Merge pull request #14 from jubilee2/16.3

16.3.6

Dockerfile

@@ -32,6 +32,9 @@ RUN busybox --install \
 RUN rm -rf /etc/update-motd.d /etc/motd /etc/motd.dynamic
 RUN ln -fs /dev/null /run/motd.dynamic
 
+# Legacy code to be removed on 17.0. See: https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7035
+ENV GITLAB_ALLOW_SHA1_RSA=false
+
 # Copy assets
 COPY RELEASE /
 COPY assets/ /assets/

RELEASE

@@ -1,4 +1,4 @@
 PACKAGECLOUD_REPO=raspberry-pi2
 RELEASE_PACKAGE=gitlab-ce
-RELEASE_VERSION=16.1.5-ce.0
+RELEASE_VERSION=16.3.6-ce.0
 DOWNLOAD_URL=https://packages.gitlab.com/gitlab/${PACKAGECLOUD_REPO}/packages/raspbian/buster/${RELEASE_PACKAGE}_${RELEASE_VERSION}_armhf.deb/download.deb

assets/download-package

@@ -1,14 +1,7 @@
 #!/bin/bash
 
-if [[ ${DOWNLOAD_URL} == *"amazonaws"* ]]; then
- echo "Downloading package from Amazon bucket - ${DOWNLOAD_URL}"
- wget --quiet ${DOWNLOAD_URL} -O /tmp/gitlab.deb
-else
- echo "Downloading package as artifact - ${DOWNLOAD_URL}"
- # If we are fetching the package which is available as an artifact, we need
- # to authenticate to access it. Hence, we pass PRIVATE-TOKEN header.
- wget --quiet --header "PRIVATE-TOKEN: ${TRIGGER_PRIVATE_TOKEN}" ${DOWNLOAD_URL} -O /tmp/gitlab.deb
-fi
+echo "Downloading package as artifact - ${DOWNLOAD_URL}"
+wget --quiet --header "JOB-TOKEN: ${CI_JOB_TOKEN}" ${DOWNLOAD_URL} -O /tmp/gitlab.deb
 
 results=$?
 if [ ${results} -ne 0 ]; then

assets/setup

@@ -6,14 +6,14 @@ source /RELEASE
 
 # Remove sensitive content from RELEASE file. We can't remove the file because
 # we are using it in assets/wrapper.
-sed -i "/DOWNLOAD_URL/d;/TRIGGER_PRIVATE_TOKEN/d;" /RELEASE
+sed -i "/DOWNLOAD_URL/d;/CI_JOB_TOKEN/d;" /RELEASE
 
 # Install GitLab
-DOWNLOAD_URL=${DOWNLOAD_URL} TRIGGER_PRIVATE_TOKEN=${TRIGGER_PRIVATE_TOKEN} /assets/download-package && dpkg -i /tmp/gitlab.deb && rm /tmp/gitlab.deb
+DOWNLOAD_URL=${DOWNLOAD_URL} CI_JOB_TOKEN=${CI_JOB_TOKEN} /assets/download-package && dpkg -i /tmp/gitlab.deb && rm /tmp/gitlab.deb
 rm -rf /var/lib/apt/lists/*
 
 unset DOWNLOAD_URL
-unset TRIGGER_PRIVATE_TOKEN
+unset CI_JOB_TOKEN
 
 # Create sshd daemon
 mkdir -p /opt/gitlab/sv/sshd/supervise /opt/gitlab/sv/sshd/log/supervise
@@ -45,7 +45,7 @@ groupadd -g 992 gitlab-prometheus
 groupadd -g 991 gitlab-consul
 
 # Create accounts
-## The git account is created with * as crypted password as ssh treats the account as locked if it has a ! 
+## The git account is created with * as crypted password as ssh treats the account as locked if it has a !
 ## Issue #5891 https://gitlab.com/gitlab-org/omnibus-gitlab
 useradd -m -u 998 -g git -p '*' -m -s /bin/sh -d /var/opt/gitlab git
 useradd -m -u 999 -g gitlab-www -m -s /bin/false -d /var/opt/gitlab/nginx gitlab-www

assets/wrapper

@@ -106,6 +106,13 @@ sleep 3s
 # Run unclean start detection & cleanup
 detect_unclean_start
 
+# Legacy block to be removed on 17.0. See: https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7035
+# It re-adds support for rsa key types which was removed on 16.0 without going
+# through the proper deprecation process.
+if [ "${GITLAB_ALLOW_SHA1_RSA}" == 'true' ]; then
+ printf '\n# Enabled/Disabled via GITLAB_ALLOW_SHA1_RSA=[true/false]\nHostKeyAlgorithms +ssh-rsa\nPubkeyAcceptedKeyTypes +ssh-rsa' >> /assets/sshd_config
+fi
+
 # Check if this is a valid upgrade path
 # If the VERSION file doesn't exist, then this is not an upgrade
 if old_version=$(cat /var/opt/gitlab/gitlab-rails/VERSION)
@@ -189,7 +196,7 @@ fi
 
 # This must be false when the opt-in PostgreSQL version is the default for pg-upgrade,
 # otherwise it must be true.
-ATTEMPT_AUTO_PG_UPGRADE='true'
+ATTEMPT_AUTO_PG_UPGRADE='false'
 
 # Make sure PostgreSQL is at the latest version.
 # If it fails, print a message with a workaround and exit