# Object Storage
> 原文:[https://docs.gitlab.com/ee/administration/object_storage.html](https://docs.gitlab.com/ee/administration/object_storage.html)
* [Options](#options)
* [Configuration guides](#configuration-guides)
* [Consolidated object storage configuration](#consolidated-object-storage-configuration)
* [Common parameters](#common-parameters)
* [Connection settings](#connection-settings)
* [S3-compatible connection settings](#s3-compatible-connection-settings)
* [Oracle Cloud S3 connection settings](#oracle-cloud-s3-connection-settings)
* [Google Cloud Storage (GCS)](#google-cloud-storage-gcs)
* [Google example (consolidated form)](#google-example-consolidated-form)
* [OpenStack-compatible connection settings](#openstack-compatible-connection-settings)
* [Rackspace Cloud Files](#rackspace-cloud-files)
* [Object-specific configuration](#object-specific-configuration)
* [Selectively disabling object storage](#selectively-disabling-object-storage)
* [Transition to consolidated form](#transition-to-consolidated-form)
* [Storage-specific configuration](#storage-specific-configuration)
* [Other alternatives to filesystem storage](#other-alternatives-to-filesystem-storage)
* [Warnings, limitations, and known issues](#warnings-limitations-and-known-issues)
* [Use separate buckets](#use-separate-buckets)
* [S3 API compatibility issues](#s3-api-compatibility-issues)
* [GitLab Pages requires NFS](#gitlab-pages-requires-nfs)
* [Incremental logging is required for CI to use object storage](#incremental-logging-is-required-for-ci-to-use-object-storage)
* [Proxy Download](#proxy-download)
* [ETag mismatch](#etag-mismatch)
* [Using Amazon instance profiles](#using-amazon-instance-profiles)
* [Encrypted S3 buckets](#encrypted-s3-buckets)
* [Disabling the feature](#disabling-the-feature)
* [IAM Permissions](#iam-permissions)
# Object Storage[](#object-storage "Permalink")
GitLab 支持使用对象存储服务来保存多种类型的数据. 建议在 NFS 上使用它,并且通常在较大的设置中更好,因为对象存储通常具有更高的性能,可靠性和可伸缩性.
## Options[](#options "Permalink")
GitLab 已在许多对象存储提供程序上进行了测试:
* [Amazon S3](https://aws.amazon.com/s3/)
* [Google Cloud Storage](https://cloud.google.com/storage)
* [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
* [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
* [Openstack Swift](https://s0docs0openstack0org.icopy.site/swift/latest/s3_compat.html)
* 来自各种存储供应商的本地硬件和设备.
* MinIO. 我们在 Helm Chart 文档中提供[了有关部署此配置的指南](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) .
## Configuration guides[](#configuration-guides "Permalink")
在 GitLab 中有两种指定对象存储配置的方式:
* [合并形式](#consolidated-object-storage-configuration) :所有支持的对象类型都共享一个凭证.
* [Storage-specific form](#storage-specific-configuration): Every object defines its own object storage [connection and configuration](#connection-settings).
有关差异以及从一种形式过渡到另一种形式的更多信息,请参见[过渡到合并形式](#transition-to-consolidated-form) .
### Consolidated object storage configuration[](#consolidated-object-storage-configuration "Permalink")
在[GitLab 13.2 中](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4368)引入.
使用合并对象存储配置具有许多优点:
* 由于连接详细信息在对象类型之间共享,因此可以简化您的 GitLab 配置.
* 它允许使用[加密的 S3 存储桶](#encrypted-s3-buckets) .
* It [uploads files to S3 with proper `Content-MD5` headers](https://gitlab.com/gitlab-org/gitlab-workhorse/-/issues/222).
**注意:**由于必须使用[直接上载模式](../development/uploads.html#direct-upload) ,目前仅支持与 AWS S3 兼容的提供商和 Google. 此模式不支持后台上传. 我们建议直接上传模式,因为它不需要共享文件夹,并且[此设置可能成为默认设置](https://gitlab.com/gitlab-org/gitlab/-/issues/27331) .**注意:**合并对象存储配置不能用于备份或 Mattermost. 有关[完整列表,](#storage-specific-configuration)请参见[完整表](#storage-specific-configuration) .
通过为具有多个存储桶的对象存储指定单个凭证,可以将大多数类型的对象(例如 CI 工件,LFS 文件,上传附件等)保存在对象存储中. [每种类型必须使用不同的存储桶](#use-separate-buckets) .
当合并形式为:
* 通过与 S3 兼容的对象存储一起使用,Workhorse 使用其内部的 S3 客户端上载文件.
* 不与 S3 兼容的对象存储一起使用,Workhorse 退回到使用预签名的 URL.
有关更多详细信息,请参见" [ETag 不匹配错误](#etag-mismatch) "部分.
**在所有安装中;**
1. 编辑`/etc/gitlab/gitlab.rb`并添加以下行,以替换所需的值:
```
# Consolidated object storage configuration
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['proxy_download'] = true
gitlab_rails['object_store']['connection'] = {
'provider' => 'AWS',
'region' => '<eu-central-1>',
'aws_access_key_id' => '<AWS_ACCESS_KEY_ID>',
'aws_secret_access_key' => '<AWS_SECRET_ACCESS_KEY>'
}
gitlab_rails['object_store']['objects']['artifacts']['bucket'] = '<artifacts>'
gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '<external-diffs>'
gitlab_rails['object_store']['objects']['lfs']['bucket'] = '<lfs-objects>'
gitlab_rails['object_store']['objects']['uploads']['bucket'] = '<uploads>'
gitlab_rails['object_store']['objects']['packages']['bucket'] = '<packages>'
gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = '<dependency-proxy>'
gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = '<terraform-state>'
```
对于 GitLab 9.4 或更高版本,如果您使用的是 AWS IAM 配置文件,请确保省略 AWS 访问密钥和秘密访问密钥/值对. 例如:
```
gitlab_rails['object_store_connection'] = {
'provider' => 'AWS',
'region' => '<eu-central-1>',
'use_iam_profile' => true
}
```
2. 保存文件并[重新配置 GitLab,](restart_gitlab.html#omnibus-gitlab-reconfigure)以使更改生效.
**在源安装中:**
1. 编辑`/home/git/gitlab/config/gitlab.yml`并添加或修改以下行:
```
object_store:
enabled: true
proxy_download: true
connection:
provider: AWS
aws_access_key_id: <AWS_ACCESS_KEY_ID>
aws_secret_access_key: <AWS_SECRET_ACCESS_KEY>
region: <eu-central-1>
objects:
artifacts:
bucket: <artifacts>
external_diffs:
bucket: <external-diffs>
lfs:
bucket: <lfs-objects>
uploads:
bucket: <uploads>
packages:
bucket: <packages>
dependency_proxy:
bucket: <dependency_proxy>
terraform_state:
bucket: <terraform>
```
2. 编辑`/home/git/gitlab-workhorse/config.toml`并添加或修改以下行:
```
[object_storage]
enabled = true
provider = "AWS"
[object_storage.s3]
aws_access_key_id = "<AWS_ACCESS_KEY_ID>"
aws_secret_access_key = "<AWS_SECRET_ACCESS_KEY>"
```
3. 保存文件并[重新启动 GitLab,](restart_gitlab.html#installations-from-source)以使更改生效.
#### Common parameters[](#common-parameters "Permalink")
在统一配置中, `object_store`部分定义了一组公共参数. 在这里,我们使用源安装中的 YAML,因为它更容易看到继承:
```
object_store:
enabled: true
proxy_download: true
connection:
provider: AWS
aws_access_key_id: <AWS_ACCESS_KEY_ID>
aws_secret_access_key: <AWS_SECRET_ACCESS_KEY>
objects:
...
```
Omnibus 配置直接映射到此:
```
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['proxy_download'] = true
gitlab_rails['object_store']['connection'] = {
'provider' => 'AWS',
'aws_access_key_id' => '<AWS_ACCESS_KEY_ID',
'aws_secret_access_key' => '<AWS_SECRET_ACCESS_KEY>'
}
```
| Setting | Description |
| --- | --- |
| `enabled` | 启用/禁用对象存储 |
| `proxy_download` | 设置为`true`以[启用代理服务的所有文件](#proxy-download) . Option 可以减少出口流量,因为这允许客户端直接从远程存储下载而不是代理所有数据 |
| `connection` | 下述各种连接选项 |
| `objects` | [Object-specific configuration](#object-specific-configuration) |
### Connection settings[](#connection-settings "Permalink")
合并配置表单和特定于存储的配置表单都必须配置连接. 以下各节介绍可在`connection`设置中使用的参数.
#### S3-compatible connection settings[](#s3-compatible-connection-settings "Permalink")
连接设置与[fog-aws](https://github.com/fog/fog-aws)提供的设置匹配:
| Setting | Description | Default |
| --- | --- | --- |
| `provider` | 始终适用于兼容主机的`AWS` | `AWS` |
| `aws_access_key_id` | AWS 凭证或兼容 | |
| `aws_secret_access_key` | AWS 凭证或兼容 | |
| `aws_signature_version` | 要使用的 AWS 签名版本. `2`或`4`是有效选项. 数字海洋空间和其他提供商可能需要`2` . | `4` |
| `enable_signature_v4_streaming` | 设置为`true`以启用具有[AWS v4 签名的](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html) HTTP 分块传输. Oracle Cloud S3 需要将此设置为`false` . | `true` |
| `region` | AWS 区域 | us-east-1 |
| `host` | 不使用 AWS 时与 S3 兼容的主机,例如`localhost`或`storage.example.com` . 假定使用 HTTPS 和端口 443. | `s3.amazonaws.com` |
| `endpoint` | 在配置 S3 兼容服务(例如[MinIO)时](https://min.io) ,可以通过输入 URL(例如`http://127.0.0.1:9000` . 这优先于`host` . | (optional) |
| `path_style` | 设置为`true`以使用`host/bucket_name/object`样式路径而不是`bucket_name.host/object` . 对于 AWS S3,保留为`false` . | `false` |
| `use_iam_profile` | Set to `true` to use IAM profile instead of access keys | `false` |
#### Oracle Cloud S3 connection settings[](#oracle-cloud-s3-connection-settings "Permalink")
请注意,Oracle Cloud S3 必须确保使用以下设置:
| Setting | Value |
| --- | --- |
| `enable_signature_v4_streaming` | `false` |
| `path_style` | `true` |
如果将`enable_signature_v4_streaming`设置为`true` ,那么您可能会在`production.log`看到以下错误:
```
STREAMING-AWS4-HMAC-SHA256-PAYLOAD is not supported
```
#### Google Cloud Storage (GCS)[](#google-cloud-storage-gcs "Permalink")
这是 GCS 的有效连接参数:
| Setting | Description | example |
| --- | --- | --- |
| `provider` | 提供者名称 | `Google` |
| `google_project` | GCP 项目名称 | `gcp-project-12345` |
| `google_client_email` | 服务帐户的电子邮件地址 | `foo@gcp-project-12345.iam.gserviceaccount.com` |
| `google_json_key_location` | JSON 密钥路径 | `/path/to/gcp-project-12345-abcde.json` |
**注意:**服务帐户必须具有访问存储桶的权限. [看更多](https://cloud.google.com/storage/docs/authentication)
##### Google example (consolidated form)[](#google-example-consolidated-form "Permalink")
对于 Omnibus 安装,这是`connection`设置的示例:
```
gitlab_rails['object_store']['connection'] = {
'provider' => 'Google',
'google_project' => '<GOOGLE PROJECT>',
'google_client_email' => '<GOOGLE CLIENT EMAIL>',
'google_json_key_location' => '<FILENAME>'
}
```
#### OpenStack-compatible connection settings[](#openstack-compatible-connection-settings "Permalink")
**注意**这与统一对象存储表单不兼容. 仅特定于存储的表单支持 OpenStack Swift. 如果要使用合并表格,请参阅[S3 设置](#s3-compatible-connection-settings) .
尽管 OpenStack Swift 提供了 S3 兼容性,但某些用户可能希望使用[Swift API](https://s0docs0openstack0org.icopy.site/swift/latest/api/object_api_v1_overview.html) . 这是以下由[swift-openstack](https://github.com/fog/fog-openstack)提供的 Swift API 的有效连接设置:
| Setting | Description | Default |
| --- | --- | --- |
| `provider` | 始终使用`OpenStack`兼容主机 | `OpenStack` |
| `openstack_username` | OpenStack 用户名 | |
| `openstack_api_key` | OpenStack API key | |
| `openstack_temp_url_key` | 用于生成临时 URL 的 OpenStack 密钥 | |
| `openstack_auth_url` | OpenStack 身份验证端点 | |
| `openstack_region` | OpenStack 区域 | |
| `openstack_tenant` | OpenStack 租户 ID | |
#### Rackspace Cloud Files[](#rackspace-cloud-files "Permalink")
**注意**这与统一对象存储表单不兼容. 仅特定于存储的表单支持 Rackspace Cloud.
这是[fog-rackspace](https://github.com/fog/fog-rackspace/)提供的 Rackspace Cloud 的有效连接参数:
| Setting | Description | example |
| --- | --- | --- |
| `provider` | 提供者名称 | `Rackspace` |
| `rackspace_username` | 可访问容器的 Rackspace 帐户的用户名 | `joe.smith` |
| `rackspace_api_key` | 可访问容器的 Rackspace 帐户的 API 密钥 | `ABC123DEF456ABC123DEF456ABC123DE` |
| `rackspace_region` | 要使用的 Rackspace 存储区域,来自[服务访问端点列表的](https://developer.rackspace.com/docs/cloud-files/v1/general-api-info/service-access/)三个字母代码 | `iad` |
| `rackspace_temp_url_key` | 您在 Rackspace API 中为临时 URL 设置的私钥. [在这里](https://developer.rackspace.com/docs/cloud-files/v1/use-cases/public-access-to-your-cloud-files-account/#tempurl)阅读更多 | `ABC123DEF456ABC123DEF456ABC123DE` |
**注意:**无论容器启用还是禁用了公共访问,Fog 都会使用 TempURL 方法来授予对 LFS 对象的访问权限. 如果您在引用使用`temp-url-key`实例化存储的日志中看到错误,请确保已在 Rackspace API 和`gitlab.rb`正确设置了密钥. 您可以通过将带有令牌标头的 GET 请求发送到服务访问端点 URL 并比较返回的标头的输出,来验证 Rackspace 密钥的设置值.
### Object-specific configuration[](#object-specific-configuration "Permalink")
以下 YAML 显示了`object_store`部分如何定义特定于对象的配置块,以及如何覆盖`enabled`和`proxy_download`标志. `bucket`是每种类型中唯一需要的参数:
```
object_store:
connection:
...
objects:
artifacts:
bucket: artifacts
proxy_download: false
external_diffs:
bucket: external-diffs
lfs:
bucket: lfs-objects
uploads:
bucket: uploads
packages:
bucket: packages
dependency_proxy:
enabled: false
bucket: dependency_proxy
terraform_state:
bucket: terraform
```
这映射到此 Omnibus GitLab 配置:
```
gitlab_rails['object_store']['objects']['artifacts']['bucket'] = 'artifacts'
gitlab_rails['object_store']['objects']['artifacts']['proxy_download'] = false
gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = 'external-diffs'
gitlab_rails['object_store']['objects']['lfs']['bucket'] = 'lfs-objects'
gitlab_rails['object_store']['objects']['uploads']['bucket'] = 'uploads'
gitlab_rails['object_store']['objects']['packages']['bucket'] = 'packages'
gitlab_rails['object_store']['objects']['dependency_proxy']['enabled'] = false
gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = 'dependency-proxy'
gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = 'terraform-state'
```
这是可以使用的有效`objects`的列表:
| Type | Description |
| --- | --- |
| `artifacts` | [CI artifacts](job_artifacts.html) |
| `external_diffs` | [Merge request diffs](merge_request_diffs.html) |
| `uploads` | [User uploads](uploads.html) |
| `lfs` | [Git Large File Storage objects](lfs/index.html) |
| `packages` | [Project packages (e.g. PyPI, Maven, NuGet, etc.)](packages/index.html) |
| `dependency_proxy` | [GitLab Dependency Proxy](packages/dependency_proxy.html) |
| `terraform_state` | [Terraform state files](terraform_state.html) |
在每种对象类型中,可以定义三个参数:
| Setting | Required? | Description |
| --- | --- | --- |
| `bucket` | Yes | 对象存储的存储桶名称. |
| `enabled` | No | 覆盖通用参数 |
| `proxy_download` | No | 覆盖通用参数 |
#### Selectively disabling object storage[](#selectively-disabling-object-storage "Permalink")
如上所示,可以通过将`enabled`标志设置为`false`来禁用特定类型的对象存储. 例如,要禁用 CI 工件的对象存储:
```
gitlab_rails['object_store']['objects']['artifacts']['enabled'] = false
```
如果功能完全禁用,则不需要存储桶. 例如,如果使用此设置禁用了 CI 构件,则不需要存储桶:
```
gitlab_rails['artifacts_enabled'] = false
```
### Transition to consolidated form[](#transition-to-consolidated-form "Permalink")
在 GitLab 13.2 之前:
* 所有类型的对象(例如 CI / CD 工件,LFS 文件,上载附件等)的对象存储配置都必须独立配置.
* 对于每种类型,必须复制对象存储连接参数,例如密码和端点 URL.
例如,Omnibus GitLab 安装可能具有以下配置:
```
# Original object storage configuration
gitlab_rails['artifacts_object_store_enabled'] = true
gitlab_rails['artifacts_object_store_direct_upload'] = true
gitlab_rails['artifacts_object_store_proxy_download'] = true
gitlab_rails['artifacts_object_store_remote_directory'] = 'artifacts'
gitlab_rails['artifacts_object_store_connection'] = { 'provider' => 'AWS', 'aws_access_key_id' => 'access_key', 'aws_secret_access_key' => 'secret' }
gitlab_rails['uploads_object_store_enabled'] = true
gitlab_rails['uploads_object_store_direct_upload'] = true
gitlab_rails['uploads_object_store_proxy_download'] = true
gitlab_rails['uploads_object_store_remote_directory'] = 'uploads'
gitlab_rails['uploads_object_store_connection'] = { 'provider' => 'AWS', 'aws_access_key_id' => 'access_key', 'aws_secret_access_key' => 'secret' }
```
尽管这样做提供了灵活性,但它使得 GitLab 可以跨不同的云提供商存储对象,但同时也带来了额外的复杂性和不必要的冗余. 由于 GitLab Rails 和 Workhorse 组件都需要访问对象存储,因此合并后的表单避免了过多的凭据重复.
**注意** **仅**当省略原始表单中的所有行时, **才**使用合并对象存储配置. 要移至合并的表单,请除去原始配置(例如, `artifacts_object_store_enabled` , `uploads_object_store_connection`等).
## Storage-specific configuration[](#storage-specific-configuration "Permalink")
有关在 GitLab 13.1 和更早版本中配置对象存储的信息,或对于统一配置表单不支持的存储类型的信息,请参阅以下指南:
| 对象存储类型 | 支持统一配置吗? |
| --- | --- |
| [Backups](../raketasks/backup_restore.html#uploading-backups-to-a-remote-cloud-storage) | No |
| [Job artifacts](job_artifacts.html#using-object-storage) and [incremental logging](job_logs.html#new-incremental-logging-architecture) | Yes |
| [LFS objects](lfs/index.html#storing-lfs-objects-in-remote-object-storage) | Yes |
| [Uploads](uploads.html#using-object-storage-core-only) | Yes |
| [容器注册表](packages/container_registry.html#container-registry-storage-driver) (可选功能) | No |
| [Merge request diffs](merge_request_diffs.html#using-object-storage) | Yes |
| [Mattermost](https://docs.mattermost.com/administration/config-settings.html#file-storage) | No |
| [软件包](packages/index.html#using-object-storage) (可选功能) | Yes |
| [依赖代理](packages/dependency_proxy.html#using-object-storage) (可选功能) | Yes |
| [假名生成器](pseudonymizer.html#configuration) (可选功能) | No |
| [Autoscale Runner 缓存](https://docs.gitlab.com/runner/configuration/autoscale.html) (可选以提高性能) | No |
| [Terraform state files](terraform_state.html#using-object-storage-core-only) | Yes |
### Other alternatives to filesystem storage[](#other-alternatives-to-filesystem-storage "Permalink")
如果您正在努力[扩展](reference_architectures/index.html) GitLab 实施,或增加容错能力和冗余性,则可能正在考虑消除对块或网络文件系统的依赖. 请参阅以下指南,并[注意 Pages 需要磁盘存储](#gitlab-pages-requires-nfs) :
1. 确保[`git`用户主目录](https://docs.gitlab.com/omnibus/settings/configuration.html)位于本地磁盘上.
2. 配置[SSH 密钥的数据库查找,](operations/fast_ssh_key_lookup.html)以消除对共享的`authorized_keys`文件的需要.
## Warnings, limitations, and known issues[](#warnings-limitations-and-known-issues "Permalink")
### Use separate buckets[](#use-separate-buckets "Permalink")
对于 GitLab,建议为每种数据类型使用单独的存储桶.
我们的配置的局限性是对象存储的每次使用都是单独配置的. [我们有一个需要改进的问题](https://gitlab.com/gitlab-org/gitlab/-/issues/23345) ,轻松地将一个存储桶与单独的文件夹一起使用可能会带来一个改进.
使用同一个存储桶至少有一个特定的问题:当使用 Helm 图表部署 GitLab 时,除非使用单独的存储桶,否则从备份还原[将无法正常工作](https://docs.gitlab.com/charts/advanced/external-object-storage/) .
使用单个存储桶的风险之一是,如果您的组织将来决定将 GitLab 迁移到 Helm 部署. GitLab 可以运行,但是直到组织对备份起作用的关键要求之前,备份的情况可能无法实现.
### S3 API compatibility issues[](#s3-api-compatibility-issues "Permalink")
并非所有 S3 提供程序[都](../raketasks/backup_restore.html#other-s3-providers)与 GitLab 使用的 Fog 库[完全兼容](../raketasks/backup_restore.html#other-s3-providers) . 症状包括`production.log`的错误:
```
411 Length Required
```
### GitLab Pages requires NFS[](#gitlab-pages-requires-nfs "Permalink")
如果您要添加更多的 GitLab 服务器以进行[缩放或容错,](reference_architectures/index.html)并且您的要求之一是[GitLab 页面,](../user/project/pages/index.html)则当前需要 NFS. 有[工作正在进行中](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/196)去除这种依赖性. 将来,GitLab 页面可能会使用[对象存储](https://gitlab.com/gitlab-org/gitlab/-/issues/208135) .
对磁盘存储的依赖性还阻止了使用[GitLab Helm 图表](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/37)部署 Pages.
### Incremental logging is required for CI to use object storage[](#incremental-logging-is-required-for-ci-to-use-object-storage "Permalink")
如果将 GitLab 配置为将对象存储用于 CI 日志和工件,则[还必须启用增量日志记录](job_artifacts.html#using-object-storage) .
### Proxy Download[](#proxy-download "Permalink")
对象存储的许多使用情况都允许将客户端流量重定向到对象存储后端,例如当 Git 客户端通过 LFS 请求大文件时或在下载 CI 工件和日志时.
When the files are stored on local block storage or NFS, GitLab has to act as a proxy. This is not the default behavior with object storage.
`proxy_download`设置控制此行为:默认设置通常为`false` . 在每个用例的文档中对此进行验证. 将其设置为`true`以便 GitLab 代理文件.
当不代理文件时,GitLab 将返回[HTTP 302 重定向,该重定向带有预先签名的有时间限制的对象存储 URL](https://gitlab.com/gitlab-org/gitlab/-/issues/32117#note_218532298) . 这可能会导致以下一些问题:
* 如果 GitLab 使用非安全的 HTTP 访问对象存储,则客户端可能会生成`https->http`降级错误,并拒绝处理重定向. 解决方案是让 GitLab 使用 HTTPS. 例如,LFS 将产生此错误:
```
LFS: lfsapi/client: refusing insecure redirect, https->http
```
* 客户端将需要信任颁发对象存储证书的证书颁发机构,或者可能返回常见的 TLS 错误,例如:
```
x509: certificate signed by unknown authority
```
* 客户端将需要网络访问对象存储. 如果没有此访问权限,则可能导致的错误包括:
```
Received status code 403 from server: Forbidden
```
[软件包存储库文档中](packages/index.html#using-object-storage)特别注明了获取" `403 Forbidden`响应",这是某些构建工具的工作方式的副作用.
### ETag mismatch[](#etag-mismatch "Permalink")
使用默认的 GitLab 设置,某些对象存储后端(例如[MinIO](https://gitlab.com/gitlab-org/gitlab/-/issues/23188)和[Alibaba)](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1564)可能会生成`ETag mismatch`错误.
如果您在 Amazon Web Services S3 中看到此 ETag 不匹配错误,则可能是由于[存储桶上的加密设置](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html)所致. 要解决此问题,您有两种选择:
* [Use the consolidated object configuration](#consolidated-object-storage-configuration).
* [Use Amazon instance profiles](#using-amazon-instance-profiles).
对于 MinIO,建议使用第一个选项. 否则, [MinIO](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1564#note_244497658)的[解决方法](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1564#note_244497658)是在服务器上使用`--compat`参数.
在未启用统一对象存储配置或实例配置文件的情况下,GitLab Workhorse 将使用没有为它们计算出`Content-MD5` HTTP 标头的预签名 URL 将文件上传到 S3\. 为了确保数据没有损坏,Workhorse 检查发送的数据的 MD5 哈希值是否等于从 S3 服务器返回的 ETag 标头. 启用加密后,情况并非如此,这将导致 Workhorse 在上传期间报告`ETag mismatch`错误.
通过整合的对象配置和实例配置文件,Workhorse 具有 S3 凭据,因此可以计算`Content-MD5`标头. 这样就无需比较从 S3 服务器返回的 ETag 标头.
### Using Amazon instance profiles[](#using-amazon-instance-profiles "Permalink")
可以将 GitLab 配置为使用 IAM 角色来设置[Amazon 实例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) ,而不是在对象存储配置中提供 AWS 访问和秘密密钥. 使用此功能时,每次访问 S3 存储桶时,GitLab 都会获取临时凭证,因此配置中不需要硬编码的值.
#### Encrypted S3 buckets[](#encrypted-s3-buckets "Permalink")
版本历史
* 在[GitLab 13.1](https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/466)中仅针对实例配置文件引入.
* 使用[整合对象存储配置](#consolidated-object-storage-configuration)时,在[GitLab 13.2 中](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34460)引入了用于静态证书的功能.
使用实例概要文件或统一对象配置进行配置时,GitLab Workhorse 可以将文件正确上载到[默认情况下启用 SSE-S3 或 SSE-KMS 加密的](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html) S3 存储桶. 请注意, [尚不支持](https://gitlab.com/gitlab-org/gitlab/-/issues/226006)客户主密钥(CMK)和 SSE-C 加密, [因为这需要向 GitLab 配置提供密钥](https://gitlab.com/gitlab-org/gitlab/-/issues/226006) .
##### Disabling the feature[](#disabling-the-feature "Permalink")
当[`use_iam_profile`配置选项](#iam-permissions)设置为`true`时,默认情况下启用 Workhorse S3 客户端.
可以使用`:use_workhorse_s3_client`功能标记禁用该功能. 要禁用该功能,请要求具有[Rails 控制台访问权限](feature_flags.html#how-to-enable-and-disable-features-behind-flags)的 GitLab 管理员运行以下命令:
```
Feature.disable(:use_workhorse_s3_client)
```
#### IAM Permissions[](#iam-permissions "Permalink")
设置实例配置文件:
1. 创建具有必要权限的 Amazon Identity Access and Management(IAM)角色. 以下示例是名为`test-bucket`的 S3 存储桶的角色:
```
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::test-bucket/*" } ] }
```
2. [将此角色附加](https://aws.amazon.com/premiumsupport/knowledge-center/attach-replace-ec2-instance-profile/)到托管您的 GitLab 实例的 EC2 实例.
3. 通过`use_iam_profile`配置选项配置 GitLab 以使用它.
- GitLab Docs
- Installation
- Requirements
- GitLab cloud native Helm Chart
- Install GitLab with Docker
- Installation from source
- Install GitLab on Microsoft Azure
- Installing GitLab on Google Cloud Platform
- Installing GitLab on Amazon Web Services (AWS)
- Analytics
- Code Review Analytics
- Productivity Analytics
- Value Stream Analytics
- Kubernetes clusters
- Adding and removing Kubernetes clusters
- Adding EKS clusters
- Adding GKE clusters
- Group-level Kubernetes clusters
- Instance-level Kubernetes clusters
- Canary Deployments
- Cluster Environments
- Deploy Boards
- GitLab Managed Apps
- Crossplane configuration
- Cluster management project (alpha)
- Kubernetes Logs
- Runbooks
- Serverless
- Deploying AWS Lambda function using GitLab CI/CD
- Securing your deployed applications
- Groups
- Contribution Analytics
- Custom group-level project templates
- Epics
- Manage epics
- Group Import/Export
- Insights
- Issues Analytics
- Iterations
- Public access
- SAML SSO for GitLab.com groups
- SCIM provisioning using SAML SSO for GitLab.com groups
- Subgroups
- Roadmap
- Projects
- GitLab Secure
- Security Configuration
- Container Scanning
- Dependency Scanning
- Dependency List
- Static Application Security Testing (SAST)
- Secret Detection
- Dynamic Application Security Testing (DAST)
- GitLab Security Dashboard
- Offline environments
- Standalone Vulnerability pages
- Security scanner integration
- Badges
- Bulk editing issues and merge requests at the project level
- Code Owners
- Compliance
- License Compliance
- Compliance Dashboard
- Create a project
- Description templates
- Deploy Keys
- Deploy Tokens
- File finder
- Project integrations
- Integrations
- Atlassian Bamboo CI Service
- Bugzilla Service
- Custom Issue Tracker service
- Discord Notifications service
- Enabling emails on push
- GitHub project integration
- Hangouts Chat service
- Atlassian HipChat
- Irker IRC Gateway
- GitLab Jira integration
- Mattermost Notifications Service
- Mattermost slash commands
- Microsoft Teams service
- Mock CI Service
- Prometheus integration
- Redmine Service
- Slack Notifications Service
- Slack slash commands
- GitLab Slack application
- Webhooks
- YouTrack Service
- Insights
- Issues
- Crosslinking Issues
- Design Management
- Confidential issues
- Due dates
- Issue Boards
- Issue Data and Actions
- Labels
- Managing issues
- Milestones
- Multiple Assignees for Issues
- Related issues
- Service Desk
- Sorting and ordering issue lists
- Issue weight
- Associate a Zoom meeting with an issue
- Merge requests
- Allow collaboration on merge requests across forks
- Merge Request Approvals
- Browser Performance Testing
- How to create a merge request
- Cherry-pick changes
- Code Quality
- Load Performance Testing
- Merge Request dependencies
- Fast-forward merge requests
- Merge when pipeline succeeds
- Merge request conflict resolution
- Reverting changes
- Reviewing and managing merge requests
- Squash and merge
- Merge requests versions
- Draft merge requests
- Members of a project
- Migrating projects to a GitLab instance
- Import your project from Bitbucket Cloud to GitLab
- Import your project from Bitbucket Server to GitLab
- Migrating from ClearCase
- Migrating from CVS
- Import your project from FogBugz to GitLab
- Gemnasium
- Import your project from GitHub to GitLab
- Project importing from GitLab.com to your private GitLab instance
- Import your project from Gitea to GitLab
- Import your Jira project issues to GitLab
- Migrating from Perforce Helix
- Import Phabricator tasks into a GitLab project
- Import multiple repositories by uploading a manifest file
- Import project from repo by URL
- Migrating from SVN to GitLab
- Migrating from TFVC to Git
- Push Options
- Releases
- Repository
- Branches
- Git Attributes
- File Locking
- Git file blame
- Git file history
- Repository mirroring
- Protected branches
- Protected tags
- Push Rules
- Reduce repository size
- Signing commits with GPG
- Syntax Highlighting
- GitLab Web Editor
- Web IDE
- Requirements Management
- Project settings
- Project import/export
- Project access tokens (Alpha)
- Share Projects with other Groups
- Snippets
- Static Site Editor
- Wiki
- Project operations
- Monitor metrics for your CI/CD environment
- Set up alerts for Prometheus metrics
- Embedding metric charts within GitLab-flavored Markdown
- Embedding Grafana charts
- Using the Metrics Dashboard
- Dashboard YAML properties
- Metrics dashboard settings
- Panel types for dashboards
- Using Variables
- Templating variables for metrics dashboards
- Prometheus Metrics library
- Monitoring AWS Resources
- Monitoring HAProxy
- Monitoring Kubernetes
- Monitoring NGINX
- Monitoring NGINX Ingress Controller
- Monitoring NGINX Ingress Controller with VTS metrics
- Alert Management
- Error Tracking
- Tracing
- Incident Management
- GitLab Status Page
- Feature Flags
- GitLab CI/CD
- GitLab CI/CD pipeline configuration reference
- GitLab CI/CD include examples
- Introduction to CI/CD with GitLab
- Getting started with GitLab CI/CD
- How to enable or disable GitLab CI/CD
- Using SSH keys with GitLab CI/CD
- Migrating from CircleCI
- Migrating from Jenkins
- Auto DevOps
- Getting started with Auto DevOps
- Requirements for Auto DevOps
- Customizing Auto DevOps
- Stages of Auto DevOps
- Upgrading PostgreSQL for Auto DevOps
- Cache dependencies in GitLab CI/CD
- GitLab ChatOps
- Cloud deployment
- Docker integration
- Building Docker images with GitLab CI/CD
- Using Docker images
- Building images with kaniko and GitLab CI/CD
- GitLab CI/CD environment variables
- Predefined environment variables reference
- Where variables can be used
- Deprecated GitLab CI/CD variables
- Environments and deployments
- Protected Environments
- GitLab CI/CD Examples
- Test a Clojure application with GitLab CI/CD
- Using Dpl as deployment tool
- Testing a Phoenix application with GitLab CI/CD
- End-to-end testing with GitLab CI/CD and WebdriverIO
- DevOps and Game Dev with GitLab CI/CD
- Deploy a Spring Boot application to Cloud Foundry with GitLab CI/CD
- How to deploy Maven projects to Artifactory with GitLab CI/CD
- Testing PHP projects
- Running Composer and NPM scripts with deployment via SCP in GitLab CI/CD
- Test and deploy Laravel applications with GitLab CI/CD and Envoy
- Test and deploy a Python application with GitLab CI/CD
- Test and deploy a Ruby application with GitLab CI/CD
- Test and deploy a Scala application to Heroku
- GitLab CI/CD for external repositories
- Using GitLab CI/CD with a Bitbucket Cloud repository
- Using GitLab CI/CD with a GitHub repository
- GitLab Pages
- GitLab Pages
- GitLab Pages domain names, URLs, and baseurls
- Create a GitLab Pages website from scratch
- Custom domains and SSL/TLS Certificates
- GitLab Pages integration with Let's Encrypt
- GitLab Pages Access Control
- Exploring GitLab Pages
- Incremental Rollouts with GitLab CI/CD
- Interactive Web Terminals
- Optimizing GitLab for large repositories
- Metrics Reports
- CI/CD pipelines
- Pipeline Architecture
- Directed Acyclic Graph
- Multi-project pipelines
- Parent-child pipelines
- Pipelines for Merge Requests
- Pipelines for Merged Results
- Merge Trains
- Job artifacts
- Pipeline schedules
- Pipeline settings
- Triggering pipelines through the API
- Review Apps
- Configuring GitLab Runners
- GitLab CI services examples
- Using MySQL
- Using PostgreSQL
- Using Redis
- Troubleshooting CI/CD
- GitLab Package Registry
- GitLab Container Registry
- Dependency Proxy
- GitLab Composer Repository
- GitLab Conan Repository
- GitLab Maven Repository
- GitLab NPM Registry
- GitLab NuGet Repository
- GitLab PyPi Repository
- API Docs
- API resources
- .gitignore API
- GitLab CI YMLs API
- Group and project access requests API
- Appearance API
- Applications API
- Audit Events API
- Avatar API
- Award Emoji API
- Project badges API
- Group badges API
- Branches API
- Broadcast Messages API
- Project clusters API
- Group clusters API
- Instance clusters API
- Commits API
- Container Registry API
- Custom Attributes API
- Dashboard annotations API
- Dependencies API
- Deploy Keys API
- Deployments API
- Discussions API
- Dockerfiles API
- Environments API
- Epics API
- Events
- Feature Flags API
- Feature flag user lists API
- Freeze Periods API
- Geo Nodes API
- Group Activity Analytics API
- Groups API
- Import API
- Issue Boards API
- Group Issue Boards API
- Issues API
- Epic Issues API
- Issues Statistics API
- Jobs API
- Keys API
- Labels API
- Group Labels API
- License
- Licenses API
- Issue links API
- Epic Links API
- Managed Licenses API
- Markdown API
- Group and project members API
- Merge request approvals API
- Merge requests API
- Project milestones API
- Group milestones API
- Namespaces API
- Notes API
- Notification settings API
- Packages API
- Pages domains API
- Pipeline schedules API
- Pipeline triggers API
- Pipelines API
- Project Aliases API
- Project import/export API
- Project repository storage moves API
- Project statistics API
- Project templates API
- Projects API
- Protected branches API
- Protected tags API
- Releases API
- Release links API
- Repositories API
- Repository files API
- Repository submodules API
- Resource label events API
- Resource milestone events API
- Resource weight events API
- Runners API
- SCIM API
- Search API
- Services API
- Application settings API
- Sidekiq Metrics API
- Snippets API
- Project snippets
- Application statistics API
- Suggest Changes API
- System hooks API
- Tags API
- Todos API
- Users API
- Project-level Variables API
- Group-level Variables API
- Version API
- Vulnerabilities API
- Vulnerability Findings API
- Wikis API
- GraphQL API
- Getting started with GitLab GraphQL API
- GraphQL API Resources
- API V3 to API V4
- Validate the .gitlab-ci.yml (API)
- User Docs
- Abuse reports
- User account
- Active sessions
- Deleting a User account
- Permissions
- Personal access tokens
- Profile preferences
- Threads
- GitLab and SSH keys
- GitLab integrations
- Git
- GitLab.com settings
- Infrastructure as code with Terraform and GitLab
- GitLab keyboard shortcuts
- GitLab Markdown
- AsciiDoc
- GitLab Notification Emails
- GitLab Quick Actions
- Autocomplete characters
- Reserved project and group names
- Search through GitLab
- Advanced Global Search
- Advanced Syntax Search
- Time Tracking
- GitLab To-Do List
- Administrator Docs
- Reference architectures
- Reference architecture: up to 1,000 users
- Reference architecture: up to 2,000 users
- Reference architecture: up to 3,000 users
- Reference architecture: up to 5,000 users
- Reference architecture: up to 10,000 users
- Reference architecture: up to 25,000 users
- Reference architecture: up to 50,000 users
- Troubleshooting a reference architecture set up
- Working with the bundled Consul service
- Configuring PostgreSQL for scaling
- Configuring GitLab application (Rails)
- Load Balancer for multi-node GitLab
- Configuring a Monitoring node for Scaling and High Availability
- NFS
- Working with the bundled PgBouncer service
- Configuring Redis for scaling
- Configuring Sidekiq
- Admin Area settings
- Continuous Integration and Deployment Admin settings
- Custom instance-level project templates
- Diff limits administration
- Enable and disable GitLab features deployed behind feature flags
- Geo nodes Admin Area
- GitLab Pages administration
- Health Check
- Job logs
- Labels administration
- Log system
- PlantUML & GitLab
- Repository checks
- Repository storage paths
- Repository storage types
- Account and limit settings
- Service templates
- System hooks
- Changing your time zone
- Uploads administration
- Abuse reports
- Activating and deactivating users
- Audit Events
- Blocking and unblocking users
- Broadcast Messages
- Elasticsearch integration
- Gitaly
- Gitaly Cluster
- Gitaly reference
- Monitoring GitLab
- Monitoring GitLab with Prometheus
- Performance Bar
- Usage statistics
- Object Storage
- Performing Operations in GitLab
- Cleaning up stale Redis sessions
- Fast lookup of authorized SSH keys in the database
- Filesystem Performance Benchmarking
- Moving repositories managed by GitLab
- Run multiple Sidekiq processes
- Sidekiq MemoryKiller
- Switching to Puma
- Understanding Unicorn and unicorn-worker-killer
- User lookup via OpenSSH's AuthorizedPrincipalsCommand
- GitLab Package Registry administration
- GitLab Container Registry administration
- Replication (Geo)
- Geo database replication
- Geo with external PostgreSQL instances
- Geo configuration
- Using a Geo Server
- Updating the Geo nodes
- Geo with Object storage
- Docker Registry for a secondary node
- Geo for multiple nodes
- Geo security review (Q&A)
- Location-aware Git remote URL with AWS Route53
- Tuning Geo
- Removing secondary Geo nodes
- Geo data types support
- Geo Frequently Asked Questions
- Geo Troubleshooting
- Geo validation tests
- Disaster Recovery (Geo)
- Disaster recovery for planned failover
- Bring a demoted primary node back online
- Automatic background verification
- Rake tasks
- Back up and restore GitLab
- Clean up
- Namespaces
- Maintenance Rake tasks
- Geo Rake Tasks
- GitHub import
- Import bare repositories
- Integrity check Rake task
- LDAP Rake tasks
- Listing repository directories
- Praefect Rake tasks
- Project import/export administration
- Repository storage Rake tasks
- Generate sample Prometheus data
- Uploads migrate Rake tasks
- Uploads sanitize Rake tasks
- User management
- Webhooks administration
- X.509 signatures
- Server hooks
- Static objects external storage
- Updating GitLab
- GitLab release and maintenance policy
- Security
- Password Storage
- Custom password length limits
- Restrict allowed SSH key technologies and minimum length
- Rate limits
- Webhooks and insecure internal web services
- Information exclusivity
- How to reset your root password
- How to unlock a locked user from the command line
- User File Uploads
- How we manage the TLS protocol CRIME vulnerability
- User email confirmation at sign-up
- Security of running jobs
- Proxying assets
- CI/CD Environment Variables
- Contributor and Development Docs
- Contribute to GitLab
- Community members & roles
- Implement design & UI elements
- Issues workflow
- Merge requests workflow
- Code Review Guidelines
- Style guides
- GitLab Architecture Overview
- CI/CD development documentation
- Database guides
- Database Review Guidelines
- Database Review Guidelines
- Migration Style Guide
- What requires downtime?
- Understanding EXPLAIN plans
- Rake tasks for developers
- Mass inserting Rails models
- GitLab Documentation guidelines
- Documentation Style Guide
- Documentation structure and template
- Documentation process
- Documentation site architecture
- Global navigation
- GitLab Docs monthly release process
- Telemetry Guide
- Usage Ping Guide
- Snowplow Guide
- Experiment Guide
- Feature flags in development of GitLab
- Feature flags process
- Developing with feature flags
- Feature flag controls
- Document features deployed behind feature flags
- Frontend Development Guidelines
- Accessibility & Readability
- Ajax
- Architecture
- Axios
- Design Patterns
- Frontend Development Process
- DropLab
- Emojis
- Filter
- Frontend FAQ
- GraphQL
- Icons and SVG Illustrations
- InputSetter
- Performance
- Principles
- Security
- Tooling
- Vuex
- Vue
- Geo (development)
- Geo self-service framework (alpha)
- Gitaly developers guide
- GitLab development style guides
- API style guide
- Go standards and style guidelines
- GraphQL API style guide
- Guidelines for shell commands in the GitLab codebase
- HTML style guide
- JavaScript style guide
- Migration Style Guide
- Newlines style guide
- Python Development Guidelines
- SCSS style guide
- Shell scripting standards and style guidelines
- Sidekiq debugging
- Sidekiq Style Guide
- SQL Query Guidelines
- Vue.js style guide
- Instrumenting Ruby code
- Testing standards and style guidelines
- Flaky tests
- Frontend testing standards and style guidelines
- GitLab tests in the Continuous Integration (CI) context
- Review Apps
- Smoke Tests
- Testing best practices
- Testing levels
- Testing Rails migrations at GitLab
- Testing Rake tasks
- End-to-end Testing
- Beginner's guide to writing end-to-end tests
- End-to-end testing Best Practices
- Dynamic Element Validation
- Flows in GitLab QA
- Page objects in GitLab QA
- Resource class in GitLab QA
- Style guide for writing end-to-end tests
- Testing with feature flags
- Translate GitLab to your language
- Internationalization for GitLab
- Translating GitLab
- Proofread Translations
- Merging translations from CrowdIn
- Value Stream Analytics development guide
- GitLab subscription
- Activate GitLab EE with a license