Troubleshooting Gitaly | GitLab (2024)

  • Check versions when using standalone Gitaly servers
  • Find storage resource details
  • Use gitaly-debug
  • Commits, pushes, and clones return a 401
  • 500 and fetching folder content errors on repository pages
  • Client side gRPC logs
  • Server side gRPC logs
  • Correlating Git processes with RPCs
  • Repository changes fail with a 401 Unauthorized error
  • Repository pushes fail with 401 Unauthorized and JWT::VerificationError
  • Repository pushes fail with a deny updating a hidden ref error
  • Command-line tools cannot connect to Gitaly
  • Permission denied errors appearing in Gitaly or Praefect logs when accessing repositories
  • Gitaly not listening on new address after reconfiguring
  • Permission denied errors appearing in Gitaly logs when accessing repositories from a standalone Gitaly node
  • Health check warnings
  • File not found errors
  • Git pushes are slow when Dynatrace is enabled
  • gitaly check fails with 401 status code
  • Changes (diffs) don’t load for new merge requests when using Gitaly TLS
  • Gitaly fails to fork processes stored on noexec file systems
  • Commit signing fails with invalid argument: signing key is encrypted or invalid data: tag byte does not have MSB set.
  • Gitaly logs show errors in info messages
  • Profiling Gitaly
    • Profile Git operations
  • Repositories are shown as empty after a GitLab restore
  • Pre-receive hook declined error when pushing to RHEL instance with fapolicyd enabled

Tier: Free, Premium, UltimateOffering: Self-managed

Refer to the information below when troubleshooting Gitaly. For information on troubleshooting Gitaly Cluster (Praefect),see Troubleshooting Gitaly Cluster.

The following sections provide possible solutions to Gitaly errors.

See also Gitaly timeout settings,and our advice on parsing the gitaly/current file.

Check versions when using standalone Gitaly servers

When using standalone Gitaly servers, you must make sure they are the same versionas GitLab to ensure full compatibility:

  1. On the left sidebar, at the bottom, select Admin Area.
  2. Select Overview > Gitaly Servers.
  3. Confirm all Gitaly servers indicate that they are up to date.

Find storage resource details

You can run the following commands in a Rails consoleto determine the available and used space on a Gitaly storage:

Gitlab::GitalyClient::ServerService.new("default").storage_disk_statistics# For Gitaly ClusterGitlab::GitalyClient::ServerService.new("<storage name>").disk_statistics

Use gitaly-debug

The gitaly-debug command provides “production debugging” tools for Gitaly and Gitperformance. It is intended to help production engineers and supportengineers investigate Gitaly performance problems.

To see the help page of gitaly-debug for a list of supported sub-commands, run:

gitaly-debug -h

Commits, pushes, and clones return a 401

remote: GitLab: 401 Unauthorized

You need to sync your gitlab-secrets.json file with your GitLabapplication nodes.

500 and fetching folder content errors on repository pages

Fetching folder content, and in some cases 500, errors indicateconnectivity problems between GitLab and Gitaly.Consult the client-side gRPC logsfor details.

Client side gRPC logs

Gitaly uses the gRPC RPC framework. The Ruby gRPCclient has its own log file which may contain helpful information whenyou are seeing Gitaly errors. You can control the log level of thegRPC client with the GRPC_LOG_LEVEL environment variable. Thedefault level is WARN.

You can run a gRPC trace with:

sudo GRPC_TRACE=all GRPC_VERBOSITY=DEBUG gitlab-rake gitlab:gitaly:check

If this command fails with a failed to connect to all addresses error,check for an SSL or TLS problem:

/opt/gitlab/embedded/bin/openssl s_client -connect <gitaly-ipaddress>:<port> -verify_return_error

Check whether Verify return code field indicates aknown Linux package installation configuration problem.

If openssl succeeds but gitlab-rake gitlab:gitaly:check fails,check certificate requirements for Gitaly.

Server side gRPC logs

gRPC tracing can also be enabled in Gitaly itself with the GODEBUG=http2debugenvironment variable. To set this in a Linux package installation:

  1. Add the following to your gitlab.rb file:

    gitaly['env'] = { "GODEBUG=http2debug" => "2"}
  2. Reconfigure GitLab.

Correlating Git processes with RPCs

Sometimes you need to find out which Gitaly RPC created a particular Git process.

One method for doing this is by using DEBUG logging. However, this needs to be enabledahead of time and the logs produced are quite verbose.

A lightweight method for doing this correlation is by inspecting the environmentof the Git process (using its PID) and looking at the CORRELATION_ID variable:

This method isn’t reliable for git cat-file processes, because Gitalyinternally pools and re-uses those across RPCs.

Repository changes fail with a 401 Unauthorized error

If you run Gitaly on its own server and notice these conditions:

  • Users can successfully clone and fetch repositories by using both SSH and HTTPS.
  • Users can’t push to repositories, or receive a 401 Unauthorized message when attempting tomake changes to them in the web UI.

Gitaly may be failing to authenticate with the Gitaly client because it has thewrong secrets file.

Confirm the following are all true:

  • When any user performs a git push to any repository on this Gitaly server, itfails with a 401 Unauthorized error:

    remote: GitLab: 401 UnauthorizedTo <REMOTE_URL>! [remote rejected] branch-name -> branch-name (pre-receive hook declined)error: failed to push some refs to '<REMOTE_URL>'
  • When any user adds or modifies a file from the repository using the GitLabUI, it immediately fails with a red 401 Unauthorized banner.
  • Creating a new project and initializing it with a READMEsuccessfully creates the project but doesn’t create the README.
  • When tailing the logson a Gitaly client and reproducing the error, you get 401 errorswhen reaching the /api/v4/internal/allowed endpoint:

    # api_json.log{ "time": "2019-07-18T00:30:14.967Z", "severity": "INFO", "duration": 0.57, "db": 0, "view": 0.57, "status": 401, "method": "POST", "path": "\/api\/v4\/internal\/allowed", "params": [ { "key": "action", "value": "git-receive-pack" }, { "key": "changes", "value": "REDACTED" }, { "key": "gl_repository", "value": "REDACTED" }, { "key": "project", "value": "\/path\/to\/project.git" }, { "key": "protocol", "value": "web" }, { "key": "env", "value": "{\"GIT_ALTERNATE_OBJECT_DIRECTORIES\":[],\"GIT_ALTERNATE_OBJECT_DIRECTORIES_RELATIVE\":[],\"GIT_OBJECT_DIRECTORY\":null,\"GIT_OBJECT_DIRECTORY_RELATIVE\":null}" }, { "key": "user_id", "value": "2" }, { "key": "secret_token", "value": "[FILTERED]" } ], "host": "gitlab.example.com", "ip": "REDACTED", "ua": "Ruby", "route": "\/api\/:version\/internal\/allowed", "queue_duration": 4.24, "gitaly_calls": 0, "gitaly_duration": 0, "correlation_id": "XPUZqTukaP3"}# nginx_access.log[IP] - - [18/Jul/2019:00:30:14 +0000] "POST /api/v4/internal/allowed HTTP/1.1" 401 30 "" "Ruby"

To fix this problem, confirm that your gitlab-secrets.json fileon the Gitaly server matches the one on Gitaly client. If it doesn’t match,update the secrets file on the Gitaly server to match the Gitaly client, thenreconfigure.

If you’ve confirmed that your gitlab-secrets.json file is the same on all Gitaly servers and clients,the application might be fetching this secret from a different file. Your Gitaly server’sconfig.toml file indicates the secrets file in use.If that setting is missing, GitLab defaults to using .gitlab_shell_secret under/opt/gitlab/embedded/service/gitlab-rails/.gitlab_shell_secret.

Repository pushes fail with 401 Unauthorized and JWT::VerificationError

When attempting git push, you can see:

  • 401 Unauthorized errors.
  • The following in server logs:

    { ... "exception.class":"JWT::VerificationError", "exception.message":"Signature verification raised", ...}

This combination of errors occurs when the GitLab server has been upgraded to GitLab 15.5 or later but Gitaly has not yet been upgraded.

From GitLab 15.5, GitLab authenticates with GitLab Shell using a JWT token instead of a shared secret.You should follow the recommendations on upgrading external Gitaly and upgrade Gitaly before the GitLabserver.

Due to a changeintroduced in GitLab 13.12, Gitaly has read-only, internal GitLab references that users are notpermitted to update. If you attempt to update internal references with git push --mirror, Gitreturns the rejection error, deny updating a hidden ref.

The following references are read-only:

  • refs/environments/
  • refs/keep-around/
  • refs/merge-requests/
  • refs/pipelines/

To mirror-push branches and tags only, and avoid attempting to mirror-push protected refs, run:

git push origin +refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/*

Any other namespaces that the administrator wants to push can be included there as well via additional patterns.

Command-line tools cannot connect to Gitaly

gRPC cannot reach your Gitaly server if:

  • You can’t connect to a Gitaly server with command-line tools.
  • Certain actions result in a 14: Connect Failed error message.

Verify you can reach Gitaly by using TCP:

sudo gitlab-rake gitlab:tcp_check[GITALY_SERVER_IP,GITALY_LISTEN_PORT]

If the TCP connection:

  • Fails, check your network settings and your firewall rules.
  • Succeeds, your networking and firewall rules are correct.

If you use proxy servers in your command line environment such as Bash, these can interfere withyour gRPC traffic.

If you use Bash or a compatible command line environment, run the following commands to determinewhether you have proxy servers configured:

echo $http_proxyecho $https_proxy

If either of these variables have a value, your Gitaly CLI connections may be getting routed througha proxy which cannot connect to Gitaly.

To remove the proxy setting, run the following commands (depending on which variables had values):

unset http_proxyunset https_proxy

Permission denied errors appearing in Gitaly or Praefect logs when accessing repositories

You might see the following in Gitaly and Praefect logs:

{ ... "error":"rpc error: code = PermissionDenied desc = permission denied", "grpc.code":"PermissionDenied", "grpc.meta.client_name":"gitlab-web", "grpc.request.fullMethod":"/gitaly.ServerService/ServerInfo", "level":"warning", "msg":"finished unary call with code PermissionDenied", ...}

This information in the logs is a gRPC callerror response code.

If this error occurs, even thoughthe Gitaly auth tokens are set up correctly,it’s likely that the Gitaly servers are experiencingclock drift.

Ensure the Gitaly clients and servers are synchronized, and use an NTP timeserver to keep them synchronized.

Gitaly not listening on new address after reconfiguring

When updating the gitaly['configuration'][:listen_addr] or gitaly['configuration'][:prometheus_listen_addr] values, Gitaly maycontinue to listen on the old address after a sudo gitlab-ctl reconfigure.

When this occurs, run sudo gitlab-ctl restart to resolve the issue. This should no longer benecessary because this issue is resolved.

Permission denied errors appearing in Gitaly logs when accessing repositories from a standalone Gitaly node

If this error occurs even though file permissions are correct, it’s likely that the Gitaly node isexperiencing clock drift.

Ensure that the GitLab and Gitaly nodes are synchronized and use an NTP timeserver to keep them synchronized if possible.

Health check warnings

The following warning in /var/log/gitlab/praefect/current can be ignored.

"error":"full method name not found: /grpc.health.v1.Health/Check","msg":"error when looking up method info"

File not found errors

The following errors in /var/log/gitlab/gitaly/current can be ignored.They are caused by the GitLab Rails application checking for specific filesthat do not exist in a repository.

"error":"not found: .gitlab/route-map.yml""error":"not found: Dockerfile""error":"not found: .gitlab-ci.yml"

Git pushes are slow when Dynatrace is enabled

Dynatrace can cause the /opt/gitlab/embedded/bin/gitaly-hooks reference transaction hook,to take several seconds to start up and shut down. gitaly-hooks is executed twice when userspush, which causes a significant delay.

If Git pushes are too slow when Dynatrace is enabled, disable Dynatrace.

gitaly check fails with 401 status code

gitaly check can fail with 401 status code if Gitaly can’t access the internal GitLab API.

One way to resolve this is to make sure the entry is correct for the GitLab internal API URL configured in gitlab.rb with gitlab_rails['internal_api_url'].

Changes (diffs) don’t load for new merge requests when using Gitaly TLS

After enabling Gitaly with TLS, changes (diffs) for new merge requests are not generatedand you see the following message in GitLab:

Building your merge request... This page will update when the build is complete

Gitaly must be able to connect to itself to complete some operations. If the Gitaly certificate is not trusted by the Gitaly server,merge request diffs can’t be generated.

If Gitaly can’t connect to itself, you see messages in the Gitaly logs like the following messages:

{ "level":"warning", "msg":"[core] [Channel #16 SubChannel #17] grpc: addrConn.createTransport failed to connect to {Addr: \"ext-gitaly.example.com:9999\", ServerName: \"ext-gitaly.example.com:9999\", }. Err: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"", "pid":820, "system":"system", "time":"2023-11-06T05:40:04.169Z"}{ "level":"info", "msg":"[core] [Server #3] grpc: Server.Serve failed to create ServerTransport: connection error: desc = \"ServerHandshake(\\\"x.x.x.x:x\\\") failed: wrapped server handshake: remote error: tls: bad certificate\"", "pid":820, "system":"system", "time":"2023-11-06T05:40:04.169Z"}

To resolve the problem, ensure that you have added your Gitaly certificate to the /etc/gitlab/trusted-certs folder on the Gitaly serverand:

  1. Reconfigure GitLab so the certificates are symlinked
  2. Restart Gitaly manually sudo gitlab-ctl restart gitaly for the certificates to be loaded by the Gitaly process.

Gitaly fails to fork processes stored on noexec file systems

Because of changes introduced in GitLab 14.10, applying the noexec option to a mountpoint (for example, /var) causes Gitaly to throw permission denied errors related to forking processes. For example:

fork/exec /var/opt/gitlab/gitaly/run/gitaly-2057/gitaly-git2go: permission denied

To resolve this, remove the noexec option from the file system mount. An alternative is to change the Gitaly runtime directory:

  1. Add gitaly['runtime_dir'] = '<PATH_WITH_EXEC_PERM>' to /etc/gitlab/gitlab.rb and specify a location without noexec set.
  2. Run sudo gitlab-ctl reconfigure.

Commit signing fails with invalid argument: signing key is encrypted or invalid data: tag byte does not have MSB set.

Because Gitaly commit signing is headless and not associated with a specific user, the GPG signing key must be created without a passphrase, or the passphrase must be removed before export.

Gitaly logs show errors in info messages

Because of a bug introduced in GitLab 16.3, additional entries were written to theGitaly logs. These log entries contained "level":"info" but the msg string appeared to contain an error.

For example:

{"level":"info","msg":"[core] [Server #3] grpc: Server.Serve failed to create ServerTransport: connection error: desc = \"ServerHandshake(\\\"x.x.x.x:x\\\") failed: wrapped server handshake: EOF\"","pid":6145,"system":"system","time":"2023-12-14T21:20:39.999Z"}

The reason for this log entry is that the underlying gRPC library sometimes output verbose transportation logs. These log entries appear to be errors but are, in general,safe to ignore.

This bug was fixed in GitLab 16.4.5, 16.5.5, and 16.6.0, which prevents these types of messages frombeing written to the Gitaly logs.

Profiling Gitaly

Gitaly exposes several of the Go built-in performance profiling tools on the Prometheus listen port. For example, if Prometheus is listeningon port 9236 of the GitLab server:

  • Get a list of running goroutines and their backtraces:

    curl --output goroutines.txt "http://<gitaly_server>:9236/debug/pprof/goroutine?debug=2"
  • Run a CPU profile for 30 seconds:

    curl --output cpu.bin "http://<gitaly_server>:9236/debug/pprof/profile"
  • Profile heap memory usage:

    curl --output heap.bin "http://<gitaly_server>:9236/debug/pprof/heap"
  • Record a 5 second execution trace. This impacts the Gitaly performance while running:

    curl --output trace.bin "http://<gitaly_server>:9236/debug/pprof/trace?seconds=5"

On a host with go installed, the CPU profile and heap profile can be viewed in a browser:

go tool pprof -http=:8001 cpu.bingo tool pprof -http=:8001 heap.bin

Execution traces can be viewed by running:

go tool trace heap.bin

Profile Git operations

History

  • Introduced in GitLab 16.9 with a flag named log_git_traces. Disabled by default.

On self-managed GitLab, by default this feature is not available. To make it available, an administrator can enable the feature flagnamed log_git_traces. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only. On GitLab Dedicated, this feature is not available.

You can profile Git operations that Gitaly performs by sending additional information about Git operations to Gitaly logs. With this information, users have more insightfor performance optimization, debugging, and general telemetry collection. For more information, see the Git Trace2 API reference.

To prevent system overload, the additional information logging is rate limited. If the rate limit is exceeded, traces are skipped. However, after the rate returns to a healthystate, the traces are processed again automatically. Rate limiting ensures that the system remains stable and avoids any adverse impact because of excessive trace processing.

Repositories are shown as empty after a GitLab restore

When using fapolicyd for increased security, GitLab can report that a restore from a GitLab backup file was successful but:

  • Repositories show as empty.
  • Creating new files causes an error similar to:

    13:commit: commit: starting process [/var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go -log-format json -log-level -correlation-id 01GP1383JV6JD6MQJBH2E1RT03 -enabled-feature-flags -disabled-feature-flags commit]: fork/exec /var/opt/gitlab/gitaly/run/gitaly-5428/gitaly-git2go: operation not permitted.
  • Gitaly logs might contain errors similar to:

     "error": "exit status 128, stderr: \"fatal: cannot exec '/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction': Operation not permitted\\nfatal: cannot exec '/var/opt/gitlab/gitaly/run/gitaly-5428/hooks-1277154941.d/reference-transaction': Operation not permitted\\nfatal: ref updates aborted by hook\\n\"", "grpc.code": "Internal", "grpc.meta.deadline_type": "none", "grpc.meta.method_type": "client_stream", "grpc.method": "FetchBundle", "grpc.request.fullMethod": "/gitaly.RepositoryService/FetchBundle",...

You can usedebug modeto help determine if fapolicyd is denying execution based on current rules.

If you find that fapolicyd is denying execution, consider the following:

  1. Allow all executables in /var/opt/gitlab/gitaly in your fapolicyd configuration:

    allow perm=any all : ftype=application/x-executable dir=/var/opt/gitlab/gitaly/
  2. Restart the service.

Pre-receive hook declined error when pushing to RHEL instance with fapolicyd enabled

When pushing to an RHEL-based instance with fapolicyd enabled, you might get a Pre-receive hook declined error. This error can occur because fapolicyd can block the executionof the Gitaly binary. To resolve this problem, either:

  • Disable fapolicyd.
  • Create an fapolicyd rule to permit execution of Gitaly binaries with fapolicyd enabled.

To create a rule to allow Gitaly binary execution:

  1. Create a file at /etc/fapolicyd/rules.d/89-gitlab.rules.
  2. Enter the following into the file:

    allow perm=any all : ftype=application/x-executable dir=/var/opt/gitlab/gitaly/
  3. Restart the service:

    systemctl restart fapolicyd

The new rule takes effect after the daemon restarts.

Troubleshooting Gitaly | GitLab (2024)

FAQs

What is GitLab Praefect? ›

Praefect is an optional reverse-proxy for Gitaly to manage a cluster of Gitaly nodes for high availability. Initially, high availability be implemented through asynchronous replication.

What does Gitaly do? ›

Gitaly provides high-level RPC access to Git repositories. It is used by GitLab to read and write Git data. Gitaly is present in every GitLab installation and coordinates Git repository storage and retrieval.

What is GitLab in layman terms? ›

GitLab is a web-based Git repository that provides free open and private repositories, issue-following capabilities, and wikis.

What does GitLab CI stand for? ›

CI and CD are common modern development and DevOps best practices. While CI means continuous integration, CD has two meanings: continuous delivery and continuous deployment.

What does GitLab store in Postgres? ›

The GitLab application uses PostgreSQL for persistent database information (for example, users, permissions, issues, or other metadata).

What is PostgreSQL used for in GitLab? ›

The GitLab application uses PostgreSQL for persistent database information (for example, users, permissions, issues, or other metadata). GitLab stores the bare Git repositories in the location defined in the configuration file, repositories: section.

What is the GitLab registry? ›

Offering: GitLab.com, Self-managed, GitLab Dedicated. The GitLab package registry acts as a private or public registry for a variety of common package managers. You can publish and share packages, which can be easily consumed as a dependency in downstream projects.

What is GitLab agent used for? ›

The agent runs in the cluster, and you can use it to: Communicate with a cluster, which is behind a firewall or NAT. Access API endpoints in a cluster in real time. Push information about events happening in the cluster.

References

Top Articles
Latest Posts
Article information

Author: Golda Nolan II

Last Updated:

Views: 6566

Rating: 4.8 / 5 (78 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Golda Nolan II

Birthday: 1998-05-14

Address: Suite 369 9754 Roberts Pines, West Benitaburgh, NM 69180-7958

Phone: +522993866487

Job: Sales Executive

Hobby: Worldbuilding, Shopping, Quilting, Cooking, Homebrewing, Leather crafting, Pet

Introduction: My name is Golda Nolan II, I am a thoughtful, clever, cute, jolly, brave, powerful, splendid person who loves writing and wants to share my knowledge and understanding with you.