GITLAB_SECRETS_DB_KEY_BASE parameter

[pnelsonsr]

Went to upgrade to 8.0.2 and when I start it I get an error:

ERROR:
Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter.
Cannot continue. Aborting...

what is this and how do I fix it?

[Allineer]

README.md

[pnelsonsr]

@Allineer I only had read through the Upgrading part. So here is what needs to happen...

1. generate a long random string with:
   pwgen -Bsv1 64
2. then add that to my docker run command with:
   GITLAB_SECRETS_DB_KEY_BASE="<generated string>"
3. then do the docker run
   great everything works. but I'm still unclear what this is for?

[Allineer]

@pnelsonsr

  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
  # If you change or lose this key you will be unable to access variables stored in database.
  # Make sure the secret is at least 30 characters and all random,
  # no regular words or you'll be exposed to dictionary attacks.

This option is coming from GitLab CI & now it's used only here

[pnelsonsr]

Ahh its for db encryption. So, the key will be needed for back up systems. Its important to keep secret in a password kind of way.

[sameersbn]

It is used by the CI feature of gitlab to encrypt build variables.

[sameersbn]

@Allineer Thanks for helping users resolve issues. Your the best 👍

[sameersbn]

ps. please subscribe to issue #39 to get notified about such breaking changes.

[pnelsonsr]

@sameersbn yeah it kind of hit me at a moment of weakness as I had a few headaches going on with other systems. If you had something in upgrade section of the readme then I would have been golden. I just entered a issue because you are always there for us! I'll subscribe to #39 and hopefully catch this kind of thing next time.

So, I understand what the key does but the reason I kind of needed to know what it was doing is we keep a couple of docker systems ready to take on a promotion if a failure happens. So understanding if this value was unique to the server or unique to the db (pg) was important. Kind of a "Why its there?" and "What is it doing?" in important to us from an operational standpoint. That's the why and what of what I was asking about.

[favorinfo]

what if I forgot my secret?

I had used sameersbn/gitlab:7.9.0, and I forget the path I stored the secret or never owned the sercret?

[sameersbn]

@favorinfo The GITLAB_SECRETS_DB_KEY_BASE variable has been added only since version 8.0.0 for the Gitlab CE image. Before that it existed as the GITLAB_CI_SECRETS_DB_KEY_BASE parameter in the GitLab CI image.

This variable is used to encrypt build script variables. Loosing/changing this key would mean that any variables that you may have added for your CI jobs cannot be decrypted and hence would not be usable.

The build script variables can be used to encrypt sensitive information such as usernames and passwords in your ci jobs and can be added at Continuous Integration > project > Variables, which become available as environment variables in you build jobs.

[sameersbn]

@pnelsonsr I have now added a note in the upgrading section

[pnelsonsr]

@sameersbn cool!
@favorinfo you didn't have to have GITLAB_SECRETS_DB_KEY_BASE prior to 8.0.0 so you probably didn't have one. Just create a random string with pwgen -Bsv1 64 and assign it in your docker run command options docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:8.0.2. Once it is set you will need it after that.

[sameersbn]

marking this issue resolved.

[bor8]

Sorry if I'm involved.

I forgot to change the variables GITLAB_SECRETS_DB_KEY_BASE, GITLAB_SECRETS_SECRET_KEY_BASE and GITLAB_SECRETS_OTP_KEY_BASE, i.e. they are still at the default value.

Is that a problem? What happens if I change the values afterwards? I haven't worked much with CI yet.