22

Im trying to do an automated deployment of gitlab that has everything pre-configured. I need to specify an initial root password so first-time logins are not prompted with the password reset screen. I see the omnibus config option in the template: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template#L509

506 #### Change the initial default admin password and shared runner registration tokens.
507 ####! **Only applicable on initial setup, changing these settings after database
508 ####!   is created and seeded won't yield any change.**
509 # gitlab_rails['initial_root_password'] = "password"

However, as the documentation says, this option will not take affect after installation. So, using gitlab-ctl reconfigure does not deploy these changes, as I have tested.

When I try the solution from this this post:

$ sudo gitlab-rake gitlab:setup RAILS_ENV=production GITLAB_ROOT_PASSWORD="Pa$$w0rd!" GITLAB_ROOT_EMAIL="gitlab@domain.com" DISABLE_DATABASE_ENVIRONMENT_CHECK=1
This will create the necessary database tables and seed the database.
You will lose any previous data stored in the database.
Do you want to continue (yes/no)? yes

PG::ObjectInUse: ERROR:  database "gitlabhq_production" is being accessed by other users
DETAIL:  There are 10 other sessions using the database.
: DROP DATABASE IF EXISTS "gitlabhq_production"
Couldn't drop database 'gitlabhq_production'
rake aborted!
ActiveRecord::StatementInvalid: PG::ObjectInUse: ERROR:  database "gitlabhq_production" is being accessed by other users
DETAIL:  There are 10 other sessions using the database.
: DROP DATABASE IF EXISTS "gitlabhq_production"
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/setup.rake:33:in `setup_db'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/setup.rake:5:in `block (2 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'

Caused by:
PG::ObjectInUse: ERROR:  database "gitlabhq_production" is being accessed by other users
DETAIL:  There are 10 other sessions using the database.
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/setup.rake:33:in `setup_db'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/setup.rake:5:in `block (2 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'
Tasks: TOP => db:drop:_unsafe
(See full trace by running task with --trace)

When I try to stop gitlab so no users are accessing it with gitlab-ctl stop, it fails with the following error:

$ sudo gitlab-rake gitlab:setup RAILS_ENV=production GITLAB_ROOT_PASSWORD="Pa$$w0rd!" GITLAB_ROOT_EMAIL="gitlab@domain.com" DISABLE_DATABASE_ENVIRONMENT_CHECK=1
rake aborted!
PG::ConnectionBad: could not connect to server: No such file or directory
        Is the server running locally and accepting
        connections on Unix domain socket "/var/opt/gitlab/postgresql/.s.PGSQL.5432"?
/opt/gitlab/embedded/service/gitlab-rails/ee/app/models/license.rb:261:in `load_license'
/opt/gitlab/embedded/service/gitlab-rails/ee/app/models/license.rb:250:in `current'
/opt/gitlab/embedded/service/gitlab-rails/ee/app/models/license.rb:254:in `feature_available?'
/opt/gitlab/embedded/service/gitlab-rails/ee/lib/ee/gitlab/auth/ldap/config.rb:19:in `_available_servers'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/config.rb:39:in `available_servers'
/opt/gitlab/embedded/service/gitlab-rails/config/initializers/omniauth.rb:3:in `<module:Strategies>'
/opt/gitlab/embedded/service/gitlab-rails/config/initializers/omniauth.rb:2:in `<top (required)>'
/opt/gitlab/embedded/service/gitlab-rails/config/environment.rb:6:in `<top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'
Tasks: TOP => gitlab:setup => gitlab_environment => environment
(See full trace by running task with --trace)

How do I set an initial root password for gitlab with the omnibus install?

CoconutBandit
  • 476
  • 1
  • 3
  • 13

6 Answers6

46

I had a similar problem. Even if I set the environment variable, it seems that my gitlab ce still can't login. So I reset the password with the "root" user.

# dir: /etc/gitlab
gitlab-rake "gitlab:password:reset[root]"

Wait 10 minutes. And result

Enter password:
Confirm password:
Password successfully updated for user with username root.

Then all works as usual.

Khai Vu
  • 1,280
  • 10
  • 9
6

This worked for me details here:

    docker run -d  \
-v $GITLAB_HOME/config:/etc/gitlab \
-v $GITLAB_HOME/logs:/var/log/gitlab \
-v $GITLAB_HOME/data:/var/opt/gitlab \
--hostname example.com \
-p 443:443 -p 80:80 -p 2222:22 \
-e GITLAB_ROOT_EMAIL="root@local" -e GITLAB_ROOT_PASSWORD="gitlab_root_password" -e EXTERNAL_URL="http://example.com" \
--name gitlab --restart unless-stopped gitlab/gitlab-ce:latest

So for omnibus installation you can set following as env variables and then do a yum/apt install of gitlab-ce or gitlab-ee:

GITLAB_ROOT_EMAIL="root@local"
GITLAB_ROOT_PASSWORD="gitlab_root_password" 
EXTERNAL_URL="http://example.com"

Off course do change the values accordingly.

Suleman Hasib
  • 149
  • 1
  • 8
5

If you are using Docker, you can get this bash:

docker exec -it gitlab_continer bash

and open Rails console.

gitlab-rails console -e production

and Enter the code below

user = User.where(id: 1).first
user.password = 'your secret'
user.password_confirmation = 'your secret'
user.save
exit

You can get more information from the link below https://docs.gitlab.com/ee/security/reset_user_password.html

سعید خیری
  • 61
  • 1
  • 3
3

the following 'currently' works for the omnibus install via Ansible on a centos-8 machine. If you are not using ansible you can see the steps that could be scripted another way.

I tried setting the environment variables that were supposed to set the password,but they didn't seem to work, so in the end I used the rails console to set the password, and that allows me to use a username and password to get an oauth token I can use with the rest of the gitlab API

- name: PLAYBOOK gitlab-omnibus.yml
  hosts: all
  become: yes
  vars_files:
    - vars.yml

  tasks:
    - name: install gitlab pre-reqs for centos/8 (curl, policycoreutils, openssh-server, jq)
      dnf:
        name:
          - curl
          - policycoreutils
          - openssh-server
          - jq # just used for troubleshooting

    - name: get_url https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh
      get_url:
        url: https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh
        dest: ./script.rpm.sh
        mode: 0740
    - name: Run script to install and configure gitlab repo 
      shell: ./script.rpm.sh
       
    - name: Install the GitLab package for "https://{{new_hostname}}" WITH PROVIDED PASSWORD
      shell: sudo EXTERNAL_URL="https://{{new_hostname}}" dnf install -y gitlab-ee

    - name: use the rails console to change the password
      # {{':'}} is to escape the colon
      shell: sudo gitlab-rails runner "user = User.where(id{{':'}} 1).first; user.password = '{{gitlab_root_password}}'; user.password_confirmation = '{{gitlab_root_password}}'; user.save!"

    - name: restart gitlab wait 5 mins and then try to connect to "https://{{new_hostname}}"
      command: "gitlab-ctl restart"

    - name: install pip3
      dnf:
        name: python3-pip

    - name: Install gitlab python package
      pip:
        name: python-gitlab

    - name: Wait for two mins for gitlab to restart
      pause: 
        minutes: 2

    - name: Get oauth token from https://{{new_hostname}}/oauth/token
      uri: 
        url: https://{{new_hostname}}/oauth/token?grant_type=password&username=root&password={{gitlab_root_password}}
        method: POST
        return_content: yes
        status_code: 200
        body_format: json
        validate_certs: yes
      register: token

    - name: create a user
      uri:
        url: https://{{new_hostname}}/api/v4/users
        method: POST
        headers: 
          Authorization: "Bearer {{token.json.access_token}}"
        body_format: json
        body:
          email: any.body@gmail.com
          username: bodya
          name: "Any Body"
          password: "{{gitlab_root_password}}"
        status_code: 201, 409 # 201 is created, 409 is already exists; makes idempotent
        validate_certs: yes
      register: gitlab_users
P Burke
  • 1,630
  • 2
  • 17
  • 31
1

I personnaly add the issue with all those methods. turns out it was the password was too weak and did not match the requirements. Making a more difficult inital password was enought to make it work

Pixsaoul
  • 11
  • 1
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 05 '23 at 19:49
0

The environment variables need to be set before running the installer, but it's oddly specific and needs to be on the same line if running it manually. If running using ansible, you can use the environment keyword to supply the variables.

Manual solution sudo EXTERNAL_URL="http://example.gitlab.com" GITLAB_ROOT_PASSWORD="testing1234" yum install -y gitlab-ce

Ansible solution

- name: Install Gitlab
  yum:
    name: gitlab-ce
    state: present
  environment:
    - EXTERNAL_URL: "http://example.gitlab.com"
    - GITLAB_ROOT_PASSWORD: "testing1234"
trb
  • 120
  • 2
  • 12