/database.yml etc/gitlab
 debian/conf/gitlab.yml.example usr/lib/gitlab/templates
 debian/conf/resque.yml etc/gitlab
@@ -67,4 +67,3 @@ public var/lib/gitlab
 db var/lib/gitlab
 elasticsearch-model usr/share/gitlab/vendor/gems
 elasticsearch-rails usr/share/gitlab/vendor/gems
-faraday-middleware-aws-signers-v4 usr/share/gitlab/vendor/gems

debian/gitlab.postinst

@@ -260,7 +260,7 @@ case "$1" in
     fi
 
       # Override User for systemd services
-      for service in mailroom unicorn sidekiq workhorse; do
+      for service in mailroom puma sidekiq workhorse; do
         path=/etc/systemd/system/gitlab-${service}.service.d
         mkdir -p $path
         if [ -e $path/override.conf ]; then

debian/gitlab.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=GitLab Services
-BindsTo=gitlab-unicorn.service gitlab-sidekiq.service gitlab-mailroom.service gitlab-workhorse.service
-After=gitlab-unicorn.service gitlab-sidekiq.service gitlab-mailroom.service gitlab-workhorse.service
+BindsTo=gitlab-puma.service gitlab-sidekiq.service gitlab-mailroom.service gitlab-workhorse.service
+After=gitlab-puma.service gitlab-sidekiq.service gitlab-mailroom.service gitlab-workhorse.service
 
 [Service]
 Type=idle

debian/patches/0440-remove-puma.patch

@@ -1,16 +0,0 @@
-We are using unicorn so don't need puma
-
---- a/Gemfile
-+++ b/Gemfile
-@@ -172,11 +172,6 @@
-   gem 'unicorn-worker-killer', '~> 0.4.4'
- end
- 
--group :puma do
--  gem 'gitlab-puma', '~> 4.3.3.gitlab.2', require: false
--  gem 'gitlab-puma_worker_killer', '~> 0.1.1.gitlab.1', require: false
--end
--
- # State machine
- gem 'state_machines-activerecord', '~> 0.6.0'
- 

debian/patches/0440-remove-unicorn.patch

@@ -0,0 +1,22 @@
+puma is default from gitlab 12.9 and unicorn will be removed from 14.0
+gitlab-puma changes is included in puma package.
+
+--- a/Gemfile
++++ b/Gemfile
+@@ -167,14 +167,9 @@
+ # https://github.com/sharpstone/rack-timeout/blob/master/README.md#rails-apps-manually
+ gem 'rack-timeout', '~> 0.5.1', require: 'rack/timeout/base'
+ 
+-group :unicorn do
+-  gem 'unicorn', '~> 5.5'
+-  gem 'unicorn-worker-killer', '~> 0.4.4'
+-end
+-
+ group :puma do
+-  gem 'gitlab-puma', '~> 4.3.3.gitlab.2', require: false
+-  gem 'gitlab-puma_worker_killer', '~> 0.1.1.gitlab.1', require: false
++  gem 'puma', '~> 4.3.3', require: false
++  gem 'puma_worker_killer', '~> 0.1.1', require: false
+ end
+ 
+ # State machine

debian/patches/0791-aws-sdk-v3.patch

@@ -0,0 +1,85 @@
+--- a/Gemfile
++++ b/Gemfile
+@@ -129,8 +129,10 @@
+ gem 'elasticsearch-model', '~> 6.1', path: 'vendor/gems/elasticsearch-model'
+ gem 'elasticsearch-rails', '~> 6.1', require: 'elasticsearch/rails/instrumentation', path: 'vendor/gems/elasticsearch-rails'
+ gem 'elasticsearch-api',   '~> 6.8'
+-gem 'aws-sdk'
+-gem 'faraday_middleware-aws-signers-v4', path: 'vendor/gems/faraday-middleware-aws-signers-v4'
++gem 'aws-sdk-core', '~> 3'
++gem 'aws-sdk-cloudformation', '~> 1'
++gem 'aws-sdk-s3', '~> 1'
++gem 'faraday_middleware-aws-sigv4', '~> 0.3.0'
+ 
+ # Markdown and HTML processing
+ gem 'html-pipeline', '~> 2.12'
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -93,16 +93,25 @@
+       encryptor (~> 3.0.0)
+     attr_required (1.0.1)
+     awesome_print (1.8.0)
+-    aws-eventstream (1.0.3)
+-    aws-sdk (2.11.374)
+-      aws-sdk-resources (= 2.11.374)
+-    aws-sdk-core (2.11.374)
+-      aws-sigv4 (~> 1.0)
++    aws-eventstream (1.1.0)
++    aws-partitions (1.345.0)
++    aws-sdk-cloudformation (1.41.0)
++      aws-sdk-core (~> 3, >= 3.99.0)
++      aws-sigv4 (~> 1.1)
++    aws-sdk-core (3.104.3)
++      aws-eventstream (~> 1, >= 1.0.2)
++      aws-partitions (~> 1, >= 1.239.0)
++      aws-sigv4 (~> 1.1)
+       jmespath (~> 1.0)
+-    aws-sdk-resources (2.11.374)
+-      aws-sdk-core (= 2.11.374)
+-    aws-sigv4 (1.1.0)
+-      aws-eventstream (~> 1.0, >= 1.0.2)
++    aws-sdk-kms (1.36.0)
++      aws-sdk-core (~> 3, >= 3.99.0)
++      aws-sigv4 (~> 1.1)
++    aws-sdk-s3 (1.75.0)
++      aws-sdk-core (~> 3, >= 3.104.1)
++      aws-sdk-kms (~> 1)
++      aws-sigv4 (~> 1.1)
++    aws-sigv4 (1.2.1)
++      aws-eventstream (~> 1, >= 1.0.2)
+     babosa (1.0.2)
+     base32 (0.3.2)
+     batch-loader (1.4.0)
+@@ -306,9 +315,9 @@
+       faraday (~> 0.8)
+     faraday_middleware (0.14.0)
+       faraday (>= 0.7.4, < 1.0)
+-    faraday_middleware-aws-signers-v4 (0.1.7)
+-      aws-sdk-resources (~> 2)
+-      faraday (~> 0.9)
++    faraday_middleware-aws-sigv4 (0.3.0)
++      aws-sigv4 (~> 1.0)
++      faraday (>= 0.15)
+     faraday_middleware-multi_json (0.0.6)
+       faraday_middleware
+       multi_json
+@@ -1183,7 +1192,9 @@
+   atlassian-jwt (~> 0.2.0)
+   attr_encrypted (~> 3.1.0)
+   awesome_print
+-  aws-sdk
++  aws-sdk-cloudformation (~> 1)
++  aws-sdk-core (~> 3)
++  aws-sdk-s3 (~> 1)
+   babosa (~> 1.0.2)
+   base32 (~> 0.3.0)
+   batch-loader (~> 1.4.0)
+@@ -1230,7 +1241,7 @@
+   escape_utils (~> 1.1)
+   factory_bot_rails (~> 5.1.0)
+   faraday (~> 0.12)
+-  faraday_middleware-aws-signers-v4
++  faraday_middleware-aws-sigv4 (~> 0.3.0)
+   fast_blank
+   ffaker (~> 2.10)
+   flipper (~> 0.17.1)

debian/patches/series

@@ -5,7 +5,7 @@
 0350-relax-rdoc.patch
 0350-relax-method-source.patch
 0430-remove-gitlab-markup.patch
-0440-remove-puma.patch
+0440-remove-unicorn.patch
 0480-embed-elasticsearch-model.patch
 0480-embed-elasticsearch-rails.patch
 0480-embed-faraday-middleware-aws-signers-v4.patch
@@ -27,3 +27,4 @@
 0740-use-packaged-modules.patch
 0750-fix-relative-paths.patch
 0790-protobuf-compat.patch
+0791-aws-sdk-v3.patch

debian/rules

@@ -19,7 +19,7 @@ override_dh_install:
 
 override_dh_installinit:
 	dh_installinit --no-start -p gitlab --name=gitlab-sidekiq
-	dh_installinit --no-start -p gitlab --name=gitlab-unicorn
+	dh_installinit --no-start -p gitlab --name=gitlab-puma
 	dh_installinit --no-start -p gitlab --name=gitlab-mailroom
 	dh_installinit --no-start -p gitlab --name=gitlab-workhorse
 	dh_installinit

debian/tests/control

@@ -10,7 +10,6 @@ Depends: @,
   ruby-sqlite3,
 # For building gitlab-shell
   golang-any,
-  phantomjs,
 # Dependencies in test group
   ruby-fuubar (>= 2.2~),
   ruby-rspec-retry (>= 0.6.1~),
@@ -27,4 +26,4 @@ Depends: @,
   ruby-rspec-rails (>= 4.0~beta3~),
   ruby-spring (>= 2.0~),
   ruby-simplecov
-Restrictions: needs-root
+Restrictions: needs-root, needs-internet

debian/watch

@@ -10,9 +10,6 @@ https://gemwatch.debian.net/elasticsearch-model .*/elasticsearch-model-(6.1.*).t
 opts="pgpmode=none,component=elasticsearch-rails" \
 https://gemwatch.debian.net/elasticsearch-rails .*/elasticsearch-rails-(6.1.*).tar.gz ignore
 
-opts="pgpmode=none,component=faraday-middleware-aws-signers-v4" \
-https://gemwatch.debian.net/faraday_middleware-aws-signers-v4 .*/faraday_middleware-aws-signers-v4-(0.1.*).tar.gz ignore
-
 opts="pgpmode=none,component=snowplow-javascript-tracker,\
 filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/snowplow-javascript-tracker-\$1\.tar\.gz/" \
 https://github.com/snowplow/snowplow-javascript-tracker/tags?after=2.11.0-rc3 .*/v?(2.10.0)\.tar\.gz ignore