Merge branch 'master' of gitlab.com:gitlab-org/omnibus-gitlab into wrapper-no-double-privilege-drop

.gitlab-ci.yml

+# This file is generated by GitLab CI
+jobs:
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Ubuntu 12.04
+  branches: false
+  tags: true
+  runner: ubuntu1204
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Ubuntu 14.04
+  branches: false
+  tags: true
+  runner: ubuntu1404
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Debian 7
+  branches: false
+  tags: true
+  runner: debian7
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Centos 6
+  branches: false
+  tags: true
+  runner: centos6
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Centos 7
+  branches: false
+  tags: true
+  runner: centos7
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make test
+  name: Ubuntu 12.04 master
+  branches: true
+  tags: false
+  runner: ubuntu1204
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make test
+  name: Ubuntu 14.04 master
+  branches: true
+  tags: false
+  runner: ubuntu1404
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make test
+  name: Debian 7 master
+  branches: true
+  tags: false
+  runner: debian7
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make test
+  name: CentOS 6 master
+  branches: true
+  tags: false
+  runner: centos6
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make test
+  name: CentOS 7 master
+  branches: true
+  tags: false
+  runner: centos7
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Debian 8
+  branches: false
+  tags: true
+  runner: debian8
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make test
+  name: Debian 8 master
+  branches: true
+  tags: false
+  runner: debian8
+- script: |
+    bundle install --binstubs --path ~/gems
+    make test
+  name: Raspberry Pi 2 master
+  branches: true
+  tags: false
+  runner: RaspberryPi2
+- script: |
+    bundle install --binstubs --path ~/gems
+    ssh -T git@dev.gitlab.org
+    make do_release
+  name: Raspberry Pi 2
+  branches: false
+  tags: true
+  runner: RaspberryPi2
+
+deploy_jobs: []
+skip_refs: ''

CHANGELOG.md

@@ -3,6 +3,25 @@
 The latest version of this file can be found at the master branch of the
 omnibus-gitlab repository.
+7.12.0
+
+- Allow install_dir to be changed to allow different build paths (DJ Mountney) d205dc9e4da86ea39af18a6715f9538d3893488cf
+- Switched to omnibus fork 99c713cb579e8371a334b4e43a7d7863794d8374
+- Upgraded chef to 12.4.0.rc.0 b1a3870bd5a5bc60335655a4965f8f80a9be939f
+- Remove generated gitlab_shell_secret file during build 8ba8e9221516a0235f565bc5560bd0cec9c3c48e
+- Update redis to 2.8.20 6589e23ed79c883988e0ebefc356699f5f94228f
+- Exit on package installation if backup failed and wasn't skipped 710253c318a029bf1bb158c6c9fc81f0f695fe34
+- Added sslmode and sslrootcert database configuration option (Anthony Brodard) dbeb00346ccafdda50e52cf601c6b457b5981b74
+
+7.11.0
+
+- Set the default certificate authority bundle to the embedded copy (Stan Hu) 673ac210216b9c01d58196e826b98db780a4ccd5
+- Use a different mirror for libossp-uuid (DJ Mountney) 7f46d70855a4d97eb2b833fc2d120ddfc514dfd4
+- Update omnibus-software 42839a91c297b9c637a13fbe4beb05058672abe2
+- Add option to disable gitlab-rails when using only CI a784851e268ca1f23ce817c13a8d421c3211f96a
+- Point to different state file for gitlab logrotate 42591805f64c48cb845538012b2a43fe765637d2
+- Allow setting ssl_dhparam in nginx config 7b0c80ed9c1d85bebeedfc211a9b9e395593278c
+
 7.10.0
 - Add option to disable HTTPS on nginx to support proxied SSL (Stan Hu) 80f4204052ceb3d47a0fdde2e006e79c099e5237
@@ -24,6 +43,13 @@ omnibus-gitlab repository.
 - Restart nginx instead of issuing a HUP signal changes so that changes in listen_address work (Stan Hu) 72d09b9b29a1a974e35aa6088912b6a6c4d7e4ac
 - Automatically stop GitLab, backup, reconfigure and start after a new package is installed
 - Rename the package from 'gitlab' to 'gitlab-ce' / 'gitlab-ee'
+- Update cacerts version e57085281e9f4d3ae15d4f2e14a88b3399cb4df3
+- Better parsing of DB settings in gitlab.rb 503fad5f9d0a4653d8540331f77f487a7b51ce3d
+- Update omnibus-ctl version to 0.3.4 b5972560c801bc22658d459ad00fa4f33a6c34d2
+- Try to detect init system in use on Debian (nextime) 7dd0234c19616e1cbe0656e55ef8a53be3fe882b
+- Devuan support added in runit (nextime) 7dd0234c19616e1cbe0656e55ef8a53be3fe882b
+- Disable EC2 plugin 70ba5285e1e89ababf25c9cb9ac817bb582f5a43
+- Disable multiple ohai plugins 0026ba26757a2b7168e7de86ab0652c0aec62ddf
 7.9.0

Gemfile

 source 'https://rubygems.org'
-gem 'omnibus'
+gem 'omnibus', git: 'https://gitlab.com/gitlab-org/omnibus.git', branch: 'gitlab_omnibus'
 gem 'omnibus-software', :git => 'git://github.com/opscode/omnibus-software.git', :branch => 'master'
 gem 'ohai'
 gem 'package_cloud'

Gemfile.lock

 GIT
   remote: git://github.com/opscode/omnibus-software.git
-  revision: be79783ecc0e5d9caf816f13718d2f45ac049605
+  revision: ea7a40b61917f78493c59920a2e691d56a096691
   branch: master
   specs:
     omnibus-software (4.0.0)
+GIT
+  remote: https://gitlab.com/gitlab-org/omnibus.git
+  revision: c009e40aeb5e87116255386ab454ebf35bcfd496
+  branch: gitlab_omnibus
+  specs:
+    omnibus (4.0.0)
+      chef-sugar (~> 2.2)
+      cleanroom (~> 1.0)
+      mixlib-shellout (~> 1.4)
+      ohai (~> 7.2)
+      thor (~> 0.18)
+      uber-s3
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -36,13 +49,6 @@ GEM
       mixlib-shellout (~> 1.2)
       systemu (~> 2.6.4)
       wmi-lite (~> 1.0)
-    omnibus (4.0.0)
-      chef-sugar (~> 2.2)
-      cleanroom (~> 1.0)
-      mixlib-shellout (~> 1.4)
-      ohai (~> 7.2)
-      thor (~> 0.18)
-      uber-s3
     package_cloud (0.2.18)
       colorize (= 0.6.0)
       highline (= 1.6.20)
@@ -63,7 +69,7 @@ PLATFORMS
 DEPENDENCIES
   json
   ohai
-  omnibus
+  omnibus!
   omnibus-software!
   package_cloud
   thor (= 0.18.1)

Makefile

@@ -4,22 +4,16 @@ RELEASE_BUCKET_REGION=eu-west-1
 SECRET_DIR:=$(shell openssl rand -hex 20)
 PLATFORM_DIR:=$(shell bundle exec support/ohai-helper platform-dir)
 PACKAGECLOUD_USER=gitlab
-PACKAGECLOUD_REPO:=$(shell if support/is_gitlab_ee.sh ; then echo gitlab-ee; else echo gitlab-ce; fi)
+PACKAGECLOUD_REPO:=$(shell support/repo_name.sh)
 PACKAGECLOUD_OS:=$(shell bundle exec support/ohai-helper repo-string)
-UUID_TARBALL=/var/cache/omnibus/cache/uuid-1.6.2.tar.gz
-build: ${UUID_TARBALL}
+build:
 	bin/omnibus build ${PROJECT} --override append_timestamp:false --log-level info
 # No need to suppress timestamps on the test builds
-test_build: ${UUID_TARBALL}
+test_build:
 	bin/omnibus build ${PROJECT} --log-level info
-${UUID_TARBALL}:
-	# Download libossp-uuid outside of omnibus, because FTP through firewalls sucks
-	mkdir -p /var/cache/omnibus/cache
-	curl ftp://ftp.ossp.org/pkg/lib/uuid/uuid-1.6.2.tar.gz > ${UUID_TARBALL}
-
 # If this task were called 'release', running 'make release' would confuse Make
 # because there exists a file called 'release.sh' in this directory. Make has
 # built-in rules on how to build .sh files. By calling this task do_release, it
@@ -30,6 +24,10 @@ do_release: no_changes on_tag purge build move_to_platform_dir sync packagecloud
 test: RELEASE_BUCKET=omnibus-builds
 test: no_changes purge test_build move_to_platform_dir sync
+# Redefine PLATFORM_DIR for Raspberry Pi 2 packages. Do not sync to packagecloud
+do_rpi2_release: PLATFORM_DIR=raspberry-pi
+do_rpi2_release: no_changes purge test_build move_to_platform_dir sync
+
 no_changes:
 	git diff --quiet HEAD
@@ -56,7 +54,7 @@ move_to_platform_dir:
 sync: move_to_secret_dir md5 s3_sync
 move_to_secret_dir:
-	if support/is_gitlab_ee.sh || support/is_gitlab_com.sh ; then \
+	if support/is_gitlab_ee.sh ; then \
 	  mv pkg ${SECRET_DIR} \
 	  && mkdir pkg \
 	  && mv ${SECRET_DIR} pkg/ \
@@ -72,5 +70,5 @@ s3_sync:
 	find pkg -type f | sed "s|pkg|https://${RELEASE_BUCKET}.s3.amazonaws.com|"
 packagecloud:
-	# We set LC_ALL below because package_cloud is picky about the locale
+	# - We set LC_ALL below because package_cloud is picky about the locale
 	LC_ALL='en_US.UTF-8' bin/package_cloud push ${PACKAGECLOUD_USER}/${PACKAGECLOUD_REPO}/${PACKAGECLOUD_OS} $(shell find pkg -name '*.rpm' -or -name '*.deb')

README.md

@@ -18,6 +18,10 @@ stable branch (example shown below).
 ![documentation version](doc/images/omnibus-documentation-version.png)
+## Omnibus fork
+
+Omnibus GitLab is using a fork of [omnibus project](https://github.com/chef/omnibus). Fork is located at [gitlab.com](https://gitlab.com/gitlab-org/omnibus).
+
 ## GitLab CI
 To setup GitLab CI please see the [separate GitLab CI
@@ -514,68 +518,6 @@ gitlab_rails['backup_path'] = '/mnt/backups'
 For details check [backup restore document of GitLab CE](https://gitlab.com/gitlab-org/gitlab-ce/blob/966f68b33e1f15f08e383ec68346ed1bd690b59b/doc/raketasks/backup_restore.md#upload-backups-to-remote-cloud-storage).
-### Scheduling a backup
-
-To schedule a cron job that backs up your repositories and GitLab metadata, use the root user:
-
-```
-sudo su -
-crontab -e
-```
-
-There, add the following line to schedule the backup for everyday at 2 AM:
-
-```
-0 2 * * * /opt/gitlab/bin/gitlab-rake gitlab:backup:create CRON=1
-```
-
-You may also want to set a limited lifetime for backups to prevent regular
-backups using all your disk space.  To do this add the following lines to
-`/etc/gitlab/gitlab.rb` and reconfigure:
-
-```
-# limit backup lifetime to 7 days - 604800 seconds
-gitlab_rails['backup_keep_time'] = 604800
-```
-
-NOTE: This cron job does not [backup your omnibus-gitlab configuration](#backup-and-restore-omnibus-gitlab-configuration) or [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
-
-### Restoring an application backup
-
-We will assume that you have installed GitLab from an omnibus package and run
-`sudo gitlab-ctl reconfigure` at least once.
-
-First make sure your backup tar file is in `/var/opt/gitlab/backups`.
-
-```shell
-sudo cp 1393513186_gitlab_backup.tar /var/opt/gitlab/backups/
-```
-
-Next, restore the backup by running the restore command. You need to specify the
-timestamp of the backup you are restoring.
-
-```shell
-# Stop processes that are connected to the database
-sudo gitlab-ctl stop unicorn
-sudo gitlab-ctl stop sidekiq
-
-# This command will overwrite the contents of your GitLab database!
-sudo gitlab-rake gitlab:backup:restore BACKUP=1393513186
-
-# Start GitLab
-sudo gitlab-ctl start
-
-# Create satellites
-sudo gitlab-rake gitlab:satellites:create
-
-# Check GitLab
-sudo gitlab-rake gitlab:check SANITIZE=true
-```
-
-If there is a GitLab version mismatch between your backup tar file and the installed
-version of GitLab, the restore command will abort with an error. Install a package for
-the [required version](https://www.gitlab.com/downloads/archives/) and try again.
-
 ## Invoking Rake tasks
 To invoke a GitLab Rake task, use `gitlab-rake` (for GitLab) or

config/projects/gitlab.rb

@@ -15,7 +15,7 @@
 ## limitations under the License.
 ##
 #
-ee = system("#{Omnibus::Config.project_root}/support/is_gitlab_ee.sh") || system("#{Omnibus::Config.project_root}/support/is_gitlab_com.sh")
+ee = system("#{Omnibus::Config.project_root}/support/is_gitlab_ee.sh")
 if ee
   name "gitlab-ee"
@@ -44,20 +44,23 @@ build_iteration 1
 override :ruby, version: '2.1.6',  source: { md5: "6e5564364be085c45576787b48eeb75f" }
 override :rubygems, version: '2.2.1'
-override :'chef-gem', version: '11.18.0'
-override :'omnibus-ctl', version: '0.3.3'
+override :chef, version: '12.4.0.rc.0'
+override :'omnibus-ctl', version: '0.3.4'
 override :zlib, version: '1.2.8'
+override :cacerts, version: '2015.04.22', source: { md5: '380df856e8f789c1af97d0da9a243769' }
+override :redis, version: '2.8.20', source: { md5: 'a2588909eb497719bbbf664e6364962a' }
 # Openssh needs to be installed
 runtime_dependency "openssh-server"
 # creates required build directories
 dependency "preparation"
+dependency "package-scripts"
 dependency "git"
 dependency "redis"
 dependency "nginx"
-dependency "chef-gem"
+dependency "chef"
 dependency "remote-syslog" if ee
 dependency "logrotate"
 dependency "runit"
@@ -76,10 +79,10 @@ dependency "version-manifest"
 exclude "\.git*"
 exclude "bundler\/git"
-# Because we have a dynamic 'name' (gitlab-ce or gitlab-ee), omnibus-ruby would
-# look in either package-scripts/gitlab-ce or package-scripts/gitlab-ee. We
-# don't want that so let's hard-code the path.
-package_scripts_path "#{Omnibus::Config.project_root}/package-scripts/gitlab"
+# Our package scripts are generated from .erb files,
+# so we will grab them from an excluded folder
+package_scripts_path "#{install_dir}/.package_util/package-scripts"
+exclude '.package_util'
 package_user 'root'
 package_group 'root'

config/software/gitlab-ci.rb

@@ -16,7 +16,7 @@
 #
 name "gitlab-ci"
-default_version "3e0faedeefb86392dfcd90549584886f7e0c1860" # CI 7.10.0.rc2
+default_version "e82ecff54272c8d13c3283de7c5aa78b4438ba49" # CI 7.11.0
 EE = system("#{Omnibus::Config.project_root}/support/is_gitlab_ee.sh")

config/software/gitlab-cookbooks.rb

@@ -31,4 +31,11 @@ source :path => File.expand_path("files/gitlab-cookbooks", Omnibus::Config.proje
 build do
   command "mkdir -p #{install_dir}/embedded/cookbooks"
   command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/cookbooks/"
+
+  # Create a package cookbook.
+  command "mkdir -p #{install_dir}/embedded/cookbooks/package/attributes"
+  erb :dest => "#{install_dir}/embedded/cookbooks/package/attributes/default.rb",
+      :source => "cookbook_packages_default.erb",
+      :mode => 0755,
+      :vars => { :install_dir => project.install_dir }
 end

config/software/gitlab-ctl.rb

@@ -57,7 +57,7 @@ do
   unset $ruby_env_var
 done
-#{install_dir}/embedded/bin/omnibus-ctl gitlab #{install_dir}/embedded/service/omnibus-ctl $@
+#{install_dir}/embedded/bin/omnibus-ctl #{File.basename(install_dir)} #{install_dir}/embedded/service/omnibus-ctl $@
        EOH
     end
   end

config/software/gitlab-rails.rb

@@ -17,7 +17,7 @@
 #
 name "gitlab-rails"
-default_version "743f3ed60c9a8545bf7bc038bb561ca468485780" # CE 7.10.0.rc2
+default_version "e3e32921a2016a2a80b17532a500b067e4568ba4" # CE 7.11.0
 EE = system("#{Omnibus::Config.project_root}/support/is_gitlab_ee.sh")
@@ -64,7 +64,10 @@ build do
   # Tear down now that the assets:precompile is done.
   delete 'config/gitlab.yml'
   delete 'config/database.yml'
+
+  # Remove auto-generated files
   delete '.secret'
+  delete '.gitlab_shell_secret'
   # Remove directories that will be created by `gitlab-ctl reconfigure`
   delete 'log'

config/software/gitlab-shell.rb

@@ -17,7 +17,7 @@
 #
 name "gitlab-shell"
-default_version "fcb6bb46e88b1c050ca68045461e8663c3b4a77a" # 2.6.2
+default_version "4d30c0c5d3d0f23a221ee507b6bd110a539b8570" # 2.6.3
 dependency "ruby"
 dependency "rsync"

config/software/package-scripts.rb

+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# Copyright:: Copyright (c) 2015 GitLab.com
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "package-scripts"
+
+# Help omnibus-ruby to cache the build product of this software. This is a
+# workaround for the deprecation of `always_build true`. What happens now is
+# that we build only if the contents of the specified directory have changed
+# according to git.
+default_version `git ls-tree HEAD -- config/templates/package-scripts | awk '{ print $3 }'`
+
+build do
+  # Create the package-script folder. The gitlab.rb project excludes this folder from the package.
+  command "mkdir -p #{install_dir}/.package_util/package-scripts"
+
+  # Render the package script erb files
+  Dir.glob(File.join(Omnibus::Config.project_root, 'config/templates/package-scripts/*.erb')).each do |package_script|
+    script = File.basename(package_script, '.*')
+    erb :dest => "#{install_dir}/.package_util/package-scripts/#{script}",
+        :source => File.basename(package_script),
+        :mode => 0755,
+        :vars => { :install_dir => project.install_dir }
+  end
+end
\ No newline at end of file

config/software/cacerts.rb → config/templates/gitlab-cookbooks/cookbook_packages_default.erb

 #
-# Copyright 2012-2014 Chef Software, Inc.
-# Copyright 2014 GitLab B.V.
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# Copyright:: Copyright (c) 2015 GitLab B.V.
+# License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,45 +16,8 @@
 # limitations under the License.
 #
-name "cacerts"
-# Date of the file is in a comment at the start, or in the changelog
-default_version "2015.02.25"
-
-version "2015.02.25" do
-  source md5: "19e7f27540ee694308729fd677163649"
-end
-
-version "2014.09.03" do
-  source md5: "d7f7dd7e3ede3e323fc0e09381f16caf"
-end
-
-version "2014.08.20" do
-  source md5: "c9f4f7f4d6a5ef6633e893577a09865e"
-end
-
-version "2014.07.15" do
-  source md5: "fd48275847fa10a8007008379ee902f1"
-end
-
-version "2014.04.22" do
-  source md5: "9f92a0d9f605e227ae068e605f4c86fa"
-end
-
-version "2014.01.28" do
-  source md5: "5d108f8ab86afacc6663aafca8604dd3"
-end
-
-source url: "http://curl.haxx.se/ca/cacert.pem"
-
-relative_path "cacerts-#{version}"
-
-build do
-  mkdir "#{install_dir}/embedded/ssl/certs"
-  copy "#{project_dir}/cacert.pem", "#{install_dir}/embedded/ssl/certs/cacert.pem"
-
-  # Windows does not support symlinks
-  unless windows?
-    link "#{install_dir}/embedded/ssl/certs/cacert.pem", "#{install_dir}/embedded/ssl/cert.pem"
-  end
-end
+# Package attributes
+# Default location of install-dir is /opt/gitlab/. This path is set during build time.
+# DO NOT change this value unless you are building your own GitLab packages
+default['package']['install-dir'] = "<%= install_dir %>"

package-scripts/gitlab/postinst → config/templates/package-scripts/postinst.erb

@@ -5,6 +5,15 @@
 #
 PROGNAME=$(basename $0)
+DEST_DIR=<%= install_dir %>
+usr_bin_symlinks="\
+  ${DEST_DIR}/bin/gitlab-ctl \
+  ${DEST_DIR}/bin/gitlab-rake \
+  ${DEST_DIR}/bin/gitlab-rails \
+  ${DEST_DIR}/bin/gitlab-ci-rake \
+  ${DEST_DIR}/bin/gitlab-ci-rails \
+"
+symlink_command="ln -sf ${usr_bin_symlinks} /usr/bin/"
 # Try collecting fqdn if it is set correctly
 fqdn=$(/bin/hostname -f)
@@ -22,15 +31,12 @@ error_exit()
 notify()
 {
-  echo "gitlab postinstall: $1"
+  echo "gitlab: $1"
 }
 create_symlinks()
 {
-  for command in gitlab-ctl gitlab-rake gitlab-rails gitlab-ci-rake gitlab-ci-rails
-  do
-    ln -sf /opt/gitlab/bin/$command /usr/bin || error_exit "Could not symlink $command in /usr/bin"
-  done
+  ${symlink_command} || error_exit "Failed to create symlinks in /usr/bin"
 }
 create_config_template()
@@ -38,7 +44,7 @@ create_config_template()
   # Create a minimal gitlab.rb template if /etc/gitlab/gitlab.rb does not exist.
   if ! [ -e /etc/gitlab/gitlab.rb ] ; then
     mkdir -p /etc/gitlab
-    cp /opt/gitlab/etc/gitlab.rb.template /etc/gitlab/gitlab.rb
+    cp "${DEST_DIR}/etc/gitlab.rb.template" /etc/gitlab/gitlab.rb
     sed -i 's!GENERATED_EXTERNAL_URL!'$external_url'!g' /etc/gitlab/gitlab.rb
     chmod 600 /etc/gitlab/gitlab.rb
   fi
@@ -49,7 +55,7 @@ fix_directory_permissions()
   if [ -x /usr/bin/dpkg-query ] ; then
     # We are in the land of .deb packages. We should fix package directory owners
     # because of the faulty 7.2.0 / 7.2.1 .deb packages.
-    /usr/bin/dpkg-query -L gitlab | while read f ; do
+    /usr/bin/dpkg-query -L gitlab-ce gitlab-ee 2>/dev/null | while read f ; do
     if [ -d "$f" ] ; then
       # This directory may have been created when installing omnibus-gitlab
       # 7.2.0 / 7.2.1, so it could have the wrong owner.
@@ -87,13 +93,23 @@ print_welcome
 case "$1" in
   2)
     # Looks like an RPM upgrade
-    /opt/gitlab/bin/gitlab-ctl upgrade
+    ${DEST_DIR}/bin/gitlab-ctl upgrade
     ;;
   configure)
     # Looks like a DEB install. We don't know if it is a fresh install or an
     # upgrade.
-    /opt/gitlab/bin/gitlab-ctl upgrade
+    ${DEST_DIR}/bin/gitlab-ctl upgrade
     ;;
   *)
+    if [ -x /bin/rpm ] ; then
+      # This might be a fresh RPM install, replacing the legacy 'gitlab' package.
+      # The postuninstall script of 'gitlab' will clobber our symlinks, so we
+      # kindly ask the user to recreate them.
+      notify
+      notify "If you just upgraded from GitLab 7.9 or earlier, please run the following"
+      notify "command:"
+      notify
+      notify "sudo ${symlink_command}"
+    fi
     ;;
 esac

package-scripts/gitlab/preinst → config/templates/package-scripts/preinst.erb

 #!/bin/sh
 # GitLab pre-install script
+DEST_DIR=<%= install_dir %>
+
+skip_migrations_file=/etc/gitlab/skip-auto-migrations
+
 main() {
+  if [ -e "${skip_migrations_file}" ] ; then
+    # The user wants us to do nothing
+    return
+  fi
+
   notify "Backing up GitLab SQL database (excluding Git repositories, uploads)"
-  /opt/gitlab/bin/gitlab-rake gitlab:backup:create SKIP=repositories,uploads
+  if ! ${DEST_DIR}/bin/gitlab-rake gitlab:backup:create SKIP=repositories,uploads ; then
+    notify
+    notify "Backup failed! If you want to skip this backup, run the following command and"
+    notify "try again:"
+    notify
+    notify "  sudo touch ${skip_migrations_file}"
+    notify
+    exit 1
+  fi
+
   # Missing: GitLab CI backup
 }

doc/gitlab-ci/README.md

@@ -17,10 +17,10 @@ GitLab CI expects to run on its own virtual host. In your DNS you would then
 have two entries pointing to the same machine, e.g. `gitlab.example.com` and
 `ci.example.com`.
-GitLab CI is disabled by default, to enable it just tell omnibus-gitlab what 
+GitLab CI is disabled by default, to enable it just tell omnibus-gitlab what
 the external URL for the CI server is:
-```
+```ruby
 # in /etc/gitlab/gitlab.rb
 ci_external_url 'http://ci.example.com'
 ```
@@ -29,13 +29,13 @@ After you run `sudo gitlab-ctl reconfigure`, your GitLab CI Coordinator should
 now be reachable at `http://ci.example.com`.
 Follow the on screen instructions on how to generate the app id and secret.
-Once generated, add them to `/etc/gitlab/gitlab.rb`
-```
+Once generated, edit `/etc/gitlab/gitlab.rb` to set the URL for your GitLab server, your generated app id and generated secret:
+```ruby
 gitlab_ci['gitlab_server'] = { 'url' => 'http://gitlab.example.com', 'app_id' => "1234", 'app_secret' => 'qwertyuio'}
 ```
-and run `sudo gitlab-ctl reconfigure` again.
+then run `sudo gitlab-ctl reconfigure` again.
 ## Running GitLab CI on its own server
@@ -45,14 +45,14 @@ the GitLab service bundled into the Omnibus package. The GitLab services will
 still be set up on your CI server, but they will not accept user requests or
 consume system resources.
-```
-external_url 'http://localhost'
+```ruby
 ci_external_url 'http://ci.example.com'
 # Tell GitLab CI to integrate with gitlab.example.com
 gitlab_ci['gitlab_server'] = { 'url' => 'http://gitlab.example.com', 'app_id' => "1234", 'app_secret' => 'qwertyuio'}
 # Shut down GitLab services on the CI server
+gitlab_rails['enable'] = false
 unicorn['enable'] = false
 sidekiq['enable'] = false
-```
\ No newline at end of file
+```

doc/settings/gitlab.yml.md

@@ -4,7 +4,9 @@ Some of GitLab's features can be customized through
 [gitlab.yml][gitlab.yml.example] and [application.yml (GitLab
 CI)][application.yml.example]. If you want to change a `gitlab.yml` setting
 with omnibus-gitlab, you need to do so via `/etc/gitlab/gitlab.rb`. The
-translation works as follows.
+translation works as follows. For a complete list of available options, visit the
+[gitlab.rb.template](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template). New installations starting from GitLab 7.6, will have
+all the options of the template listed in `/etc/gitlab/gitlab.rb` by default.
 In `gitlab.yml`, you will find structure like this:

doc/settings/nginx.md

@@ -33,7 +33,7 @@ sudo cp gitlab.example.com.key gitlab.example.com.crt /etc/gitlab/ssl/
 ```
 Now run `sudo gitlab-ctl reconfigure`. When the reconfigure finishes your
-GitLab instance should be reachable at `http://gitlab.example.com`.
+GitLab instance should be reachable at `https://gitlab.example.com`.
 The SSL certificate and key paths are derived the same way for GitLab CI. If
 you write `ci_external_url "https://ci.example.com"` then `gitlab-ctl
@@ -166,6 +166,36 @@ information, see:
 http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
 https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
+## Using custom ssl ciphers
+
+By default GitLab is using SSL ciphers that are combination of testing on gitlab.com and various best practices contributed by the GitLab community.
+
+However, you can change the ssl ciphers by adding to `gitlab.rb`:
+
+```ruby
+  nginx['ssl_ciphers'] = "CIPHER:CIPHER1"
+```
+
+and running reconfigure. Similar, for GitLab CI:
+
+```ruby
+  ci_nginx['ssl_ciphers'] = "CIPHER:CIPHER1"
+```
+
+You can also enable `ssl_dhparam` directive.
+
+First, generate `dhparams.pem` with `openssl dhparam -out dhparams.pem 2048`. Then, in `gitlab.rb` add a path to the generated file, for example:
+
+```ruby
+  nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
+```
+
+After the change run `sudo gitlab-ctl reconfigure`. Similar, for GitLab CI:
+
+```ruby
+  ci_nginx['ssl_dhparam'] = "/etc/gitlab/ssl/ci_dhparams.pem"
+```
+
 ## Inserting custom NGINX settings into the GitLab server block
 If you need to add custom settings into the NGINX `server` block for GitLab for
@@ -201,6 +231,8 @@ In some cases you may want to host GitLab using an existing Passenger/Nginx
 installation but still have the convenience of updating and installing using
 the omnibus packages.
+### Configuration
+
 First, you'll need to setup your `/etc/gitlab/gitlab.rb` to disable the built-in
 Nginx and Unicorn:
@@ -208,6 +240,9 @@ Nginx and Unicorn:
 # Disable the built-in nginx
 nginx['enable'] = false
+# Disable the built-in nginx for Gitlab CI
+ci_nginx['enable'] = false
+
 # Disable the built-in unicorn
 unicorn['enable'] = false
@@ -217,13 +252,17 @@ gitlab_rails['internal_api_url'] = 'http://git.yourdomain.com'
 Make sure you run `sudo gitlab-ctl reconfigure` for the changes to take effect.
+### Vhost (server block)
+
 Then, in your custom Passenger/Nginx installation, create the following site
-configuration file:
+configuration files:
+
+#### Gitlab
 ```
 server {
   listen *:80;
-  server_name git.yourdomain.com;
+  server_name git.example.com;
   server_tokens off;
   root /opt/gitlab/embedded/service/gitlab-rails/public;
@@ -255,6 +294,57 @@ For a typical Passenger installation this file should probably
 be located at `/etc/nginx/sites-available/gitlab` and symlinked to
 `/etc/nginx/sites-enabled/gitlab`.
+#### Gitlab CI
+
+```
+upstream gitlab_ci {
+  server unix:/var/opt/gitlab/gitlab-ci/sockets/gitlab.socket;
+}
+
+server {
+  listen *:80;
+  server_name ci.example.com;
+  server_tokens off;
+  root /opt/gitlab/embedded/service/gitlab-ci/public;
+
+  client_max_body_size 250m;
+
+  access_log  /var/log/gitlab/nginx/gitlab_ci_access.log;
+  error_log   /var/log/gitlab/nginx/gitlab_ci_error.log;
+
+  location / {
+    ## Serve static files from defined root folder.
+    ## @gitlab_ci is a named location for the upstream fallback, see below.
+    try_files $uri $uri/index.html $uri.html @gitlab_ci;
+  }
+
+  ## If a file, which is not found in the root folder is requested,
+  ## then the proxy passes the request to the upsteam (gitlab-ci unicorn).
+  location @gitlab_ci {
+    ## https://github.com/gitlabhq/gitlabhq/issues/694
+    ## Some requests take more than 30 seconds.
+    proxy_read_timeout      300;
+    proxy_connect_timeout   300;
+    proxy_redirect          off;
+
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_set_header   Host              $http_host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Frame-Options   SAMEORIGIN;
+
+    proxy_pass http://gitlab_ci;
+  }
+
+}
+```
+
+For a typical Passenger installation this file should probably
+be located at `/etc/nginx/sites-available/gitlab_ci` and symlinked to
+`/etc/nginx/sites-enabled/gitlab_ci`.
+
+#### Warning
+
 To ensure that user uploads are accessible your Nginx user (usually `www-data`)
 should be added to the `gitlab-www` group. This can be done using the following command:
@@ -262,9 +352,13 @@ should be added to the `gitlab-www` group. This can be done using the following
 sudo usermod -aG gitlab-www www-data
 ```
+#### Templates
+
 Other than the Passenger configuration in place of Unicorn and the lack of HTTPS
-(although this could be enabled) this file is mostly identical to the
-[bundled Nginx configuration](files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
+(although this could be enabled) these files are mostly identical to :
+
+- [bundled Gitlab Nginx configuration](files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
+- [bundled Gitlab CI Nginx configuration](files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-ci-http.conf.erb)
 Don't forget to restart Nginx to load the new configuration (on Debian-based
 systems `sudo service nginx restart`).