Disaster Recovery (Geo) (PREMIUM SELF)

Geo replicates your database, your Git repositories, and few other assets, but there are some limitations.

WARNING: Multi-secondary configurations require the complete re-synchronization and re-configuration of all non-promoted secondaries and causes downtime.

Promoting a secondary Geo site in single-secondary configurations

We don't currently provide an automated way to promote a Geo replica and do a failover, but you can do it manually if you have root access to the machine.

This process promotes a secondary Geo site to a primary site. To regain geographic redundancy as quickly as possible, you should add a new secondary site immediately after following these instructions.

Step 1. Allow replication to finish if possible

If the secondary site is still replicating data from the primary site, follow the planned failover docs as closely as possible in order to avoid unnecessary data loss.

Step 2. Permanently disable the primary site

WARNING: If the primary site goes offline, there may be data saved on the primary site that have not been replicated to the secondary site. This data should be treated as lost if you proceed.

If an outage on the primary site happens, you should do everything possible to avoid a split-brain situation where writes can occur in two different GitLab instances, complicating recovery efforts. So to prepare for the failover, we must disable the primary site.

  • If you have SSH access:

    1. SSH into the primary site to stop and disable GitLab:

      sudo gitlab-ctl stop
    2. Prevent GitLab from starting up again if the server unexpectedly reboots:

      sudo systemctl disable gitlab-runsvdir
  • If you do not have SSH access to the primary site, take the machine offline and prevent it from rebooting by any means at your disposal. You might need to:

    • Reconfigure the load balancers.
    • Change DNS records (for example, point the primary DNS record to the secondary site to stop usage of the primary site).
    • Stop the virtual servers.
    • Block traffic through a firewall.
    • Revoke object storage permissions from the primary site.
    • Physically disconnect a machine.

    If you plan to update the primary domain DNS record, you may wish to lower the TTL now to speed up propagation.

Step 3. Promoting a secondary site

WARNING: In GitLab 13.2 and 13.3, promoting a secondary site to a primary while the secondary is paused fails. Do not pause replication before promoting a secondary. If the secondary site is paused, be sure to resume before promoting. This issue has been fixed in GitLab 13.4 and later.

Note the following when promoting a secondary:

  • If replication was paused on the secondary site (for example as a part of upgrading, while you were running a version of GitLab earlier than 13.4), you must enable the site by using the database before proceeding. If the secondary site has been paused, the promotion performs a point-in-time recovery to the last known state. Data that was created on the primary while the secondary was paused is lost.
  • A new secondary should not be added at this time. If you want to add a new secondary, do this after you have completed the entire process of promoting the secondary to the primary.
  • If you encounter an ActiveRecord::RecordInvalid: Validation failed: Name has already been taken error message during this process, for more information, see this troubleshooting advice.
  • If you run into errors when using --force or --skip-preflight-checks before 13.5 during this process, for more information, see this troubleshooting advice.

Promoting a secondary site running on a single node running GitLab 14.5 and later

  1. SSH in to your secondary site and execute:

    • To promote the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  2. Verify you can connect to the newly-promoted primary site using the URL used previously for the secondary site.

  3. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site running on a single node running GitLab 14.4 and earlier

WARNING: The gitlab-ctl promote-to-primary-node and gitlab-ctl promoted-db commands are deprecated in GitLab 14.5 and later, and removed in GitLab 15.0. Use gitlab-ctl geo promote instead.

  1. SSH in to your secondary site and login as root:

    sudo -i
  2. If you're using GitLab 13.5 and later, skip this step. If not, edit /etc/gitlab/gitlab.rb and remove any of the following lines that might be present:

    geo_secondary_role['enable'] = true
    roles ['geo_secondary_role']
  3. Promote the secondary site to the primary site:

    • To promote the secondary site to primary along with preflight checks:

      gitlab-ctl promote-to-primary-node
    • If you have already run the preflight checks separately or don't want to run them, you can skip them with:

      gitlab-ctl promote-to-primary-node --skip-preflight-checks

      NOTE: In GitLab 13.7 and earlier, if you have a data type with zero items to sync and don't skip the preflight checks, promoting the secondary reports ERROR - Replication is not up-to-date even if replication is actually up-to-date. If replication and verification output shows that it is complete, you can skip the preflight checks to make the command complete promotion. This bug was fixed in GitLab 13.8 and later.

    • To promote the secondary site to primary without any further confirmation, even when preflight checks fail:

      gitlab-ctl promote-to-primary-node --force
  4. Verify you can connect to the newly-promoted primary site using the URL used previously for the secondary site.

  5. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site with multiple nodes running GitLab 14.5 and later

  1. SSH to every Sidekiq, PostgresSQL, and Gitaly node in the secondary site and run one of the following commands:

    • To promote the node on the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  2. SSH into each Rails node on your secondary site and run one of the following commands:

    • To promote the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  3. Verify you can connect to the newly-promoted primary site using the URL used previously for the secondary site.

  4. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site with multiple nodes running GitLab 14.4 and earlier

WARNING: The gitlab-ctl promote-to-primary-node and gitlab-ctl promoted-db commands are deprecated in GitLab 14.5 and later, and removed in GitLab 15.0. Use gitlab-ctl geo promote instead.

The gitlab-ctl promote-to-primary-node command cannot be used yet in conjunction with multiple nodes, as it can only perform changes on a secondary with only a single node. Instead, you must do this manually.

  1. SSH in to the database node in the secondary site and trigger PostgreSQL to promote to read-write:

    sudo gitlab-ctl promote-db

    In GitLab 12.8 and earlier, see Message: sudo: gitlab-pg-ctl: command not found.

  2. Edit /etc/gitlab/gitlab.rb on every node in the secondary site to reflect its new status as primary by removing any of the following lines that might be present:

    geo_secondary_role['enable'] = true
    roles ['geo_secondary_role']

    After making these changes, reconfigure GitLab on each machine so the changes take effect.

  3. Promote the secondary to primary. SSH into a single application server and execute:

    sudo gitlab-rake geo:set_secondary_as_primary
  4. Verify you can connect to the newly-promoted primary using the URL used previously for the secondary.

  5. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site with a Patroni standby cluster running GitLab 14.5 and later

  1. SSH to every Sidekiq, PostgresSQL, and Gitaly node in the secondary site and run one of the following commands:

    • To promote the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  2. SSH into each Rails node on your secondary site and run one of the following commands:

    • To promote the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  3. Verify you can connect to the newly-promoted primary site using the URL used previously for the secondary site.

  4. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site with a Patroni standby cluster running GitLab 14.4 and earlier

WARNING: The gitlab-ctl promote-to-primary-node and gitlab-ctl promoted-db commands are deprecated in GitLab 14.5 and later, and removed in GitLab 15.0. Use gitlab-ctl geo promote instead.

The gitlab-ctl promote-to-primary-node command cannot be used yet in conjunction with a Patroni standby cluster, as it can only perform changes on a secondary with only a single node. Instead, you must do this manually.

  1. SSH in to the Standby Leader database node in the secondary site and trigger PostgreSQL to promote to read-write:

    sudo gitlab-ctl promote-db
  2. Edit /etc/gitlab/gitlab.rb on every application and Sidekiq nodes in the secondary to reflect its new status as primary by removing any of the following lines that might be present:

    geo_secondary_role['enable'] = true
    roles ['geo_secondary_role']
  3. Edit /etc/gitlab/gitlab.rb on every Patroni node in the secondary to disable the standby cluster:

    patroni['standby_cluster']['enable'] = false
  4. Reconfigure GitLab on each machine for the changes to take effect:

    sudo gitlab-ctl reconfigure
  5. Promote the secondary to primary. SSH into a single application server and execute:

    sudo gitlab-rake geo:set_secondary_as_primary
  6. Verify you can connect to the newly-promoted primary using the URL used previously for the secondary.

  7. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site with an external PostgreSQL database running GitLab 14.5 and later

The gitlab-ctl geo promote command can be used in conjunction with an external PostgreSQL database. In this case, you must first manually promote the replica database associated with the secondary site:

  1. Promote the replica database associated with the secondary site. This sets the database to read-write. The instructions vary depending on where your database is hosted:

    • Amazon RDS

    • Azure PostgreSQL

    • Google Cloud SQL

    • For other external PostgreSQL databases, save the following script in your secondary site, for example /tmp/geo_promote.sh, and modify the connection parameters to match your environment. Then, execute it to promote the replica:

      #!/bin/bash
      
      PG_SUPERUSER=postgres
      
      # The path to your pg_ctl binary. You may need to adjust this path to match
      # your PostgreSQL installation
      PG_CTL_BINARY=/usr/lib/postgresql/10/bin/pg_ctl
      
      # The path to your PostgreSQL data directory. You may need to adjust this
      # path to match your PostgreSQL installation. You can also run
      # `SHOW data_directory;` from PostgreSQL to find your data directory
      PG_DATA_DIRECTORY=/etc/postgresql/10/main
      
      # Promote the PostgreSQL database and allow read/write operations
      sudo -u $PG_SUPERUSER $PG_CTL_BINARY -D $PG_DATA_DIRECTORY promote
  2. SSH to every Sidekiq, PostgresSQL, and Gitaly node in the secondary site and run one of the following commands:

    • To promote the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  3. SSH into each Rails node on your secondary site and run one of the following commands:

    • To promote the secondary site to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  4. Verify you can connect to the newly-promoted primary site using the URL used previously for the secondary site.

  5. If successful, the secondary site is now promoted to the primary site.

Promoting a secondary site with an external PostgreSQL database running GitLab 14.4 and earlier

WARNING: The gitlab-ctl promote-to-primary-node and gitlab-ctl promoted-db commands are deprecated in GitLab 14.5 and later, and removed in GitLab 15.0. Use gitlab-ctl geo promote instead.

The gitlab-ctl promote-to-primary-node command cannot be used in conjunction with an external PostgreSQL database, as it can only perform changes on a secondary node with GitLab and the database on the same machine. As a result, a manual process is required:

  1. Promote the replica database associated with the secondary site. This sets the database to read-write. The instructions vary depending on where your database is hosted:

    • Amazon RDS

    • Azure PostgreSQL

    • Google Cloud SQL

    • For other external PostgreSQL databases, save the following script in your secondary site, for example /tmp/geo_promote.sh, and modify the connection parameters to match your environment. Then, execute it to promote the replica:

      #!/bin/bash
      
      PG_SUPERUSER=postgres
      
      # The path to your pg_ctl binary. You may need to adjust this path to match
      # your PostgreSQL installation
      PG_CTL_BINARY=/usr/lib/postgresql/10/bin/pg_ctl
      
      # The path to your PostgreSQL data directory. You may need to adjust this
      # path to match your PostgreSQL installation. You can also run
      # `SHOW data_directory;` from PostgreSQL to find your data directory
      PG_DATA_DIRECTORY=/etc/postgresql/10/main
      
      # Promote the PostgreSQL database and allow read/write operations
      sudo -u $PG_SUPERUSER $PG_CTL_BINARY -D $PG_DATA_DIRECTORY promote
  2. Edit /etc/gitlab/gitlab.rb on every node in the secondary site to reflect its new status as primary by removing any of the following lines that might be present:

    geo_secondary_role['enable'] = true
    roles ['geo_secondary_role']

    After making these changes Reconfigure GitLab on each node so the changes take effect.

  3. Promote the secondary to primary. SSH into a single secondary application node and execute:

    sudo gitlab-rake geo:set_secondary_as_primary
  4. Verify you can connect to the newly-promoted primary using the URL used previously for the secondary.

  5. If successful, the secondary site is now promoted to the primary site.

Step 4. (Optional) Updating the primary domain DNS record

Updating the DNS records for the primary domain to point to the secondary site to prevent the need to update all references to the primary domain to the secondary domain, like changing Git remotes and API URLs.

  1. SSH into the secondary site and login as root:

    sudo -i
  2. Update the primary domain's DNS record. After updating the primary domain's DNS records to point to the secondary site, edit /etc/gitlab/gitlab.rb on the secondary site to reflect the new URL:

    # Change the existing external_url configuration
    external_url 'https://<new_external_url>'

    NOTE: Changing external_url does not prevent access via the old secondary URL, as long as the secondary DNS records are still intact.

  3. Reconfigure the secondary site for the change to take effect:

    gitlab-ctl reconfigure
  4. Execute the command below to update the newly promoted primary site URL:

    gitlab-rake geo:update_primary_node_url

    This command uses the changed external_url configuration defined in /etc/gitlab/gitlab.rb.

  5. For GitLab 12.0 through 12.7, you may need to update the primary site's name in the database. This bug has been fixed in GitLab 12.8.

    To determine if you need to do this, search for the gitlab_rails["geo_node_name"] setting in your /etc/gitlab/gitlab.rb file. If it is commented out with # or not found at all, then you need to update the primary site's name in the database. You can search for it like so:

    grep "geo_node_name" /etc/gitlab/gitlab.rb

    To update the primary site's name in the database:

    gitlab-rails runner 'Gitlab::Geo.primary_node.update!(name: GeoNode.current_node_name)'
  6. Verify you can connect to the newly promoted primary using its URL. If you updated the DNS records for the primary domain, these changes may not have yet propagated depending on the previous DNS records TTL.

Step 5. (Optional) Add secondary Geo site to a promoted primary site

Promoting a secondary site to primary site using the process above does not enable Geo on the new primary site.

To bring a new secondary site online, follow the Geo setup instructions.

Step 6. (Optional) Removing the secondary's tracking database

Every secondary has a special tracking database that is used to save the status of the synchronization of all the items from the primary. Because the secondary is already promoted, that data in the tracking database is no longer required.

The data can be removed with the following command:

sudo rm -rf /var/opt/gitlab/geo-postgresql

If you have any geo_secondary[] configuration options enabled in your gitlab.rb file, these can be safely commented out or removed, and then reconfigure GitLab for the changes to take effect.

Promoting secondary Geo replica in multi-secondary configurations

If you have more than one secondary site and you need to promote one of them, we suggest you follow Promoting a secondary Geo site in single-secondary configurations and after that you also need two extra steps.

Step 1. Prepare the new primary site to serve one or more secondary sites

  1. SSH into the new primary site and login as root:

    sudo -i
  2. Edit /etc/gitlab/gitlab.rb:

    ## Enable a Geo Primary role (if you haven't yet)
    roles ['geo_primary_role']
    
    ##
    # Allow PostgreSQL client authentication from the primary and secondary IPs. These IPs may be
    # public or VPC addresses in CIDR format, for example ['198.51.100.1/32', '198.51.100.2/32']
    ##
    postgresql['md5_auth_cidr_addresses'] = ['<primary_site_ip>/32', '<secondary_site_ip>/32']
    
    # Every secondary site needs to have its own slot so specify the number of secondary sites you're going to have
    # postgresql['max_replication_slots'] = 1 # Set this to be the number of Geo secondary nodes if you have more than one
    
    ##
    ## Disable automatic database migrations temporarily
    ## (until PostgreSQL is restarted and listening on the private address).
    ##
    gitlab_rails['auto_migrate'] = false

    (For more details about these settings you can read Configure the primary server)

  3. Save the file and reconfigure GitLab for the database listen changes and the replication slot changes to be applied:

    gitlab-ctl reconfigure

    Restart PostgreSQL for its changes to take effect:

    gitlab-ctl restart postgresql
  4. Re-enable migrations now that PostgreSQL is restarted and listening on the private address.

    Edit /etc/gitlab/gitlab.rb and change the configuration to true:

    gitlab_rails['auto_migrate'] = true

    Save the file and reconfigure GitLab:

    gitlab-ctl reconfigure

Step 2. Initiate the replication process

Now we need to make each secondary site listen to changes on the new primary site. To do that you need to initiate the replication process again but this time for another primary site. All the old replication settings are overwritten.

Promoting a secondary Geo cluster in the GitLab Helm chart

When updating a cloud-native Geo deployment, the process for updating any node that is external to the secondary Kubernetes cluster does not differ from the non cloud-native approach. As such, you can always defer to Promoting a secondary Geo site in single-secondary configurations for more information.

The following sections assume you are using the gitlab namespace. If you used a different namespace when setting up your cluster, you should also replace --namespace gitlab with your namespace.

WARNING: In GitLab 13.2 and 13.3, promoting a secondary site to a primary while the secondary is paused fails. Do not pause replication before promoting a secondary. If the site is paused, be sure to resume before promoting. This issue has been fixed in GitLab 13.4 and later.

Step 1. Permanently disable the primary cluster

WARNING: If the primary site goes offline, there may be data saved on the primary site that has not been replicated to the secondary site. This data should be treated as lost if you proceed.

If an outage on the primary site happens, you should do everything possible to avoid a split-brain situation where writes can occur in two different GitLab instances, complicating recovery efforts. So to prepare for the failover, you must disable the primary site:

  • If you have access to the primary Kubernetes cluster, connect to it and disable the GitLab webservice and Sidekiq pods:

    kubectl --namespace gitlab scale deploy gitlab-geo-webservice-default --replicas=0
    kubectl --namespace gitlab scale deploy gitlab-geo-sidekiq-all-in-1-v1 --replicas=0
  • If you do not have access to the primary Kubernetes cluster, take the cluster offline and prevent it from coming back online by any means at your disposal. You might need to:

    • Reconfigure the load balancers.
    • Change DNS records (for example, point the primary DNS record to the secondary site to stop usage of the primary site).
    • Stop the virtual servers.
    • Block traffic through a firewall.
    • Revoke object storage permissions from the primary site.
    • Physically disconnect a machine.

Step 2. Promote all secondary site nodes external to the cluster

WARNING: If the secondary site has been paused, this performs a point-in-time recovery to the last known state. Data that was created on the primary while the secondary was paused is lost.

If you are running GitLab 14.5 and later:

  1. For each node outside of the secondary Kubernetes cluster using Omnibus such as PostgreSQL or Gitaly, SSH into the node and run one of the following commands:

    • To promote the secondary site node external to the Kubernetes cluster to primary:

      sudo gitlab-ctl geo promote
    • To promote the secondary site node external to the Kubernetes cluster to primary without any further confirmation:

      sudo gitlab-ctl geo promote --force
  2. Find the toolbox pod:

    kubectl --namespace gitlab get pods -lapp=toolbox
  3. Promote the secondary:

    kubectl --namespace gitlab exec -ti gitlab-geo-toolbox-XXX -- gitlab-rake geo:set_secondary_as_primary

If you are running GitLab 14.4 and earlier:

  1. SSH in to the database node in the secondary site and trigger PostgreSQL to promote to read-write:

    sudo gitlab-ctl promote-db
  2. Edit /etc/gitlab/gitlab.rb on the database node in the secondary site to reflect its new status as primary by removing any lines that enabled the geo_secondary_role:

    NOTE: Depending on your architecture, these steps need to run on any GitLab node that is external to the secondary Kubernetes cluster.

    ## In pre-11.5 documentation, the role was enabled as follows. Remove this line.
    geo_secondary_role['enable'] = true
    
    ## In 11.5+ documentation, the role was enabled as follows. Remove this line.
    roles ['geo_secondary_role']

    After making these changes, reconfigure GitLab on the database node.

  3. Find the task runner pod:

    kubectl --namespace gitlab get pods -lapp=task-runner
  4. Promote the secondary:

    kubectl --namespace gitlab exec -ti gitlab-geo-task-runner-XXX -- gitlab-rake geo:set_secondary_as_primary

Step 3. Promote the secondary cluster

  1. Update the existing cluster configuration.

    You can retrieve the existing configuration with Helm:

    helm --namespace gitlab get values gitlab-geo > gitlab.yaml

    The existing configuration contains a section for Geo that should resemble:

    geo:
       enabled: true
       role: secondary
       nodeName: secondary.example.com
       psql:
          host: geo-2.db.example.com
          port: 5431
          password:
             secret: geo
             key: geo-postgresql-password

    To promote the secondary cluster to a primary cluster, update role: secondary to role: primary.

    If the cluster remains as a primary site, you can remove the entire psql section; it refers to the tracking database and is ignored whilst the cluster is acting as a primary site.

    Update the cluster with the new configuration:

    helm upgrade --install --version <current Chart version> gitlab-geo gitlab/gitlab --namespace gitlab -f gitlab.yaml
  2. Verify you can connect to the newly promoted primary using the URL used previously for the secondary.

  3. Success! The secondary has now been promoted to primary.

Troubleshooting

This section was moved to another location.