diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index e65c8834ada..ff30ca95eda 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -6ed17e45a50357b3cece084cd26e833bc3443089 +575e8b7baeb800a8d0d0f28a80c0461a7a0db741 diff --git a/app/assets/javascripts/diffs/components/tree_list.vue b/app/assets/javascripts/diffs/components/tree_list.vue index 1fce55ce804..6b9b96741fb 100644 --- a/app/assets/javascripts/diffs/components/tree_list.vue +++ b/app/assets/javascripts/diffs/components/tree_list.vue @@ -12,6 +12,7 @@ import micromatch from 'micromatch'; import { getModifierKey } from '~/constants'; import { s__, sprintf } from '~/locale'; import { RecycleScroller } from 'vendor/vue-virtual-scroller'; +import { isElementClipped } from '~/lib/utils/common_utils'; import DiffFileRow from './diff_file_row.vue'; import TreeListHeight from './tree_list_height.vue'; @@ -152,6 +153,8 @@ export default { ...mapActions('diffs', ['toggleTreeOpen', 'goToFile', 'setRenderTreeList', 'setTreeOpen']), scrollVirtualScrollerToFileHash(hash) { + const item = document.querySelector(`[data-file-row="${hash}"]`); + if (item && !isElementClipped(item, this.$refs.scroller.$el)) return; const index = this.treeList.findIndex((f) => f.fileHash === hash); if (index !== -1) { this.$refs.scroller.scrollToItem?.(index); @@ -234,6 +237,7 @@ export default { :class="{ 'tree-list-parent': item.level > 0 }" :tabindex="0" class="gl-relative !gl-m-1" + :data-file-row="item.fileHash" @toggleTreeOpen="toggleTreeOpen" @clickFile="(path) => goToFile({ path })" /> diff --git a/app/assets/javascripts/lib/utils/common_utils.js b/app/assets/javascripts/lib/utils/common_utils.js index 6ff002eb76a..c99726e076f 100644 --- a/app/assets/javascripts/lib/utils/common_utils.js +++ b/app/assets/javascripts/lib/utils/common_utils.js 
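Review bot: In `scrollVirtualScrollerToFileHash`, `hash` is interpolated unescaped into an attribute selector and looked up on the whole `document`. A value containing a quote or backslash makes `querySelector` throw a `SyntaxError`, and a row with the same hash rendered elsewhere on the page could be matched instead of this tree's row. Where `hash` comes from is not visible in the hunk; if it can be derived from the URL fragment it should be treated as untrusted input. I would scope and escape the lookup: ``const item = this.$el.querySelector(`[data-file-row="${CSS.escape(hash)}"]`);``. The method's body continues past the end of the hunk.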
@@ -149,6 +149,18 @@ export const isInViewport = (el, offset = {}) => { ); }; +export const isElementClipped = (element, scrollContainer) => { + const elementRect = element.getBoundingClientRect(); + const containerRect = scrollContainer.getBoundingClientRect(); + + return ( + elementRect.top < containerRect.top || + elementRect.bottom > containerRect.bottom || + elementRect.left < containerRect.left || + elementRect.right > containerRect.right + ); +}; + export const isModifierKey = (e) => e.metaKey || e.ctrlKey || e.altKey || e.shiftKey; export const isMetaKey = (e) => e.metaKey || e.ctrlKey; diff --git a/app/assets/javascripts/pages/shared/wikis/components/wiki_form.vue b/app/assets/javascripts/pages/shared/wikis/components/wiki_form.vue index 344d4ddf829..0ffafff7b40 100644 --- a/app/assets/javascripts/pages/shared/wikis/components/wiki_form.vue +++ b/app/assets/javascripts/pages/shared/wikis/components/wiki_form.vue @@ -439,11 +439,6 @@ export default {
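Review bot: `isElementClipped` is exported without a doc comment, and its contract is not obvious from the name. It returns true as soon as any edge of the element's bounding rectangle lies outside the container's, so a partially visible element counts as clipped. It also calls `getBoundingClientRect()` on both arguments unconditionally, so a null `scrollContainer` throws. I would add a JSDoc block above it that states both points and carries `@param {HTMLElement} element`, `@param {HTMLElement} scrollContainer` and `@returns {boolean}`.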
- + {{ + __('Generate page path from title') + }}
diff --git a/app/assets/javascripts/search/results/utils.js b/app/assets/javascripts/search/results/utils.js index 707a9b2896a..23d0653fba7 100644 --- a/app/assets/javascripts/search/results/utils.js +++ b/app/assets/javascripts/search/results/utils.js @@ -22,7 +22,7 @@ export const markSearchTerm = (str = '', highlights = []) => { const chars = str.split(''); [...highlights].reverse().forEach((highligh) => { const [start, end] = highligh; - chars.splice(end, 0, HIGHLIGHT_MARK); + chars.splice(end + 1, 0, HIGHLIGHT_MARK); chars.splice(start, 0, HIGHLIGHT_MARK); }); diff --git a/app/assets/javascripts/security_configuration/components/app.vue b/app/assets/javascripts/security_configuration/components/app.vue index 9a71cf5cd06..079be610f27 100644 --- a/app/assets/javascripts/security_configuration/components/app.vue +++ b/app/assets/javascripts/security_configuration/components/app.vue @@ -12,12 +12,12 @@ import { AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY, TAB_VULNERABILITY_MANAGEMENT_INDEX, i18n, - PRE_RECEIVE_SECRET_DETECTION, + SECRET_PUSH_PROTECTION, } from '../constants'; import AutoDevOpsAlert from './auto_dev_ops_alert.vue'; import AutoDevOpsEnabledAlert from './auto_dev_ops_enabled_alert.vue'; import FeatureCard from './feature_card.vue'; -import PreReceiveSecretDetectionFeatureCard from './pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from './secret_push_protection_feature_card.vue'; import TrainingProviderList from './training_provider_list.vue'; export default { @@ -26,7 +26,7 @@ export default { AutoDevOpsAlert, AutoDevOpsEnabledAlert, FeatureCard, - PreReceiveSecretDetectionFeatureCard, + SecretPushProtectionFeatureCard, GlAlert, GlLink, GlSprintf, 
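Review bot: With `chars.splice(end + 1, 0, HIGHLIGHT_MARK)` the `end` offset is now treated as inclusive, but nothing in `markSearchTerm` states that convention or checks the offsets against `chars.length`. `splice` clamps an out-of-range index and counts a negative one from the end, so a bad pair from the caller would silently move the marks rather than fail. I would add a comment above the loop such as `// each highlight is [start, end], both inclusive, in UTF-16 code units of str`, and consider skipping pairs where `start < 0 || end >= chars.length || start > end`. The function starts and ends outside the hunk.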
@@ -106,8 +106,8 @@ export default { }, methods: { getComponentName(feature) { - if (feature.type === PRE_RECEIVE_SECRET_DETECTION) { - return 'pre-receive-secret-detection-feature-card'; + if (feature.type === SECRET_PUSH_PROTECTION) { + return 'secret-push-protection-feature-card'; } if (feature.type === REPORT_TYPE_CONTAINER_SCANNING_FOR_REGISTRY) { return 'container-scanning-for-registry-feature-card'; diff --git a/app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue similarity index 90% rename from app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue rename to app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue index 6552c34a797..925e533e992 100644 --- a/app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue +++ b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue @@ -9,11 +9,11 @@ import { GlButton, GlTooltipDirective, } from '@gitlab/ui'; -import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; +import ProjectPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; import { __, s__ } from '~/locale'; export default { - name: 'PreReceiveSecretDetectionFeatureCard', + name: 'SecretPushProtectionFeatureCard', components: { GlCard, GlIcon, @@ -27,8 +27,8 @@ export default { GlTooltip: GlTooltipDirective, }, inject: [ - 'preReceiveSecretDetectionAvailable', - 'preReceiveSecretDetectionEnabled', + 'secretPushProtectionAvailable', + 'secretPushProtectionEnabled', 'userIsProjectAdmin', 'projectFullPath', 'secretDetectionConfigurationPath', 
@@ -41,7 +41,7 @@ export default { }, data() { return { - toggleValue: this.preReceiveSecretDetectionEnabled, + toggleValue: this.secretPushProtectionEnabled, errorMessage: '', isAlertDismissed: false, }; @@ -73,13 +73,13 @@ export default { }; }, isToggleDisabled() { - return !this.preReceiveSecretDetectionAvailable || !this.userIsProjectAdmin; + return !this.secretPushProtectionAvailable || !this.userIsProjectAdmin; }, showLock() { return this.isToggleDisabled && this.available; }, featureLockDescription() { - if (!this.preReceiveSecretDetectionAvailable) { + if (!this.secretPushProtectionAvailable) { return this.$options.i18n.tooltipDescription; } if (!this.userIsProjectAdmin) { @@ -96,10 +96,10 @@ export default { this.errorMessage = error; this.isAlertDismissed = false; }, - async togglePreReceiveSecretDetection(checked) { + async toggleSecretPushProtection(checked) { try { const { data } = await this.$apollo.mutate({ - mutation: ProjectSetPreReceiveSecretDetection, + mutation: ProjectPreReceiveSecretDetection, variables: { input: { namespacePath: this.projectFullPath, @@ -203,7 +203,7 @@ export default { :value="toggleValue" :label="s__('SecurityConfiguration|Toggle secret push protection')" label-position="hidden" - @change="togglePreReceiveSecretDetection" + @change="toggleSecretPushProtection" /> { containerScanningForRegistryEnabled, secretDetectionConfigurationPath, ...parseBooleanDataAttributes(el, [ - 'preReceiveSecretDetectionAvailable', - 'preReceiveSecretDetectionEnabled', + 'secretPushProtectionAvailable', + 'secretPushProtectionEnabled', 'userIsProjectAdmin', ]), }, diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index be80a38d8bf..3bb5ed7d3c3 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb 
@@ -19,6 +19,8 @@ class ApplicationSetting < ApplicationRecord encrypted_vertex_ai_access_token_iv ], remove_with: '17.10', remove_after: '2025-02-15' + ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' + ignore_columns %i[ elasticsearch_aws elasticsearch_search diff --git a/app/models/concerns/protected_ref.rb b/app/models/concerns/protected_ref.rb index 9c3daad45b4..f9f72ffc92d 100644 --- a/app/models/concerns/protected_ref.rb +++ b/app/models/concerns/protected_ref.rb @@ -3,6 +3,7 @@ module ProtectedRef extend ActiveSupport::Concern + include Gitlab::Utils::StrongMemoize include Importable included do @@ -60,7 +61,9 @@ module ProtectedRef private def ref_matcher - @ref_matcher ||= RefMatcher.new(name) + strong_memoize_with(:ref_matcher, name) do + RefMatcher.new(name) + end end end diff --git a/app/models/projects/branch_rules/squash_option.rb b/app/models/projects/branch_rules/squash_option.rb index cae8cb5e7e0..62b599d8834 100644 --- a/app/models/projects/branch_rules/squash_option.rb +++ b/app/models/projects/branch_rules/squash_option.rb @@ -11,7 +11,7 @@ module Projects validates :protected_branch, uniqueness: true validate :validate_protected_branch_not_wildcard - validate :validate_protected_branch_belongs_to_project + validate :validate_protected_branch_belongs_to_project, if: -> { protected_branch_changed? || project_changed? } def branch_rule ::Projects::BranchRule.new(project, protected_branch) diff --git a/app/presenters/projects/security/configuration_presenter.rb b/app/presenters/projects/security/configuration_presenter.rb index 7df38dd7d6f..8d81c2f2ad7 100644 --- a/app/presenters/projects/security/configuration_presenter.rb +++ b/app/presenters/projects/security/configuration_presenter.rb 
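Review bot: `remove_with: '17.9'` on the new `ignore_column :pre_receive_secret_detection_enabled` names the same milestone as the migrations that start the rename (`milestone '17.9'`), while the neighbouring ignore rule uses `remove_with: '17.10'` with the same `remove_after` date. The old column still exists after `rename_column_concurrently`, and no cleanup migration is visible in this part of the diff. The ignore rule therefore probably has to outlive this release, and `remove_with`/`remove_after` should point at the release that ships after the column is actually dropped. Whether the model for `project_security_settings` gets a matching `ignore_column` for its renamed column cannot be seen here and is worth confirming.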
@@ -21,9 +21,9 @@ module Projects gitlab_ci_history_path: gitlab_ci_history_path, security_training_enabled: project.security_training_available?, container_scanning_for_registry_enabled: container_scanning_for_registry_enabled, - pre_receive_secret_detection_available: - Gitlab::CurrentSettings.current_application_settings.pre_receive_secret_detection_enabled, - pre_receive_secret_detection_enabled: pre_receive_secret_detection_enabled, + secret_push_protection_available: + Gitlab::CurrentSettings.current_application_settings.secret_push_protection_available, + secret_push_protection_enabled: secret_push_protection_enabled, user_is_project_admin: user_is_project_admin?, secret_detection_configuration_path: secret_detection_configuration_path } @@ -65,9 +65,9 @@ module Projects scans << scan(:dast_profiles, configured: true) # Add pre-receive before secret detection - if project.licensed_feature_available?(:pre_receive_secret_detection) + if project.licensed_feature_available?(:secret_push_protection) secret_detection_index = scans.index { |scan| scan[:type] == :secret_detection } || -1 - scans.insert(secret_detection_index, scan(:pre_receive_secret_detection, configured: true)) + scans.insert(secret_detection_index, scan(:secret_push_protection, configured: true)) end scans @@ -103,7 +103,7 @@ module Projects end def container_scanning_for_registry_enabled; end - def pre_receive_secret_detection_enabled; end + def secret_push_protection_enabled; end def secret_detection_configuration_path; end end end diff --git a/app/views/admin/application_settings/_performance.html.haml b/app/views/admin/application_settings/_performance.html.haml index cda88339ebf..1abc9e9dacb 100644 --- a/app/views/admin/application_settings/_performance.html.haml +++ b/app/views/admin/application_settings/_performance.html.haml 
@@ -5,7 +5,7 @@ .form-group - help_link = help_page_path('administration/operations/fast_ssh_key_lookup.md') - help_link_start = ''.html_safe % { url: help_link } - = f.gitlab_ui_checkbox_component :authorized_keys_enabled, _('Use authorized_keys file to authenticate SSH keys'), + = f.gitlab_ui_checkbox_component :authorized_keys_enabled, _('Use %{code_start}authorized_keys%{code_end} file to authenticate SSH keys').html_safe % { code_start: ''.html_safe, code_end: ''.html_safe }, help_text: _('Authenticate user SSH keys without requiring additional configuration. Performance of GitLab can be improved by using the GitLab database instead. %{link_start}How do I configure authentication using the GitLab database? %{link_end}').html_safe % { link_start: help_link_start, link_end: ''.html_safe} .form-group = f.label :raw_blob_request_limit, _('Raw blob request rate limit per minute'), class: 'label-bold' diff --git a/config/application_setting_columns/secret_push_protection_available.yml b/config/application_setting_columns/secret_push_protection_available.yml new file mode 100644 index 00000000000..8c2f8351c9d --- /dev/null +++ b/config/application_setting_columns/secret_push_protection_available.yml @@ -0,0 +1,15 @@ +--- +api_type: boolean +attr: secret_push_protection_available +clusterwide: true +column: secret_push_protection_available +db_type: boolean +default: 'false' +description: Allow projects to enable secret push protection. This does not enable + secret push protection. When you enable this feature, you accept the [GitLab Testing + Agreement](https://handbook.gitlab.com/handbook/legal/testing-agreement/). Ultimate + only. +encrypted: false +gitlab_com_different_than_default: true +jihu: false +not_null: true diff --git a/config/initializers/7_gitlab_http.rb b/config/initializers/7_gitlab_http.rb index 567f0b726db..2b2c1b80304 100644 --- a/config/initializers/7_gitlab_http.rb +++ b/config/initializers/7_gitlab_http.rb 
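Review bot: The new checkbox label calls `.html_safe` on the translated string before interpolating, which marks whatever the translation contains as trusted markup. The `help_text:` line below it already does the same. The values passed for `code_start` and `code_end` appear as empty strings in this view, presumably because the tags were stripped from the page. Building the label with the escaping helper keeps the translated text escaped and only the tags raw: `safe_format(_('Use %{code_start}authorized_keys%{code_end} file to authenticate SSH keys'), tag_pair(tag.code, :code_start, :code_end))`.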
@@ -23,7 +23,7 @@ Gitlab::HTTP_V2.configure do |config| Gitlab::SilentMode.log_info(message: message, outbound_http_request_method: http_method) end config.log_with_level_proc = ->(log_level, message_params) do - Gitlab::AppJsonLogger.public_send(log_level, message_params) + Gitlab::AppJsonLogger.public_send(log_level, Gitlab::ApplicationContext.current.merge(message_params)) end end diff --git a/db/docs/merge_requests_approval_rules.yml b/db/docs/merge_requests_approval_rules.yml new file mode 100644 index 00000000000..fc3ebd5900c --- /dev/null +++ b/db/docs/merge_requests_approval_rules.yml @@ -0,0 +1,13 @@ +--- +table_name: merge_requests_approval_rules +classes: + - MergeRequests::ApprovalRule +feature_categories: + - code_review_workflow +description: Main table that stores information about approval rules v2. +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179839 +milestone: '17.9' +gitlab_schema: gitlab_main_cell +sharding_key: + group_id: namespaces + project_id: projects diff --git a/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb new file mode 100644 index 00000000000..a7966414a7f --- /dev/null +++ b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +class RenamePreReceiveSecretDetectionEnabledToSecretPushProtectionEnabled < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + TABLE = :project_security_settings + + def up + rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, + :secret_push_protection_enabled, batch_column_name: :project_id + end + + def down + undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, + :secret_push_protection_enabled + end +end 
diff --git a/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb b/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb
new file mode 100644
index 00000000000..59285556da9
--- /dev/null
+++ b/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class RenamePreReceiveSecretDetectionEnabledToSecretPushProtectionAvailable < Gitlab::Database::Migration[2.2]
+ milestone '17.9'
+ disable_ddl_transaction!
+
+ TABLE = :application_settings
+
+ def up
+ rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, :secret_push_protection_available
+ end
+
+ def down
+ undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, :secret_push_protection_available
+ end
+end
diff --git a/db/migrate/20250123151650_create_merge_requests_approval_rules.rb b/db/migrate/20250123151650_create_merge_requests_approval_rules.rb
new file mode 100644
index 00000000000..700e18d4ded
--- /dev/null
+++ b/db/migrate/20250123151650_create_merge_requests_approval_rules.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class CreateMergeRequestsApprovalRules < Gitlab::Database::Migration[2.2]
+ milestone '17.9'
+
+ def change
+ create_table :merge_requests_approval_rules do |t| # -- Migration/EnsureFactoryForTable false positive
+ t.text :name, limit: 255, null: false
+ t.integer :approvals_required, null: false, default: 0
+ t.integer :rule_type, null: false, default: 0, limit: 2
+ t.integer :origin, null: false, default: 0, limit: 2
+ t.bigint :project_id, null: true
+ t.bigint :group_id, null: true
+ t.bigint :source_rule_id, null: true
+ t.index :project_id
+ t.index :group_id
+ t.index :source_rule_id
+ t.timestamps_with_timezone null: false
+ end
+ end
+end
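Review bot: `approvals_required` in `create_table :merge_requests_approval_rules` is a plain `integer` with `default: 0` and no lower bound, so the database would accept a negative count for a rule that gates merges. Any model validation is outside this hunk. A `CHECK (approvals_required >= 0)` constraint on the table would enforce the bound for every writer, in the same way the `limit: 255` on `name` ends up enforced in the schema. The `rule_type` and `origin` smallints would also benefit from a short comment naming where their values are defined.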
diff --git a/db/migrate/20250205094214_add_merge_requests_approval_rules_source_rule_fk.rb b/db/migrate/20250205094214_add_merge_requests_approval_rules_source_rule_fk.rb
new file mode 100644
index 00000000000..03a6a9ba8a7
--- /dev/null
+++ b/db/migrate/20250205094214_add_merge_requests_approval_rules_source_rule_fk.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddMergeRequestsApprovalRulesSourceRuleFk < Gitlab::Database::Migration[2.2]
+ milestone '17.9'
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :merge_requests_approval_rules, :merge_requests_approval_rules, column: :source_rule_id,
+ on_delete: :nullify
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :merge_requests_approval_rules, column: :source_rule_id
+ end
+ end
+end
diff --git a/db/migrate/20250205094243_add_merge_requests_approval_rules_project_fk.rb b/db/migrate/20250205094243_add_merge_requests_approval_rules_project_fk.rb
new file mode 100644
index 00000000000..40a1ee3859b
--- /dev/null
+++ b/db/migrate/20250205094243_add_merge_requests_approval_rules_project_fk.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddMergeRequestsApprovalRulesProjectFk < Gitlab::Database::Migration[2.2]
+ milestone '17.9'
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :merge_requests_approval_rules, :projects, column: :project_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :merge_requests_approval_rules, column: :project_id
+ end
+ end
+end
diff --git a/db/migrate/20250205094302_add_merge_requests_approval_rules_group_fk.rb b/db/migrate/20250205094302_add_merge_requests_approval_rules_group_fk.rb
new file mode 100644
index 00000000000..b558885fda6
--- /dev/null
+++ b/db/migrate/20250205094302_add_merge_requests_approval_rules_group_fk.rb
@@ -0,0 +1,16 @@ +# frozen_string_literal: true + +class AddMergeRequestsApprovalRulesGroupFk < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + def up + add_concurrent_foreign_key :merge_requests_approval_rules, :namespaces, column: :group_id, on_delete: :cascade + end + + def down + with_lock_retries do + remove_foreign_key :merge_requests_approval_rules, column: :group_id + end + end +end diff --git a/db/migrate/20250205094331_add_merge_requests_approval_rules_multi_column_not_null_constraint.rb b/db/migrate/20250205094331_add_merge_requests_approval_rules_multi_column_not_null_constraint.rb new file mode 100644 index 00000000000..b34c7ea12a4 --- /dev/null +++ b/db/migrate/20250205094331_add_merge_requests_approval_rules_multi_column_not_null_constraint.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +class AddMergeRequestsApprovalRulesMultiColumnNotNullConstraint < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + def up + add_multi_column_not_null_constraint(:merge_requests_approval_rules, :group_id, :project_id) + end + + def down + remove_multi_column_not_null_constraint(:merge_requests_approval_rules, :group_id, :project_id) + end +end diff --git a/db/schema_migrations/20250114030220 b/db/schema_migrations/20250114030220 new file mode 100644 index 00000000000..2244a495a22 --- /dev/null +++ b/db/schema_migrations/20250114030220 @@ -0,0 +1 @@ +555bf26fb6ee2d65df9aa7ebde9be19a8681563a053b74d3c9c2df1e2dc9dda9 \ No newline at end of file diff --git a/db/schema_migrations/20250114030822 b/db/schema_migrations/20250114030822 new file mode 100644 index 00000000000..2a744efc277 --- /dev/null +++ b/db/schema_migrations/20250114030822 @@ -0,0 +1 @@ +2d74e09c4f8df3a0e49762bc9bde7c802c33c0f1ac1498b83a3080dc35b93ba2 \ No newline at end of file diff --git a/db/schema_migrations/20250123151650 b/db/schema_migrations/20250123151650 new file mode 100644 index 00000000000..6fbb499a264 --- /dev/null 
+++ b/db/schema_migrations/20250123151650 @@ -0,0 +1 @@ +d149047a5d5fa4fa8242fde7f0d266cebef8d56e0db282d745c6da6e0f9f1c1d \ No newline at end of file diff --git a/db/schema_migrations/20250205094214 b/db/schema_migrations/20250205094214 new file mode 100644 index 00000000000..d8a44e1c1b5 --- /dev/null +++ b/db/schema_migrations/20250205094214 @@ -0,0 +1 @@ +b22251b9e81427177253b4121f677e6a690378b55cc2836e3da0019b71822629 \ No newline at end of file diff --git a/db/schema_migrations/20250205094243 b/db/schema_migrations/20250205094243 new file mode 100644 index 00000000000..45f04e8079f --- /dev/null +++ b/db/schema_migrations/20250205094243 @@ -0,0 +1 @@ +6d8e72cc35740ab5214c24b9d2094bce9289edd5c999ef89d4c2aa9b4d949a07 \ No newline at end of file diff --git a/db/schema_migrations/20250205094302 b/db/schema_migrations/20250205094302 new file mode 100644 index 00000000000..b54934da8ad --- /dev/null +++ b/db/schema_migrations/20250205094302 @@ -0,0 +1 @@ +89018d03700f67c3d24a34d03529697d7e75dcffad09c6234239a7c661746071 \ No newline at end of file diff --git a/db/schema_migrations/20250205094331 b/db/schema_migrations/20250205094331 new file mode 100644 index 00000000000..c5eb507d3af --- /dev/null +++ b/db/schema_migrations/20250205094331 @@ -0,0 +1 @@ +660df89c5562b36729e4f93d57ad28b761a275105a806eb91258fb01f3b3703f \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 0943c8d31fe..f40d29d46d7 100644 --- a/db/structure.sql +++ b/db/structure.sql 
@@ -403,6 +403,74 @@ BEGIN END; $$; +CREATE FUNCTION function_for_trigger_1baf8c8e1f66() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."pre_receive_secret_detection_enabled" := NEW."secret_push_protection_available"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_7f41427eda69() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."secret_push_protection_available" := NEW."pre_receive_secret_detection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_7fbecfcdf89a() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."pre_receive_secret_detection_enabled" := NEW."secret_push_protection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_897f35481f9a() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."secret_push_protection_enabled" := NEW."pre_receive_secret_detection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_b9839c6d713f() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NEW."pre_receive_secret_detection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."secret_push_protection_available" IS DISTINCT FROM 'false' THEN + NEW."pre_receive_secret_detection_enabled" = NEW."secret_push_protection_available"; + END IF; + + IF NEW."secret_push_protection_available" IS NOT DISTINCT FROM 'false' AND NEW."pre_receive_secret_detection_enabled" IS DISTINCT FROM 'false' THEN + NEW."secret_push_protection_available" = NEW."pre_receive_secret_detection_enabled"; + END IF; + + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_cbecfadbc3e8() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NEW."pre_receive_secret_detection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."secret_push_protection_enabled" IS DISTINCT FROM 'false' THEN + NEW."pre_receive_secret_detection_enabled" = NEW."secret_push_protection_enabled"; + END IF; + + IF NEW."secret_push_protection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."pre_receive_secret_detection_enabled" IS 
DISTINCT FROM 'false' THEN + NEW."secret_push_protection_enabled" = NEW."pre_receive_secret_detection_enabled"; + END IF; + + RETURN NEW; +END +$$; + CREATE FUNCTION gitlab_schema_prevent_write() RETURNS trigger LANGUAGE plpgsql AS $$ @@ -8037,6 +8105,7 @@ CREATE TABLE application_settings ( observability_settings jsonb DEFAULT '{}'::jsonb NOT NULL, search jsonb DEFAULT '{}'::jsonb NOT NULL, anti_abuse_settings jsonb DEFAULT '{}'::jsonb NOT NULL, + secret_push_protection_available boolean DEFAULT false, CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)), @@ -8104,6 +8173,7 @@ CREATE TABLE application_settings ( CONSTRAINT check_application_settings_transactional_emails_is_hash CHECK ((jsonb_typeof(transactional_emails) = 'object'::text)), CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)), CONSTRAINT check_babd774f3c CHECK ((char_length(secret_detection_service_url) <= 255)), + CONSTRAINT check_be6ab41dcc CHECK ((secret_push_protection_available IS NOT NULL)), CONSTRAINT check_bf5157a366 CHECK ((char_length(required_instance_ci_template) <= 1024)), CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)), CONSTRAINT check_d03919528d CHECK ((char_length(container_registry_vendor) <= 255)), 
@@ -15972,6 +16042,30 @@ CREATE TABLE merge_requests ( CONSTRAINT check_970d272570 CHECK ((lock_version IS NOT NULL)) ); +CREATE TABLE merge_requests_approval_rules ( + id bigint NOT NULL, + name text NOT NULL, + approvals_required integer DEFAULT 0 NOT NULL, + rule_type smallint DEFAULT 0 NOT NULL, + origin smallint DEFAULT 0 NOT NULL, + project_id bigint, + group_id bigint, + source_rule_id bigint, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL, + CONSTRAINT check_ba7b03c61a CHECK ((num_nonnulls(group_id, project_id) = 1)), + CONSTRAINT check_c7c36145b7 CHECK ((char_length(name) <= 255)) +); + +CREATE SEQUENCE merge_requests_approval_rules_id_seq + START WITH 1 + INCREMENT BY 1 + NO MINVALUE + NO MAXVALUE + CACHE 1; + +ALTER SEQUENCE merge_requests_approval_rules_id_seq OWNED BY merge_requests_approval_rules.id; + CREATE TABLE merge_requests_closing_issues ( id bigint NOT NULL, merge_request_id bigint NOT NULL, @@ -19539,7 +19633,9 @@ CREATE TABLE project_security_settings ( auto_fix_sast boolean DEFAULT true NOT NULL, continuous_vulnerability_scans_enabled boolean DEFAULT false NOT NULL, container_scanning_for_registry_enabled boolean DEFAULT false NOT NULL, - pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL + pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL, + secret_push_protection_enabled boolean DEFAULT false, + CONSTRAINT check_20a23efdb6 CHECK ((secret_push_protection_enabled IS NOT NULL)) ); CREATE SEQUENCE project_security_settings_project_id_seq 
@@ -25202,6 +25298,8 @@ ALTER TABLE ONLY merge_request_user_mentions ALTER COLUMN id SET DEFAULT nextval ALTER TABLE ONLY merge_requests ALTER COLUMN id SET DEFAULT nextval('merge_requests_id_seq'::regclass); +ALTER TABLE ONLY merge_requests_approval_rules ALTER COLUMN id SET DEFAULT nextval('merge_requests_approval_rules_id_seq'::regclass); + ALTER TABLE ONLY merge_requests_closing_issues ALTER COLUMN id SET DEFAULT nextval('merge_requests_closing_issues_id_seq'::regclass); ALTER TABLE ONLY merge_requests_compliance_violations ALTER COLUMN id SET DEFAULT nextval('merge_requests_compliance_violations_id_seq'::regclass); @@ -27760,6 +27858,9 @@ ALTER TABLE ONLY merge_request_reviewers ALTER TABLE ONLY merge_request_user_mentions ADD CONSTRAINT merge_request_user_mentions_pkey PRIMARY KEY (id); +ALTER TABLE ONLY merge_requests_approval_rules + ADD CONSTRAINT merge_requests_approval_rules_pkey PRIMARY KEY (id); + ALTER TABLE ONLY merge_requests_closing_issues ADD CONSTRAINT merge_requests_closing_issues_pkey PRIMARY KEY (id); @@ -33143,6 +33244,12 @@ CREATE INDEX index_merge_request_reviewers_on_user_id ON merge_request_reviewers CREATE UNIQUE INDEX index_merge_request_user_mentions_on_note_id ON merge_request_user_mentions USING btree (note_id) WHERE (note_id IS NOT NULL); +CREATE INDEX index_merge_requests_approval_rules_on_group_id ON merge_requests_approval_rules USING btree (group_id); + +CREATE INDEX index_merge_requests_approval_rules_on_project_id ON merge_requests_approval_rules USING btree (project_id); + +CREATE INDEX index_merge_requests_approval_rules_on_source_rule_id ON merge_requests_approval_rules USING btree (source_rule_id); + CREATE INDEX index_merge_requests_closing_issues_on_issue_id ON merge_requests_closing_issues USING btree (issue_id); CREATE INDEX index_merge_requests_closing_issues_on_merge_request_id ON merge_requests_closing_issues USING btree (merge_request_id); 
@@ -37729,6 +37836,8 @@ CREATE TRIGGER trigger_174b23fa3dfb BEFORE INSERT OR UPDATE ON approval_project_ CREATE TRIGGER trigger_18bc439a6741 BEFORE INSERT OR UPDATE ON packages_conan_metadata FOR EACH ROW EXECUTE FUNCTION trigger_18bc439a6741(); +CREATE TRIGGER trigger_1baf8c8e1f66 BEFORE UPDATE OF secret_push_protection_available ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_1baf8c8e1f66(); + CREATE TRIGGER trigger_1c0f1ca199a3 BEFORE INSERT OR UPDATE ON ci_resources FOR EACH ROW EXECUTE FUNCTION trigger_1c0f1ca199a3(); CREATE TRIGGER trigger_1ed40f4d5f4e BEFORE INSERT OR UPDATE ON packages_maven_metadata FOR EACH ROW EXECUTE FUNCTION trigger_1ed40f4d5f4e(); @@ -37853,6 +37962,10 @@ CREATE TRIGGER trigger_7de792ddbc05 BEFORE INSERT OR UPDATE ON dast_site_validat CREATE TRIGGER trigger_7e2eed79e46e BEFORE INSERT OR UPDATE ON abuse_reports FOR EACH ROW EXECUTE FUNCTION trigger_7e2eed79e46e(); +CREATE TRIGGER trigger_7f41427eda69 BEFORE UPDATE OF pre_receive_secret_detection_enabled ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_7f41427eda69(); + +CREATE TRIGGER trigger_7fbecfcdf89a BEFORE UPDATE OF secret_push_protection_enabled ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_7fbecfcdf89a(); + CREATE TRIGGER trigger_81b4c93e7133 BEFORE INSERT OR UPDATE ON pages_deployment_states FOR EACH ROW EXECUTE FUNCTION trigger_81b4c93e7133(); CREATE TRIGGER trigger_8204480b3a2e BEFORE INSERT OR UPDATE ON incident_management_escalation_rules FOR EACH ROW EXECUTE FUNCTION trigger_8204480b3a2e(); 
@@ -37861,6 +37974,8 @@ CREATE TRIGGER trigger_84d67ad63e93 BEFORE INSERT OR UPDATE ON wiki_page_slugs F CREATE TRIGGER trigger_85d89f0f11db BEFORE INSERT OR UPDATE ON issue_metrics FOR EACH ROW EXECUTE FUNCTION trigger_85d89f0f11db(); +CREATE TRIGGER trigger_897f35481f9a BEFORE UPDATE OF pre_receive_secret_detection_enabled ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_897f35481f9a(); + CREATE TRIGGER trigger_8a38ce2327de BEFORE INSERT OR UPDATE ON boards_epic_user_preferences FOR EACH ROW EXECUTE FUNCTION trigger_8a38ce2327de(); CREATE TRIGGER trigger_8ac78f164b2d BEFORE INSERT OR UPDATE ON design_management_repositories FOR EACH ROW EXECUTE FUNCTION trigger_8ac78f164b2d(); @@ -37923,6 +38038,8 @@ CREATE TRIGGER trigger_b7abb8fc4cf0 BEFORE INSERT OR UPDATE ON work_item_progres CREATE TRIGGER trigger_b8eecea7f351 BEFORE INSERT OR UPDATE ON dependency_proxy_manifest_states FOR EACH ROW EXECUTE FUNCTION trigger_b8eecea7f351(); +CREATE TRIGGER trigger_b9839c6d713f BEFORE INSERT ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_b9839c6d713f(); + CREATE TRIGGER trigger_c17a166692a2 BEFORE INSERT OR UPDATE ON audit_events_streaming_headers FOR EACH ROW EXECUTE FUNCTION trigger_c17a166692a2(); CREATE TRIGGER trigger_c59fe6f31e71 BEFORE INSERT OR UPDATE ON security_orchestration_policy_rule_schedules FOR EACH ROW EXECUTE FUNCTION trigger_c59fe6f31e71(); 
@@ -37937,6 +38054,8 @@ CREATE TRIGGER trigger_cac7c0698291 BEFORE INSERT OR UPDATE ON evidences FOR EAC CREATE TRIGGER trigger_catalog_resource_sync_event_on_project_update AFTER UPDATE ON projects FOR EACH ROW WHEN ((((old.name)::text IS DISTINCT FROM (new.name)::text) OR (old.description IS DISTINCT FROM new.description) OR (old.visibility_level IS DISTINCT FROM new.visibility_level))) EXECUTE FUNCTION insert_catalog_resource_sync_event(); +CREATE TRIGGER trigger_cbecfadbc3e8 BEFORE INSERT ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_cbecfadbc3e8(); + CREATE TRIGGER trigger_cd50823537a3 BEFORE INSERT OR UPDATE ON issuable_slas FOR EACH ROW EXECUTE FUNCTION trigger_cd50823537a3(); CREATE TRIGGER trigger_cf646a118cbb BEFORE INSERT OR UPDATE ON milestone_releases FOR EACH ROW EXECUTE FUNCTION trigger_cf646a118cbb(); @@ -38070,6 +38189,9 @@ ALTER TABLE ONLY cluster_agent_url_configurations ALTER TABLE ONLY incident_management_escalation_rules ADD CONSTRAINT fk_0314ee86eb FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; +ALTER TABLE ONLY merge_requests_approval_rules + ADD CONSTRAINT fk_03983bf729 FOREIGN KEY (group_id) REFERENCES namespaces(id) ON DELETE CASCADE; + ALTER TABLE ONLY audit_events_instance_google_cloud_logging_configurations ADD CONSTRAINT fk_03a15ca4fa FOREIGN KEY (stream_destination_id) REFERENCES audit_events_instance_external_streaming_destinations(id) ON DELETE SET NULL; @@ -38943,6 +39065,9 @@ ALTER TABLE ONLY scan_result_policies ALTER TABLE ONLY catalog_resource_versions ADD CONSTRAINT fk_7ad8849db4 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE; +ALTER TABLE ONLY merge_requests_approval_rules + ADD CONSTRAINT fk_7af76dbd21 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE; + ALTER TABLE ONLY issue_customer_relations_contacts ADD CONSTRAINT fk_7b92f835bb FOREIGN KEY (contact_id) REFERENCES customer_relations_contacts(id) ON DELETE CASCADE; 
@@ -39897,6 +40022,9 @@ ALTER TABLE ONLY application_settings ALTER TABLE ONLY issuable_severities ADD CONSTRAINT fk_f9df19ecb6 FOREIGN KEY (namespace_id) REFERENCES namespaces(id) ON DELETE CASCADE; +ALTER TABLE ONLY merge_requests_approval_rules + ADD CONSTRAINT fk_fa5b38e373 FOREIGN KEY (source_rule_id) REFERENCES merge_requests_approval_rules(id) ON DELETE SET NULL; + ALTER TABLE ONLY clusters_managed_resources ADD CONSTRAINT fk_fad3c3b2e2 FOREIGN KEY (environment_id) REFERENCES environments(id) ON DELETE CASCADE; diff --git a/doc/administration/gitlab_duo_self_hosted/configuration_types.md b/doc/administration/gitlab_duo_self_hosted/configuration_types.md new file mode 100644 index 00000000000..4fc3253b102 --- /dev/null +++ b/doc/administration/gitlab_duo_self_hosted/configuration_types.md 
@@ -0,0 +1,111 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Get started with GitLab Duo Self-Hosted.
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: GitLab Duo Self-Hosted configuration and authentication
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+There are two configuration options for self-managed customers:
+
+- **GitLab.com AI gateway**: Use the GitLab-managed AI gateway with default external
+ large language model (LLM) providers (for example, Google Vertex or Anthropic).
+- **Self-hosted AI gateway**: Deploy and manage your own AI gateway and language models in your infrastructure,
+ without depending on GitLab-provided external language providers.
+
+## GitLab.com AI gateway
+
+In this configuration, your GitLab instance depends on and sends requests to the external GitLab AI gateway, which communicates with external AI vendors such as Google Vertex or Anthropic. The response is then forwarded back to your GitLab instance.
+
+```mermaid
+%%{init: { "theme": "default", "fontFamily": "GitLab Sans", "sequence": { "actorFontSize": 12, "participantFontSize": 12, "messageFontSize": 12 } }}%%
+sequenceDiagram
+ actor User as User
+ participant SelfHostedGitLab as Self-hosted GitLab (Your Instance)
+ participant GitLabAIGateway as GitLab AI gateway (External)
+ participant GitLabAIVendor as GitLab AI Vendor (External)
+
+ User ->> SelfHostedGitLab: Send request
+ SelfHostedGitLab ->> SelfHostedGitLab: Check if self-hosted model is configured
+ SelfHostedGitLab ->> GitLabAIGateway: Forward request for AI processing
+ GitLabAIGateway ->> GitLabAIVendor: Create prompt and send request to AI model server
+ GitLabAIVendor -->> GitLabAIGateway: Respond to the prompt
+ GitLabAIGateway -->> SelfHostedGitLab: Forward AI response
+ SelfHostedGitLab -->> User: Forward AI response
+```
+
+## Self-hosted AI gateway
+
+In this configuration, the entire system is isolated within the enterprise, ensuring a fully self-hosted environment that safeguards data privacy.
+
+```mermaid
+%%{init: { "theme": "default", "fontFamily": "GitLab Sans", "sequence": { "actorFontSize": 12, "participantFontSize": 12, "messageFontSize": 12 } }}%%
+sequenceDiagram
+ actor User as User
+ participant SelfHostedGitLab as Self-hosted GitLab
+ participant SelfHostedAIGateway as Self-hosted AI gateway
+ participant SelfHostedModel as Self-hosted model
+
+ User ->> SelfHostedGitLab: Send request
+ SelfHostedGitLab ->> SelfHostedGitLab: Check if self-hosted model is configured
+ SelfHostedAIGateway ->> SelfHostedModel: Create prompt and perform request to AI model server
+ SelfHostedGitLab ->> SelfHostedAIGateway: Forward request for AI processing
+ SelfHostedModel -->> SelfHostedAIGateway: Respond to the prompt
+ SelfHostedAIGateway -->> SelfHostedGitLab: Forward AI response
+ SelfHostedGitLab -->> User: Forward AI response
+```
+
+For more information, see the [self-hosted model deployment blueprint](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/custom_models/).
+
+## Authentication for GitLab Duo Self-Hosted
+
+The authentication process for GitLab Duo Self-Hosted is secure, efficient, and made up of the following key components:
+
+- **Self-issued tokens**: In this architecture, access credentials are not synchronized with `cloud.gitlab.com`. Instead, tokens are self-issued dynamically, similar to the functionality on GitLab.com. This method provides users with immediate access while maintaining a high level of security.
+
+- **Offline environments**: In offline setups, there are no connections to `cloud.gitlab.com`. All requests are routed exclusively to the self-hosted AI gateway.
+
+- **Token minting and verification**: The instance mints the token, which is then verified by the AI gateway against the GitLab instance.
+
+- **Model configuration and security**: When an administrator configures a model, they can incorporate an API key to authenticate requests. Additionally, you can enhance security by specifying connection IP addresses within your network, ensuring that only trusted IPs can interact with the model.
+
+As illustrated in the following diagram:
+
+1. The authentication flow begins when the user configures the model through the GitLab instance and submits a request to access the GitLab Duo feature.
+1. The GitLab instance mints an access token, which the user forwards to GitLab and then to the AI gateway for verification.
+1. Upon confirming the token's validity, the AI gateway sends a request to the AI model, which uses the API key to authenticate the request and process it.
+1. The results are then relayed back to the GitLab instance, completing the flow by sending the response to the user, which is designed to be secure and efficient.
+
+```mermaid
+%%{init: { "theme": "default", "fontFamily": "GitLab Sans", "sequence": { "actorFontSize": 12, "participantFontSize": 12, "messageFontSize": 12 } }}%%
+ sequenceDiagram
+ participant User as User
+ participant GitLab as GitLab Instance
+ participant AI gateway as AI gateway
+ participant AIModel as AI Model
+
+ User->>GitLab: Configure Model
+ User->>GitLab: Request Access
+ GitLab->>GitLab: Mint Token
+ GitLab->>User: Send Token
+ User->>GitLab: Forward Minted Token
+ GitLab->>AI gateway: Verify Token
+ AI gateway->>GitLab: Token Validated
+ GitLab->>AI gateway: Send Request to Model
+ AI gateway->>AIModel: Send Request to Model
+ AIModel->>AIModel: Authenticate using API Key
+ AIModel->>AI gateway: Process Request
+ AI gateway->>GitLab: Send Result to GitLab
+ GitLab->>User: Send Response
+
+```
diff --git a/doc/administration/gitlab_duo_self_hosted/configure_duo_features.md b/doc/administration/gitlab_duo_self_hosted/configure_duo_features.md
new file mode 100644
index 00000000000..1eabf1823ab
--- /dev/null
+++ b/doc/administration/gitlab_duo_self_hosted/configure_duo_features.md
@@ -0,0 +1,158 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Configure your GitLab instance to use GitLab Duo Self-Hosted.
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: Configure GitLab to access GitLab Duo Self-Hosted
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+To configure your GitLab instance to access the available self-hosted models in your infrastructure:
+
+1. [Confirm that a fully self-hosted configuration is appropriate for your use case](index.md#decide-on-your-configuration-type).
+1. Configure your GitLab instance.
+1. Configure the self-hosted model.
+1. Configure the GitLab Duo features to use your self-hosted model.
+
+## Configure your GitLab instance
+
+Prerequisites:
+
+- [Upgrade to the latest version of GitLab](../../update/_index.md).
+
+To configure your GitLab instance to access the AI gateway:
+
+::Tabs
+
+:::TabTitle Linux package
+
+1. Where your GitLab instance is installed, update the `/etc/gitlab/gitlab.rb` file:
+
+ ```shell
+ sudo vim /etc/gitlab/gitlab.rb
+ ```
+
+1. Add and save the following environment variables:
+
+ ```ruby
+ gitlab_rails['env'] = {
+ 'AI_GATEWAY_URL' => ':'
+ }
+ ```
+
+1. Run reconfigure:
+
+ ```shell
+ sudo gitlab-ctl reconfigure
+ ```
+
+:::TabTitle Helm Chart (Kubernetes)
+
+1. Add the following values to your Helm chart:
+
+ ```yaml
+ gitlab:
+ webservice:
+ extraEnv:
+ AI_GATEWAY_URL: ':'
+ sidekiq:
+ extraEnv:
+ AI_GATEWAY_URL: ':'
+ toolbox:
+ extraEnv:
+ AI_GATEWAY_URL: ':'
+ ```
+
+ - The `AI_GATEWAY_URL` parameter for `webservice` must be externally accessible because it is given to editor extensions
+ for direct connection to the AI gateway.
+ - The `AI_GATEWAY_URL` parameters for `sidekiq` and `toolbox` can be either externally accessible or Kubernetes internal addresses (for example, `ai-gateway.gitlab.svc.cluster.local`). It might be more time and resource efficient to use Kubernetes internal addresses, so the requests do not have to go through the external load balancer and the Ingress controller to re-enter the cluster.
+
+::EndTabs
+
+## Configure the self-hosted model
+
+Prerequisites:
+
+- You must be an administrator.
+- You must have a Duo Enterprise license add-on.
+
+To configure a self-hosted model:
+
+1. On the left sidebar, at the bottom, select **Admin**.
+1. Select **GitLab Duo**.
+1. In the **GitLab Duo** section, select **Change configuration**.
+1. Under **Self-hosted AI models**, select **Turn on self-hosted models**.
+1. Select **Save changes**.
+1. On the left sidebar, select **Self-hosted models**.
+ - If the **Self-hosted models** menu item is not available, synchronize your
+ subscription after purchase:
+ 1. On the left sidebar, select **Subscription**.
+ 1. In **Subscription details**, to the right of **Last sync**, select
+ synchronize subscription (**{retry}**).
+1. Select **Add self-hosted model**.
+1. Complete the fields:
+ - **Deployment name**: Enter a name to uniquely identify the model deployment, for example, `Mixtral-8x7B-it-v0.1 on GCP`.
+ - **Model family**: Select the model family the deployment belongs to. Only GitLab-approved models
+ are in this list.
+ - **Endpoint**: Enter the URL where the model is hosted.
+ - For models hosted through vLLM, you must suffix the URL with `/v1`. The default port is `8000`, so the default endpoint URL is `https://:8000/v1`.
+ - **API key**: Optional. Add an API key if you need one to access the model.
+ - **Model identifier**: This is a required field if your deployment method is vLLM, Bedrock or Azure. The value of this field is based on your deployment method, and should match the following structure:
+
+ | Deployment method | Format | Example |
+ |-------------|---------|---------|
+ | vLLM | `custom_openai/` | `custom_openai/Mixtral-8x7B-Instruct-v0.1` |
+ | Bedrock | `bedrock/` | `bedrock/mistral.mixtral-8x7b-instruct-v0:1` |
+ | Azure OpenAI | `azure/` | `azure/gpt-35-turbo` |
+ | Others | The field is optional | |
+
+1. Select **Create self-hosted model**.
+
+## Configure GitLab Duo features to use self-hosted models
+
+Prerequisites:
+
+- You must be an administrator.
+- You must have a Duo Enterprise license add-on.
+
+### View configured features
+
+1. On the left sidebar, at the bottom, select **Admin**.
+1. Select **Self-hosted models**.
+ - If the **Self-hosted models** menu item is not available, synchronize your
+ subscription after purchase:
+ 1. On the left sidebar, select **Subscription**.
+ 1. In **Subscription details**, to the right of **Last sync**, select
+ synchronize subscription (**{retry}**).
+1. Select the **AI-powered features** tab.
+
+### Configure the feature to use a self-hosted model
+
+Configure the GitLab Duo feature to send queries to the configured self-hosted model:
+
+1. On the left sidebar, at the bottom, select **Admin**.
+1. Select **Self-hosted models**.
+1. Select the **AI-powered features** tab.
+1. For the feature you want to configure, from the dropdown list, choose the self-hosted model you want to use. For example, `Mistral`.
+
+### Configure the feature to use GitLab AI Vendor models
+
+Prerequisites:
+
+- You must use an [online license](https://about.gitlab.com/pricing/licensing-faq/cloud-licensing/#what-is-cloud-licensing).
+
+Configure the GitLab Duo feature to send queries to the Cloud Connector and use the GitLab AI Vendor model:
+
+1. On the left sidebar, at the bottom, select **Admin**.
+1. Select **Self-hosted models**.
+1. Select the **AI-powered features** tab.
+1. For the feature you want to configure, from the dropdown list, select **GitLab AI Vendor**.
diff --git a/doc/administration/gitlab_duo_self_hosted/index.md b/doc/administration/gitlab_duo_self_hosted/index.md
new file mode 100644
index 00000000000..0cbc5f44267
--- /dev/null
+++ b/doc/administration/gitlab_duo_self_hosted/index.md
@@ -0,0 +1,124 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Get started with GitLab Duo Self-Hosted.
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: GitLab Duo Self-Hosted
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+To maintain full control over your data privacy, security, and the deployment of large language models (LLMs) in your own infrastructure, use GitLab Duo Self-Hosted.
+
+By deploying GitLab Duo Self-Hosted, you can manage the entire lifecycle of requests made to LLM backends for GitLab Duo features, ensuring that all requests stay in your enterprise network, and avoiding external dependencies.
+
+## Why use GitLab Duo Self-Hosted
+
+With GitLab Duo Self-Hosted, you can:
+
+- Choose any GitLab-approved LLM.
+- Retain full control over data by keeping all request/response logs in your domain, ensuring complete privacy and security with no external API calls.
+- Isolate the GitLab instance, AI gateway, and models in your own environment.
+- Select specific GitLab Duo features tailored to your users.
+- Eliminate reliance on the shared GitLab AI gateway.
+
+This setup ensures enterprise-level privacy and flexibility, allowing seamless integration of your LLMs with GitLab Duo features.
+
+### Supported GitLab Duo Chat features
+
+You can use the following GitLab Duo Chat features with GitLab Duo Self-Hosted:
+
+- [Ask about GitLab](../../user/gitlab_duo_chat/examples.md#ask-about-gitlab)
+- [Ask about a specific issue](../../user/gitlab_duo_chat/examples.md#ask-about-a-specific-issue)
+- [Ask about a specific epic](../../user/gitlab_duo_chat/examples.md#ask-about-a-specific-epic)
+- [Explain selected code](../../user/gitlab_duo_chat/examples.md#explain-selected-code)
+- [Ask about or generate code](../../user/gitlab_duo_chat/examples.md#ask-about-or-generate-code)
+- [Ask follow up questions](../../user/gitlab_duo_chat/examples.md#ask-follow-up-questions)
+- [Ask about errors](../../user/gitlab_duo_chat/examples.md#ask-about-errors)
+- [Ask about specific files](../../user/gitlab_duo_chat/examples.md#ask-about-specific-files)
+- [Refactor code in the IDE](../../user/gitlab_duo_chat/examples.md#refactor-code-in-the-ide)
+- [Fix code in the IDE](../../user/gitlab_duo_chat/examples.md#fix-code-in-the-ide)
+- [Write tests in the IDE](../../user/gitlab_duo_chat/examples.md#write-tests-in-the-ide)
+- [Ask about CI/CD](../../user/gitlab_duo_chat/examples.md#ask-about-cicd)
+- [Use universal and IDE slash commands](../../user/gitlab_duo_chat/examples.md#gitlab-duo-chat-slash-commands)
+
+### Prerequisites
+
+Before setting up the GitLab Duo Self-Hosted infrastructure, you must have:
+
+- A [supported model](../self_hosted_models/supported_models_and_hardware_requirements.md) (either cloud-based or on-premises).
+- A [supported serving platform](../self_hosted_models/supported_llm_serving_platforms.md) (either cloud-based or on-premises).
+- A [locally hosted AI gateway](../../install/install_ai_gateway.md).
+- [Ultimate with GitLab Duo Enterprise](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?toggle=gitlab-duo-pro).
+
+## Decide on your configuration type
+
+The configuration for GitLab Duo Self-Hosted is different to the default configuration
+that uses GitLab external AI vendors.
+
+NOTE:
+Both of the following configuration types are for GitLab Self-Managed instances.
+
+### Self-hosted AI gateway and LLMs
+
+In a fully self-hosted configuration, you deploy your own AI gateway and LLMs in your infrastructure, without relying on external public services. This gives you full control over your data and security.
+
+If you have an offline environment with physical barriers or security policies that prevent or limit internet access, and comprehensive LLM controls, you can use GitLab Duo Self-Hosted.
+
+For licensing, you must have a GitLab Ultimate subscription and GitLab Duo Enterprise. Offline Enterprise licenses are available for those customers with fully isolated offline environments. To get access to your purchased subscription, request a license through the [Customers Portal](../../subscriptions/customers_portal.md).
+
+For more information, see:
+
+- [Set up a GitLab Duo Self-Hosted infrastructure](#set-up-a-gitlab-duo-self-hosted-infrastructure)
+- The [self-hosted AI gateway configuration diagram](configuration_types.md#self-hosted-ai-gateway).
+
+### GitLab.com AI gateway with default GitLab external vendor LLMs
+
+If you do not meet the use case criteria for GitLab Duo Self-Hosted, you can use the
+GitLab.com AI gateway with default GitLab external vendor LLMs.
+
+The GitLab.com AI gateway is the default Enterprise offering and is not self-hosted. In this configuration,
+you connect your instance to the GitLab-hosted AI gateway, which
+integrates with external vendor LLM providers (such as Google Vertex or Anthropic).
+
+These LLMs communicate through the [GitLab Cloud Connector](../../development/cloud_connector/_index.md),
+offering a ready-to-use AI solution without the need for on-premise infrastructure.
+
+For licensing, you must have a GitLab Ultimate subscription, and either [GitLab Duo Pro](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) or [GitLab Duo Enterprise](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial). To get access to your purchased subscription, request a license through the [Customers Portal](../../subscriptions/customers_portal.md)
+
+For more information, see the
+[GitLab.com AI gateway configuration diagram](configuration_types.md#gitlabcom-ai-gateway).
+
+To set up this infrastructure, see [how to configure GitLab Duo on a GitLab Self-Managed instance](../../user/gitlab_duo/setup.md).
+
+## Set up a GitLab Duo Self-Hosted infrastructure
+
+To set up a fully isolated GitLab Duo Self-Hosted infrastructure:
+
+1. **Install a Large Language Model (LLM) Serving Infrastructure**
+
+ - We support various platforms for serving and hosting your LLMs, such as vLLM, AWS Bedrock, and Azure OpenAI. To help you choose the most suitable option for effectively deploying your models, see the [supported LLM platforms documentation](../self_hosted_models/supported_llm_serving_platforms.md) for more information on each platform's features.
+
+ - We provide a comprehensive matrix of supported models along with their specific features and hardware requirements. To help select models that best align with your infrastructure needs for optimal performance, see the [supported models and hardware requirements documentation](../self_hosted_models/supported_models_and_hardware_requirements.md).
+
+1. **Install the GitLab AI gateway**
+ [Install the AI gateway](../../install/install_ai_gateway.md) to efficiently configure your AI infrastructure.
+
+1. **Configure GitLab Duo features**
+ See the [Configure GitLab Duo features documentation](../self_hosted_models/configure_duo_features.md) for instructions on how to customize your environment to effectively meet your operational needs.
+
+1. **Enable logging**
+ You can find configuration details for enabling logging in your environment. For help in using logs to track and manage your system's performance effectively, see the [logging documentation](../self_hosted_models/logging.md).
+
+## Related topics
+
+- [Import custom models into Amazon Bedrock](https://www.youtube.com/watch?v=CA2AXfWWdpA)
+- [Troubleshooting](../self_hosted_models/troubleshooting.md)
diff --git a/doc/administration/gitlab_duo_self_hosted/logging.md b/doc/administration/gitlab_duo_self_hosted/logging.md
new file mode 100644
index 00000000000..41a049a277e
--- /dev/null
+++ b/doc/administration/gitlab_duo_self_hosted/logging.md
@@ -0,0 +1,312 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Enable logging for self-hosted models.
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: Enable logging for self-hosted models
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+Prerequisites:
+
+- You must be an administrator.
+- You must have a Duo Enterprise license add-on.
+
+To enable logging and access the logs, enable the feature flag:
+
+```ruby
+Feature.enable(:expanded_ai_logging)
+```
+
+Disabling the feature flag stops logs from being written.
+
+## Logs in your GitLab installation
+
+The logging setup is designed to protect sensitive information while maintaining transparency about system operations, and is made up of the following components:
+
+- Logs that capture requests to the GitLab instance.
+- Feature flag and logging control.
+- The `llm.log` file.
+
+### Logs that capture requests to the GitLab instance
+
+Logging in the `application.json`, `production_json.log`, and `production.log` files, among others, capture requests to the GitLab instance:
+
+- **Filtered Requests**: We log the requests in these files but ensure that sensitive data (such as input parameters) is **filtered**. This means that while the request metadata is captured (for example, the request type, endpoint, and response status), the actual input data (for example, the query parameters, variables, and content) is not logged to prevent the exposure of sensitive information.
+- **Example 1**: In the case of a code suggestions completion request, the logs capture the request details while filtering sensitive information:
+
+ ```json
+ {
+ "method": "POST",
+ "path": "/api/graphql",
+ "controller": "GraphqlController",
+ "action": "execute",
+ "status": 500,
+ "params": [
+ {"key": "query", "value": "[FILTERED]"},
+ {"key": "variables", "value": "[FILTERED]"},
+ {"key": "operationName", "value": "chat"}
+ ],
+ "exception": {
+ "class": "NoMethodError",
+ "message": "undefined method `id` for {:skip=>true}:Hash"
+ },
+ "time": "2024-08-28T14:13:50.328Z"
+ }
+ ```
+
+ As shown, while the error information and general structure of the request are logged, the sensitive input parameters are marked as `[FILTERED]`.
+
+- **Example 2**: In the case of a code suggestions completion request, the logs also capture the request details while filtering sensitive information:
+
+ ```json
+ {
+ "method": "POST",
+ "path": "/api/v4/code_suggestions/completions",
+ "status": 200,
+ "params": [
+ {"key": "prompt_version", "value": 1},
+ {"key": "current_file", "value": {"file_name": "/test.rb", "language_identifier": "ruby", "content_above_cursor": "[FILTERED]", "content_below_cursor": "[FILTERED]"}},
+ {"key": "telemetry", "value": []}
+ ],
+ "time": "2024-10-15T06:51:09.004Z"
+ }
+ ```
+
+ As shown, while the general structure of the request is logged, the sensitive input parameters such as `content_above_cursor` and `content_below_cursor` are marked as `[FILTERED]`.
+
+### Feature Flag and Logging Control
+
+**Feature Flag Dependency**: You can control a subset of these logs by enabling or disabling the `expanded_ai_logging` feature flag. Disabling the feature flag disables logging for specific operations. For more information, see the [Feature Flag section under Privacy Considerations](../../development/ai_features/logging.md#privacy-considerations).
+
+### The `llm.log` file
+
+When the `:expanded_ai_logging` feature flag is enabled, the [`llm.log` file](../logs/index.md#llmlog) in your GitLab instance captures code generation and Chat events that occur through your instance. The log file does not capture anything when the feature flag is not enabled. Code completion logs are captured directly in the AI gateway.
+
+For more information on:
+
+- Logged events and their properties, see the [logged event documentation](../../development/ai_features/logged_events.md).
+- How to rotate, manage, export, and visualize the logs in `llm.log`, see the [log system documentation](../logs/index.md).
+- The log file location (for example, so you can delete logs), see [LLM input and output logging](../logs/index.md#llm-input-and-output-logging).
+
+### Logs in your AI gateway container
+
+To specify the location of logs generated by AI gateway, run:
+
+```shell
+docker run -e AIGW_GITLAB_URL= \
+ -e AIGW_GITLAB_API_URL=https:///api/v4/ \
+ -e AIGW_GITLAB_API_URL=https:///api/v4/ \
+ -e AIGW_LOGGING__TO_FILE="aigateway.log" \
+ -v :"aigateway.log"
+
+```
+
+If you do not specify a filename, logs are streamed to the output and can also be managed using Docker logs.
+For more information, see the [Docker Logs documentation](https://docs.docker.com/reference/cli/docker/container/logs/).
+
+Additionally, the outputs of the AI gateway execution can help with debugging issues. To access them:
+
+- When using Docker:
+
+ ```shell
+ docker logs
+ ```
+
+- When using Kubernetes:
+
+ ```shell
+ kubectl logs
+ ```
+
+To ingest these logs into the logging solution, see your logging provider documentation.
+
+### Logs structure
+
+When a POST request is made (for example, to the `/chat/completions` endpoint), the server logs the request:
+
+- Payload
+- Headers
+- Metadata
+
+#### 1. Request payload
+
+The JSON payload typically includes the following fields:
+
+- `messages`: An array of message objects.
+ - Each message object contains:
+ - `content`: A string representing the user's input or query.
+ - `role`: Indicates the role of the message sender (for example, `user`).
+- `model`: A string specifying the model to be used (for example, `mistral`).
+- `max_tokens`: An integer specifying the maximum number of tokens to generate in the response.
+- `n`: An integer indicating the number of completions to generate.
+- `stop`: An array of strings denoting stop sequences for the generated text.
+- `stream`: A boolean indicating whether the response should be streamed.
+- `temperature`: A float controlling the randomness of the output.
+
+##### Example request
+
+```json
+{
+ "messages": [
+ {
+ "content": "[SUFFIX]None[PREFIX]# # build a hello world ruby method\n def say_goodbye\n puts \"Goodbye, World!\"\n end\n\ndef main\n say_hello\n say_goodbye\nend\n\nmain",
+ "role": "user"
+ }
+ ],
+ "model": "mistral",
+ "max_tokens": 128,
+ "n": 1,
+ "stop": ["[INST]", "[/INST]", "[PREFIX]", "[MIDDLE]", "[SUFFIX]"],
+ "stream": false,
+ "temperature": 0.0
+}
+```
+
+#### 2. Request headers
+
+The request headers provide additional context about the client making the request. Key headers might include:
+
+- `Authorization`: Contains the Bearer token for API access.
+- `Content-Type`: Indicates the media type of the resource (for example, `JSON`).
+- `User-Agent`: Information about the client software making the request.
+- `X-Stainless-` headers: Various headers providing additional metadata about the client environment.
+ +##### Example request headers + +```json +{ + "host": "0.0.0.0:4000", + "accept-encoding": "gzip, deflate", + "connection": "keep-alive", + "accept": "application/json", + "content-type": "application/json", + "user-agent": "AsyncOpenAI/Python 1.51.0", + "authorization": "Bearer ", + "content-length": "364" +} +``` + +#### 3. Request metadata + +The metadata includes various fields that describe the context of the request: + +- `requester_metadata`: Additional metadata about the requester. +- `user_api_key`: The API key used for the request (anonymized). +- `api_version`: The version of the API being used. +- `request_timeout`: The timeout duration for the request. +- `call_id`: A unique identifier for the call. + +##### Example metadata + +```json +{ + "user_api_key": "", + "api_version": "1.48.18", + "request_timeout": 600, + "call_id": "e1aaa316-221c-498c-96ce-5bc1e7cb63af" +} +``` + +### Example response + +The server responds with a structured model response. For example: + +```python +Response: ModelResponse( + id='chatcmpl-5d16ad41-c130-4e33-a71e-1c392741bcb9', + choices=[ + Choices( + finish_reason='stop', + index=0, + message=Message( + content=' Here is the corrected Ruby code for your function:\n\n```ruby\ndef say_hello\n puts "Hello, World!"\nend\n\ndef say_goodbye\n puts "Goodbye, World!"\nend\n\ndef main\n say_hello\n say_goodbye\nend\n\nmain\n```\n\nIn your original code, the method names were misspelled as `say_hell` and `say_gobdye`. I corrected them to `say_hello` and `say_goodbye`, respectively. 
 Also, there was no need for the prefix',
+ role='assistant',
+ tool_calls=None,
+ function_call=None
+ )
+ )
+ ],
+ created=1728983827,
+ model='mistral',
+ object='chat.completion',
+ system_fingerprint=None,
+ usage=Usage(
+ completion_tokens=128,
+ prompt_tokens=69,
+ total_tokens=197,
+ completion_tokens_details=None,
+ prompt_tokens_details=None
+ )
+)
+```
+
+### Logs in your inference service provider
+
+GitLab does not manage logs generated by your inference service provider. See the documentation of your inference service
+provider on how to use their logs.
+
+## Logging behavior in GitLab and AI gateway environments
+
+GitLab provides logging functionality for AI-related activities through the use of `llm.log`, which captures inputs, outputs, and other relevant information. However, the logging behavior differs depending on whether the GitLab instance and AI gateway are **self-hosted** or **cloud-connected**.
+
+By default, the log does not contain LLM prompt input and response output to support [data retention policies](../../user/gitlab_duo/data_usage.md#data-retention) of AI feature data.
+
+## Logging Scenarios
+
+### GitLab Self-Managed and self-hosted AI gateway
+
+In this configuration, both GitLab and the AI gateway are hosted by the customer.
+
+- **Logging Behavior**: Full logging is enabled, and all prompts, inputs, and outputs are logged to `llm.log` on the instance.
+- **Expanded Logging**: When the `:expanded_ai_logging` feature flag is activated, extra debugging information is logged, including:
+ - Preprocessed prompts.
+ - Final prompts.
+ - Additional context.
+- **Privacy**: Because both GitLab and the AI gateway are self-hosted:
+ - The customer has full control over data handling.
+ - Logging of sensitive information can be enabled or disabled at the customer's discretion.
+
+### GitLab Self-Managed and GitLab-managed AI gateway (cloud-connected)
+
+In this scenario, the customer hosts GitLab but relies on the GitLab-managed AI gateway for AI processing.
+
+- **Logging Behavior**: Prompts and inputs sent to the AI gateway are **not logged** in the cloud-connected AI gateway to prevent exposure of sensitive information such as personally identifiable information (PII).
+- **Expanded Logging**: Even if the `:expanded_ai_logging` feature flag is enabled, no detailed logs are generated in the GitLab-managed AI gateway to avoid unintended leaks of sensitive information.
+ - Logging remains **minimal** in this setup, and the expanded logging features are disabled by default.
+- **Privacy**: This configuration is designed to ensure that sensitive data is not logged in a cloud environment.
+
+## Feature Flag: `:expanded_ai_logging`
+
+The `:expanded_ai_logging` feature flag controls whether additional debugging information, including prompts and inputs, is logged. This flag is essential for monitoring and debugging AI-related activities.
+
+### Behavior by Deployment Setup
+
+- **GitLab Self-Managed and self-hosted AI gateway**: The feature flag enables detailed logging to `llm.log` on the self-hosted instance, capturing inputs and outputs for AI models.
+- **GitLab Self-Managed and GitLab-managed AI gateway**: The feature flag enables logging on your GitLab Self-Managed instance. However, the flag does **not** activate expanded logging for the GitLab-managed AI gateway side. Logging remains disabled for the cloud-connected AI gateway to protect sensitive data.
+For more information, see the [Feature Flag section under Privacy Considerations](../../development/ai_features/logging.md#privacy-considerations) documentation.
+
+### Logging in cloud-connected AI gateways
+
+To prevent potential data leakage of sensitive information, expanded logging (including prompts and inputs) is intentionally disabled when using a cloud-connected AI gateway.
 Preventing the exposure of PII is a priority.
+
+### Cross-referencing logs between the AI gateway and GitLab
+
+The property `correlation_id` is assigned to every request and is carried across different components that respond to a
+request. For more information, see the [documentation on finding logs with a correlation ID](../logs/tracing_correlation_id.md).
+
+The Correlation ID can be found in your AI gateway and GitLab logs. However, it is not present in your model provider logs.
+
+#### Related topics
+
+- [Parsing GitLab logs with jq](../logs/log_parsing.md)
+- [Searching your logs for the correlation ID](../logs/tracing_correlation_id.md#searching-your-logs-for-the-correlation-id)
diff --git a/doc/administration/gitlab_duo_self_hosted/supported_llm_serving_platforms.md b/doc/administration/gitlab_duo_self_hosted/supported_llm_serving_platforms.md
new file mode 100644
index 00000000000..2121bdf8fbb
--- /dev/null
+++ b/doc/administration/gitlab_duo_self_hosted/supported_llm_serving_platforms.md
@@ -0,0 +1,95 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Supported LLM Serving Platforms.
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: GitLab Duo Self-Hosted supported platforms
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+There are multiple platforms available to host your self-hosted Large Language Models (LLMs). Each platform has unique features and benefits that can cater to different needs. The following documentation summarises the currently supported options:
+
+## For self-hosted model deployments
+
+### vLLM
+
+[vLLM](https://docs.vllm.ai/en/latest/index.html) is a high-performance inference server optimized for serving LLMs with memory efficiency. It supports model parallelism and integrates easily with existing workflows.
+
+To install vLLM, see the [vLLM Installation Guide](https://docs.vllm.ai/en/latest/getting_started/installation.html). You should install [version v0.6.4.post1](https://github.com/vllm-project/vllm/releases/tag/v0.6.4.post1) or later.
+
+For more information on:
+
+- vLLM supported models, see the [vLLM Supported Models documentation](https://docs.vllm.ai/en/latest/models/supported_models.html).
+- Available options when using vLLM to run a model, see the [vLLM documentation on engine arguments](https://docs.vllm.ai/en/stable/usage/engine_args.html).
+- The hardware needed for the models, see the [Supported models and Hardware requirements documentation](../self_hosted_models/supported_llm_serving_platforms.md).
+
+Examples:
+
+#### Mistral-7B-Instruct-v0.2
+
+1. Download the model from HuggingFace:
+
+ ```shell
+ git clone https://:@huggingface.co/mistralai/Mistral-7B-Instruct-v0.3
+ ```
+
+1. Run the server:
+
+ ```shell
+ vllm serve /Mistral-7B-Instruct-v0.3 \
+ --served_model_name \
+ --tokenizer_mode mistral \
+ --tensor_parallel_size \
+ --load_format mistral \
+ --config_format mistral \
+ --tokenizer /Mistral-7B-Instruct-v0.3
+ ```
+
+#### Mixtral-8x7B-Instruct-v0.1
+
+1. Download the model from HuggingFace:
+
+ ```shell
+ git clone https://:@huggingface.co/mistralai/Mixtral-8x7B-Instruct-v0.1
+ ```
+
+1. Rename the token config:
+
+ ```shell
+ cd /Mixtral-8x7B-Instruct-v0.1
+ cp tokenizer.model tokenizer.model.v3
+ ```
+
+1. Run the model:
+
+ ```shell
+ vllm serve /Mixtral-8x7B-Instruct-v0.1 \
+ --tensor_parallel_size 4 \
+ --served_model_name \
+ --tokenizer_mode mistral \
+ --load_format safetensors \
+ --tokenizer /Mixtral-8x7B-Instruct-v0.1/
+ ```
+
+## For cloud-hosted model deployments
+
+1. [AWS Bedrock](https://aws.amazon.com/bedrock/).
+ A fully managed service that allows developers to build and scale generative AI applications using pre-trained models from leading AI companies. It seamlessly integrates with other AWS services and offers a pay-as-you-go pricing model.
+
+ You must configure the GitLab instance with your appropriate AWS IAM permissions before accessing Bedrock models. You cannot do this in the GitLab Duo Self-Hosted UI.
 For example, you can authenticate the AI Gateway instance by defining the [`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_REGION_NAME`](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) when starting the Docker image. For more information, see the [AWS Identity and Access Management (IAM) Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam.html).
+
+ - [Supported foundation models in Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html)
+
+1. [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/).
+ Provides access to OpenAI's powerful models, enabling developers to integrate advanced AI capabilities into their applications with robust security and scalable infrastructure.
+ - [Working with Azure OpenAI models](https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/working-with-models?tabs=powershell)
+ - [Azure OpenAI Service models](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions)
diff --git a/doc/administration/gitlab_duo_self_hosted/supported_models_and_hardware_requirements.md b/doc/administration/gitlab_duo_self_hosted/supported_models_and_hardware_requirements.md
new file mode 100644
index 00000000000..931f8d77d94
--- /dev/null
+++ b/doc/administration/gitlab_duo_self_hosted/supported_models_and_hardware_requirements.md
@@ -0,0 +1,127 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Supported Models and Hardware Requirements.
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: Supported GitLab Duo Self-Hosted models and hardware requirements
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+The following table shows the supported models along with their specific features and hardware requirements to help you select the model that best fits your infrastructure needs for optimal performance.
+ +## Approved LLMs + +Install one of the following GitLab-approved large language models (LLMs): + + + +| Model family | Model | Supported platforms | Status | Code completion | Code generation | GitLab Duo Chat | +|--------------|-------|---------------------|--------|-----------------|-----------------|-----------------| +|Mistral Codestral | [Codestral 22B v0.1](https://huggingface.co/mistralai/Codestral-22B-v0.1) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Generally available | 🟢 Green | 🟢 Green | N/A | +| Mistral | [Mistral 7B-it v0.3](https://huggingface.co/mistralai/Mistral-7B-Instruct-v0.3) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Generally available | 🟢 Green | 🟢 Green | 🔴 Red | +| Mistral | [Mixtral 8x7B-it v0.1](https://huggingface.co/mistralai/Mixtral-8x7B-Instruct-v0.1) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments)
[AWS Bedrock](https://aws.amazon.com/bedrock/mistral/) | Generally available | 🟢 Green | 🟢 Green | 🟡 Amber | +| Mistral | [Mixtral 8x22B-it v0.1](https://huggingface.co/mistralai/Mixtral-8x22B-Instruct-v0.1) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Generally available | 🟢 Green | 🟢 Green | 🟢 Green | +| Claude 3 | [Claude 3.5 Sonnet](https://www.anthropic.com/news/claude-3-5-sonnet) | [AWS Bedrock](https://aws.amazon.com/bedrock/claude/) | Generally available | 🟢 Green | 🟢 Green | 🟢 Green | +| GPT | [GPT-4 Turbo](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure#gpt-4) | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview) | Generally available | 🟢 Green | 🟢 Green | 🟡 Amber | +| GPT | [GPT-4o](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure#gpt-4o-and-gpt-4-turbo) | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview) | Generally available | 🟢 Green | 🟢 Green | 🟢 Green | +| GPT | [GPT-4o-mini](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure#gpt-4o-and-gpt-4-turbo) | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview) | Generally available | 🟢 Green | 🟢 Green | 🟡 Amber | + +Legend: + +- 🟢 Green - Strongly recommended. The model can handle the feature without any loss of quality. +- 🟡 Amber - Recommended. The model supports the feature, but there might be minor compromises or limitations. +- 🔴 Red - Not recommended. The model is unsuitable for the feature, likely resulting in significant quality loss or performance issues. 
+ +The following models are under evaluation, and support is limited: + +| Model family | Model | Supported platforms | Status | Code completion | Code generation | GitLab Duo Chat | +|--------------- |-------|---------------------|--------|-----------------|-----------------|-----------------| +| CodeGemma | [CodeGemma 2b](https://huggingface.co/google/codegemma-2b) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | +| CodeGemma | [CodeGemma 7b-it](https://huggingface.co/google/codegemma-7b-it) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | +| CodeGemma | [CodeGemma 7b-code](https://huggingface.co/google/codegemma-7b) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | +| Code Llama | [Code-Llama 13b](https://huggingface.co/meta-llama/CodeLlama-13b-Instruct-hf) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | +| DeepSeek Coder | [DeepSeek Coder 33b Instruct](https://huggingface.co/deepseek-ai/deepseek-coder-33b-instruct) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | +| DeepSeek Coder | [DeepSeek Coder 33b Base](https://huggingface.co/deepseek-ai/deepseek-coder-33b-base) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | +| Mistral | [Mistral 7B-it v0.2](https://huggingface.co/mistralai/Mistral-7B-Instruct-v0.2) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments)
[AWS Bedrock](https://aws.amazon.com/bedrock/mistral/) | Beta | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | + + + +## Hardware requirements + +The following hardware specifications are the minimum requirements for running GitLab Duo Self-Hosted on-premise. Requirements vary significantly based on the model size and intended usage: + +### Base system requirements + +- **CPU**: + - Minimum: 8 cores (16 threads) + - Recommended: 16+ cores for production environments +- **RAM**: + - Minimum: 32 GB + - Recommended: 64 GB for most models +- **Storage**: + - SSD with sufficient space for model weights and data. + +### GPU requirements by model size + +| Model size | Minimum GPU configuration | Minimum VRAM required | +|--------------------------------------------|---------------------------|-----------------------| +| 7B models
(for example, Mistral 7B) | 1x NVIDIA A100 (40GB) | 35 GB | +| 22B models
(for example, Codestral 22B) | 2x NVIDIA A100 (80GB) | 110 GB | +| Mixtral 8x7B | 2x NVIDIA A100 (80GB) | 220 GB | +| Mixtral 8x22B | 8x NVIDIA A100 (80GB) | 526 GB | + +Use [Hugging Face's memory utility](https://huggingface.co/spaces/hf-accelerate/model-memory-usage) to verify memory requirements. + +### Response time by model size and GPU + +#### Small machine + +With a `a2-highgpu-2g` (2x Nvidia A100 40 GB - 150 GB vRAM) or equivalent: + +| Model name | Number of requests | Average time per request (sec) | Average tokens in response | Average tokens per second per request | Total time for requests | Total TPS | +|--------------------------|--------------------|------------------------------|----------------------------|---------------------------------------|-------------------------|-----------| +| Mistral-7B-Instruct-v0.3 | 1 | 7.09 | 717.0 | 101.19 | 7.09 | 101.17 | +| Mistral-7B-Instruct-v0.3 | 10 | 8.41 | 764.2 | 90.35 | 13.70 | 557.80 | +| Mistral-7B-Instruct-v0.3 | 100 | 13.97 | 693.23 | 49.17 | 20.81 | 3331.59 | + +#### Medium machine + +With a `a2-ultragpu-4g` (4x Nvidia A100 40 GB - 340 GB vRAM) machine on GCP or equivalent: + +| Model name | Number of requests | Average time per request (sec) | Average tokens in response | Average tokens per second per request | Total time for requests | Total TPS | +|----------------------------|--------------------|------------------------------|----------------------------|---------------------------------------|-------------------------|-----------| +| Mistral-7B-Instruct-v0.3 | 1 | 3.80 | 499.0 | 131.25 | 3.80 | 131.23 | +| Mistral-7B-Instruct-v0.3 | 10 | 6.00 | 740.6 | 122.85 | 8.19 | 904.22 | +| Mistral-7B-Instruct-v0.3 | 100 | 11.71 | 695.71 | 59.06 | 15.54 | 4477.34 | +| Mixtral-8x7B-Instruct-v0.1 | 1 | 6.50 | 400.0 | 61.55 | 6.50 | 61.53 | +| Mixtral-8x7B-Instruct-v0.1 | 10 | 16.58 | 768.9 | 40.33 | 32.56 | 236.13 | +| Mixtral-8x7B-Instruct-v0.1 | 100 | 25.90 | 767.38 | 26.87 | 55.57 | 1380.68 | + +#### 
Large machine
+
+With a `a2-ultragpu-8g` (8 x NVIDIA A100 80 GB - 1360 GB vRAM) machine on GCP or equivalent:
+
+| Model name | Number of requests | Average time per request (sec) | Average tokens in response | Average tokens per second per request | Total time for requests (sec) | Total TPS |
+|-----------------------------|--------------------|------------------------------|----------------------------|---------------------------------------|-----------------------------|-----------|
+| Mistral-7B-Instruct-v0.3 | 1 | 3.23 | 479.0 | 148.41 | 3.22 | 148.36 |
+| Mistral-7B-Instruct-v0.3 | 10 | 4.95 | 678.3 | 135.98 | 6.85 | 989.11 |
+| Mistral-7B-Instruct-v0.3 | 100 | 10.14 | 713.27 | 69.63 | 13.96 | 5108.75 |
+| Mixtral-8x7B-Instruct-v0.1 | 1 | 6.08 | 709.0 | 116.69 | 6.07 | 116.64 |
+| Mixtral-8x7B-Instruct-v0.1 | 10 | 9.95 | 645.0 | 63.68 | 13.40 | 481.06 |
+| Mixtral-8x7B-Instruct-v0.1 | 100 | 13.83 | 585.01 | 41.80 | 20.38 | 2869.12 |
+| Mixtral-8x22B-Instruct-v0.1 | 1 | 14.39 | 828.0 | 57.56 | 14.38 | 57.55 |
+| Mixtral-8x22B-Instruct-v0.1 | 10 | 20.57 | 629.7 | 30.24 | 28.02 | 224.71 |
+| Mixtral-8x22B-Instruct-v0.1 | 100 | 27.58 | 592.49 | 21.34 | 36.80 | 1609.85 |
+
+### AI Gateway Hardware Requirements
+
+For recommendations on AI gateway hardware, see the [AI gateway scaling recommendations](../../install/install_ai_gateway.md#scaling-recommendations).
diff --git a/doc/administration/gitlab_duo_self_hosted/troubleshooting.md b/doc/administration/gitlab_duo_self_hosted/troubleshooting.md
new file mode 100644
index 00000000000..2691cbaa1f4
--- /dev/null
+++ b/doc/administration/gitlab_duo_self_hosted/troubleshooting.md
@@ -0,0 +1,453 @@
+---
+stage: AI-Powered
+group: Custom Models
+description: Troubleshooting tips for deploying GitLab Duo Self-Hosted
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: Troubleshooting GitLab Duo Self-Hosted
+---
+
+DETAILS:
+**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
+**Offering:** GitLab Self-Managed
+**Status:** Beta
+
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
+> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
+> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
+> - Feature flag `ai_custom_model` removed in GitLab 17.8
+
+When working with GitLab Duo Self-Hosted, you might encounter issues.
+
+Before you begin troubleshooting, you should:
+
+- Be able to access open the [`gitlab-rails` console](../operations/rails_console.md).
+- Open a shell in the AI gateway Docker image.
+- Know the endpoint where your:
+ - AI gateway is hosted.
+ - Model is hosted.
+- Enable the feature flag `expanded_ai_logging` on the `gitlab-rails` console:
+
+ ```ruby
+ Feature.enable(:expanded_ai_logging)
+ ```
+
+ Now, requests and responses from GitLab to the AI gateway are logged to [`llm.log`](../logs/index.md#llmlog)
+
+## Use debugging scripts
+
+We provide two debugging scripts to help administrators verify their self-hosted
+model configuration.
+
+1. Debug the GitLab to AI gateway connection. From your GitLab instance, run the
+ [Rake task](../../raketasks/_index.md):
+
+ ```shell
+ gitlab-rake "gitlab:duo:verify_self_hosted_setup[]"
+ ```
+
+ Optional: Include a `` that has an assigned seat.
+ If you do not include a username parameter, the Rake task uses the root user.
+
+1. Debug the AI gateway setup. For your AI gateway container:
+
+ - Restart the AI gateway container with authentication disabled by setting:
+
+ ```shell
+ -e AIGW_AUTH__BYPASS_EXTERNAL=true
+ ```
+
+ This setting is required for the troubleshooting command to run the **System Exchange test**. You must remove this setting after troubleshooting is complete.
+
+ - From your AI gateway container, run:
+
+ ```shell
+ docker exec -it sh
+ poetry run troubleshoot [options]
+ ```
+
+ The `troubleshoot` command supports the following options:
+
+ | Option | Description | Default | Example |
+ |--------|-------------|---------|---------|
+ | `--endpoint` | AI Gateway endpoint | `localhost:5052` | `--endpoint=localhost:5052` |
+ | `--model-family` | Model family to test. Possible values are `mistral`, `mixtral`, `gpt`, or `claude_3` | - | `--model-family=mistral` |
+ | `--model-endpoint` | Model endpoint. For models hosted on vLLM, add the `/v1` suffix. | - | `--model-endpoint=http://localhost:4000/v1` |
+ | `--model-identifier` | Model identifier. | - | `--model-identifier=custom_openai/Mixtral-8x7B-Instruct-v0.1` |
+ | `--api-key` | Model API key. | - | `--api-key=your-api-key` |
+
+ **Examples:**
+
+ For a `claude_3` model running on AWS Bedrock:
+
+ ```shell
+ poetry run troubleshoot \
+ --model-family=claude_3 \
+ --model-identifier=bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0
+ ```
+
+ For a `mixtral` model running on vLLM:
+
+ ```shell
+ poetry run troubleshoot \
+ --model-family=mixtral \
+ --model-identifier=custom_openai/Mixtral-8x7B-Instruct-v0.1 \
+ --api-key=your-api-key \
+ --model-endpoint=http:///v1
+ ```
+
+After troubleshooting is complete, stop and restart the AI gateway container **without** `AIGW_AUTH__BYPASS_EXTERNAL=true`.
+
+WARNING:
+You must not bypass authentication in production.
+
+Verify the output of the commands, and fix accordingly.
+ +If both commands are successful, but GitLab Duo Code Suggestions is still not working, +raise an issue on the issue tracker. + +## Check if GitLab can make a request to the model + +From the GitLab Rails console, verify that GitLab can make a request to the model +by running: + +```ruby +model_name = "" +model_endpoint = "" +model_api_key = "" +body = {:prompt_components=>[{:type=>"prompt", :metadata=>{:source=>"GitLab EE", :version=>"17.3.0"}, :payload=>{:content=>[{:role=>:user, :content=>"Hello"}], :provider=>:litellm, :model=>model_name, :model_endpoint=>model_endpoint, :model_api_key=>model_api_key}}]} +ai_gateway_url = Gitlab::AiGateway.url # Verify that it's not nil +client = Gitlab::Llm::AiGateway::Client.new(User.find_by_id(1), service_name: :self_hosted_models) +client.complete(url: "#{ai_gateway_url}/v1/chat/agent", body: body) +``` + +This should return a response from the model in the format: + +```ruby +{"response"=> "", + "metadata"=> + {"provider"=>"litellm", + "model"=>"<>", + "timestamp"=>1723448920}} +``` + +If that is not the case, this might means one of the following: + +- The user might not have access to Code Suggestions. To resolve, + [check if a user can request Code Suggestions](#check-if-a-user-can-request-code-suggestions). +- The GitLab environment variables are not configured correctly. To resolve, [check that the GitLab environmental variables are set up correctly](#check-that-gitlab-environmental-variables-are-set-up-correctly). +- The GitLab instance is not configured to use self-hosted models. To resolve, [check if the GitLab instance is configured to use self-hosted models](#check-if-gitlab-instance-is-configured-to-use-self-hosted-models). +- The AI gateway is not reachable. To resolve, [check if GitLab can make an HTTP request to the AI gateway](#check-if-gitlab-can-make-an-http-request-to-the-ai-gateway). +- When the LLM server is installed on the same instance as the AI gateway container, local requests may not work. 
To resolve, [allow local requests from the Docker container](#llm-server-is-not-available-inside-the-ai-gateway-container). + +## Check if a user can request Code Suggestions + +In the GitLab Rails console, check if a user can request Code Suggestions by running: + +```ruby +User.find_by_id("").can?(:access_code_suggestions) +``` + +If this returns `false`, it means some configuration is missing, and the user +cannot access Code Suggestions. + +This missing configuration might be because of either of the following: + +- The license is not valid. To resolve, [check or update your license](../license_file.md#see-current-license-information). +- GitLab Duo was not configured to use a self-hosted model. To resolve, [check if the GitLab instance is configured to use self-hosted models](#check-if-gitlab-instance-is-configured-to-use-self-hosted-models). + +## Check if GitLab instance is configured to use self-hosted-models + +To check if GitLab Duo was configured correctly: + +1. On the left sidebar, at the bottom, select **Admin**. +1. Select **Self-hosted models** +1. Expand **AI-powered features**. +1. Under **Features**, check that **Code Suggestions** and **Code generation** are set to **Self-hosted model**. + +## Check that GitLab environmental variables are set up correctly + +To check if the GitLab environmental variables are set up correctly, run the +following on the GitLab Rails console: + +```ruby +ENV["AI_GATEWAY_URL"] == "" +``` + +If the environmental variables are not set up correctly, set them by following the +[Linux package custom environment variables setting documentation](https://docs.gitlab.com/omnibus/settings/environment-variables.html). 
+ +## Check if GitLab can make an HTTP request to the AI gateway + +In the GitLab Rails console, verify that GitLab can make an HTTP request to AI +Gateway by running: + +```ruby +HTTParty.get('/monitoring/healthz', headers: { 'accept' => 'application/json' }).code +``` + +If the response is not `200`, this means either of the following: + +- The network is not properly configured to allow GitLab to reach the AI gateway container. Contact your network administrator to verify the setup. +- The AI gateway is not able to process requests. To resolve this issue, [check if the AI gateway can make a request to the model](#check-if-the-ai-gateway-can-make-a-request-to-the-model). + +## Check if the AI gateway can make a request to the model + +From the AI gateway container, make an HTTP request to the AI gateway API for a +Code Suggestion. Replace: + +- `` with the name of the model you are using. For example `mistral` or `codegemma`. +- `` with the endpoint where the model is hosted. + +```shell +docker exec -it sh +curl --request POST "http://localhost:5052/v1/chat/agent" \ + --header 'accept: application/json' \ + --header 'Content-Type: application/json' \ + --data '{ "prompt_components": [ { "type": "string", "metadata": { "source": "string", "version": "string" }, "payload": { "content": "Hello", "provider": "litellm", "model": "", "model_endpoint": "" } } ], "stream": false }' +``` + +If the request fails, the: + +- AI gateway might not be configured properly to use self-hosted models. To resolve this, [check that the AI gateway environmental variables are set up correctly](#check-that-the-ai-gateway-environmental-variables-are-set-up-correctly). +- AI gateway might not be able to access the model. To resolve, + [check if the model is reachable from the AI gateway](#check-if-the-model-is-reachable-from-ai-gateway). +- Model name or endpoint might be incorrect. Check the values, and correct them + if necessary. 
+
+## Check if AI gateway can process requests
+
+```shell
+docker exec -it sh
+curl '/monitoring/healthz'
+```
+
+If the response is not `200`, this means that AI gateway is not installed correctly. To resolve, follow the [documentation on how to install the AI gateway](../../install/install_ai_gateway.md).
+
+## Check that the AI gateway environmental variables are set up correctly
+
+To check that the AI gateway environmental variables are set up correctly, run the
+following in a console on the AI gateway container:
+
+```shell
+docker exec -it sh
+echo $AIGW_CUSTOM_MODELS__ENABLED # must be true
+```
+
+If the environmental variables are not set up correctly, set them by
+[creating a container](../../install/install_ai_gateway.md#find-the-ai-gateway-release).
+
+## Check if the model is reachable from AI gateway
+
+Create a shell on the AI gateway container and make a curl request to the model.
+If you find that the AI gateway cannot make that request, this might be caused by the:
+
+1. Model server not functioning correctly.
+1. Network settings around the container not being properly configured to allow
+ requests to where the model is hosted.
+
+To resolve this, contact your network administrator.
+
+## The image's platform does not match the host
+
+When [finding the AI gateway release](../../install/install_ai_gateway.md#find-the-ai-gateway-release),
+you might get an error that states `The requested image's platform (linux/amd64) does not match the detected host`.
+
+To work around this error, add `--platform linux/amd64` to the `docker run` command:
+
+```shell
+docker run --platform linux/amd64 -e AIGW_GITLAB_URL=
+```
+
+## LLM server is not available inside the AI gateway container
+
+If the LLM server is installed on the same instance as the AI gateway container, it may not be accessible through the local host.
+
+To resolve this:
+
+1. Include `--network host` in the `docker run` command to enable local requests from the AI gateway container.
+1.
Use the `-e AIGW_FASTAPI__METRICS_PORT=8083` flag to address the port conflicts. + +```shell +docker run --network host -e AIGW_GITLAB_URL= -e AIGW_FASTAPI__METRICS_PORT=8083 +``` + +## vLLM 404 Error + +If you encounter a **404 error** while using vLLM, follow these steps to resolve the issue: + +1. Create a chat template file named `chat_template.jinja` with the following content: + + ```jinja + {%- for message in messages %} + {%- if message["role"] == "user" %} + {{- "[INST] " + message["content"] + "[/INST]" }} + {%- elif message["role"] == "assistant" %} + {{- message["content"] }} + {%- elif message["role"] == "system" %} + {{- bos_token }}{{- message["content"] }} + {%- endif %} + {%- endfor %} + ``` + +1. When running the vLLM command, ensure you specify the `--served-model-name`. For example: + + ```shell + vllm serve "mistralai/Mistral-7B-Instruct-v0.3" --port --max-model-len 17776 --served-model-name mistral --chat-template chat_template.jinja + ``` + +1. Check the vLLM server URL in the GitLab UI to make sure that URL includes the `/v1` suffix. The correct format is: + + ```shell + http(s)://:/v1 + ``` + +## Code Suggestions access error + +If you are experiencing issues accessing Code Suggestions after setup, try the following steps: + +1. In the Rails console, check and verify the license parameters: + + ```shell + sudo gitlab-rails console + user = User.find(id) # Replace id with the user provisioned with GitLab Duo Enterprise seat + Ability.allowed?(user, :access_code_suggestions) # Must return true + ``` + +1. Check if the necessary features are enabled and available: + + ```shell + ::Ai::FeatureSetting.code_suggestions_self_hosted? 
# Should be true
+ ```
+
+## Verify GitLab setup
+
+To verify your GitLab Self-Managed setup, run the following command:
+
+```shell
+gitlab-rake gitlab:duo:verify_self_hosted_setup
+```
+
+## No logs generated in the AI gateway server
+
+If no logs are generated in the **AI gateway server**, follow these steps to troubleshoot:
+
+1. Ensure the `expanded_ai_logging` feature flag is enabled:
+
+ ```ruby
+ Feature.enable(:expanded_ai_logging)
+ ```
+
+1. Run the following commands to view the GitLab Rails logs for any errors:
+
+ ```shell
+ sudo gitlab-ctl tail
+ sudo gitlab-ctl tail sidekiq
+ ```
+
+1. Look for keywords like "Error" or "Exception" in the logs to identify any underlying issues.
+
+## SSL certificate errors and key de-serialization issues in the AI gateway Container
+
+When attempting to initiate a Duo Chat inside the AI gateway container, SSL certificate errors and key deserialization issues may occur.
+
+The system might encounter issues loading the PEM file, resulting in errors like:
+
+```plaintext
+JWKError: Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, or it may be encrypted with an unsupported algorithm.
+```
+
+To resolve the SSL certificate error:
+
+- Set the appropriate certificate bundle path in the Docker container using the following environment variables:
+ - `SSL_CERT_FILE=/path/to/ca-bundle.pem`
+ - `REQUESTS_CA_BUNDLE=/path/to/ca-bundle.pem`
+
+## Troubleshooting common Duo Chat errors
+
+### Error A1000
+
+You might get an error that states
+`I'm sorry, I couldn't respond in time. Please try again. Error code: A1000`.
+
+This error occurs when there is a timeout during processing. Try your request again.
+
+### Error A1001
+
+You might get an error that states
+`I'm sorry, I can't generate a response. Please try again. Error code: A1001`.
+
+This error means there was a problem connecting to the AI gateway. 
You might need to check the network settings and ensure that the AI gateway is accessible from the GitLab instance.
+
+Use the [self-hosted debugging script](#use-debugging-scripts) to verify if the AI gateway is accessible from the GitLab instance and is working as expected.
+
+If problem persists, report the issue to the GitLab support team.
+
+### Error A1002
+
+You might get an error that states
+`I'm sorry, I couldn't respond in time. Please try again. Error code: A1002`.
+
+This error occurs when no events are returned from AI gateway or GitLab failed to parse the events. Check the [AI Gateway logs](../self_hosted_models/logging.md) for any errors.
+
+### Error A1003
+
+You might get an error that states
+`I'm sorry, I couldn't respond in time. Please try again. Error code: A1003`.
+
+This error typically occurs due to issues with streaming from the model to the AI gateway. To resolve this issue:
+
+1. In the AI gateway container, run the following command:
+
+ ```shell
+ curl --request 'POST' \
+ 'http://localhost:5052/v2/chat/agent' \
+ --header 'accept: application/json' \
+ --header 'Content-Type: application/json' \
+ --header 'x-gitlab-enabled-feature-flags: expanded_ai_logging' \
+ --data '{
+ "messages": [
+ {
+ "role": "user",
+ "content": "Hello",
+ "context": null,
+ "current_file": null,
+ "additional_context": []
+ }
+ ],
+ "model_metadata": {
+ "provider": "custom_openai",
+ "name": "mistral",
+ "endpoint": "",
+ "api_key": "",
+ "identifier": ""
+ },
+ "unavailable_resources": [],
+ "options": {
+ "agent_scratchpad": {
+ "agent_type": "react",
+ "steps": []
+ }
+ }
+ }'
+ ```
+
+ If streaming is working, chunked responses should be displayed. If it is not, it will likely show an empty response.
+
+1. Check the [AI gateway logs](../self_hosted_models/logging.md) for specific error messages, because this is usually a model deployment issue.
+
+1. 
To validate the connection, disable the streaming by setting the `AIGW_CUSTOM_MODELS__DISABLE_STREAMING` environment variable in your AI gateway container:
+
+ ```shell
+ docker run .... -e AIGW_CUSTOM_MODELS__DISABLE_STREAMING=true ...
+ ```
+
+### Error A9999
+
+You might get an error that states
+`I'm sorry, I can't generate a response. Please try again. Error code: A9999`.
+
+This error occurs when an unknown error occurs in ReAct agent. Try your request again. If the problem persists, report the issue to the GitLab support team.
+
+## Related topics
+
+- [GitLab Duo troubleshooting](../../user/gitlab_duo_chat/troubleshooting.md)
diff --git a/doc/administration/self_hosted_models/configuration_types.md b/doc/administration/self_hosted_models/configuration_types.md
index 4fc3253b102..f9e3c4a86b1 100644
--- a/doc/administration/self_hosted_models/configuration_types.md
+++ b/doc/administration/self_hosted_models/configuration_types.md
@@ -1,111 +1,13 @@ --- -stage: AI-Powered -group: Custom Models -description: Get started with GitLab Duo Self-Hosted. -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -title: GitLab Duo Self-Hosted configuration and authentication +redirect_to: '../gitlab_duo_self_hosted/configuration_types.md' +remove_date: '2025-05-05' --- -DETAILS: -**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) -**Offering:** GitLab Self-Managed -**Status:** Beta + -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default. -> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6. -> - Changed to require GitLab Duo add-on in GitLab 17.6 and later. -> - Feature flag `ai_custom_model` removed in GitLab 17.8 +This document was moved to [another location](../gitlab_duo_self_hosted/configuration_types.md). -There are two configuration options for self-managed customers: - -- **GitLab.com AI gateway**: Use the GitLab-managed AI gateway with default external - large language model (LLM) providers (for example, Google Vertex or Anthropic). -- **Self-hosted AI gateway**: Deploy and manage your own AI gateway and language models in your infrastructure, - without depending on GitLab-provided external language providers. - -## GitLab.com AI gateway - -In this configuration, your GitLab instance depends on and sends requests to the external GitLab AI gateway, which communicates with external AI vendors such as Google Vertex or Anthropic. The response is then forwarded back to your GitLab instance. 
- -```mermaid -%%{init: { "theme": "default", "fontFamily": "GitLab Sans", "sequence": { "actorFontSize": 12, "participantFontSize": 12, "messageFontSize": 12 } }}%% -sequenceDiagram - actor User as User - participant SelfHostedGitLab as Self-hosted GitLab (Your Instance) - participant GitLabAIGateway as GitLab AI gateway (External) - participant GitLabAIVendor as GitLab AI Vendor (External) - - User ->> SelfHostedGitLab: Send request - SelfHostedGitLab ->> SelfHostedGitLab: Check if self-hosted model is configured - SelfHostedGitLab ->> GitLabAIGateway: Forward request for AI processing - GitLabAIGateway ->> GitLabAIVendor: Create prompt and send request to AI model server - GitLabAIVendor -->> GitLabAIGateway: Respond to the prompt - GitLabAIGateway -->> SelfHostedGitLab: Forward AI response - SelfHostedGitLab -->> User: Forward AI response -``` - -## Self-hosted AI gateway - -In this configuration, the entire system is isolated within the enterprise, ensuring a fully self-hosted environment that safeguards data privacy. 
- -```mermaid -%%{init: { "theme": "default", "fontFamily": "GitLab Sans", "sequence": { "actorFontSize": 12, "participantFontSize": 12, "messageFontSize": 12 } }}%% -sequenceDiagram - actor User as User - participant SelfHostedGitLab as Self-hosted GitLab - participant SelfHostedAIGateway as Self-hosted AI gateway - participant SelfHostedModel as Self-hosted model - - User ->> SelfHostedGitLab: Send request - SelfHostedGitLab ->> SelfHostedGitLab: Check if self-hosted model is configured - SelfHostedAIGateway ->> SelfHostedModel: Create prompt and perform request to AI model server - SelfHostedGitLab ->> SelfHostedAIGateway: Forward request for AI processing - SelfHostedModel -->> SelfHostedAIGateway: Respond to the prompt - SelfHostedAIGateway -->> SelfHostedGitLab: Forward AI response - SelfHostedGitLab -->> User: Forward AI response -``` - -For more information, see the [self-hosted model deployment blueprint](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/custom_models/). - -## Authentication for GitLab Duo Self-Hosted - -The authentication process for GitLab Duo Self-Hosted is secure, efficient, and made up of the following key components: - -- **Self-issued tokens**: In this architecture, access credentials are not synchronized with `cloud.gitlab.com`. Instead, tokens are self-issued dynamically, similar to the functionality on GitLab.com. This method provides users with immediate access while maintaining a high level of security. - -- **Offline environments**: In offline setups, there are no connections to `cloud.gitlab.com`. All requests are routed exclusively to the self-hosted AI gateway. - -- **Token minting and verification**: The instance mints the token, which is then verified by the AI gateway against the GitLab instance. - -- **Model configuration and security**: When an administrator configures a model, they can incorporate an API key to authenticate requests. 
Additionally, you can enhance security by specifying connection IP addresses within your network, ensuring that only trusted IPs can interact with the model. - -As illustrated in the following diagram: - -1. The authentication flow begins when the user configures the model through the GitLab instance and submits a request to access the GitLab Duo feature. -1. The GitLab instance mints an access token, which the user forwards to GitLab and then to the AI gateway for verification. -1. Upon confirming the token's validity, the AI gateway sends a request to the AI model, which uses the API key to authenticate the request and process it. -1. The results are then relayed back to the GitLab instance, completing the flow by sending the response to the user, which is designed to be secure and efficient. - -```mermaid -%%{init: { "theme": "default", "fontFamily": "GitLab Sans", "sequence": { "actorFontSize": 12, "participantFontSize": 12, "messageFontSize": 12 } }}%% - sequenceDiagram - participant User as User - participant GitLab as GitLab Instance - participant AI gateway as AI gateway - participant AIModel as AI Model - - User->>GitLab: Configure Model - User->>GitLab: Request Access - GitLab->>GitLab: Mint Token - GitLab->>User: Send Token - User->>GitLab: Forward Minted Token - GitLab->>AI gateway: Verify Token - AI gateway->>GitLab: Token Validated - GitLab->>AI gateway: Send Request to Model - AI gateway->>AIModel: Send Request to Model - AIModel->>AIModel: Authenticate using API Key - AIModel->>AI gateway: Process Request - AI gateway->>GitLab: Send Result to GitLab - GitLab->>User: Send Response - -``` + + + + diff --git a/doc/administration/self_hosted_models/configure_duo_features.md b/doc/administration/self_hosted_models/configure_duo_features.md index 1eabf1823ab..0f35dd56a56 100644 --- a/doc/administration/self_hosted_models/configure_duo_features.md +++ b/doc/administration/self_hosted_models/configure_duo_features.md 
@@ -1,158 +1,13 @@ --- -stage: AI-Powered -group: Custom Models -description: Configure your GitLab instance to use GitLab Duo Self-Hosted. -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -title: Configure GitLab to access GitLab Duo Self-Hosted +redirect_to: '../gitlab_duo_self_hosted/configure_duo_features.md' +remove_date: '2025-05-05' --- -DETAILS: -**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) -**Offering:** GitLab Self-Managed -**Status:** Beta + -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default. -> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6. -> - Changed to require GitLab Duo add-on in GitLab 17.6 and later. -> - Feature flag `ai_custom_model` removed in GitLab 17.8 +This document was moved to [another location](../gitlab_duo_self_hosted/configure_duo_features.md). -To configure your GitLab instance to access the available self-hosted models in your infrastructure: - -1. [Confirm that a fully self-hosted configuration is appropriate for your use case](index.md#decide-on-your-configuration-type). -1. Configure your GitLab instance. -1. Configure the self-hosted model. -1. Configure the GitLab Duo features to use your self-hosted model. - -## Configure your GitLab instance - -Prerequisites: - -- [Upgrade to the latest version of GitLab](../../update/_index.md). - -To configure your GitLab instance to access the AI gateway: - -::Tabs - -:::TabTitle Linux package - -1. Where your GitLab instance is installed, update the `/etc/gitlab/gitlab.rb` file: - - ```shell - sudo vim /etc/gitlab/gitlab.rb - ``` - -1. 
Add and save the following environment variables: - - ```ruby - gitlab_rails['env'] = { - 'AI_GATEWAY_URL' => ':' - } - ``` - -1. Run reconfigure: - - ```shell - sudo gitlab-ctl reconfigure - ``` - -:::TabTitle Helm Chart (Kubernetes) - -1. Add the following values to your Helm chart: - - ```yaml - gitlab: - webservice: - extraEnv: - AI_GATEWAY_URL: ':' - sidekiq: - extraEnv: - AI_GATEWAY_URL: ':' - toolbox: - extraEnv: - AI_GATEWAY_URL: ':' - ``` - - - The `AI_GATEWAY_URL` parameter for `webservice` must be externally accessible because it is given to editor extensions - for direct connection to the AI gateway. - - The `AI_GATEWAY_URL` parameters for `sidekiq` and `toolbox` can be either externally accessible or Kubernetes internal addresses (for example, `ai-gateway.gitlab.svc.cluster.local`). It might be more time and resource efficient to use Kubernetes internal addresses, so the requests do not have to go through the external load balancer and the Ingress controller to re-enter the cluster. - -::EndTabs - -## Configure the self-hosted model - -Prerequisites: - -- You must be an administrator. -- You must have a Duo Enterprise license add-on. - -To configure a self-hosted model: - -1. On the left sidebar, at the bottom, select **Admin**. -1. Select **GitLab Duo**. -1. In the **GitLab Duo** section, select **Change configuration**. -1. Under **Self-hosted AI models**, select **Turn on self-hosted models**. -1. Select **Save changes**. -1. On the left sidebar, select **Self-hosted models**. - - If the **Self-hosted models** menu item is not available, synchronize your - subscription after purchase: - 1. On the left sidebar, select **Subscription**. - 1. In **Subscription details**, to the right of **Last sync**, select - synchronize subscription (**{retry}**). -1. Select **Add self-hosted model**. -1. Complete the fields: - - **Deployment name**: Enter a name to uniquely identify the model deployment, for example, `Mixtral-8x7B-it-v0.1 on GCP`. 
- - **Model family**: Select the model family the deployment belongs to. Only GitLab-approved models - are in this list. - - **Endpoint**: Enter the URL where the model is hosted. - - For models hosted through vLLM, you must suffix the URL with `/v1`. The default port is `8000`, so the default endpoint URL is `https://:8000/v1`. - - **API key**: Optional. Add an API key if you need one to access the model. - - **Model identifier**: This is a required field if your deployment method is vLLM, Bedrock or Azure. The value of this field is based on your deployment method, and should match the following structure: - - | Deployment method | Format | Example | - |-------------|---------|---------| - | vLLM | `custom_openai/` | `custom_openai/Mixtral-8x7B-Instruct-v0.1` | - | Bedrock | `bedrock/` | `bedrock/mistral.mixtral-8x7b-instruct-v0:1` | - | Azure OpenAI | `azure/` | `azure/gpt-35-turbo` | - | Others | The field is optional | | - -1. Select **Create self-hosted model**. - -## Configure GitLab Duo features to use self-hosted models - -Prerequisites: - -- You must be an administrator. -- You must have a Duo Enterprise license add-on. - -### View configured features - -1. On the left sidebar, at the bottom, select **Admin**. -1. Select **Self-hosted models**. - - If the **Self-hosted models** menu item is not available, synchronize your - subscription after purchase: - 1. On the left sidebar, select **Subscription**. - 1. In **Subscription details**, to the right of **Last sync**, select - synchronize subscription (**{retry}**). -1. Select the **AI-powered features** tab. - -### Configure the feature to use a self-hosted model - -Configure the GitLab Duo feature to send queries to the configured self-hosted model: - -1. On the left sidebar, at the bottom, select **Admin**. -1. Select **Self-hosted models**. -1. Select the **AI-powered features** tab. -1. For the feature you want to configure, from the dropdown list, choose the self-hosted model you want to use. 
For example, `Mistral`. - -### Configure the feature to use GitLab AI Vendor models - -Prerequisites: - -- You must use an [online license](https://about.gitlab.com/pricing/licensing-faq/cloud-licensing/#what-is-cloud-licensing). - -Configure the GitLab Duo feature to send queries to the Cloud Connector and use the GitLab AI Vendor model: - -1. On the left sidebar, at the bottom, select **Admin**. -1. Select **Self-hosted models**. -1. Select the **AI-powered features** tab. -1. For the feature you want to configure, from the dropdown list, select **GitLab AI Vendor**. + + + + diff --git a/doc/administration/self_hosted_models/index.md b/doc/administration/self_hosted_models/index.md index aac7f09def2..467f0469398 100644 --- a/doc/administration/self_hosted_models/index.md +++ b/doc/administration/self_hosted_models/index.md 
@@ -1,124 +1,13 @@ --- -stage: AI-Powered -group: Custom Models -description: Get started with GitLab Duo Self-Hosted. -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -title: GitLab Duo Self-Hosted +redirect_to: '../gitlab_duo_self_hosted/index.md' +remove_date: '2025-05-05' --- -DETAILS: -**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) -**Offering:** GitLab Self-Managed -**Status:** Beta + -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default. -> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6. -> - Changed to require GitLab Duo add-on in GitLab 17.6 and later. -> - Feature flag `ai_custom_model` removed in GitLab 17.8 +This document was moved to [another location](../gitlab_duo_self_hosted/index.md). -To maintain full control over your data privacy, security, and the deployment of large language models (LLMs) in your own infrastructure, use GitLab Duo Self-Hosted. - -By deploying GitLab Duo Self-Hosted, you can manage the entire lifecycle of requests made to LLM backends for GitLab Duo features, ensuring that all requests stay in your enterprise network, and avoiding external dependencies. - -## Why use GitLab Duo Self-Hosted - -With GitLab Duo Self-Hosted, you can: - -- Choose any GitLab-approved LLM. -- Retain full control over data by keeping all request/response logs in your domain, ensuring complete privacy and security with no external API calls. -- Isolate the GitLab instance, AI gateway, and models in your own environment. -- Select specific GitLab Duo features tailored to your users. -- Eliminate reliance on the shared GitLab AI gateway. 
- -This setup ensures enterprise-level privacy and flexibility, allowing seamless integration of your LLMs with GitLab Duo features. - -### Supported GitLab Duo Chat features - -You can use the following GitLab Duo Chat features with GitLab Duo Self-Hosted: - -- [Ask about GitLab](../../user/gitlab_duo_chat/examples.md#ask-about-gitlab) -- [Ask about a specific issue](../../user/gitlab_duo_chat/examples.md#ask-about-a-specific-issue) -- [Ask about a specific epic](../../user/gitlab_duo_chat/examples.md#ask-about-a-specific-epic) -- [Explain selected code](../../user/gitlab_duo_chat/examples.md#explain-selected-code) -- [Ask about or generate code](../../user/gitlab_duo_chat/examples.md#ask-about-or-generate-code) -- [Ask follow up questions](../../user/gitlab_duo_chat/examples.md#ask-follow-up-questions) -- [Ask about errors](../../user/gitlab_duo_chat/examples.md#ask-about-errors) -- [Ask about specific files](../../user/gitlab_duo_chat/examples.md#ask-about-specific-files) -- [Refactor code in the IDE](../../user/gitlab_duo_chat/examples.md#refactor-code-in-the-ide) -- [Fix code in the IDE](../../user/gitlab_duo_chat/examples.md#fix-code-in-the-ide) -- [Write tests in the IDE](../../user/gitlab_duo_chat/examples.md#write-tests-in-the-ide) -- [Ask about CI/CD](../../user/gitlab_duo_chat/examples.md#ask-about-cicd) -- [Use universal and IDE slash commands](../../user/gitlab_duo_chat/examples.md#gitlab-duo-chat-slash-commands) - -### Prerequisites - -Before setting up the GitLab Duo Self-Hosted infrastructure, you must have: - -- A [supported model](supported_models_and_hardware_requirements.md) (either cloud-based or on-premises). -- A [supported serving platform](supported_llm_serving_platforms.md) (either cloud-based or on-premises). -- A [locally hosted AI gateway](../../install/install_ai_gateway.md). -- [Ultimate with GitLab Duo Enterprise](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?toggle=gitlab-duo-pro). 
- -## Decide on your configuration type - -The configuration for GitLab Duo Self-Hosted is different to the default configuration -that uses GitLab external AI vendors. - -NOTE: -Both of the following configuration types are for GitLab Self-Managed instances. - -### Self-hosted AI gateway and LLMs - -In a fully self-hosted configuration, you deploy your own AI gateway and LLMs in your infrastructure, without relying on external public services. This gives you full control over your data and security. - -If you have an offline environment with physical barriers or security policies that prevent or limit internet access, and comprehensive LLM controls, you can use GitLab Duo Self-Hosted. - -For licensing, you must have a GitLab Ultimate subscription and GitLab Duo Enterprise. Offline Enterprise licenses are available for those customers with fully isolated offline environments. To get access to your purchased subscription, request a license through the [Customers Portal](../../subscriptions/customers_portal.md). - -For more information, see: - -- [Set up a GitLab Duo Self-Hosted infrastructure](#set-up-a-gitlab-duo-self-hosted-infrastructure) -- The [self-hosted AI gateway configuration diagram](configuration_types.md#self-hosted-ai-gateway). - -### GitLab.com AI gateway with default GitLab external vendor LLMs - -If you do not meet the use case criteria for GitLab Duo Self-Hosted, you can use the -GitLab.com AI gateway with default GitLab external vendor LLMs. - -The GitLab.com AI gateway is the default Enterprise offering and is not self-hosted. In this configuration, -you connect your instance to the GitLab-hosted AI gateway, which -integrates with external vendor LLM providers (such as Google Vertex or Anthropic). - -These LLMs communicate through the [GitLab Cloud Connector](../../development/cloud_connector/_index.md), -offering a ready-to-use AI solution without the need for on-premise infrastructure. 
- -For licensing, you must have a GitLab Ultimate subscription, and either [GitLab Duo Pro](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) or [GitLab Duo Enterprise](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial). To get access to your purchased subscription, request a license through the [Customers Portal](../../subscriptions/customers_portal.md) - -For more information, see the -[GitLab.com AI gateway configuration diagram](configuration_types.md#gitlabcom-ai-gateway). - -To set up this infrastructure, see [how to configure GitLab Duo on a GitLab Self-Managed instance](../../user/gitlab_duo/setup.md). - -## Set up a GitLab Duo Self-Hosted infrastructure - -To set up a fully isolated GitLab Duo Self-Hosted infrastructure: - -1. **Install a Large Language Model (LLM) Serving Infrastructure** - - - We support various platforms for serving and hosting your LLMs, such as vLLM, AWS Bedrock, and Azure OpenAI. To help you choose the most suitable option for effectively deploying your models, see the [supported LLM platforms documentation](supported_llm_serving_platforms.md) for more information on each platform's features. - - - We provide a comprehensive matrix of supported models along with their specific features and hardware requirements. To help select models that best align with your infrastructure needs for optimal performance, see the [supported models and hardware requirements documentation](supported_models_and_hardware_requirements.md). - -1. **Install the GitLab AI gateway** - [Install the AI gateway](../../install/install_ai_gateway.md) to efficiently configure your AI infrastructure. - -1. **Configure GitLab Duo features** - See the [Configure GitLab Duo features documentation](configure_duo_features.md) for instructions on how to customize your environment to effectively meet your operational needs. - -1. **Enable logging** - You can find configuration details for enabling logging in your environment. 
For help in using logs to track and manage your system's performance effectively, see the [logging documentation](logging.md). - -## Related topics - -- [Import custom models into Amazon Bedrock](https://www.youtube.com/watch?v=CA2AXfWWdpA) -- [Troubleshooting](troubleshooting.md) + + + + diff --git a/doc/administration/self_hosted_models/licensing_and_offerings.md b/doc/administration/self_hosted_models/licensing_and_offerings.md index f144bd676b2..f9e3c4a86b1 100644 --- a/doc/administration/self_hosted_models/licensing_and_offerings.md +++ b/doc/administration/self_hosted_models/licensing_and_offerings.md 
@@ -1,69 +1,13 @@ --- -stage: AI-Powered -group: Custom Models -description: Self-Hosted AI Models Licensing and Offerings -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -title: 'Self-Hosted AI Models: Licensing and Offerings' +redirect_to: '../gitlab_duo_self_hosted/configuration_types.md' +remove_date: '2025-05-05' --- -DETAILS: -**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) -**Offering:** GitLab Self-Managed -**Status:** Beta + -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default. -> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6. -> - Changed to require GitLab Duo add-on in GitLab 17.6 and later. -> - Feature flag `ai_custom_model` removed in GitLab 17.8 +This document was moved to [another location](../gitlab_duo_self_hosted/configuration_types.md). -To deploy self-hosted AI models, you need GitLab Ultimate and Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial). - -## Offerings - -### 1. Self-Hosted Models - -These are AI models deployed within your infrastructure, giving you full control over your data and security. - -- **Configuration:** Set up an AI gateway and configure model endpoints within GitLab. -- **Licensing:** Requires a valid GitLab license. You can request a license through the [Customers Portal](https://customers.gitlab.com). 
- -The following sequence diagram illustrates the process of handling a user request through a self-hosted model: - -```mermaid -sequenceDiagram - participant User - participant GitLab as GitLab Instance - participant Gateway as AI gateway - participant Model as Self-Hosted Model Endpoint - - User->>GitLab: API Request - GitLab->>Gateway: Forward Request - Gateway->>Model: Route to Self-Hosted Model - Model-->>Gateway: Return Response - Gateway-->>GitLab: Send Response - GitLab-->>User: Deliver Response -``` - -### 2. GitLab Vendor Models - -These models are hosted by GitLab and accessed through the GitLab Cloud Connector, providing an out-of-the-box AI solution without requiring on-premise infrastructure. - -- **Configuration:** Enable the desired features in GitLab and select a vendor-hosted model. -- **Licensing:** Included with your GitLab subscription, depending on your plan (Ultimate or GitLab Duo). No additional license is required for these models. - -The following sequence diagram illustrates the process of handling a user request through a GitLab Vendor Model: - -```mermaid -sequenceDiagram - participant User - participant GitLab as GitLab Instance - participant Connector as GitLab Cloud Connector - participant Vendor as GitLab Hosted Model - - User->>GitLab: API Request - GitLab->>Connector: Forward Request - Connector->>Vendor: Route to GitLab Hosted Model - Vendor-->>Connector: Return Response - Connector-->>GitLab: Send Response - GitLab-->>User: Deliver Response -``` + + + + diff --git a/doc/administration/self_hosted_models/logging.md b/doc/administration/self_hosted_models/logging.md index 41a049a277e..a8ce2cddce2 100644 --- a/doc/administration/self_hosted_models/logging.md +++ b/doc/administration/self_hosted_models/logging.md 
@@ -1,312 +1,13 @@
 ---
-stage: AI-Powered
-group: Custom Models
-description: Enable logging for self-hosted models.
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
-title: Enable logging for self-hosted models
+redirect_to: '../gitlab_duo_self_hosted/logging.md'
+remove_date: '2025-05-05'
 ---
-DETAILS:
-**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
-**Offering:** GitLab Self-Managed
-**Status:** Beta
+
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
-> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
-> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
-> - Feature flag `ai_custom_model` removed in GitLab 17.8
+This document was moved to [another location](../gitlab_duo_self_hosted/logging.md).
-Prerequisites:
-
-- You must be an administrator.
-- You must have a Duo Enterprise license add-on.
-
-To enable logging and access the logs, enable the feature flag:
-
-```ruby
-Feature.enable(:expanded_ai_logging)
-```
-
-Disabling the feature flag stops logs from being written.
-
-## Logs in your GitLab installation
-
-The logging setup is designed to protect sensitive information while maintaining transparency about system operations, and is made up of the following components:
-
-- Logs that capture requests to the GitLab instance.
-- Feature flag and logging control.
-- The `llm.log` file.
- -### Logs that capture requests to the GitLab instance - -Logging in the `application.json`, `production_json.log`, and `production.log` files, among others, capture requests to the GitLab instance: - -- **Filtered Requests**: We log the requests in these files but ensure that sensitive data (such as input parameters) is **filtered**. This means that while the request metadata is captured (for example, the request type, endpoint, and response status), the actual input data (for example, the query parameters, variables, and content) is not logged to prevent the exposure of sensitive information. -- **Example 1**: In the case of a code suggestions completion request, the logs capture the request details while filtering sensitive information: - - ```json - { - "method": "POST", - "path": "/api/graphql", - "controller": "GraphqlController", - "action": "execute", - "status": 500, - "params": [ - {"key": "query", "value": "[FILTERED]"}, - {"key": "variables", "value": "[FILTERED]"}, - {"key": "operationName", "value": "chat"} - ], - "exception": { - "class": "NoMethodError", - "message": "undefined method `id` for {:skip=>true}:Hash" - }, - "time": "2024-08-28T14:13:50.328Z" - } - ``` - - As shown, while the error information and general structure of the request are logged, the sensitive input parameters are marked as `[FILTERED]`. 
- -- **Example 2**: In the case of a code suggestions completion request, the logs also capture the request details while filtering sensitive information: - - ```json - { - "method": "POST", - "path": "/api/v4/code_suggestions/completions", - "status": 200, - "params": [ - {"key": "prompt_version", "value": 1}, - {"key": "current_file", "value": {"file_name": "/test.rb", "language_identifier": "ruby", "content_above_cursor": "[FILTERED]", "content_below_cursor": "[FILTERED]"}}, - {"key": "telemetry", "value": []} - ], - "time": "2024-10-15T06:51:09.004Z" - } - ``` - - As shown, while the general structure of the request is logged, the sensitive input parameters such as `content_above_cursor` and `content_below_cursor` are marked as `[FILTERED]`. - -### Feature Flag and Logging Control - -**Feature Flag Dependency**: You can control a subset of these logs by enabling or disabling the `expanded_ai_logging` feature flag. Disabling the feature flag disables logging for specific operations. For more information, see the [Feature Flag section under Privacy Considerations](../../development/ai_features/logging.md#privacy-considerations). - -### The `llm.log` file - -When the `:expanded_ai_logging` feature flag is enabled, the [`llm.log` file](../logs/index.md#llmlog) in your GitLab instance captures code generation and Chat events that occur through your instance. The log file does not capture anything when the feature flag is not enabled. Code completion logs are captured directly in the AI gateway. - -For more information on: - -- Logged events and their properties, see the [logged event documentation](../../development/ai_features/logged_events.md). -- How to rotate, manage, export, and visualize the logs in `llm.log`, see the [log system documentation](../logs/index.md). -- The log file location (for example, so you can delete logs), see [LLM input and output logging](../logs/index.md#llm-input-and-output-logging). 
- -### Logs in your AI gateway container - -To specify the location of logs generated by AI gateway, run: - -```shell -docker run -e AIGW_GITLAB_URL= \ - -e AIGW_GITLAB_API_URL=https:///api/v4/ \ - -e AIGW_GITLAB_API_URL=https:///api/v4/ \ - -e AIGW_LOGGING__TO_FILE="aigateway.log" \ - -v :"aigateway.log" - -``` - -If you do not specify a filename, logs are streamed to the output and can also be managed using Docker logs. -For more information, see the [Docker Logs documentation](https://docs.docker.com/reference/cli/docker/container/logs/). - -Additionally, the outputs of the AI gateway execution can help with debugging issues. To access them: - -- When using Docker: - - ```shell - docker logs - ``` - -- When using Kubernetes: - - ```shell - kubectl logs - ``` - -To ingest these logs into the logging solution, see your logging provider documentation. - -### Logs structure - -When a POST request is made (for example, to the `/chat/completions` endpoint), the server logs the request: - -- Payload -- Headers -- Metadata - -#### 1. Request payload - -The JSON payload typically includes the following fields: - -- `messages`: An array of message objects. - - Each message object contains: - - `content`: A string representing the user's input or query. - - `role`: Indicates the role of the message sender (for example, `user`). -- `model`: A string specifying the model to be used (for example, `mistral`). -- `max_tokens`: An integer specifying the maximum number of tokens to generate in the response. -- `n`: An integer indicating the number of completions to generate. -- `stop`: An array of strings denoting stop sequences for the generated text. -- `stream`: A boolean indicating whether the response should be streamed. -- `temperature`: A float controlling the randomness of the output. 
- -##### Example request - -```json -{ - "messages": [ - { - "content": "[SUFFIX]None[PREFIX]# # build a hello world ruby method\n def say_goodbye\n puts \"Goodbye, World!\"\n end\n\ndef main\n say_hello\n say_goodbye\nend\n\nmain", - "role": "user" - } - ], - "model": "mistral", - "max_tokens": 128, - "n": 1, - "stop": ["[INST]", "[/INST]", "[PREFIX]", "[MIDDLE]", "[SUFFIX]"], - "stream": false, - "temperature": 0.0 -} -``` - -#### 2. Request headers - -The request headers provide additional context about the client making the request. Key headers might include: - -- `Authorization`: Contains the Bearer token for API access. -- `Content-Type`: Indicates the media type of the resource (for example, `JSON`). -- `User-Agent`: Information about the client software making the request. -- `X-Stainless-` headers: Various headers providing additional metadata about the client environment. - -##### Example request headers - -```json -{ - "host": "0.0.0.0:4000", - "accept-encoding": "gzip, deflate", - "connection": "keep-alive", - "accept": "application/json", - "content-type": "application/json", - "user-agent": "AsyncOpenAI/Python 1.51.0", - "authorization": "Bearer ", - "content-length": "364" -} -``` - -#### 3. Request metadata - -The metadata includes various fields that describe the context of the request: - -- `requester_metadata`: Additional metadata about the requester. -- `user_api_key`: The API key used for the request (anonymized). -- `api_version`: The version of the API being used. -- `request_timeout`: The timeout duration for the request. -- `call_id`: A unique identifier for the call. - -##### Example metadata - -```json -{ - "user_api_key": "", - "api_version": "1.48.18", - "request_timeout": 600, - "call_id": "e1aaa316-221c-498c-96ce-5bc1e7cb63af" -} -``` - -### Example response - -The server responds with a structured model response. 
For example: - -```python -Response: ModelResponse( - id='chatcmpl-5d16ad41-c130-4e33-a71e-1c392741bcb9', - choices=[ - Choices( - finish_reason='stop', - index=0, - message=Message( - content=' Here is the corrected Ruby code for your function:\n\n```ruby\ndef say_hello\n puts "Hello, World!"\nend\n\ndef say_goodbye\n puts "Goodbye, World!"\nend\n\ndef main\n say_hello\n say_goodbye\nend\n\nmain\n```\n\nIn your original code, the method names were misspelled as `say_hell` and `say_gobdye`. I corrected them to `say_hello` and `say_goodbye`, respectively. Also, there was no need for the prefix', - role='assistant', - tool_calls=None, - function_call=None - ) - ) - ], - created=1728983827, - model='mistral', - object='chat.completion', - system_fingerprint=None, - usage=Usage( - completion_tokens=128, - prompt_tokens=69, - total_tokens=197, - completion_tokens_details=None, - prompt_tokens_details=None - ) -) -``` - -### Logs in your inference service provider - -GitLab does not manage logs generated by your inference service provider. See the documentation of your inference service -provider on how to use their logs. - -## Logging behavior in GitLab and AI gateway environments - -GitLab provides logging functionality for AI-related activities through the use of `llm.log`, which captures inputs, outputs, and other relevant information. However, the logging behavior differs depending on whether the GitLab instance and AI gateway are **self-hosted** or **cloud-connected**. - -By default, the log does not contain LLM prompt input and response output to support [data retention policies](../../user/gitlab_duo/data_usage.md#data-retention) of AI feature data. - -## Logging Scenarios - -### GitLab Self-Managed and self-hosted AI gateway - -In this configuration, both GitLab and the AI gateway are hosted by the customer. - -- **Logging Behavior**: Full logging is enabled, and all prompts, inputs, and outputs are logged to `llm.log` on the instance. 
-- **Expanded Logging**: When the `:expanded_ai_logging` feature flag is activated, extra debugging information is logged, including: - - Preprocessed prompts. - - Final prompts. - - Additional context. -- **Privacy**: Because both GitLab and the AI gateway are self-hosted: - - The customer has full control over data handling. - - Logging of sensitive information can be enabled or disabled at the customer's discretion. - -### GitLab Self-Managed and GitLab-managed AI gateway (cloud-connected) - -In this scenario, the customer hosts GitLab but relies on the GitLab-managed AI gateway for AI processing. - -- **Logging Behavior**: Prompts and inputs sent to the AI gateway are **not logged** in the cloud-connected AI gateway to prevent exposure of sensitive information such as personally identifiable information (PII). -- **Expanded Logging**: Even if the `:expanded_ai_logging` feature flag is enabled, no detailed logs are generated in the GitLab-managed AI gateway to avoid unintended leaks of sensitive information. - - Logging remains **minimal** in this setup, and the expanded logging features are disabled by default. -- **Privacy**: This configuration is designed to ensure that sensitive data is not logged in a cloud environment. - -## Feature Flag: `:expanded_ai_logging` - -The `:expanded_ai_logging` feature flag controls whether additional debugging information, including prompts and inputs, is logged. This flag is essential for monitoring and debugging AI-related activities. - -### Behavior by Deployment Setup - -- **GitLab Self-Managed and self-hosted AI gateway**: The feature flag enables detailed logging to `llm.log` on the self-hosted instance, capturing inputs and outputs for AI models. -- **GitLab Self-Managed and GitLab-managed AI gateway**: The feature flag enables logging on your GitLab Self-Managed instance. However, the flag does **not** activate expanded logging for the GitLab-managed AI gateway side. 
Logging remains disabled for the cloud-connected AI gateway to protect sensitive data.
-For more information, see the [Feature Flag section under Privacy Considerations](../../development/ai_features/logging.md#privacy-considerations) documentation.
-
-### Logging in cloud-connected AI gateways
-
-To prevent potential data leakage of sensitive information, expanded logging (including prompts and inputs) is intentionally disabled when using a cloud-connected AI gateway. Preventing the exposure of PII is a priority.
-
-### Cross-referencing logs between the AI gateway and GitLab
-
-The property `correlation_id` is assigned to every request and is carried across different components that respond to a
-request. For more information, see the [documentation on finding logs with a correlation ID](../logs/tracing_correlation_id.md).
-
-The Correlation ID can be found in your AI gateway and GitLab logs. However, it is not present in your model provider logs.
-
-#### Related topics
-
-- [Parsing GitLab logs with jq](../logs/log_parsing.md)
-- [Searching your logs for the correlation ID](../logs/tracing_correlation_id.md#searching-your-logs-for-the-correlation-id)
+
+
+
+
diff --git a/doc/administration/self_hosted_models/supported_llm_serving_platforms.md b/doc/administration/self_hosted_models/supported_llm_serving_platforms.md
index 7e8f651597d..85f664b7326 100644
--- a/doc/administration/self_hosted_models/supported_llm_serving_platforms.md
+++ b/doc/administration/self_hosted_models/supported_llm_serving_platforms.md
@@ -1,95 +1,13 @@
 ---
-stage: AI-Powered
-group: Custom Models
-description: Supported LLM Serving Platforms.
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
-title: GitLab Duo Self-Hosted supported platforms
+redirect_to: '../gitlab_duo_self_hosted/supported_llm_serving_platforms.md'
+remove_date: '2025-05-05'
 ---
-DETAILS:
-**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
-**Offering:** GitLab Self-Managed
-**Status:** Beta
+
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
-> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
-> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
-> - Feature flag `ai_custom_model` removed in GitLab 17.8
+This document was moved to [another location](../gitlab_duo_self_hosted/supported_llm_serving_platforms.md).
-There are multiple platforms available to host your self-hosted Large Language Models (LLMs). Each platform has unique features and benefits that can cater to different needs. The following documentation summarises the currently supported options:
-
-## For self-hosted model deployments
-
-### vLLM
-
-[vLLM](https://docs.vllm.ai/en/latest/index.html) is a high-performance inference server optimized for serving LLMs with memory efficiency. It supports model parallelism and integrates easily with existing workflows.
-
-To install vLLM, see the [vLLM Installation Guide](https://docs.vllm.ai/en/latest/getting_started/installation.html). You should install [version v0.6.4.post1](https://github.com/vllm-project/vllm/releases/tag/v0.6.4.post1) or later.
- -For more information on: - -- vLLM supported models, see the [vLLM Supported Models documentation](https://docs.vllm.ai/en/latest/models/supported_models.html). -- Available options when using vLLM to run a model, see the [vLLM documentation on engine arguments](https://docs.vllm.ai/en/stable/usage/engine_args.html). -- The hardware needed for the models, see the [Supported models and Hardware requirements documentation](supported_llm_serving_platforms.md). - -Examples: - -#### Mistral-7B-Instruct-v0.2 - -1. Download the model from HuggingFace: - - ```shell - git clone https://:@huggingface.co/mistralai/Mistral-7B-Instruct-v0.3 - ``` - -1. Run the server: - - ```shell - vllm serve /Mistral-7B-Instruct-v0.3 \ - --served_model_name \ - --tokenizer_mode mistral \ - --tensor_parallel_size \ - --load_format mistral \ - --config_format mistral \ - --tokenizer /Mistral-7B-Instruct-v0.3 - ``` - -#### Mixtral-8x7B-Instruct-v0.1 - -1. Download the model from HuggingFace: - - ```shell - git clone https://:@huggingface.co/mistralai/Mixtral-8x7B-Instruct-v0.1 - ``` - -1. Rename the token config: - - ```shell - cd /Mixtral-8x7B-Instruct-v0.1 - cp tokenizer.model tokenizer.model.v3 - ``` - -1. Run the model: - - ```shell - vllm serve /Mixtral-8x7B-Instruct-v0.1 \ - --tensor_parallel_size 4 \ - --served_model_name \ - --tokenizer_mode mistral \ - --load_format safetensors \ - --tokenizer /Mixtral-8x7B-Instruct-v0.1/ - ``` - -## For cloud-hosted model deployments - -1. [AWS Bedrock](https://aws.amazon.com/bedrock/). - A fully managed service that allows developers to build and scale generative AI applications using pre-trained models from leading AI companies. It seamlessly integrates with other AWS services and offers a pay-as-you-go pricing model. - - You must configure the GitLab instance with your appropriate AWS IAM permissions before accessing Bedrock models. You cannot do this in the GitLab Duo Self-Hosted UI. 
For example, you can authenticate the AI Gateway instance by defining the [`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_REGION_NAME`](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) when starting the Docker image. For more information, see the [AWS Identity and Access Management (IAM) Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam.html). - - - [Supported foundation models in Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html) - -1. [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/). - Provides access to OpenAI's powerful models, enabling developers to integrate advanced AI capabilities into their applications with robust security and scalable infrastructure. - - [Working with Azure OpenAI models](https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/working-with-models?tabs=powershell) - - [Azure OpenAI Service models](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure%2Cglobal-standard%2Cstandard-chat-completions) + + + + diff --git a/doc/administration/self_hosted_models/supported_models_and_hardware_requirements.md b/doc/administration/self_hosted_models/supported_models_and_hardware_requirements.md index a9565a12a07..8779369970b 100644 --- a/doc/administration/self_hosted_models/supported_models_and_hardware_requirements.md +++ b/doc/administration/self_hosted_models/supported_models_and_hardware_requirements.md 
@@ -1,127 +1,13 @@
 ---
-stage: AI-Powered
-group: Custom Models
-description: Supported Models and Hardware Requirements.
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
-title: Supported GitLab Duo Self-Hosted models and hardware requirements
+redirect_to: '../gitlab_duo_self_hosted/supported_models_and_hardware_requirements.md'
+remove_date: '2025-05-05'
 ---
-DETAILS:
-**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial)
-**Offering:** GitLab Self-Managed
-**Status:** Beta
+
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default.
-> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6.
-> - Changed to require GitLab Duo add-on in GitLab 17.6 and later.
-> - Feature flag `ai_custom_model` removed in GitLab 17.8
+This document was moved to [another location](../gitlab_duo_self_hosted/supported_models_and_hardware_requirements.md).
-The following table shows the supported models along with their specific features and hardware requirements to help you select the model that best fits your infrastructure needs for optimal performance.
- -## Supported LLMs - -Install one of the following GitLab-supported large language models (LLMs): - - - -| Model family | Model | Supported platforms | Status | Code completion | Code generation | GitLab Duo Chat | -|--------------|-------|---------------------|--------|-----------------|-----------------|-----------------| -|Mistral Codestral | [Codestral 22B v0.1](https://huggingface.co/mistralai/Codestral-22B-v0.1) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Generally available | 🟢 Green | 🟢 Green | N/A | -| Mistral | [Mistral 7B-it v0.3](https://huggingface.co/mistralai/Mistral-7B-Instruct-v0.3) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Generally available | 🟢 Green | 🟢 Green | 🔴 Red | -| Mistral | [Mixtral 8x7B-it v0.1](https://huggingface.co/mistralai/Mixtral-8x7B-Instruct-v0.1) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments)
[AWS Bedrock](https://aws.amazon.com/bedrock/mistral/) | Generally available | 🟢 Green | 🟢 Green | 🟡 Amber | -| Mistral | [Mixtral 8x22B-it v0.1](https://huggingface.co/mistralai/Mixtral-8x22B-Instruct-v0.1) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Generally available | 🟢 Green | 🟢 Green | 🟢 Green | -| Claude 3 | [Claude 3.5 Sonnet](https://www.anthropic.com/news/claude-3-5-sonnet) | [AWS Bedrock](https://aws.amazon.com/bedrock/claude/) | Generally available | 🟢 Green | 🟢 Green | 🟢 Green | -| GPT | [GPT-4 Turbo](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure#gpt-4) | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview) | Generally available | 🟢 Green | 🟢 Green | 🟡 Amber | -| GPT | [GPT-4o](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure#gpt-4o-and-gpt-4-turbo) | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview) | Generally available | 🟢 Green | 🟢 Green | 🟢 Green | -| GPT | [GPT-4o-mini](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=python-secure#gpt-4o-and-gpt-4-turbo) | [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-services/openai/overview) | Generally available | 🟢 Green | 🟢 Green | 🟡 Amber | - -Legend: - -- 🟢 Green - Fully compatible. The model can likely handle the feature without any loss of quality. -- 🟡 Amber - Largely compatible. The model supports the feature, but there might be compromises or limitations. -- 🔴 Red - Not compatible. The model is unsuitable for the feature, likely resulting in significant quality loss or performance issues. 
- -The following models are configurable for the functionalities marked below, but are currently in experimental or beta status, under evaluation, and are excluded from the "Customer Integrated Models" definition in the [AI Functionality Terms](https://handbook.gitlab.com/handbook/legal/ai-functionality-terms/): - -| Model family | Model | Supported platforms | Status | Code completion | Code generation | GitLab Duo Chat | -|--------------- |-------|---------------------|--------|-----------------|-----------------|-----------------| -| CodeGemma | [CodeGemma 2b](https://huggingface.co/google/codegemma-2b) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | -| CodeGemma | [CodeGemma 7b-it](https://huggingface.co/google/codegemma-7b-it) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | -| CodeGemma | [CodeGemma 7b-code](https://huggingface.co/google/codegemma-7b) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | -| Code Llama | [Code-Llama 13b](https://huggingface.co/meta-llama/CodeLlama-13b-Instruct-hf) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | -| DeepSeek Coder | [DeepSeek Coder 33b Instruct](https://huggingface.co/deepseek-ai/deepseek-coder-33b-instruct) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | **{check-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** No | -| DeepSeek Coder | [DeepSeek Coder 33b Base](https://huggingface.co/deepseek-ai/deepseek-coder-33b-base) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments) | Beta | 
**{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | -| Mistral | [Mistral 7B-it v0.2](https://huggingface.co/mistralai/Mistral-7B-Instruct-v0.2) | [vLLM](supported_llm_serving_platforms.md#for-self-hosted-model-deployments)
[AWS Bedrock](https://aws.amazon.com/bedrock/mistral/) | Beta | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | - - - -## Hardware requirements - -The following hardware specifications are the minimum requirements for running GitLab Duo Self-Hosted on-premise. Requirements vary significantly based on the model size and intended usage: - -### Base system requirements - -- **CPU**: - - Minimum: 8 cores (16 threads) - - Recommended: 16+ cores for production environments -- **RAM**: - - Minimum: 32 GB - - Recommended: 64 GB for most models -- **Storage**: - - SSD with sufficient space for model weights and data. - -### GPU requirements by model size - -| Model size | Minimum GPU configuration | Minimum VRAM required | -|--------------------------------------------|---------------------------|-----------------------| -| 7B models
(for example, Mistral 7B) | 1x NVIDIA A100 (40GB) | 35 GB | -| 22B models
(for example, Codestral 22B) | 2x NVIDIA A100 (80GB) | 110 GB | -| Mixtral 8x7B | 2x NVIDIA A100 (80GB) | 220 GB | -| Mixtral 8x22B | 8x NVIDIA A100 (80GB) | 526 GB | - -Use [Hugging Face's memory utility](https://huggingface.co/spaces/hf-accelerate/model-memory-usage) to verify memory requirements. - -### Response time by model size and GPU - -#### Small machine - -With a `a2-highgpu-2g` (2x Nvidia A100 40 GB - 150 GB vRAM) or equivalent: - -| Model name | Number of requests | Average time per request (sec) | Average tokens in response | Average tokens per second per request | Total time for requests | Total TPS | -|--------------------------|--------------------|------------------------------|----------------------------|---------------------------------------|-------------------------|-----------| -| Mistral-7B-Instruct-v0.3 | 1 | 7.09 | 717.0 | 101.19 | 7.09 | 101.17 | -| Mistral-7B-Instruct-v0.3 | 10 | 8.41 | 764.2 | 90.35 | 13.70 | 557.80 | -| Mistral-7B-Instruct-v0.3 | 100 | 13.97 | 693.23 | 49.17 | 20.81 | 3331.59 | - -#### Medium machine - -With a `a2-ultragpu-4g` (4x Nvidia A100 40 GB - 340 GB vRAM) machine on GCP or equivalent: - -| Model name | Number of requests | Average time per request (sec) | Average tokens in response | Average tokens per second per request | Total time for requests | Total TPS | -|----------------------------|--------------------|------------------------------|----------------------------|---------------------------------------|-------------------------|-----------| -| Mistral-7B-Instruct-v0.3 | 1 | 3.80 | 499.0 | 131.25 | 3.80 | 131.23 | -| Mistral-7B-Instruct-v0.3 | 10 | 6.00 | 740.6 | 122.85 | 8.19 | 904.22 | -| Mistral-7B-Instruct-v0.3 | 100 | 11.71 | 695.71 | 59.06 | 15.54 | 4477.34 | -| Mixtral-8x7B-Instruct-v0.1 | 1 | 6.50 | 400.0 | 61.55 | 6.50 | 61.53 | -| Mixtral-8x7B-Instruct-v0.1 | 10 | 16.58 | 768.9 | 40.33 | 32.56 | 236.13 | -| Mixtral-8x7B-Instruct-v0.1 | 100 | 25.90 | 767.38 | 26.87 | 55.57 | 1380.68 | - -#### 
Large machine - -With a `a2-ultragpu-8g` (8 x NVIDIA A100 80 GB - 1360 GB vRAM) machine on GCP or equivalent: - -| Model name | Number of requests | Average time per request (sec) | Average tokens in response | Average tokens per second per request | Total time for requests (sec) | Total TPS | -|-----------------------------|--------------------|------------------------------|----------------------------|---------------------------------------|-----------------------------|-----------| -| Mistral-7B-Instruct-v0.3 | 1 | 3.23 | 479.0 | 148.41 | 3.22 | 148.36 | -| Mistral-7B-Instruct-v0.3 | 10 | 4.95 | 678.3 | 135.98 | 6.85 | 989.11 | -| Mistral-7B-Instruct-v0.3 | 100 | 10.14 | 713.27 | 69.63 | 13.96 | 5108.75 | -| Mixtral-8x7B-Instruct-v0.1 | 1 | 6.08 | 709.0 | 116.69 | 6.07 | 116.64 | -| Mixtral-8x7B-Instruct-v0.1 | 10 | 9.95 | 645.0 | 63.68 | 13.40 | 481.06 | -| Mixtral-8x7B-Instruct-v0.1 | 100 | 13.83 | 585.01 | 41.80 | 20.38 | 2869.12 | -| Mixtral-8x22B-Instruct-v0.1 | 1 | 14.39 | 828.0 | 57.56 | 14.38 | 57.55 | -| Mixtral-8x22B-Instruct-v0.1 | 10 | 20.57 | 629.7 | 30.24 | 28.02 | 224.71 | -| Mixtral-8x22B-Instruct-v0.1 | 100 | 27.58 | 592.49 | 21.34 | 36.80 | 1609.85 | - -### AI Gateway Hardware Requirements - -For recommendations on AI gateway hardware, see the [AI gateway scaling recommendations](../../install/install_ai_gateway.md#scaling-recommendations). + + + + diff --git a/doc/administration/self_hosted_models/troubleshooting.md b/doc/administration/self_hosted_models/troubleshooting.md index 8990b2d3cd3..c7603809c7c 100644 --- a/doc/administration/self_hosted_models/troubleshooting.md +++ b/doc/administration/self_hosted_models/troubleshooting.md 
@@ -1,453 +1,13 @@ --- -stage: AI-Powered -group: Custom Models -description: Troubleshooting tips for deploying GitLab Duo Self-Hosted -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -title: Troubleshooting GitLab Duo Self-Hosted +redirect_to: '../gitlab_duo_self_hosted/troubleshooting.md' +remove_date: '2025-05-05' --- -DETAILS: -**Tier:** Ultimate with GitLab Duo Enterprise - [Start a trial](https://about.gitlab.com/solutions/gitlab-duo-pro/sales/?type=free-trial) -**Offering:** GitLab Self-Managed -**Status:** Beta + -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/12972) in GitLab 17.1 [with a flag](../feature_flags.md) named `ai_custom_model`. Disabled by default. -> - [Enabled on GitLab Self-Managed](https://gitlab.com/groups/gitlab-org/-/epics/15176) in GitLab 17.6. -> - Changed to require GitLab Duo add-on in GitLab 17.6 and later. -> - Feature flag `ai_custom_model` removed in GitLab 17.8 +This document was moved to [another location](../gitlab_duo_self_hosted/troubleshooting.md). -When working with GitLab Duo Self-Hosted, you might encounter issues. - -Before you begin troubleshooting, you should: - -- Be able to access open the [`gitlab-rails` console](../operations/rails_console.md). -- Open a shell in the AI gateway Docker image. -- Know the endpoint where your: - - AI gateway is hosted. - - Model is hosted. -- Enable the feature flag `expanded_ai_logging` on the `gitlab-rails` console: - - ```ruby - Feature.enable(:expanded_ai_logging) - ``` - - Now, requests and responses from GitLab to the AI gateway are logged to [`llm.log`](../logs/index.md#llmlog) - -## Use debugging scripts - -We provide two debugging scripts to help administrators verify their self-hosted -model configuration. - -1. Debug the GitLab to AI gateway connection. 
From your GitLab instance, run the - [Rake task](../../raketasks/_index.md): - - ```shell - gitlab-rake "gitlab:duo:verify_self_hosted_setup[]" - ``` - - Optional: Include a `` that has an assigned seat. - If you do not include a username parameter, the Rake task uses the root user. - -1. Debug the AI gateway setup. For your AI gateway container: - - - Restart the AI gateway container with authentication disabled by setting: - - ```shell - -e AIGW_AUTH__BYPASS_EXTERNAL=true - ``` - - This setting is required for the troubleshooting command to run the **System Exchange test**. You must remove this setting after troubleshooting is complete. - - - From your AI gateway container, run: - - ```shell - docker exec -it sh - poetry run troubleshoot [options] - ``` - - The `troubleshoot` command supports the following options: - - | Option | Description | Default | Example | - |--------|-------------|---------|---------| - | `--endpoint` | AI Gateway endpoint | `localhost:5052` | `--endpoint=localhost:5052` | - | `--model-family` | Model family to test. Possible values are `mistral`, `mixtral`, `gpt`, or `claude_3` | - | `--model-family=mistral` | - | `--model-endpoint` | Model endpoint. For models hosted on vLLM, add the `/v1` suffix. | - | `--model-endpoint=http://localhost:4000/v1` | - | `--model-identifier` | Model identifier. | - | `--model-identifier=custom_openai/Mixtral-8x7B-Instruct-v0.1` | - | `--api-key` | Model API key. 
| - | `--api-key=your-api-key` | - - **Examples:** - - For a `claude_3` model running on AWS Bedrock: - - ```shell - poetry run troubleshoot \ - --model-family=claude_3 \ - --model-identifier=bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0 - ``` - - For a `mixtral` model running on vLLM: - - ```shell - poetry run troubleshoot \ - --model-family=mixtral \ - --model-identifier=custom_openai/Mixtral-8x7B-Instruct-v0.1 \ - --api-key=your-api-key \ - --model-endpoint=http:///v1 - ``` - -After troubleshooting is complete, stop and restart the AI gateway container **without** `AIGW_AUTH__BYPASS_EXTERNAL=true`. - -WARNING: -You must not bypass authentication in production. - -Verify the output of the commands, and fix accordingly. - -If both commands are successful, but GitLab Duo Code Suggestions is still not working, -raise an issue on the issue tracker. - -## Check if GitLab can make a request to the model - -From the GitLab Rails console, verify that GitLab can make a request to the model -by running: - -```ruby -model_name = "" -model_endpoint = "" -model_api_key = "" -body = {:prompt_components=>[{:type=>"prompt", :metadata=>{:source=>"GitLab EE", :version=>"17.3.0"}, :payload=>{:content=>[{:role=>:user, :content=>"Hello"}], :provider=>:litellm, :model=>model_name, :model_endpoint=>model_endpoint, :model_api_key=>model_api_key}}]} -ai_gateway_url = Gitlab::AiGateway.url # Verify that it's not nil -client = Gitlab::Llm::AiGateway::Client.new(User.find_by_id(1), service_name: :self_hosted_models) -client.complete(url: "#{ai_gateway_url}/v1/chat/agent", body: body) -``` - -This should return a response from the model in the format: - -```ruby -{"response"=> "", - "metadata"=> - {"provider"=>"litellm", - "model"=>"<>", - "timestamp"=>1723448920}} -``` - -If that is not the case, this might means one of the following: - -- The user might not have access to Code Suggestions. 
To resolve, - [check if a user can request Code Suggestions](#check-if-a-user-can-request-code-suggestions). -- The GitLab environment variables are not configured correctly. To resolve, [check that the GitLab environmental variables are set up correctly](#check-that-gitlab-environmental-variables-are-set-up-correctly). -- The GitLab instance is not configured to use self-hosted models. To resolve, [check if the GitLab instance is configured to use self-hosted models](#check-if-gitlab-instance-is-configured-to-use-self-hosted-models). -- The AI gateway is not reachable. To resolve, [check if GitLab can make an HTTP request to the AI gateway](#check-if-gitlab-can-make-an-http-request-to-the-ai-gateway). -- When the LLM server is installed on the same instance as the AI gateway container, local requests may not work. To resolve, [allow local requests from the Docker container](#llm-server-is-not-available-inside-the-ai-gateway-container). - -## Check if a user can request Code Suggestions - -In the GitLab Rails console, check if a user can request Code Suggestions by running: - -```ruby -User.find_by_id("").can?(:access_code_suggestions) -``` - -If this returns `false`, it means some configuration is missing, and the user -cannot access Code Suggestions. - -This missing configuration might be because of either of the following: - -- The license is not valid. To resolve, [check or update your license](../license_file.md#see-current-license-information). -- GitLab Duo was not configured to use a self-hosted model. To resolve, [check if the GitLab instance is configured to use self-hosted models](#check-if-gitlab-instance-is-configured-to-use-self-hosted-models). - -## Check if GitLab instance is configured to use self-hosted-models - -To check if GitLab Duo was configured correctly: - -1. On the left sidebar, at the bottom, select **Admin**. -1. Select **Self-hosted models** -1. Expand **AI-powered features**. -1. 
Under **Features**, check that **Code Suggestions** and **Code generation** are set to **Self-hosted model**. - -## Check that GitLab environmental variables are set up correctly - -To check if the GitLab environmental variables are set up correctly, run the -following on the GitLab Rails console: - -```ruby -ENV["AI_GATEWAY_URL"] == "" -``` - -If the environmental variables are not set up correctly, set them by following the -[Linux package custom environment variables setting documentation](https://docs.gitlab.com/omnibus/settings/environment-variables.html). - -## Check if GitLab can make an HTTP request to the AI gateway - -In the GitLab Rails console, verify that GitLab can make an HTTP request to AI -Gateway by running: - -```ruby -HTTParty.get('/monitoring/healthz', headers: { 'accept' => 'application/json' }).code -``` - -If the response is not `200`, this means either of the following: - -- The network is not properly configured to allow GitLab to reach the AI gateway container. Contact your network administrator to verify the setup. -- The AI gateway is not able to process requests. To resolve this issue, [check if the AI gateway can make a request to the model](#check-if-the-ai-gateway-can-make-a-request-to-the-model). - -## Check if the AI gateway can make a request to the model - -From the AI gateway container, make an HTTP request to the AI gateway API for a -Code Suggestion. Replace: - -- `` with the name of the model you are using. For example `mistral` or `codegemma`. -- `` with the endpoint where the model is hosted. 
- -```shell -docker exec -it sh -curl --request POST "http://localhost:5052/v1/chat/agent" \ - --header 'accept: application/json' \ - --header 'Content-Type: application/json' \ - --data '{ "prompt_components": [ { "type": "string", "metadata": { "source": "string", "version": "string" }, "payload": { "content": "Hello", "provider": "litellm", "model": "", "model_endpoint": "" } } ], "stream": false }' -``` - -If the request fails, the: - -- AI gateway might not be configured properly to use self-hosted models. To resolve this, [check that the AI gateway environmental variables are set up correctly](#check-that-the-ai-gateway-environmental-variables-are-set-up-correctly). -- AI gateway might not be able to access the model. To resolve, - [check if the model is reachable from the AI gateway](#check-if-the-model-is-reachable-from-ai-gateway). -- Model name or endpoint might be incorrect. Check the values, and correct them - if necessary. - -## Check if AI gateway can process requests - -```shell -docker exec -it sh -curl '/monitoring/healthz' -``` - -If the response is not `200`, this means that AI gateway is not installed correctly. To resolve, follow the [documentation on how to install the AI gateway](../../install/install_ai_gateway.md). - -## Check that the AI gateway environmental variables are set up correctly - -To check that the AI gateway environmental variables are set up correctly, run the -following in a console on the AI gateway container: - -```shell -docker exec -it sh -echo $AIGW_CUSTOM_MODELS__ENABLED # must be true -``` - -If the environmental variables are not set up correctly, set them by -[creating a container](../../install/install_ai_gateway.md#find-the-ai-gateway-release). - -## Check if the model is reachable from AI gateway - -Create a shell on the AI gateway container and make a curl request to the model. -If you find that the AI gateway cannot make that request, this might be caused by the: - -1. Model server not functioning correctly. 
-1. Network settings around the container not being properly configured to allow - requests to where the model is hosted. - -To resolve this, contact your network administrator. - -## The image's platform does not match the host - -When [finding the AI gateway release](../../install/install_ai_gateway.md#find-the-ai-gateway-release), -you might get an error that states `The requested image's platform (linux/amd64) does not match the detected host`. - -To work around this error, add `--platform linux/amd64` to the `docker run` command: - -```shell -docker run --platform linux/amd64 -e AIGW_GITLAB_URL= -``` - -## LLM server is not available inside the AI gateway container - -If the LLM server is installed on the same instance as the AI gateway container, it may not be accessible through the local host. - -To resolve this: - -1. Include `--network host` in the `docker run` command to enable local requests from the AI gateway container. -1. Use the `-e AIGW_FASTAPI__METRICS_PORT=8083` flag to address the port conflicts. - -```shell -docker run --network host -e AIGW_GITLAB_URL= -e AIGW_FASTAPI__METRICS_PORT=8083 -``` - -## vLLM 404 Error - -If you encounter a **404 error** while using vLLM, follow these steps to resolve the issue: - -1. Create a chat template file named `chat_template.jinja` with the following content: - - ```jinja - {%- for message in messages %} - {%- if message["role"] == "user" %} - {{- "[INST] " + message["content"] + "[/INST]" }} - {%- elif message["role"] == "assistant" %} - {{- message["content"] }} - {%- elif message["role"] == "system" %} - {{- bos_token }}{{- message["content"] }} - {%- endif %} - {%- endfor %} - ``` - -1. When running the vLLM command, ensure you specify the `--served-model-name`. For example: - - ```shell - vllm serve "mistralai/Mistral-7B-Instruct-v0.3" --port --max-model-len 17776 --served-model-name mistral --chat-template chat_template.jinja - ``` - -1. 
Check the vLLM server URL in the GitLab UI to make sure that URL includes the `/v1` suffix. The correct format is: - - ```shell - http(s)://:/v1 - ``` - -## Code Suggestions access error - -If you are experiencing issues accessing Code Suggestions after setup, try the following steps: - -1. In the Rails console, check and verify the license parameters: - - ```shell - sudo gitlab-rails console - user = User.find(id) # Replace id with the user provisioned with GitLab Duo Enterprise seat - Ability.allowed?(user, :access_code_suggestions) # Must return true - ``` - -1. Check if the necessary features are enabled and available: - - ```shell - ::Ai::FeatureSetting.code_suggestions_self_hosted? # Should be true - ``` - -## Verify GitLab setup - -To verify your GitLab Self-Managed setup, run the following command: - -```shell -gitlab-rake gitlab:duo:verify_self_hosted_setup -``` - -## No logs generated in the AI gateway server - -If no logs are generated in the **AI gateway server**, follow these steps to troubleshoot: - -1. Ensure the `expanded_ai_logging` feature flag is enabled: - - ```ruby - Feature.enable(:expanded_ai_logging) - ``` - -1. Run the following commands to view the GitLab Rails logs for any errors: - - ```shell - sudo gitlab-ctl tail - sudo gitlab-ctl tail sidekiq - ``` - -1. Look for keywords like "Error" or "Exception" in the logs to identify any underlying issues. - -## SSL certificate errors and key de-serialization issues in the AI gateway Container - -When attempting to initiate a Duo Chat inside the AI gateway container, SSL certificate errors and key deserialization issues may occur. - -The system might encounter issues loading the PEM file, resulting in errors like: - -```plaintext -JWKError: Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, or it may be encrypted with an unsupported algorithm. 
-``` - -To resolve the SSL certificate error: - -- Set the appropriate certificate bundle path in the Docker container using the following environment variables: - - `SSL_CERT_FILE=/path/to/ca-bundle.pem` - - `REQUESTS_CA_BUNDLE=/path/to/ca-bundle.pem` - -## Troubleshooting common Duo Chat errors - -### Error A1000 - -You might get an error that states -`I'm sorry, I couldn't respond in time. Please try again. Error code: A1000`. - -This error occurs when there is a timeout during processing. Try your request again. - -### Error A1001 - -You might get an error that states -`I'm sorry, I can't generate a response. Please try again. Error code: A1001`. - -This error means there was a problem connecting to the AI gateway. You might need to check the network settings and ensure that the AI gateway is accessible from the GitLab instance. - -Use the [self-hosted debugging script](#use-debugging-scripts) to verify if the AI gateway is accessible from the GitLab instance and is working as expected. - -If problem persists, report the issue to the GitLab support team. - -### Error A1002 - -You might get an error that states -`I'm sorry, I couldn't respond in time. Please try again. Error code: A1002`. - -This error occurs when no events are returned from AI gateway or GitLab failed to parse the events. Check the [AI Gateway logs](logging.md) for any errors. - -### Error A1003 - -You might get an error that states -`I'm sorry, I couldn't respond in time. Please try again. Error code: A1003`. - -This error typically occurs due to issues with streaming from the model to the AI gateway. To resolve this issue: - -1. 
In the AI gateway container, run the following command: - - ```shell - curl --request 'POST' \ - 'http://localhost:5052/v2/chat/agent' \ - --header 'accept: application/json' \ - --header 'Content-Type: application/json' \ - --header 'x-gitlab-enabled-feature-flags: expanded_ai_logging' \ - --data '{ - "messages": [ - { - "role": "user", - "content": "Hello", - "context": null, - "current_file": null, - "additional_context": [] - } - ], - "model_metadata": { - "provider": "custom_openai", - "name": "mistral", - "endpoint": "", - "api_key": "", - "identifier": "" - }, - "unavailable_resources": [], - "options": { - "agent_scratchpad": { - "agent_type": "react", - "steps": [] - } - } - }' - ``` - - If streaming is working, chunked responses should be displayed. If it is not, it will likely show an empty response. - -1. Check the [AI gateway logs](logging.md) for specific error messages, because this is usually a model deployment issue. - -1. To validate the connection, disable the streaming by setting the `AIGW_CUSTOM_MODELS__DISABLE_STREAMING` environment variable in your AI gateway container: - - ```shell - docker run .... -e AIGW_CUSTOM_MODELS__DISABLE_STREAMING=true ... - ``` - -### Error A9999 - -You might get an error that states -`I'm sorry, I can't generate a response. Please try again. Error code: A9999`. - -This error occurs when an unknown error occurs in ReAct agent. Try your request again. If the problem persists, report the issue to the GitLab support team. - -## Related topics - -- [GitLab Duo troubleshooting](../../user/gitlab_duo_chat/troubleshooting.md) + + + + diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md index 73294586bad..1ee9c45f828 100644 --- a/doc/api/graphql/reference/_index.md +++ b/doc/api/graphql/reference/_index.md 
@@ -3056,6 +3056,56 @@ Input type: `BranchRuleExternalStatusCheckUpdateInput` | `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | | `externalStatusCheck` | [`ExternalStatusCheck`](#externalstatuscheck) | Updated external status check after mutation. | +### `Mutation.branchRuleSquashOptionDelete` + +Delete a squash option for a branch rule. + +DETAILS: +**Introduced** in GitLab 17.9. +**Status**: Experiment. + +Input type: `BranchRuleSquashOptionDeleteInput` + +#### Arguments + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `branchRuleId` | [`ProjectsBranchRuleID!`](#projectsbranchruleid) | Global ID of the branch rule. | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | + +### `Mutation.branchRuleSquashOptionUpdate` + +Update a squash option for a branch rule. + +DETAILS: +**Introduced** in GitLab 17.9. +**Status**: Experiment. + +Input type: `BranchRuleSquashOptionUpdateInput` + +#### Arguments + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `branchRuleId` | [`ProjectsBranchRuleID!`](#projectsbranchruleid) | Global ID of the branch rule. | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `squashOption` | [`SquashOptionSetting!`](#squashoptionsetting) | Squash option after mutation. | + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. 
| +| `squashOption` | [`SquashOption`](#squashoption) | Updated squash option after mutation. | + ### `Mutation.branchRuleUpdate` DETAILS: @@ -10056,6 +10106,30 @@ Input type: `SetPreReceiveSecretDetectionInput` | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | | `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | | `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | + +### `Mutation.setSecretPushProtection` + +Enable/disable secret push protection for the given project. + +Input type: `SetSecretPushProtectionInput` + +#### Arguments + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `enable` | [`Boolean!`](#boolean) | Desired status for secret push protection feature. | +| `namespacePath` | [`ID!`](#id) | Full path of the namespace (project). | + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | +| `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | ### `Mutation.starProject` 
@@ -32736,6 +32810,7 @@ Project-level settings for product analytics provider. | `requirementStatesCount` | [`RequirementStatesCount`](#requirementstatescount) | Number of requirements for the project by their state. | | `sastCiConfiguration` | [`SastCiConfiguration`](#sastciconfiguration) | SAST CI configuration for the project. | | `savedReplies` | [`ProjectSavedReplyConnection`](#projectsavedreplyconnection) | Saved replies available to the project. (see [Connections](#connections)) | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Indicates whether Secret Push Protection is on or not for the project. | | `securityDashboardPath` | [`String`](#string) | Path to project's security dashboard. | | `securityPolicyProject` | [`Project`](#project) | Security policy project assigned to the project, absent if assigned to a parent group. | | `securityPolicyProjectLinkedNamespaces` **{warning-solid}** | [`NamespaceConnection`](#namespaceconnection) | **Deprecated** in GitLab 17.4. This was renamed. Use: `security_policy_project_linked_groups`. | @@ -42417,6 +42492,17 @@ Values for sorting the mapping of users on source instance to users on destinati | `STATUS_ASC` | Status of the mapping by ascending order. | | `STATUS_DESC` | Status of the mapping by descending order. | +### `SquashOptionSetting` + +Options for default squash behaviour for merge requests. + +| Value | Description | +| ----- | ----------- | +| `ALLOWED` | Allow. | +| `ALWAYS` | Require. | +| `ENCOURAGED` | Encourage. | +| `NEVER` | Do not allow. | + ### `SubscriptionHistoryChangeType` Types of change for a subscription history record. diff --git a/doc/development/custom_models/_index.md b/doc/development/custom_models/_index.md index 8b72798b415..2eed6943ed3 100644 --- a/doc/development/custom_models/_index.md +++ b/doc/development/custom_models/_index.md 
@@ -18,8 +18,8 @@ title: Setting up local development ## Configure self-hosted models -1. Follow the [instructions](../../administration/self_hosted_models/configure_duo_features.md#configure-the-self-hosted-model) to configure self-hosted models -1. Follow the [instructions](../../administration/self_hosted_models/configure_duo_features.md#configure-gitlab-duo-features-to-use-self-hosted-models) to configure features to use the models +1. Follow the [instructions](../../administration/gitlab_duo_self_hosted/configure_duo_features.md#configure-the-self-hosted-model) to configure self-hosted models +1. Follow the [instructions](../../administration/gitlab_duo_self_hosted/configure_duo_features.md#configure-gitlab-duo-features-to-use-self-hosted-models) to configure features to use the models AI-powered features are now powered by self-hosted models. diff --git a/doc/solutions/_index.md b/doc/solutions/_index.md index 2a2144ade62..71e6e66d78b 100644 --- a/doc/solutions/_index.md +++ b/doc/solutions/_index.md @@ -18,6 +18,8 @@ While information in this section gives valuable and qualified guidance on ways - [Cloud Solutions](cloud/_index.md) - [Coding Languages and Frameworks](languages/_index.md) - [Integrations](integrations/_index.md) +- [Solution Components](components/_index.md) + - [Security Metrics and KPIs Dashboard](components/securitykpi.md) ## Self-Hosted Model diff --git a/doc/solutions/cloud/aws/gitlab_aws_partner_designations.md b/doc/solutions/cloud/aws/gitlab_aws_partner_designations.md index 4b4244b92c1..9687929b6b2 100644 --- a/doc/solutions/cloud/aws/gitlab_aws_partner_designations.md +++ b/doc/solutions/cloud/aws/gitlab_aws_partner_designations.md 
@@ -34,4 +34,4 @@ GitLab Instances and Runner have been validated on Amazon Linux 2 and 2023 - thi GitLab is a marketplace seller and you can purchase and deploy it through AWS marketplace [AWS Program Information](https://aws.amazon.com/marketplace/partners/management-tour) -![AWS Partner Designations Logo](img/all-aws-partner-designations_v16_6.png){: .right} +![AWS Partner Designations Logo](img/all-aws-partner-designations_v16_6.png) diff --git a/doc/solutions/components/_index.md b/doc/solutions/components/_index.md new file mode 100644 index 00000000000..8836d43c172 --- /dev/null +++ b/doc/solutions/components/_index.md @@ -0,0 +1,12 @@ +--- +stage: Solutions Architecture +group: Solutions Architecture +info: This page is owned by the Solutions Architecture team. +title: Solution Components +--- + +This documentation section covers a variety of Solution Components. + +## Metrics and KPIs + +[Security Metrics and KPIs Dashboard](securitykpi.md) diff --git a/doc/solutions/components/securitykpi.md b/doc/solutions/components/securitykpi.md new file mode 100644 index 00000000000..9b7d8d6745e --- /dev/null +++ b/doc/solutions/components/securitykpi.md @@ -0,0 +1,18 @@ +--- +stage: Solutions Architecture +group: Solutions Architecture +info: This page is owned by the Solutions Architecture team. +title: Security Metrics and KPIs Dashboard +--- + +This component exports vulnerability data from GitLab projects or groups using the GraphQL API and sends it to Splunk through HTTP Event Collector (HEC), for the purpose of creating dashboards. It's designed to run as a GitLab CI/CD pipeline on a scheduled basis. + +## Download the Solution Components + +1. Download the solution component from the webstore by using your invitation code. +1. Obtain the invitation code from your account team. + +## Getting Started + +1. Create a new GitLab project to host this exporter. +1. Check the project `readme.md` file. 
diff --git a/doc/user/application_security/api_fuzzing/performance.md b/doc/user/application_security/api_fuzzing/performance.md index d625b99a710..bd60b45e471 100644 --- a/doc/user/application_security/api_fuzzing/performance.md +++ b/doc/user/application_security/api_fuzzing/performance.md @@ -106,8 +106,8 @@ apifuzzer_fuzz: FUZZAPI_EXCLUDE_PATHS: /api/large_response_json ``` +WARNING: Excluding operations from testing could allow some vulnerabilities to go undetected. -{: .alert .alert-warning} ### Splitting a test into multiple jobs diff --git a/doc/user/application_security/api_security_testing/performance.md b/doc/user/application_security/api_security_testing/performance.md index 6326075e064..bc3ed943c25 100644 --- a/doc/user/application_security/api_security_testing/performance.md +++ b/doc/user/application_security/api_security_testing/performance.md @@ -105,8 +105,8 @@ api_security: APISEC_EXCLUDE_PATHS: /api/large_response_json ``` +WARNING: Excluding operations from testing could allow some vulnerabilities to go undetected. -{: .alert .alert-warning} ### Splitting a test into multiple jobs diff --git a/doc/user/project/issues/design_management.md b/doc/user/project/issues/design_management.md index 404fee3818a..5ea6f3c7bf1 100644 --- a/doc/user/project/issues/design_management.md +++ b/doc/user/project/issues/design_management.md @@ -235,7 +235,7 @@ so that everyone involved can participate in the discussion. ## Delete a comment from a design > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/385100) in GitLab 15.9. -> Minimum role to delete comment from a design [changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169256) from Reporter to Planner in GitLab 17.7. +> - Minimum role to delete comment from a design [changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169256) from Reporter to Planner in GitLab 17.7. Prerequisites: 
diff --git a/doc/user/project/merge_requests/revert_changes.md b/doc/user/project/merge_requests/revert_changes.md index 9a036eef956..f14b3238532 100644 --- a/doc/user/project/merge_requests/revert_changes.md +++ b/doc/user/project/merge_requests/revert_changes.md @@ -106,7 +106,7 @@ the command line, see [Revert and undo changes with Git](../../../topics/git/und > - Enabled on GitLab.com in confidential issue `https://gitlab.com/gitlab-org/gitlab/-/issues/462999` in GitLab 17.2. > - Enabled on GitLab Self-Managed and GitLab Dedicated in confidential issue `https://gitlab.com/gitlab-org/gitlab/-/issues/462999` in GitLab 17.3. > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/472018) in GitLab 17.9. Feature flag `rewrite_history_ui` removed. -> + Permanently delete sensitive or confidential information that was accidentally committed, ensuring it's no longer accessible in your repository's history. Replaces a list of strings with `***REMOVED***`. diff --git a/lib/gitlab/security/features.rb b/lib/gitlab/security/features.rb index 32abe9acbc7..a623dcfba5c 100644 --- a/lib/gitlab/security/features.rb +++ b/lib/gitlab/security/features.rb @@ -87,14 +87,14 @@ module Gitlab 'user/application_security/container_scanning/index.md', anchor: 'container-scanning-for-registry'), type: 'container_scanning_for_registry' }, - pre_receive_secret_detection: { + secret_push_protection: { name: _('Secret push protection'), description: _('Block secrets such as keys and API tokens from being pushed to your repositories. ' \ 'Secret push protection is triggered when commits are pushed to a repository. ' \ 'If any secrets are detected, the push is blocked.'), help_path: Gitlab::Routing.url_helpers.help_page_path( 'user/application_security/secret_detection/secret_push_protection/index.md'), - type: 'pre_receive_secret_detection' + type: 'secret_push_protection' }, secret_detection: { name: _('Pipeline Secret Detection'), 
diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 3d6ea2ed257..575a67bfdd6 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -379,16 +379,6 @@ msgid_plural "%d lines removed" msgstr[0] "" msgstr[1] "" -msgid "%d matching branch" -msgid_plural "%d matching branches" -msgstr[0] "" -msgstr[1] "" - -msgid "%d matching environment" -msgid_plural "%d matching environments" -msgstr[0] "" -msgstr[1] "" - msgid "%d merge request" msgid_plural "%d merge requests" msgstr[0] "" @@ -1066,9 +1056,6 @@ msgstr "" msgid "%{label_name} was removed" msgstr "" -msgid "%{lastUsed} by" -msgstr "" - msgid "%{lessThan} 1 hour" msgstr "" @@ -1270,9 +1257,6 @@ msgid_plural "%{reviewer_names} were removed from reviewers." msgstr[0] "" msgstr[1] "" -msgid "%{rotationDate} (%{rotationPeriod})" -msgstr "" - msgid "%{rotation} has been recalculated with the remaining participants. Please review the new setup for %{rotation_link}. It is recommended that you reach out to the current on-call responder to ensure continuity of on-call coverage." msgstr "" @@ -48579,9 +48563,6 @@ msgstr "" msgid "Rollback" msgstr "" -msgid "Rotation reminder" -msgstr "" - msgid "Ruby" msgstr "" @@ -61862,6 +61843,9 @@ msgstr "" msgid "Use %{code_start}::%{code_end} to create a %{link_start}scoped label set%{link_end} (eg. %{code_start}priority::1%{code_end})" msgstr "" +msgid "Use %{code_start}authorized_keys%{code_end} file to authenticate SSH keys" +msgstr "" + msgid "Use .gitlab-ci.yml" msgstr "" @@ -61880,9 +61864,6 @@ msgstr "" msgid "Use an existing commit message" msgstr "" -msgid "Use authorized_keys file to authenticate SSH keys" -msgstr "" - msgid "Use banners and notifications to notify your users about scheduled maintenance, recent upgrades, and more." msgstr "" diff --git a/qa/gdk/Dockerfile.gdk b/qa/gdk/Dockerfile.gdk index eaf02bef542..d795a6a831d 100644 --- a/qa/gdk/Dockerfile.gdk +++ b/qa/gdk/Dockerfile.gdk 
@@ -1,4 +1,4 @@ -ARG GDK_SHA=6362a1f763959e15d2f9db1f5e6c6cb1aeeebda0 +ARG GDK_SHA=575bcba2b31dcd79391f841c3da9d3e2d3532209 # Use tag prefix when running on 'stable' branch to make sure 'protected' image is used which is not deleted by registry cleanup ARG GDK_BASE_TAG_PREFIX diff --git a/qa/qa/page/project/secure/configuration_form.rb b/qa/qa/page/project/secure/configuration_form.rb index 762b4566641..6fa0f921df5 100644 --- a/qa/qa/page/project/secure/configuration_form.rb +++ b/qa/qa/page/project/secure/configuration_form.rb @@ -59,11 +59,11 @@ module QA end def has_true_secret_detection_status? - has_element?('feature-status', feature: 'pre_receive_secret_detection_true_status') + has_element?('feature-status', feature: 'secret_push_protection_true_status') end def has_false_secret_detection_status? - has_element?('feature-status', feature: 'pre_receive_secret_detection_false_status') + has_element?('feature-status', feature: 'secret_push_protection_false_status') end def has_auto_devops_container? diff --git a/scripts/cells/application-settings-analysis.rb b/scripts/cells/application-settings-analysis.rb index f9e5623fe58..e22894df48a 100755 --- a/scripts/cells/application-settings-analysis.rb +++ b/scripts/cells/application-settings-analysis.rb @@ -193,7 +193,7 @@ class ApplicationSettingsAnalysis pipeline_limit_per_project_user_sha plantuml_enabled plantuml_url - pre_receive_secret_detection_enabled + secret_push_protection_available product_analytics_data_collector_host product_analytics_enabled productivity_analytics_start_date diff --git a/spec/frontend/diffs/components/tree_list_spec.js b/spec/frontend/diffs/components/tree_list_spec.js index 2309d34384f..700f2fd75bc 100644 --- a/spec/frontend/diffs/components/tree_list_spec.js +++ b/spec/frontend/diffs/components/tree_list_spec.js 
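Review bot: The renamed entry `secret_push_protection_available` stays where `pre_receive_secret_detection_enabled` stood, between `plantuml_url` and `product_analytics_data_collector_host`, which breaks the alphabetical order the visible neighbours follow. If this list is maintained by hand, move the line to its sorted place among the `s…` entries. The suffix also changes from `_enabled` to `_available`, while the project attribute in spec/requests/api/projects_spec.rb keeps `_enabled`. Presumably that mirrors an instance-level setting rename, but the hunk does not show it, so it is worth confirming against the settings schema. The list starts and ends outside the hunk.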
@@ -9,6 +9,9 @@ import { shallowMountExtended } from 'helpers/vue_test_utils_helper'; import { SET_LINKED_FILE_HASH, SET_TREE_DATA, SET_DIFF_FILES } from '~/diffs/store/mutation_types'; import { generateTreeList } from '~/diffs/utils/tree_worker_utils'; import { sortTree } from '~/ide/stores/utils'; +import { isElementClipped } from '~/lib/utils/common_utils'; + +jest.mock('~/lib/utils/common_utils'); describe('Diffs tree list component', () => { let wrapper; @@ -313,6 +316,8 @@ describe('Diffs tree list component', () => { }); it('auto scroll', async () => { + wrapper.element.insertAdjacentHTML('afterbegin', `
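Review bot: `jest.mock('~/lib/utils/common_utils')` automocks every export of the module, not only `isElementClipped`, so any other `common_utils` helper reached by the component or its children in this spec now returns `undefined`. A partial mock keeps the rest real: `jest.mock('~/lib/utils/common_utils', () => ({ ...jest.requireActual('~/lib/utils/common_utils'), isElementClipped: jest.fn() }));`. Whether other helpers are actually reached here cannot be seen from the hunk, but the narrower mock protects existing cases from silent behaviour changes.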
`); + isElementClipped.mockReturnValueOnce(true); wrapper.vm.$refs.scroller.scrollToItem = jest.fn(); store.state.diffs.currentDiffFileId = '05.txt'; await nextTick(); diff --git a/spec/frontend/search/results/utils_spec.js b/spec/frontend/search/results/utils_spec.js index 5f1543adf7a..b4b6b4cb8c3 100644 --- a/spec/frontend/search/results/utils_spec.js +++ b/spec/frontend/search/results/utils_spec.js @@ -36,7 +36,7 @@ describe('Global Search Results Utils', () => { highlight.mockClear(); const result = await initLineHighlight({ - line: { text: 'const test = true;', highlights: [[6, 9]] }, + line: { text: 'const test = true;', highlights: [[6, 8]] }, language: 'txt', fileUrl: 'test.txt', }); @@ -64,7 +64,7 @@ describe('Global Search Results Utils', () => { it('calls highlight with correct parameters', async () => { const result = await initLineHighlight({ - line: { text: 'const test = true;', highlights: [[6, 10]] }, + line: { text: 'const test = true;', highlights: [[6, 9]] }, language: 'javascript', fileUrl: 'test.js', }); @@ -98,8 +98,8 @@ describe('Global Search Results Utils', () => { it('adds highlight marks at correct positions', () => { const text = 'foobar test foobar test'; const highlights = [ - [7, 11], - [19, 23], + [7, 10], + [19, 22], ]; const result = cleanLineAndMark({ text, highlights }); @@ -111,11 +111,11 @@ describe('Global Search Results Utils', () => { }); it('adds single highlight mark at correct position', () => { - const text = 'const testValue = true;\n'; - const highlights = [[6, 15]]; + const text = ' return false unless licensed_and_indexing_enabled?\\n'; + const highlights = [[28, 57]]; const result = cleanLineAndMark({ text, highlights }); - const expected = `const ${HIGHLIGHT_MARK}testValue${HIGHLIGHT_MARK} = true;`; + const expected = ` return false unless ${HIGHLIGHT_MARK}licensed_and_indexing_enabled?${HIGHLIGHT_MARK}\\n`; expect([...result].map((c) => c.charCodeAt(0))).toEqual( [...expected].map((c) => c.charCodeAt(0)), 
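Review bot: The 'auto scroll' case only pins the clipped path via `isElementClipped.mockReturnValueOnce(true)`, so the branch where the row is already fully visible and no scroll should happen is left untested. A sibling case using `isElementClipped.mockReturnValueOnce(false);` and asserting `expect(wrapper.vm.$refs.scroller.scrollToItem).not.toHaveBeenCalled();` would cover it. The markup passed to `insertAdjacentHTML` is not readable on this page, so this assumes it inserts the element the component looks up. The test body continues outside the hunk.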
diff --git a/spec/frontend/security_configuration/components/app_spec.js b/spec/frontend/security_configuration/components/app_spec.js index 1df91e09c7b..7f8fef23127 100644 --- a/spec/frontend/security_configuration/components/app_spec.js +++ b/spec/frontend/security_configuration/components/app_spec.js @@ -11,9 +11,9 @@ import AutoDevopsAlert from '~/security_configuration/components/auto_dev_ops_al import AutoDevopsEnabledAlert from '~/security_configuration/components/auto_dev_ops_enabled_alert.vue'; import { AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY } from '~/security_configuration/constants'; import FeatureCard from '~/security_configuration/components/feature_card.vue'; -import PreReceiveSecretDetectionFeatureCard from '~/security_configuration/components/pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue'; import TrainingProviderList from '~/security_configuration/components/training_provider_list.vue'; -import { securityFeaturesMock, provideMock, preReceiveSecretDetectionMock } from '../mock_data'; +import { securityFeaturesMock, provideMock, secretPushProtectionMock } from '../mock_data'; const gitlabCiHistoryPath = 'test/historyPath'; const { vulnerabilityTrainingDocsPath, projectFullPath } = provideMock; 
@@ -58,8 +58,7 @@ describe('~/security_configuration/components/app', () => { const findGlTabs = () => wrapper.findComponent(GlTabs); const findByTestId = (id) => wrapper.findByTestId(id); const findFeatureCards = () => wrapper.findAllComponents(FeatureCard); - const findPreReceiveSecretDetection = () => - wrapper.findComponent(PreReceiveSecretDetectionFeatureCard); + const findSecretPushProtection = () => wrapper.findComponent(SecretPushProtectionFeatureCard); const findTrainingProviderList = () => wrapper.findComponent(TrainingProviderList); const findManageViaMRErrorAlert = () => wrapper.findByTestId('manage-via-mr-error-alert'); const findLink = ({ href, text, container = wrapper }) => { @@ -285,10 +284,10 @@ describe('~/security_configuration/components/app', () => { }); }); - describe('With pre receive secret detection', () => { + describe('With secret push protection', () => { beforeEach(() => { createComponent({ - augmentedSecurityFeatures: [preReceiveSecretDetectionMock], + augmentedSecurityFeatures: [secretPushProtectionMock], }); }); @@ -296,10 +295,8 @@ describe('~/security_configuration/components/app', () => { expect(findFeatureCards().length).toBe(0); }); it('renders component with correct props', () => { - expect(findPreReceiveSecretDetection().exists()).toBe(true); - expect(findPreReceiveSecretDetection().props('feature')).toEqual( - preReceiveSecretDetectionMock, - ); + expect(findSecretPushProtection().exists()).toBe(true); + expect(findSecretPushProtection().props('feature')).toEqual(secretPushProtectionMock); }); }); 
diff --git a/spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js similarity index 86% rename from spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js rename to spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js index f6311a977a8..3b0d30cc1aa 100644 --- a/spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js +++ b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js @@ -3,11 +3,11 @@ import { shallowMount } from '@vue/test-utils'; import VueApollo from 'vue-apollo'; import Vue from 'vue'; import { extendedWrapper } from 'helpers/vue_test_utils_helper'; -import PreReceiveSecretDetectionFeatureCard from '~/security_configuration/components/pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue'; import createMockApollo from 'helpers/mock_apollo_helper'; -import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; +import ProjectPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; import waitForPromises from 'helpers/wait_for_promises'; -import { preReceiveSecretDetectionMock } from '../mock_data'; +import { secretPushProtectionMock } from '../mock_data'; Vue.use(VueApollo); 
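Review bot: The mutation import is the one identifier in this spec still on the old terminology, and the rename dropped `Set` from it: `ProjectSetPreReceiveSecretDetection` became `ProjectPreReceiveSecretDetection`, so it now reads like a query rather than the mutation it loads from `set_pre_receive_secret_detection.graphql`. If the GraphQL file keeps its name in this commit, either leave the identifier as it was or name it after the new feature and keep the verb, for example `import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';`. The same identifier is used in the `createMockApollo` call in a later hunk of this file and would need the matching change.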
@@ -19,17 +19,17 @@ const setMockResponse = { }, }, }; -const feature = preReceiveSecretDetectionMock; +const feature = secretPushProtectionMock; const defaultProvide = { - preReceiveSecretDetectionAvailable: true, - preReceiveSecretDetectionEnabled: false, + secretPushProtectionAvailable: true, + secretPushProtectionEnabled: false, userIsProjectAdmin: true, projectFullPath: 'flightjs/flight', secretDetectionConfigurationPath: 'flightjs/Flight/-/security/configuration/secret_detection', }; -describe('PreReceiveSecretDetectionFeatureCard component', () => { +describe('SecretPushProtectionFeatureCard component', () => { let wrapper; let apolloProvider; let requestHandlers; @@ -39,7 +39,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { setMutationHandler: jest.fn().mockResolvedValue(setMockResponse), }; return createMockApollo([ - [ProjectSetPreReceiveSecretDetection, requestHandlers.setMutationHandler], + [ProjectPreReceiveSecretDetection, requestHandlers.setMutationHandler], ]); }; @@ -47,7 +47,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { apolloProvider = createMockApolloProvider(); wrapper = extendedWrapper( - shallowMount(PreReceiveSecretDetectionFeatureCard, { + shallowMount(SecretPushProtectionFeatureCard, { propsData: { feature, ...props, @@ -134,7 +134,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { beforeEach(() => { createComponent({ provide: { - preReceiveSecretDetectionAvailable: false, + secretPushProtectionAvailable: false, }, }); }); @@ -165,7 +165,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { createComponent({ props: { feature: { - ...preReceiveSecretDetectionMock, + ...secretPushProtectionMock, available: false, }, }, diff --git a/spec/frontend/security_configuration/mock_data.js b/spec/frontend/security_configuration/mock_data.js index 10435aecf7e..3a02aedee52 100644 --- a/spec/frontend/security_configuration/mock_data.js 
+++ b/spec/frontend/security_configuration/mock_data.js @@ -3,7 +3,7 @@ import { SAST_SHORT_NAME, SAST_IAC_NAME, SAST_IAC_SHORT_NAME, - PRE_RECEIVE_SECRET_DETECTION, + SECRET_PUSH_PROTECTION, } from '~/security_configuration/constants'; import { helpPagePath } from '~/helpers/help_page_helper'; @@ -149,7 +149,7 @@ export const securityFeaturesMock = [ }, ]; -export const preReceiveSecretDetectionMock = { +export const secretPushProtectionMock = { name: 'Secret push protection', description: `Block secrets such as keys and API tokens from being pushed to your repositories. 'Secret push protection is triggered when commits are pushed to a repository. ' \ @@ -158,7 +158,7 @@ export const preReceiveSecretDetectionMock = { configurationHelpPath: helpPagePath( 'user/application_security/secret_detection/secret_push_protection/index', ), - type: PRE_RECEIVE_SECRET_DETECTION, + type: SECRET_PUSH_PROTECTION, available: true, }; diff --git a/spec/initializers/gitlab_http_spec.rb b/spec/initializers/gitlab_http_spec.rb index 91d9b445719..5627e064e29 100644 --- a/spec/initializers/gitlab_http_spec.rb +++ b/spec/initializers/gitlab_http_spec.rb @@ -19,7 +19,7 @@ RSpec.describe Gitlab::HTTP_V2, feature_category: :shared do describe 'log_with_level_proc' do it 'calls AppJsonLogger with the correct log level and parameters' do - expect(::Gitlab::AppJsonLogger).to receive(:debug).with({ message: 'Test' }) + expect(::Gitlab::AppJsonLogger).to receive(:debug).with({ message: 'Test', "correlation_id" => anything }) described_class.configuration.log_with_level(:debug, message: 'Test') end diff --git a/spec/lib/gitlab/security/scan_configuration_spec.rb b/spec/lib/gitlab/security/scan_configuration_spec.rb index 159096df4bc..a844ae7899e 100644 --- a/spec/lib/gitlab/security/scan_configuration_spec.rb +++ b/spec/lib/gitlab/security/scan_configuration_spec.rb 
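Review bot: The new expectation uses `"correlation_id" => anything`, and `anything` also matches `nil`, so the spec passes when the key is present but carries no usable ID. Correlation IDs are what tie these outbound-HTTP log lines back to a request during an investigation, so a tighter matcher is worthwhile: `"correlation_id" => an_instance_of(String)`. If the logger can legitimately emit `nil` outside a request context, keep `anything` and add a comment saying so. The hash also mixes a symbol key (`message:`) with a string key; that presumably mirrors the implementation, which is outside this hunk.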
@@ -137,13 +137,13 @@ RSpec.describe ::Gitlab::Security::ScanConfiguration do help_path: "/help/user/application_security/container_scanning/index.md", configuration_help_path: "/help/user/application_security/container_scanning/index.md#configuration", type: "container_scanning" } - :pre_receive_secret_detection | { name: _("Secret push protection"), + :secret_push_protection | { name: _("Secret push protection"), description: "Block secrets such as keys and API tokens from being pushed to your repositories. " \ "Secret push protection is triggered when commits are pushed to a repository. " \ "If any secrets are detected, the push is blocked.", help_path: Gitlab::Routing.url_helpers.help_page_path( "user/application_security/secret_detection/secret_push_protection/index.md"), - type: "pre_receive_secret_detection" } + type: "secret_push_protection" } :secret_detection | { name: "Pipeline Secret Detection", description: "Analyze your source code and Git history for secrets by using CI/CD pipelines.", help_path: "/help/user/application_security/secret_detection/pipeline/index.md", diff --git a/spec/presenters/projects/security/configuration_presenter_spec.rb b/spec/presenters/projects/security/configuration_presenter_spec.rb index 5767c9e5a4c..c527ea6b696 100644 --- a/spec/presenters/projects/security/configuration_presenter_spec.rb +++ b/spec/presenters/projects/security/configuration_presenter_spec.rb @@ -12,7 +12,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter, feature_category: :so before do stub_licensed_features(licensed_scan_types.index_with { true }) - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end describe '#to_html_data_attribute' do 
@@ -305,14 +305,14 @@ RSpec.describe Projects::Security::ConfigurationPresenter, feature_category: :so end end - describe 'pre_receive_secret_detection' do + describe 'secret_push_protection' do let_it_be(:project) { create(:project, :repository) } let(:features) { Gitlab::Json.parse(html_data[:features]) } - it 'feature includes pre_receive_secret_detection' do + it 'feature includes secret_push_protection' do skip unless Gitlab.ee? - feature = features.find { |scan| scan["type"] == 'pre_receive_secret_detection' } + feature = features.find { |scan| scan["type"] == 'secret_push_protection' } expect(feature).not_to be_nil end end diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index c8ccfa20b69..da0d520a53f 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -2671,7 +2671,7 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and security_and_compliance_enabled issues_template merge_requests_template - pre_receive_secret_detection_enabled + secret_push_protection_enabled ] end