GitLab 7.11: 2FA, publicly viewable Enterprise Edition

May 22nd, 2015

It’s the 22nd of the month, so we have a new GitLab release ready!
GitLab 7.11 brings more improvements to the look and feel of GitLab,
two-factor authentication, a version check and more!

Of course we’re also releasing GitLab CI 7.11, with a new backup and restore
utility, improvements in the UI and other new features.

This month’s MVP is James Newton (newton on IRC)!
James is very active on our #gitlab IRC channel, often helping people out
with issues or helping people getting started with GitLab. We’re very
happy to have James supporting the community and believe that is deserving
of a MVP award!
Thanks James!

Enterprise Edition broken

Important Notice

There is a bug with the license management part of GitLab Enterprise Edition 7.11.1. It will fail when uploading a
license file. We are currently working on a fix and will release 7.11.2-ee as soon as possible.

Better looking sidebar

We changed the look of the sidebar to reflect its function better and make it look
more pretty:

The new sidebar in GitLab 7.11

Clean project dashboard

The project dashboard was a good example of design by committee, one GitLab
contributor noted. We broomed through it and cleaned it up:

Project Dashboard in GitLab 7.11

Two-factor authentication

Keep your code more secure and start using two-factor authentication (2FA)!
GitLab has built-in 2FA in both CE and EE now and makes use of the convenient
Google Authenticator.

All you have to do is go to your Profile > Account and scan the QR code using
Google’s app.

two-factor authentication

From now on, on login you’ll be required to provide the code the app gives you
for GitLab. Two-factor authentication only works with the web-UI for now.

User roles in comments

Now you know who’s who in your favorite project. On comments you will see
the role of the person in that project:

not an actual conversation

Task lists everywhere

Want a task list in the comments? Now you can!

Task list in comments

Version Check

GitLab releases a new version every single month on the 22nd, so we understand
that people are not always up to date. We wanted to give you some help with
this, so from now on you can quickly see which version of GitLab you have running
by visiting the Help or Admin page. It will show if you are up to date and
if there is a security release you should have installed.

Read more about the version check in our blog post about it.

You can turn off the version check under Admin > Settings.

License keys for Enterprise Edition

GitLab Enterprise Edition used to live in a private repository, which was fine up
until now. However, with the addition of our package server, we want
to make it easier to start using GitLab Enterprise Edition.

Rather than locking up the package repository of GitLab EE, we decided to
open up all the code and packages and start using license keys. The code
is still proprietary, but now is publicly viewable.

This has several advantages. The installation of GitLab EE becomes as easy as
installing GitLab CE. You no longer needs access to specific repositories,
rather you can download it using the same methods as CE (including AWS/Azure templates, Docker images, etc).

In addition, the code for Enterprise Edition is now becoming open to inspect
for everyone. This will make it easier to send enhancements and makes it easier
to do a trial of Enterprise Edition.

Getting organizations to purchase a subscription after their trial expires or
at renewal time sometimes took a substantial effort from us.
We don’t want to raise prices for customers that renew without prompting because
we need to invest more time in unresponsive customers.
Therefore we decided to introduce license keys that prompt customers automatically.
We regret the inconvenience that license keys introduce
but we think it is the best solution to keep prices low.

True-up model for subscriptions

The worst thing about license keys is that they can be very inflexible.
Most GitLab installations quickly grow in popularity within the organization.
Having to purchase a new license key every time this happens is very inefficient.
Also, we noticed that the majority of our customers didn’t have a compliant subscription, for us this indicates that having to renew the subscription multiple times a year is very inconvenient.

Therefore we will switch to a true-up model that allows you to grow now and pay later.
When you get a new license you should get it for your current number of active users.
For users that are added during the year you pay half price when you renew.

So if you have 100 active users today you get a 100 user subscription.
Suppose that when you renew a year from now you have 300 active users.
You pay for a 300 user subscription and pay half a year for the 200 users that you added during the year.

Getting the license key

If you are currently a GitLab customer, you should have received your license
key already at the email you registered with your payment. You can also email
sales at gitlab dot com to request it at any time.

New subscribers will receive their license key automatically.

Installing the license key

To install the license, vist /admin/license in your GitLab instance as an
admin. Here you can upload your .gitlab-license file, which will instantly
unlock GitLab Enterprise Edition.

Installing your license

You can also download and review your current license here.

Please note that we will release GitLab 7.10.5 soon, that will allow you to
upload the license key to your GitLab instance before upgrading, to avoid
unnecessary downtime.

Two-Factor Authentication for LDAP / Active Directory (EE-only)

Want to use two-factor authentication together with your LDAP or Active Directory
integration? With GitLab Enterprise Edition you can.

New GitLab CI Features

With the release of GitLab 7.11, we also updated GitLab CI to 7.11.
Some changes worth mentioning are an improved runners page,
public accessible build and commit pages for public projects
, a new backup/restore utility that will backup your CI database and
HipChat notifications!

Other awesome changes in GitLab CE

We can never cover all the new stuff in each GitLab release, but these
are worth to have a quick look at as well:

Quick quote-reply You can now reply with a quotation by simply selecting text in an issue
or merge request and pressing r. It will set the focus to the editing window
and have the quoted text already in it!

Atom feeds for all! There is now an atom feed for each project!

Settings in admin UI We moved default project and snippet visibility settings
to the admin web interface.

Improved UI for mobile GitLab is now better viewable on mobile!

WIP your MRs! If you add WIP or [WIP] (work in progress) to the start of the title of a merge request,
it will be protected from merging now.

WIP blocking the merge request of this blog post!

This release has more improvements, including security fixes, please check out the Changelog to see the all named changes.

Upgrade barometer

Coming from 7.10, the migrations in 7.11 are pretty fast (under 1 minute), but one of them is tricky:
we rename any existing users with names ending in a period (‘.’).
This migration updates both the database and the filesystem and previous versions
of this migration have proven to be fragile.

If you have no user namespaces with paths ending in ‘.’ in your database and if you trust your users not to
create any until after you upgrade to GitLab 7.11 you can perform this upgrade online.
If not, we recommend to take downtime (this is what we did for
You can find the current number of affected database records with the following command:

 sudo gitlab-rails runner "puts Namespace.where(type: nil).where(%q{path LIKE '%.'}).count"


If you are setting up a new GitLab installation please see the installing GitLab page.


Check out our update page.

Please note that cookbook-omnibus-gitlab, our Chef cookbook that installs/manages GitLab omnibus packages,
does not yet support See this issue.

Enterprise Edition

The mentioned EE-only features and things like LDAP group support can be found in GitLab Enterprise Edition.
For a complete overview please have a look at the feature list of GitLab EE.

Access to GitLab Enterprise Edition is included with a subscription.
No time to upgrade GitLab yourself?
A subscription also entitles you to our upgrade and installation services.

Install GitLab on your own server in 2 minutes

Browse all posts

For the latest and most detailed news follow @gitlab
on Twitter.

Get every GitLab blog post and stay up to date.

Please enable JavaScript to view the comments powered by Disqus.

Original URL:

Original article

Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7

SSH access is always critical and you might want to find ways to improve the security of your SSH login. In this article we will see how we can secure SSH with simple two factor authentication by using Google Authenticator. Before using it you have to integrate the SSH daemon on your server with Google Authenticator one time password protocol TOTP and another restriction is that you must have your android phone with you all the time or at least the time you want SSH access. This tutorials is written for CentOS 7.

Original URL:

Original article

Ask HN: I wrote a Slack compatible server. Can I open source it?

Ask HN: I wrote a Slack compatible server. Can I open source it?
29 points by sysk 1 hour ago | 18 comments
I had to implement a chat server for a project I’m working on and since I had never done this before, I used Slack’s documentation as a roadmap and ended up re-implementing pretty much their whole API (I went a bit overboard I know).

I would like to open source this code but was wondering if it was legal for me to do so or would I be infringing on Slack’s IP.

| Support
| Security
| Lists
| Bookmarklet
| Apply to YC
| Contact

Original URL:

Original article

Zero Downtime with HAProxy

The internet is rife with promises of 100% availability when using HAProxy for load balancing. THEY ARE LIES!

When you instruct HAProxy to reload it’s configuration, the following occurs:

  1. A new process is created that signals the old process to unbind it’s ports
  2. The new process binds to the ports
  3. Existing connections are finished on the old process, or passed on to the new process

Seems pretty straight forward but there’s a small window of time between steps 1 and 2 where neither process is bound to the configured ports and requests are rejected. For most this seems to be a negligible window of error, but if you’re serving enough traffic and your requests are important to you it can be a deal breaker.

Some TCP

When a client makes a request over TCP/HTTP a series of handshakes occurs before the connection is established. The details of this handshake are for another post. All you need to know is that the first packet comes from the requestor and it’s typically referred to as a SYN (synchronize) packet. Once the requestor sends this packet, it waits for a response and retries at a decaying interval until it receives a response or times out.

So how can we use this to make sure we don’t lose requests while reloading HAProxy configuration?

Disclaimer: This next part describes a way to avoid dropped connections that some might consider dangerous. Use at your own risk 😉

Hacking TCP

Turns out, we can use iptables to trick clients into retrying their connections while the process is down!

iptables -I INPUT -p tcp -m multiport —dports 80,443 —syn -j DROP && sleep 0.5 && 
/etc/init.d/haproxy reload;
iptables -D INPUT -p -tcp -m multiport —dports 80,443 —syn -j DROP

So what’s happening here. First a rule is added to the beginning of the iptables INPUT chain that drops all SYN tcp packets on ports 80 and 443. After waiting a half a second for the changes to take affect, we reload HAProxy config and then remove the SYN packet rule from the firewall. Notice the semicolon after the HAProxy reload command that ensures the iptables rule will be removed even if the reload fails.

Running this command to restart your HAProxy process will help to guarantee reloading load balancer configuration won’t hurt your sites availability. Happy hacking! ☺

Original URL:

Original article

Announcing qboot, a minimal x86 firmware for QEMU

[Posted May 21, 2015 by jake]
From:   Paolo Bonzini
To:   qemu-devel , KVM list
Subject:   Announcing qboot, a minimal x86 firmware for QEMU
Date:   Thu, 21 May 2015 15:51:43 +0200
Archive-link:   Article, Thread
Some of you may have heard about the "Clear Containers" initiative from
Intel, which couple KVM with various kernel tricks to create extremely
lightweight virtual machines.  The experimental Clear Containers setup
requires only 18-20 MB to launch a virtual machine, and needs about 60
ms to boot.

Now, as all of you probably know, "QEMU is great for running Windows or
legacy Linux guests, but that flexibility comes at a hefty price. Not
only does all of the emulation consume memory, it also requires some
form of low-level firmware in the guest as well. All of this adds quite
a bit to virtual-machine startup times (500 to 700 milliseconds is not

Right?  In fact, it's for this reason that Clear Containers uses kvmtool
instead of QEMU.

No, wrong!  In fact, reporting bad performance is pretty much the same
as throwing down the gauntlet.

Enter qboot, a minimal x86 firmware that runs on QEMU and, together with
a slimmed-down QEMU configuration, boots a virtual machine in 40
milliseconds[2] on an Ivy Bridge Core i7 processor.

qboot is available at git://  In all the
glory of its 8KB of code, it brings together various existing open
source components:

* a minimal (really minimal) 16-bit BIOS runtime based on kvmtool's own BIOS

* a couple hardware initialization routines written mostly from scratch
but with good help from SeaBIOS source code

* a minimal 32-bit libc based on kvm-unit-tests

* the Linux loader from QEMU itself

The repository has more information on how to achieve fast boot times,
and examples of using qboot.  Right now there is a limit of 8 MB for
vmlinuz+initrd+cmdline, which however should be enough for initrd-less

The first commit to qboot is more or less 24 hours old, so there is
definitely more work to do, in particular to extract ACPI tables from
QEMU and present them to the guest.  This is probably another day of
work or so, and it will enable multiprocessor guests with little or no
impact on the boot times.  SMBIOS information is also available from QEMU.

On the QEMU side, there is no support yet for persistent memory and the
NFIT tables from ACPI 6.0.  Once that (and ACPI support) is added, qboot
will automatically start using it.

Happy hacking!


(Log in to post comments)

Original URL:

Original article

Yahoo Open-Sources MySQL Performance Analyzer

MySQL Performance Analyzer is an open source project for MySQL performance monitoring and analysis.
This repository includes two sub projects:
Java web application project myperf
Java web server jetty wrapper


MySQL Performance Analyzer is a Java Maven project.
JDK and Maven 3.0 or later are required to build it.

Although JDK 8 is specified in pom.xml, this project does not use Java 8 specific features, so the user can modify pom.xml files of the two sub projects to use different JDK version.
For example, if the build host only has JDK 7, modify the file myperf/pom.xml, change the lines




The build will create a zip file named as under directory perfJettyServer/target. To build it, at top level, run

  mvn clean package

Installation and Usage Instructions

  1. Requirement: Java JDK 8, or the one specified by in pom.xml if changed during build time.

  2. Unzip to the desired installation directory. If you intend to install on Windows host, please review two shell scripts and create Windows equivalent.

  3. For a more formal installation, it is recommended to have a MySQL database server to store the metrics.
    Otherwise, use the built-in derby db.
    a. Create a database, for example, named as metrics, with the MySQL database server.
    b. Create a MySQL user (for example, ‘metrics’@’my_host’ -> here my_host is the machine where you MySQL perf analyzer) with all privileges on above schema.
    c. The above information will be required when you first login to the analyzer to setup metrics gathering.

  4. Review script to see if you need to modify any command line settings. Usually, port number is the only one you need change
    -j: jettyHome, leave it as it is
    -p: http port to be used, 9092 by default
    -w: war (web archive) file, has to be myperf.war
    -k: working directory, if not specified, it will use ./work
    -c: url context, default to /myperf, leave it as is.

    Modify java command path inside, if needed.

  5. Start up:
    Check nohup.out and logs directory for any error logs.

  6. Shutdown:

  7. First time Login and Setup
    After startup, point your browser to http://your_host:9092/myperf (or the port number you changed).
    The initial login user and credential are myperf/change.

After login, you will be directed to setup page:

You can add an email address for notifications. The email uses OS “mailx” command.

Configure the metrics storage database, using the one that you created in the earlier steps.
A metrics scan interval of 1 or 5 minutes should be good enough.

If use built-in derbydb, choose short retention days.

After configuration is done, you need to start the scanner (“Start Scanner” button on top of the page).

Everytime you change the configuration, you need to restart the scanner.

If the scanner does not work as expected, restart the analyzer

  1. For each database server you want to monitor, you need to create a MySQL user with the following privileges:
    a. process
    b. replication client
    c. show databases
    d. show view
    e. select on all (if you want to use it to check data dictionary or run explain plans)

  2. The analyzer relies on Linux SNMP to gather OS level data. Check snmpd service status.

Known Limitations

  1. snmpd is based on the Linux specification.
  2. Email notification uses Linux’s “mailx” command.


This code licensed under the Apache license. See the LICENSE file for terms.

Original URL:

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: