path: root/internal
Commit message | Author | Age | Files | Lines

* reference kex and mac algo constants (marshall_algo-consts) | Marshall Cottrell | 2022-05-23 | 2 | -14/+14
    Depends on gitlab-org/golang-crypto!5
* Close the connection when context is canceled | Igor Drozdov | 2022-05-23 | 2 | -6/+43
    When graceful shutdown timeout expires, the global context is canceled. All the operations dependent on it are canceled as well. Unfortunately, some of the operations don't respect the context. For example, SSH connection initialization. In this case, we need to manually close the connection. One of the options is to wait for ctx.Done() and close the connection.

* Move connection init into connection.go | Igor Drozdov | 2022-05-23 | 3 | -69/+78

* Return support for diffie-hellman-group14-sha1 | Igor Drozdov | 2022-05-23 | 1 | -0/+1
    It seems that a lot of users rely on this, let's return it and deprecate it later to make the migration less disruptive.

* Downgrade auth EOF messages from warning to debug | Igor Drozdov | 2022-05-21 | 1 | -1/+1
    The errors happen when a client closes a connection on handshake. They can be ignored to avoid noise.

* Exclude Gitaly unavailable error from error rate | Igor Drozdov | 2022-05-21 | 4 | -24/+26
    When a user hits repository rate limit, Gitaly returns an error that the request can't be handled (Gitaly unavailable). We should avoid this error to avoid exceeding the error rate.

* Display consistently in gitlab-sshd and gitlab-shell | Igor Drozdov | 2022-05-21 | 4 | -18/+31
    - Use console package to format the errors in gitlab-sshd
    - Suppress internal Gitaly errors in client output
* Merge branch 'sh-downgrade-host-key-errors' into 'main' | Igor Drozdov | 2022-05-21 | 1 | -2/+15
    Downgrade host key mismatch messages from warning to debug
    See merge request gitlab-org/gitlab-shell!639

* Downgrade handleConn start message to debug | Stan Hu | 2022-05-20 | 1 | -1/+1
    This message doesn't provide that much value, so let's just drop it.

* Downgrade host key mismatch messages from warning to debug | Stan Hu | 2022-05-20 | 1 | -1/+14
    In production, we often see SSH key scans requesting host key algorithms that we don't support, such as `sk-ssh-ed25519@openssh.com` or `sk-ecdsa-sha2-nistp256@openssh.com`. These messages might be useful if someone forgets to configure a host key that should be supported, but most of the time they are noise.

    This commit downgrades these messages to DEBUG.

    Relates to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/581

    Changelog: changed

* Introduce a GitLab-SSHD server version during handshake | Hendrik Meyer | 2022-05-21 | 1 | -0/+1
* Narrow supported kex algorithms | Igor Drozdov | 2022-05-20 | 2 | -19/+22
    We don't support diffie-hellman-group14-sha1 via OpenSSH currently. Let's avoid introducing it in gitlab-sshd because it's using a weak hashing algorithm.

* Make ProxyHeaderTimeout configurable | Igor Drozdov | 2022-05-19 | 4 | -8/+11
    Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/576

    ProxyHeaderTimeout must be small to avoid DoS risk. Let's make the value configurable and 500ms by default.

* Allow specifying formatted durations in config | Igor Drozdov | 2022-05-19 | 6 | -29/+74
    - If an integer is specified, we assume that these are seconds
    - A duration of format "500ms", "10s", "1m", etc. is accepted

* Allow configuring SSH server algorithms | Igor Drozdov | 2022-05-19 | 3 | -0/+86
    MACs, Ciphers and KEX algorithms can now be configured. If the values are empty, reasonable defaults are used.

* Exclude API errors from error rate | Igor Drozdov | 2022-05-18 | 2 | -1/+17
    When API isn't responsible or the resource is not accessible (returns 404 or 403), then we shouldn't consider it as an error on gitlab-sshd side.

* Log canceled requests into separate metrics | Igor Drozdov | 2022-05-17 | 4 | -2/+53
    When a request gets canceled we don't want to consider it an error.

* Wait until all Gitaly sessions are executed | Igor Drozdov | 2022-05-17 | 2 | -6/+15
    If they haven't been executed within a timeout, we unblock the execution.

    Issue: https://gitlab.com/gitlab-org/gitlab-shell/-/issues/563

    We have an issue when a lot of git clone operations get canceled. It was assumed that some clients close the connection just after all the data has been received from Git server. If there was a network delay and gitlab-sshd hadn't managed to gracefully close the connection, context gets canceled and Gitaly cancels the execution and returns the error.

    Let's wait for a period to allow Gitaly to gracefully complete the operation.
* Return error from session handler | Igor Drozdov | 2022-05-16 | 5 | -63/+96

* Implement ClientKeepAlive option | Igor Drozdov | 2022-05-12 | 5 | -19/+95
    Git clients sometimes open a connection and leave it idling, like when compressing objects. Settings like timeout client in HAProxy might cause these idle connections to be terminated. Let's send the keepalive message in order to prevent a client from closing.

* Merge branch 'id-sync-sshd-sessions' into 'main' | Patrick Bajao | 2022-05-11 | 1 | -0/+2
    Log the error that happens on sconn.Wait()
    See merge request gitlab-org/gitlab-shell!613

* Log the error that happens on sconn.Wait() | Igor Drozdov | 2022-05-06 | 1 | -0/+2
    Warning level is used because a non-nil error is logged even for successful scenarios. We plan to use it for debug reasons.

* Merge branch 'id-make-proxy-policy-configurable' into 'main' | Stan Hu | 2022-05-10 | 3 | -15/+110
    Make PROXY policy configurable
    See merge request gitlab-org/gitlab-shell!619

* Make PROXY policy configurable | Igor Drozdov | 2022-05-10 | 3 | -15/+110
    It would give us more flexibility when we decide to enable PROXY protocol.

* Merge branch 'id-improve-errors-metrics' into 'main' | Stan Hu | 2022-05-10 | 2 | -15/+14
    Exclude authentication errors from error rate
    See merge request gitlab-org/gitlab-shell!611

* Exclude authentication errors from apdex | Igor Drozdov | 2022-05-10 | 2 | -15/+14
    Most of the time a connection fails due to the client's misconfiguration or when a client cancels a request, so we shouldn't treat them as an error. Warnings will help us to track the errors whether they happened on the server-side.

* Merge branch 'sh-fix-remote-addr-handling' into 'main' | Igor Drozdov | 2022-05-09 | 2 | -1/+89
    Fix check_ip argument when gitlab-sshd used with PROXY protocol
    See merge request gitlab-org/gitlab-shell!616

* Fix check_ip argument when gitlab-sshd used with PROXY protocol | Stan Hu | 2022-05-09 | 2 | -1/+89
    When gitlab-sshd was used with the PROXY protocol, the `check_ip` argument passed to `/api/v4/internal/allowed` was the Go remote address, which is a host and port combination (e.g. 127.0.0.1:12345). As a result, this prevents IP restrictions from working properly on Rails.

    We fix this by stripping out the port if it is present. When OpenSSH is used, this is not an issue because the IP address is extracted from `SSH_CONNECTION`.

    Changelog: fixed
* Use labkit for FIPS check | Igor Drozdov | 2022-05-05 | 2 | -32/+0
    New version of LabKit provides FIPS checks that we can use instead of the custom code.

* Always use Gitaly sidechannel connections | Jacob Vosmaer | 2022-05-02 | 12 | -175/+41
    Before this change, the GitLab internal API could use a boolean response field to indicate whether gitlab-shell should make sidechannel connections to Gitaly. We now ignore that response field and always use sidechannel connections.

* Merge branch '541_remove_self_signed_cert_option' into 'main' | Igor Drozdov | 2022-04-26 | 1 | -2/+0
    Remove `self_signed_cert` option
    See merge request gitlab-org/gitlab-shell!602

* Remove `self_signed_cert` option | Vasilii Iakliushin | 2022-04-22 | 1 | -2/+0
    Contributes to https://gitlab.com/gitlab-org/gitlab-shell/-/issues/541

    Changelog: removed

* Merge branch 'feat/status-rwmutex' into 'main' | Igor Drozdov | 2022-04-26 | 1 | -3/+3
    feat: replace status mutex with RWMutex
    See merge request gitlab-org/gitlab-shell!604

* feat: replace status mutex with RWMutex | feistel | 2022-04-22 | 1 | -3/+3

* Revert "Abort long-running unauthenticated SSH connections" | Igor Drozdov | 2022-04-25 | 3 | -51/+1
    This reverts commit 3a2c8f2c47774a35d840ec8baf54341beede5d43.

* Fix typo in FIPS mode message | Stan Hu | 2022-04-19 | 1 | -1/+1
    Rename Gitaly -> gitlab-shell
* Add support for FIPS encryption | Stan Hu | 2022-04-18 | 2 | -0/+32
    This commit adds support of using a FIPS-validated SSL library with compiled Go executables when `FIPS_MODE=1 make` is run. A Go compiler that supports BoringSSL either directly (e.g. the `dev.boringcrypto` branch) or with a dynamically linked OpenSSL (e.g. https://github.com/golang-fips/go) is required.

    This is similar to the changes to support FIPS in GitLab Runner and in GitLab Pages: https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/716

    Changelog: added

* Add additional metrics to gitlab-sshd | Igor Drozdov | 2022-04-13 | 6 | -26/+78
    - Observe time to establish a session
    - Log the duration of the successfully established connection
    - Observe total time to handle the connection
    - Log the duration of the successfully executed connection
    - Observe the count of ssh connections
    - Observe the count of failed ssh connections

* Fix connections duration metrics | Igor Drozdov | 2022-04-05 | 1 | -4/+4
    We need to pass time.Now as a param, otherwise it's calculated on call.

* Improve login grace timeout message | Igor Drozdov | 2022-03-31 | 1 | -1/+1

* Abort long-running unauthenticated SSH connections | Igor Drozdov | 2022-03-30 | 3 | -1/+50

* Merge branch 'id-reuse-grpc-connections-and-sidechannel' into 'main' | Igor Drozdov | 2022-03-18 | 10 | -148/+329
    Reuse Gitaly connections and sidechannel
    See merge request gitlab-org/gitlab-shell!575

* Reuse Gitaly conns and Sidechannel | Igor Drozdov | 2022-03-07 | 10 | -148/+329
    When gitlab-sshd has been introduced we've started running our own SSH server. In this case we're able to cache and reuse Gitaly connections and Registry. It helps to reduce memory usage.

* Default to info level for an empty log-level | Nick Thomas | 2022-03-15 | 2 | -3/+13
    I'd assumed that the `omitempty` directive for LogLevel in internal/config/config.go would get us this behaviour. If it did, we wouldn't have had to specify the default twice.

    Unfortunately, it doesn't, which is to say that given a config file like:

    ```
    log_level:
    ```

    The default *is* overridden by the empty string. It's an easy enough fix.

    Changelog: fixed
* Add more metrics for gitlab-sshd | Igor Drozdov | 2022-02-21 | 4 | -26/+84
    - Counter of HTTP merge requests
    - Gauge of HTTP requests currently being performed
    - Gauge of connections currently handled by gitlab sshd

* Handle and log unhandled errors | Igor Drozdov | 2022-02-02 | 3 | -11/+23
    Currently, we don't process the results of this execution, because it's not really important. Let's at least log the err if the execution went wrong.

    That will also make Vulnerability report happy.

* Optionally use SSHUploadPackWithSidechannel | Jacob Vosmaer | 2022-01-25 | 7 | -15/+106
    If the GitLab API returns an allowed response with use_sidechannel set to true, gitlab-shell will establish a sidechannel connection and use SSHUploadPackWithSidechannel instead of SSHUploadPack. This is an efficiency improvement.

* Support parsing `use_sidechannel` API response field | Jacob Vosmaer | 2022-01-25 | 3 | -4/+63
    This field will act as a feature flag that controls whether gitlab-shell uses the old SSHUploadPack RPC or the new SSHUploadPackWithSidechannel.

* Refactor client response tests | Jacob Vosmaer | 2022-01-20 | 1 | -44/+40
    This reduces coupling between tests in internal/gitlabnet/accessverifier/client_test.go, and will make it easier to add new test cases in the future.

    Note that the test server had a special behavior for the username "second", but this was never used. So we removed that behavior in this commit.

* Remove SSL_CERT_DIR logging (id-remove-ssl-cert-dir-logging) | Igor Drozdov | 2021-11-23 | 1 | -4/+0
    This log entry doesn't respect log level, because the log level is configured after this logging happens.