Skip to content
GitLab

Upgrading GitLab (FREE SELF)

Upgrading GitLab is a relatively straightforward process, but the complexity can increase based on the installation method you have used, how old your GitLab version is, if you're upgrading to a major version, and so on.

Make sure to read the whole page as it contains information related to every upgrade method.

The maintenance policy documentation has additional information about upgrading, including:

  • How to interpret GitLab product versioning.
  • Recommendations on what release to run.
  • How we use patch and security patch releases.
  • When we backport code changes.

Upgrade based on installation method

Depending on the installation method and your GitLab version, there are multiple official ways to upgrade GitLab:

Linux packages (Omnibus)

The package upgrade guide contains the steps needed to upgrade a package installed by official GitLab repositories.

There are also instructions when you want to upgrade to a specific version.

Self-compiled installation

In the past we used separate documents for the upgrading instructions, but we have switched to using a single document. The old upgrading guidelines can still be found in the Git repository:

Installation using Docker

GitLab provides official Docker images for both Community and Enterprise editions, and they are based on the Omnibus package. See how to install GitLab using Docker.

Installation using Helm

GitLab can be deployed into a Kubernetes cluster using Helm. Instructions on how to upgrade a cloud-native deployment are in a separate document.

Use the version mapping from the chart version to GitLab version to determine the upgrade path.

Plan your upgrade

See the guide to plan your GitLab upgrade.

Check for background migrations before upgrading

Certain releases may require different migrations to be finished before you upgrade to the newer version.

For more information, see background migrations.

Dealing with running CI/CD pipelines and jobs

If you upgrade your GitLab instance while the GitLab Runner is processing jobs, the trace updates fail. When GitLab is back online, the trace updates should self-heal. However, depending on the error, the GitLab Runner either retries, or eventually terminates, job handling.

As for the artifacts, the GitLab Runner attempts to upload them three times, after which the job eventually fails.

To address the above two scenarios, it is advised to do the following prior to upgrading:

  1. Plan your maintenance.

  2. Pause your runners or block new jobs from starting by adding following to your /etc/gitlab/gitlab.rb:

    nginx['custom_gitlab_server_config'] = "location /api/v4/jobs/request {\n deny all;\n return 503;\n}\n"

    And reconfigure GitLab with:

    sudo gitlab-ctl reconfigure

  3. Wait until all jobs are finished.

  4. Upgrade GitLab.

  5. Upgrade GitLab Runner to the same version as your GitLab version. Both versions should be the same.

  6. Unpause your runners and unblock new jobs from starting by reverting the previous /etc/gitlab/gitlab.rb change.

Checking for pending advanced search migrations (PREMIUM SELF)

This section is only applicable if you have enabled the Elasticsearch integration (PREMIUM SELF).

Major releases require all advanced search migrations to be finished from the most recent minor release in your current version before the major version upgrade. You can find pending migrations by running the following command.

::Tabs

:::TabTitle Linux package (Omnibus)

sudo gitlab-rake gitlab:elastic:list_pending_migrations

:::TabTitle Self-compiled (source)

cd /home/git/gitlab
sudo -u git -H bundle exec rake gitlab:elastic:list_pending_migrations

::EndTabs

What do you do if your advanced search migrations are stuck?

In GitLab 15.0, an advanced search migration named DeleteOrphanedCommit can be permanently stuck in a pending state across upgrades. This issue is corrected in GitLab 15.1.

If you are a self-managed customer who uses GitLab 15.0 with advanced search, you will experience performance degradation. To clean up the migration, upgrade to 15.1 or later.

For other advanced search migrations stuck in pending, see how to retry a halted migration.

If you upgrade GitLab before all pending advanced search migrations are completed, any pending migrations that have been removed in the new version cannot be executed or retried. In this case, you must re-create your index from scratch.

What do you do for the error Elasticsearch version not compatible

Confirm that your version of Elasticsearch or OpenSearch is compatible with your version of GitLab.

Upgrading without downtime

Read how to upgrade without downtime.

Upgrading to a new major version

Upgrading the major version requires more attention. Backward-incompatible changes are reserved for major versions. Follow the directions carefully as we cannot guarantee that upgrading between major versions is seamless.

A major upgrade requires the following steps:

  1. Identify a supported upgrade path.
  2. Ensure that any background migrations have been fully completed before upgrading to a new major version.
  3. If you have enabled the Elasticsearch integration, then before proceeding with the major version upgrade, ensure that all advanced search migrations are completed.
  4. If your GitLab instance has any runners associated with it, it is very important to upgrade them to match the current GitLab version. This ensures compatibility with GitLab versions.

Upgrade paths

Upgrading across multiple GitLab versions in one go is only possible by accepting downtime. If you don't want any downtime, read how to upgrade with zero downtime.

For a dynamic view of examples of supported upgrade paths, try the Upgrade Path tool maintained by the GitLab Support team. To share feedback and help improve the tool, create an issue or MR in the upgrade-path project.

When upgrading:

  1. Find where your version sits in the upgrade path:

  2. Check for required upgrade stops.

  3. Consult the version-specific upgrade instructions.

  4. Upgrade GitLab accordingly.

NOTE: When not explicitly specified, upgrade GitLab to the latest available patch release of the major.minor release rather than the first patch release, for example 13.8.8 instead of 13.8.0. This includes major.minor versions you must stop at on the upgrade path as there may be fixes for issues relating to the upgrade process. Specifically around a major version, crucial database schema and migration patches may be included in the latest patch releases.

Required upgrade stops

Required upgrade stops are versions of GitLab that you must upgrade to before upgrading to later versions. Required upgrade stops allow required background migrations to finish.

During GitLab 16.x, we are scheduling two or three required upgrade stops. We will give at least two milestones of notice when we schedule a required upgrade stop.

The first planned required upgrade stop is scheduled for GitLab 16.3. If nothing is introduced requiring an upgrade stop, GitLab 16.3 will be treated as a regular upgrade.

Earlier GitLab versions

For information on upgrading to earlier GitLab versions, see the documentation archives. The versions of the documentation in the archives contain version-specific information for even earlier versions of GitLab.

For example, the documentation for GitLab 15.11 contains information on versions back to GitLab 12.

Upgrading between editions

GitLab comes in two flavors: Community Edition which is MIT licensed, and Enterprise Edition which builds on top of the Community Edition and includes extra features mainly aimed at organizations with more than 100 users.

Below you can find some guides to help you change GitLab editions.

Community to Enterprise Edition

NOTE: The following guides are for subscribers of the Enterprise Edition only.

If you wish to upgrade your GitLab installation from Community to Enterprise Edition, follow the guides below based on the installation method:

  • Source CE to EE upgrade guides - The steps are very similar to a version upgrade: stop the server, get the code, update configuration files for the new functionality, install libraries and do migrations, update the init script, start the application and check its status.
  • Omnibus CE to EE - Follow this guide to upgrade your Omnibus GitLab Community Edition to the Enterprise Edition.
  • Docker CE to EE - Follow this guide to upgrade your GitLab Community Edition container to an Enterprise Edition container.
  • Helm chart (Kubernetes) CE to EE - Follow this guide to upgrade your GitLab Community Edition Helm deployment to Enterprise Edition.

Enterprise to Community Edition

To downgrade your Enterprise Edition installation back to Community Edition, you can follow this guide to make the process as smooth as possible.

Version-specific upgrading instructions

Each month, major or minor as well as possibly patch releases of GitLab are published along with a release post. You should read the release posts for all versions you're passing over. At the end of major and minor release posts, there are three sections to look for specifically:

  • Deprecations
  • Removals
  • Important notes on upgrading

These include:

  • Steps you must perform as part of an upgrade. For example 8.12 required the Elasticsearch index to be recreated. Any older version of GitLab upgrading to 8.12 or later would require this.
  • Changes to the versions of software we support such as ceasing support for IE11 in GitLab 13.

Apart from the instructions in this section, you should also check the installation-specific upgrade instructions, based on how you installed GitLab:

NOTE: Specific information that follow related to Ruby and Git versions do not apply to Omnibus installations and Helm Chart deployments. They come with appropriate Ruby and Git versions and are not using system binaries for Ruby and Git. There is no need to install Ruby or Git when utilizing these two approaches.

GitLab 16

Before upgrading, see GitLab 16 changes.

15.11.1

  • Many project importers and group importers now require the Maintainer role instead of only requiring the Developer role. For more information, see the documentation for any importers you use.
  • Geo: Some project imports do not initialize wiki repositories on project creation. Since the migration of project wikis to SSF, missing wiki repositories are being incorrectly flagged as failing verification. This is not a result of an actual replication/verification failure but an invalid internal state for these missing repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for these wiki repositories. If you have not imported projects you are not impacted by this issue.
    • Impacted versions: GitLab versions 15.11.x, 16.0.x, and 16.1.0 - 16.1.2.
    • Versions containing fix: GitLab 16.1.3 and later.
  • Geo: A bug in the built-in pg-upgrade tool prevents upgrading the bundled PostgreSQL database to version 13. This leaves the secondary site in a broken state, and prevents upgrading the Geo installation to GitLab 16.x (PostgreSQL 12 support has removed in 16.0 and later releases). This occurs on secondary sites using the bundled PostgreSQL software, running both the secondary main Rails database and tracking database on the same node. There is a manual workaround for those impacted until a fix is backported to 15.11.
    • Impacted versions: GitLab versions 15.2 - 15.11
    • Versions containing fix: 15.11.12 and later.
    • Version 16.0 and later are not impacted. Note, 15.11 is a mandatory upgrade stop on the way to 16.0.

15.11.0

  • Upgrade to patch release 15.11.3 or later. This avoids issue 408304 when upgrading from 15.5.0 and earlier.
  • Geo: Some project imports do not initialize wiki repositories on project creation. Since the migration of project wikis to SSF, missing wiki repositories are being incorrectly flagged as failing verification. This is not a result of an actual replication/verification failure but an invalid internal state for these missing repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for these wiki repositories. If you have not imported projects you are not impacted by this issue.
    • Impacted versions: GitLab versions 15.11.x, 16.0.x, and 16.1.0 - 16.1.2.
    • Versions containing fix: GitLab 16.1.3 and later.
  • Geo: A bug in the built-in pg-upgrade tool prevents upgrading the bundled PostgreSQL database to version 13. This leaves the secondary site in a broken state, and prevents upgrading the Geo installation to GitLab 16.x (PostgreSQL 12 support has removed in 16.0 and later releases). This occurs on secondary sites using the bundled PostgreSQL software, running both the secondary main Rails database and tracking database on the same node. There is a manual workaround for those impacted until a fix is backported to 15.11.
    • Impacted versions: GitLab versions 15.2 - 15.11.11.
    • Versions containing fix: 15.11.12 and later.
    • Version 16.0 and later are not impacted. Note, 15.11 is a mandatory upgrade stop on the way to 16.0.

15.11.x

  • A bug can cause new LDAP users signing in for the first time to be assigned a username based on their email address instead of their LDAP username attribute. A manual workaround is to set gitlab_rails['omniauth_auto_link_ldap_user'] = true, or upgrade to GitLab 16.1 or later where the bug has been fixed.

15.10.5

  • A bug with Elastic Indexer Cron Workers can cause saturation in Sidekiq.
    • When this issue occurs, merge request merges, pipelines, Slack notifications, and other events are not created or take a long time to occur.
    • This issue may not manifest immediately as it can take up to a week before the Sidekiq is saturated enough.
    • Elasticsearch does not need to be enabled for this to occur.
    • To resolve this issue, upgrade to 15.11 or use the workaround in the issue.
  • Many project importers and group importers now require the Maintainer role instead of only requiring the Developer role. For more information, see the documentation for any importers you use.

15.10.0

  • A bug with Elastic Indexer Cron Workers can cause saturation in Sidekiq.

    • When this issue occurs, merge request merges, pipelines, Slack notifications, and other events are not created or take a long time to occur.
    • This issue may not manifest immediately as it can take up to a week before the Sidekiq is saturated enough.
    • Elasticsearch does not need to be enabled for this to occur.
    • To resolve this issue, upgrade to 15.11 or use the workaround in the issue.

  • Gitaly configuration changes significantly in Omnibus GitLab 16.0. You can begin migrating to the new structure in Omnibus GitLab 15.10 while backwards compatibility is maintained in the lead up to Omnibus GitLab 16.0. Read more about this change.

  • You might encounter the following error while upgrading to GitLab 15.10 or later:

    STDOUT: rake aborted!
StandardError: An error has occurred, all later migrations canceled:
PG::CheckViolation: ERROR:  check constraint "check_70f294ef54" is violated by some row

    This error is caused by a batched background migration introduced in GitLab 15.8 not being finalized before GitLab 15.10. To resolve this error:

    1. Execute the following SQL statement using the database console (sudo gitlab-psql for Linux package installs):

      UPDATE oauth_access_tokens SET expires_in = '7200' WHERE expires_in IS NULL;

    2. Re-run database migrations.

  • You might also encounter the following error while upgrading to GitLab 15.10 or later:

    "exception.class": "ActiveRecord::StatementInvalid",
"exception.message": "PG::SyntaxError: ERROR:  zero-length delimited identifier at or near \"\"\"\"\nLINE 1: ...COALESCE(\"lock_version\", 0) + 1 WHERE \"ci_builds\".\"\" IN (SEL...\n

    This error is caused by a batched background migration introduced in GitLab 14.9 not being finalized before upgrading to GitLab 15.10 or later. To resolve this error, it is safe to mark the migration as complete:

    # Start the rails console

connection = Ci::ApplicationRecord.connection

Gitlab::Database::SharedModel.using_connection(connection) do
  migration = Gitlab::Database::BackgroundMigration::BatchedMigration.find_for_configuration(
    Gitlab::Database.gitlab_schemas_for_connection(connection), 'NullifyOrphanRunnerIdOnCiBuilds', :ci_builds, :id, [])

  # mark all jobs completed
  migration.batched_jobs.update_all(status: Gitlab::Database::BackgroundMigration::BatchedJob.state_machine.states[:succeeded].value)
  migration.update_attribute(:status, Gitlab::Database::BackgroundMigration::BatchedMigration.state_machine.states[:finished].value)
end

For more information, see issue 415724.

15.9.0

  • A bug with Elastic Indexer Cron Workers can cause saturation in Sidekiq.

    • When this issue occurs, merge request merges, pipelines, Slack notifications, and other events are not created or take a long time to occur.
    • This issue may not manifest immediately as it can take up to a week before the Sidekiq is saturated enough.
    • Elasticsearch does not need to be enabled for this to occur.
    • To resolve this issue, upgrade to 15.11 or use the workaround in the issue.

  • Upgrade to patch release 15.9.3 or later. This provides fixes for two database migration bugs:

  • As part of the CI Partitioning effort, a new Foreign Key was added to ci_builds_needs. On GitLab instances with large CI tables, adding this constraint can take longer than usual.

  • Praefect's metadata verifier's invalid metadata deletion behavior is now enabled by default.

    The metadata verifier processes replica records in the Praefect database and verifies the replicas actually exist on the Gitaly nodes. If the replica doesn't exist, its metadata record is deleted. This enables Praefect to fix situations where a replica has a metadata record indicating it's fine but, in reality, it doesn't exist on disk. After the metadata record is deleted, Praefect's reconciler schedules a replication job to recreate the replica.

    Because of past issues with the state management logic, there may be invalid metadata records in the database. These could exist, for example, because of incomplete deletions of repositories or partially completed renames. The verifier deletes these stale replica records of affected repositories. These repositories may show up as unavailable repositories in the metrics and praefect dataloss sub-command because of the replica records being removed. If you encounter such repositories, remove the repository using praefect remove-repository to remove the repository's remaining records.

    You can find repositories with invalid metadata records prior in GitLab 15.0 and later by searching for the log records outputted by the verifier. Read more about repository verification, and to see an example log entry.

  • Praefect configuration changes significantly in Omnibus GitLab 16.0. You can begin migrating to the new structure in Omnibus GitLab 15.9 while backwards compatibility is maintained in the lead up to Omnibus GitLab 16.0. Read more about this change.

  • For self-compiled (source) installations, with the addition of gitlab-sshd the Kerberos headers are needed to build GitLab Shell.

    sudo apt install libkrb5-dev

15.8.2

  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.

15.8.1

15.8.0

15.7.6

15.7.5

15.7.4

15.7.3

15.7.2

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the upgrades. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.7.1

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.7.0

  • This version validates a NOT NULL DB constraint on the issues.work_item_type_id column. To upgrade to this version, no records with a NULL work_item_type_id should exist on the issues table. There are multiple BackfillWorkItemTypeIdForIssues background migrations that will be finalized with the EnsureWorkItemTypeBackfillMigrationFinished post-deploy migration.

  • GitLab 15.4.0 introduced a batched background migration to backfill namespace_id values on issues table. This migration might take multiple hours or days to complete on larger GitLab instances. Make sure the migration has completed successfully before upgrading to 15.7.0.

  • A database constraint is added, specifying that the namespace_id column on the issues table has no NULL values.

    • If the namespace_id batched background migration from 15.4 failed (see above) then the 15.7 upgrade fails with a database migration error.

    • On GitLab instances with large issues tables, validating this constraint causes the upgrade to take longer than usual. All database changes need to complete within a one-hour limit:

      FATAL: Mixlib::ShellOut::CommandTimeout: rails_migration[gitlab-rails]
[..]
Mixlib::ShellOut::CommandTimeout: Command timed out after 3600s:

      A workaround exists to complete the data change and the upgrade manually.

  • The default Sidekiq max_concurrency has been changed to 20. This is now consistent in our documentation and product defaults.

    For example, previously:

    • Linux package installation default (sidekiq['max_concurrency']): 50
    • Self-compiled installation default: 50
    • Helm chart default (gitlab.sidekiq.concurrency): 25

    Reference architectures still use a default of 10 as this is set specifically for those configurations.

    Sites that have configured max_concurrency will not be affected by this change. Read more about the Sidekiq concurrency setting.

  • GitLab Runner 15.7.0 introduced a breaking change that affects CI/CD jobs: Correctly handle expansion of job file variables. Previously, job-defined variables that referred to file type variables were expanded to the value of the file variable (its content). This behavior did not respect the typical rules of shell variable expansion. There was also the potential that secrets or sensitive information could leak if the file variable and its contents printed. For example, if they were printed in an echo output. For more information, see Understanding the file type variable expansion change in GitLab 15.7.

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.

    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.

15.6.7

15.6.6

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.6.5

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.6.4

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6, and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.6.3

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.6.2

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.6.1

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.
  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.
    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.6.0

  • You should use one of the officially supported PostgreSQL versions. Some database migrations can cause stability and performance issues with older PostgreSQL versions.

  • Git 2.37.0 and later is required by Gitaly. For self-compiled installations, you should use the Git version provided by Gitaly.

  • A database change to modify the behavior of four indexes fails on instances where these indexes do not exist:

    Caused by:
PG::UndefinedTable: ERROR:  relation "index_issues_on_title_trigram" does not exist

    The other three indexes are: index_merge_requests_on_title_trigram, index_merge_requests_on_description_trigram, and index_issues_on_description_trigram.

    This issue was fixed in GitLab 15.7 and backported to GitLab 15.6.2. The issue can also be worked around: read about how to create these indexes.

  • Geo: Container registry push events are rejected by the /api/v4/container_registry_event/events endpoint resulting in Geo secondary sites not being aware of updates to container registry images and subsequently not replicating the updates. Secondary sites may contain out of date container images after a failover as a consequence. This affects versions 15.6.0 - 15.6.6 and 15.7.0 - 15.7.2. If you're using Geo with container repositories, you are advised to upgrade to GitLab 15.6.7, 15.7.3, or 15.8.0 which contain a fix for this issue and avoid potential data loss after a failover.

  • Geo: We discovered an issue where replication and verification of projects and wikis was not keeping up on small number of Geo installations. Your installation may be affected if you see some projects and/or wikis persistently in the "Queued" state for verification. This can lead to data loss after a failover.

    • Affected versions: GitLab versions 15.6.x, 15.7.x, and 15.8.0 - 15.8.2.
    • Versions containing fix: GitLab 15.8.3 and later.

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.5.5

15.5.4

15.5.3

  • GitLab 15.4.0 introduced a default Sidekiq routing rule that routes all jobs to the default queue. For instances using queue selectors, this causes performance problems as some Sidekiq processes will be idle.

    • The default routing rule has been reverted in 15.5.4, so upgrading to that version or later will return to the previous behavior.

    • If a GitLab instance now listens only to the default queue (which is not currently recommended), it will be required to add this routing rule back in /etc/gitlab/gitlab.rb:

      sidekiq['routing_rules'] = [['*', 'default']]

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.5.2

  • GitLab 15.4.0 introduced a default Sidekiq routing rule that routes all jobs to the default queue. For instances using queue selectors, this causes performance problems as some Sidekiq processes will be idle.

    • The default routing rule has been reverted in 15.5.4, so upgrading to that version or later will return to the previous behavior.

    • If a GitLab instance now listens only to the default queue (which is not currently recommended), it will be required to add this routing rule back in /etc/gitlab/gitlab.rb:

      sidekiq['routing_rules'] = [['*', 'default']]

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.5.1

  • GitLab 15.4.0 introduced a default Sidekiq routing rule that routes all jobs to the default queue. For instances using queue selectors, this causes performance problems as some Sidekiq processes will be idle.

    • The default routing rule has been reverted in 15.5.4, so upgrading to that version or later will return to the previous behavior.

    • If a GitLab instance now listens only to the default queue (which is not currently recommended), it will be required to add this routing rule back in /etc/gitlab/gitlab.rb:

      sidekiq['routing_rules'] = [['*', 'default']]

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.5.0

  • GitLab 15.4.0 introduced a default Sidekiq routing rule that routes all jobs to the default queue. For instances using queue selectors, this causes performance problems as some Sidekiq processes will be idle.

    • The default routing rule has been reverted in 15.5.4, so upgrading to that version or later will return to the previous behavior.

    • If a GitLab instance now listens only to the default queue (which is not currently recommended), it will be required to add this routing rule back in /etc/gitlab/gitlab.rb:

      sidekiq['routing_rules'] = [['*', 'default']]

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.4.6

15.4.5

15.4.4

15.4.3

15.4.2

  • A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:
    • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
    • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
      • 15.2.5 --> 15.3.5
      • 15.3.0 - 15.3.4 --> 15.3.5
      • 15.4.1 --> 15.4.3
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.4.1

  • A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:
    • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
    • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
      • 15.2.5 --> 15.3.5
      • 15.3.0 - 15.3.4 --> 15.3.5
      • 15.4.1 --> 15.4.3
  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

15.4.0

  • GitLab 15.4.0 includes a batched background migration to remove incorrect values from expire_at in ci_job_artifacts table. This migration might take hours or days to complete on larger GitLab instances.

  • By default, Gitaly and Praefect nodes use the time server at pool.ntp.org. If your instance can not connect to pool.ntp.org, configure the NTP_HOST variable.

  • GitLab 15.4.0 introduced a default Sidekiq routing rule that routes all jobs to the default queue. For instances using queue selectors, this causes performance problems as some Sidekiq processes will be idle.

    • The default routing rule has been reverted in 15.4.5, so upgrading to that version or later will return to the previous behavior.

    • If a GitLab instance now listens only to the default queue (which is not currently recommended), it will be required to add this routing rule back in /etc/gitlab/gitlab.rb:

      sidekiq['routing_rules'] = [['*', 'default']]

  • New Git repositories created in Gitaly cluster no longer use the @hashed storage path. Server hooks for new repositories must be copied into a different location.

  • The structure of /etc/gitlab/gitlab-secrets.json was modified in GitLab 15.4, and new configuration was added to gitlab_pages, grafana, and mattermost sections. In a highly available or GitLab Geo environment, secrets need to be the same on all nodes. If you're manually syncing the secrets file across nodes, or manually specifying secrets in /etc/gitlab/gitlab.rb, make sure /etc/gitlab/gitlab-secrets.json is the same on all nodes.

  • GitLab 15.4.0 introduced a batched background migration to backfill namespace_id values on issues table. This migration might take multiple hours or days to complete on larger GitLab instances. Make sure the migration has completed successfully before upgrading to 15.7.0 or later.

  • Due to a bug introduced in GitLab 15.4, if one or more Git repositories in Gitaly Cluster is unavailable, then Repository checks and Geo replication and verification stop running for all project or project wiki repositories in the affected Gitaly Cluster. The bug was fixed by reverting the change in GitLab 15.9.0. Before upgrading to this version, check if you have any "unavailable" repositories. See the bug issue for more information.

  • A redesigned sign-in page is enabled by default in GitLab 15.4 and later, with improvements shipping in later releases. For more information, see epic 8557. It can be disabled with a feature flag. Start a Rails console and run:

    Feature.disable(:restyle_login_page)

15.3.4

A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:

  • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
  • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
    • 15.2.5 --> 15.3.5
    • 15.3.0 - 15.3.4 --> 15.3.5
    • 15.4.1 --> 15.4.3

15.3.3

  • In GitLab 15.3.3, SAML Group Links API access_level attribute type changed to integer. See the API documentation.

  • A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:

    • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
    • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
      • 15.2.5 --> 15.3.5
      • 15.3.0 - 15.3.4 --> 15.3.5
      • 15.4.1 --> 15.4.3

15.3.2

A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:

  • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
  • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
    • 15.2.5 --> 15.3.5
    • 15.3.0 - 15.3.4 --> 15.3.5
    • 15.4.1 --> 15.4.3

15.3.1

A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:

  • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
  • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
    • 15.2.5 --> 15.3.5
    • 15.3.0 - 15.3.4 --> 15.3.5
    • 15.4.1 --> 15.4.3

15.3.0

15.2.5

A license caching issue prevents some premium features of GitLab from working correctly if you add a new license. Workarounds for this issue:

  • Restart all Rails, Sidekiq and Gitaly nodes after applying a new license. This clears the relevant license caches and allows all premium features to operate correctly.
  • Upgrade to a version that is not affected by this issue. The following upgrade paths are available for affected versions:
    • 15.2.5 --> 15.3.5
    • 15.3.0 - 15.3.4 --> 15.3.5
    • 15.4.1 --> 15.4.3

15.2.0

15.1.0

15.0.0

  • Elasticsearch 6.8 is no longer supported. Before you upgrade to GitLab 15.0, update Elasticsearch to any 7.x version.

  • If you run external PostgreSQL, particularly AWS RDS, check you have a PostgreSQL bug fix to avoid the database crashing.

  • The use of encrypted S3 buckets with storage-specific configuration is no longer supported after removing support for using background_upload.

  • The certificate-based Kubernetes integration (DEPRECATED) is disabled by default, but you can be re-enable it through the certificate_based_clusters feature flag until GitLab 16.0.

  • When you use the GitLab Helm Chart project with a custom serviceAccount, ensure it has get and list permissions for the serviceAccount and secret resources.

  • The custom_hooks_dir setting for configuring global server hooks is now configured in Gitaly. The previous implementation in GitLab Shell was removed in GitLab 15.0. With this change, global server hooks are stored only inside a subdirectory named after the hook type. Global server hooks can no longer be a single hook file in the root of the custom hooks directory. For example, you must use <custom_hooks_dir>/<hook_name>.d/* rather than <custom_hooks_dir>/<hook_name>.

    • Use gitaly['custom_hooks_dir'] in gitlab.rb (introduced in 14.3) for Omnibus GitLab. This replaces gitlab_shell['custom_hooks_dir'].

  • Incorrect deletion of object storage files on Geo secondary sites can occur in certain situations. See Geo: Incorrect object storage LFS file deletion on secondary site issue in GitLab 15.0.0 to 15.3.2.

  • The FF_GITLAB_REGISTRY_HELPER_IMAGE feature flag is removed and helper images are always pulled from GitLab Registry.

  • The AES256-GCM-SHA384 SSL cipher is no longer allowed by NGINX. See how you can add the cipher back to the allow list.

  • Support for more than one database has been added to GitLab. For self-compiled (source) installations, config/database.yml must include a database name in the database configuration. The main: database must be first. If an invalid or deprecated syntax is used, an error is generated during application start:

    ERROR: This installation of GitLab uses unsupported 'config/database.yml'.
The main: database needs to be defined as a first configuration item instead of primary. (RuntimeError)

    Previously, the config/database.yml file looked like the following:

    production:
  adapter: postgresql
  encoding: unicode
  database: gitlabhq_production
  ...

    Starting with GitLab 15.0, it must define a main database first:

    production:
  main:
    adapter: postgresql
    encoding: unicode
    database: gitlabhq_production
    ...

14.10.0

  • Before upgrading to GitLab 14.10, you must already have the latest 14.9.Z installed on your instance. The upgrade to GitLab 14.10 executes a concurrent index drop of unneeded entries from the ci_job_artifacts database table. This could potentially run for multiple minutes, especially if the table has a lot of traffic and the migration is unable to acquire a lock. It is advised to let this process finish as restarting may result in data loss.

  • If you run external PostgreSQL, particularly AWS RDS, check you have a PostgreSQL bug fix to avoid the database crashing.

  • Upgrading to patch level 14.10.3 or later might encounter a one-hour timeout due to a long running database data change, if it was not completed while running GitLab 14.9.

    FATAL: Mixlib::ShellOut::CommandTimeout: rails_migration[gitlab-rails]
(gitlab::database_migrations line 51) had an error:
[..]
Mixlib::ShellOut::CommandTimeout: Command timed out after 3600s:

    A workaround exists to complete the data change and the upgrade manually.

14.9.0

  • Database changes made by the upgrade to GitLab 14.9 can take hours or days to complete on larger GitLab instances. These batched background migrations update whole database tables to ensure corresponding records in namespaces table for each record in projects table.

    After you upgrade to 14.9.0 or a later 14.9 patch version, batched background migrations must finish before you upgrade to a later version.

    If the migrations are not finished and you try to upgrade to a later version, you see errors like:

    Expected batched background migration for the given configuration to be marked as 'finished', but it is 'active':

    Or

    Error executing action `run` on resource 'bash[migrate gitlab-rails database]'
================================================================================

Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Command execution failed. STDOUT/STDERR suppressed for sensitive resource

  • GitLab 14.9.0 includes a background migration ResetDuplicateCiRunnersTokenValuesOnProjects that may remain stuck permanently in a pending state.

    To clean up this stuck job, run the following in the GitLab Rails Console:

    Gitlab::Database::BackgroundMigrationJob.pending.where(class_name: "ResetDuplicateCiRunnersTokenValuesOnProjects").find_each do |job|
  puts Gitlab::Database::BackgroundMigrationJob.mark_all_as_succeeded("ResetDuplicateCiRunnersTokenValuesOnProjects", job.arguments)
end

  • If you run external PostgreSQL, particularly AWS RDS, check you have a PostgreSQL bug fix to avoid the database crashing.

14.8.0

  • If upgrading from a version earlier than 14.6.5, 14.7.4, or 14.8.2, review the Critical Security Release: 14.8.2, 14.7.4, and 14.6.5 blog post. Updating to 14.8.2 or later resets runner registration tokens for your groups and projects.

  • The agent server for Kubernetes is enabled by default on Omnibus installations. If you run GitLab at scale, such as the reference architectures, you must disable the agent on the following server types, if the agent is not required.

    • Praefect
    • Gitaly
    • Sidekiq
    • Redis (if configured using redis['enable'] = true and not via roles)
    • Container registry
    • Any other server types based on roles(['application_role']), such as the GitLab Rails nodes

    The reference architectures have been updated with this configuration change and a specific role for standalone Redis servers.

    Steps to disable the agent:

    1. Add gitlab_kas['enable'] = false to gitlab.rb.
    2. If the server is already upgraded to 14.8, run gitlab-ctl reconfigure.

  • GitLab 14.8.0 includes a background migration PopulateTopicsNonPrivateProjectsCount that may remain stuck permanently in a pending state.

    To clean up this stuck job, run the following in the GitLab Rails Console:

    Gitlab::Database::BackgroundMigrationJob.pending.where(class_name: "PopulateTopicsNonPrivateProjectsCount").find_each do |job|
  puts Gitlab::Database::BackgroundMigrationJob.mark_all_as_succeeded("PopulateTopicsNonPrivateProjectsCount", job.arguments)
end

  • If upgrading from a version earlier than 14.3.0, to avoid an issue with job retries, first upgrade to GitLab 14.7.x and make sure all batched migrations have finished.

  • If upgrading from version 14.3.0 or later, you might notice a failed batched migration named BackfillNamespaceIdForNamespaceRoute. You can ignore this. Retry it after you upgrade to version 14.9.x.

  • If you run external PostgreSQL, particularly AWS RDS, check you have a PostgreSQL bug fix to avoid the database crashing.

14.7.0

  • See LFS objects import and mirror issue in GitLab 14.6.0 to 14.7.2.

  • If upgrading from a version earlier than 14.6.5, 14.7.4, or 14.8.2, review the Critical Security Release: 14.8.2, 14.7.4, and 14.6.5 blog post. Updating to 14.7.4 or later resets runner registration tokens for your groups and projects.

  • GitLab 14.7 introduced a change where Gitaly expects persistent files in the /tmp directory. When using the noatime mount option on /tmp in a node running Gitaly, most Linux distributions run into an issue with Git server hooks getting deleted. These conditions are present in the default Amazon Linux configuration.

    If your Linux distribution manages files in /tmp with the tmpfiles.d service, you can override the behavior of tmpfiles.d for the Gitaly files and avoid this issue:

    sudo printf "x /tmp/gitaly-%s-*\n" hooks git-exec-path >/etc/tmpfiles.d/gitaly-workaround.conf

    This issue is fixed in GitLab 14.10 and later when using the Gitaly runtime directory to specify a location to store persistent files.

14.6.0

14.5.0

  • When make is run, Gitaly builds are now created in _build/bin and no longer in the root directory of the source directory. If you are using a self-compiled installation, update paths to these binaries in your systemd unit files or init scripts by following the documentation.

  • Connections between Workhorse and Gitaly use the Gitaly backchannel protocol by default. If you deployed a gRPC proxy between Workhorse and Gitaly, Workhorse can no longer connect. As a workaround, disable the temporary workhorse_use_sidechannel feature flag. If you need a proxy between Workhorse and Gitaly, use a TCP proxy. If you have feedback about this change, go to this issue.

  • In 14.1 we introduced a background migration that changes how we store merge request diff commits, to significantly reduce the amount of storage needed. In 14.5 we introduce a set of migrations that wrap up this process by making sure that all remaining jobs over the merge_request_diff_commits table are completed. These jobs have already been processed in most cases so that no extra time is necessary during an upgrade to 14.5. However, if there are remaining jobs or you haven't already upgraded to 14.1, the deployment may take multiple hours to complete.

    All merge request diff commits automatically incorporate these changes, and there are no additional requirements to perform the upgrade. Existing data in the merge_request_diff_commits table remains unpacked until you run VACUUM FULL merge_request_diff_commits. However, the VACUUM FULL operation locks and rewrites the entire merge_request_diff_commits table, so the operation takes some time to complete and it blocks access to this table until the end of the process. We advise you to only run this command while GitLab is not actively used or it is taken offline for the duration of the process. The time it takes to complete depends on the size of the table, which can be obtained by using select pg_size_pretty(pg_total_relation_size('merge_request_diff_commits'));.

    For more information, refer to this issue.

  • GitLab 14.5.0 includes a background migration UpdateVulnerabilityOccurrencesLocation that may remain stuck permanently in a pending state when the instance lacks records that match the migration's target.

    To clean up this stuck job, run the following in the GitLab Rails Console:

    Gitlab::Database::BackgroundMigrationJob.pending.where(class_name: "UpdateVulnerabilityOccurrencesLocation").find_each do |job|
  puts Gitlab::Database::BackgroundMigrationJob.mark_all_as_succeeded("UpdateVulnerabilityOccurrencesLocation", job.arguments)
end

  • Upgrading to 14.5 (or later) might encounter a one hour timeout owing to a long running database data change.

    FATAL: Mixlib::ShellOut::CommandTimeout: rails_migration[gitlab-rails]
(gitlab::database_migrations line 51) had an error:
[..]
Mixlib::ShellOut::CommandTimeout: Command timed out after 3600s:

    There is a workaround to complete the data change and the upgrade manually

  • As part of enabling real-time issue assignees, Action Cable is now enabled by default. For self-compiled (source) installations, config/cable.yml is required to be present.

    Configure this by running:

    cd /home/git/gitlab
sudo -u git -H cp config/cable.yml.example config/cable.yml

# Change the Redis socket path if you are not using the default Debian / Ubuntu configuration
sudo -u git -H editor config/cable.yml

14.4.4

  • For zero-downtime upgrades on a GitLab cluster with separate Web and API nodes, you must enable the paginated_tree_graphql_query feature flag before upgrading GitLab Web nodes to 14.4. This is because we enabled paginated_tree_graphql_query by default in 14.4, so if GitLab UI is on 14.4 and its API is on 14.3, the frontend has this feature enabled but the backend has it disabled. This results in the following error:

    bundle.esm.js:63 Uncaught (in promise) Error: GraphQL error: Field 'paginatedTree' doesn't exist on type 'Repository'

14.4.0

14.3.0

  • Instances running 14.0.0 - 14.0.4 should not upgrade directly to GitLab 14.2 or later.

  • Ensure batched background migrations finish before upgrading to 14.3.Z from earlier GitLab 14 releases.

  • Ruby 2.7.4 is required. Refer to the Ruby installation instructions for how to proceed.

  • GitLab 14.3.0 contains post-deployment migrations to address Primary Key overflow risk for tables with an integer PK for the tables listed below:

    If the migrations are executed as part of a no-downtime deployment, there's a risk of failure due to lock conflicts with the application logic, resulting in lock timeout or deadlocks. In each case, these migrations are safe to re-run until successful:

    # For Omnibus GitLab
sudo gitlab-rake db:migrate

# For source installations
sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production

  • After upgrading to 14.3, ensure that all the MigrateMergeRequestDiffCommitUsers background migration jobs have completed before continuing with upgrading to GitLab 14.5 or later. This is especially important if your GitLab instance has a large merge_request_diff_commits table. Any pending MigrateMergeRequestDiffCommitUsers background migration jobs are foregrounded in GitLab 14.5, and may take a long time to complete. You can check the count of pending jobs for MigrateMergeRequestDiffCommitUsers by using the PostgreSQL console (or sudo gitlab-psql):

    select status, count(*) from background_migration_jobs
where class_name = 'MigrateMergeRequestDiffCommitUsers' group by status;

    As jobs are completed, the database records change from 0 (pending) to 1. If the number of pending jobs doesn't decrease after a while, it's possible that the MigrateMergeRequestDiffCommitUsers background migration jobs have failed. You can check for errors in the Sidekiq logs:

    sudo grep MigrateMergeRequestDiffCommitUsers /var/log/gitlab/sidekiq/current | grep -i error

    If needed, you can attempt to run the MigrateMergeRequestDiffCommitUsers background migration jobs manually in the GitLab Rails Console. This can be done using Sidekiq asynchronously, or by using a Rails process directly:

    • Using Sidekiq to schedule jobs asynchronously:

      # For the first run, only attempt to execute 1 migration. If successful, increase
# the limit for subsequent runs
limit = 1

jobs = Gitlab::Database::BackgroundMigrationJob.for_migration_class('MigrateMergeRequestDiffCommitUsers').pending.to_a

pp "#{jobs.length} jobs remaining"

jobs.first(limit).each do |job|
  BackgroundMigrationWorker.perform_in(5.minutes, 'MigrateMergeRequestDiffCommitUsers', job.arguments)
end

      NOTE: The queued jobs can be monitored using the Sidekiq admin panel, which can be accessed at the /admin/sidekiq endpoint URI.

    • Using a Rails process to run jobs synchronously:

      def process(concurrency: 1)
  queue = Queue.new

  Gitlab::Database::BackgroundMigrationJob
    .where(class_name: 'MigrateMergeRequestDiffCommitUsers', status: 0)
    .each { |job| queue << job }

  concurrency
    .times
    .map do
      Thread.new do
        Thread.abort_on_exception = true

        loop do
          job = queue.pop(true)
          time = Benchmark.measure do
            Gitlab::BackgroundMigration::MigrateMergeRequestDiffCommitUsers
              .new
              .perform(*job.arguments)
          end

          puts "#{job.id} finished in #{time.real.round(2)} seconds"
        rescue ThreadError
          break
        end
      end
    end
    .each(&:join)
end

ActiveRecord::Base.logger.level = Logger::ERROR
process

      NOTE: When using Rails to execute these background migrations synchronously, make sure that the machine running the process has sufficient resources to handle the task. If the process gets terminated, it's likely due to insufficient memory available. If your SSH session times out after a while, it might be necessary to run the previous code by using a terminal multiplexer like screen or tmux.

  • See Maintenance mode issue in GitLab 13.9 to 14.4.

  • You may see the following error when setting up two factor authentication (2FA) for accounts that authenticate using an LDAP password:

    You must provide a valid current password

  • If you encounter the error, I18n::InvalidLocale: :en is not a valid locale, when starting the application, follow the patching process. Use 122978 as the mr_iid.

14.2.0

14.1.0

  • Instances running 14.0.0 - 14.0.4 should not upgrade directly to GitLab 14.2 or later but can upgrade to 14.1.Z.

    It is not required for instances already running 14.0.5 (or later) to stop at 14.1.Z. 14.1 is included on the upgrade path for the broadest compatibility with self-managed installations, and ensure 14.0.0-14.0.4 installations do not encounter issues with batched background migrations.

  • Upgrading to GitLab 14.5 (or later) may take a lot longer if you do not upgrade to at least 14.1 first. The 14.1 merge request diff commits database migration can take hours to run, but runs in the background while GitLab is in use. GitLab instances upgraded directly from 14.0 to 14.5 or later must run the migration in the foreground and therefore take a lot longer to complete.

  • See Maintenance mode issue in GitLab 13.9 to 14.4.

  • If you encounter the error, I18n::InvalidLocale: :en is not a valid locale, when starting the application, follow the patching process. Use 123475 as the mr_iid.

14.0.0

Prerequisites:

Long running batched background database migrations:

  • Database changes made by the upgrade to GitLab 14.0 can take hours or days to complete on larger GitLab instances. These batched background migrations update whole database tables to mitigate primary key overflow and must be finished before upgrading to GitLab 14.2 or later.

  • Due to an issue where BatchedBackgroundMigrationWorkers were not working for self-managed instances, a fix was created that requires an update to at least 14.0.5. The fix was also released in 14.1.0.

    After you update to 14.0.5 or a later 14.0 patch version, batched background migrations must finish before you upgrade to a later version.

    If the migrations are not finished and you try to upgrade to a later version, you see an error like:

    Expected batched background migration for the given configuration to be marked as 'finished', but it is 'active':

    See how to resolve this error.

Other issues:

Upgrading to later 14.Y releases

User profile data loss bug in 15.9.x

There is a database migration bug in 15.9.0, 15.9.1, and 15.9.2 that can cause data loss from the user profile fields linkedin, twitter, skype, website_url, location, and organization.

This bug is fixed in patch releases 15.9.3 and later.

The following upgrade path also works around the bug:

  1. Upgrade to GitLab 15.6.x, 15.7.x, or 15.8.x.
  2. Ensure batched background migrations are complete.
  3. Upgrade to an earlier GitLab 15.9 patch release that doesn't have the bug fix.

It is not then required to upgrade to 15.9.3 or later for this issue.

Read the issue for more information.

Gitaly: Omnibus GitLab configuration structure change

Gitaly configuration structure in Omnibus GitLab changes in GitLab 16.0 to be consistent with the Gitaly configuration structure used in self-compiled installations.

As a result of this change, a single hash under gitaly['configuration'] holds most Gitaly configuration. Some gitaly['..'] configuration options will continue to be used by Omnibus GitLab 16.0 and later:

  • enable
  • dir
  • bin_path
  • env_directory
  • env
  • open_files_ulimit
  • consul_service_name
  • consul_service_meta

Migrate by moving your existing configuration under the new structure. The new structure is supported from Omnibus GitLab 15.10.

The new structure is documented below with the old keys described in a comment above the new keys. When applying the new structure to your configuration:

  1. Replace the ... with the value from the old key.
  2. Skip any keys you haven't configured a value for previously.
  3. Remove the old keys from the configuration once migrated.
  4. Optional but recommended. Include a trailing comma for all hash keys so the hash remains valid when keys are re-ordered or additional keys are added.
  5. When configuring storage to replace git_data_dirs, you must append repositories to the path as documented below. If you omit this step, your Git repositories are inaccessible until the configuration is fixed.
gitaly['configuration'] = {
# gitaly['socket_path']
socket_path: ...,
# gitaly['runtime_dir']
runtime_dir: ...,
# gitaly['listen_addr']
listen_addr: ...,
# gitaly['prometheus_listen_addr']
prometheus_listen_addr: ...,
# gitaly['tls_listen_addr']
tls_listen_addr: ...,
tls: {
  # gitaly['certificate_path']
  certificate_path: ...,
  # gitaly['key_path']
  key_path: ...,
},
# gitaly['graceful_restart_timeout']
graceful_restart_timeout: ...,
logging: {
  # gitaly['logging_level']
  level: ...,
  # gitaly['logging_format']
  format: ...,
  # gitaly['logging_sentry_dsn']
  sentry_dsn: ...,
  # gitaly['logging_ruby_sentry_dsn']
  ruby_sentry_dsn: ...,
  # gitaly['logging_sentry_environment']
  sentry_environment: ...,
  # gitaly['log_directory']
  dir: ...,
},
prometheus: {
  # gitaly['prometheus_grpc_latency_buckets']. The old value was configured as a string
  # such as '[0, 1, 2]'. The new value must be an array like [0, 1, 2].
  grpc_latency_buckets: ...,
},
auth: {
  # gitaly['auth_token']
  token: ...,
  # gitaly['auth_transitioning']
  transitioning: ...,
},
git: {
  # gitaly['git_catfile_cache_size']
  catfile_cache_size: ...,
  # gitaly['git_bin_path']
  bin_path: ...,
  # gitaly['use_bundled_git']
  use_bundled_binaries: ...,
  # gitaly['gpg_signing_key_path']
  signing_key: ...,
  # gitaly['gitconfig']. This is still an array but the type of the elements have changed.
  config: [
    {
      # Previously the elements contained 'section', and 'subsection' in addition to 'key'. Now
      # these all should be concatenated into just 'key', separated by dots. For example,
      # {section: 'first', subsection: 'middle', key: 'last', value: 'value'}, should become
      # {key: 'first.middle.last', value: 'value'}.
      key: ...,
      value: ...,
    },
  ],
},
# Storage could previously be configured through either gitaly['storage'] or 'git_data_dirs'. Migrate
# the relevant configuration according to the instructions below.
# For 'git_data_dirs', migrate only the 'path' to the gitaly['configuration'] and leave the rest of it untouched.
storage: [
  {
    # gitaly['storage'][<index>]['name']
    #
    # git_data_dirs[<name>]. The storage name was configured as a key in the map.
    name: ...,
    # gitaly['storage'][<index>]['path']
    #
    # git_data_dirs[<name>]['path']. Use the value from git_data_dirs[<name>]['path'] and append '/repositories' to it.
    #
    # For example, if the path in 'git_data_dirs' was '/var/opt/gitlab/git-data', use
    # '/var/opt/gitlab/git-data/repositories'. The '/repositories' extension was automatically
    # appended to the path configured in `git_data_dirs`.
    path: ...,
  },
],
hooks: {
  # gitaly['custom_hooks_dir']
  custom_hooks_dir: ...,
},
daily_maintenance: {
  # gitaly['daily_maintenance_disabled']
  disabled: ...,
  # gitaly['daily_maintenance_start_hour']
  start_hour: ...,
  # gitaly['daily_maintenance_start_minute']
  start_minute: ...,
  # gitaly['daily_maintenance_duration']
  duration: ...,
  # gitaly['daily_maintenance_storages']
  storages: ...,
},
cgroups: {
  # gitaly['cgroups_mountpoint']
  mountpoint: ...,
  # gitaly['cgroups_hierarchy_root']
  hierarchy_root: ...,
  # gitaly['cgroups_memory_bytes']
  memory_bytes: ...,
  # gitaly['cgroups_cpu_shares']
  cpu_shares: ...,
  repositories: {
    # gitaly['cgroups_repositories_count']
    count: ...,
    # gitaly['cgroups_repositories_memory_bytes']
    memory_bytes: ...,
    # gitaly['cgroups_repositories_cpu_shares']
    cpu_shares: ...,
  }
},
# gitaly['concurrency']. While the structure is the same, the string keys in the array elements
# should be replaced by symbols as elsewhere. {'key' => 'value'}, should become {key: 'value'}.
concurrency: ...,
# gitaly['rate_limiting']. While the structure is the same, the string keys in the array elements
# should be replaced by symbols as elsewhere. {'key' => 'value'}, should become {key: 'value'}.
rate_limiting: ...,
pack_objects_cache: {
  # gitaly['pack_objects_cache_enabled']
  enabled: ...,
  # gitaly['pack_objects_cache_dir']
  dir: ...,
  # gitaly['pack_objects_cache_max_age']
  max_age: ...,
}
}

Praefect: Omnibus GitLab configuration structure change

Praefect configuration structure in Omnibus GitLab changes in GitLab 16.0 to be consistent with the Praefect configuration structure used in self-compiled installations.

As a result of this change, a single hash under praefect['configuration'] holds most Praefect configuration. Some praefect['..'] configuration options will continue to be used by Omnibus GitLab 16.0 and later:

  • enable
  • dir
  • log_directory
  • env_directory
  • env
  • wrapper_path
  • auto_migrate
  • consul_service_name

Migrate by moving your existing configuration under the new structure. The new structure is supported from Omnibus GitLab 15.9.

The new structure is documented below with the old keys described in a comment above the new keys. When applying the new structure to your configuration:

  1. Replace the ... with the value from the old key.
  2. Skip any keys you haven't configured a value for previously.
  3. Remove the old keys from the configuration once migrated.
  4. Optional but recommended. Include a trailing comma for all hash keys so the hash remains valid when keys are re-ordered or additional keys are added.
praefect['configuration'] = {
  # praefect['listen_addr']
  listen_addr: ...,
  # praefect['socket_path']
  socket_path: ...,
  # praefect['prometheus_listen_addr']
  prometheus_listen_addr: ...,
  # praefect['tls_listen_addr']
  tls_listen_addr: ...,
  # praefect['separate_database_metrics']
  prometheus_exclude_database_from_default_metrics: ...,
  auth: {
    # praefect['auth_token']
    token: ...,
    # praefect['auth_transitioning']
    transitioning: ...,
  },
  logging: {
    # praefect['logging_format']
    format: ...,
    # praefect['logging_level']
    level: ...,
  },
  failover: {
    # praefect['failover_enabled']
    enabled: ...,
  },
  background_verification: {
    # praefect['background_verification_delete_invalid_records']
    delete_invalid_records: ...,
    # praefect['background_verification_verification_interval']
    verification_interval: ...,
  },
  reconciliation: {
    # praefect['reconciliation_scheduling_interval']
    scheduling_interval: ...,
    # praefect['reconciliation_histogram_buckets']. The old value was configured as a string
    # such as '[0, 1, 2]'. The new value must be an array like [0, 1, 2].
    histogram_buckets: ...,
  },
  tls: {
    # praefect['certificate_path']
    certificate_path: ...,
    # praefect['key_path']
    key_path: ...,
  },
  database: {
    # praefect['database_host']
    host: ...,
    # praefect['database_port']
    port: ...,
    # praefect['database_user']
    user: ...,
    # praefect['database_password']
    password: ...,
    # praefect['database_dbname']
    dbname: ...,
    # praefect['database_sslmode']
    sslmode: ...,
    # praefect['database_sslcert']
    sslcert: ...,
    # praefect['database_sslkey']
    sslkey: ...,
    # praefect['database_sslrootcert']
    sslrootcert: ...,
    session_pooled: {
      # praefect['database_direct_host']
      host: ...,
      # praefect['database_direct_port']
      port: ...,
      # praefect['database_direct_user']
      user: ...,
      # praefect['database_direct_password']
      password: ...,
      # praefect['database_direct_dbname']
      dbname: ...,
      # praefect['database_direct_sslmode']
      sslmode: ...,
      # praefect['database_direct_sslcert']
      sslcert: ...,
      # praefect['database_direct_sslkey']
      sslkey: ...,
      # praefect['database_direct_sslrootcert']
      sslrootcert: ...,
    }
  },
  sentry: {
    # praefect['sentry_dsn']
    sentry_dsn: ...,
    # praefect['sentry_environment']
    sentry_environment: ...,
  },
  prometheus: {
    # praefect['prometheus_grpc_latency_buckets']. The old value was configured as a string
    # such as '[0, 1, 2]'. The new value must be an array like [0, 1, 2].
    grpc_latency_buckets: ...,
  },
  # praefect['graceful_stop_timeout']
  graceful_stop_timeout: ...,

  # praefect['virtual_storages']. The old value was a hash map but the new value is an array.
  virtual_storage: [
    {
      # praefect['virtual_storages'][VIRTUAL_STORAGE_NAME]. The name was previously the key in
      # the 'virtual_storages' hash.
      name: ...,
      # praefect['virtual_storages'][VIRTUAL_STORAGE_NAME]['nodes'][NODE_NAME]. The old value was a hash map
      # but the new value is an array.
      node: [
        {
          # praefect['virtual_storages'][VIRTUAL_STORAGE_NAME]['nodes'][NODE_NAME]. Use NODE_NAME key as the
          # storage.
          storage: ...,
          # praefect['virtual_storages'][VIRTUAL_STORAGE_NAME]['nodes'][NODE_NAME]['address'].
          address: ...,
          # praefect['virtual_storages'][VIRTUAL_STORAGE_NAME]['nodes'][NODE_NAME]['token'].
          token: ...,
        },
      ],
    }
  ]
}

Change to Praefect-generated replica paths in GitLab 15.3

New Git repositories created in Gitaly cluster no longer use the @hashed storage path.

Praefect now generates replica paths for use by Gitaly cluster. This change is a pre-requisite for Gitaly cluster atomically creating, deleting, and renaming Git repositories.

To identify the replica path, query the Praefect repository metadata and pass the @hashed storage path to -relative-path.

With this information, you can correctly install server hooks.

Geo: LFS transfers redirect to primary from secondary site mid-session in GitLab 15.1.0 to 15.3.2

LFS transfers can redirect to the primary from secondary site mid-session causing failed pull and clone requests in GitLab 15.1.0 to 15.3.2 when Geo proxying is enabled. Geo proxying is enabled by default in GitLab 15.1 and later.

This issue is resolved in GitLab 15.3.3, so customers with the following configuration should upgrade to 15.3.3 or later:

  • LFS is enabled.
  • LFS objects are being replicated across Geo sites.
  • Repositories are being pulled by using a Geo secondary site.

Geo: Incorrect object storage LFS file deletion on secondary sites in GitLab 15.0.0 to 15.3.2

Incorrect deletion of object storage files on Geo secondary sites can occur in GitLab 15.0.0 to 15.3.2 in the following situations:

  • GitLab-managed object storage replication is disabled, and LFS objects are created while importing a project with object storage enabled.
  • GitLab-managed replication to sync object storage is enabled and subsequently disabled.

This issue is resolved in 15.3.3. Customers who have both LFS enabled and LFS objects being replicated across Geo sites should upgrade directly to 15.3.3 to reduce the risk of data loss on secondary sites.

PostgreSQL segmentation fault issue

If you run GitLab with external PostgreSQL, particularly AWS RDS, ensure you upgrade PostgreSQL to patch levels to a minimum of 12.7 or 13.3 before upgrading to GitLab 14.8 or later.

In 14.8 for GitLab Enterprise Edition and in 15.1 for GitLab Community Edition a GitLab feature called Loose Foreign Keys was enabled.

After it was enabled, we have had reports of unplanned PostgreSQL restarts caused by a database engine bug that causes a segmentation fault.

Read more in the issue.

LFS objects import and mirror issue in GitLab 14.6.0 to 14.7.2

When Geo is enabled, LFS objects fail to be saved for imported or mirrored projects.

This bug was fixed in GitLab 14.8.0 and backported into 14.7.3.

Maintenance mode issue in GitLab 13.9 to 14.4

When Maintenance mode is enabled, users cannot sign in with SSO, SAML, or LDAP.

Users who were signed in before Maintenance mode was enabled, continue to be signed in. If the administrator who enabled Maintenance mode loses their session, then they can't disable Maintenance mode via the UI. In that case, you can disable Maintenance mode via the API or Rails console.

This bug was fixed in GitLab 14.5.0 and backported into 14.4.3 and 14.3.5.

Miscellaneous