Add PGbouncer as EE specific dependency, as part of the Gitlab PostgreSQL HA automation

.custom_sources.yml

@@ -49,4 +49,3 @@ gitlab-elasticsearch-indexer:
 logrotate:
   remote: "git@dev.gitlab.org:omnibus-mirror/logrotate.git"
   alternative: "https://gitlab.com/omnibus-mirror/logrotate.git"
-

CHANGELOG.md

@@ -17,9 +17,12 @@ omnibus-gitlab repository.
 - Generate PO translation files 6b6c936a
 - Change service running detection 18b51873
-9.1.0
+9.1.2
 - Add support for the following PostgreSQL settings: random_page_cost, max_locks_per_transaction, log_temp_files, log_checkpoints
+
+9.1.0
+
 - Remove deprecated satellites configuration f88ba40b
 - Add configuration file for Gitaly 7c7c728
 - Add support for Gitaly address per shard 2096928

config/software/gitlab-rails.rb

@@ -51,6 +51,7 @@ dependency 'unzip'
 if EE
   dependency 'mysql-client'
+  dependency 'pgbouncer'
   dependency 'gitlab-elasticsearch-indexer'
 end

config/software/libevent.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'libevent'
+default_version '2.1.8'
+
+license 'BSD-3-Clause'
+license_file 'LICENSE'
+
+version '2.1.8' do
+  source sha256: '965cc5a8bb46ce4199a47e9b2c9e1cae3b137e8356ffdad6d94d3b9069b71dc2'
+end
+
+source url: "https://github.com/libevent/libevent/releases/download/release-#{version}-stable/libevent-#{version}-stable.tar.gz"
+
+relative_path "libevent-#{version}-stable"
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+  command './configure ' \
+    "--prefix=#{install_dir}/embedded", env: env
+
+  make "-j #{workers}", env: env
+  make 'install', env: env
+end

config/software/pgbouncer.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'pgbouncer'
+default_version '1.7.2'
+
+license 'ISC'
+license_file 'COPYRIGHT'
+
+dependency 'libevent'
+dependency 'openssl'
+
+version '1.7.2' do
+  source sha256: 'de36b318fe4a2f20a5f60d1c5ea62c1ca331f6813d2c484866ecb59265a160ba'
+end
+
+source url: "https://pgbouncer.github.io/downloads/files/#{version}/pgbouncer-#{version}.tar.gz"
+
+relative_path "pgbouncer-#{version}"
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  prefix = "#{install_dir}/embedded"
+
+  command './configure ' \
+    "--prefix=#{prefix} " \
+    "--with-openssl=#{prefix} " \
+    "--with-libevent=#{prefix}", env: env
+
+  make "-j #{workers}", env: env
+  make 'install', env: env
+end

doc/package-information/defaults.md

@@ -36,7 +36,7 @@ by default:
 | Remote syslog    | No            | Port             | X           | 514                                    |
 | Mattermost       | No            | Port             | X           | 8065                                   |
 | Mattermost       | No            | Port             | X           | 80 or 443                              |
-
+| PgBouncer        | No            | Port             | X           | 6432                                   |
 Legend:
 * `Component` - Name of the component.

doc/settings/smtp.md

@@ -384,7 +384,7 @@ Request to save other people time.
 ## Testing the SMTP configuration
-You can verify GitLab's ability to send emails properly using the Rails console. 
+You can verify GitLab's ability to send emails properly using the Rails console.
 On the GitLab server, execute `gitlab-rails console` to enter the console. Then,
 you can enter the following command at the console prompt to cause GitLab to
 send a test email:

files/gitlab-config-template/gitlab.rb.template

@@ -643,6 +643,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # postgresql['log_temp_files'] = -1
 # postgresql['log_checkpoints'] = 'off'
+
 # Backup/Archive settings
 # default['gitlab']['postgresql']['archive_mode'] = "off"
 # default['gitlab']['postgresql']['archive_command'] = nil
@@ -1539,3 +1540,45 @@ external_url 'GENERATED_EXTERNAL_URL'
 # geo_postgresql['ha'] = false
 # geo_postgresql['dir'] = '/var/opt/gitlab/geo-postgresql'
 # geo_postgresql['data_dir'] = '/var/opt/gitlab/geo-postgresql/data'
+#
+################################################################################
+# Pgbouncer (EE only)
+# See [GitLab PgBouncer documentation](http://docs.gitlab.com/omnibus/settings/database.html#enabling-pgbouncer-ee-only)
+# See the [PgBouncer page](https://pgbouncer.github.io/config.html) for details
+################################################################################
+# pgbouncer['enable'] = false
+# pgbouncer['log_directory'] = '/var/log/gitlab/pgbouncer'
+# pgbouncer['data_directory'] = '/var/opt/gitlab/pgbouncer'
+# pgbouncer['listen_addr'] = '0.0.0.0'
+# pgbouncer['listen_port'] = '6432'
+# pgbouncer['pool_mode'] = 'session'
+# pgbouncer['server_reset_query'] = 'DISCARD ALL'
+# pgbouncer['max_client_conn'] = '100'
+# pgbouncer['default_pool_size'] = '20'
+# pgbouncer['min_pool_size'] = '0'
+# pgbouncer['reserve_pool_size'] = '0'
+# pgbouncer['reserve_pool_timeout'] = '5.0'
+# pgbouncer['server_round_robin'] = '0'
+# pgbouncer['log_connections'] = '0'
+# pgbouncer['server_idle_timeout'] = '600.0'
+# pgbouncer['dns_max_ttl'] = '15.0'
+# pgbouncer['dns_zone_check_period'] = '0'
+# pgbouncer['dns_nxdomain_ttl'] = '15.0'
+# pgbouncer['admin_users'] = %w(gitlab-psql postgres pgbouncer)
+# pgbouncer['stats_users'] = %w(gitlab-psql postgres pgbouncer)
+# pgbouncer['ignore_startup_parameters'] = 'extra_float_digits'
+# pgbouncer['databases'] = {
+#   DATABASE_NAME: {
+#     host: HOSTNAME,
+#     port: PORT
+#     user: USERNAME,
+#     password: PASSWORD
+###! generate this with `echo -n '$password + $username' | md5sum`
+#   }
+#   ...
+# }
+# pgbouncer['auth_type'] = 'md5'
+# pgbouncer['auth_hba_file'] = nil
+# pgbouncer['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'
+# postgresql['pgbouncer_user'] = nil
+# postgresql['pgbouncer_user_password'] = nil

files/gitlab-cookbooks/gitlab-ee/attributes/default.rb

@@ -121,3 +121,43 @@ default['gitlab']['geo-postgresql']['hot_standby_feedback'] = 'off'
 default['gitlab']['geo-postgresql']['archive_mode'] = 'off'
 default['gitlab']['geo-postgresql']['archive_command'] = nil
 default['gitlab']['geo-postgresql']['archive_timeout'] = '60'
+
+####
+# Pgbouncer
+####
+
+default['gitlab']['postgresql']['pgbouncer_user'] = 'pgbouncer'
+default['gitlab']['postgresql']['pgbouncer_user_password'] = nil
+default['gitlab']['pgbouncer']['enable'] = false
+default['gitlab']['pgbouncer']['log_directory'] = '/var/log/gitlab/pgbouncer'
+default['gitlab']['pgbouncer']['data_directory'] = '/var/opt/gitlab/pgbouncer'
+default['gitlab']['pgbouncer']['listen_addr'] = '0.0.0.0'
+default['gitlab']['pgbouncer']['listen_port'] = 6432
+default['gitlab']['pgbouncer']['pool_mode'] = 'session'
+default['gitlab']['pgbouncer']['server_reset_query'] = 'DISCARD ALL'
+default['gitlab']['pgbouncer']['max_client_conn'] = 100
+default['gitlab']['pgbouncer']['default_pool_size'] = 20
+default['gitlab']['pgbouncer']['min_pool_size'] = 0
+default['gitlab']['pgbouncer']['reserve_pool_size'] = 0
+default['gitlab']['pgbouncer']['reserve_pool_timeout'] = '5.0'
+default['gitlab']['pgbouncer']['server_round_robin'] = 0
+default['gitlab']['pgbouncer']['log_connections'] = 0
+default['gitlab']['pgbouncer']['server_idle_timeout'] = '600.0'
+default['gitlab']['pgbouncer']['dns_max_ttl'] = '15.0'
+default['gitlab']['pgbouncer']['dns_zone_check_period'] = 0
+default['gitlab']['pgbouncer']['dns_nxdomain_ttl'] = '15.0'
+default['gitlab']['pgbouncer']['admin_users'] = %w(gitlab-psql postgres pgbouncer)
+default['gitlab']['pgbouncer']['stats_users'] = %w(gitlab-psql postgres pgbouncer)
+default['gitlab']['pgbouncer']['ignore_startup_parameters'] = 'extra_float_digits'
+default['gitlab']['pgbouncer']['databases'] = {
+  gitlabhq_production: {
+    host: '127.0.0.1',
+    port: 5432,
+    user: 'pgbouncer',
+    # generate password with md5(password + username)
+    password: nil
+  }
+}
+default['gitlab']['pgbouncer']['auth_type'] = 'md5'
+default['gitlab']['pgbouncer']['auth_hba_file'] = nil
+default['gitlab']['pgbouncer']['auth_query'] = 'SELECT username, password FROM public.pg_shadow_lookup($1)'

files/gitlab-cookbooks/gitlab-ee/recipes/default.rb

@@ -21,6 +21,7 @@ include_recipe 'gitlab::default'
   'sentinel',
   'sidekiq-cluster',
   'geo-postgresql',
+  "pgbouncer"
 ].each do |service|
   if node['gitlab'][service]['enable']
     include_recipe "gitlab-ee::#{service}"
@@ -36,3 +37,11 @@ if node['gitlab']['geo-postgresql']['enable']
   include_recipe 'gitlab-ee::geo-secondary'
   include_recipe 'gitlab-ee::geo_database_migrations'
 end
+
+# pgbouncer_user and pgbouncer_user_password are settings for the account
+# pgbouncer will use to authenticate to the database.
+if node['gitlab']['postgresql']['enable'] &&
+    !node['gitlab']['postgresql']['pgbouncer_user'].nil? &&
+    !node['gitlab']['postgresql']['pgbouncer_user_password'].nil?
+  include_recipe 'gitlab-ee::pgbouncer_user'
+end

files/gitlab-cookbooks/gitlab-ee/recipes/geo-postgresql.rb

@@ -23,12 +23,12 @@ postgresql_data_dir = node['gitlab']['geo-postgresql']['data_dir']
 postgresql_data_dir_symlink = File.join(postgresql_dir, 'data')
 postgresql_log_dir = node['gitlab']['geo-postgresql']['log_directory']
 postgresql_socket_dir = node['gitlab']['geo-postgresql']['unix_socket_directory']
-postgresql_user = account_helper.postgresql_user
+postgresql_username = account_helper.postgresql_user
 pg_helper = GeoPgHelper.new(node)
 directory postgresql_dir do
-  owner postgresql_user
+  owner postgresql_username
   mode '0755'
   recursive true
 end
@@ -38,7 +38,7 @@ end
   postgresql_log_dir
 ].each do |dir|
   directory dir do
-    owner postgresql_user
+    owner postgresql_username
     mode '0700'
     recursive true
   end
@@ -50,7 +50,7 @@ link postgresql_data_dir_symlink do
 end
 execute "/opt/gitlab/embedded/bin/initdb -D #{postgresql_data_dir} -E UTF8" do
-  user postgresql_user
+  user postgresql_username
   not_if { pg_helper.bootstrapped? }
 end
@@ -60,7 +60,7 @@ should_notify = omnibus_helper.should_notify?('geo-postgresql') && !bootstrappin
 template postgresql_config do
   source 'postgresql.conf.erb'
-  owner postgresql_user
+  owner postgresql_username
   mode '0644'
   helper(:pg_helper) { pg_helper }
   variables(node['gitlab']['geo-postgresql'].to_hash)
@@ -72,7 +72,7 @@ pg_hba_config = File.join(postgresql_data_dir, 'pg_hba.conf')
 template pg_hba_config do
   source 'pg_hba.conf.erb'
-  owner postgresql_user
+  owner postgresql_username
   mode '0644'
   variables(node['gitlab']['geo-postgresql'].to_hash)
   cookbook 'gitlab'
@@ -80,7 +80,7 @@ template pg_hba_config do
 end
 template File.join(postgresql_data_dir, 'pg_ident.conf') do
-  owner postgresql_user
+  owner postgresql_username
   mode '0644'
   variables(node['gitlab']['geo-postgresql'].to_hash)
   cookbook 'gitlab'
@@ -127,24 +127,20 @@ gitlab_sql_user = node['gitlab']['geo-postgresql']['sql_user']
 database_name = node['gitlab']['geo-secondary']['db_database']
 if node['gitlab']['geo-postgresql']['enable']
-  execute "create #{gitlab_sql_user} database user" do
-    command "/opt/gitlab/bin/gitlab-geo-psql -d template1 -c \"CREATE USER #{gitlab_sql_user}\""
-    user postgresql_user
-    # Added retries to give the service time to start on slower systems
-    retries 20
-    not_if { !pg_helper.is_running? || pg_helper.user_exists?(gitlab_sql_user) }
+  postgresql_user gitlab_sql_user do
+    action :create
   end
   execute "create #{database_name} database" do
     command "/opt/gitlab/embedded/bin/createdb --port #{pg_port} -h #{postgresql_socket_dir} -O #{gitlab_sql_user} #{database_name}"
-    user postgresql_user
+    user postgresql_username
     retries 30
     not_if { !pg_helper.is_running? || pg_helper.database_exists?(database_name) }
   end
   execute 'enable pg_trgm extension on geo-postgresql' do
     command "/opt/gitlab/bin/gitlab-geo-psql -d #{database_name} -c \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\""
-    user postgresql_user
+    user postgresql_username
     retries 20
     action :nothing
     not_if { !pg_helper.is_running? || pg_helper.is_slave? || pg_helper.extension_enabled?('pg_trgm', database_name) }

files/gitlab-cookbooks/gitlab-ee/recipes/pgbouncer.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+
+include_recipe 'gitlab::postgresql_user'
+[
+  node['gitlab']['pgbouncer']['log_directory'],
+  node['gitlab']['pgbouncer']['data_directory']
+].each do |dir|
+  directory dir do
+    owner account_helper.postgresql_user
+    mode '0700'
+    recursive true
+  end
+end
+
+template "#{node['gitlab']['pgbouncer']['data_directory']}/pg_auth" do
+  source "pg_auth.erb"
+  variables node['gitlab']['pgbouncer'].to_hash
+end
+
+runit_service 'pgbouncer' do
+  options(
+    username: node['gitlab']['postgresql']['username'],
+    data_directory: node['gitlab']['pgbouncer']['data_directory'],
+    log_directory: node['gitlab']['pgbouncer']['log_directory']
+  )
+end
+
+template "#{node['gitlab']['pgbouncer']['data_directory']}/pgbouncer.ini" do
+  source "pgbouncer.ini.erb"
+  variables node['gitlab']['pgbouncer'].to_hash
+  notifies :run, 'execute[reload pgbouncer]', :immediately
+end
+
+execute 'reload pgbouncer' do
+  command '/opt/gitlab/embedded/bin/sv hup pgbouncer'
+  action :nothing
+end

files/gitlab-cookbooks/gitlab-ee/recipes/pgbouncer_disable.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service 'pgbouncer' do
+  action :disable
+end

files/gitlab-cookbooks/gitlab-ee/recipes/pgbouncer_user.rb

+#
+# Copyright:: Copyright (c) 2017 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+account_helper = AccountHelper.new(node)
+pg_helper = PgHelper.new(node)
+
+database = node['gitlab']['gitlab-rails']['db_database']
+
+postgresql_user node['gitlab']['postgresql']['pgbouncer_user'] do
+  password "md5#{node['gitlab']['postgresql']['pgbouncer_user_password']}"
+  action :create
+end
+
+pgbouncer_auth_function = pg_helper.pg_shadow_lookup
+
+execute 'Add pgbouncer auth function' do
+  command %(/opt/gitlab/bin/gitlab-psql -d #{database} -c '#{pgbouncer_auth_function}')
+  user account_helper.postgresql_user
+  not_if { pg_helper.has_function?(database, "pg_shadow_lookup") }
+  only_if { node.default['gitlab']['pgbouncer']['auth_query'].eql?(node['gitlab']['pgbouncer']['auth_query']) }
+end

files/gitlab-cookbooks/gitlab-ee/templates/default/pg_auth.erb

+<% @databases.each do |_db, settings| %>
+"<%= settings['user'] %>" "md5<%= settings['password'] %>"
+<% end %>

files/gitlab-cookbooks/gitlab-ee/templates/default/pgbouncer.ini.erb

+;; database name = connect string
+;;
+;; connect string params:
+;;   dbname= host= port= user= password=
+;;   client_encoding= datestyle= timezone=
+;;   pool_size= connect_query=
+[databases]
+<% @databases.each do |db, settings| %>
+<%= db %> = host=<%= settings['host'] %> port=<%= settings['port'] %> dbname=<%= db %> auth_user=<%= settings['user'] %>
+<% end %>
+; foodb over unix socket
+;foodb =
+
+; redirect bardb to bazdb on localhost
+;bardb = host=localhost dbname=bazdb
+
+; access to dest database will go with single user
+;forcedb = host=127.0.0.1 port=300 user=baz password=foo client_encoding=UNICODE datestyle=ISO connect_query='SELECT 1'
+
+; use custom pool sizes
+;nondefaultdb = pool_size=50 reserve_pool_size=10
+
+; fallback connect string
+;* = host=testserver
+
+;; Configuration section
+[pgbouncer]
+
+;;;
+;;; Administrative settings
+;;;
+
+logfile = <%= @log_directory %>/pgbouncer.log
+pidfile = <%= @data_directory %>/pgbouncer.pid
+
+;;;
+;;; Where to wait for clients
+;;;
+
+; ip address or * which means all ip-s
+listen_addr = <%= @listen_addr %>
+listen_port = <%= @listen_port %>
+
+; unix socket is also used for -R.
+; On debian it should be /var/run/postgresql
+;unix_socket_dir = /tmp
+;unix_socket_mode = 0777
+;unix_socket_group =
+
+;;;
+;;; TLS settings for accepring clients
+;;;
+
+;; disable, allow, require, verify-ca, verify-full
+;client_tls_sslmode = disable
+
+;; Path to file that contains trusted CA certs
+;client_tls_ca_file = <system default>
+
+;; Private key and cert to present to clients.
+;; Required for accepting TLS connections from clients.
+;client_tls_key_file =
+;client_tls_cert_file =
+
+;; fast, normal, secure, legacy, <ciphersuite string>
+;client_tls_ciphers = fast
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2
+;client_tls_protocols = all
+
+;; none, auto, legacy
+;client_tls_dheparams = auto
+
+;; none, auto, <curve name>
+;client_tls_ecdhcurve = auto
+
+;;;
+;;; TLS settings for connecting to backend databases
+;;;
+
+;; disable, allow, require, verify-ca, verify-full
+;server_tls_sslmode = disable
+
+;; Path to that contains trusted CA certs
+;server_tls_ca_file = <system default>
+
+;; Private key and cert to present to backend.
+;; Needed only if backend server require client cert.
+;server_tls_key_file =
+;server_tls_cert_file =
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2
+;server_tls_protocols = all
+
+;; fast, normal, secure, legacy, <ciphersuite string>
+;server_tls_ciphers = fast
+
+;;;
+;;; Authentication settings
+;;;
+
+; any, trust, plain, crypt, md5
+auth_type = <%= @auth_type %>
+;auth_file = /8.0/main/global/pg_auth
+auth_file = <%= @data_directory %>/pg_auth
+
+<% unless @auth_hba_file.nil? %>
+;; Path to HBA-style auth config
+auth_hba_file = <%= @auth_hba_file %>
+
+<% end %>
+;; Query to use to fetch password from database.  Result
+;; must have 2 columns - username and password hash.
+auth_query = <%= @auth_query %>
+;;;
+;;; Users allowed into database 'pgbouncer'
+;;;
+
+; comma-separated list of users, who are allowed to change settings
+admin_users = <%= @admin_users.join(', ') %>
+
+; comma-separated list of users who are just allowed to use SHOW command
+stats_users = <%= @stats_users.join(', ') %>
+
+;;;
+;;; Pooler personality questions
+;;;
+
+; When server connection is released back to pool:
+;   session      - after client disconnects
+;   transaction  - after transaction finishes
+;   statement    - after statement finishes
+pool_mode = <%= @pool_mode %>
+
+;
+; Query for cleaning connection immediately after releasing from client.
+; No need to put ROLLBACK here, pgbouncer does not reuse connections
+; where transaction is left open.
+;
+; Query for 8.3+:
+;   DISCARD ALL;
+;
+; Older versions:
+;   RESET ALL; SET SESSION AUTHORIZATION DEFAULT
+;
+; Empty if transaction pooling is in use.
+;
+server_reset_query = <%= @server_reset_query %>
+
+
+; Whether server_reset_query should run in all pooling modes.
+; If it is off, server_reset_query is used only for session-pooling.
+;server_reset_query_always = 0
+
+;
+; Comma-separated list of parameters to ignore when given
+; in startup packet.  Newer JDBC versions require the
+; extra_float_digits here.
+;
+ignore_startup_parameters = <%= @ignore_startup_parameters %>
+
+;
+; When taking idle server into use, this query is ran first.
+;   SELECT 1
+;
+;server_check_query = select 1
+
+; If server was used more recently that this many seconds ago,
+; skip the check query.  Value 0 may or may not run in immediately.
+;server_check_delay = 30
+
+;; Use <appname - host> as application_name on server.
+;application_name_add_host = 0
+
+;;;
+;;; Connection limits
+;;;
+
+; total number of clients that can connect
+max_client_conn = <%= @max_client_conn %>
+
+; default pool size.  20 is good number when transaction pooling
+; is in use, in session pooling it needs to be the number of
+; max clients you want to handle at any moment
+default_pool_size = <%= @default_pool_size %>
+
+;; Minimum number of server connections to keep in pool.
+min_pool_size = <%= @min_pool_size %>
+
+; how many additional connection to allow in case of trouble
+reserve_pool_size = <%= @reserve_pool_size %>
+
+; if a clients needs to wait more than this many seconds, use reserve pool
+reserve_pool_timeout = <%= @reserve_pool_timeout %>
+
+; how many total connections to a single database to allow from all pools
+;max_db_connections = 50
+;max_user_connections = 50
+
+; If off, then server connections are reused in LIFO manner
+server_round_robin = <%= @server_round_robin %>
+
+;;;
+;;; Logging
+;;;
+
+;; Syslog settings
+;syslog = 0
+;syslog_facility = daemon
+;syslog_ident = pgbouncer
+
+; log if client connects or server connection is made
+log_connections = <%= @log_connections %>
+
+; log if and why connection was closed
+;log_disconnections = 1
+
+; log error messages pooler sends to clients
+;log_pooler_errors = 1
+
+;; Period for writing aggregated stats into log.
+;stats_period = 60
+
+;; Logging verbosity.  Same as -v switch on command line.
+;verbose=0
+
+;;;
+;;; Timeouts
+;;;
+
+;; Close server connection if its been connected longer.
+;server_lifetime = 1200
+
+;; Close server connection if its not been used in this time.
+;; Allows to clean unnecessary connections from pool after peak.
+server_idle_timeout = <%= @server_idle_timeout %>
+
+;; Cancel connection attempt if server does not answer takes longer.
+;server_connect_timeout = 15
+
+;; If server login failed (server_connect_timeout or auth failure)
+;; then wait this many second.
+;server_login_retry = 15
+
+;; Dangerous.  Server connection is closed if query does not return
+;; in this time.  Should be used to survive network problems,
+;; _not_ as statement_timeout. (default: 0)
+;query_timeout = 0
+
+;; Dangerous.  Client connection is closed if the query is not assigned
+;; to a server in this time.  Should be used to limit the number of queued
+;; queries in case of a database or network failure. (default: 120)
+;query_wait_timeout = 120
+
+;; Dangerous.  Client connection is closed if no activity in this time.
+;; Should be used to survive network problems. (default: 0)
+;client_idle_timeout = 0
+
+;; Disconnect clients who have not managed to log in after connecting
+;; in this many seconds.
+;client_login_timeout = 60
+
+;; Clean automatically created database entries (via "*") if they
+;; stay unused in this many seconds.
+; autodb_idle_timeout = 3600
+
+;; How long SUSPEND/-R waits for buffer flush before closing connection.
+;suspend_timeout = 10
+
+;; Close connections which are in "IDLE in transaction" state longer than
+;; this many seconds.
+;idle_transaction_timeout = 0
+
+;;;
+;;; Low-level tuning options
+;;;
+
+;; buffer for streaming packets
+;pkt_buf = 4096
+
+;; man 2 listen
+;listen_backlog = 128
+
+;; Max number pkt_buf to process in one event loop.
+;sbuf_loopcnt = 5
+
+;; Maximum Postgres protocol packet size.
+;max_packet_size = 2147483647
+
+;; networking options, for info: man 7 tcp
+
+;; Linux: notify program about new connection only if there
+;; is also data received.  (Seconds to wait.)
+;; On Linux the default is 45, on other OS'es 0.
+;tcp_defer_accept = 0
+
+;; In-kernel buffer size (Linux default: 4096)
+;tcp_socket_buffer = 0
+
+;; whether tcp keepalive should be turned on (0/1)
+;tcp_keepalive = 1
+
+;; following options are Linux-specific.
+;; they also require tcp_keepalive=1
+
+;; count of keepaliva packets
+;tcp_keepcnt = 0
+
+;; how long the connection can be idle,
+;; before sending keepalive packets
+;tcp_keepidle = 0
+
+;; The time between individual keepalive probes.
+;tcp_keepintvl = 0
+
+;; DNS lookup caching time
+dns_max_ttl = <%= @dns_max_ttl %>
+
+;; DNS zone SOA lookup period
+dns_zone_check_period = <%= @dns_zone_check_period %>
+
+;; DNS negative result caching time
+dns_nxdomain_ttl = <%= @dns_nxdomain_ttl %>
+
+;;;
+;;; Random stuff
+;;;
+
+;; Hackish security feature.  Helps against SQL-injection - when PQexec is disabled,
+;; multi-statement cannot be made.
+;disable_pqexec=0
+
+;; Config file to use for next RELOAD/SIGHUP.
+;; By default contains config file from command line.
+;conffile
+
+;; Win32 service name to register as.  job_name is alias for service_name,
+;; used by some Skytools scripts.
+;service_name = pgbouncer
+;job_name = pgbouncer
+
+;; Read additional config from the /etc/pgbouncer/pgbouncer-other.ini file
+;%include /etc/pgbouncer/pgbouncer-other.ini

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-pgbouncer-log-config.erb

+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-pgbouncer-log-run.erb

+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>

files/gitlab-cookbooks/gitlab-ee/templates/default/sv-pgbouncer-run.erb

+#!/bin/sh
+exec 2>&1
+umask 077
+exec chpst -P -U <%= @options[:username]  %> -u <%= @options[:username] %> /opt/gitlab/embedded/bin/pgbouncer <%= File.join(@options[:data_directory], "pgbouncer.ini") %>

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -351,6 +351,7 @@ default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql"
 # defaults to /opt/gitlab/embedded/bin:/opt/gitlab/bin/$PATH. The install-dir path is set at build time
 default['gitlab']['postgresql']['user_path'] = "#{node['package']['install-dir']}/embedded/bin:#{node['package']['install-dir']}/bin:$PATH"
 default['gitlab']['postgresql']['sql_user'] = "gitlab"
+default['gitlab']['postgresql']['sql_user_password'] = nil
 default['gitlab']['postgresql']['sql_mattermost_user'] = "gitlab_mattermost"
 default['gitlab']['postgresql']['port'] = 5432
 # Postgres allow multi listen_address, comma-separated values.