GitLab 16 changes

This page contains upgrade information for minor and patch versions of GitLab 16. Ensure you review these instructions for:

  • Your installation type.
  • All versions between your current version and your target version.

Some GitLab installations must upgrade to GitLab 16.0 before upgrading to any other version. For more information, see Long-running user type data change.

For more information about upgrading GitLab Helm Chart, see the release notes for 7.0.

16.3.0

Linux package installations

Specific information applies to Linux package installations:

  • In GitLab 16.0, we announced an upgraded base Docker image, which has a new version of OpenSSH Server. An unintended consequence of the new version is that it disables accepting SSH RSA SHA-1 signatures by default. This issue should only impact users using very outdated SSH clients.

    To avoid problems with SHA-1 signatures being unavailable, users should update their SSH clients because using SHA-1 signatures is discouraged by the upstream library for security reasons.

    To allow for a transition period where users can't immediately upgrade their SSH clients, GitLab 16.3 and later has support for a GITLAB_ALLOW_SHA1_RSA environment variable in the Dockerfile. If GITLAB_ALLOW_SHA1_RSA is set to true, this deprecated support is reactivated.

    Because we want to foster security best practices and follow the upstream recommendation, this environment variable will only be available until GitLab 17.0, when we plan to drop support for it.

    For more information, see:

16.2.0

  • Legacy LDAP configuration settings may cause NoMethodError: undefined method 'devise' for User:Class errors. This error occurs if you have TLS options (such as ca_file) not specified in the tls_options hash, or use the legacy gitlab_rails['ldap_host'] option. See the configuration workarounds for more details.

  • New job artifacts are not replicated if job artifacts are configured to be stored in object storage and direct_upload is enabled. This bug is fixed in GitLab versions 16.1.4, 16.2.3, 16.3.0, and later.

    • Impacted versions: GitLab versions 16.1.0 - 16.1.3 and 16.2.0 - 16.2.2.
    • If you deployed an affected version, after upgrading to a fixed GitLab version, follow these instructions to resync the affected job artifacts.
  • You might encounter the following error while upgrading to GitLab 16.2 or later:

    main: == 20230620134708 ValidateUserTypeConstraint: migrating =======================
    main: -- execute("ALTER TABLE users VALIDATE CONSTRAINT check_0dd5948e38;")
    rake aborted!
    StandardError: An error has occurred, all later migrations canceled:
    PG::CheckViolation: ERROR:  check constraint "check_0dd5948e38" of relation "users" is violated by some row

    For more information, see issue 421629.

Linux package installations

Specific information applies to Linux package installations:

  • In 16.2, we are upgrading Redis from 6.2.11 to 7.0.12. This upgrade is expected to be fully backwards compatible.

    Redis is not automatically restarted as part of gitlab-ctl reconfigure. Hence, users are manually required to run sudo gitlab-ctl restart redis after the reconfigure run so that the new Redis version gets used. A warning mentioning that the installed Redis version is different than the one running is displayed at the end of reconfigure run until the restart is performed.

    If your instance has Redis HA with Sentinel, follow the upgrade steps mentioned in Zero Downtime documentation.

Self-compiled installations

16.1.0

  • A BackfillPreparedAtMergeRequests background migration is finalized with the FinalizeBackFillPreparedAtMergeRequests post-deploy migration. GitLab 15.10.0 introduced a batched background migration to backfill prepared_at values on the merge_requests table. This migration may take multiple days to complete on larger GitLab instances. Make sure the migration has completed successfully before upgrading to 16.1.0.
  • New job artifacts are not replicated if job artifacts are configured to be stored in object storage and direct_upload is enabled. This bug is fixed in GitLab versions 16.1.4, 16.2.3, 16.3.0, and later.
    • Impacted versions: GitLab versions 16.1.0 - 16.1.3 and 16.2.0 - 16.2.2.
    • If you deployed an affected version, after upgrading to a fixed GitLab version, follow these instructions to resync the affected job artifacts.

Self-compiled installations

  • You must remove any settings related to Puma worker killer from the puma.rb configuration file, because those have been removed. For more information, see the puma.rb.example file.

Geo installations

Specific information applies to installations using Geo:

  • Some project imports do not initialize wiki repositories on project creation. Because of the migration of project wikis to SSF, missing wiki repositories are being incorrectly flagged as failing verification. This issue is not a result of an actual replication/verification failure but an invalid internal state for these missing repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for these wiki repositories. If you have not imported projects you are not impacted by this issue.
    • Impacted versions: GitLab versions 15.11.x, 16.0.x, and 16.1.0 - 16.1.2.
    • Versions containing fix: GitLab 16.1.3 and later.
  • Because of the migration of project designs to SSF, missing design repositories are being incorrectly flagged as failing verification. This issue is not a result of an actual replication/verification failure but an invalid internal state for these missing repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for these design repositories. You could be impacted by this issue even if you have not imported projects.
    • Impacted versions: GitLab versions 16.1.x.
    • Versions containing fix: GitLab 16.2.0 and later.

16.0.0

  • Sidekiq crashes if there are non-ASCII characters in the /etc/gitlab/gitlab.rb file. You can fix this by following the workaround in issue 412767.
  • Sidekiq jobs are only routed to default and mailers queues by default, and as a result, every Sidekiq process also listens to those queues to ensure all jobs are processed across all queues. This behavior does not apply if you have configured the routing rules.
  • Docker 20.10.10 or later is required to run the GitLab Docker image. Older versions throw errors on startup.
  • Starting with 16.0, GitLab self-managed installations now have two database connections by default, instead of one. This change doubles the number of PostgreSQL connections. It makes self-managed versions of GitLab behave similarly to GitLab.com, and is a step toward enabling a separate database for CI features for self-managed versions of GitLab. Before upgrading to 16.0, determine if you need to increase max connections for PostgreSQL.
    • This change applies to installation methods with Linux packages (Omnibus), GitLab Helm chart, GitLab Operator, GitLab Docker images, and self-compiled installations.

Linux package installations

Specific information applies to Linux package installations:

  • The binaries for PostgreSQL 12 have been removed.

    Prior to upgrading, administrators of Linux package installations must ensure the installation is using PostgreSQL 13.

  • Bundled Grafana is deprecated and is no longer supported. It is removed in GitLab 16.3.

    For more information, see deprecation notes.

  • This upgrades openssh-server to 1:8.9p1-3.

    Using ssh-keyscan -t rsa with older OpenSSH clients to obtain public key information is no longer viable because of the deprecations listed in OpenSSH 8.7 Release Notes.

    Workaround is to make use of a different key type, or upgrade the client OpenSSH to a version >= 8.7.

Geo installations

Specific information applies to installations using Geo:

  • Some project imports do not initialize wiki repositories on project creation. Because of the migration of project wikis to SSF, missing wiki repositories are being incorrectly flagged as failing verification. This issue is not a result of an actual replication/verification failure but an invalid internal state for these missing repositories inside Geo and results in errors in the logs and the verification progress reporting a failed state for these wiki repositories. If you have not imported projects you are not impacted by this issue.

    • Impacted versions: GitLab versions 15.11.x, 16.0.x, and 16.1.0 - 16.1.2.
    • Versions containing fix: GitLab 16.1.3 and later.

Long-running user type data change

GitLab 16.0 is a required stop for large GitLab instances with a lot of records in the users table.

The threshold is 30,000 users, which includes:

  • Developers and other users in any state, including active, blocked, and pending approval.
  • Bot accounts for project and group access tokens.

GitLab 16.0 introduced a batched background migration to migrate user_type values from NULL to 0. This migration might take multiple days to complete on larger GitLab instances. Make sure the migration has completed successfully before upgrading to 16.1.0 or later.

GitLab 16.1 introduces the FinalizeUserTypeMigration migration which ensures the 16.0 MigrateHumanUserType background migration is completed, making the 16.0 changes synchronously during the upgrade if it's not completed.

GitLab 16.2 implements a NOT NULL database constraint which fails if the 16.0 migration is not complete.

If 16.0 has been skipped (or the 16.0 migration is not complete) subsequent Linux package (Omnibus) and Docker upgrades might fail after an hour:

FATAL: Mixlib::ShellOut::CommandTimeout: rails_migration[gitlab-rails]
[..]
Mixlib::ShellOut::CommandTimeout: Command timed out after 3600s:

There is a fix-forward workaround for this issue.

While the workaround is completing the database changes, GitLab is likely to be in an unusable state, generating 500 errors. The errors are caused by Sidekiq and Puma running application code that is incompatible with the database schema.

At the end of the workaround process, Sidekiq and Puma are restarted to resolve that issue.