{"id":13454046,"url":"https://github.com/sameersbn/docker-gitlab","last_synced_at":"2026-04-09T00:04:01.649Z","repository":{"id":11033921,"uuid":"13367154","full_name":"sameersbn/docker-gitlab","owner":"sameersbn","description":"Dockerized GitLab","archived":false,"fork":false,"pushed_at":"2026-03-26T18:24:35.000Z","size":7753,"stargazers_count":8083,"open_issues_count":570,"forks_count":2152,"subscribers_count":277,"default_branch":"master","last_synced_at":"2026-03-26T20:25:49.640Z","etag":null,"topics":["code-hosting","containers","docker","docker-image","git","gitlab","gitlab-ce"],"latest_commit_sha":null,"homepage":"http://www.damagehead.com/docker-gitlab/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sameersbn.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-10-06T18:46:15.000Z","updated_at":"2026-03-26T18:18:47.000Z","dependencies_parsed_at":"2023-09-28T21:29:04.018Z","dependency_job_id":"3824e19f-476d-4092-8e27-42cac5e7b196","html_url":"https://github.com/sameersbn/docker-gitlab","commit_stats":{"total_commits":3127,"total_committers":254,"mean_commits":"12.311023622047244","dds":0.5733930284617845,"last_synced_commit":"76dad7812405afada9701b81fa1cf714fdaaf021"},"previous_names":[],"tags_count":908,"template":false,"template_full_name":null,"purl":"pkg:github/sameersbn/docker-gitlab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sameersbn%2Fdocker-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sameersbn%2Fdocker-gitlab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sameersbn%2Fdocker-gitlab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sameersbn%2Fdocker-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sameersbn","download_url":"https://codeload.github.com/sameersbn/docker-gitlab/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sameersbn%2Fdocker-gitlab/sbom","scorecard":{"id":530938,"data":{"date":"2025-08-11","repo":{"name":"github.com/sameersbn/docker-gitlab","commit":"3f10d339b1b4593df6b07818ecb88ce9acd8563b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.2,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":5,"reason":"Found 9/16 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating ubuntu:noble-20250716 to ubuntu:noble-20250716@sha256:7c06e91f61fa88c08cc74f7e1b7c69ae24910d745357e0dfe1d2c0322aaf20f9","Info: 0 out of 1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-20T05:43:03.168Z","repository_id":11033921,"created_at":"2025-08-20T05:43:03.168Z","updated_at":"2025-08-20T05:43:03.168Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31307145,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-hosting","containers","docker","docker-image","git","gitlab","gitlab-ce"],"created_at":"2024-07-31T08:00:50.542Z","updated_at":"2026-04-09T00:04:01.640Z","avatar_url":"https://github.com/sameersbn.png","language":"Shell","readme":"# sameersbn/gitlab:18.10.3\n\n[![CircleCI](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master.svg?style=svg)](https://circleci.com/gh/sameersbn/docker-gitlab/tree/master)\n\n- [Introduction](#introduction)\n - [Changelog](Changelog.md)\n- [Contributing](#contributing)\n- [Team](#team)\n- [Issues](#issues)\n- [Announcements](https://github.com/sameersbn/docker-gitlab/issues/39)\n- [Prerequisites](#prerequisites)\n- [Installation](#installation)\n- [Quick Start](#quick-start)\n- [Configuration](#configuration)\n - [Data Store](#data-store)\n - [Database](#database)\n - [PostgreSQL (Recommended)](#postgresql)\n - [External PostgreSQL Server](#external-postgresql-server)\n - [Linking to PostgreSQL Container](#linking-to-postgresql-container)\n - [Upgrading PostgreSQL](#upgrading-postgresql)\n - [Redis](#redis)\n - [Internal Redis Server](#internal-redis-server)\n - [External Redis Server](#external-redis-server)\n - [Linking to Redis Container](#linking-to-redis-container)\n - [Mail](#mail)\n - [Reply by email](#reply-by-email)\n - [SSL](#ssl)\n - [Generation of a Self Signed Certificate](#generation-of-a-self-signed-certificate)\n - [Strengthening the server security](#strengthening-the-server-security)\n - [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)\n - [Enabling HTTPS support](#enabling-https-support)\n - [Configuring HSTS](#configuring-hsts)\n - [Using HTTPS with a load balancer](#using-https-with-a-load-balancer)\n - [Establishing trust with your server](#establishing-trust-with-your-server)\n - [Installing Trusted SSL Server Certificates](#installing-trusted-ssl-server-certificates)\n - [Deploy to a subdirectory (relative url root)](#deploy-to-a-subdirectory-relative-url-root)\n - [OmniAuth Integration](#omniauth-integration)\n - [CAS3](#cas3)\n - [Authentiq](#authentiq)\n - [Google](#google)\n - [Twitter](#twitter)\n - [GitHub](#github)\n - [GitLab](#gitlab)\n - [BitBucket](#bitbucket)\n - [SAML](#saml)\n - [Crowd](#crowd)\n - [Microsoft Azure](#microsoft-azure)\n - [Generic OAuth2](#generic-oauth2)\n - [OpenID Connect](#openid-connect)\n - [JWT](#jwt)\n - [Gitlab Pages](#gitlab-pages)\n - [External Issue Trackers](#external-issue-trackers)\n - [Host UID / GID Mapping](#host-uid--gid-mapping)\n - [Piwik](#piwik)\n - [Feature flags](#feature-flags)\n - [Exposing ssh port in dockerized gitlab-ce](docs/exposing-ssh-port.md)\n - [Available Configuration Parameters](#available-configuration-parameters)\n- [Maintenance](#maintenance)\n - [Creating Backups](#creating-backups)\n - [Restoring Backups](#restoring-backups)\n - [Automated Backups](#automated-backups)\n - [Amazon Web Services (AWS) Remote Backups](#amazon-web-services-aws-remote-backups)\n - [Google Cloud Storage (GCS) Remote Backups](#google-cloud-storage-gcs-remote-backups)\n - [Rake Tasks](#rake-tasks)\n - [Import Repositories](#import-repositories)\n - [Upgrading](#upgrading)\n - [Shell Access](#shell-access)\n- [Monitoring](#monitoring)\n - [Health Check](#health-check)\n- [Container Registry](docs/container_registry.md)\n- [Deploy in Docker Swarm mode, with HTTPS handled by Traefik proxy and Docker Registry](docs/docker-swarm-traefik-registry.md)\n- [References](#references)\n\n## Introduction\n\nDockerfile to build a [GitLab](https://about.gitlab.com/) image for the [Docker](https://www.docker.com/products/docker-engine) open source container platform.\n\nGitLab CE is set up in the Docker image using the [install from source](https://docs.gitlab.com/ce/install/installation.html) method as documented in the official GitLab documentation.\n\nFor other methods to install GitLab please refer to the [Official GitLab Installation Guide](https://about.gitlab.com/install/) which includes a [GitLab image for Docker](https://docs.gitlab.com/omnibus/docker/).\n\n## Contributing\n\nIf you find this image useful here's how you can help:\n\n- Send a Pull Request with your awesome new features and bug fixes\n- Be a part of the community and help resolve [Issues](https://github.com/sameersbn/docker-gitlab/issues)\n- Support the development of this image with a [donation](http://www.damagehead.com/donate/)\n\n## Team\n\n- Niclas Mietz ([solidnerd](https://github.com/solidnerd))\n- Sameer Naik ([sameersbn](https://github.com/sameersbn))\n\nSee [Contributors](../../graphs/contributors) for the complete list developers that have contributed to this project.\n\n## Issues\n\nDocker is actively being developed and tested by a thriving community of developers and testers and every release of Docker features many enhancements and bugfixes.\n\nGiven the nature of the development and release cycle it is very important that you have the latest version of Docker installed because any issue that you encounter might have already been fixed with a newer Docker release.\n\nInstall the most recent version of the Docker Engine for your platform using the [official Docker releases](http://docs.docker.com/engine/installation/), which can also be installed using:\n\n```bash\nwget -qO- https://get.docker.com/ | sh\n```\n\nFedora and RHEL/CentOS users should try disabling selinux with `setenforce 0` and check if resolves the issue. If it does than there is not much that I can help you with. You can either stick with selinux disabled (not recommended by redhat) or switch to using ubuntu.\n\nYou may also set `DEBUG=true` to enable debugging of the entrypoint script, which could help you pinpoint any configuration issues.\n\nIf using the latest docker version and/or disabling selinux does not fix the issue then please file an issue request on the [issues](https://github.com/sameersbn/docker-gitlab/issues) page.\n\nIn your issue report please make sure you provide the following information:\n\n- The host distribution and release version.\n- Output of the `docker version` command\n- Output of the `docker info` command\n- The `docker run` command you used to run the image (mask out the sensitive bits).\n\n## Prerequisites\n\nYour docker host needs to have 1GB or more of available RAM to run GitLab. Please refer to the GitLab [hardware requirements](https://github.com/gitlabhq/gitlabhq/blob/master/doc/install/requirements.md#hardware-requirements) documentation for additional information.\n\n## Installation\n\nAutomated builds of the image are available on [Dockerhub](https://hub.docker.com/r/sameersbn/gitlab) and is the recommended method of installation.\n\n```bash\ndocker pull sameersbn/gitlab:18.10.3\n```\n\nYou can also pull the `latest` tag which is built from the repository *HEAD*\n\n```bash\ndocker pull sameersbn/gitlab:latest\n```\n\nAlternatively you can build the image locally.\n\n```bash\ndocker build -t sameersbn/gitlab github.com/sameersbn/docker-gitlab\n```\n\n## Quick Start\n\nThe quickest way to get started is using [docker-compose](https://docs.docker.com/compose/).\n\n```bash\nwget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml\n```\n\nGenerate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following:\n\n- `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.\n- `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.\n- `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.\n- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials.\n\n\u003e **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.\n\nAlso generate random strings that are typically `32` characters long for each of:\n\n- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`\n- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`\n- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`\n\nThese values are used for `ActiveRecord::Encryption` encrypted columns. Details can be found under [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html).\n\nStart GitLab using:\n\n```bash\ndocker-compose up\n```\n\nAlternatively, you can manually launch the `gitlab` container and the supporting `postgresql` and `redis` containers by following this three step guide.\n\nStep 1. Launch a postgresql container\n\n```bash\ndocker run --name gitlab-postgresql -d \\\n --env 'DB_NAME=gitlabhq_production' \\\n --env 'DB_USER=gitlab' --env 'DB_PASS=password' \\\n --env 'DB_EXTENSION=pg_trgm,btree_gist' \\\n --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \\\n kkimurak/sameersbn-postgresql:16\n```\n\nStep 2. Launch a redis container\n\n```bash\ndocker run --name gitlab-redis -d \\\n --volume /srv/docker/gitlab/redis:/data \\\n redis:7\n```\n\nStep 3. Launch the gitlab container\n\n```bash\ndocker run --name gitlab -d \\\n --link gitlab-postgresql:postgresql --link gitlab-redis:redisio \\\n --publish 10022:22 --publish 10080:80 \\\n --env 'GITLAB_PORT=10080' --env 'GITLAB_SSH_PORT=10022' \\\n --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \\\n --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \\\n --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \\\n --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \\\n --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=[\"long-and-random-alpha-numeric-string\"]' \\\n --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=[\"long-and-random-alpha-numeric-string\"]' \\\n --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\n*Please refer to [Available Configuration Parameters](#available-configuration-parameters) to understand `GITLAB_PORT` and other configuration options*\n\n**NOTE**: Please allow a couple of minutes for the GitLab application to start.\n\nPoint your browser to `http://localhost:10080` and set a password for the `root` user account.\n\nYou should now have the GitLab application up and ready for testing. If you want to use this image in production then please read on.\n\n*The rest of the document will use the docker command line. You can quite simply adapt your configuration into a `docker-compose.yml` file if you wish to do so.*\n\n## Configuration\n\n### Data Store\n\nGitLab is a code hosting software and as such you don't want to lose your code when the docker container is stopped/deleted. To avoid losing any data, you should mount a volume at,\n\n- `/home/git/data`\n\n*Note: that if you are using the `docker-compose` approach, you must \"inspect\" the volumes (```docker volume inspect```) to check the mounted path.*\n\nSELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.\n\n```bash\nmkdir -p /srv/docker/gitlab/gitlab\nsudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/gitlab\n```\n\nVolumes can be mounted in docker by specifying the `-v` option in the docker run command.\n\n```bash\ndocker run --name gitlab -d \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\n### Database\n\nGitLab uses a database backend to store its data. You can configure this image to use PostgreSQL.\n\n*Note:* GitLab requires PostgreSQL now. So use an older image \u003c 12.1 or migrate to PostgresSQL\n\n#### PostgreSQL\n\n**Important note:** This image is shipped with different versions of the `postgresql-client`.\n\nDuring the startup of the container, the major version of the database system is checked based on the specified connection destination. Only the version of the `postgresql-client`, that matches the major version of the Postgres database is used. If the major version of any version of the included clients does not match, the latest client is used (but may cause issues). All other versions of the `postgresql-client` are deleted at runtime.\n\nThis behavior can be checked using the command `docker logs` and an output like the following should be available:\n\n````sh\n…\nConfiguring gitlab::database\n- Installing postgresql client to avoid version mismatch on dumping\n-- Detected server version: 160009\n- Generating /home/git/.postgresqlrc\n16 postgresql:5432 gitlabhq_production\n- Uninstalling unused client(s): postgresql-client-13 postgresql-client-14 postgresql-client-15 postgresql-client-17\n…\n````\n\nPlease note furthermore, that only compatible versions of the `postgresql-client` to GitLab are shipped with this image. Currently, these belong to\n\n- `postgresql-client-13`,\n- `postgresql-client-14`,\n- `postgresql-client-15`,\n- `postgresql-client-16`,\n- and `postgresql-client-17`.\n\n***Notes:***\n\n- GitLab CE version 13.7.0 and later requires PostgreSQL version 12.x.\n- GitLab CE version 16.0.0 and later requires PostgreSQL version 13.x.\n- GitLab CE version 17.0.0 and later requires PostgreSQL version 14.x.\n- GitLab CE version 18.0.0 and later requires PostgreSQL version 16.x.\n\n##### External PostgreSQL Server\n\nThe image also supports using an external PostgreSQL Server. This is also controlled via environment variables.\n\n```sql\nCREATE ROLE gitlab with LOGIN CREATEDB PASSWORD 'password';\nCREATE DATABASE gitlabhq_production;\nGRANT ALL PRIVILEGES ON DATABASE gitlabhq_production to gitlab;\n```\n\nAdditionally, since GitLab `8.6.0` the `pg_trgm` extension should also be loaded for the `gitlabhq_production` database.\n\nWe are now ready to start the GitLab application.\n\n*Note:* The following applies assuming that the PostgreSQL server host is `192.168.1.100`.\n\n```bash\ndocker run --name gitlab -d \\\n --env 'DB_HOST=192.168.1.100' \\\n --env 'DB_NAME=gitlabhq_production' \\\n --env 'DB_USER=gitlab' --env 'DB_PASS=password' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\n##### Linking to PostgreSQL Container\n\nYou can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to **postgresql** while linking with the gitlab image.\n\nIf a postgresql container is linked, only the `DB_HOST` and `DB_PORT` settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the `DB_NAME`, `DB_USER`, `DB_PASS` and so on.\n\nTo illustrate linking with a postgresql container, we will use the [sameersbn/postgresql](https://github.com/sameersbn/docker-postgresql) image. When using postgresql image in production you should mount a volume for the postgresql data store. Please refer the [README](https://github.com/sameersbn/docker-postgresql/blob/master/README.md) of docker-postgresql for details.\n\nFirst, let's pull the postgresql image from the docker index.\n\n```bash\ndocker pull kkimurak/sameersbn-postgresql:16\n```\n\nFor data persistence lets create a store for the postgresql and start the container.\n\nSELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.\n\n```bash\nmkdir -p /srv/docker/gitlab/postgresql\nsudo chcon -Rt svirt_sandbox_file_t /srv/docker/gitlab/postgresql\n```\n\nThe run command looks like this.\n\n```bash\ndocker run --name gitlab-postgresql -d \\\n --env 'DB_NAME=gitlabhq_production' \\\n --env 'DB_USER=gitlab' --env 'DB_PASS=password' \\\n --env 'DB_EXTENSION=pg_trgm' \\\n --volume /srv/docker/gitlab/postgresql:/var/lib/postgresql \\\n kkimurak/sameersbn-postgresql:16\n```\n\nThe above command will create a database named `gitlabhq_production` and also create a user named `gitlab` with the password `password` with access to the `gitlabhq_production` database.\n\nWe are now ready to start the GitLab application.\n\n```bash\ndocker run --name gitlab -d --link gitlab-postgresql:postgresql \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nHere the image will also automatically fetch the `DB_NAME`, `DB_USER` and `DB_PASS` variables from the postgresql container as they are specified in the `docker run` command for the postgresql container. This is made possible using the magic of docker links and works with the following images:\n\n- [postgres](https://hub.docker.com/_/postgres/),\n- [kkimurak/sameersbn-postgresql](https://hub.docker.com/r/kkimurak/sameersbn-postgresql), or\n- [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) .\n\n##### Upgrading PostgreSQL\n\nWhen this Gitlab image upgrades its dependency on specific version of PostgreSQL you will need to make sure to use corresponding version of PostgreSQL.\n\nIf you are setting a brand new install, there is no data migration involved. However, if you already have an existing setup, the PostgreSQL data will need to be migrated as you are upgrading the version of PostgreSQL.\n\nIf you are using PostgreSQL image other than [sameersbn/postgresql](https://quay.io/repository/sameersbn/postgresql/) you will need make sure that the image you are using can handle migration itself, **or**, you will need to migrate the data yourself before starting newer version of PostgreSQL.\n\nFollowing project provides Docker image that handles migration of PostgreSQL data: [tianon/postgres-upgrade](https://hub.docker.com/r/tianon/postgres-upgrade/)\n\nAfter migration of the data, verify that other PostgreSQL configuration files in its data folder are copied over as well. One such file is `pg_hba.conf`, it will need to be copied from old version data folder into new version data folder.\n\n### Redis\n\nGitLab uses the redis server for its key-value data store. The redis server connection details can be specified using environment variables.\n\n#### Internal Redis Server\n\nThe internal redis server has been removed from the image. Please use a [linked redis](#linking-to-redis-container) container or specify a [external redis](#external-redis-server) connection.\n\n#### External Redis Server\n\nThe image can be configured to use an external redis server. The configuration should be specified using environment variables while starting the GitLab image.\n\n*Note:* The following applies assuming that the redis server host is `192.168.1.100`.\n\n```bash\ndocker run --name gitlab -it --rm \\\n --env 'REDIS_HOST=192.168.1.100' --env 'REDIS_PORT=6379' \\\n sameersbn/gitlab:18.10.3\n```\n\n#### Linking to Redis Container\n\nYou can link this image with a redis container to satisfy gitlab's redis requirement. The alias of the redis server container should be set to **redisio** while linking with the gitlab image.\n\nTo illustrate linking with a redis container, we will use the [redis](https://github.com/docker-library/redis) image. Please refer the [README](https://github.com/docker-library/docs/blob/master/redis/README.md) for details.\n\nFirst, let's pull the redis image from the docker index.\n\n```bash\ndocker pull redis:7\n```\n\nLets start the redis container\n\n```bash\ndocker run --name gitlab-redis -d \\\n --volume /srv/docker/gitlab/redis:/data \\\n redis:7\n```\n\nWe are now ready to start the GitLab application.\n\n```bash\ndocker run --name gitlab -d --link gitlab-redis:redisio \\\n sameersbn/gitlab:18.10.3\n```\n\n#### Mail\n\nThe mail configuration should be specified using environment variables while starting the GitLab image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers.\n\nIf you are using Gmail then all you need to do is:\n\n```bash\ndocker run --name gitlab -d \\\n --env 'SMTP_USER=USER@gmail.com' --env 'SMTP_PASS=PASSWORD' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nPlease refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of SMTP parameters that can be specified.\n\n##### Reply by email\n\nSince version `8.0.0` GitLab adds support for commenting on issues by replying to emails.\n\nTo enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify `GITLAB_INCOMING_EMAIL_ADDRESS` if your incoming email address is not the same as the `IMAP_USER`.\n\nIf your email provider supports email [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) then you should add the `+%{key}` placeholder after the user part of the email address, eg. `GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com`. Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements for this feature.\n\nIf you are using Gmail then all you need to do is:\n\n```bash\ndocker run --name gitlab -d \\\n --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \\\n --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nPlease refer the [Available Configuration Parameters](#available-configuration-parameters) section for the list of IMAP parameters that can be specified.\n\n#### SSL\n\nAccess to the gitlab application can be secured using SSL so as to prevent unauthorized access to the data in your repositories. While a CA certified SSL certificate allows for verification of trust via the CA, a self-signed certificate can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.\n\nJump to the [Using HTTPS with a load balancer](#using-https-with-a-load-balancer) section if you are using a load balancer such as hipache, haproxy or nginx.\n\nTo secure your application via SSL you basically need two things:\n\n- **Private key (.key)**\n- **SSL certificate (.crt)**\n\nWhen using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip to [Strengthening the server security](#strengthening-the-server-security) section if you are armed with CA certified SSL certificates.\n\n##### Generation of a Self Signed Certificate\n\nGeneration of a self-signed SSL certificate involves a simple 3-step procedure:\n\n**STEP 1**: Create the server private key\n\n```bash\nopenssl genrsa -out gitlab.key 2048\n```\n\n**STEP 2**: Create the certificate signing request (CSR)\n\n```bash\nopenssl req -new -key gitlab.key -out gitlab.csr\n```\n\n**STEP 3**: Sign the certificate using the private key and CSR\n\n```bash\nopenssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt\n```\n\nCongratulations! You now have a self-signed SSL certificate valid for 10 years.\n\n##### Strengthening the server security\n\nThis section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). To achieve this we need to generate stronger DHE parameters.\n\n```bash\nopenssl dhparam -out dhparam.pem 2048\n```\n\n##### Installation of the SSL Certificates\n\nOut of the four files generated above, we need to install the `gitlab.key`, `gitlab.crt` and `dhparam.pem` files at the gitlab server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).\n\nThe default path that the gitlab application is configured to look for the SSL certificates is at `/home/git/data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.\n\nIf you remember from above, the `/home/git/data` path is the path of the [data store](#data-store), which means that we have to create a folder named `certs/` inside the volume to where `/home/git/data` point and copy the files into it and as a measure of security we'll update the permission on the `gitlab.key` file to only be readable by the owner.\n\nIn case use of docker-compose ...\n\n```$\u003edocker volume inspect```\n\nLook for \"\u003c user \u003e_gitlab-data\" and copy the \"certs\" directory into the \"Mountpoint\"\n\n```bash\nmkdir -p /srv/docker/gitlab/gitlab/certs\ncp gitlab.key /srv/docker/gitlab/gitlab/certs/\ncp gitlab.crt /srv/docker/gitlab/gitlab/certs/\ncp dhparam.pem /srv/docker/gitlab/gitlab/certs/\nchmod 400 /srv/docker/gitlab/gitlab/certs/gitlab.key\n```\n\nGreat! We are now just one step away from having our application secured.\n\n##### Enabling HTTPS support\n\nHTTPS support can be enabled by setting the `GITLAB_HTTPS` option to `true`. Additionally, when using self-signed SSL certificates you need to the set `SSL_SELF_SIGNED` option to `true` as well. Assuming we are using self-signed certificates\n\n```bash\ndocker run --name gitlab -d \\\n --publish 10022:22 --publish 10080:80 --publish 10443:443 \\\n --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=10443' \\\n --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nIn this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.\n\n##### Configuring HSTS\n\nHSTS if supported by the browsers makes sure that your users will only reach your sever via HTTPS. When the user comes for the first time it sees a header from the server which states for how long from now this site should only be reachable via HTTPS - that's the HSTS max-age value.\n\nWith `NGINX_HSTS_MAXAGE` you can configure that value. The default value is `31536000` seconds. If you want to disable an already sent HSTS MAXAGE value, set it to `0`.\n\n```bash\ndocker run --name gitlab -d \\\n --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \\\n --env 'NGINX_HSTS_MAXAGE=2592000' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nIf you want to completely disable HSTS set `NGINX_HSTS_ENABLED` to `false`.\n\n##### Using HTTPS with a load balancer\n\nLoad balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should **NOT** be installed in the container. The SSL configuration has to instead be done at the load balancer.\n\nHowever, when using a load balancer you **MUST** set `GITLAB_HTTPS` to `true`. Additionally, you will need to set the `SSL_SELF_SIGNED` option to `true` if self-signed SSL certificates are in use.\n\nWith this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to [Using SSL/HTTPS with HAProxy](http://seanmcgary.com/posts/using-sslhttps-with-haproxy) for information on the subject.\n\nWhen using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.\n\nIn summation, when using a load balancer, the docker command would look for the most part something like this:\n\n```bash\ndocker run --name gitlab -d \\\n --publish 10022:22 --publish 10080:80 \\\n --env 'GITLAB_SSH_PORT=10022' --env 'GITLAB_PORT=443' \\\n --env 'GITLAB_HTTPS=true' --env 'SSL_SELF_SIGNED=true' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nAgain, drop the `--env 'SSL_SELF_SIGNED=true'` option if you are using CA certified SSL certificates.\n\nIn case GitLab responds to any kind of POST request (login, OAUTH, changing settings etc.) with a 422 HTTP Error, consider adding this to your reverse proxy configuration:\n\n`proxy_set_header X-Forwarded-Ssl on;` (nginx format)\n\n##### Establishing trust with your server\n\nThis section deals will self-signed ssl certificates. If you are using CA certified certificates, you're done.\n\nThis section is more of a client side configuration so as to add a level of confidence at the client to be 100 percent sure they are communicating with whom they think they.\n\nThis is simply done by adding the servers certificate into their list of trusted certificates. On ubuntu, this is done by copying the `gitlab.crt` file to `/usr/local/share/ca-certificates/` and executing `update-ca-certificates`.\n\nAgain, this is a client side configuration which means that everyone who is going to communicate with the server should perform this configuration on their machine. In short, distribute the `gitlab.crt` file among your developers and ask them to add it to their list of trusted ssl certificates. Failure to do so will result in errors that look like this:\n\n```bash\ngit clone https://git.local.host/gitlab-foss.git\nfatal: unable to access 'https://git.local.host/gitlab-foss.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none\n```\n\nYou can do the same at the web browser. Instructions for installing the root certificate for firefox can be found [here](http://portal.threatpulse.com/docs/sol/Content/03Solutions/ManagePolicy/SSL/ssl_firefox_cert_ta.htm). You will find similar options chrome, just make sure you install the certificate under the authorities tab of the certificate manager dialog.\n\nThere you have it, that's all there is to it.\n\n##### Installing Trusted SSL Server Certificates\n\nIf your GitLab CI server is using self-signed SSL certificates then you should make sure the GitLab CI server certificate is trusted on the GitLab server for them to be able to talk to each other.\n\nThe default path image is configured to look for the trusted SSL certificates is at `/home/git/data/certs/ca.crt`, this can however be changed using the `SSL_CA_CERTIFICATES_PATH` configuration option.\n\nCopy the `ca.crt` file into the certs directory on the [datastore](#data-store). The `ca.crt` file should contain the root certificates of all the servers you want to trust. With respect to GitLab CI, this will be the contents of the gitlab_ci.crt file as described in the [README](https://github.com/sameersbn/docker-gitlab-ci/blob/master/README.md#ssl) of the [docker-gitlab-ci](https://github.com/sameersbn/docker-gitlab-ci) container.\n\nBy default, our own server certificate [gitlab.crt](#generation-of-a-self-signed-certificate) is added to the trusted certificates list.\n\n#### Deploy to a subdirectory (relative url root)\n\nBy default, GitLab expects that your application is running at the root (e.g.. /). This section explains how to run your application inside a directory.\n\nLet's assume we want to deploy our application to '/git'. GitLab needs to know this directory to generate the appropriate routes. This can be specified using the `GITLAB_RELATIVE_URL_ROOT` configuration option like so:\n\n```bash\ndocker run --name gitlab -it --rm \\\n --env 'GITLAB_RELATIVE_URL_ROOT=/git' \\\n --volume /srv/docker/gitlab/gitlab:/home/git/data \\\n sameersbn/gitlab:18.10.3\n```\n\nGitLab will now be accessible at the `/git` path, e.g. `http://www.example.com/git`.\n\n**Note**: *The `GITLAB_RELATIVE_URL_ROOT` parameter should always begin with a slash and* **SHOULD NOT** *have any trailing slashes.*\n\n#### OmniAuth Integration\n\nGitLab leverages OmniAuth to allow users to sign in using Twitter, GitHub, and other popular services. Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.\n\nRefer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/omniauth.html) for additional information.\n\n##### CAS3\n\nTo enable the CAS OmniAuth provider you must register your application with your CAS instance. This requires the service URL GitLab will supply to CAS. It should be something like: `https://git.example.com:443/users/auth/cas3/callback?url`. By default handling for SLO is enabled, you only need to configure CAS for backchannel logout.\n\nFor example, if your cas server url is `https://sso.example.com`, then adding `--env 'OAUTH_CAS3_SERVER=https://sso.example.com'` to the docker run command enables support for CAS3 OAuth. Please refer to [Available Configuration Parameters](#available-configuration-parameters) for additional CAS3 configuration parameters.\n\n##### Authentiq\n\nTo enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with [Authentiq](https://www.authentiq.com/). Please refer to the GitLab [documentation](https://docs.gitlab.com/ce/administration/auth/authentiq.html) for the procedure to generate the client ID and secret key with Authentiq.\n\nOnce you have the API client id and client secret generated, configure them using the `OAUTH_AUTHENTIQ_CLIENT_ID` and `OAUTH_AUTHENTIQ_CLIENT_SECRET` environment variables respectively.\n\nFor example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_AUTHENTIQ_CLIENT_ID=xxx' --env 'OAUTH_AUTHENTIQ_CLIENT_SECRET=yyy'` to the docker run command enables support for Authentiq OAuth.\n\nYou may want to specify `OAUTH_AUTHENTIQ_REDIRECT_URI` as well. The OAuth scope can be altered as well with `OAUTH_AUTHENTIQ_SCOPE` (defaults to `'aq:name email~rs address aq:push'`).\n\n##### Google\n\nTo enable the Google OAuth2 OmniAuth provider you must register your application with Google. Google will generate a client ID and secret key for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/google.html) for the procedure to generate the client ID and secret key with google.\n\nOnce you have the client ID and secret keys generated, configure them using the `OAUTH_GOOGLE_API_KEY` and `OAUTH_GOOGLE_APP_SECRET` environment variables respectively.\n\nFor example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth.\n\nYou can also restrict logins to a single domain by adding `--env \"OAUTH_GOOGLE_RESTRICT_DOMAIN='example.com'\"`.\n\n##### Facebook\n\nTo enable the Facebook OAuth2 OmniAuth provider you must register your application with Facebook. Facebook will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/facebook.html) for the procedure to generate the API key and secret.\n\nOnce you have the API key and secret generated, configure them using the `OAUTH_FACEBOOK_API_KEY` and `OAUTH_FACEBOOK_APP_SECRET` environment variables respectively.\n\nFor example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_FACEBOOK_API_KEY=xxx' --env 'OAUTH_FACEBOOK_APP_SECRET=yyy'` to the docker run command enables support for Facebook OAuth.\n\n##### Twitter\n\nTo enable the Twitter OAuth2 OmniAuth provider you must register your application with Twitter. Twitter will generate an API key and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/twitter.html) for the procedure to generate the API key and secret with twitter.\n\nOnce you have the API key and secret generated, configure them using the `OAUTH_TWITTER_API_KEY` and `OAUTH_TWITTER_APP_SECRET` environment variables respectively.\n\nFor example, if your API key is `xxx` and the API secret key is `yyy`, then adding `--env 'OAUTH_TWITTER_API_KEY=xxx' --env 'OAUTH_TWITTER_APP_SECRET=yyy'` to the docker run command enables support for Twitter OAuth.\n\n##### GitHub\n\nTo enable the GitHub OAuth2 OmniAuth provider you must register your application with GitHub. GitHub will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/github.html) for the procedure to generate the Client ID and secret with github.\n\nOnce you have the Client ID and secret generated, configure them using the `OAUTH_GITHUB_API_KEY` and `OAUTH_GITHUB_APP_SECRET` environment variables respectively.\n\nFor example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITHUB_API_KEY=xxx' --env 'OAUTH_GITHUB_APP_SECRET=yyy'` to the docker run command enables support for GitHub OAuth.\n\nUsers of GitHub Enterprise may want to specify `OAUTH_GITHUB_URL` and `OAUTH_GITHUB_VERIFY_SSL` as well.\n\n##### GitLab\n\nTo enable the GitLab OAuth2 OmniAuth provider you must register your application with GitLab. GitLab will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/gitlab.html) for the procedure to generate the Client ID and secret with GitLab.\n\nOnce you have the Client ID and secret generated, configure them using the `OAUTH_GITLAB_API_KEY` and `OAUTH_GITLAB_APP_SECRET` environment variables respectively.\n\nFor example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_GITLAB_API_KEY=xxx' --env 'OAUTH_GITLAB_APP_SECRET=yyy'` to the docker run command enables support for GitLab OAuth.\n\n##### BitBucket\n\nTo enable the BitBucket OAuth2 OmniAuth provider you must register your application with BitBucket. BitBucket will generate a Client ID and secret for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/bitbucket.html) for the procedure to generate the Client ID and secret with BitBucket.\n\nOnce you have the Client ID and secret generated, configure them using the `OAUTH_BITBUCKET_API_KEY` and `OAUTH_BITBUCKET_APP_SECRET` environment variables respectively.\n\nFor example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env 'OAUTH_BITBUCKET_API_KEY=xxx' --env 'OAUTH_BITBUCKET_APP_SECRET=yyy'` to the docker run command enables support for BitBucket OAuth.\n\n##### SAML\n\nGitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html).\n\nThe following parameters have to be configured to enable SAML OAuth support in this image: `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`, `OAUTH_SAML_IDP_CERT_FINGERPRINT`, `OAUTH_SAML_IDP_SSO_TARGET_URL`, `OAUTH_SAML_ISSUER` and `OAUTH_SAML_NAME_IDENTIFIER_FORMAT`.\n\nYou can also override the default \"Sign in with\" button label with `OAUTH_SAML_LABEL`.\n\nPlease refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters.\n\n##### Crowd\n\nTo enable the Crowd server OAuth2 OmniAuth provider you must register your application with Crowd server.\n\nConfigure GitLab to enable access the Crowd server by specifying the `OAUTH_CROWD_SERVER_URL`, `OAUTH_CROWD_APP_NAME` and `OAUTH_CROWD_APP_PASSWORD` environment variables.\n\n##### Auth0\n\nTo enable the Auth0 OmniAuth provider you must register your application with [auth0](https://auth0.com/).\n\nConfigure the following environment variables `OAUTH_AUTH0_CLIENT_ID`, `OAUTH_AUTH0_CLIENT_SECRET` and `OAUTH_AUTH0_DOMAIN` to complete the integration.\n\n##### Microsoft Azure\n\nTo enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a Client ID, Client secret and Tenant ID for you to use. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/azure.html) for the procedure.\n\nOnce you have the Client ID, Client secret and Tenant ID generated, configure them using the `OAUTH_AZURE_API_KEY`, `OAUTH_AZURE_API_SECRET` and `OAUTH_AZURE_TENANT_ID` environment variables respectively.\n\nFor example, if your Client ID is `xxx`, the Client secret is `yyy` and the Tenant ID is `zzz`, then adding `--env 'OAUTH_AZURE_API_KEY=xxx' --env 'OAUTH_AZURE_API_SECRET=yyy' --env 'OAUTH_AZURE_TENANT_ID=zzz'` to the docker run command enables support for Microsoft Azure OAuth.\n\nAlso you can configure v2 endpoint (`azure_activedirectory_v2`) by using `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`, `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET` and `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID` environment variables. Optionally you can change label of login button using the `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`.\n\n##### Generic OAuth2\n\nTo enable the Generic OAuth2 provider, you must register your application with your provider. You also need to confirm OAuth2 provider app's ID and secret, the client options and the user's response structure.\n\nAs an example this code has been tested with Keycloak, with the following variables: `OAUTH2_GENERIC_APP_ID`, `OAUTH2_GENERIC_APP_SECRET`, `OAUTH2_GENERIC_CLIENT_SITE`, `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`, `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`, `OAUTH2_GENERIC_CLIENT_TOKEN_URL`, `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`, `OAUTH2_GENERIC_ID_PATH`, `OAUTH2_GENERIC_USER_UID`, `OAUTH2_GENERIC_USER_NAME`, `OAUTH2_GENERIC_USER_EMAIL`, `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`, `OAUTH2_GENERIC_LABEL` and `OAUTH2_GENERIC_NAME`.\n\nSee [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details.\n\n##### OpenID Connect\n\nTo enable OpenID Connect provider, you must register your application with your provider. You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.\n\nTo use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.\n\n| GitLab setting | environment variable | default value |\n|--------------------------------|-------------------------------------|--------------------------------|\n| `label` | `OAUTH_OIDC_LABEL` | `OpenID Connect` |\n| `icon` | `OAUTH_OIDC_ICON` | |\n| `scope` | `OAUTH_OIDC_SCOPE` | `['openid','profile','email']` |\n| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | `code` |\n| `issuer` | `OAUTH_OIDC_ISSUER` | |\n| `discovery` | `OAUTH_OIDC_DISCOVERY` | `true` |\n| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | `basic` |\n| `uid_field` | `OAUTH_OIDC_UID_FIELD` | `sub` |\n| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false` |\n| `pkce` | `OAUTH_OIDC_PKCE` | `true` |\n| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | |\n| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | `secret` |\n| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` |\n\nSee [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).\n\n##### JWT\n\nTo enable the JWT OmniAuth provider, you must register your application with JWT. JWT provides you with a secret key for you to use.\n\nTo use JWT set at least `OAUTH_JWT_SECRET` and `OAUTH_JWT_AUTH_URL`.\n\n| GitLab setting | environment variable | default value |\n| ------------------------------ | ----------------------------------- | -------------------------------|\n| `label` | `OAUTH_JWT_LABEL` | `Jwt` |\n| `secret` | `OAUTH_JWT_SECRET` | |\n| `algorithm` | `OAUTH_JWT_ALGORITHM` | `HS256` |\n| `uid_claim` | `OAUTH_JWT_UID_CLAIM` | `email` |\n| `required_claims` | `OAUTH_JWT_REQUIRED_CLAIMS` | `[\"name\", \"email\"]` |\n| `info_map.name` | `OAUTH_JWT_INFO_MAP_NAME` | `name` |\n| `info_map.email` | `OAUTH_JWT_INFO_MAP_EMAIL` | `email` |\n| `auth_url` | `OAUTH_JWT_AUTH_URL` | |\n| `valid_within` | `OAUTH_JWT_VALID_WITHIN` | `3600` |\n\n\nSee [OmniAuth JWT documentation](https://docs.gitlab.com/administration/auth/jwt/).\n\n#### Gitlab Pages\n\nGitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the environment variable `GITLAB_PAGES_ENABLED` to `true`.\n\n#### Gitlab Pages Access Control\n\nSince version `11.5.0` Gitlab pages supports access control. This allows only access to a published website if you are a project member, or have access to a certain project.\n\nGitlab pages access control requires additional configuration before activating it through the variable `GITLAB_PAGES_ACCESS_CONTROL`.\n\nGitLab pages access control makes use of the Gitlab OAuth Module.\n\n- Goto the Gitlab Admin area\n- Select `Applications` in the menu\n- Create `New Application`\n - Name: `Gitlab Pages`\n - Scopes:\n - api\n - Trusted: NO (Do not select)\n - Redirect URI: `https://projects.\u003cGITLAB_PAGES_DOMAIN\u003e/auth`\n\nNote about the `Redirect URI`; this can be tricky to configure or figure out, What needs to be achieved is the following, the redirect URI needs to end up at the `gitlab-pages` daemon with the `/auth` endpoint.\n\nThis means that if you run your gitlab pages at domain `pages.example.io` this will be a wildcard domain where your projects are created based on their namespace. The best trick is to enter a NON-Existing gitlab project pages URI as the redirect URI.\n\nIn the example above; the pages domain `projects` has been chosen. This will cause the nginx, either the built in or your own load balancer to redirect `*.\u003cGITLAB_PAGES_DOMAIN\u003e` to the `gitlab-pages` daemon. Which will trigger the pages endpoint.\n\nMake sure to choose own which does not exist and make sure that the request is routed to the `gitlab-pages` daemon if you are using your own HTTP load balancer in front of Gitlab.\n\nAfter creating the OAuth application endpoint for the Gitlab Pages Daemon. Gitlab pages access control can now be enabled.\n\nAdd to following environment variables to your Gitlab Container.\n\n| Variable | R/O | Description |\n|----------|-----|-------------|\n| GITLAB_PAGES_ACCESS_CONTROL | Required | Set to `true` to enable access control. |\n| GITLAB_PAGES_ACCESS_SECRET | Optional | Secret Hash, minimal 32 characters, if omitted, it will be auto generated. |\n| GITLAB_PAGES_ACCESS_CONTROL_SERVER | Required | Gitlab instance URI, example: `https://gitlab.example.io` |\n| GITLAB_PAGES_ACCESS_CLIENT_ID | Required | Client ID from earlier generated OAuth application |\n| GITLAB_PAGES_ACCESS_CLIENT_SECRET | Required | Client Secret from earlier generated OAuth application |\n| GITLAB_PAGES_ACCESS_REDIRECT_URI | Required | Redirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io` |\n\nAfter you have enabled the gitlab pages access control. When you go to a project `General Settings` -\u003e `Permissions` you can choose the pages permission level for the project.\n\n#### External Issue Trackers\n\nSince version `7.10.0` support for external issue trackers can be enabled in the \"Service Templates\" section of the settings panel.\n\nIf you are using the [docker-redmine](https://github.com/sameersbn/docker-redmine) image, you can *one up* the gitlab integration with redmine by adding `--volumes-from=gitlab` flag to the docker run command while starting the redmine container.\n\nBy using the above option the `/home/git/data/repositories` directory will be accessible by the redmine container and now you can add your git repository path to your redmine project. If, for example, in your gitlab server you have a project named `opensource/gitlab`, the bare repository will be accessible at `/home/git/data/repositories/opensource/gitlab.git` in the redmine container.\n\n#### Host UID / GID Mapping\n\nPer default the container is configured to run gitlab as user and group `git` with `uid` and `gid` `1000`. The host possibly uses this ids for different purposes leading to unfavorable effects. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000`.\n\nAlso the container processes seem to be executed as the host's user/group `1000`. The container can be configured to map the `uid` and `gid` of `git` to different ids on host by passing the environment variables `USERMAP_UID` and `USERMAP_GID`. The following command maps the ids to user and group `git` on the host.\n\n```bash\ndocker run --name gitlab -it --rm [options] \\\n --env \"USERMAP_UID=$(id -u git)\" --env \"USERMAP_GID=$(id -g git)\" \\\n sameersbn/gitlab:18.10.3\n```\n\nWhen changing this mapping, all files and directories in the mounted data volume `/home/git/data` have to be re-owned by the new ids. This can be achieved automatically using the following command:\n\n```bash\ndocker run --name gitlab -d [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:sanitize\n```\n\n#### Piwik\n\nIf you want to monitor your gitlab instance with [Piwik](http://piwik.org/), there are two options to setup: `PIWIK_URL` and `PIWIK_SITE_ID`.\nThese options should contain something like:\n\n- `PIWIK_URL=piwik.example.org`\n- `PIWIK_SITE_ID=42`\n\n#### Feature flags\n\nIn this section, we talk about feature flags that administrators can change the state (See \u003chttps://docs.gitlab.com/ee/administration/feature_flags.html\u003e). If you are looking for documentation for \"Feature flags\" that configured on project deploy settings, see \u003chttps://docs.gitlab.com/ee/operations/feature_flags.html\u003e\n\nGitLab adopted feature flags strategies to deploy features in an early stage of development so that they can be incrementally rolled out. GitLab administrators with access to the [Rails console](https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags) or the [Feature flags API](https://docs.gitlab.com/ee/api/features.html) can control them (note that `sameersbn/gitlab` is a container image that provides GitLab installations from the source).\nYou can see all feature flags in GitLab at corresponding version of documentation: \u003chttps://docs.gitlab.com/ee/user/feature_flags.html\u003e\n\nFor `sameersbn/gitlab`, you can control them via environment parameter [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_disable_targets) and [`GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`](#gitlab_feature_flags_enable_targets) in addition to the above methods.\nThis image searches yml files in [`${GITLAB_INSTALL_DIR}/config/feature_flags`](https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master/config/feature_flags) (typically `/home/git/gitlab/config/feature_flags/`) recursively and use the file list as a source of active feature flags.\n\nHere is a part of example `docker-compose.yml`:\n\n````yml\nservices:\n gitlab:\n image: sameersbn/gitlab:latest\n environment:\n - GITLAB_FEATURE_FLAGS_DISABLE_TARGETS=auto_devops_banner_disabled,ci_enable_live_trace\n - GITLAB_FEATURE_FLAGS_ENABLE_TARGETS=git_push_create_all_pipelines,build_service_proxy\n````\n\nOnce the container up, you can see following messages in container log like below.\n\n````sh\n...\nConfiguring gitlab::feature_flags...\n- specified feature flags: {:to_be_disabled=\u003e[\"auto_devops_banner_disabled\", \"ci_enable_live_trace\"], :to_be_enabled=\u003e[\"git_push_create_all_pipelines\", \"build_service_proxy\"]}\n- auto_devops_banner_disabled : off\n- ci_enable_live_trace : off\n- git_push_create_all_pipelines : on\n- build_service_proxy : on\n...\n````\n\nIf specified flag names are not included in the list, they will be ignored and appears to container log like below:\n\n````sh\n...\nConfiguring gitlab::feature_flags...\n- specified feature flags: {:to_be_disabled=\u003e[\"auto_devops_banner_disabled\", \"invalid_flag_name\"], :to_be_enabled=\u003e[\"git_push_create_all_pipelines\", \"another_invalid_flag_name\"]}\n- Following flags are probably invalid and have been ignored: invalid_flag_name,another_invalid_flag_name\n- auto_devops_banner_disabled : off\n- git_push_create_all_pipelines : on\n...\n````\n\n#### Available Configuration Parameters\n\n*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. docker-compose users and Docker Swarm mode users can also use the [secrets and config file options](#docker-secrets-and-configs)*\n\nBelow is the complete list of available options that can be used to customize your gitlab installation.\n\n##### `DEBUG`\n\nSet this to `true` to enable entrypoint debugging.\n\n##### `TZ`\n\nSet the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Amsterdam` See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For configuring the timezone of gitlab see variable `GITLAB_TIMEZONE`.\n\n##### `GITLAB_HOST`\n\nThe hostname of the GitLab server. Defaults to `localhost`\n\n##### `GITLAB_CI_HOST`\n\nIf you are migrating from GitLab CI use this parameter to configure the redirection to the GitLab service so that your existing runners continue to work without any changes. No defaults.\n\n##### `GITLAB_PORT`\n\nThe port of the GitLab server. This value indicates the public port on which the GitLab application will be accessible on the network and appropriately configures GitLab to generate the correct urls. It does not affect the port on which the internal nginx server will be listening on. Defaults to `443` if `GITLAB_HTTPS=true`, else defaults to `80`.\n\n##### `GITLAB_SECRETS_DB_KEY_BASE`\n\nEncryption key for GitLab CI secret variables, as well as import credentials, in the database. Ensure that your key is at least 32 characters long and that you don't lose it. You can generate one using `pwgen -Bsv1 64`. If you are migrating from GitLab CI, you need to set this value to the value of `GITLAB_CI_SECRETS_DB_KEY_BASE`. No defaults.\n\n##### `GITLAB_SECRETS_SECRET_KEY_BASE`\n\nEncryption key for session secrets. Ensure that your key is at least 64 characters long and that you don't lose it. This secret can be rotated with minimal impact - the main effect is that previously-sent password reset emails will no longer work. You can generate one using `pwgen -Bsv1 64`. No defaults.\n\n##### `GITLAB_SECRETS_OTP_KEY_BASE`\n\n Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.\n\n##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`\n\n Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.\n\n##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`\n\nThe base key used to encrypt data for non-deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_primary_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `[\"first_primary_key\",\"second_primary_key\"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.\n\n##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`\n\nThe base key used to encrypt data for deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_deterministic_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `[\"first_deterministic_key\",\"second_deterministic_key\"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.\n\n##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`\n\nThe salt used to encrypt data for `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_key_derivation_salt` in `config/secrets.yml`. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long. **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.\n\n##### `GITLAB_TIMEZONE`\n\nConfigure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will affect cron, see variable `TZ`\n\n##### `GITLAB_ROOT_PASSWORD`\n\nThe password for the root user on firstrun. Defaults to `5iveL!fe`. GitLab requires this to be at least **8 characters long**.\n\n##### `GITLAB_ROOT_EMAIL`\n\nThe email for the root user on firstrun. Defaults to `admin@example.com`\n\n##### `GITLAB_EMAIL`\n\nThe email address for the GitLab server. Defaults to value of `SMTP_USER`, else defaults to `example@example.com`.\n\n##### `GITLAB_EMAIL_DISPLAY_NAME`\n\nThe name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`.\n\n##### `GITLAB_EMAIL_REPLY_TO`\n\nThe reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`.\n\n##### `GITLAB_EMAIL_SUBJECT_SUFFIX`\n\nThe e-mail subject suffix used in e-mails sent by GitLab. No defaults.\n\n##### `GITLAB_EMAIL_ENABLED`\n\nEnable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration.\n\n##### `GITLAB_EMAIL_SMIME_ENABLE`\n\nEnable or disable email S/MIME signing. Defaults is `false`.\n\n##### `GITLAB_EMAIL_SMIME_KEY_FILE`\n\nSpecifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``.\n\n##### `GITLAB_EMAIL_SMIME_CERT_FILE`\n\nSpecifies the path to a S/MIME public certificate key in PEM format. Defaults to ``.\n\n##### `GITLAB_DEFAULT_THEME`\n\nDefault theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red)\n\n##### `GITLAB_ISSUE_CLOSING_PATTERN`\n\nIssue closing pattern regex. See [GitLab's documentation](https://docs.gitlab.com/ee/administration/issue_closing_pattern.html) for more detail. Defaults to ` \\b((?:[Cc]los(?:e[sd]?|ing)|\\b[Ff]ix(?:e[sd]|ing)?|\\b[Rr]esolv(?:e[sd]?|ing)|\\b[Ii]mplement(?:s|ed|ing)?)(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\\d+))+) ` .\n\n##### `GITLAB_INCOMING_EMAIL_ADDRESS`\n\nThe incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter.\n\n##### `GITLAB_INCOMING_EMAIL_ENABLED`\n\nEnable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.\n\n##### `GITLAB_SIGNUP_ENABLED`\n\nEnable or disable user signups (first run only). Default is `true`.\n\n##### `GITLAB_IMPERSONATION_ENABLED`\n\nEnable or disable impersonation. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_LIMIT`\n\nSet default projects limit. Defaults to `100`.\n\n##### `GITLAB_USERNAME_CHANGE`\n\nEnable or disable ability for users to change their username. Defaults to `true`.\n\n##### `GITLAB_CREATE_GROUP`\n\nEnable or disable ability for users to create groups. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_ISSUES`\n\nSet if *issues* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_MERGE_REQUESTS`\n\nSet if *merge requests* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_WIKI`\n\nSet if *wiki* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_SNIPPETS`\n\nSet if *snippets* feature should be enabled by default for new projects. Defaults to `false`.\n\n##### `GITLAB_PROJECTS_BUILDS`\n\nSet if *builds* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_PROJECTS_CONTAINER_REGISTRY`\n\nSet if *container_registry* feature should be enabled by default for new projects. Defaults to `true`.\n\n##### `GITLAB_SHELL_CUSTOM_HOOKS_DIR`\n\nGlobal custom hooks directory. Defaults to `/home/git/gitlab-shell/hooks`.\n\n##### `GITLAB_WEBHOOK_TIMEOUT`\n\nSets the timeout for webhooks. Defaults to `10` seconds.\n\n##### `GITLAB_NOTIFY_ON_BROKEN_BUILDS`\n\nEnable or disable broken build notification emails. Defaults to `true`\n\n##### `GITLAB_NOTIFY_PUSHER`\n\nAdd pusher to recipients list of broken build notification emails. Defaults to `false`\n\n##### `GITLAB_REPOS_DIR`\n\nThe git repositories folder in the container. Defaults to `/home/git/data/repositories`\n\n##### `GITLAB_BACKUP_DIR`\n\nThe backup folder in the container. Defaults to `/home/git/data/backups`\n\n##### `GITLAB_BACKUP_DIR_CHOWN`\n\nOptionally change ownership of backup files on start-up. Defaults to `true`\n\n##### `GITLAB_BACKUP_DIR_GROUP`\n\nOptionally group backups into a subfolder. Can also be used to place backups in to a subfolder on remote storage. Not used by default.\n\n##### `GITLAB_BUILDS_DIR`\n\nThe build traces directory. Defaults to `/home/git/data/builds`\n\n##### `GITLAB_DOWNLOADS_DIR`\n\nThe repository downloads directory. A temporary zip is created in this directory when users click **Download Zip** on a project. Defaults to `/home/git/data/tmp/downloads`.\n\n##### `GITLAB_SHARED_DIR`\n\nThe directory to store the build artifacts. Defaults to `/home/git/data/shared`\n\n##### `GITLAB_ARTIFACTS_ENABLED`\n\nEnable/Disable GitLab artifacts support. Defaults to `true`.\n\n##### `GITLAB_ARTIFACTS_DIR`\n\nDirectory to store the artifacts. Defaults to `$GITLAB_SHARED_DIR/artifacts`\n\n##### `AWS_ACCESS_KEY_ID`\n\nDefault AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_ID`\n\n##### `AWS_SECRET_ACCESS_KEY`\n\nDefault AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY`\n\n##### `AWS_REGION`\n\nAWS Region. Defaults to `us-east-1`\n\n##### `AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`. Defaults to `s3.amazon.com`\n\n##### `AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `nil`\n\n##### `AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `true`\n\n##### `AWS_SIGNATURE_VERSION`\n\nAWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `4`\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nDefault Google project to use for Object Store.\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nDefault Google service account email to use for Object Store.\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file Defaults to `/gcs/key.json`\n\n##### `GITLAB_OBJECT_STORE_CONNECTION_PROVIDER`\n\nDefault object store connection provider. Defaults to `AWS`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED`\n\nEnables Object Store for Artifacts that will be remote stored. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the artifacts. Defaults to `artifacts`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD`\n\nSet to true to enable direct upload of Artifacts without the need of local shared storage. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION`\n\nAWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_PIPELINE_SCHEDULE_WORKER_CRON`\n\nCron notation for the GitLab pipeline schedule worker. Defaults to `'19 * * * *'`\n\n##### `GITLAB_LFS_ENABLED`\n\nEnable/Disable Git LFS support. Defaults to `true`.\n\n##### `GITLAB_LFS_OBJECTS_DIR`\n\nDirectory to store the lfs-objects. Defaults to `$GITLAB_SHARED_DIR/lfs-objects`\n\n##### `GITLAB_LFS_OBJECT_STORE_ENABLED`\n\nEnables Object Store for LFS that will be remote stored. Defaults to `false`\n\n##### `GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the LFS. Defaults to `lfs-object`\n\n##### `GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `$AWS_PATH_STYLE`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION`\n\nAWS signature version to use. 2 or 4 are valid options. Digital Ocean Spaces and other providers may need 2. Defaults to `$AWS_SIGNATURE_VERSION`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_PACKAGES_ENABLED`\n\nEnable/Disable Packages support. Defaults to `true`.\n\n##### `GITLAB_PACKAGES_DIR`\n\nDirectory to store the packages data. Defaults to `$GITLAB_SHARED_DIR/packages`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_ENABLED`\n\nEnables Object Store for Packages that will be remote stored. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the packages. Defaults to `packages`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_DIRECT_UPLOAD`\n\nSet to true to enable direct upload of Packages without the need of local shared storage. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_TERRAFORM_STATE_ENABLED`\n\nEnable/Disable Terraform State support. Defaults to `true`.\n\n##### `GITLAB_TERRAFORM_STATE_STORAGE_PATH`\n\nDirectory to store the terraform state data. Defaults to `$GITLAB_SHARED_DIR/terraform_state`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_ENABLED`\n\nEnables Object Store for Terraform state that will be remote stored. Defaults to `false`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the Terraform state. Defaults to `terraform_state`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store (AWS or Google). Defaults to $GITLAB_OBJECT_STORE_CONNECTION_PROVIDER (i.e. AWS).\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_UPLOADS_STORAGE_PATH`\n\nThe location where uploads objects are stored. Defaults to `$GITLAB_SHARED_DIR/public`.\n\n##### `GITLAB_UPLOADS_BASE_DIR`\n\nMapping for the `GITLAB_UPLOADS_STORAGE_PATH`. Defaults to `uploads/-/system`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_ENABLED`\n\nEnables Object Store for UPLOADS that will be remote stored. Defaults to `false`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY`\n\nBucket name to store the UPLOADS. Defaults to `uploads`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD`\n\nTemporary option to limit automatic upload. Defaults to `false`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD`\n\nPassthrough all downloads via GitLab instead of using Redirects to Object Storage. Defaults to `false`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER`\n\nConnection Provider for the Object Store. (`AWS` or `Google`) Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_PROVIDER` (`AWS`)\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID`\n\nAWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY`\n\nAWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION`\n\nAWS Region. Defaults to `$AWS_REGION`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST`\n\nConfigure this for an compatible AWS host like minio. Defaults to `$AWS_HOST`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT`\n\nAWS Endpoint like `http://127.0.0.1:9000`. Defaults to `$AWS_ENDPOINT`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE`\n\nChanges AWS Path Style to 'host/bucket_name/object' instead of 'bucket_name.host/object'. Defaults to `AWS_PATH_STYLE`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\nGoogle project. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\nGoogle service account. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL`\n\n##### `GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION`\n\nDefault Google key file. Defaults to `$GITLAB_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION` (`/gcs/key.json`)\n\n##### `GITLAB_MATTERMOST_ENABLED`\n\nEnable/Disable GitLab Mattermost for *Add Mattermost button*. Defaults to `false`.\n\n##### `GITLAB_MATTERMOST_URL`\n\nSets Mattermost URL. Defaults to `https://mattermost.example.com`.\n\n##### `GITLAB_BACKUP_SCHEDULE`\n\nSetup cron job to automatic backups. Possible values `disable`, `daily`, `weekly` or `monthly`. Disabled by default\n\n##### `GITLAB_BACKUP_EXPIRY`\n\nConfigure how long (in seconds) to keep backups before they are deleted. By default when automated backups are disabled backups are kept forever (0 seconds), else the backups expire in 7 days (604800 seconds).\n\n##### `GITLAB_BACKUP_PG_SCHEMA`\n\nSpecify the PostgreSQL schema for the backups. No defaults, which means that all schemas will be backed up. see #524\n\n##### `GITLAB_BACKUP_ARCHIVE_PERMISSIONS`\n\nSets the permissions of the backup archives. Defaults to `0600`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#backup-archive-permissions)\n\n##### `GITLAB_BACKUP_TIME`\n\nSet a time for the automatic backups in `HH:MM` format. Defaults to `04:00`.\n\n##### `GITLAB_BACKUP_SKIP`\n\nSpecified sections are skipped by the backups. Defaults to empty, i.e. `lfs,uploads`. [See](http://doc.gitlab.com/ce/raketasks/backup_restore.html#create-a-backup-of-the-gitlab-system)\n\n##### `GITLAB_SSH_HOST`\n\nThe ssh host. Defaults to **GITLAB_HOST**.\n\n##### `GITLAB_SSH_LISTEN_PORT`\n\nThe ssh port for SSHD to listen on. Defaults to `22`\n\n##### `GITLAB_SSH_MAXSTARTUPS`\n\nThe ssh \"MaxStartups\" parameter, defaults to `10:30:60`.\n\n##### `GITLAB_SSH_PORT`\n\nThe ssh port number. Defaults to `$GITLAB_SSH_LISTEN_PORT`.\n\n##### `GITLAB_RELATIVE_URL_ROOT`\n\nThe relative url of the GitLab server, e.g. `/git`. No default.\n\n##### `GITLAB_TRUSTED_PROXIES`\n\nAdd IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.\n\n##### `GITLAB_REGISTRY_ENABLED`\n\nEnables the GitLab Container Registry. Defaults to `false`.\n\n##### `GITLAB_REGISTRY_HOST`\n\nSets the GitLab Registry Host. Defaults to `registry.example.com`\n\n##### `GITLAB_REGISTRY_PORT`\n\nSets the GitLab Registry Port. Defaults to `443`.\n\n##### `GITLAB_REGISTRY_API_URL`\n\nSets the GitLab Registry API URL. Defaults to `http://localhost:5000`\n\n##### `GITLAB_REGISTRY_KEY_PATH`\n\nSets the GitLab Registry Key Path. Defaults to `config/registry.key`\n\n##### `GITLAB_REGISTRY_DIR`\n\nDirectory to store the container images will be shared with registry. Defaults to `$GITLAB_SHARED_DIR/registry`\n\n##### `GITLAB_REGISTRY_ISSUER`\n\nSets the GitLab Registry Issuer. Defaults to `gitlab-issuer`.\n\n##### `GITLAB_REGISTRY_GENERATE_INTERNAL_CERTIFICATES`\n\nSet to `true` to generate SSL internal Registry keys. Used to communicate between a Docker Registry and GitLab. It will generate a self-signed certificate key at the location given by `$GITLAB_REGISTRY_KEY_PATH`, e.g. `/certs/registry.key`. And will generate the certificate file at the same location, with the same name, but changing the extension from `key` to `crt`, e.g. `/certs/registry.crt`\n\n##### `GITLAB_PAGES_ENABLED`\n\nEnables the GitLab Pages. Defaults to `false`.\n\n##### `GITLAB_PAGES_DOMAIN`\n\nSets the GitLab Pages Domain. Defaults to `example.com`\n\n##### `GITLAB_PAGES_DIR`\n\nSets GitLab Pages directory where all pages will be stored. Defaults to `$GITLAB_SHARED_DIR/pages`\n\n##### `GITLAB_PAGES_PORT`\n\nSets GitLab Pages Port that will be used in NGINX. Defaults to `80`\n\n##### `GITLAB_PAGES_HTTPS`\n\nSets GitLab Pages to HTTPS and the gitlab-pages-ssl config will be used. Defaults to `false`\n\n##### `GITLAB_PAGES_ARTIFACTS_SERVER`\n\nSet to `true` to enable pages artifacts server, enabled by default.\n\n##### `GITLAB_PAGES_ARTIFACTS_SERVER_URL`\n\nIf `GITLAB_PAGES_ARTIFACTS_SERVER` is enabled, set to API endpoint for GitLab Pages (e.g. `https://example.com/api/v4`). No default.\n\n##### `GITLAB_PAGES_EXTERNAL_HTTP`\n\nSets GitLab Pages external http to receive request on an independent port. Disabled by default\n\n##### `GITLAB_PAGES_EXTERNAL_HTTPS`\n\nSets GitLab Pages external https to receive request on an independent port. Disabled by default\n\n##### `GITLAB_PAGES_ACCESS_CONTROL`\n\nSet to `true` to enable access control for pages. Allows access to a Pages site to be controlled based on a user’s membership to that project. Disabled by default.\n\n##### `GITLAB_PAGES_NGINX_PROXY`\n\nDisable the nginx proxy for gitlab pages, defaults to `true`. When set to `false` this will turn off the nginx proxy to the gitlab pages daemon, used when the user provides their own http load balancer in combination with a gitlab pages custom domain setup.\n\n##### `GITLAB_PAGES_ACCESS_SECRET`\n\nSecret Hash, minimal 32 characters, if omitted, it will be auto generated.\n\n##### `GITLAB_PAGES_ACCESS_CONTROL_SERVER`\n\nGitlab instance URI, example: `https://gitlab.example.io`\n\n##### `GITLAB_PAGES_ACCESS_CLIENT_ID`\n\nClient ID from earlier generated OAuth application\n\n##### `GITLAB_PAGES_ACCESS_CLIENT_SECRET`\n\nClient Secret from earlier generated OAuth application\n\n##### `GITLAB_PAGES_ACCESS_REDIRECT_URI`\n\nRedirect URI, non existing pages domain to redirect to pages daemon, `https://projects.example.io/auth`\n\n##### `GITLAB_PAGES_NAMESPACE_IN_PATH`\n\nEnable namespace-in-path option for gitlab pages, defaults to `false`.\n\n##### `GITLAB_PAGES_LOG_VERBOSE`\n\nEnable verbose logging for gitlab pages, defaults to `false`.\n\n##### `GITLAB_HTTPS`\n\nSet to `true` to enable https support, disabled by default.\n\n##### `GITALY_CLIENT_PATH`\n\nSet default path for gitaly. defaults to `/home/git/gitaly`\n\n##### `GITALY_TOKEN`\n\nSet a gitaly token, blank by default.\n\n##### `GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL`\n\nTime between sampling of unicorn socket metrics, in seconds, defaults to `10`\n\n##### `GITLAB_MONITORING_IP_WHITELIST`\n\nIP whitelist to access monitoring endpoints. No defaults.\n\n##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED`\n\nSet to `true` to enable the sidekiq exporter, enabled by default.\n\n##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS`\n\nSidekiq exporter address, defaults to `0.0.0.0`\n\n##### `GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT`\n\nSidekiq exporter port, defaults to `3807`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_ENABLED`\n\nSet to `true` to enable [Content Security Policy](https://guides.rubyonrails.org/security.html#content-security-policy), enabled by default.\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_REPORT_ONLY`\n\nSet to `true` to set `Content-Security-Policy-Report-Only` header, disabled by default\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_BASE_URI`\n\nThe value of the `base-uri` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CHILD_SRC`\n\nThe value of the `child-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_CONNECT_SRC`\n\nThe value of the `connect-src` directive in the `Content-Security-Policy` header. Default to `'self' http://localhost:* ws://localhost:* wss://localhost:*`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_DEFAULT_SRC`\n\nThe value of the `default-src` directive in the `Content-Security-Policy` header. Default to `'self'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FONT_SRC`\n\nThe value of the `font-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FORM_ACTION`\n\nThe value of the `form-action` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_ANCESTORS`\n\nThe value of the `frame-ancestors` directive in the `Content-Security-Policy` header. Default to `'self'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_FRAME_SRC`\n\nThe value of the `frame-src` directive in the `Content-Security-Policy` header. Default to `'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_IMG_SRC`\n\nThe value of the `img-src` directive in the `Content-Security-Policy` header. Default to `* data: blob:`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MANIFEST_SRC`\n\nThe value of the `manifest-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_MEDIA_SRC`\n\nThe value of the `media-src` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_OBJECT_SRC`\n\nThe value of the `object-src` directive in the `Content-Security-Policy` header. Default to `'none'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_SCRIPT_SRC`\n\nThe value of the `script-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_STYLE_SRC`\n\nThe value of the `style-src` directive in the `Content-Security-Policy` header. Default to `'self' 'unsafe-inline'`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_WORKER_SRC`\n\nThe value of the `worker-src` directive in the `Content-Security-Policy` header. Default to `'self' blob:`\n\n##### `GITLAB_CONTENT_SECURITY_POLICY_DIRECTIVES_REPORT_URI`\n\nThe value of the `report-uri` directive in the `Content-Security-Policy` header\n\n##### `GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`\n\nComma separated list of feature flag names to be disabled. No whitespace is allowed.\nYou can see all feature flags in GitLab at corresponding version of documentation: \u003chttps://docs.gitlab.com/ee/user/feature_flags.html\u003e\nFeature flags name and its statement will be appear to container log. Note that some of the feature flags are implicitly enabled or disabled by GitLab itself, and are not appear to container log.\nNo defaults.\n\n##### `GITLAB_FEATURE_FLAGS_ENABLE_TARGETS`\n\nThis parameter is the same as [`GITLAB_FEATURE_FLAGS_DISABLE_TARGETS`](#gitlab_feature_flags_enable_targets), except its purpose is to enable the feature flag. No defaults.\n\n##### `SSL_SELF_SIGNED`\n\nSet to `true` when using self-signed ssl certificates. `false` by default.\n\n##### `SSL_CERTIFICATE_PATH`\n\nLocation of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`\n\n##### `SSL_KEY_PATH`\n\nLocation of the ssl private key. Defaults to `/home/git/data/certs/gitlab.key`\n\n##### `SSL_DHPARAM_PATH`\n\nLocation of the dhparam file. Defaults to `/home/git/data/certs/dhparam.pem`\n\n##### `SSL_VERIFY_CLIENT`\n\nEnable verification of client certificates using the `SSL_CA_CERTIFICATES_PATH` file or setting this variable to `on`. Defaults to `off`\n\n##### `SSL_CA_CERTIFICATES_PATH`\n\nList of SSL certificates to trust. Defaults to `/home/git/data/certs/ca.crt`.\n\n##### `SSL_REGISTRY_KEY_PATH`\n\nLocation of the ssl private key for gitlab container registry. Defaults to `/home/git/data/certs/registry.key`\n\n##### `SSL_REGISTRY_CERT_PATH`\n\nLocation of the ssl certificate for the gitlab container registry. Defaults to `/home/git/data/certs/registry.crt`\n\n##### `SSL_PAGES_KEY_PATH`\n\nLocation of the ssl private key for gitlab pages. Defaults to `/home/git/data/certs/pages.key`\n\n##### `SSL_PAGES_CERT_PATH`\n\nLocation of the ssl certificate for the gitlab pages. Defaults to `/home/git/data/certs/pages.crt`\n\n##### `SSL_CIPHERS`\n\nList of supported SSL ciphers: Defaults to `ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4`\n\n##### `SSL_PROTOCOLS`\n\nList of supported SSL protocols: Defaults to `TLSv1 TLSv1.1 TLSv1.2 TLSv1.3`\n\n##### `SSL_PAGES_CIPHERS`\n\nList of supported SSL ciphers for the gitlab pages: Defaults to `SSL_CIPHERS`\n\n##### `SSL_PAGES_PROTOCOLS`\n\nList of supported SSL protocols for the gitlab pages: Defaults to `SSL_PROTOCOLS`\n\n##### `SSL_REGISTRY_CIPHERS`\n\nList of supported SSL ciphers for gitlab container registry: Defaults to `SSL_CIPHERS`\n\n##### `SSL_REGISTRY_PROTOCOLS`\n\nList of supported SSL protocols for gitlab container registry: Defaults to `SSL_PROTOCOLS`\n\n##### `NGINX_WORKERS`\n\nThe number of nginx workers to start. Defaults to `1`.\n\n##### `NGINX_SERVER_NAMES_HASH_BUCKET_SIZE`\n\nSets the bucket size for the server names hash tables. This is needed when you have long server_names or your an error message from nginx like *nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size:..*. It should be only increment by a power of 2. Defaults to `32`.\n\n##### `NGINX_HSTS_ENABLED`\n\nAdvanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. See [#138](https://github.com/sameersbn/docker-gitlab/issues/138) for use case scenario.\n\n##### `NGINX_HSTS_MAXAGE`\n\nAdvanced configuration option for setting the HSTS max-age in the gitlab nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.\n\n##### `NGINX_PROXY_BUFFERING`\n\nEnable `proxy_buffering`. Defaults to `off`.\n\n##### `NGINX_ACCEL_BUFFERING`\n\nEnable `X-Accel-Buffering` header. Default to `no`\n\n##### `NGINX_X_FORWARDED_PROTO`\n\nAdvanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`.\n\n##### `NGINX_REAL_IP_RECURSIVE`\n\nset to `on` if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address. `off` by default.\n\n##### `NGINX_REAL_IP_TRUSTED_ADDRESSES`\n\nYou can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No defaults.\n\n##### `NGINX_CUSTOM_GITLAB_SERVER_CONFIG`\n\nAdvanced configuration option. You can add custom configuration for nginx as you like (e.g. custom location proxy). This is similar to setting `nginx['custom_gitlab_server_config']` to `gitlab.rb` for gitlab-omnibus. No defaults.\n\n##### `REDIS_HOST`\n\nThe hostname of the redis server. Defaults to `localhost`\n\n##### `REDIS_PORT`\n\nThe connection port of the redis server. Defaults to `6379`.\n\n##### `REDIS_DB_NUMBER`\n\nThe redis database number. Defaults to '0'.\n\n##### `PUMA_WORKERS`\n\nThe number of puma workers to start. Defaults to `3`.\n\n##### `PUMA_TIMEOUT`\n\nSets the timeout of puma worker processes. Defaults to `60` seconds.\n\n##### `PUMA_THREADS_MIN`\n\nThe number of puma minimum threads. Defaults to `1`.\n\n##### `PUMA_THREADS_MAX`\n\nThe number of puma maximum threads. Defaults to `16`.\n\n##### `PUMA_PER_WORKER_MAX_MEMORY_MB`\n\nMaximum memory size of per puma worker process. Defaults to `1024`.\n\n##### `PUMA_MASTER_MAX_MEMORY_MB`\n\nMaximum memory size of puma master process. Defaults to `800`.\n\n##### `SIDEKIQ_CONCURRENCY`\n\nThe number of concurrent sidekiq jobs to run. Defaults to `25`\n\n##### `SIDEKIQ_SHUTDOWN_TIMEOUT`\n\nTimeout for sidekiq shutdown. Defaults to `4`\n\n##### `SIDEKIQ_MEMORY_KILLER_MAX_RSS`\n\nNon-zero value enables the SidekiqMemoryKiller. Defaults to `2000000`. For additional options refer [Configuring the MemoryKiller](http://doc.gitlab.com/ce/operations/sidekiq_memory_killer.html)\n\n##### `GITLAB_SIDEKIQ_LOG_FORMAT`\n\nSidekiq log format that will be used. Defaults to `json`\n\n##### `DB_ADAPTER`\n\nThe database type. Currently only postgresql is supported. Possible values: `postgresql`. Defaults to `postgresql`.\n\n##### `DB_ENCODING`\n\nThe database encoding. For `DB_ADAPTER` values `postgresql` this parameter defaults and `utf8` respectively.\n\n##### `DB_HOST`\n\nThe database server hostname. Defaults to `localhost`.\n\n##### `DB_PORT`\n\nThe database server port. Defaults to `5432` for postgresql.\n\n##### `DB_NAME`\n\nThe database database name. Defaults to `gitlabhq_production`\n\n##### `DB_USER`\n\nThe database database user. Defaults to `root`\n\n##### `DB_PASS`\n\nThe database database password. Defaults to no password\n\n##### `DB_POOL`\n\nThe database database connection pool count. Defaults to `10`.\n\n##### `DB_PREPARED_STATEMENTS`\n\nWhether to use database prepared statements. No defaults. But set to `false` if you want to use with [PgBouncer](https://pgbouncer.github.io/)\n\n##### `SMTP_ENABLED`\n\nEnable mail delivery via SMTP. Defaults to `true` if `SMTP_USER` is defined, else defaults to `false`.\n\n##### `SMTP_DOMAIN`\n\nSMTP domain. Defaults to `www.gmail.com`\n\n##### `SMTP_HOST`\n\nSMTP server host. Defaults to `smtp.gmail.com`.\n\n##### `SMTP_PORT`\n\nSMTP server port. Defaults to `587`.\n\n##### `SMTP_USER`\n\nSMTP username.\n\n##### `SMTP_PASS`\n\nSMTP password.\n\n##### `SMTP_STARTTLS`\n\nEnable STARTTLS. Defaults to `true`.\n\n##### `SMTP_TLS`\n\nEnable SSL/TLS. Defaults to `false`.\n\n##### `SMTP_OPENSSL_VERIFY_MODE`\n\nSMTP openssl verification mode. Accepted values are `none`, `peer`, `client_once` and `fail_if_no_peer_cert`. Defaults to `none`.\n\n##### `SMTP_AUTHENTICATION`\n\nSpecify the SMTP authentication method. Defaults to `login` if `SMTP_USER` is set.\n\n##### `SMTP_CA_ENABLED`\n\nEnable custom CA certificates for SMTP email configuration. Defaults to `false`.\n\n##### `SMTP_CA_PATH`\n\nSpecify the `ca_path` parameter for SMTP email configuration. Defaults to `/home/git/data/certs`.\n\n##### `SMTP_CA_FILE`\n\nSpecify the `ca_file` parameter for SMTP email configuration. Defaults to `/home/git/data/certs/ca.crt`.\n\n##### `IMAP_ENABLED`\n\nEnable mail delivery via IMAP. Defaults to `true` if `IMAP_USER` is defined, else defaults to `false`.\n\n##### `IMAP_HOST`\n\nIMAP server host. Defaults to `imap.gmail.com`.\n\n##### `IMAP_PORT`\n\nIMAP server port. Defaults to `993`.\n\n##### `IMAP_USER`\n\nIMAP username.\n\n##### `IMAP_PASS`\n\nIMAP password.\n\n##### `IMAP_SSL`\n\nEnable SSL. Defaults to `true`.\n\n##### `IMAP_STARTTLS`\n\nEnable STARTTLS. Defaults to `false`.\n\n##### `IMAP_MAILBOX`\n\nThe name of the mailbox where incoming mail will end up. Defaults to `inbox`.\n\n##### `LDAP_ENABLED`\n\nEnable LDAP. Defaults to `false`\n\n##### `LDAP_LABEL`\n\nLabel to show on login tab for LDAP server. Defaults to 'LDAP'\n\n##### `LDAP_HOST`\n\nLDAP Host\n\n##### `LDAP_PORT`\n\nLDAP Port. Defaults to `389`\n\n##### `LDAP_UID`\n\nLDAP UID. Defaults to `sAMAccountName`\n\n##### `LDAP_METHOD`\n\nLDAP method, Possible values are `simple_tls`, `start_tls` and `plain`. Defaults to `plain`\n\n##### `LDAP_VERIFY_SSL`\n\nLDAP verify ssl certificate for installations that are using `LDAP_METHOD: 'simple_tls'` or `LDAP_METHOD: 'start_tls'`. Defaults to `true`\n\n##### `LDAP_CA_FILE`\n\nSpecifies the path to a file containing a PEM-format CA certificate. Defaults to ``\n\n##### `LDAP_SSL_VERSION`\n\nSpecifies the SSL version for OpenSSL to use, if the OpenSSL default is not appropriate. Example: 'TLSv1_1'. Defaults to ``\n\n##### `LDAP_BIND_DN`\n\nNo default.\n\n##### `LDAP_PASS`\n\nLDAP password\n\n##### `LDAP_TIMEOUT`\n\nTimeout, in seconds, for LDAP queries. Defaults to `10`.\n\n##### `LDAP_ACTIVE_DIRECTORY`\n\nSpecifies if LDAP server is Active Directory LDAP server. If your LDAP server is not AD, set this to `false`. Defaults to `true`,\n\n##### `LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN`\n\nIf enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to `false` if `LDAP_UID` is `userPrincipalName`, else `true`.\n\n##### `LDAP_BLOCK_AUTO_CREATED_USERS`\n\nLocks down those users until they have been cleared by the admin. Defaults to `false`.\n\n##### `LDAP_BASE`\n\nBase where we can search for users. No default.\n\n##### `LDAP_USER_FILTER`\n\nFilter LDAP users. No default.\n\n##### `LDAP_USER_ATTRIBUTE_USERNAME`\n\nAttribute fields for the identification of a user. Default to `['uid', 'userid', 'sAMAccountName']`\n\n##### `LDAP_USER_ATTRIBUTE_MAIL`\n\nAttribute fields for the shown mail address. Default to `['mail', 'email', 'userPrincipalName']`\n\n##### `LDAP_USER_ATTRIBUTE_NAME`\n\nAttribute field for the used username of a user. Defaults to `cn`.\n\n##### `LDAP_USER_ATTRIBUTE_FIRSTNAME`\n\nAttribute field for the forename of a user. Default to `givenName`\n\n##### `LDAP_USER_ATTRIBUTE_LASTNAME`\n\n Attribute field for the surname of a user. Default to `sn`\n\n##### `LDAP_LOWERCASE_USERNAMES`\n\nGitLab will lower case the username for the LDAP Server. Defaults to `false`\n\n##### `LDAP_PREVENT_LDAP_SIGN_IN`\n\nSet to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to `false`\n\n##### `OAUTH_ENABLED`\n\nEnable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`.\n\n##### `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER`\n\nAutomatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.\n\n##### `OAUTH_ALLOW_SSO`\n\nComma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.\n\n##### `OAUTH_BLOCK_AUTO_CREATED_USERS`\n\nLocks down those users until they have been cleared by the admin. Defaults to `true`.\n\n##### `OAUTH_AUTO_LINK_LDAP_USER`\n\nLook up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.\n\n##### `OAUTH_AUTO_LINK_SAML_USER`\n\nAllow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`.\n\n##### `OAUTH_AUTO_LINK_USER`\n\nAllow users with existing accounts to login and auto link their account via the defined Omniauth providers login, without having to do a manual login first and manually connect their chosen provider. Defaults to `[]`.\n\n##### `OAUTH_EXTERNAL_PROVIDERS`\n\nComma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.\n\n##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR`\n\nSpecify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `[\"twitter\", \"google_oauth2\"]`. Setting this to `true` or `false` applies to all - allow all or none. Defaults to `false`.\n\n##### `OAUTH_CAS3_LABEL`\n\nThe \"Sign in with\" button label. Defaults to \"cas3\".\n\n##### `OAUTH_CAS3_SERVER`\n\nCAS3 server URL. No defaults.\n\n##### `OAUTH_CAS3_DISABLE_SSL_VERIFICATION`\n\nDisable CAS3 SSL verification. Defaults to `false`.\n\n##### `OAUTH_CAS3_LOGIN_URL`\n\nCAS3 login URL. Defaults to `/cas/login`\n\n##### `OAUTH_CAS3_VALIDATE_URL`\n\nCAS3 validation URL. Defaults to `/cas/p3/serviceValidate`\n\n##### `OAUTH_CAS3_LOGOUT_URL`\n\nCAS3 logout URL. Defaults to `/cas/logout`\n\n##### `OAUTH_GOOGLE_API_KEY`\n\nGoogle App Client ID. No defaults.\n\n##### `OAUTH_GOOGLE_APP_SECRET`\n\nGoogle App Client Secret. No defaults.\n\n##### `OAUTH_GOOGLE_RESTRICT_DOMAIN`\n\nList of Google App restricted domains. Value is comma separated list of single quoted groups. Example: `'exemple.com','exemple2.com'`. No defaults.\n\n##### `OAUTH_FACEBOOK_API_KEY`\n\nFacebook App API key. No defaults.\n\n##### `OAUTH_FACEBOOK_APP_SECRET`\n\nFacebook App API secret. No defaults.\n\n##### `OAUTH_TWITTER_API_KEY`\n\nTwitter App API key. No defaults.\n\n##### `OAUTH_TWITTER_APP_SECRET`\n\nTwitter App API secret. No defaults.\n\n##### `OAUTH_AUTHENTIQ_CLIENT_ID`\n\nauthentiq Client ID. No defaults.\n\n##### `OAUTH_AUTHENTIQ_CLIENT_SECRET`\n\nauthentiq Client secret. No defaults.\n\n##### `OAUTH_AUTHENTIQ_SCOPE`\n\nScope of Authentiq Application Defaults to `'aq:name email~rs address aq:push'`\n\n##### `OAUTH_AUTHENTIQ_REDIRECT_URI`\n\n Callback URL for Authentiq. No defaults.\n\n##### `OAUTH_GITHUB_API_KEY`\n\nGitHub App Client ID. No defaults.\n\n##### `OAUTH_GITHUB_APP_SECRET`\n\nGitHub App Client secret. No defaults.\n\n##### `OAUTH_GITHUB_URL`\n\nUrl to the GitHub Enterprise server. Defaults to `https://github.com`\n\n##### `OAUTH_GITHUB_VERIFY_SSL`\n\nEnable SSL verification while communicating with the GitHub server. Defaults to `true`.\n\n##### `OAUTH_GITLAB_API_KEY`\n\nGitLab App Client ID. No defaults.\n\n##### `OAUTH_GITLAB_APP_SECRET`\n\nGitLab App Client secret. No defaults.\n\n##### `OAUTH_BITBUCKET_API_KEY`\n\nBitBucket App Client ID. No defaults.\n\n##### `OAUTH_BITBUCKET_APP_SECRET`\n\nBitBucket App Client secret. No defaults.\n\n##### `OAUTH_BITBUCKET_URL`\n\nBitbucket URL. Defaults: `https://bitbucket.org/`\n\n##### `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`\n\nThe URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`.\n\n##### `OAUTH_SAML_IDP_CERT_FINGERPRINT`\n\nThe SHA1 fingerprint of the certificate. No Defaults.\n\n##### `OAUTH_SAML_IDP_SSO_TARGET_URL`\n\nThe URL to which the authentication request should be sent. No defaults.\n\n##### `OAUTH_SAML_ISSUER`\n\nThe name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`.\n\n##### `OAUTH_SAML_LABEL`\n\nThe \"Sign in with\" button label. Defaults to \"Our SAML Provider\".\n\n##### `OAUTH_SAML_NAME_IDENTIFIER_FORMAT`\n\nDescribes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`\n\n##### `OAUTH_SAML_GROUPS_ATTRIBUTE`\n\nMap groups attribute in a SAMLResponse to external groups. No defaults.\n\n##### `OAUTH_SAML_EXTERNAL_GROUPS`\n\nList of external groups in a SAMLResponse. Value is comma separated list of single quoted groups. Example: `'group1','group2'`. No defaults.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL`\n\nMap 'email' attribute name in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_USERNAME`\n\nMap 'username' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME`\n\nMap 'name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME`\n\nMap 'first_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME`\n\nMap 'last_name' attribute in a SAMLResponse to entries in the OmniAuth info hash, No defaults. See [GitLab documentation](http://doc.gitlab.com/ce/integration/saml.html#attribute_statements) for more details.\n\n##### `OAUTH_CROWD_SERVER_URL`\n\nCrowd server url. No defaults.\n\n##### `OAUTH_CROWD_APP_NAME`\n\nCrowd server application name. No defaults.\n\n##### `OAUTH_CROWD_APP_PASSWORD`\n\nCrowd server application password. No defaults.\n\n##### `OAUTH_AUTH0_CLIENT_ID`\n\nAuth0 Client ID. No defaults.\n\n##### `OAUTH_AUTH0_CLIENT_SECRET`\n\nAuth0 Client secret. No defaults.\n\n##### `OAUTH_AUTH0_DOMAIN`\n\nAuth0 Domain. No defaults.\n\n##### `OAUTH_AUTH0_SCOPE`\n\nAuth0 Scope. Defaults to `openid profile email`.\n\n##### `OAUTH_AZURE_API_KEY`\n\nAzure Client ID. No defaults.\n\n##### `OAUTH_AZURE_API_SECRET`\n\nAzure Client secret. No defaults.\n\n##### `OAUTH_AZURE_TENANT_ID`\n\nAzure Tenant ID. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID`\n\nClient ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET`\n\nClient secret for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID`\n\nTenant ID for oauth provider `azure_activedirectory_v2`. If not set, corresponding oauth provider configuration will be removed from `gitlab.yml` during container startup. No defaults.\n\n#### `OAUTH_AZURE_ACTIVEDIRECTORY_V2_LABEL`\n\nOptional label for login button for `azure_activedirectory_v2`. Defaults to `Azure AD v2`\n\n##### `OAUTH2_GENERIC_APP_ID`\n\nYour OAuth2 App ID. No defaults.\n\n##### `OAUTH2_GENERIC_APP_SECRET`\n\nYour OAuth2 App Secret. No defaults.\n\n##### `OAUTH2_GENERIC_CLIENT_SITE`\n\nThe OAuth2 generic client site. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_USER_INFO_URL`\n\nThe OAuth2 generic client user info url. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL`\n\nThe OAuth2 generic client authorize url. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_TOKEN_URL`\n\nThe OAuth2 generic client token url. No defaults\n\n##### `OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT`\n\nThe OAuth2 generic client end session endpoint. No defaults\n\n##### `OAUTH2_GENERIC_ID_PATH`\n\nThe OAuth2 generic id path. No defaults\n\n##### `OAUTH2_GENERIC_USER_UID`\n\nThe OAuth2 generic user id path. No defaults\n\n##### `OAUTH2_GENERIC_USER_NAME`\n\nThe OAuth2 generic user name. No defaults\n\n##### `OAUTH2_GENERIC_USER_EMAIL`\n\nThe OAuth2 generic user email. No defaults\n\n##### `OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE`\n\nThe scope of your OAuth2 provider. No defaults\n\n##### `OAUTH2_GENERIC_LABEL`\n\nThe label of your OAuth2 provider. No defaults\n\n##### `OAUTH2_GENERIC_NAME`\n\nThe name of your OAuth2 provider. No defaults\n\n##### `GITLAB_GRAVATAR_ENABLED`\n\nEnables gravatar integration. Defaults to `true`.\n\n##### `GITLAB_GRAVATAR_HTTP_URL`\n\nSets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}\u0026d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html).\n\n##### `GITLAB_GRAVATAR_HTTPS_URL`\n\nSame as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}\u0026d=identicon`.\n\n##### `USERMAP_UID`\n\nSets the uid for user `git` to the specified uid. Defaults to `1000`.\n\n##### `USERMAP_GID`\n\nSets the gid for group `git` to the specified gid. Defaults to `USERMAP_UID` if defined, else defaults to `1000`.\n\n##### `GOOGLE_ANALYTICS_ID`\n\nGoogle Analytics ID. No defaults.\n\n##### `PIWIK_URL`\n\nSets the Piwik URL. No defaults.\n\n##### `PIWIK_SITE_ID`\n\nSets the Piwik site ID. No defaults.\n\n##### `AWS_BACKUPS`\n\nEnables automatic uploads to an Amazon S3 instance. Defaults to `false`.\n\n##### `AWS_BACKUP_REGION`\n\nAWS region. No defaults.\n\n##### `AWS_BACKUP_ENDPOINT`\n\nAWS endpoint. No defaults.\n\n##### `AWS_BACKUP_ACCESS_KEY_ID`\n\nAWS access key id. No defaults.\n\n##### `AWS_BACKUP_SECRET_ACCESS_KEY`\n\nAWS secret access key. No defaults.\n\n##### `AWS_BACKUP_BUCKET`\n\nAWS bucket for backup uploads. No defaults.\n\n##### `AWS_BACKUP_MULTIPART_CHUNK_SIZE`\n\nEnables multipart uploads when file size reaches a defined size. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html)\n\n##### `AWS_BACKUP_ENCRYPTION`\n\nTurns on AWS Server-Side Encryption. Defaults to `false`. See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)\n\n##### `AWS_BACKUP_STORAGE_CLASS`\n\nConfigure the storage class for the item. Defaults to `STANDARD` See at [AWS S3 Docs](http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html)\n\n##### `AWS_BACKUP_SIGNATURE_VERSION`\n\nConfigure the storage signature version. Defaults to `4` See at [AWS S3 Docs](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version)\n\n##### `GCS_BACKUPS`\n\nEnables automatic uploads to an Google Cloud Storage (GCS) instance. Defaults to `false`.\n\n##### `GCS_BACKUP_ACCESS_KEY_ID`\n\nGCS access key id. No defaults\n\n##### `GCS_BACKUP_SECRET_ACCESS_KEY`\n\nGCS secret access key. No defaults\n\n##### `GCS_BACKUP_BUCKET`\n\nGCS bucket for backup uploads. No defaults\n\n##### `GITLAB_ROBOTS_PATH`\n\nLocation of custom `robots.txt`. Uses GitLab's default `robots.txt` configuration by default. See [www.robotstxt.org](http://www.robotstxt.org) for examples.\n\n##### `RACK_ATTACK_ENABLED`\n\nEnable/disable rack middleware for blocking \u0026 throttling abusive requests Defaults to `true`.\n\n##### `RACK_ATTACK_WHITELIST`\n\nAlways allow requests from whitelisted host.\nThis should be a valid yaml sequence of host address. Each host address string must be a valid IP address that can be passed to `IPAddr.new` of ruby. See [ruby-lang reference](https://docs.ruby-lang.org/en/3.0/IPAddr.html#method-c-new) for detail.\nIf you need to set multiple hosts, set this parameter like `[\"1.1.1.1\",\"192.168.0.0/24\"]` for example.\n\n````yaml\nenvironment:\n# pattern 1: `- key=value` style : you can specify array of hosts as is\n- RACK_ATTACK_WHITELIST=[\"1.1.1.1\",\"192.168.0.0/24\"]\n# pattern 2: `key: value` style : you must surround with quote, as the value of environment variable must not be an array\n RACK_ATTACK_WHITELIST: \"['1.1.1.1','192.168.0.0/24']\"\n````\n\nDefaults to `[\"127.0.0.1\"]`\n\n##### `RACK_ATTACK_MAXRETRY`\n\nNumber of failed auth attempts before which an IP should be banned. Defaults to `10`\n\n##### `RACK_ATTACK_FINDTIME`\n\nNumber of seconds before resetting the per IP auth attempt counter. Defaults to `60`.\n\n##### `RACK_ATTACK_BANTIME`\n\nNumber of seconds an IP should be banned after too many auth attempts. Defaults to `3600`.\n\n##### `GITLAB_WORKHORSE_TIMEOUT`\n\nTimeout for gitlab workhorse http proxy. Defaults to `5m0s`.\n\n##### `SENTRY_ENABLED`\n\nEnables Error Reporting and Logging with Sentry. Defaults to `false`.\n\n##### `SENTRY_DSN`\n\nSentry DSN. No defaults.\n\n##### `SENTRY_CLIENTSIDE_DSN`\n\nSentry client side DSN. No defaults.\n\n##### `SENTRY_ENVIRONMENT`\n\nSentry environment. Defaults to `production`.\n\n#### Docker secrets and configs\n\nAll the above environment variables can be put into a [secrets](https://docs.docker.com/compose/compose-file/#secrets) or [config](https://docs.docker.com/compose/compose-file/#configs) file\nand then both docker-compose and Docker Swarm can import them into your gitlab container.\n\nOn startup, the gitlab container will source env vars from a config file labeled `gitlab-config`, and then a secrets file labeled `gitlab-secrets` (both mounted in the default locations).\n\nSee the example [`contrib/docker-swarm/docker-compose.yml`](./contrib/docker-swarm/docker-compose.yml) file, and the\nexample `gitlab.configs` and `gitlab.secrets` file.\nYou may as well choose file names other than the example source files (`gitlab.configs` and `gitlab.secrets`) and update\nthe `file: ./gitlab.configs` and `file: ./gitlab.secrets` references accordingly. But do not alter the config\nkeys [`gitlab-configs`](contrib/docker-swarm/docker-compose.yml#L158) and\n[`gitlab-secrets`](contrib/docker-swarm/docker-compose.yml#L162) as they are currently\n[hardcoded](./assets/runtime/functions#L4:L9) and thus must be kept as in the example.\n\nIf you're not using one of these files, then don't include its entry in the docker-compose file.\n\n## Maintenance\n\n### Creating backups\n\nGitLab defines a rake task to take a backup of your gitlab installation. The backup consists of all git repositories, uploaded files and as you might expect, the sql database.\n\nBefore taking a backup make sure the container is stopped and removed to avoid container name conflicts.\n\n```bash\ndocker stop gitlab \u0026\u0026 docker rm gitlab\n```\n\nExecute the rake task to create a backup.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake gitlab:backup:create\n```\n\nA backup will be created in the backups folder of the [Data Store](#data-store). You can change the location of the backups using the `GITLAB_BACKUP_DIR` configuration parameter.\n\n*P.S. Backups can also be generated on a running instance using `docker exec` as described in the [Rake Tasks](#rake-tasks) section. However, to avoid undesired side-effects, I advice against running backup and restore operations on a running instance.*\n\nWhen using `docker-compose` you may use the following command to execute the backup.\n\n```bash\ndocker-compose rm -sf gitlab\ndocker-compose run --rm gitlab app:rake gitlab:backup:create\n```\n\nAfterwards you can bring your Instance back with the following command:\n\n```bash\ndocker-compose up -d\n```\n\n### Restoring Backups\n\nGitLab also defines a rake task to restore a backup.\n\nBefore performing a restore make sure the container is stopped and removed to avoid container name conflicts.\n\n```bash\ndocker stop gitlab \u0026\u0026 docker rm gitlab\n```\n\nIf this is a fresh database that you're doing the restore on, first\nyou need to prepare the database:\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake db:setup\n```\n\nExecute the rake task to restore a backup. Make sure you run the container in interactive mode `-it`.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake gitlab:backup:restore\n```\n\nThe list of all available backups will be displayed in reverse chronological order. Select the backup you want to restore and continue.\n\nTo avoid user interaction in the restore operation, specify the timestamp, date and version of the backup using the `BACKUP` argument to the rake task.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.0.6\n```\n\nWhen using `docker-compose` you may use the following command to execute the restore.\n\n```bash\ndocker-compose run --rm gitlab app:rake gitlab:backup:restore # List available backups\ndocker-compose run --rm gitlab app:rake gitlab:backup:restore BACKUP=1515629493_2020_12_06_13.10.0 # Choose to restore from 1515629493\n```\n\n### Host Key Backups (ssh)\n\nSSH keys are not backed up in the normal gitlab backup process. You\nwill need to backup the `ssh/` directory in the data volume by hand\nand you will want to restore it prior to doing a gitlab restore.\n\n### Automated Backups\n\nThe image can be configured to automatically take backups `daily`, `weekly` or `monthly` using the `GITLAB_BACKUP_SCHEDULE` configuration option.\n\nDaily backups are created at `GITLAB_BACKUP_TIME` which defaults to `04:00` everyday. Weekly backups are created every Sunday at the same time as the daily backups. Monthly backups are created on the 1st of every month at the same time as the daily backups.\n\nBy default, when automated backups are enabled, backups are held for a period of 7 days. While when automated backups are disabled, the backups are held for an infinite period of time. This behavior can be configured via the `GITLAB_BACKUP_EXPIRY` option.\n\n#### Amazon Web Services (AWS) Remote Backups\n\nThe image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.\n\nMore details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage)\n\nFor remote backup to self-hosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`.\n\nAWS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed.\n\n#### Google Cloud Storage (GCS) Remote Backups\n\nThe image can be configured to automatically upload the backups to an Google Cloud Storage bucket. To enable automatic GCS backups first add `--env 'GCS_BACKUPS=true'` to the docker run command. In addition `GCS_BACKUP_BUCKET` must be properly configured to point to the desired GCS location.\nFinally a couple of `Interoperable storage access keys` user must be created and their keys exposed through `GCS_BACKUP_ACCESS_KEY_ID` and `GCS_BACKUP_SECRET_ACCESS_KEY`.\n\nMore details about the Cloud storage interoperability properties can found on [cloud.google.com/storage](https://cloud.google.com/storage/docs/interoperability)\n\nGCS uploads are performed alongside normal backups, both through the appropriate `app:rake` command and when an automatic backup is performed.\n\n### Rake Tasks\n\nThe `app:rake` command allows you to run gitlab rake tasks. To run a rake task simply specify the task to be executed to the `app:rake` command. For example, if you want to gather information about GitLab and the system it runs on.\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake gitlab:env:info\n```\n\nYou can also use `docker exec` to run rake tasks on running gitlab instance. For example,\n\n```bash\ndocker exec --user git -it gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\n```\n\nSimilarly, to import bare repositories into GitLab project instance\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake gitlab:import:repos\n```\n\nOr\n\n```bash\ndocker exec -it gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production\n```\n\nFor a complete list of available rake tasks please refer \u003chttps://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks\u003e or the help section of your gitlab installation.\n\n*P.S. Please avoid running the rake tasks for backup and restore operations on a running gitlab instance.*\n\nTo use the `app:rake` command with `docker-compose` use the following command.\n\n```bash\n## For stopped instances\ndocker-compose run --rm gitlab app:rake gitlab:env:info\ndocker-compose run --rm gitlab app:rake gitlab:import:repos\n\n## For running instances\ndocker-compose exec --user git gitlab bundle exec rake gitlab:env:info RAILS_ENV=production\ndocker-compose exec gitlab sudo -HEu git bundle exec rake gitlab:import:repos RAILS_ENV=production\n```\n\n### Import Repositories\n\nCopy all the **bare** git repositories to the `repositories/` directory of the [data store](#data-store) and execute the `gitlab:import:repos` rake task like so:\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:18.10.3 app:rake gitlab:import:repos\n```\n\nWatch the logs and your repositories should be available into your new gitlab container.\n\nSee [Rake Tasks](#rake-tasks) for more information on executing rake tasks.\nUsage when using `docker-compose` can also be found there.\n\n### Upgrading\n\n\u003e **Important Notice**\n\u003e\n\u003e Since GitLab release `8.6.0` PostgreSQL users should enable `pg_trgm` extension on the GitLab database. Refer to GitLab's [Postgresql Requirements](http://doc.gitlab.com/ce/install/requirements.html#postgresql-requirements) for more information\n\u003e\n\u003e If you're using `sameersbn/postgresql` then please upgrade to `kkimurak/sameersbn-postgresql:16` or later and add `DB_EXTENSION=pg_trgm,btree_gist` to the environment of the PostgreSQL container (see: \u003chttps://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml#L21\u003e).\n\u003e\n\u003e Please keep in mind that:\n\u003e\n\u003e - As of version 13.7.0, the required PostgreSQL version is 12.x.\n\u003e - As of version 16.0.0, the required PostgreSQL version is 13.x.\n\u003e - As of version 17.0.0, the required PostgreSQL version is 14.x.\n\u003e - As of version 18.0.0, the required PostgreSQL version is 16.x.\n\u003e\n\u003e If you're using PostgreSQL image other than the above, please review section [Upgrading PostgreSQL](#upgrading-postgresql).\n\nGitLabHQ releases new versions on the 22nd of every month, bugfix releases immediately follow. I update this project almost immediately when a release is made (at least it has been the case so far). If you are using the image in production environments I recommend that you delay updates by a couple of days after the gitlab release, allowing some time for the dust to settle down.\n\nTo upgrade to newer gitlab releases, simply follow this 4 step upgrade procedure.\n\n\u003e **Note**\n\u003e\n\u003e Upgrading to `sameersbn/gitlab:18.10.3` from `sameersbn/gitlab:7.x.x` can cause issues. It is therefore required that you first upgrade to `sameersbn/gitlab:8.0.5-1` before upgrading to `sameersbn/gitlab:8.1.0` or higher.\n\n- **Step 1**: Update the docker image.\n\n```bash\ndocker pull sameersbn/gitlab:18.10.3\n```\n\n- **Step 2**: Stop and remove the currently running image\n\n```bash\ndocker stop gitlab\ndocker rm gitlab\n```\n\n- **Step 3**: Create a backup\n\n```bash\ndocker run --name gitlab -it --rm [OPTIONS] \\\n sameersbn/gitlab:x.x.x app:rake gitlab:backup:create\n```\n\nReplace `x.x.x` with the version you are upgrading from. For example, if you are upgrading from version `6.0.0`, set `x.x.x` to `6.0.0`\n\n- **Step 4**: Start the image\n\n\u003e **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.\n\n\u003e **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.\n\n\u003e **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image. If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`.\n\n\u003e **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters, **but you will lose the settings when you shutting down the container without taking a backup of `secrets.yml` and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.**\n\n```bash\ndocker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.10.3\n```\n\n### Shell Access\n\nFor debugging and maintenance purposes you may want access the containers shell. If you are using docker version `1.3.0` or higher you can access a running containers shell using `docker exec` command.\n\n```bash\ndocker exec -it gitlab bash\n```\n\n## Monitoring\n\nYou can monitor your GitLab instance status as described in the [official documentation](https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html), for example:\n\n```bash\ncurl 'https://gitlab.example.com/-/liveness'\n```\n\nOn success, the endpoint will return a `200` HTTP status code, and a response like below.\n\n```bash\n{\n \"status\": \"ok\"\n}\n```\n\nTo do that you will need to set the environment variable `GITLAB_MONITORING_IP_WHITELIST` to allow your IP or subnet to make requests to your GitLab instance.\n\n### Health Check\n\nYou can also set your `docker-compose.yml` [healthcheck](https://docs.docker.com/compose/compose-file/compose-file-v2/#healthcheck) configuration to make periodic checks:\n\n```yml\nservices:\n gitlab:\n image: sameersbn/gitlab:18.10.3\n healthcheck:\n test: [\"CMD\", \"/usr/local/sbin/healthcheck\"]\n interval: 1m\n timeout: 5s\n retries: 5\n start_period: 2m\n```\n\nThen you will be able to consult the health check log by executing:\n\n```bash\ndocker inspect --format \"{{json .State.Health }}\" $(docker-compose ps -q gitlab) | jq\n```\n\n## References\n\n- \u003chttps://github.com/gitlabhq/gitlabhq\u003e\n- \u003chttps://github.com/gitlabhq/gitlabhq/blob/master/doc/install/installation.md\u003e\n- \u003chttp://wiki.nginx.org/HttpSslModule\u003e\n- \u003chttps://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html\u003e\n- \u003chttps://github.com/gitlabhq/gitlab-recipes/blob/master/web-server/nginx/gitlab-ssl\u003e\n- \u003chttps://github.com/jpetazzo/nsenter\u003e\n- \u003chttps://jpetazzo.github.io/2014/03/23/lxc-attach-nsinit-nsenter-docker-0-9/\u003e\n","funding_links":[],"categories":["Shell","HarmonyOS","Communication and Coordination","Coordination and Communication","Shell (473)","gitlab","git","\u003ca name=\"Shell\"\u003e\u003c/a\u003eShell"],"sub_categories":["Windows Manager"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsameersbn%2Fdocker-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsameersbn%2Fdocker-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsameersbn%2Fdocker-gitlab/lists"}