# Object Storage
> 原文:[https://docs.gitlab.com/ee/administration/object_storage.html](https://docs.gitlab.com/ee/administration/object_storage.html)
* [Options](#options)
* [Configuration guides](#configuration-guides)
* [Consolidated object storage configuration](#consolidated-object-storage-configuration)
* [Common parameters](#common-parameters)
* [Connection settings](#connection-settings)
* [S3-compatible connection settings](#s3-compatible-connection-settings)
* [Oracle Cloud S3 connection settings](#oracle-cloud-s3-connection-settings)
* [Google Cloud Storage (GCS)](#google-cloud-storage-gcs)
* [Google example (consolidated form)](#google-example-consolidated-form)
* [OpenStack-compatible connection settings](#openstack-compatible-connection-settings)
* [Rackspace Cloud Files](#rackspace-cloud-files)
* [Object-specific configuration](#object-specific-configuration)
* [Selectively disabling object storage](#selectively-disabling-object-storage)
* [Transition to consolidated form](#transition-to-consolidated-form)
* [Storage-specific configuration](#storage-specific-configuration)
* [Other alternatives to filesystem storage](#other-alternatives-to-filesystem-storage)
* [Warnings, limitations, and known issues](#warnings-limitations-and-known-issues)
* [Use separate buckets](#use-separate-buckets)
* [S3 API compatibility issues](#s3-api-compatibility-issues)
* [GitLab Pages requires NFS](#gitlab-pages-requires-nfs)
* [Incremental logging is required for CI to use object storage](#incremental-logging-is-required-for-ci-to-use-object-storage)
* [Proxy Download](#proxy-download)
* [ETag mismatch](#etag-mismatch)
* [Using Amazon instance profiles](#using-amazon-instance-profiles)
* [Encrypted S3 buckets](#encrypted-s3-buckets)
* [Disabling the feature](#disabling-the-feature)
* [IAM Permissions](#iam-permissions)
# Object Storage[](#object-storage "Permalink")
GitLab 支持使用對象存儲服務來保存多種類型的數據. 建議在 NFS 上使用它,并且通常在較大的設置中更好,因為對象存儲通常具有更高的性能,可靠性和可伸縮性.
## Options[](#options "Permalink")
GitLab 已在許多對象存儲提供程序上進行了測試:
* [Amazon S3](https://aws.amazon.com/s3/)
* [Google Cloud Storage](https://cloud.google.com/storage)
* [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
* [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
* [Openstack Swift](https://s0docs0openstack0org.icopy.site/swift/latest/s3_compat.html)
* 來自各種存儲供應商的本地硬件和設備.
* MinIO. 我們在 Helm Chart 文檔中提供[了有關部署此配置的指南](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) .
## Configuration guides[](#configuration-guides "Permalink")
在 GitLab 中有兩種指定對象存儲配置的方式:
* [合并形式](#consolidated-object-storage-configuration) :所有支持的對象類型都共享一個憑證.
* [Storage-specific form](#storage-specific-configuration): Every object defines its own object storage [connection and configuration](#connection-settings).
有關差異以及從一種形式過渡到另一種形式的更多信息,請參見[過渡到合并形式](#transition-to-consolidated-form) .
### Consolidated object storage configuration[](#consolidated-object-storage-configuration "Permalink")
在[GitLab 13.2 中](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4368)引入.
使用合并對象存儲配置具有許多優點:
* 由于連接詳細信息在對象類型之間共享,因此可以簡化您的 GitLab 配置.
* 它允許使用[加密的 S3 存儲桶](#encrypted-s3-buckets) .
* It [uploads files to S3 with proper `Content-MD5` headers](https://gitlab.com/gitlab-org/gitlab-workhorse/-/issues/222).
**注意:**由于必須使用[直接上載模式](../development/uploads.html#direct-upload) ,目前僅支持與 AWS S3 兼容的提供商和 Google. 此模式不支持后臺上傳. 我們建議直接上傳模式,因為它不需要共享文件夾,并且[此設置可能成為默認設置](https://gitlab.com/gitlab-org/gitlab/-/issues/27331) .**注意:**合并對象存儲配置不能用于備份或 Mattermost. 有關[完整列表,](#storage-specific-configuration)請參見[完整表](#storage-specific-configuration) .
通過為具有多個存儲桶的對象存儲指定單個憑證,可以將大多數類型的對象(例如 CI 工件,LFS 文件,上傳附件等)保存在對象存儲中. [每種類型必須使用不同的存儲桶](#use-separate-buckets) .
當合并形式為:
* 通過與 S3 兼容的對象存儲一起使用,Workhorse 使用其內部的 S3 客戶端上載文件.
* 不與 S3 兼容的對象存儲一起使用,Workhorse 退回到使用預簽名的 URL.
有關更多詳細信息,請參見" [ETag 不匹配錯誤](#etag-mismatch) "部分.
**在所有安裝中;**
1. 編輯`/etc/gitlab/gitlab.rb`并添加以下行,以替換所需的值:
```
# Consolidated object storage configuration
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['proxy_download'] = true
gitlab_rails['object_store']['connection'] = {
'provider' => 'AWS',
'region' => '<eu-central-1>',
'aws_access_key_id' => '<AWS_ACCESS_KEY_ID>',
'aws_secret_access_key' => '<AWS_SECRET_ACCESS_KEY>'
}
gitlab_rails['object_store']['objects']['artifacts']['bucket'] = '<artifacts>'
gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '<external-diffs>'
gitlab_rails['object_store']['objects']['lfs']['bucket'] = '<lfs-objects>'
gitlab_rails['object_store']['objects']['uploads']['bucket'] = '<uploads>'
gitlab_rails['object_store']['objects']['packages']['bucket'] = '<packages>'
gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = '<dependency-proxy>'
gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = '<terraform-state>'
```
對于 GitLab 9.4 或更高版本,如果您使用的是 AWS IAM 配置文件,請確保省略 AWS 訪問密鑰和秘密訪問密鑰/值對. 例如:
```
gitlab_rails['object_store_connection'] = {
'provider' => 'AWS',
'region' => '<eu-central-1>',
'use_iam_profile' => true
}
```
2. 保存文件并[重新配置 GitLab,](restart_gitlab.html#omnibus-gitlab-reconfigure)以使更改生效.
**在源安裝中:**
1. 編輯`/home/git/gitlab/config/gitlab.yml`并添加或修改以下行:
```
object_store:
enabled: true
proxy_download: true
connection:
provider: AWS
aws_access_key_id: <AWS_ACCESS_KEY_ID>
aws_secret_access_key: <AWS_SECRET_ACCESS_KEY>
region: <eu-central-1>
objects:
artifacts:
bucket: <artifacts>
external_diffs:
bucket: <external-diffs>
lfs:
bucket: <lfs-objects>
uploads:
bucket: <uploads>
packages:
bucket: <packages>
dependency_proxy:
bucket: <dependency_proxy>
terraform_state:
bucket: <terraform>
```
2. 編輯`/home/git/gitlab-workhorse/config.toml`并添加或修改以下行:
```
[object_storage]
enabled = true
provider = "AWS"
[object_storage.s3]
aws_access_key_id = "<AWS_ACCESS_KEY_ID>"
aws_secret_access_key = "<AWS_SECRET_ACCESS_KEY>"
```
3. 保存文件并[重新啟動 GitLab,](restart_gitlab.html#installations-from-source)以使更改生效.
#### Common parameters[](#common-parameters "Permalink")
在統一配置中, `object_store`部分定義了一組公共參數. 在這里,我們使用源安裝中的 YAML,因為它更容易看到繼承:
```
object_store:
enabled: true
proxy_download: true
connection:
provider: AWS
aws_access_key_id: <AWS_ACCESS_KEY_ID>
aws_secret_access_key: <AWS_SECRET_ACCESS_KEY>
objects:
...
```
Omnibus 配置直接映射到此:
```
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['proxy_download'] = true
gitlab_rails['object_store']['connection'] = {
'provider' => 'AWS',
'aws_access_key_id' => '<AWS_ACCESS_KEY_ID',
'aws_secret_access_key' => '<AWS_SECRET_ACCESS_KEY>'
}
```
| Setting | Description |
| --- | --- |
| `enabled` | 啟用/禁用對象存儲 |
| `proxy_download` | 設置為`true`以[啟用代理服務的所有文件](#proxy-download) . Option 可以減少出口流量,因為這允許客戶端直接從遠程存儲下載而不是代理所有數據 |
| `connection` | 下述各種連接選項 |
| `objects` | [Object-specific configuration](#object-specific-configuration) |
### Connection settings[](#connection-settings "Permalink")
合并配置表單和特定于存儲的配置表單都必須配置連接. 以下各節介紹可在`connection`設置中使用的參數.
#### S3-compatible connection settings[](#s3-compatible-connection-settings "Permalink")
連接設置與[fog-aws](https://github.com/fog/fog-aws)提供的設置匹配:
| Setting | Description | Default |
| --- | --- | --- |
| `provider` | 始終適用于兼容主機的`AWS` | `AWS` |
| `aws_access_key_id` | AWS 憑證或兼容 | ? |
| `aws_secret_access_key` | AWS 憑證或兼容 | ? |
| `aws_signature_version` | 要使用的 AWS 簽名版本. `2`或`4`是有效選項. 數字海洋空間和其他提供商可能需要`2` . | `4` |
| `enable_signature_v4_streaming` | 設置為`true`以啟用具有[AWS v4 簽名的](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html) HTTP 分塊傳輸. Oracle Cloud S3 需要將此設置為`false` . | `true` |
| `region` | AWS 區域 | us-east-1 |
| `host` | 不使用 AWS 時與 S3 兼容的主機,例如`localhost`或`storage.example.com` . 假定使用 HTTPS 和端口 443. | `s3.amazonaws.com` |
| `endpoint` | 在配置 S3 兼容服務(例如[MinIO)時](https://min.io) ,可以通過輸入 URL(例如`http://127.0.0.1:9000` . 這優先于`host` . | (optional) |
| `path_style` | 設置為`true`以使用`host/bucket_name/object`樣式路徑而不是`bucket_name.host/object` . 對于 AWS S3,保留為`false` . | `false` |
| `use_iam_profile` | Set to `true` to use IAM profile instead of access keys | `false` |
#### Oracle Cloud S3 connection settings[](#oracle-cloud-s3-connection-settings "Permalink")
請注意,Oracle Cloud S3 必須確保使用以下設置:
| Setting | Value |
| --- | --- |
| `enable_signature_v4_streaming` | `false` |
| `path_style` | `true` |
如果將`enable_signature_v4_streaming`設置為`true` ,那么您可能會在`production.log`看到以下錯誤:
```
STREAMING-AWS4-HMAC-SHA256-PAYLOAD is not supported
```
#### Google Cloud Storage (GCS)[](#google-cloud-storage-gcs "Permalink")
這是 GCS 的有效連接參數:
| Setting | Description | example |
| --- | --- | --- |
| `provider` | 提供者名稱 | `Google` |
| `google_project` | GCP 項目名稱 | `gcp-project-12345` |
| `google_client_email` | 服務帳戶的電子郵件地址 | `foo@gcp-project-12345.iam.gserviceaccount.com` |
| `google_json_key_location` | JSON 密鑰路徑 | `/path/to/gcp-project-12345-abcde.json` |
**注意:**服務帳戶必須具有訪問存儲桶的權限. [看更多](https://cloud.google.com/storage/docs/authentication)
##### Google example (consolidated form)[](#google-example-consolidated-form "Permalink")
對于 Omnibus 安裝,這是`connection`設置的示例:
```
gitlab_rails['object_store']['connection'] = {
'provider' => 'Google',
'google_project' => '<GOOGLE PROJECT>',
'google_client_email' => '<GOOGLE CLIENT EMAIL>',
'google_json_key_location' => '<FILENAME>'
}
```
#### OpenStack-compatible connection settings[](#openstack-compatible-connection-settings "Permalink")
**注意**這與統一對象存儲表單不兼容. 僅特定于存儲的表單支持 OpenStack Swift. 如果要使用合并表格,請參閱[S3 設置](#s3-compatible-connection-settings) .
盡管 OpenStack Swift 提供了 S3 兼容性,但某些用戶可能希望使用[Swift API](https://s0docs0openstack0org.icopy.site/swift/latest/api/object_api_v1_overview.html) . 這是以下由[swift-openstack](https://github.com/fog/fog-openstack)提供的 Swift API 的有效連接設置:
| Setting | Description | Default |
| --- | --- | --- |
| `provider` | 始終使用`OpenStack`兼容主機 | `OpenStack` |
| `openstack_username` | OpenStack 用戶名 | ? |
| `openstack_api_key` | OpenStack API key | ? |
| `openstack_temp_url_key` | 用于生成臨時 URL 的 OpenStack 密鑰 | ? |
| `openstack_auth_url` | OpenStack 身份驗證端點 | ? |
| `openstack_region` | OpenStack 區域 | ? |
| `openstack_tenant` | OpenStack 租戶 ID | ? |
#### Rackspace Cloud Files[](#rackspace-cloud-files "Permalink")
**注意**這與統一對象存儲表單不兼容. 僅特定于存儲的表單支持 Rackspace Cloud.
這是[fog-rackspace](https://github.com/fog/fog-rackspace/)提供的 Rackspace Cloud 的有效連接參數:
| Setting | Description | example |
| --- | --- | --- |
| `provider` | 提供者名稱 | `Rackspace` |
| `rackspace_username` | 可訪問容器的 Rackspace 帳戶的用戶名 | `joe.smith` |
| `rackspace_api_key` | 可訪問容器的 Rackspace 帳戶的 API 密鑰 | `ABC123DEF456ABC123DEF456ABC123DE` |
| `rackspace_region` | 要使用的 Rackspace 存儲區域,來自[服務訪問端點列表的](https://developer.rackspace.com/docs/cloud-files/v1/general-api-info/service-access/)三個字母代碼 | `iad` |
| `rackspace_temp_url_key` | 您在 Rackspace API 中為臨時 URL 設置的私鑰. [在這里](https://developer.rackspace.com/docs/cloud-files/v1/use-cases/public-access-to-your-cloud-files-account/#tempurl)閱讀更多 | `ABC123DEF456ABC123DEF456ABC123DE` |
**注意:**無論容器啟用還是禁用了公共訪問,Fog 都會使用 TempURL 方法來授予對 LFS 對象的訪問權限. 如果您在引用使用`temp-url-key`實例化存儲的日志中看到錯誤,請確保已在 Rackspace API 和`gitlab.rb`正確設置了密鑰. 您可以通過將帶有令牌標頭的 GET 請求發送到服務訪問端點 URL 并比較返回的標頭的輸出,來驗證 Rackspace 密鑰的設置值.
### Object-specific configuration[](#object-specific-configuration "Permalink")
以下 YAML 顯示了`object_store`部分如何定義特定于對象的配置塊,以及如何覆蓋`enabled`和`proxy_download`標志. `bucket`是每種類型中唯一需要的參數:
```
object_store:
connection:
...
objects:
artifacts:
bucket: artifacts
proxy_download: false
external_diffs:
bucket: external-diffs
lfs:
bucket: lfs-objects
uploads:
bucket: uploads
packages:
bucket: packages
dependency_proxy:
enabled: false
bucket: dependency_proxy
terraform_state:
bucket: terraform
```
這映射到此 Omnibus GitLab 配置:
```
gitlab_rails['object_store']['objects']['artifacts']['bucket'] = 'artifacts'
gitlab_rails['object_store']['objects']['artifacts']['proxy_download'] = false
gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = 'external-diffs'
gitlab_rails['object_store']['objects']['lfs']['bucket'] = 'lfs-objects'
gitlab_rails['object_store']['objects']['uploads']['bucket'] = 'uploads'
gitlab_rails['object_store']['objects']['packages']['bucket'] = 'packages'
gitlab_rails['object_store']['objects']['dependency_proxy']['enabled'] = false
gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = 'dependency-proxy'
gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = 'terraform-state'
```
這是可以使用的有效`objects`的列表:
| Type | Description |
| --- | --- |
| `artifacts` | [CI artifacts](job_artifacts.html) |
| `external_diffs` | [Merge request diffs](merge_request_diffs.html) |
| `uploads` | [User uploads](uploads.html) |
| `lfs` | [Git Large File Storage objects](lfs/index.html) |
| `packages` | [Project packages (e.g. PyPI, Maven, NuGet, etc.)](packages/index.html) |
| `dependency_proxy` | [GitLab Dependency Proxy](packages/dependency_proxy.html) |
| `terraform_state` | [Terraform state files](terraform_state.html) |
在每種對象類型中,可以定義三個參數:
| Setting | Required? | Description |
| --- | --- | --- |
| `bucket` | Yes | 對象存儲的存儲桶名稱. |
| `enabled` | No | 覆蓋通用參數 |
| `proxy_download` | No | 覆蓋通用參數 |
#### Selectively disabling object storage[](#selectively-disabling-object-storage "Permalink")
如上所示,可以通過將`enabled`標志設置為`false`來禁用特定類型的對象存儲. 例如,要禁用 CI 工件的對象存儲:
```
gitlab_rails['object_store']['objects']['artifacts']['enabled'] = false
```
如果功能完全禁用,則不需要存儲桶. 例如,如果使用此設置禁用了 CI 構件,則不需要存儲桶:
```
gitlab_rails['artifacts_enabled'] = false
```
### Transition to consolidated form[](#transition-to-consolidated-form "Permalink")
在 GitLab 13.2 之前:
* 所有類型的對象(例如 CI / CD 工件,LFS 文件,上載附件等)的對象存儲配置都必須獨立配置.
* 對于每種類型,必須復制對象存儲連接參數,例如密碼和端點 URL.
例如,Omnibus GitLab 安裝可能具有以下配置:
```
# Original object storage configuration
gitlab_rails['artifacts_object_store_enabled'] = true
gitlab_rails['artifacts_object_store_direct_upload'] = true
gitlab_rails['artifacts_object_store_proxy_download'] = true
gitlab_rails['artifacts_object_store_remote_directory'] = 'artifacts'
gitlab_rails['artifacts_object_store_connection'] = { 'provider' => 'AWS', 'aws_access_key_id' => 'access_key', 'aws_secret_access_key' => 'secret' }
gitlab_rails['uploads_object_store_enabled'] = true
gitlab_rails['uploads_object_store_direct_upload'] = true
gitlab_rails['uploads_object_store_proxy_download'] = true
gitlab_rails['uploads_object_store_remote_directory'] = 'uploads'
gitlab_rails['uploads_object_store_connection'] = { 'provider' => 'AWS', 'aws_access_key_id' => 'access_key', 'aws_secret_access_key' => 'secret' }
```
盡管這樣做提供了靈活性,但它使得 GitLab 可以跨不同的云提供商存儲對象,但同時也帶來了額外的復雜性和不必要的冗余. 由于 GitLab Rails 和 Workhorse 組件都需要訪問對象存儲,因此合并后的表單避免了過多的憑據重復.
**注意** **僅**當省略原始表單中的所有行時, **才**使用合并對象存儲配置. 要移至合并的表單,請除去原始配置(例如, `artifacts_object_store_enabled` , `uploads_object_store_connection`等).
## Storage-specific configuration[](#storage-specific-configuration "Permalink")
有關在 GitLab 13.1 和更早版本中配置對象存儲的信息,或對于統一配置表單不支持的存儲類型的信息,請參閱以下指南:
| 對象存儲類型 | 支持統一配置嗎? |
| --- | --- |
| [Backups](../raketasks/backup_restore.html#uploading-backups-to-a-remote-cloud-storage) | No |
| [Job artifacts](job_artifacts.html#using-object-storage) and [incremental logging](job_logs.html#new-incremental-logging-architecture) | Yes |
| [LFS objects](lfs/index.html#storing-lfs-objects-in-remote-object-storage) | Yes |
| [Uploads](uploads.html#using-object-storage-core-only) | Yes |
| [容器注冊表](packages/container_registry.html#container-registry-storage-driver) (可選功能) | No |
| [Merge request diffs](merge_request_diffs.html#using-object-storage) | Yes |
| [Mattermost](https://docs.mattermost.com/administration/config-settings.html#file-storage) | No |
| [軟件包](packages/index.html#using-object-storage) (可選功能) | Yes |
| [依賴代理](packages/dependency_proxy.html#using-object-storage) (可選功能) | Yes |
| [假名生成器](pseudonymizer.html#configuration) (可選功能) | No |
| [Autoscale Runner 緩存](https://docs.gitlab.com/runner/configuration/autoscale.html) (可選以提高性能) | No |
| [Terraform state files](terraform_state.html#using-object-storage-core-only) | Yes |
### Other alternatives to filesystem storage[](#other-alternatives-to-filesystem-storage "Permalink")
如果您正在努力[擴展](reference_architectures/index.html) GitLab 實施,或增加容錯能力和冗余性,則可能正在考慮消除對塊或網絡文件系統的依賴. 請參閱以下指南,并[注意 Pages 需要磁盤存儲](#gitlab-pages-requires-nfs) :
1. 確保[`git`用戶主目錄](https://docs.gitlab.com/omnibus/settings/configuration.html)位于本地磁盤上.
2. 配置[SSH 密鑰的數據庫查找,](operations/fast_ssh_key_lookup.html)以消除對共享的`authorized_keys`文件的需要.
## Warnings, limitations, and known issues[](#warnings-limitations-and-known-issues "Permalink")
### Use separate buckets[](#use-separate-buckets "Permalink")
對于 GitLab,建議為每種數據類型使用單獨的存儲桶.
我們的配置的局限性是對象存儲的每次使用都是單獨配置的. [我們有一個需要改進的問題](https://gitlab.com/gitlab-org/gitlab/-/issues/23345) ,輕松地將一個存儲桶與單獨的文件夾一起使用可能會帶來一個改進.
使用同一個存儲桶至少有一個特定的問題:當使用 Helm 圖表部署 GitLab 時,除非使用單獨的存儲桶,否則從備份還原[將無法正常工作](https://docs.gitlab.com/charts/advanced/external-object-storage/) .
使用單個存儲桶的風險之一是,如果您的組織將來決定將 GitLab 遷移到 Helm 部署. GitLab 可以運行,但是直到組織對備份起作用的關鍵要求之前,備份的情況可能無法實現.
### S3 API compatibility issues[](#s3-api-compatibility-issues "Permalink")
并非所有 S3 提供程序[都](../raketasks/backup_restore.html#other-s3-providers)與 GitLab 使用的 Fog 庫[完全兼容](../raketasks/backup_restore.html#other-s3-providers) . 癥狀包括`production.log`的錯誤:
```
411 Length Required
```
### GitLab Pages requires NFS[](#gitlab-pages-requires-nfs "Permalink")
如果您要添加更多的 GitLab 服務器以進行[縮放或容錯,](reference_architectures/index.html)并且您的要求之一是[GitLab 頁面,](../user/project/pages/index.html)則當前需要 NFS. 有[工作正在進行中](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/196)去除這種依賴性. 將來,GitLab 頁面可能會使用[對象存儲](https://gitlab.com/gitlab-org/gitlab/-/issues/208135) .
對磁盤存儲的依賴性還阻止了使用[GitLab Helm 圖表](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/37)部署 Pages.
### Incremental logging is required for CI to use object storage[](#incremental-logging-is-required-for-ci-to-use-object-storage "Permalink")
如果將 GitLab 配置為將對象存儲用于 CI 日志和工件,則[還必須啟用增量日志記錄](job_artifacts.html#using-object-storage) .
### Proxy Download[](#proxy-download "Permalink")
對象存儲的許多使用情況都允許將客戶端流量重定向到對象存儲后端,例如當 Git 客戶端通過 LFS 請求大文件時或在下載 CI 工件和日志時.
When the files are stored on local block storage or NFS, GitLab has to act as a proxy. This is not the default behavior with object storage.
`proxy_download`設置控制此行為:默認設置通常為`false` . 在每個用例的文檔中對此進行驗證. 將其設置為`true`以便 GitLab 代理文件.
當不代理文件時,GitLab 將返回[HTTP 302 重定向,該重定向帶有預先簽名的有時間限制的對象存儲 URL](https://gitlab.com/gitlab-org/gitlab/-/issues/32117#note_218532298) . 這可能會導致以下一些問題:
* 如果 GitLab 使用非安全的 HTTP 訪問對象存儲,則客戶端可能會生成`https->http`降級錯誤,并拒絕處理重定向. 解決方案是讓 GitLab 使用 HTTPS. 例如,LFS 將產生此錯誤:
```
LFS: lfsapi/client: refusing insecure redirect, https->http
```
* 客戶端將需要信任頒發對象存儲證書的證書頒發機構,或者可能返回常見的 TLS 錯誤,例如:
```
x509: certificate signed by unknown authority
```
* 客戶端將需要網絡訪問對象存儲. 如果沒有此訪問權限,則可能導致的錯誤包括:
```
Received status code 403 from server: Forbidden
```
[軟件包存儲庫文檔中](packages/index.html#using-object-storage)特別注明了獲取" `403 Forbidden`響應",這是某些構建工具的工作方式的副作用.
### ETag mismatch[](#etag-mismatch "Permalink")
使用默認的 GitLab 設置,某些對象存儲后端(例如[MinIO](https://gitlab.com/gitlab-org/gitlab/-/issues/23188)和[Alibaba)](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1564)可能會生成`ETag mismatch`錯誤.
如果您在 Amazon Web Services S3 中看到此 ETag 不匹配錯誤,則可能是由于[存儲桶上的加密設置](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html)所致. 要解決此問題,您有兩種選擇:
* [Use the consolidated object configuration](#consolidated-object-storage-configuration).
* [Use Amazon instance profiles](#using-amazon-instance-profiles).
對于 MinIO,建議使用第一個選項. 否則, [MinIO](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1564#note_244497658)的[解決方法](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1564#note_244497658)是在服務器上使用`--compat`參數.
在未啟用統一對象存儲配置或實例配置文件的情況下,GitLab Workhorse 將使用沒有為它們計算出`Content-MD5` HTTP 標頭的預簽名 URL 將文件上傳到 S3\. 為了確保數據沒有損壞,Workhorse 檢查發送的數據的 MD5 哈希值是否等于從 S3 服務器返回的 ETag 標頭. 啟用加密后,情況并非如此,這將導致 Workhorse 在上傳期間報告`ETag mismatch`錯誤.
通過整合的對象配置和實例配置文件,Workhorse 具有 S3 憑據,因此可以計算`Content-MD5`標頭. 這樣就無需比較從 S3 服務器返回的 ETag 標頭.
### Using Amazon instance profiles[](#using-amazon-instance-profiles "Permalink")
可以將 GitLab 配置為使用 IAM 角色來設置[Amazon 實例配置文件](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) ,而不是在對象存儲配置中提供 AWS 訪問和秘密密鑰. 使用此功能時,每次訪問 S3 存儲桶時,GitLab 都會獲取臨時憑證,因此配置中不需要硬編碼的值.
#### Encrypted S3 buckets[](#encrypted-s3-buckets "Permalink")
版本歷史
* 在[GitLab 13.1](https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/466)中僅針對實例配置文件引入.
* 使用[整合對象存儲配置](#consolidated-object-storage-configuration)時,在[GitLab 13.2 中](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34460)引入了用于靜態證書的功能.
使用實例概要文件或統一對象配置進行配置時,GitLab Workhorse 可以將文件正確上載到[默認情況下啟用 SSE-S3 或 SSE-KMS 加密的](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html) S3 存儲桶. 請注意, [尚不支持](https://gitlab.com/gitlab-org/gitlab/-/issues/226006)客戶主密鑰(CMK)和 SSE-C 加密, [因為這需要向 GitLab 配置提供密鑰](https://gitlab.com/gitlab-org/gitlab/-/issues/226006) .
##### Disabling the feature[](#disabling-the-feature "Permalink")
當[`use_iam_profile`配置選項](#iam-permissions)設置為`true`時,默認情況下啟用 Workhorse S3 客戶端.
可以使用`:use_workhorse_s3_client`功能標記禁用該功能. 要禁用該功能,請要求具有[Rails 控制臺訪問權限](feature_flags.html#how-to-enable-and-disable-features-behind-flags)的 GitLab 管理員運行以下命令:
```
Feature.disable(:use_workhorse_s3_client)
```
#### IAM Permissions[](#iam-permissions "Permalink")
設置實例配置文件:
1. 創建具有必要權限的 Amazon Identity Access and Management(IAM)角色. 以下示例是名為`test-bucket`的 S3 存儲桶的角色:
```
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::test-bucket/*" } ] }
```
2. [將此角色附加](https://aws.amazon.com/premiumsupport/knowledge-center/attach-replace-ec2-instance-profile/)到托管您的 GitLab 實例的 EC2 實例.
3. 通過`use_iam_profile`配置選項配置 GitLab 以使用它.
- GitLab Docs
- Installation
- Requirements
- GitLab cloud native Helm Chart
- Install GitLab with Docker
- Installation from source
- Install GitLab on Microsoft Azure
- Installing GitLab on Google Cloud Platform
- Installing GitLab on Amazon Web Services (AWS)
- Analytics
- Code Review Analytics
- Productivity Analytics
- Value Stream Analytics
- Kubernetes clusters
- Adding and removing Kubernetes clusters
- Adding EKS clusters
- Adding GKE clusters
- Group-level Kubernetes clusters
- Instance-level Kubernetes clusters
- Canary Deployments
- Cluster Environments
- Deploy Boards
- GitLab Managed Apps
- Crossplane configuration
- Cluster management project (alpha)
- Kubernetes Logs
- Runbooks
- Serverless
- Deploying AWS Lambda function using GitLab CI/CD
- Securing your deployed applications
- Groups
- Contribution Analytics
- Custom group-level project templates
- Epics
- Manage epics
- Group Import/Export
- Insights
- Issues Analytics
- Iterations
- Public access
- SAML SSO for GitLab.com groups
- SCIM provisioning using SAML SSO for GitLab.com groups
- Subgroups
- Roadmap
- Projects
- GitLab Secure
- Security Configuration
- Container Scanning
- Dependency Scanning
- Dependency List
- Static Application Security Testing (SAST)
- Secret Detection
- Dynamic Application Security Testing (DAST)
- GitLab Security Dashboard
- Offline environments
- Standalone Vulnerability pages
- Security scanner integration
- Badges
- Bulk editing issues and merge requests at the project level
- Code Owners
- Compliance
- License Compliance
- Compliance Dashboard
- Create a project
- Description templates
- Deploy Keys
- Deploy Tokens
- File finder
- Project integrations
- Integrations
- Atlassian Bamboo CI Service
- Bugzilla Service
- Custom Issue Tracker service
- Discord Notifications service
- Enabling emails on push
- GitHub project integration
- Hangouts Chat service
- Atlassian HipChat
- Irker IRC Gateway
- GitLab Jira integration
- Mattermost Notifications Service
- Mattermost slash commands
- Microsoft Teams service
- Mock CI Service
- Prometheus integration
- Redmine Service
- Slack Notifications Service
- Slack slash commands
- GitLab Slack application
- Webhooks
- YouTrack Service
- Insights
- Issues
- Crosslinking Issues
- Design Management
- Confidential issues
- Due dates
- Issue Boards
- Issue Data and Actions
- Labels
- Managing issues
- Milestones
- Multiple Assignees for Issues
- Related issues
- Service Desk
- Sorting and ordering issue lists
- Issue weight
- Associate a Zoom meeting with an issue
- Merge requests
- Allow collaboration on merge requests across forks
- Merge Request Approvals
- Browser Performance Testing
- How to create a merge request
- Cherry-pick changes
- Code Quality
- Load Performance Testing
- Merge Request dependencies
- Fast-forward merge requests
- Merge when pipeline succeeds
- Merge request conflict resolution
- Reverting changes
- Reviewing and managing merge requests
- Squash and merge
- Merge requests versions
- Draft merge requests
- Members of a project
- Migrating projects to a GitLab instance
- Import your project from Bitbucket Cloud to GitLab
- Import your project from Bitbucket Server to GitLab
- Migrating from ClearCase
- Migrating from CVS
- Import your project from FogBugz to GitLab
- Gemnasium
- Import your project from GitHub to GitLab
- Project importing from GitLab.com to your private GitLab instance
- Import your project from Gitea to GitLab
- Import your Jira project issues to GitLab
- Migrating from Perforce Helix
- Import Phabricator tasks into a GitLab project
- Import multiple repositories by uploading a manifest file
- Import project from repo by URL
- Migrating from SVN to GitLab
- Migrating from TFVC to Git
- Push Options
- Releases
- Repository
- Branches
- Git Attributes
- File Locking
- Git file blame
- Git file history
- Repository mirroring
- Protected branches
- Protected tags
- Push Rules
- Reduce repository size
- Signing commits with GPG
- Syntax Highlighting
- GitLab Web Editor
- Web IDE
- Requirements Management
- Project settings
- Project import/export
- Project access tokens (Alpha)
- Share Projects with other Groups
- Snippets
- Static Site Editor
- Wiki
- Project operations
- Monitor metrics for your CI/CD environment
- Set up alerts for Prometheus metrics
- Embedding metric charts within GitLab-flavored Markdown
- Embedding Grafana charts
- Using the Metrics Dashboard
- Dashboard YAML properties
- Metrics dashboard settings
- Panel types for dashboards
- Using Variables
- Templating variables for metrics dashboards
- Prometheus Metrics library
- Monitoring AWS Resources
- Monitoring HAProxy
- Monitoring Kubernetes
- Monitoring NGINX
- Monitoring NGINX Ingress Controller
- Monitoring NGINX Ingress Controller with VTS metrics
- Alert Management
- Error Tracking
- Tracing
- Incident Management
- GitLab Status Page
- Feature Flags
- GitLab CI/CD
- GitLab CI/CD pipeline configuration reference
- GitLab CI/CD include examples
- Introduction to CI/CD with GitLab
- Getting started with GitLab CI/CD
- How to enable or disable GitLab CI/CD
- Using SSH keys with GitLab CI/CD
- Migrating from CircleCI
- Migrating from Jenkins
- Auto DevOps
- Getting started with Auto DevOps
- Requirements for Auto DevOps
- Customizing Auto DevOps
- Stages of Auto DevOps
- Upgrading PostgreSQL for Auto DevOps
- Cache dependencies in GitLab CI/CD
- GitLab ChatOps
- Cloud deployment
- Docker integration
- Building Docker images with GitLab CI/CD
- Using Docker images
- Building images with kaniko and GitLab CI/CD
- GitLab CI/CD environment variables
- Predefined environment variables reference
- Where variables can be used
- Deprecated GitLab CI/CD variables
- Environments and deployments
- Protected Environments
- GitLab CI/CD Examples
- Test a Clojure application with GitLab CI/CD
- Using Dpl as deployment tool
- Testing a Phoenix application with GitLab CI/CD
- End-to-end testing with GitLab CI/CD and WebdriverIO
- DevOps and Game Dev with GitLab CI/CD
- Deploy a Spring Boot application to Cloud Foundry with GitLab CI/CD
- How to deploy Maven projects to Artifactory with GitLab CI/CD
- Testing PHP projects
- Running Composer and NPM scripts with deployment via SCP in GitLab CI/CD
- Test and deploy Laravel applications with GitLab CI/CD and Envoy
- Test and deploy a Python application with GitLab CI/CD
- Test and deploy a Ruby application with GitLab CI/CD
- Test and deploy a Scala application to Heroku
- GitLab CI/CD for external repositories
- Using GitLab CI/CD with a Bitbucket Cloud repository
- Using GitLab CI/CD with a GitHub repository
- GitLab Pages
- GitLab Pages
- GitLab Pages domain names, URLs, and baseurls
- Create a GitLab Pages website from scratch
- Custom domains and SSL/TLS Certificates
- GitLab Pages integration with Let's Encrypt
- GitLab Pages Access Control
- Exploring GitLab Pages
- Incremental Rollouts with GitLab CI/CD
- Interactive Web Terminals
- Optimizing GitLab for large repositories
- Metrics Reports
- CI/CD pipelines
- Pipeline Architecture
- Directed Acyclic Graph
- Multi-project pipelines
- Parent-child pipelines
- Pipelines for Merge Requests
- Pipelines for Merged Results
- Merge Trains
- Job artifacts
- Pipeline schedules
- Pipeline settings
- Triggering pipelines through the API
- Review Apps
- Configuring GitLab Runners
- GitLab CI services examples
- Using MySQL
- Using PostgreSQL
- Using Redis
- Troubleshooting CI/CD
- GitLab Package Registry
- GitLab Container Registry
- Dependency Proxy
- GitLab Composer Repository
- GitLab Conan Repository
- GitLab Maven Repository
- GitLab NPM Registry
- GitLab NuGet Repository
- GitLab PyPi Repository
- API Docs
- API resources
- .gitignore API
- GitLab CI YMLs API
- Group and project access requests API
- Appearance API
- Applications API
- Audit Events API
- Avatar API
- Award Emoji API
- Project badges API
- Group badges API
- Branches API
- Broadcast Messages API
- Project clusters API
- Group clusters API
- Instance clusters API
- Commits API
- Container Registry API
- Custom Attributes API
- Dashboard annotations API
- Dependencies API
- Deploy Keys API
- Deployments API
- Discussions API
- Dockerfiles API
- Environments API
- Epics API
- Events
- Feature Flags API
- Feature flag user lists API
- Freeze Periods API
- Geo Nodes API
- Group Activity Analytics API
- Groups API
- Import API
- Issue Boards API
- Group Issue Boards API
- Issues API
- Epic Issues API
- Issues Statistics API
- Jobs API
- Keys API
- Labels API
- Group Labels API
- License
- Licenses API
- Issue links API
- Epic Links API
- Managed Licenses API
- Markdown API
- Group and project members API
- Merge request approvals API
- Merge requests API
- Project milestones API
- Group milestones API
- Namespaces API
- Notes API
- Notification settings API
- Packages API
- Pages domains API
- Pipeline schedules API
- Pipeline triggers API
- Pipelines API
- Project Aliases API
- Project import/export API
- Project repository storage moves API
- Project statistics API
- Project templates API
- Projects API
- Protected branches API
- Protected tags API
- Releases API
- Release links API
- Repositories API
- Repository files API
- Repository submodules API
- Resource label events API
- Resource milestone events API
- Resource weight events API
- Runners API
- SCIM API
- Search API
- Services API
- Application settings API
- Sidekiq Metrics API
- Snippets API
- Project snippets
- Application statistics API
- Suggest Changes API
- System hooks API
- Tags API
- Todos API
- Users API
- Project-level Variables API
- Group-level Variables API
- Version API
- Vulnerabilities API
- Vulnerability Findings API
- Wikis API
- GraphQL API
- Getting started with GitLab GraphQL API
- GraphQL API Resources
- API V3 to API V4
- Validate the .gitlab-ci.yml (API)
- User Docs
- Abuse reports
- User account
- Active sessions
- Deleting a User account
- Permissions
- Personal access tokens
- Profile preferences
- Threads
- GitLab and SSH keys
- GitLab integrations
- Git
- GitLab.com settings
- Infrastructure as code with Terraform and GitLab
- GitLab keyboard shortcuts
- GitLab Markdown
- AsciiDoc
- GitLab Notification Emails
- GitLab Quick Actions
- Autocomplete characters
- Reserved project and group names
- Search through GitLab
- Advanced Global Search
- Advanced Syntax Search
- Time Tracking
- GitLab To-Do List
- Administrator Docs
- Reference architectures
- Reference architecture: up to 1,000 users
- Reference architecture: up to 2,000 users
- Reference architecture: up to 3,000 users
- Reference architecture: up to 5,000 users
- Reference architecture: up to 10,000 users
- Reference architecture: up to 25,000 users
- Reference architecture: up to 50,000 users
- Troubleshooting a reference architecture set up
- Working with the bundled Consul service
- Configuring PostgreSQL for scaling
- Configuring GitLab application (Rails)
- Load Balancer for multi-node GitLab
- Configuring a Monitoring node for Scaling and High Availability
- NFS
- Working with the bundled PgBouncer service
- Configuring Redis for scaling
- Configuring Sidekiq
- Admin Area settings
- Continuous Integration and Deployment Admin settings
- Custom instance-level project templates
- Diff limits administration
- Enable and disable GitLab features deployed behind feature flags
- Geo nodes Admin Area
- GitLab Pages administration
- Health Check
- Job logs
- Labels administration
- Log system
- PlantUML & GitLab
- Repository checks
- Repository storage paths
- Repository storage types
- Account and limit settings
- Service templates
- System hooks
- Changing your time zone
- Uploads administration
- Abuse reports
- Activating and deactivating users
- Audit Events
- Blocking and unblocking users
- Broadcast Messages
- Elasticsearch integration
- Gitaly
- Gitaly Cluster
- Gitaly reference
- Monitoring GitLab
- Monitoring GitLab with Prometheus
- Performance Bar
- Usage statistics
- Object Storage
- Performing Operations in GitLab
- Cleaning up stale Redis sessions
- Fast lookup of authorized SSH keys in the database
- Filesystem Performance Benchmarking
- Moving repositories managed by GitLab
- Run multiple Sidekiq processes
- Sidekiq MemoryKiller
- Switching to Puma
- Understanding Unicorn and unicorn-worker-killer
- User lookup via OpenSSH's AuthorizedPrincipalsCommand
- GitLab Package Registry administration
- GitLab Container Registry administration
- Replication (Geo)
- Geo database replication
- Geo with external PostgreSQL instances
- Geo configuration
- Using a Geo Server
- Updating the Geo nodes
- Geo with Object storage
- Docker Registry for a secondary node
- Geo for multiple nodes
- Geo security review (Q&A)
- Location-aware Git remote URL with AWS Route53
- Tuning Geo
- Removing secondary Geo nodes
- Geo data types support
- Geo Frequently Asked Questions
- Geo Troubleshooting
- Geo validation tests
- Disaster Recovery (Geo)
- Disaster recovery for planned failover
- Bring a demoted primary node back online
- Automatic background verification
- Rake tasks
- Back up and restore GitLab
- Clean up
- Namespaces
- Maintenance Rake tasks
- Geo Rake Tasks
- GitHub import
- Import bare repositories
- Integrity check Rake task
- LDAP Rake tasks
- Listing repository directories
- Praefect Rake tasks
- Project import/export administration
- Repository storage Rake tasks
- Generate sample Prometheus data
- Uploads migrate Rake tasks
- Uploads sanitize Rake tasks
- User management
- Webhooks administration
- X.509 signatures
- Server hooks
- Static objects external storage
- Updating GitLab
- GitLab release and maintenance policy
- Security
- Password Storage
- Custom password length limits
- Restrict allowed SSH key technologies and minimum length
- Rate limits
- Webhooks and insecure internal web services
- Information exclusivity
- How to reset your root password
- How to unlock a locked user from the command line
- User File Uploads
- How we manage the TLS protocol CRIME vulnerability
- User email confirmation at sign-up
- Security of running jobs
- Proxying assets
- CI/CD Environment Variables
- Contributor and Development Docs
- Contribute to GitLab
- Community members & roles
- Implement design & UI elements
- Issues workflow
- Merge requests workflow
- Code Review Guidelines
- Style guides
- GitLab Architecture Overview
- CI/CD development documentation
- Database guides
- Database Review Guidelines
- Database Review Guidelines
- Migration Style Guide
- What requires downtime?
- Understanding EXPLAIN plans
- Rake tasks for developers
- Mass inserting Rails models
- GitLab Documentation guidelines
- Documentation Style Guide
- Documentation structure and template
- Documentation process
- Documentation site architecture
- Global navigation
- GitLab Docs monthly release process
- Telemetry Guide
- Usage Ping Guide
- Snowplow Guide
- Experiment Guide
- Feature flags in development of GitLab
- Feature flags process
- Developing with feature flags
- Feature flag controls
- Document features deployed behind feature flags
- Frontend Development Guidelines
- Accessibility & Readability
- Ajax
- Architecture
- Axios
- Design Patterns
- Frontend Development Process
- DropLab
- Emojis
- Filter
- Frontend FAQ
- GraphQL
- Icons and SVG Illustrations
- InputSetter
- Performance
- Principles
- Security
- Tooling
- Vuex
- Vue
- Geo (development)
- Geo self-service framework (alpha)
- Gitaly developers guide
- GitLab development style guides
- API style guide
- Go standards and style guidelines
- GraphQL API style guide
- Guidelines for shell commands in the GitLab codebase
- HTML style guide
- JavaScript style guide
- Migration Style Guide
- Newlines style guide
- Python Development Guidelines
- SCSS style guide
- Shell scripting standards and style guidelines
- Sidekiq debugging
- Sidekiq Style Guide
- SQL Query Guidelines
- Vue.js style guide
- Instrumenting Ruby code
- Testing standards and style guidelines
- Flaky tests
- Frontend testing standards and style guidelines
- GitLab tests in the Continuous Integration (CI) context
- Review Apps
- Smoke Tests
- Testing best practices
- Testing levels
- Testing Rails migrations at GitLab
- Testing Rake tasks
- End-to-end Testing
- Beginner's guide to writing end-to-end tests
- End-to-end testing Best Practices
- Dynamic Element Validation
- Flows in GitLab QA
- Page objects in GitLab QA
- Resource class in GitLab QA
- Style guide for writing end-to-end tests
- Testing with feature flags
- Translate GitLab to your language
- Internationalization for GitLab
- Translating GitLab
- Proofread Translations
- Merging translations from CrowdIn
- Value Stream Analytics development guide
- GitLab subscription
- Activate GitLab EE with a license