What is the recommended SAFE way to UPGRADE a GitLab CE instance on a VM?

We are using some virtualization system to host our Gitlab CE instance. We want to make a snapshot and then upgrade, and be able to revert if internal clients see problems.

The problem I see with our plan is that “gitlab-ctl stop” (omnibus co-ordinator) stops all services, and this breaks upgrades, which expect postgres (and maybe other bits) to be running.

What can we do? Can we somehow PREVENT GIT PUSH from occurring until we are sure we’re not going to revert the whole VM? If the upgrade works, we would love a way to “bring up” gitlab far enough to check it’s responding without permitting anybody to push.


You can put it into maintenance mode using gitlab-ctl deploy-page up and then take it out of maintenance mode using gitlab-ctl deploy-page down. I believe that doing this also prevents Git push/pull.

Further testing reveals that this doesn’t prevent push/pull, though I believe that it used to do so in earlier versions.


Please try this.
For any push to happen via SSH it has to get authorized from the authorized_keys file. Just rename the file an put an empty file in its place. Git push/clone request will fail due to authorization problem.

[root@GitLab123 .ssh]# pwd
[root@GitLab123.ssh]# ls -lrt
total 788
-rw-r--r-- 1 git git      0 May 30 16:49 authorized_keys.lock
-rw------- 1 git git 801087 May 30 16:49 authorized_keys
[root@GitLab123 .ssh]#

After the upgrade you can revert it or you can rebuild the authorized keys file with the below command

sudo gitlab-rake gitlab:shell:setup

I think this tweet will work Please give a try.

Very good idea! I will script this up so that our “apt-get update, apt-get upgrade” occurs WHILE push is disabled, and then we will re-enable the ssh authorized keys.

I do it a bit differently that I think is slightly better since I don’t have to muck with gitlab config, I disable ssh, http, and https access via the local firewall on the gitlab server. I also have an administrative ssh port enabled so I don’t lock myself out. :slight_smile:

It is easy enough to script the firewall commands.