Gitlab promox turnkey image version 17.1 from 6th April first login issue (not a duplicate) #1823
Description
Description
When using the latest turnkey gitlab turnkey CT image downloaded via templates debian-11-turnkey-gitlab_17.1-1_amd64.tar.gz I'm not able to login with root. When creating a new admin user via console you can login but wont be able to visit runners page nor save any changes done to settings. It would result in 500 internal server error.
How to reproduce
- Download turnkey template in proxmox
debian-11-turnkey-gitlab_17.1-1_amd64.tar.gz - Create CT with image
- Run the container and follow instructions
- Set Gitlab Root password
- Try to login to gitlab with root:
- Get gitlab 500 internal server error page
Check issue
Run gitlab-rake gitlab:doctor:secrets VERBOSE=1 via ssh console and see that ApplicationSettings failure exists
ApplicationSetting failures: 1
D, [2023-04-09T13:40:44.055247 #1733] DEBUG -- : - ApplicationSetting[1]: runners_registration_token, error_tracking_access_token
Side-Issue
- Gitlab version 15.10.0 is installed which has a security issue. Needed to do
apt update && apt upgradeafter applying fixes. - After applying fixes version check was disabled. used
gitlab-rails runner 'ApplicationSetting.last.update(version_check_enabled: true)'to enable them again
How to fix first time login issue
The commit for file conf.d/main implements resetting the runner token but is not enough. The command from the closed issue #1342 needs to be applied after deleting ApplicationSetting.first
The following commands fixed the first time login issue for me. After that i could login and rake doctor:secrets didnt gave me errors. Please note that I had 15.10.0 installed at the time beeing that was installed with the image and did not yet upgrade to latest 15.10.2.
$ export LC_ALL=C.UTF-8
$ echo -e 'ApplicationSetting.first.delete\n' | gitlab-rails console -e production
cat <<EOF | gitlab-rails dbconsole --database main
UPDATE projects SET runners_token = null, runners_token_encrypted = null;
UPDATE namespaces SET runners_token = null, runners_token_encrypted = null;
UPDATE application_settings SET runners_registration_token_encrypted = null;
UPDATE application_settings SET encrypted_ci_jwt_signing_key = null;
UPDATE ci_runners SET token = null, token_encrypted = null;
TRUNCATE integrations, chat_names, issue_tracker_data, jira_tracker_data, slack_integrations, web_hooks, zentao_tracker_data, web_hook_logs, dingtalk_tracker_data, slack_integrations_scopes;
EOF
$ gitlab-rails runner -e production "ApplicationSetting.current.reset_runners_registration_token!"
$ /usr/lib/inithooks/bin/gitlab.py --email="your@mail.com" --domain="your.externail-domain.com"
Running gitlab-rails runner -e production "ApplicationSetting.current.reset_runners_registration_token!" without deleting first application-setting results in /opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/encryptor-3.0.0/lib/encryptor.rb:98:in final': OpenSSL::Cipher::CipherError`. So the combination of the two is needed to fix this in my opinion.
Additional Suggestion
I assume the target audience for turnkey-gitlab is most likely in the private sector. When setting up the instance signup should be disabled. I recommend adding gitlab-rails runner 'ApplicationSetting.last.update(signup_enabled: false)' to conf.d/main would be a security improvement.
When finishing setting up the instance some can always enable this setting later.