doc: give examples for setting initial root credentials on instantiation (preventing the 'set your password' race)
as per https://gitlab.com/gitlab-org/gitlab-ce/issues/15589 and https://gitlab.com/axil/gitlab-ce/commit/599a6d78737237e806dcfe0105b8b81dc696b71f and https://docs.gitlab.com/ee/security/reset_root_password.html
The documentation (and cookbook?) may be missing hints on setting root password - and avoiding the new race condition where the first person to hit the web page owns/pwns the server - via the cookbook.
I had thought following would work (to set something, the string to be pre-generated if this worked) but it seems to be no good. Anything to prevent "someone logged in first and took my amazon host" disease? What am I missing that's right in front of me?
bash 'set admin password' do
code <<-EOH
gitlab-rails console production <<-EOF
user = User.where(id: 1).first
user.password = 'secret_pass'
user.password_confirmation = 'secret_pass'
user.save!
EOF
EOH
only_if "wget -q -O- http://127.0.0.1/users/sign_in | grep -q \"Change your password\""
endActivity
@bishopolis does this answer your question? https://docs.gitlab.com/omnibus/settings/database.html#seed-the-database-fresh-installs-only
FANTASTIC ! That fixes me perfectly. In my case:
node['omnibus-gitlab']["gitlab_rb"]["gitlab-rails"]['initial_root_password'] = 'newpassword'
And it's done. One has to either
- zero that out later on in the invocation and worry about the /var/chef code being groveled
- dump that into a crypto dbag
But that's about it. SO nice. Thanks so very much for the help.
Edited by username-removed-1568249
