Repository files navigation

• Introduction
  • Changelog
• Contributing
• Team
• Issues
• Announcements
• Prerequisites
• Installation
• Quick Start
• Configuration
  • Data Store
  • Database
    • PostgreSQL (Recommended)
      • External PostgreSQL Server
      • Linking to PostgreSQL Container
      • Upgrading PostgreSQL
  • Redis
    • Internal Redis Server
    • External Redis Server
    • Linking to Redis Container
  • Mail
    • Reply by email
  • SSL
    • Generation of a Self Signed Certificate
    • Strengthening the server security
    • Installation of the SSL Certificates
    • Enabling HTTPS support
    • Configuring HSTS
    • Using HTTPS with a load balancer
    • Establishing trust with your server
    • Installing Trusted SSL Server Certificates
  • Deploy to a subdirectory (relative url root)
  • OmniAuth Integration
    • CAS3
    • Authentiq
    • Google
    • Twitter
    • GitHub
    • GitLab
    • BitBucket
    • SAML
    • Crowd
    • Microsoft Azure
    • Generic OAuth2
    • OpenID Connect
    • JWT
  • Gitlab Pages
  • External Issue Trackers
  • Host UID / GID Mapping
  • Piwik
  • Feature flags
  • Exposing ssh port in dockerized gitlab-ce
  • Available Configuration Parameters
• Maintenance
  • Creating Backups
  • Restoring Backups
  • Automated Backups
  • Amazon Web Services (AWS) Remote Backups
  • Google Cloud Storage (GCS) Remote Backups
  • Rake Tasks
  • Import Repositories
  • Upgrading
  • Shell Access
• Monitoring
  • Health Check
• Container Registry
• Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry
• References

Dockerfile to build aGitLab image for theDocker open source container platform.

GitLab CE is set up in the Docker image using theinstall from source method as documented in the official GitLab documentation.

For other methods to install GitLab please refer to theOfficial GitLab Installation Guide which includes aGitLab image for Docker.

If you find this image useful here's how you can help:

• Send a Pull Request with your awesome new features and bug fixes
• Be a part of the community and help resolveIssues
• Support the development of this image with adonation

• Niclas Mietz (solidnerd)
• Sameer Naik (sameersbn)

SeeContributors for the complete list developers that have contributed to this project.

Docker is actively being developed and tested by a thriving community of developers and testers and every release of Docker features many enhancements and bugfixes.

Given the nature of the development and release cycle it is very important that you have the latest version of Docker installed because any issue that you encounter might have already been fixed with a newer Docker release.

Install the most recent version of the Docker Engine for your platform using theofficial Docker releases, which can also be installed using:

wget -qO- https://get.docker.com/| sh

Fedora and RHEL/CentOS users should try disabling selinux withsetenforce 0 and check if resolves the issue. If it does than there is not much that I can help you with. You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu.

You may also setDEBUG=true to enable debugging of the entrypoint script, which could help you pinpoint any configuration issues.

If using the latest docker version and/or disabling selinux does not fix the issue then please file an issue request on theissues page.

In your issue report please make sure you provide the following information:

• The host distribution and release version.
• Output of thedocker version command
• Output of thedocker info command
• Thedocker run command you used to run the image (mask out the sensitive bits).

Your docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLabhardware requirements documentation for additional information.

Automated builds of the image are available onDockerhub and is the recommended method of installation.

docker pull sameersbn/gitlab:18.2.0

You can also pull thelatest tag which is built from the repositoryHEAD

docker pull sameersbn/gitlab:latest

Alternatively you can build the image locally.

docker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab

The quickest way to get started is usingdocker-compose.

wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml

Generate random strings that are at least64 characters long for each ofGITLAB_SECRETS_OTP_KEY_BASE,GITLAB_SECRETS_DB_KEY_BASE,GITLAB_SECRETS_SECRET_KEY_BASE,GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE. These values are used for the following:

• GITLAB_SECRETS_OTP_KEY_BASE is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.
• GITLAB_SECRETS_DB_KEY_BASE is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.
• GITLAB_SECRETS_SECRET_KEY_BASE is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.
• GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE is used for reading settings from encrypted files such as SMTP or LDAP credentials.

Tip: You can generate a random string usingpwgen -Bsv1 64 and assign it as the value ofGITLAB_SECRETS_DB_KEY_BASE.

Also generate random strings that are typically32 characters long for each of:

• GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
• GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
• GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT

These values are used forActiveRecord::Encryption encrypted columns. Details can be found underActive Record Encryption.

Start GitLab using:

docker-compose up

Alternatively, you can manually launch thegitlab container and the supportingpostgresql andredis containers by following this three step guide.

Step 1. Launch a postgresql container

docker run --name gitlab-postgresql -d \    --env'DB_NAME=gitlabhq_production' \    --env'DB_USER=gitlab' --env'DB_PASS=password' \    --env'DB_EXTENSION=pg_trgm,btree_gist' \    --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \    kkimurak/sameersbn-postgresql:16

Step 2. Launch a redis container

docker run --name gitlab-redis -d \    --volume /srv/docker/gitlab/redis:/data \    redis:7

Step 3. Launch the gitlab container

docker run --name gitlab -d \    --link gitlab-postgresql:postgresql --link gitlab-redis:redisio \    --publish 10022:22 --publish 10080:80 \    --env'GITLAB_PORT=10080' --env'GITLAB_SSH_PORT=10022' \    --env'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \    --env'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \    --env'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \    --env'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \    --env'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alpha-numeric-string"]' \    --env'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \    --env'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

Please refer toAvailable Configuration Parameters to understandGITLAB_PORT and other configuration options

NOTE: Please allow a couple of minutes for the GitLab application to start.

Point your browser tohttp://localhost:10080 and set a password for theroot user account.

You should now have the GitLab application up and ready for testing. If you want to use this image in production then please read on.

The rest of the document will use the docker command line. You can quite simply adapt your configuration into adocker-compose.yml file if you wish to do so.

GitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. To avoid losing any data, you should mount a volume at,

• /home/git/data

Note: that if you are using thedocker-compose approach, you must "inspect" the volumes (docker volume inspect) to check the mounted path.

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

mkdir -p /srv/docker/gitlab/gitlabsudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/gitlab

Volumes can be mounted in docker by specifying the-v option in the docker run command.

docker run --name gitlab -d \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

GitLab uses a database backend to store its data. You can configure this image to use PostgreSQL.

Note: GitLab requires PostgreSQL now. So use an older image < 12.1 or migrate to PostgresSQL

Important note: This image is shipped with different versions of thepostgresql-client.

During the startup of the container, the major version of the database system is checked based on the specified connection destination. Only the version of thepostgresql-client, that matches the major version of the Postgres database is used. If the major version of any version of the included clients does not match, the latest client is used (but may cause issues). All other versions of thepostgresql-client are deleted at runtime.

This behavior can be checked using the commanddocker logs and an output like the following should be available:

…Configuring gitlab::database- Installing postgresql client to avoid version mismatch on dumping-- Detected server version: 160009- Generating /home/git/.postgresqlrc16 postgresql:5432 gitlabhq_production- Uninstalling unused client(s): postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-17…

Please note furthermore, that only compatible versions of thepostgresql-client to GitLab are shipped with this image. Currently, these belong to

• postgresql-client-13,
• postgresql-client-14,
• postgresql-client-15,
• postgresql-client-16,
• andpostgresql-client-17.

Notes:

• GitLab CE version 13.7.0 and later requires PostgreSQL version 12.x.
• GitLab CE version 16.0.0 and later requires PostgreSQL version 13.x.
• GitLab CE version 17.0.0 and later requires PostgreSQL version 14.x.
• GitLab CE version 18.0.0 and later requires PostgreSQL version 16.x.

The image also supports using an external PostgreSQL Server. This is also controlled via environment variables.

CREATE ROLE gitlab with LOGIN CREATEDB PASSWORD'password';CREATEDATABASEgitlabhq_production;GRANT ALL PRIVILEGESON DATABASE gitlabhq_production to gitlab;

Additionally, since GitLab8.6.0 thepg_trgm extension should also be loaded for thegitlabhq_production database.

We are now ready to start the GitLab application.

Note: The following applies assuming that the PostgreSQL server host is192.168.1.100.

docker run --name gitlab -d \    --env'DB_HOST=192.168.1.100' \    --env'DB_NAME=gitlabhq_production' \    --env'DB_USER=gitlab' --env'DB_PASS=password' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set topostgresql while linking with the gitlab image.

If a postgresql container is linked, only theDB_HOST andDB_PORT settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as theDB_NAME,DB_USER,DB_PASS and so on.

To illustrate linking with a postgresql container, we will use thesameersbn/postgresql image. When using postgresql image in production you should mount a volume for the postgresql data store. Please refer theREADME of docker-postgresql for details.

First, let's pull the postgresql image from the docker index.

docker pull kkimurak/sameersbn-postgresql:16

For data persistence lets create a store for the postgresql and start the container.

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

mkdir -p /srv/docker/gitlab/postgresqlsudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/postgresql

The run command looks like this.

docker run --name gitlab-postgresql -d \    --env'DB_NAME=gitlabhq_production' \    --env'DB_USER=gitlab' --env'DB_PASS=password' \    --env'DB_EXTENSION=pg_trgm' \    --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \    kkimurak/sameersbn-postgresql:16

The above command will create a database namedgitlabhq_production and also create a user namedgitlab with the passwordpassword with access to thegitlabhq_production database.

We are now ready to start the GitLab application.

docker run --name gitlab -d --link gitlab-postgresql:postgresql \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

Here the image will also automatically fetch theDB_NAME,DB_USER andDB_PASS variables from the postgresql container as they are specified in thedocker run command for the postgresql container. This is made possible using the magic of docker links and works with the following images:

• postgres,
• kkimurak/sameersbn-postgresql, or
• sameersbn/postgresql .

When this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL.

If you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL.

If you are using PostgreSQL image other thansameersbn/postgresql you will need make sure that the image you are using can handle migration itself,or, you will need to migrate the data yourself before starting newer version of PostgreSQL.

Following project provides Docker image that handles migration of PostgreSQL data:tianon/postgres-upgrade

After migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file ispg_hba.conf, it will need to be copied from old version data folder into new version data folder.

GitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables.

The internal redis server has been removed from the image. Please use alinked redis container or specify aexternal redis connection.

The image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image.

Note: The following applies assuming that the redis server host is192.168.1.100.

docker run --name gitlab -it --rm \    --env'REDIS_HOST=192.168.1.100' --env'REDIS_PORT=6379' \    sameersbn/gitlab:18.2.0

You can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set toredisio while linking with the gitlab image.

To illustrate linking with a redis container, we will use theredis image. Please refer theREADME for details.

First, let's pull the redis image from the docker index.

docker pull redis:7

Lets start the redis container

docker run --name gitlab-redis -d \    --volume /srv/docker/gitlab/redis:/data \    redis:7

We are now ready to start the GitLab application.

docker run --name gitlab -d --link gitlab-redis:redisio \    sameersbn/gitlab:18.2.0

The mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers.

If you are using Gmail then all you need to do is:

docker run --name gitlab -d \    --env'SMTP_USER=USER@gmail.com' --env'SMTP_PASS=PASSWORD' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

Please refer theAvailable Configuration Parameters section for the list of SMTP parameters that can be specified.

Since version8.0.0 GitLab adds support for commenting on issues by replying to emails.

To enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specifyGITLAB_INCOMING_EMAIL_ADDRESS if your incoming email address is not the same as theIMAP_USER.

If your email provider supports emailsub-addressing then you should add the+%{key} placeholder after the user part of the email address, eg.GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com. Please read thedocumentation on reply by email to understand the requirements for this feature.

If you are using Gmail then all you need to do is:

docker run --name gitlab -d \    --env'IMAP_USER=USER@gmail.com' --env'IMAP_PASS=PASSWORD' \    --env'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

Please refer theAvailable Configuration Parameters section for the list of IMAP parameters that can be specified.

Access to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.

Jump to theUsing HTTPS with a load balancer section if you are using a load balancer such as hipache, haproxy or nginx.

To secure your application via SSL you basically need two things:

• Private key (.key)
• SSL certificate (.crt)

When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip toStrengthening the server security section if you are armed with CA certified SSL certificates.

Generation of a self-signed SSL certificate involves a simple 3-step procedure:

STEP 1: Create the server private key

openssl genrsa -out gitlab.key 2048

STEP 2: Create the certificate signing request (CSR)

openssl req -new -key gitlab.key -out gitlab.csr

STEP 3: Sign the certificate using the private key and CSR

openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt

Congratulations! You now have a self-signed SSL certificate valid for 10 years.

This section provides you with instructions tostrengthen your server security. To achieve this we need to generate stronger DHE parameters.

openssl dhparam -out dhparam.pem 2048

Out of the four files generated above, we need to install thegitlab.key,gitlab.crt anddhparam.pem files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).

The default path that the gitlab application is configured to look for the SSL certificates is at/home/git/data/certs, this can however be changed using theSSL_KEY_PATH,SSL_CERTIFICATE_PATH andSSL_DHPARAM_PATH configuration options.

If you remember from above, the/home/git/data path is the path of thedata store, which means that we have to create a folder namedcerts/ inside the volume to where/home/git/data point and copy the files into it and as a measure of security we'll update the permission on thegitlab.key file to only be readable by the owner.

In case use of docker-compose ...

$>docker volume inspect

Look for "< user >_gitlab-data" and copy the "certs" directory into the "Mountpoint"

mkdir -p /srv/docker/gitlab/gitlab/certscp gitlab.key /srv/docker/gitlab/gitlab/certs/cp gitlab.crt /srv/docker/gitlab/gitlab/certs/cp dhparam.pem /srv/docker/gitlab/gitlab/certs/chmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key

Great! We are now just one step away from having our application secured.

HTTPS support can be enabled by setting theGITLAB_HTTPS option totrue. Additionally, when using self-signed SSL certificates you need to the setSSL_SELF_SIGNED option totrue as well. Assuming we are using self-signed certificates

docker run --name gitlab -d \    --publish 10022:22 --publish 10080:80 --publish 10443:443 \    --env'GITLAB_SSH_PORT=10022' --env'GITLAB_PORT=10443' \    --env'GITLAB_HTTPS=true' --env'SSL_SELF_SIGNED=true' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.

HSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value.

WithNGINX_HSTS_MAXAGE you can configure that value. The default value is31536000 seconds. If you want to disable an already sent HSTS MAXAGE value, set it to0.

docker run --name gitlab -d \ --env'GITLAB_HTTPS=true' --env'SSL_SELF_SIGNED=true' \ --env'NGINX_HSTS_MAXAGE=2592000' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:18.2.0

If you want to completely disable HSTS setNGINX_HSTS_ENABLED tofalse.

Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and shouldNOT be installed in the container. The SSL configuration has to instead be done at the load balancer.

However, when using a load balancer youMUST setGITLAB_HTTPS totrue. Additionally, you will need to set theSSL_SELF_SIGNED option totrue if self-signed SSL certificates are in use.

With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer toUsing SSL/HTTPS with HAProxy for information on the subject.

When using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.

In summation, when using a load balancer, the docker command would look for the most part something like this:

docker run --name gitlab -d \    --publish 10022:22 --publish 10080:80 \    --env'GITLAB_SSH_PORT=10022' --env'GITLAB_PORT=443' \    --env'GITLAB_HTTPS=true' --env'SSL_SELF_SIGNED=true' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

Again, drop the--env 'SSL_SELF_SIGNED=true' option if you are using CA certified SSL certificates.

In case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration:

proxy_set_header X-Forwarded-Ssl on; (nginx format)

This section deals will self-signed ssl certificates. If you are using CA certified certificates, you're done.

This section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they.

This is simply done by adding the servers certificate into their list of trusted certificates. On ubuntu, this is done by copying thegitlab.crt file to/usr/local/share/ca-certificates/ and executingupdate-ca-certificates.

Again, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute thegitlab.crt file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this:

git clone https://git.local.host/gitlab-foss.gitfatal: unable to access'https://git.local.host/gitlab-foss.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

You can do the same at the web browser. Instructions for installing the root certificate for firefox can be foundhere. You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog.

There you have it, that's all there is to it.

If your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other.

The default path image is configured to look for the trusted SSL certificates is at/home/git/data/certs/ca.crt, this can however be changed using theSSL_CA_CERTIFICATES_PATH configuration option.

Copy theca.crt file into the certs directory on thedatastore. Theca.crt file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in theREADME of thedocker-gitlab-ci container.

By default, our own server certificategitlab.crt is added to the trusted certificates list.

By default, GitLab expects that your application is running at the root (e.g.. /). This section explains how to run your application inside a directory.

Let's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using theGITLAB_RELATIVE_URL_ROOT configuration option like so:

docker run --name gitlab -it --rm \    --env'GITLAB_RELATIVE_URL_ROOT=/git' \    --volume /srv/docker/gitlab/gitlab:/home/git/data \    sameersbn/gitlab:18.2.0

GitLab will now be accessible at the/git path, e.g.http://www.example.com/git.

Note:TheGITLAB_RELATIVE_URL_ROOT parameter should always begin with a slash andSHOULD NOThave any trailing slashes.

GitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.

Refer to the GitLabdocumentation for additional information.

To enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like:https://git.example.com:443/users/auth/cas3/callback?url. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.

For example, if your cas server url ishttps://sso.example.com, then adding--env 'OAUTH_CAS3_SERVER=https://sso.example.com' to the docker run command enables support for CAS3 OAuth. Please refer toAvailable Configuration Parameters for additional CAS3 configuration parameters.

To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application withAuthentiq. Please refer to the GitLabdocumentation for the procedure to generate the client ID and secret key with Authentiq.

Once you have the API client id and client secret generated, configure them using theOAUTH_AUTHENTIQ_CLIENT_ID andOAUTH_AUTHENTIQ_CLIENT_SECRET environment variables respectively.

For example, if your API key isxxx and the API secret key isyyy, then adding--env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy' to the docker run command enables support for Authentiq OAuth.

You may want to specifyOAUTH_AUTHENTIQ_REDIRECT_URI as well. The OAuth scope can be altered as well withOAUTH_AUTHENTIQ_SCOPE (defaults to'aq:name email~rs address aq:push').

To enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLabdocumentation for the procedure to generate the client ID and secret key with google.

Once you have the client ID and secret keys generated, configure them using theOAUTH_GOOGLE_API_KEY andOAUTH_GOOGLE_APP_SECRET environment variables respectively.

For example, if your client ID isxxx.apps.googleusercontent.com and client secret key isyyy, then adding--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy' to the docker run command enables support for Google OAuth.

You can also restrict logins to a single domain by adding--env "OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'".

To enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate an API key and secret for you to use. Please refer to the GitLabdocumentation for the procedure to generate the API key and secret.

Once you have the API key and secret generated, configure them using theOAUTH_FACEBOOK_API_KEY andOAUTH_FACEBOOK_APP_SECRET environment variables respectively.

For example, if your API key isxxx and the API secret key isyyy, then adding--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy' to the docker run command enables support for Facebook OAuth.

To enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate an API key and secret for you to use. Please refer to the GitLabdocumentation for the procedure to generate the API key and secret with twitter.

Once you have the API key and secret generated, configure them using theOAUTH_TWITTER_API_KEY andOAUTH_TWITTER_APP_SECRET environment variables respectively.

For example, if your API key isxxx and the API secret key isyyy, then adding--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy' to the docker run command enables support for Twitter OAuth.

To enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLabdocumentation for the procedure to generate the Client ID and secret with github.

Once you have the Client ID and secret generated, configure them using theOAUTH_GITHUB_API_KEY andOAUTH_GITHUB_APP_SECRET environment variables respectively.

For example, if your Client ID isxxx and the Client secret isyyy, then adding--env 'OAUTH_GITHUB_API_KEY=xxx' --env 'OAUTH_GITHUB_APP_SECRET=yyy' to the docker run command enables support for GitHub OAuth.

Users of GitHub Enterprise may want to specifyOAUTH_GITHUB_URL andOAUTH_GITHUB_VERIFY_SSL as well.

To enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLabdocumentation for the procedure to generate the Client ID and secret with GitLab.

Once you have the Client ID and secret generated, configure them using theOAUTH_GITLAB_API_KEY andOAUTH_GITLAB_APP_SECRET environment variables respectively.

For example, if your Client ID isxxx and the Client secret isyyy, then adding--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy' to the docker run command enables support for GitLab OAuth.

To enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLabdocumentation for the procedure to generate the Client ID and secret with BitBucket.

Once you have the Client ID and secret generated, configure them using theOAUTH_BITBUCKET_API_KEY andOAUTH_BITBUCKET_APP_SECRET environment variables respectively.

For example, if your Client ID isxxx and the Client secret isyyy, then adding--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy' to the docker run command enables support for BitBucket OAuth.

GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLabdocumentation.

The following parameters have to be configured to enable SAML OAuth support in this image:OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL,OAUTH_SAML_IDP_CERT_FINGERPRINT,OAUTH_SAML_IDP_SSO_TARGET_URL,OAUTH_SAML_ISSUER andOAUTH_SAML_NAME_IDENTIFIER_FORMAT.

You can also override the default "Sign in with" button label withOAUTH_SAML_LABEL.

Please refer toAvailable Configuration Parameters for the default configurations of these parameters.

To enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server.

Configure GitLab to enable access the Crowd server by specifying theOAUTH_CROWD_SERVER_URL,OAUTH_CROWD_APP_NAME andOAUTH_CROWD_APP_PASSWORD environment variables.

To enable the Auth0 OmniAuth provider you must register your application withauth0.

Configure the following environment variablesOAUTH_AUTH0_CLIENT_ID,OAUTH_AUTH0_CLIENT_SECRET andOAUTH_AUTH0_DOMAIN to complete the integration.

To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLabdocumentation for the procedure.

Once you have the Client ID, Client secret and Tenant ID generated, configure them using theOAUTH_AZURE_API_KEY,OAUTH_AZURE_API_SECRET andOAUTH_AZURE_TENANT_ID environment variables respectively.

For example, if your Client ID isxxx, the Client secret isyyy and the Tenant ID iszzz, then adding--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz' to the docker run command enables support for Microsoft Azure OAuth.

Also you can configure v2 endpoint (azure_activedirectory_v2) by usingOAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID,OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET andOAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID environment variables. Optionally you can change label of login button using theOAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL.

To enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.

As an example this code has been tested with Keycloak, with the following variables:OAUTH2_GENERIC_APP_ID,OAUTH2_GENERIC_APP_SECRET,OAUTH2_GENERIC_CLIENT_SITE,OAUTH2_GENERIC_CLIENT_USER_INFO_URL,OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL,OAUTH2_GENERIC_CLIENT_TOKEN_URL,OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT,OAUTH2_GENERIC_ID_PATH,OAUTH2_GENERIC_USER_UID,OAUTH2_GENERIC_USER_NAME,OAUTH2_GENERIC_USER_EMAIL,OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE,OAUTH2_GENERIC_LABEL andOAUTH2_GENERIC_NAME.

SeeGitLab documentation andOmniauth-oauth2-generic documentation for more details.

To enable OpenID Connect provider, you must register your application with your provider. You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.

To use OIDC set at leastOAUTH_OIDC_ISSUER andOAUTH_OIDC_CLIENT_ID.

SeeGitLab OIDC documentation andOmniAuth OpenID Connect documentation.

To enable the JWT OmniAuth provider, you must register your application with JWT. JWT provides you with a secret key for you to use.

To use JWT set at leastOAUTH_JWT_SECRET andOAUTH_JWT_AUTH_URL.

SeeOmniAuth JWT documentation.

Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the environment variableGITLAB_PAGES_ENABLED totrue.

Since version11.5.0 Gitlab pages supports access control. This allows only access to a published website if you are a project member, or have access to a certain project.

Gitlab pages access control requires additional configuration before activating it through the variableGITLAB_PAGES_ACCESS_CONTROL.

GitLab pages access control makes use of the Gitlab OAuth Module.

• Goto the Gitlab Admin area
• SelectApplications in the menu
• CreateNew Application
  • Name:Gitlab Pages
  • Scopes:
    • api
  • Trusted: NO (Do not select)
  • Redirect URI:https://projects.<GITLAB_PAGES_DOMAIN>/auth

Note about theRedirect URI; this can be tricky to configure or figure out, What needs to be achieved is the following, the redirect URI needs to end up at thegitlab-pages daemon with the/auth endpoint.

This means that if you run your gitlab pages at domainpages.example.io this will be a wildcard domain where your projects are created based on their namespace. The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI.

In the example above; the pages domainprojects has been chosen. This will cause the nginx, either the built in or your own load balancer to redirect*.<GITLAB_PAGES_DOMAIN> to thegitlab-pages daemon. Which will trigger the pages endpoint.

Make sure to choose own which does not exist and make sure that the request is routed to thegitlab-pages daemon if you are using your own HTTP load balancer in front of Gitlab.

After creating the OAuth application endpoint for the Gitlab Pages Daemon. Gitlab pages access control can now be enabled.

Add to following environment variables to your Gitlab Container.

After you have enabled the gitlab pages access control. When you go to a projectGeneral Settings ->Permissions you can choose the pages permission level for the project.

Since version7.10.0 support for external issue trackers can be enabled in the "Service Templates" section of the settings panel.

If you are using thedocker-redmine image, you canone up the gitlab integration with redmine by adding--volumes-from=gitlab flag to the docker run command while starting the redmine container.

By using the above option the/home/git/data/repositories directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project namedopensource/gitlab, the bare repository will be accessible at/home/git/data/repositories/opensource/gitlab.git in the redmine container.

Per default the container is configured to run gitlab as user and groupgit withuid andgid1000. The host possibly uses this ids for different purposes leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group1000.

Also the container processes seem to be executed as the host's user/group1000. The container can be configured to map theuid andgid ofgit to different ids on host by passing the environment variablesUSERMAP_UID andUSERMAP_GID. The following command maps the ids to user and groupgit on the host.

docker run --name gitlab -it --rm [options] \    --env"USERMAP_UID=$(id -u git)" --env"USERMAP_GID=$(id -g git)" \    sameersbn/gitlab:18.2.0

When changing this mapping, all files and directories in the mounted data volume/home/git/data have to be re-owned by the new ids. This can be achieved automatically using the following command:

docker run --name gitlab -d [OPTIONS] \    sameersbn/gitlab:18.2.0 app:sanitize

If you want to monitor your gitlab instance withPiwik, there are two options to setup:PIWIK_URL andPIWIK_SITE_ID.These options should contain something like:

• PIWIK_URL=piwik.example.org
• PIWIK_SITE_ID=42

In this section, we talk about feature flags that administrators can change the state (Seehttps://docs.gitlab.com/ee/administration/feature_flags.html). If you are looking for documentation for "Feature flags" that configured on project deploy settings, seehttps://docs.gitlab.com/ee/operations/feature_flags.html

GitLab adopted feature flags strategies to deploy features in an early stage of development so that they can be incrementally rolled out. GitLab administrators with access to theRails console or theFeature flags API can control them (note thatsameersbn/gitlab is a container image that provides GitLab installations from the source).You can see all feature flags in GitLab at corresponding version of documentation:https://docs.gitlab.com/ee/user/feature_flags.html

Forsameersbn/gitlab, you can control them via environment parameterGITLAB_FEATURE_FLAGS_DISABLE_TARGETS andGITLAB_FEATURE_FLAGS_ENABLE_TARGETS in addition to the above methods.This image searches yml files in${GITLAB_INSTALL_DIR}/config/feature_flags (typically/home/git/gitlab/config/feature_flags/) recursively and use the file list as a source of active feature flags.

Here is a part of exampledocker-compose.yml:

services:gitlab:image:sameersbn/gitlab:latestenvironment:    -GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=auto_devops_banner_disabled,ci_enable_live_trace    -GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=git_push_create_all_pipelines,build_service_proxy

Once the container up, you can see following messages in container log like below.

...Configuring gitlab::feature_flags...- specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled","ci_enable_live_trace"], :to_be_enabled=>["git_push_create_all_pipelines","build_service_proxy"]}- auto_devops_banner_disabled: off- ci_enable_live_trace: off- git_push_create_all_pipelines: on- build_service_proxy: on...

If specified flag names are not included in the list, they will be ignored and appears to container log like below:

...Configuring gitlab::feature_flags...- specified feature flags: {:to_be_disabled=>["auto_devops_banner_disabled","invalid_flag_name"], :to_be_enabled=>["git_push_create_all_pipelines","another_invalid_flag_name"]}- Following flags are probably invalid and have been ignored: invalid_flag_name,another_invalid_flag_name- auto_devops_banner_disabled: off- git_push_create_all_pipelines: on...

Please refer the docker run command options for the--env-file flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use thesecrets and config file options

Below is the complete list of available options that can be used to customize your gitlab installation.

Set this totrue to enable entrypoint debugging.

Set the container timezone. Defaults toUTC. Values are expected to be in Canonical format. Example:Europe/Amsterdam See the list ofacceptable values. For configuring the timezone of gitlab see variableGITLAB_TIMEZONE.

The hostname of the GitLab server. Defaults tolocalhost

If you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults.

The port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. Defaults to443 ifGITLAB_HTTPS=true, else defaults to80.

Encryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one usingpwgen -Bsv1 64. If you are migrating from GitLab CI, you need to set this value to the value ofGITLAB_CI_SECRETS_DB_KEY_BASE. No defaults.

Encryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one usingpwgen -Bsv1 64. No defaults.

Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it.If you lose or change this secret, 2FA will stop working for all users. You can generate one usingpwgen -Bsv1 64. No defaults.

Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it.If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on You can generate one usingpwgen -Bsv1 64. No defaults.

The base key used to encrypt data for non-deterministicActiveRecord::Encryption encrypted columns. This value is used to setactive_record_encryption_primary_key inconfig/secrets.yml. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format["first_primary_key","second_primary_key"]. Indocker-compose.yml, the value must NOT have additional quotes!If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface. No defaults.

The base key used to encrypt data for deterministicActiveRecord::Encryption encrypted columns. This value is used to setactive_record_encryption_deterministic_key inconfig/secrets.yml. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format["first_deterministic_key","second_deterministic_key"]. Indocker-compose.yml, the value must NOT have additional quotes!If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface. No defaults.

The salt used to encrypt data forActiveRecord::Encryption encrypted columns. This value is used to setactive_record_encryption_key_derivation_salt inconfig/secrets.yml. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long.If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface. No defaults.

Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults toUTC. See the list ofacceptable values. For settings the container timezone which will affect cron, see variableTZ

The password for the root user on firstrun. Defaults to5iveL!fe. GitLab requires this to be at least8 characters long.

The email for the root user on firstrun. Defaults toadmin@example.com

The email address for the GitLab server. Defaults to value ofSMTP_USER, else defaults toexample@example.com.

The name displayed in emails sent out by the GitLab mailer. Defaults toGitLab.

The reply-to address of emails sent out by GitLab. Defaults to value ofGITLAB_EMAIL, else defaults tonoreply@example.com.

The e-mail subject suffix used in e-mails sent by GitLab. No defaults.

Enable or disable gitlab mailer. Defaults to theSMTP_ENABLED configuration.

Enable or disable email S/MIME signing. Defaults isfalse.

Specifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``.

Specifies the path to a S/MIME public certificate key in PEM format. Defaults to ``.

Default theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red)

Issue closing pattern regex. SeeGitLab's documentation for more detail. Defaults to\b((?:[Cc]los(?:e[sd]?|ing)|\b[Ff]ix(?:e[sd]|ing)?|\b[Rr]esolv(?:e[sd]?|ing)|\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+) .

The incoming email address for reply by email. Defaults to the value ofIMAP_USER, else defaults toreply@example.com. Please read thereply by email documentation to currently set this parameter.

Enable or disable gitlab reply by email feature. Defaults to the value ofIMAP_ENABLED.

Enable or disable user signups (first run only). Default istrue.

Enable or disable impersonation. Defaults totrue.

Set default projects limit. Defaults to100.

Enable or disable ability for users to change their username. Defaults totrue.

Enable or disable ability for users to create groups. Defaults totrue.

Set ifissues feature should be enabled by default for new projects. Defaults totrue.

Set ifmerge requests feature should be enabled by default for new projects. Defaults totrue.

Set ifwiki feature should be enabled by default for new projects. Defaults totrue.

Set ifsnippets feature should be enabled by default for new projects. Defaults tofalse.

Set ifbuilds feature should be enabled by default for new projects. Defaults totrue.

Set ifcontainer_registry feature should be enabled by default for new projects. Defaults totrue.

Global custom hooks directory. Defaults to/home/git/gitlab-shell/hooks.

Sets the timeout for webhooks. Defaults to10 seconds.

Enable or disable broken build notification emails. Defaults totrue

Add pusher to recipients list of broken build notification emails. Defaults tofalse

The git repositories folder in the container. Defaults to/home/git/data/repositories

The backup folder in the container. Defaults to/home/git/data/backups

Optionally change ownership of backup files on start-up. Defaults totrue

Optionally group backups into a subfolder. Can also be used to place backups in to a subfolder on remote storage. Not used by default.

The build traces directory. Defaults to/home/git/data/builds

The repository downloads directory. A temporary zip is created in this directory when users clickDownload Zip on a project. Defaults to/home/git/data/tmp/downloads.

The directory to store the build artifacts. Defaults to/home/git/data/shared

Enable/Disable GitLab artifacts support. Defaults totrue.

Directory to store the artifacts. Defaults to$GITLAB_SHARED_DIR/artifacts

Default AWS access key to be used for object store. Defaults toAWS_ACCESS_KEY_ID

Default AWS access key to be used for object store. Defaults toAWS_SECRET_ACCESS_KEY

AWS Region. Defaults tous-east-1

Configure this for an compatible AWS host like minio. Defaults to$AWS_HOST. Defaults tos3.amazon.com

AWS Endpoint likehttp://127.0.0.1:9000. Defaults tonil

Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults totrue

AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to4

Default Google project to use for Object Store.

Default Google service account email to use for Object Store.

Default Google key file Defaults to/gcs/key.json

Default object store connection provider. Defaults toAWS

Enables Object Store for Artifacts that will be remote stored. Defaults tofalse

Bucket name to store the artifacts. Defaults toartifacts

Set to true to enable direct upload of Artifacts without the need of local shared storage. Defaults tofalse

Temporary option to limit automatic upload. Defaults tofalse

Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults tofalse

Connection Provider for the Object Store. (AWS orGoogle) Defaults to$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (AWS)

AWS Access Key ID for the Bucket. Defaults to$AWS_ACCESS_KEY_ID

AWS Secret Access Key. Defaults to$AWS_SECRET_ACCESS_KEY

AWS Region. Defaults to$AWS_REGION

Configure this for an compatible AWS host like minio. Defaults to$AWS_HOST

AWS Endpoint likehttp://127.0.0.1:9000. Defaults to$AWS_ENDPOINT

Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to$AWS_PATH_STYLE

AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to$AWS_SIGNATURE_VERSION

Google project. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

Google service account. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

Default Google key file. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION (/gcs/key.json)

Cron notation for the GitLab pipeline schedule worker. Defaults to'19 * * * *'

Enable/Disable Git LFS support. Defaults totrue.

Directory to store the lfs-objects. Defaults to$GITLAB_SHARED_DIR/lfs-objects

Enables Object Store for LFS that will be remote stored. Defaults tofalse

Bucket name to store the LFS. Defaults tolfs-object

Temporary option to limit automatic upload. Defaults tofalse

Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults tofalse

Connection Provider for the Object Store. (AWS orGoogle) Defaults to$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (AWS)

AWS Access Key ID for the Bucket. Defaults toAWS_ACCESS_KEY_ID

AWS Secret Access Key. Defaults toAWS_SECRET_ACCESS_KEY

AWS Region. Defaults to$AWS_REGION

Configure this for an compatible AWS host like minio. Defaults to$AWS_HOST

AWS Endpoint likehttp://127.0.0.1:9000. Defaults to$AWS_ENDPOINT

Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to$AWS_PATH_STYLE

AWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to$AWS_SIGNATURE_VERSION

Google project. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

Google service account. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

Default Google key file. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION (/gcs/key.json)

Enable/Disable Packages support. Defaults totrue.

Directory to store the packages data. Defaults to$GITLAB_SHARED_DIR/packages

Enables Object Store for Packages that will be remote stored. Defaults tofalse

Bucket name to store the packages. Defaults topackages

Set to true to enable direct upload of Packages without the need of local shared storage. Defaults tofalse

Temporary option to limit automatic upload. Defaults tofalse

Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults tofalse

Connection Provider for the Object Store. (AWS orGoogle) Defaults to$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (AWS)

AWS Access Key ID for the Bucket. Defaults to$AWS_ACCESS_KEY_ID

AWS Secret Access Key. Defaults to$AWS_SECRET_ACCESS_KEY

AWS Region. Defaults to$AWS_REGION

Configure this for an compatible AWS host like minio. Defaults to$AWS_HOST

AWS Endpoint likehttp://127.0.0.1:9000. Defaults to$AWS_ENDPOINT

Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults toAWS_PATH_STYLE

Google project. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

Google service account. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

Default Google key file. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION (/gcs/key.json)

Enable/Disable Terraform State support. Defaults totrue.

Directory to store the terraform state data. Defaults to$GITLAB_SHARED_DIR/terraform_state

Enables Object Store for Terraform state that will be remote stored. Defaults tofalse

Bucket name to store the Terraform state. Defaults toterraform_state

Connection Provider for the Object Store (AWS or Google). Defaults to $GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (i.e. AWS).

AWS Access Key ID for the Bucket. Defaults to$AWS_ACCESS_KEY_ID

AWS Secret Access Key. Defaults to$AWS_SECRET_ACCESS_KEY

AWS Region. Defaults to$AWS_REGION

Configure this for an compatible AWS host like minio. Defaults to$AWS_HOST

AWS Endpoint likehttp://127.0.0.1:9000. Defaults to$AWS_ENDPOINT

Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults toAWS_PATH_STYLE

Google project. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

Google service account. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

Default Google key file. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION (/gcs/key.json)

The location where uploads objects are stored. Defaults to$GITLAB_SHARED_DIR/public.

Mapping for theGITLAB_UPLOADS_STORAGE_PATH. Defaults touploads/-/system

Enables Object Store for UPLOADS that will be remote stored. Defaults tofalse

Bucket name to store the UPLOADS. Defaults touploads

Temporary option to limit automatic upload. Defaults tofalse

Passthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults tofalse

Connection Provider for the Object Store. (AWS orGoogle) Defaults to$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (AWS)

AWS Access Key ID for the Bucket. Defaults toAWS_ACCESS_KEY_ID

AWS Secret Access Key. Defaults toAWS_SECRET_ACCESS_KEY

AWS Region. Defaults to$AWS_REGION

Configure this for an compatible AWS host like minio. Defaults to$AWS_HOST

AWS Endpoint likehttp://127.0.0.1:9000. Defaults to$AWS_ENDPOINT

Changes AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults toAWS_PATH_STYLE

Google project. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT

Google service account. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL

Default Google key file. Defaults to$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION (/gcs/key.json)

Enable/Disable GitLab Mattermost forAdd Mattermost button. Defaults tofalse.

Sets Mattermost URL. Defaults tohttps://mattermost.example.com.

Setup cron job to automatic backups. Possible valuesdisable,daily,weekly ormonthly. Disabled by default

Configure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds).

Specify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524

Sets the permissions of the backup archives. Defaults to0600.See

Set a time for the automatic backups inHH:MM format. Defaults to04:00.

Specified sections are skipped by the backups. Defaults to empty, i.e.lfs,uploads.See

The ssh host. Defaults toGITLAB_HOST.

The ssh port for SSHD to listen on. Defaults to22

The ssh "MaxStartups" parameter, defaults to10:30:60.

The ssh port number. Defaults to$GITLAB_SSH_LISTEN_PORT.

The relative url of the GitLab server, e.g./git. No default.

Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.

Enables the GitLab Container Registry. Defaults tofalse.

Sets the GitLab Registry Host. Defaults toregistry.example.com

Sets the GitLab Registry Port. Defaults to443.

Sets the GitLab Registry API URL. Defaults tohttp://localhost:5000

Sets the GitLab Registry Key Path. Defaults toconfig/registry.key

Directory to store the container images will be shared with registry. Defaults to$GITLAB_SHARED_DIR/registry

Sets the GitLab Registry Issuer. Defaults togitlab-issuer.

Set totrue to generate SSL internal Registry keys. Used to communicate between a Docker Registry and GitLab. It will generate a self-signed certificate key at the location given by$GITLAB_REGISTRY_KEY_PATH, e.g./certs/registry.key. And will generate the certificate file at the same location, with the same name, but changing the extension fromkey tocrt, e.g./certs/registry.crt

Enables the GitLab Pages. Defaults tofalse.

Sets the GitLab Pages Domain. Defaults toexample.com

Sets GitLab Pages directory where all pages will be stored. Defaults to$GITLAB_SHARED_DIR/pages

Sets GitLab Pages Port that will be used in NGINX. Defaults to80

Sets GitLab Pages to HTTPS and the gitlab-pages-ssl config will be used. Defaults tofalse

Set totrue to enable pages artifacts server, enabled by default.

IfGITLAB_PAGES_ARTIFACTS_SERVER is enabled, set to API endpoint for GitLab Pages (e.g.https://example.com/api/v4). No default.

Sets GitLab Pages external http to receive request on an independent port. Disabled by default

Sets GitLab Pages external https to receive request on an independent port. Disabled by default

Set totrue to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership to that project. Disabled by default.

Disable the nginx proxy for gitlab pages, defaults totrue. When set tofalse this will turn off the nginx proxy to the gitlab pages daemon, used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup.

Secret Hash, minimal 32 characters, if omitted, it will be auto generated.

Gitlab instance URI, example:https://gitlab.example.io

Client ID from earlier generated OAuth application

Client Secret from earlier generated OAuth application

Redirect URI, non existing pages domain to redirect to pages daemon,https://projects.example.io/auth

Set totrue to enable https support, disabled by default.

Set default path for gitaly. defaults to/home/git/gitaly

Set a gitaly token, blank by default.

Time between sampling of unicorn socket metrics, in seconds, defaults to10

IP whitelist to access monitoring endpoints. No defaults.

Set totrue to enable the sidekiq exporter, enabled by default.

Sidekiq exporter address, defaults to0.0.0.0

Sidekiq exporter port, defaults to3807

Set totrue to enableContent Security Policy, enabled by default.

Set totrue to setContent-Security-Policy-Report-Only header, disabled by default

The value of thebase-uri directive in theContent-Security-Policy header

The value of thechild-src directive in theContent-Security-Policy header

The value of theconnect-src directive in theContent-Security-Policy header. Default to'self' http://localhost:* ws://localhost:* wss://localhost:*

The value of thedefault-src directive in theContent-Security-Policy header. Default to'self'

The value of thefont-src directive in theContent-Security-Policy header

The value of theform-action directive in theContent-Security-Policy header

The value of theframe-ancestors directive in theContent-Security-Policy header. Default to'self'

The value of theframe-src directive in theContent-Security-Policy header. Default to'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com

The value of theimg-src directive in theContent-Security-Policy header. Default to* data: blob:

The value of themanifest-src directive in theContent-Security-Policy header

The value of themedia-src directive in theContent-Security-Policy header

The value of theobject-src directive in theContent-Security-Policy header. Default to'none'

The value of thescript-src directive in theContent-Security-Policy header. Default to'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com

The value of thestyle-src directive in theContent-Security-Policy header. Default to'self' 'unsafe-inline'

The value of theworker-src directive in theContent-Security-Policy header. Default to'self' blob:

The value of thereport-uri directive in theContent-Security-Policy header

Comma separated list of feature flag names to be disabled. No whitespace is allowed.You can see all feature flags in GitLab at corresponding version of documentation:https://docs.gitlab.com/ee/user/feature_flags.htmlFeature flags name and its statement will be appear to container log. Note that some of the feature flags are implicitly enabled or disabled by GitLab itself, and are not appear to container log.No defaults.

This parameter is the same asGITLAB_FEATURE_FLAGS_DISABLE_TARGETS, except its purpose is to enable the feature flag. No defaults.

Set totrue when using self-signed ssl certificates.false by default.

Location of the ssl certificate. Defaults to/home/git/data/certs/gitlab.crt

Location of the ssl private key. Defaults to/home/git/data/certs/gitlab.key

Location of the dhparam file. Defaults to/home/git/data/certs/dhparam.pem

Enable verification of client certificates using theSSL_CA_CERTIFICATES_PATH file or setting this variable toon. Defaults tooff

List of SSL certificates to trust. Defaults to/home/git/data/certs/ca.crt.

Location of the ssl private key for gitlab container registry. Defaults to/home/git/data/certs/registry.key

Location of the ssl certificate for the gitlab container registry. Defaults to/home/git/data/certs/registry.crt

Location of the ssl private key for gitlab pages. Defaults to/home/git/data/certs/pages.key

Location of the ssl certificate for the gitlab pages. Defaults to/home/git/data/certs/pages.crt

List of supported SSL ciphers: Defaults toECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

List of supported SSL protocols: Defaults toTLSv1 TLSv1.1 TLSv1.2 TLSv1.3

List of supported SSL ciphers for the gitlab pages: Defaults toSSL_CIPHERS

List of supported SSL protocols for the gitlab pages: Defaults toSSL_PROTOCOLS

List of supported SSL ciphers for gitlab container registry: Defaults toSSL_CIPHERS

List of supported SSL protocols for gitlab container registry: Defaults toSSL_PROTOCOLS

The number of nginx workers to start. Defaults to1.

Sets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx likenginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:... It should be only increment by a power of 2. Defaults to32.

Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults totrue. See#138 for use case scenario.

Advanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to31536000.

Enableproxy_buffering. Defaults tooff.

EnableX-Accel-Buffering header. Default tono

Advanced configuration option for theproxy_set_header X-Forwarded-Proto setting in the gitlab nginx vHost configuration. Defaults tohttps whenGITLAB_HTTPS istrue, else defaults to$scheme.

set toon if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address.off by default.

You can have NGINX look for a different address to use by adding your reverse proxy to theNGINX_REAL_IP_TRUSTED_ADDRESSES. Currently only a single entry is permitted. No defaults.

Advanced configuration option. You can add custom configuration for nginx as you like (e.g. custom location proxy). This is similar to settingnginx['custom_gitlab_server_config'] togitlab.rb for gitlab-omnibus. No defaults.

The hostname of the redis server. Defaults tolocalhost

The connection port of the redis server. Defaults to6379.

The redis database number. Defaults to '0'.

The number of puma workers to start. Defaults to3.

Sets the timeout of puma worker processes. Defaults to60 seconds.

The number of puma minimum threads. Defaults to1.

The number of puma maximum threads. Defaults to16.

Maximum memory size of per puma worker process. Defaults to1024.

Maximum memory size of puma master process. Defaults to800.

The number of concurrent sidekiq jobs to run. Defaults to25

Timeout for sidekiq shutdown. Defaults to4

Non-zero value enables the SidekiqMemoryKiller. Defaults to2000000. For additional options referConfiguring the MemoryKiller

Sidekiq log format that will be used. Defaults tojson

The database type. Currently only postgresql is supported. Possible values:postgresql. Defaults topostgresql.

The database encoding. ForDB_ADAPTER valuespostgresql this parameter defaults andutf8 respectively.

The database server hostname. Defaults tolocalhost.

The database server port. Defaults to5432 for postgresql.

The database database name. Defaults togitlabhq_production

The database database user. Defaults toroot

The database database password. Defaults to no password

The database database connection pool count. Defaults to10.

Whether to use database prepared statements. No defaults. But set tofalse if you want to use withPgBouncer

Enable mail delivery via SMTP. Defaults totrue ifSMTP_USER is defined, else defaults tofalse.

SMTP domain. Defaults towww.gmail.com

SMTP server host. Defaults tosmtp.gmail.com.

SMTP server port. Defaults to587.

SMTP username.

SMTP password.

Enable STARTTLS. Defaults totrue.

Enable SSL/TLS. Defaults tofalse.

SMTP openssl verification mode. Accepted values arenone,peer,client_once andfail_if_no_peer_cert. Defaults tonone.

Specify the SMTP authentication method. Defaults tologin ifSMTP_USER is set.

Enable custom CA certificates for SMTP email configuration. Defaults tofalse.

Specify theca_path parameter for SMTP email configuration. Defaults to/home/git/data/certs.

Specify theca_file parameter for SMTP email configuration. Defaults to/home/git/data/certs/ca.crt.

Enable mail delivery via IMAP. Defaults totrue ifIMAP_USER is defined, else defaults tofalse.

IMAP server host. Defaults toimap.gmail.com.

IMAP server port. Defaults to993.

IMAP username.

IMAP password.

Enable SSL. Defaults totrue.

Enable STARTTLS. Defaults tofalse.

The name of the mailbox where incoming mail will end up. Defaults toinbox.

Enable LDAP. Defaults tofalse

Label to show on login tab for LDAP server. Defaults to 'LDAP'

LDAP Host

LDAP Port. Defaults to389

LDAP UID. Defaults tosAMAccountName

LDAP method, Possible values aresimple_tls,start_tls andplain. Defaults toplain

LDAP verify ssl certificate for installations that are usingLDAP_METHOD: 'simple_tls' orLDAP_METHOD: 'start_tls'. Defaults totrue

Specifies the path to a file containing a PEM-format CA certificate. Defaults to ``

Specifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. Defaults to ``

No default.

LDAP password

Timeout, in seconds, for LDAP queries. Defaults to10.

Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this tofalse. Defaults totrue,

If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults tofalse ifLDAP_UID isuserPrincipalName, elsetrue.

Locks down those users until they have been cleared by the admin. Defaults tofalse.

Base where we can search for users. No default.

Filter LDAP users. No default.

Attribute fields for the identification of a user. Default to['uid', 'userid', 'sAMAccountName']

Attribute fields for the shown mail address. Default to['mail', 'email', 'userPrincipalName']

Attribute field for the used username of a user. Defaults tocn.

Attribute field for the forename of a user. Default togivenName

Attribute field for the surname of a user. Default tosn

GitLab will lower case the username for the LDAP Server. Defaults tofalse

Set totrue toDisable LDAP web sign in, defaults tofalse

Enable OAuth support. Defaults totrue if any of the support OAuth providers is configured, else defaults tofalse.

Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values arecas3,github,bitbucket,gitlab,google_oauth2,facebook,twitter,saml,crowd,auth0 andazure_oauth2. No default.

Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values arecas3,github,bitbucket,gitlab,google_oauth2,facebook,twitter,saml,crowd,auth0 andazure_oauth2. No default.

Locks down those users until they have been cleared by the admin. Defaults totrue.

Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults tofalse.

Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults tofalse.

Allow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to[].

Comma separated list if oauth providers to disallow access tointernal projects. Users creating accounts via these providers will have access internal projects. Accepted values arecas3,github,bitbucket,gitlab,google_oauth2,facebook,twitter,saml,crowd,auth0 andazure_oauth2. No default.

Specify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like["twitter", "google_oauth2"]. Setting this totrue orfalse applies to all - allow all or none. Defaults tofalse.

The "Sign in with" button label. Defaults to "cas3".

CAS3 server URL. No defaults.

Disable CAS3 SSL verification. Defaults tofalse.

CAS3 login URL. Defaults to/cas/login

CAS3 validation URL. Defaults to/cas/p3/serviceValidate

CAS3 logout URL. Defaults to/cas/logout

Google App Client ID. No defaults.

Google App Client Secret. No defaults.

List of Google App restricted domains. Value is comma separated list of single quoted groups. Example:'exemple.com','exemple2.com'. No defaults.

Facebook App API key. No defaults.

Facebook App API secret. No defaults.

Twitter App API key. No defaults.

Twitter App API secret. No defaults.

authentiq Client ID. No defaults.

authentiq Client secret. No defaults.

Scope of Authentiq Application Defaults to'aq:name email~rs address aq:push'

Callback URL for Authentiq. No defaults.

GitHub App Client ID. No defaults.

GitHub App Client secret. No defaults.

Url to the GitHub Enterprise server. Defaults tohttps://github.com

Enable SSL verification while communicating with the GitHub server. Defaults totrue.

GitLab App Client ID. No defaults.

GitLab App Client secret. No defaults.

BitBucket App Client ID. No defaults.

BitBucket App Client secret. No defaults.

Bitbucket URL. Defaults:https://bitbucket.org/

The URL at which the SAML assertion should be received. WhenGITLAB_HTTPS=true, defaults tohttps://${GITLAB_HOST}/users/auth/saml/callback else defaults tohttp://${GITLAB_HOST}/users/auth/saml/callback.

The SHA1 fingerprint of the certificate. No Defaults.

The URL to which the authentication request should be sent. No defaults.

The name of your application. WhenGITLAB_HTTPS=true, defaults tohttps://${GITLAB_HOST} else defaults tohttp://${GITLAB_HOST}.

The "Sign in with" button label. Defaults to "Our SAML Provider".

Describes the format of the username required by GitLab, Defaults tourn:oasis:names:tc:SAML:2.0:nameid-format:transient

Map groups attribute in a SAMLResponse to external groups. No defaults.

List of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example:'group1','group2'. No defaults.

Map 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. SeeGitLab documentation for more details.

Map 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. SeeGitLab documentation for more details.

Map 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. SeeGitLab documentation for more details.

Map 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. SeeGitLab documentation for more details.

Map 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. SeeGitLab documentation for more details.

Crowd server url. No defaults.

Crowd server application name. No defaults.

Crowd server application password. No defaults.

Auth0 Client ID. No defaults.

Auth0 Client secret. No defaults.

Auth0 Domain. No defaults.

Auth0 Scope. Defaults toopenid profile email.

Azure Client ID. No defaults.

Azure Client secret. No defaults.

Azure Tenant ID. No defaults.

Client ID for oauth providerazure_activedirectory_v2. If not set, corresponding oauth provider configuration will be removed fromgitlab.yml during container startup. No defaults.

Client secret for oauth providerazure_activedirectory_v2. If not set, corresponding oauth provider configuration will be removed fromgitlab.yml during container startup. No defaults.

Tenant ID for oauth providerazure_activedirectory_v2. If not set, corresponding oauth provider configuration will be removed fromgitlab.yml during container startup. No defaults.

Optional label for login button forazure_activedirectory_v2. Defaults toAzure AD v2

Your OAuth2 App ID. No defaults.

Your OAuth2 App Secret. No defaults.

The OAuth2 generic client site. No defaults

The OAuth2 generic client user info url. No defaults

The OAuth2 generic client authorize url. No defaults

The OAuth2 generic client token url. No defaults

The OAuth2 generic client end session endpoint. No defaults

The OAuth2 generic id path. No defaults

The OAuth2 generic user id path. No defaults

The OAuth2 generic user name. No defaults

The OAuth2 generic user email. No defaults

The scope of your OAuth2 provider. No defaults

The label of your OAuth2 provider. No defaults

The name of your OAuth2 provider. No defaults

Enables gravatar integration. Defaults totrue.

Sets a custom gravatar url. Defaults tohttp://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon. This can be used forLibravatar integration.

Same as above, but for https. Defaults tohttps://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon.

Sets the uid for usergit to the specified uid. Defaults to1000.

Sets the gid for groupgit to the specified gid. Defaults toUSERMAP_UID if defined, else defaults to1000.

Google Analytics ID. No defaults.

Sets the Piwik URL. No defaults.

Sets the Piwik site ID. No defaults.

Enables automatic uploads to an Amazon S3 instance. Defaults tofalse.

AWS region. No defaults.

AWS endpoint. No defaults.

AWS access key id. No defaults.

AWS secret access key. No defaults.

AWS bucket for backup uploads. No defaults.

Enables multipart uploads when file size reaches a defined size. See atAWS S3 Docs

Turns on AWS Server-Side Encryption. Defaults tofalse. See atAWS S3 Docs

Configure the storage class for the item. Defaults toSTANDARD See atAWS S3 Docs

Configure the storage signature version. Defaults to4 See atAWS S3 Docs

Enables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults tofalse.

GCS access key id. No defaults

GCS secret access key. No defaults

GCS bucket for backup uploads. No defaults

Location of customrobots.txt. Uses GitLab's defaultrobots.txt configuration by default. Seewww.robotstxt.org for examples.

Enable/disable rack middleware for blocking & throttling abusive requests Defaults totrue.

Always allow requests from whitelisted host.This should be a valid yaml sequence of host address. Each host address string must be a valid IP address that can be passed toIPAddr.new of ruby. Seeruby-lang reference for detail.If you need to set multiple hosts, set this parameter like["1.1.1.1","192.168.0.0/24"] for example.

environment:# pattern 1: `- key=value` style : you can specify array of hosts as is-RACK_ATTACK_WHITELIST=["1.1.1.1","192.168.0.0/24"]# pattern 2: `key: value` style : you must surround with quote, as the value of environment variable must not be an arrayRACK_ATTACK_WHITELIST:"['1.1.1.1','192.168.0.0/24']"

Defaults to["127.0.0.1"]

Number of failed auth attempts before which an IP should be banned. Defaults to10

Number of seconds before resetting the per IP auth attempt counter. Defaults to60.

Number of seconds an IP should be banned after too many auth attempts. Defaults to3600.

Timeout for gitlab workhorse http proxy. Defaults to5m0s.

Enables Error Reporting and Logging with Sentry. Defaults tofalse.

Sentry DSN. No defaults.

Sentry client side DSN. No defaults.

Sentry environment. Defaults toproduction.

All the above environment variables can be put into asecrets orconfig fileand then both docker-compose and Docker Swarm can import them into your gitlab container.

On startup, the gitlab container will source env vars from a config file labeledgitlab-config, and then a secrets file labeledgitlab-secrets (both mounted in the default locations).

See the examplecontrib/docker-swarm/docker-compose.yml file, and theexamplegitlab.configs andgitlab.secrets file.You may as well choose file names other than the example source files (gitlab.configs andgitlab.secrets) and updatethefile: ./gitlab.configs andfile: ./gitlab.secrets references accordingly. But do not alter the configkeysgitlab-configs andgitlab-secrets as they are currentlyhardcoded and thus must be kept as in the example.

If you're not using one of these files, then don't include its entry in the docker-compose file.

GitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.

Before taking a backup make sure the container is stopped and removed to avoid container name conflicts.

docker stop gitlab&& docker rm gitlab

Execute the rake task to create a backup.

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake gitlab:backup:create

A backup will be created in the backups folder of theData Store. You can change the location of the backups using theGITLAB_BACKUP_DIR configuration parameter.

P.S. Backups can also be generated on a running instance usingdocker exec as described in theRake Tasks section. However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.

When usingdocker-compose you may use the following command to execute the backup.

docker-compose rm -sf gitlabdocker-compose run --rm gitlab app:rake gitlab:backup:create

Afterwards you can bring your Instance back with the following command:

docker-compose up -d

GitLab also defines a rake task to restore a backup.

Before performing a restore make sure the container is stopped and removed to avoid container name conflicts.

docker stop gitlab&& docker rm gitlab

If this is a fresh database that you're doing the restore on, firstyou need to prepare the database:

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake db:setup

Execute the rake task to restore a backup. Make sure you run the container in interactive mode-it.

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake gitlab:backup:restore

The list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.

To avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using theBACKUP argument to the rake task.

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6

When usingdocker-compose you may use the following command to execute the restore.

docker-compose run --rm gitlab app:rake gitlab:backup:restore# List available backupsdocker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0# Choose to restore from 1515629493

SSH keys are not backed up in the normal gitlab backup process. Youwill need to backup thessh/ directory in the data volume by handand you will want to restore it prior to doing a gitlab restore.

The image can be configured to automatically take backupsdaily,weekly ormonthly using theGITLAB_BACKUP_SCHEDULE configuration option.

Daily backups are created atGITLAB_BACKUP_TIME which defaults to04:00 everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups.

By default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via theGITLAB_BACKUP_EXPIRY option.

The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add--env 'AWS_BACKUPS=true' to the docker run command. In additionAWS_BACKUP_REGION andAWS_BACKUP_BUCKET must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed throughAWS_BACKUP_ACCESS_KEY_ID andAWS_BACKUP_SECRET_ACCESS_KEY.

More details about the appropriate IAM user properties can found ondoc.gitlab.com

For remote backup to self-hosted s3 compatible storage, useAWS_BACKUP_ENDPOINT.

AWS uploads are performed alongside normal backups, both through the appropriateapp:rake command and when an automatic backup is performed.

The image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add--env 'GCS_BACKUPS=true' to the docker run command. In additionGCS_BACKUP_BUCKET must be properly configured to point to the desired GCS location.Finally a couple ofInteroperable storage access keys user must be created and their keys exposed throughGCS_BACKUP_ACCESS_KEY_ID andGCS_BACKUP_SECRET_ACCESS_KEY.

More details about the Cloud storage interoperability properties can found oncloud.google.com/storage

GCS uploads are performed alongside normal backups, both through the appropriateapp:rake command and when an automatic backup is performed.

Theapp:rake command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to theapp:rake command. For example, if you want to gather information about GitLab and the system it runs on.

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake gitlab:env:info

You can also usedocker exec to run rake tasks on running gitlab instance. For example,

dockerexec --user git -it gitlab bundleexec rake gitlab:env:info RAILS_ENV=production

Similarly, to import bare repositories into GitLab project instance

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake gitlab:import:repos

Or

dockerexec -it gitlab sudo -HEu git bundleexec rake gitlab:import:repos RAILS_ENV=production

For a complete list of available rake tasks please referhttps://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks or the help section of your gitlab installation.

P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.

To use theapp:rake command withdocker-compose use the following command.

## For stopped instancesdocker-compose run --rm gitlab app:rake gitlab:env:infodocker-compose run --rm gitlab app:rake gitlab:import:repos## For running instancesdocker-composeexec --user git gitlab bundleexec rake gitlab:env:info RAILS_ENV=productiondocker-composeexec gitlab sudo -HEu git bundleexec rake gitlab:import:repos RAILS_ENV=production

Copy all thebare git repositories to therepositories/ directory of thedata store and execute thegitlab:import:repos rake task like so:

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:18.2.0 app:rake gitlab:import:repos

Watch the logs and your repositories should be available into your new gitlab container.

SeeRake Tasks for more information on executing rake tasks.Usage when usingdocker-compose can also be found there.

Important Notice

Since GitLab release8.6.0 PostgreSQL users should enablepg_trgm extension on the GitLab database. Refer to GitLab'sPostgresql Requirements for more information

If you're usingsameersbn/postgresql then please upgrade tokkimurak/sameersbn-postgresql:16 or later and addDB_EXTENSION=pg_trgm,btree_gist to the environment of the PostgreSQL container (see:https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L21).

Please keep in mind that:

• As of version 13.7.0, the required PostgreSQL version is 12.x.
• As of version 16.0.0, the required PostgreSQL version is 13.x.
• As of version 17.0.0, the required PostgreSQL version is 14.x.
• As of version 18.0.0, the required PostgreSQL version is 16.x.

If you're using PostgreSQL image other than the above, please review sectionUpgrading PostgreSQL.

GitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.

To upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.

Note

Upgrading tosameersbn/gitlab:18.2.0 fromsameersbn/gitlab:7.x.x can cause issues. It is therefore required that you first upgrade tosameersbn/gitlab:8.0.5-1 before upgrading tosameersbn/gitlab:8.1.0 or higher.

• Step 1: Update the docker image.

docker pull sameersbn/gitlab:18.2.0

• Step 2: Stop and remove the currently running image

docker stop gitlabdocker rm gitlab

• Step 3: Create a backup

docker run --name gitlab -it --rm [OPTIONS] \    sameersbn/gitlab:x.x.x app:rake gitlab:backup:create

Replacex.x.x with the version you are upgrading from. For example, if you are upgrading from version6.0.0, setx.x.x to6.0.0

• Step 4: Start the image

Note: Since GitLab8.0.0 you need to provide theGITLAB_SECRETS_DB_KEY_BASE parameter while starting the image.

Note: Since GitLab8.11.0 you need to provide theGITLAB_SECRETS_SECRET_KEY_BASE andGITLAB_SECRETS_OTP_KEY_BASE parameters while starting the image. These should initially both have the same value as the contents of the/home/git/data/.secret file. SeeAvailable Configuration Parameters for more information on these parameters.

Note: Since Gitlab 13.7 you need to provide theGITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE parameter while starting the image. If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup ofsecrets.yml.

Note: Since Gitlab 17.8 you need to provideGITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY,GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY andGITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters,but you will lose the settings when you shutting down the container without taking a backup ofsecrets.yml and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.

docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.2.0

For debugging and maintenance purposes you may want access the containers shell. If you are using docker version1.3.0 or higher you can access a running containers shell usingdocker exec command.

dockerexec -it gitlab bash

You can monitor your GitLab instance status as described in theofficial documentation, for example:

curl'https://gitlab.example.com/-/liveness'

On success, the endpoint will return a200 HTTP status code, and a response like below.

{"status":"ok"}

To do that you will need to set the environment variableGITLAB_MONITORING_IP_WHITELIST to allow your IP or subnet to make requests to your GitLab instance.

You can also set yourdocker-compose.ymlhealthcheck configuration to make periodic checks:

services:gitlab:image:sameersbn/gitlab:18.2.0healthcheck:test:["CMD", "/usr/local/sbin/healthcheck"]interval:1mtimeout:5sretries:5start_period:2m

Then you will be able to consult the health check log by executing:

docker inspect --format"{{json .State.Health }}"$(docker-compose ps -q gitlab)| jq

• https://github.com/gitlabhq/gitlabhq
• https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md
• http://wiki.nginx.org/HttpSslModule
• https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
• https://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl
• https://github.com/jpetazzo/nsenter
• https://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/