Toolbox
The Toolbox Pod is used to execute periodic housekeeping tasks within the GitLab application. These tasks include backups, Sidekiq maintenance, and Rake tasks.
Configuration
The following configuration settings are the default settings provided by the Toolbox chart:

```yaml
gitlab:
  ## doc/charts/gitlab/toolbox
  toolbox:
    enabled: true
    replicas: 1
    backups:
      cron:
        enabled: false
        concurrencyPolicy: Replace
        failedJobsHistoryLimit: 1
        schedule: "0 1 * * *"
        successfulJobsHistoryLimit: 3
        suspend: false
        backoffLimit: 6
        safeToEvict: false
        restartPolicy: "OnFailure"
        resources:
          requests:
            cpu: 50m
            memory: 350M
        persistence:
          enabled: false
          accessMode: ReadWriteOnce
          useGenericEphemeralVolume: false
          size: 10Gi
      objectStorage:
        backend: s3
        config: {}
    persistence:
      enabled: false
      accessMode: 'ReadWriteOnce'
      size: '10Gi'
    resources:
      requests:
        cpu: '50m'
        memory: '350M'
    securityContext:
      fsGroup: '1000'
      runAsUser: '1000'
      runAsGroup: '1000'
    containerSecurityContext:
      runAsUser: '1000'
    affinity: {}
```
| Parameter | Description | Default |
|---|---|---|
| `affinity` | Affinity rules for pod assignment | `{}` |
| `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` |
| `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` |
| `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | |
| `backups.cron.activeDeadlineSeconds` | Backup CronJob active deadline seconds (if null, no active deadline is applied) | `null` |
| `backups.cron.ttlSecondsAfterFinished` | Backup CronJob job time to live after finished (if null, no time to live is applied) | `null` |
| `backups.cron.safeToEvict` | Autoscaling safe-to-evict annotation | `false` |
| `backups.cron.backoffLimit` | Backup CronJob backoff limit | `6` |
| `backups.cron.concurrencyPolicy` | Kubernetes Job concurrency policy | `Replace` |
| `backups.cron.enabled` | Backup CronJob enabled flag | `false` |
| `backups.cron.extraArgs` | String of arguments to pass to the backup utility | |
| `backups.cron.failedJobsHistoryLimit` | Number of failed backup jobs kept in history | `1` |
| `backups.cron.persistence.accessMode` | Backup cron persistence access mode | `ReadWriteOnce` |
| `backups.cron.persistence.enabled` | Backup cron enable persistence flag | `false` |
| `backups.cron.persistence.matchExpressions` | Label-expression matches to bind | |
| `backups.cron.persistence.matchLabels` | Label-value matches to bind | |
| `backups.cron.persistence.useGenericEphemeralVolume` | Use a generic ephemeral volume | `false` |
| `backups.cron.persistence.size` | Backup cron persistence volume size | `10Gi` |
| `backups.cron.persistence.storageClass` | StorageClass name for provisioning | |
| `backups.cron.persistence.subPath` | Backup cron persistence volume mount path | |
| `backups.cron.persistence.volumeName` | Existing persistent volume name | |
| `backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` |
| `backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` |
| `backups.cron.restartPolicy` | Backup cron restart policy (`Never` or `OnFailure`) | `OnFailure` |
| `backups.cron.schedule` | Cron style schedule string | `0 1 * * *` |
| `backups.cron.startingDeadlineSeconds` | Backup cron job starting deadline, in seconds (if null, no starting deadline is applied) | `null` |
| `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs kept in history | `3` |
| `backups.cron.suspend` | Backup cron job is suspended | `false` |
| `backups.cron.timeZone` | Time zone for the backup schedule. For more information, see the Kubernetes documentation. Uses the cluster time zone if not specified. | `""` |
| `backups.cron.tolerations` | Tolerations to add to the backup cron job | `""` |
| `backups.cron.nodeSelector` | Backup cron job node selection | `""` |
| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` |
| `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | `""` |
| `backups.objectStorage.config.key` | Key containing credentials in secret | `""` |
| `backups.objectStorage.config.secret` | Object storage credentials secret | `""` |
| `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{ type: Recreate }` |
| `enabled` | Toolbox enablement flag | `true` |
| `extra` | YAML block for extra gitlab.yml configuration | `{}` |
| `image.pullPolicy` | Toolbox image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Toolbox image pull secrets | |
| `image.repository` | Toolbox image repository | `registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee` |
| `image.tag` | Toolbox image tag | `master` |
| `init.image.repository` | Toolbox init image repository | |
| `init.image.tag` | Toolbox init image tag | |
| `init.resources` | Toolbox init container resource requirements | `{ requests: { cpu: 50m } }` |
| `init.containerSecurityContext` | initContainer specific securityContext | |
| `init.containerSecurityContext.allowPrivilegeEscalation` | initContainer specific: Controls whether a process can gain more privileges than its parent process | `false` |
| `init.containerSecurityContext.runAsUser` | initContainer specific: User ID under which the container should be started | `1000` |
| `init.containerSecurityContext.runAsNonRoot` | initContainer specific: Controls whether the container runs with a non-root user | `true` |
| `init.containerSecurityContext.capabilities.drop` | initContainer specific: Removes Linux capabilities for the container | `[ "ALL" ]` |
| `nodeSelector` | Toolbox and backup job node selection | |
| `persistence.accessMode` | Toolbox persistence access mode | `ReadWriteOnce` |
| `persistence.enabled` | Toolbox enable persistence flag | `false` |
| `persistence.matchExpressions` | Label-expression matches to bind | |
| `persistence.matchLabels` | Label-value matches to bind | |
| `persistence.size` | Toolbox persistence volume size | `10Gi` |
| `persistence.storageClass` | StorageClass name for provisioning | |
| `persistence.subPath` | Toolbox persistence volume mount path | |
| `persistence.volumeName` | Existing PersistentVolume name | |
| `podLabels` | Labels for running Toolbox Pods | `{}` |
| `priorityClassName` | Priority class assigned to pods. | |
| `replicas` | Number of Toolbox Pods to run | `1` |
| `resources.requests` | Toolbox minimum requested resources | `{ cpu: 50m, memory: 350M }` |
| `securityContext.fsGroup` | File System Group ID under which the pod should be started | `1000` |
| `securityContext.runAsUser` | User ID under which the pod should be started | `1000` |
| `securityContext.runAsGroup` | Group ID under which the pod should be started | `1000` |
| `securityContext.fsGroupChangePolicy` | Policy for changing ownership and permission of the volume (requires Kubernetes 1.23) | |
| `securityContext.seccompProfile.type` | Seccomp profile to use | `RuntimeDefault` |
| `containerSecurityContext` | Override container securityContext under which the container is started | |
| `containerSecurityContext.runAsUser` | Allows overriding the specific security context under which the container is started | `1000` |
| `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process of the container can gain more privileges than its parent process | `false` |
| `containerSecurityContext.runAsNonRoot` | Controls whether the container runs with a non-root user | `true` |
| `containerSecurityContext.capabilities.drop` | Removes Linux capabilities for the Toolbox container | `[ "ALL" ]` |
| `serviceAccount.annotations` | Annotations for ServiceAccount | `{}` |
| `serviceAccount.automountServiceAccountToken` | Indicates whether or not the default ServiceAccount access token should be mounted in pods | `false` |
| `serviceAccount.enabled` | Indicates whether or not to use a ServiceAccount | `false` |
| `serviceAccount.create` | Indicates whether or not a ServiceAccount should be created | `false` |
| `serviceAccount.name` | Name of the ServiceAccount. If not set, the full chart name is used | |
| `tolerations` | Tolerations to add to the Toolbox | |
| `extraEnvFrom` | List of extra environment variables from other data sources to expose | |
Configuring backups
Information about configuring backups is in the backup and restore documentation. Additional information about the technical implementation of how the backups are performed can be found in the backup and restore architecture documentation.
Persistence configuration
The persistent stores for backups and restorations are configured separately. Please review the following considerations when configuring GitLab for backup and restore operations.

Backups use the `backups.cron.persistence.*` properties and restorations use the `persistence.*` properties. Further descriptions concerning the configuration of a persistence store will use just the final property key (e.g. `.enabled` or `.size`) and the appropriate prefix will need to be added.

The persistence stores are disabled by default, thus `.enabled` needs to be set to `true` for a backup or restoration of any appreciable size. In addition, either `.storageClass` needs to be specified for a PersistentVolume to be created by Kubernetes or a PersistentVolume needs to be manually created. If `.storageClass` is specified as `'-'`, then the PersistentVolume will be created using the default StorageClass as specified in the Kubernetes cluster. If the PersistentVolume is created manually, then the volume can be specified using the `.volumeName` property or by using the selector `.matchLabels` / `.matchExpressions` properties.

In most cases the default value of `.accessMode` will provide adequate controls for only Toolbox accessing the PersistentVolumes. Please consult the documentation for the CSI driver installed in the Kubernetes cluster to ensure that the setting is correct.
Backup considerations
A backup operation needs an amount of disk space to hold the individual components that are being backed up before they are written to the backup object store. The amount of disk space depends on the following factors:
- Number of projects and the amount of data stored under each project
- Size of the PostgreSQL database (issues, MRs, etc.)
- Size of each object store backend

Once the rough size has been determined, the `backups.cron.persistence.size` property can be set so that backups can commence.
Restore considerations
During the restoration of a backup, the backup needs to be extracted to disk before the files are replaced on the running instance. The size of this restoration disk space is controlled by the `persistence.size` property. Be mindful that as the size of the GitLab installation grows the size of the restoration disk space also needs to grow accordingly. In most cases the size of the restoration disk space should be the same size as the backup disk space.
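As an added example (not part of the chart documentation), the following values fragment applies the persistence, backup and restore sections above in one place: both persistence stores are enabled and sized together, a PersistentVolume is provisioned through a StorageClass, and the backup CronJob writes to an S3 object store. The StorageClass name, Secret name, time zone and sizes are constructed placeholders.

```yaml
# Added example values for the GitLab Toolbox chart (not from the chart docs).
# StorageClass name, Secret name, time zone and sizes are constructed placeholders.
gitlab:
  toolbox:
    enabled: true
    backups:
      cron:
        enabled: true                  # default is false: no backup CronJob exists until this is set
        schedule: "0 1 * * *"          # daily at 01:00
        timeZone: "Etc/UTC"            # example value; the cluster time zone is used if left unset
        concurrencyPolicy: Replace     # a still-running backup is replaced, never run twice in parallel
        persistence:
          enabled: true                # scratch space for the components before they reach object storage
          storageClass: example-fast   # hypothetical StorageClass; '-' would select the cluster default
          size: 200Gi                  # constructed; derive from repository, database and object store totals
          # Alternative for a manually created PersistentVolume (instead of storageClass):
          # volumeName: example-backup-pv
          # matchLabels:
          #   app: gitlab-backups
      objectStorage:
        backend: s3
        config:
          secret: example-backup-storage   # hypothetical Secret holding the object storage credentials
          key: config                      # key inside that Secret that contains the credentials
    persistence:
      enabled: true                    # restore scratch space: the archive is extracted here first
      storageClass: example-fast
      size: 200Gi                      # keep equal to backups.cron.persistence.size as the instance grows
      accessMode: ReadWriteOnce        # default; only the Toolbox Pod needs to mount this volume
```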
Toolbox included tools
The Toolbox container contains useful GitLab tools such as Rails console, Rake tasks, etc. These commands allow one to check the status of the database migrations, execute Rake tasks for administrative tasks, interact with the Rails console:
```shell
# locate the Toolbox pod
kubectl get pods -lapp=toolbox
# Launch a shell inside the pod
kubectl exec -it <Toolbox pod name> -- bash
# open Rails console
gitlab-rails console -e production
# execute a Rake task
gitlab-rake gitlab:env:info
```
affinity
For more information, see `affinity`.