Fixes after 20240410

150_gitlab/010_projects/slides.md

@@ -92,7 +92,7 @@ For example: repository, issues etc.
 
 ### Members
 
-Invite other users
+Invite users/groups
 
 Control role
 

150_gitlab/030_authentication/slides.md

@@ -83,7 +83,7 @@ User can pull but not push
 
 Deploy keys belong to a user who can be blocked <i class="fa-solid fa-face-scream"></i> [gitlab-org/gitlab#35779](https://gitlab.com/gitlab-org/gitlab/-/issues/35779)
 
-Find and fix deploy keys using Ruby code in rals console [](https://docs.gitlab.com/ee/user/project/deploy_keys/#identify-deploy-keys-associated-with-non-member-and-blocked-users)
+Find and fix deploy keys using Ruby code in rails console [](https://docs.gitlab.com/ee/user/project/deploy_keys/#identify-deploy-keys-associated-with-non-member-and-blocked-users)
 
 ```ruby
 DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
@@ -107,30 +107,26 @@ end
 
 ## Comparison
 
-| | Password | Personal Access Token | Personal SSH Key | Group Access Token | Group Deploy Token | Project Access Token | Project Deploy Token | Project SSH Key (0) |
+| | Password | Personal Access Token | Personal SSH Key | Group Access Token | Group Deploy Token | Project Access Token | Project Deploy Token | Project SSH Key |
 |-|-|-|-|-|-|-|-|-|
 | Access to Web UI            | Yes          | No      | No       | No          | No          | No      | No      | No          |
 | Access to API               | Indirect (1) | Yes     | No       | Yes (2)     | No          | Yes (3) | No      | No          |
 | Read git repository         | Yes          | Yes     | Yes      | Yes         | Yes         | Yes     | Yes     | Yes         |
 | Write git repository        | Yes          | Yes     | Yes      | Yes         | No          | Yes     | No      | No          |
 | Access CI variables         | Yes          | Yes (4) | No       | Yes (4)     | No          | Yes (4) | No      | No          |
 | Access scope                | User         | User    | User     | Group       | Group       | Project | Project | Project     |
+| Employee layoffs            | Yes          | Yes     | Yes      | No          | No          | No      | No      | Yes         |
 | Credential reuse (5)        | Possible     | No      | Possible | No          | No          | No      | No      | Possible    |
 | Impact of security incident | High         | High    | High     | Medium      | Medium      | Low     | Low     | Medium      |
 | Recommendation              | No           | No      | No       | Limited (6) | Limited (6) | Yes     | Yes     | Limited (6) |
 
 <!-- .element: style="font-size: large;" -->
 
-(0) XXX
+- (1) Username and password can be used to retrieve a personal access token
+- (2) Group only
+- (3) Project only
+- (4) API only
+- (5) Can be used for multiple accounts and on multiple systems
+- (6) Acceptable for automation to avoid many project credentials
 
-(1) Username and password can be used to retrieve a personal access token
-
-(2) Group only
-
-(3) Project only
-
-(4) API only
-
-(5) Can be used for multiple accounts and on multiple systems
-
-(6) Acceptable for automation to avoid many project credentials
+<!-- .element: style="font-size: smaller;" -->

150_gitlab/060_api/slides.md

@@ -142,4 +142,4 @@ Rotation API introduced in GitLab 16.0 (May 2023)
 
 Automatic reuse detection [](https://docs.gitlab.com/ee/api/personal_access_tokens.html#automatic-reuse-detection) prevents use of rotated tokens:
 
-- Use of old tokens result in revocation of latest token
+- Use of old tokens for rotation results in revocation of whole token family

150_gitlab/090_maintenance/slides.md

@@ -28,9 +28,11 @@ Switch GitLab into read-only mode [<i class="fa-solid fa-arrow-up-right-from-squ
 
 <i class="fa-brands fa-git-alt fa-4x" style="float: right;"></i>
 
-Configure under Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Settings <i class="fa-regular fa-arrow-right"></i> Repository <i class="fa-regular fa-arrow-right"></i> Repository Maintenance
+Automatically optimize git repositories [](https://docs.gitlab.com/ee/administration/housekeeping.html), especially...
+- Compress objects and revisions
+- Remove unreachable objects
 
-Regular execution of...
-- `git fsck`
-- `git repack` (incremental and full)
-- `git gc`
+Configure under Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Settings <i class="fa-regular fa-arrow-right"></i> Repository <i class="fa-regular fa-arrow-right"></i> Repository Maintenance
+- Enable repository checks (default)
+- Enable housekeeping (default)
+- Configure optimization period (default: 10 pushes)

150_gitlab/100_reverse_proxy/compose.yml

@@ -60,11 +60,12 @@ services:
 
         gitlab_pages['enable'] = true
         pages_external_url 'http://gitlab.${DOMAIN:?You must supply DOMAIN}'
-        # Required due to https://gitlab.com/gitlab-org/gitlab-pages/issues/129
-        gitlab_pages['inplace_chroot'] = true
         # Set listen-proxy when behind reverse proxy. see https://docs.gitlab.com/ee/administration/pages/#configure-listener-for-reverse-proxy-requests
         gitlab_pages['listen_proxy'] = "0.0.0.0:8090"
-        # Fix for https://gitlab.com/gitlab-org/gitlab-pages/-/issues/534
+        # Required due to https://gitlab.com/gitlab-org/gitlab-pages/issues/129
+        # "chroot bind mount breaks containerised Omnibus deployment"
+        gitlab_pages['inplace_chroot'] = true
+        # Fix for https://gitlab.com/gitlab-org/gitlab-pages/-/issues/534 causing failed DNS queries
         gitlab_pages['internal_gitlab_server'] = "http://127.0.0.1"
 
         # Prevent conflict with host SSH port

150_gitlab/100_reverse_proxy/slides.md

@@ -22,6 +22,10 @@ Docker
 
 Template [](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template)
 
+### Alternative
+
+Community container image [](https://github.com/sameersbn/docker-gitlab)
+
 ---
 
 ## Reverse Proxy in front of GitLab
@@ -49,6 +53,7 @@ Deploy using `docker compose` v2:
 # Clone repository with slides and demos
 git clone https://github.com/nicholasdille/container-slides
 cd container-slides/150_gitlab/100_reverse_proxy
+git pull
 
 # Remove existing instance of GitLab
 docker rm -f gitlab
@@ -62,7 +67,7 @@ Your VM has the necessary environment variables: `DOMAIN` and `IP`
 Extract password (or [reset](#/gitlab_troubleshooting)):
 
 ```bash
-docker compose --project-name gitlab exec gitlab
+docker compose --project-name gitlab exec gitlab \
     cat /etc/gitlab/initial_root_password \
     | grep ^Password | cut -d' ' -f2
 ```
@@ -83,6 +88,9 @@ Purge data by removing volumes:
 docker volume rm gitlab_config
 docker volume rm gitlab_logs
 docker volume rm gitlab_data
+docker volume create gitlab_config
+docker volume create gitlab_logs
+docker volume create gitlab_data
 ```
 
 A fresh instance has a new initial root password

150_gitlab/135_integrations/compose.yml

@@ -3,21 +3,21 @@
 services:
 
   kroki:
-    image: yuzutech/kroki:0.17.0
+    image: yuzutech/kroki:0.25.0
     environment:
       KROKI_BLOCKDIAG_HOST: blockdiag
       KROKI_MERMAID_HOST: mermaid
       KROKI_BPMN_HOST: bpmn
       KROKI_EXCALIDRAW_HOST: excalidraw
 
   blockdiag:
-    image: yuzutech/kroki-blockdiag:0.17.0
+    image: yuzutech/kroki-blockdiag:0.25.0
 
   mermaid:
-    image: yuzutech/kroki-mermaid:0.17.0
+    image: yuzutech/kroki-mermaid:0.25.0
 
   bpmn:
-    image: yuzutech/kroki-bpmn:0.17.0
+    image: yuzutech/kroki-bpmn:0.25.0
 
   excalidraw:
-    image: yuzutech/kroki-excalidraw:0.17.0
+    image: yuzutech/kroki-excalidraw:0.25.0

150_gitlab/140_troubleshooting/slides.md

@@ -41,7 +41,8 @@ But you have access to the console
 Use `gitlab-rake`:
 
 ```bash
-docker exec -it gitlab gitlab-rake "gitlab:password:reset[root]"
+docker exec -it gitlab \
+    gitlab-rake "gitlab:password:reset[root]"
 ```
 
 ---
@@ -72,7 +73,9 @@ ssh -Tvvv -i id_rsa git@gitlab.<DOMAIN>
 Find user for given SSH key fingerprint:
 
 ```bash
-curl --silent --header "Private-Token: admin-private-token" https://gitlab.haufedev.systems/api/v4/keys?fingerprint=d0:6d:2e:bb:fb:27:f1:6e:80:6c:16:b2:be:c6:d8:00 | jq
+curl --silent --header "Private-Token: admin-private-token" \
+    https://gitlab.example.com/api/v4/keys?fingerprint=d0:6d:2e:bb:fb:27:f1:6e:80:6c:16:b2:be:c6:d8:00 \
+| jq
 ```
 
 ---
@@ -96,10 +99,11 @@ curl -sH "Private-Token: <TOKEN>" http://gitlab.<DOMAIN>/api/v4/user \
 Example for group access token (group ID 6):
 
 ```bash
-curl -sH "Private-Token: <TOKEN>" http://gitlab.<DOMAIN>/api/v4/user | jq -r .username
+curl -sH "Private-Token: <TOKEN>" http://gitlab.<DOMAIN>/api/v4/user \
+| jq -r .username
 group_6_bot
 ```
 
 ### Deploy Token
 
-No known way to find group or project
+No known way to find group or project... except for log parsing for requests

150_gitlab/150_update/slides.md

@@ -37,4 +37,4 @@ You must update to every minor version due to schema updates
 1. Update `compose.yml` in 100_reverse_proxy<br>with new image `gitlab/gitlab-ce:16.9.2-ce.0`
 1. Run deployment from [reverse proxy section](#/gitlab_traefik)
 
-(Minor update to v15.10.0 possible.)
+(Minor update to v16.10.0 possible.)

150_gitlab/160_runner/slides.md

@@ -24,15 +24,17 @@ Jobs select runners by specifying a tag
 
 ---
 
-## Heads-up
+## Heads-up: New runner registration
 
-New runner registration process [](https://docs.gitlab.com/ee/architecture/blueprints/runner_tokens/)
+<i class="fa-duotone fa-person-running fa-4x fa-duotone-colors" style="float: right;"></i>
+
+Available since 15.10 [](https://docs.gitlab.com/ee/architecture/blueprints/runner_tokens/)
 
 New default in 16.0 (May 2023)
 
-Enforcement in 16.6 (November 2023)
+Old runner registration behind disabled feature flag in 17.0
 
-Removal of old runner registration in 17.0 (May 2024)
+Removal of old runner registration in 18.0 (May 2025)
 
 ### Old process
 
@@ -42,7 +44,7 @@ Credential leak causes a lot of work
 
 ### New process [](https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html)
 
-Create a runner through the UI or the API
+Create a runner through the UI [](https://docs.gitlab.com/ee/ci/runners/runners_scope.html) or the API [](https://docs.gitlab.com/ee/api/users.html#create-a-runner-linked-to-a-user)
 
 One token per runner
 
@@ -81,7 +83,7 @@ docuum [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://github.c
     cd ../160_runners
 
     # Deploy GitLab runner
-    export CI_SERVER_URL=https://gitlab.inmylab.de
+    export CI_SERVER_URL=https://gitlab.seat<N>.inmylab.de
     export CI_SERVER_TOKEN=<TOKEN>
     export RUNNER_EXECUTOR=docker
     docker compose --project-name gitlab \

150_gitlab/170_monitoring/compose.yml

@@ -1,7 +1,7 @@
 services:
 
   grafana:
-    image: grafana/grafana:10.2.2
+    image: grafana/grafana:10.2.6
     environment:
       GF_SECURITY_ADMIN_USER: seat
       GF_SECURITY_ADMIN_PASSWORD: "${SEAT_PASS:?You must supply SEAT_PASS}"

150_gitlab/170_monitoring/slides.md

@@ -12,7 +12,7 @@
 
 GitLab ships with Prometheus [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/omnibus/settings/grafana.html)
 
-Grafana was removed in 16.3.0 (May 2023) [](https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=16.3#bundled-grafana-deprecated-and-disabled)
+Grafana was removed in 16.3.0 (August 2023) [](https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=16.3#bundled-grafana-deprecated-and-disabled)
 
 All components expose metrics
 

150_gitlab/180_components/compose.yml

@@ -17,7 +17,7 @@ volumes:
 services:
 
   gitlab:
-    image: gitlab/gitlab-ee:16.5.2-ee.0
+    image: gitlab/gitlab-ee:16.9.2-ee.0
     environment:
       # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
       GITLAB_OMNIBUS_CONFIG: |
@@ -73,7 +73,7 @@ services:
       traefik.tcp.routers.ssh.service: ssh
 
   db:
-    image: gitlab/gitlab-ee:16.5.2-ee.0
+    image: gitlab/gitlab-ee:16.9.2-ee.0
     environment:
       # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
       GITLAB_OMNIBUS_CONFIG: |
@@ -110,7 +110,7 @@ services:
     - postgres-log:/var/log/gitlab
 
   redis:
-    image: gitlab/gitlab-ee:16.5.2-ee.0
+    image: gitlab/gitlab-ee:16.9.2-ee.0
     environment:
       # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
       GITLAB_OMNIBUS_CONFIG: |
@@ -137,7 +137,7 @@ services:
     - redis-log:/var/log/gitlab
 
   gitaly:
-    image: gitlab/gitlab-ee:16.5.2-ee.0
+    image: gitlab/gitlab-ee:16.9.2-ee.0
     environment:
       # https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
       GITLAB_OMNIBUS_CONFIG: |

150_gitlab/190_database/slides.md

@@ -6,6 +6,30 @@
 
 ---
 
+## Database
+
+<i class="fa-duotone fa-database fa-4x fa-duotone-colors" style="float: right;"></i>
+
+Only PostgreSQL is supported [](https://docs.gitlab.com/omnibus/settings/database.html)
+- Packaged Linux packages as well as Docker
+- External instances are supported [](https://docs.gitlab.com/omnibus/settings/database.html#using-a-non-packaged-postgresql-database-management-server)
+
+Mind the version requirements [](https://docs.gitlab.com/ee/install/requirements.html#postgresql-requirements)
+
+### Multiple connections since v16
+
+GitLab is preparing a separate database for CI/CD features
+
+Two connections to single database since 16.0 (May 2023)
+
+Disable second connection to single database [](https://docs.gitlab.com/omnibus/settings/database.html#configuring-multiple-database-connections)
+
+Separate database required in 18.0 (May 2025)
+
+Migration to second database is not ready for production yet [](https://docs.gitlab.com/ee/administration/postgresql/multiple_databases.html)
+
+---
+
 ## Important database tables
 
 <i class="fa-duotone fa-database fa-4x fa-duotone-colors" style="float: right;"></i>