Blackhole issues with CSP and gitlab_rails
NMRC Network Problem
Upgrade to one of the main servers failed.
System(s) impacted:
Nature of problem:
During an upgrade from 16.2 to 16.3 of GitLab, the pre-configuration failed, causing the entire upgrade to abort. There were two errors, one dealing with Grafana (which is deprecated) and one dealing with a database migration.
Potential resolution:
The Grafana issue was resolved by manually disabling Grafana in /etc/gitlab/gitlab.rb, which was interesting, as disabling it in the web interface did not seem to change the config file.
The errors with the database pointed to an action taken during reconfiguration that was similar to this issue. As that issue involved TLS, it reminded me I was using a heavily modified setting with gitlab_rails and a Content Security Policy, something that has caused issues in the past. Disabling the policy allowed the reconfiguration to run without errors, the upgrade ran without errors, and GitLab is now upgraded and functioning. This suggests one of the settings in the CSP needs to be adjusted, even though this doesn't make sense, but it was the only change made (and things were changed one at a time to find the culprit) that made things work. As finding the specific directive will involve a lot of trial and error, given the interaction between minor adjustments of the various directives and restarts (which are not quick), I will most likely perform this after hours instead of during a lunch hour to refine the CSP.