mirror of synced 2025-12-25 02:17:36 -05:00

ran script/content-migrations/remove-map-topics.js && script/content-migrations/update-tocs.js

Sarah Schneider
2021-05-19 10:12:38 -04:00
parent 253c356fb0
commit f7e848e0c4
14528 changed files with 410545 additions and 411354 deletions

@@ -0,0 +1,34 @@
---
title: About enterprise configuration
intro: 'You can use the site admin dashboard{% if enterpriseServerVersions contains currentVersion %}, {% data variables.enterprise.management_console %}, and administrative shell (SSH) {% elsif currentVersion == "github-ae@latest" %} and enterprise settings or contact support{% endif %} to manage your enterprise.'
versions:
enterprise-server: '*'
github-ae: '*'
type: overview
topics:
- Enterprise
- Fundamentals
- SSH
redirect_from:
- /admin/configuration/about-enterprise-configuration
---
{% if enterpriseServerVersions contains currentVersion %}
{% data reusables.enterprise_site_admin_settings.about-the-site-admin-dashboard %} For more information, see "[Site admin dashboard](/admin/configuration/site-admin-dashboard)."
{% data reusables.enterprise_site_admin_settings.about-the-management-console %} For more information, see "[Accessing the management console](/admin/configuration/accessing-the-management-console)."
{% data reusables.enterprise_site_admin_settings.about-ssh-access %} For more information, see "[Accessing the administrative shell (SSH)](/admin/configuration/accessing-the-administrative-shell-ssh)."
{% endif %}
{% if currentVersion == "github-ae@latest" %}
The first time you access your enterprise, you will complete an initial configuration to get {% data variables.product.product_name %} ready to use. The initial configuration includes connecting your enterprise with an identity provider (IdP), authenticating with SAML SSO, configuring policies for repositories and organizations in your enterprise, and configuring SMTP for outbound email. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/initializing-github-ae)."
Later, you can use the site admin dashboard and enterprise settings to further configure your enterprise, manage users, organizations and repositories, and set policies that reduce risk and increase quality.
All enterprises are configured with subdomain isolation and support for TLS 1.2 and higher for encrypted traffic only.
{% endif %}
### Further reading
- "[Managing users, organizations, and repositories](/admin/user-management)"
- "[Setting policies for your enterprise](/admin/policies)"
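Review bot: The sentence "All enterprises are configured with subdomain isolation and support for TLS 1.2 and higher for encrypted traffic only" in the `github-ae@latest` block is ambiguous, since "for encrypted traffic only" can be read as "only encrypted traffic is accepted" or as "TLS 1.2+ applies only where traffic is encrypted". Suggest splitting it into two statements, one for subdomain isolation and one saying connections are accepted only over TLS 1.2 or higher, if that is the intended meaning. Minor: the `intro` has a space before `{% elsif`, so the enterprise-server rendering ends up with a double space before "to manage".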

@@ -0,0 +1,78 @@
---
title: Accessing the administrative shell (SSH)
redirect_from:
- /enterprise/admin/articles/ssh-access/
- /enterprise/admin/articles/adding-an-ssh-key-for-shell-access/
- /enterprise/admin/guides/installation/administrative-shell-ssh-access/
- /enterprise/admin/articles/troubleshooting-ssh-permission-denied-publickey/
- /enterprise/admin/2.13/articles/troubleshooting-ssh-permission-denied-publickey/
- /enterprise/admin/2.14/articles/troubleshooting-ssh-permission-denied-publickey/
- /enterprise/admin/2.15/articles/troubleshooting-ssh-permission-denied-publickey/
- /enterprise/admin/installation/accessing-the-administrative-shell-ssh
- /enterprise/admin/configuration/accessing-the-administrative-shell-ssh
- /admin/configuration/accessing-the-administrative-shell-ssh
intro: '{% data reusables.enterprise_site_admin_settings.about-ssh-access %}'
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
- SSH
---
### About administrative shell access
If you have SSH access to the administrative shell, you can run {% data variables.product.prodname_ghe_server %}'s command line utilities. SSH access is also useful for troubleshooting, running backups, and configuring replication. Administrative SSH access is managed separately from Git SSH access and is accessible only via port 122.
### Enabling access to the administrative shell via SSH
To enable administrative SSH access, you must add your SSH public key to your instance's list of authorized keys.
{% tip %}
**Tip:** Changes to authorized SSH keys take effect immediately.
{% endtip %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
3. Under "SSH access", paste your key into the text box, then click **Add key**.
![Text box and button for adding an SSH key](/assets/images/enterprise/settings/add-authorized-ssh-key-admin-shell.png)
{% data reusables.enterprise_management_console.save-settings %}
### Connecting to the administrative shell over SSH
After you've added your SSH key to the list, connect to the instance over SSH as the `admin` user on port 122.
```shell
$ ssh -p 122 admin@github.example.com
Last login: Sun Nov 9 07:53:29 2014 from 169.254.1.1
admin@github-example-com:~$ █
```
#### Troubleshooting SSH connection problems
If you encounter the `Permission denied (publickey)` error when you try to connect to {% data variables.product.product_location %} via SSH, confirm that you are connecting over port 122. You may need to explicitly specify which private SSH key to use.
To specify a private SSH key using the command line, run `ssh` with the `-i` argument.
```shell
ssh -i /path/to/ghe_private_key -p 122 admin@<em>hostname</em>
```
You can also specify a private SSH key using the SSH configuration file (`~/.ssh/config`).
```shell
Host <em>hostname</em>
IdentityFile /path/to/ghe_private_key
User admin
Port 122
```
### Accessing the administrative shell using the local console
In an emergency situation, for example if SSH is unavailable, you can access the administrative shell locally. Sign in as the `admin` user and use the password established during initial setup of {% data variables.product.prodname_ghe_server %}.
### Access limitations for the administrative shell
Administrative shell access is permitted for troubleshooting and performing documented operations procedures only. Modifying system and application files, running programs, or installing unsupported software packages may void your support contract. Please contact {% data variables.contact.contact_ent_support %} if you have a question about the activities allowed by your support contract.
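Review bot: The `~/.ssh/config` example under "Troubleshooting SSH connection problems" sets `IdentityFile` but not `IdentitiesOnly yes`, so a client with several keys loaded in an agent can still offer the agent's keys and use up the server's authentication attempts, which leaves the reader with the same `Permission denied (publickey)` error this section is meant to resolve. Suggest adding `IdentitiesOnly yes` to the `Host` block, and mentioning `-o IdentitiesOnly=yes` next to the `-i` form. Style: that block is ssh_config, not shell, so the `shell` fence tag is misleading; and the "Connecting" section never tells the admin to check the host key fingerprint on first connection to port 122, which would be worth a sentence given this account has full administrative access.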

@@ -0,0 +1,54 @@
---
title: Accessing the management console
intro: '{% data reusables.enterprise_site_admin_settings.about-the-management-console %}'
redirect_from:
- /enterprise/admin/articles/about-the-management-console/
- /enterprise/admin/articles/management-console-for-emergency-recovery/
- /enterprise/admin/articles/web-based-management-console/
- /enterprise/admin/categories/management-console/
- /enterprise/admin/articles/accessing-the-management-console/
- /enterprise/admin/guides/installation/web-based-management-console/
- /enterprise/admin/installation/accessing-the-management-console
- /enterprise/admin/configuration/accessing-the-management-console
- /admin/configuration/accessing-the-management-console
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
---
### About the {% data variables.enterprise.management_console %}
Use the {% data variables.enterprise.management_console %} for basic administrative activities:
- **Initial setup**: Walk through the initial setup process when first launching {% data variables.product.product_location %} by visiting {% data variables.product.product_location %}'s IP address in your browser.
- **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
- **Scheduling maintenance windows**: Take {% data variables.product.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
- **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
- **License management**: View or update your {% data variables.product.prodname_enterprise %} license.
You can always reach the {% data variables.enterprise.management_console %} using {% data variables.product.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
To access the {% data variables.enterprise.management_console %}, you must use the administrator password established during initial setup of {% data variables.product.product_location %}. You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations.
### Accessing the {% data variables.enterprise.management_console %} as a site administrator
The first time that you access the {% data variables.enterprise.management_console %} as a site administrator, you must upload your {% data variables.product.prodname_enterprise %} license file to authenticate into the app. For more information, see "[Managing your {% data variables.product.prodname_enterprise %} license](/enterprise/{{ currentVersion }}/admin/guides/installation/managing-your-github-enterprise-license)."
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.type-management-console-password %}
### Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user
1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
```shell
http(s)://HOSTNAME/setup
```
{% data reusables.enterprise_management_console.type-management-console-password %}
### Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
The {% data variables.enterprise.management_console %} locks after ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.
To immediately unlock the {% data variables.enterprise.management_console %}, use the `ghe-reactivate-admin-login` command via the administrative shell. For more information, see "[Command line utilities](/enterprise/{{ currentVersion }}/admin/guides/installation/command-line-utilities#ghe-reactivate-admin-login)" and "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/)."
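Review bot: Step 1 of "Accessing the ... as an unauthenticated user" gives the URL as `http(s)://HOSTNAME/setup` directly before the step that enters the administrator password, so as written the procedure allows that password to be typed over plain HTTP. Suggest showing `https://` only, or stating explicitly when HTTP is expected (for example before TLS is configured). In the same step the prose says to replace `hostname` while the snippet uses `HOSTNAME`; make the placeholder match. The URL also omits the port even though the "About" section says port 8443 must be reachable, and the links at the end of the file still use the `/enterprise/{{ currentVersion }}/admin/guides/installation/...` form that this file's own `redirect_from` lists as a legacy path.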

@@ -0,0 +1,830 @@
---
title: Command-line utilities
intro: '{% data variables.product.prodname_ghe_server %} includes a variety of utilities to help resolve particular problems or perform specific tasks.'
redirect_from:
- /enterprise/admin/articles/viewing-all-services/
- /enterprise/admin/articles/command-line-utilities/
- /enterprise/admin/installation/command-line-utilities
- /enterprise/admin/configuration/command-line-utilities
- /admin/configuration/command-line-utilities
miniTocMaxHeadingLevel: 4
versions:
enterprise-server: '*'
type: reference
topics:
- Enterprise
- SSH
---
You can execute these commands from anywhere on the VM after signing in as an SSH admin user. For more information, see "[Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/)."
### General
#### ghe-announce
This utility sets a banner at the top of every {% data variables.product.prodname_enterprise %} page. You can use it to broadcast a message to your users.
{% if currentVersion ver_gt "enterprise-server@2.21" %}
You can also set an announcement banner using the enterprise settings on {% data variables.product.product_name %}. For more information, see "[Customizing user messages on your instance](/enterprise/admin/user-management/customizing-user-messages-on-your-instance#creating-a-global-announcement-banner)."
{% endif %}
```shell
# Sets a message that's visible to everyone
$ ghe-announce -s MESSAGE
> Announcement message set.
# Removes a previously set message
$ ghe-announce -u
> Removed the announcement message
```
#### ghe-check-disk-usage
This utility checks the disk for large files or files that have been deleted but still have open file handles. This should be run when you're trying to free up space on the root partition.
```shell
ghe-check-disk-usage
```
#### ghe-cleanup-caches
This utility cleans up a variety of caches that might potentially take up extra disk space on the root volume. If you find your root volume disk space usage increasing notably over time it would be a good idea to run this utility to see if it helps reduce overall usage.
```shell
ghe-cleanup-caches
```
#### ghe-cleanup-settings
This utility wipes all existing {% data variables.enterprise.management_console %} settings.
{% tip %}
**Tip**: {% data reusables.enterprise_enterprise_support.support_will_ask_you_to_run_command %}
{% endtip %}
```shell
ghe-cleanup-settings
```
#### ghe-config
With this utility, you can both retrieve and modify the configuration settings of {% data variables.product.product_location %}.
```shell
$ ghe-config <em>core.github-hostname</em>
# Gets the configuration value of `core.github-hostname`
$ ghe-config <em>core.github-hostname</em> <em>'example.com'</em>
# Sets the configuration value of `core.github-hostname` to `example.com`
$ ghe-config -l
# Lists all the configuration values
```
Allows you to find the universally unique identifier (UUID) of your node in `cluster.conf`.
```shell
$ ghe-config <em>HOSTNAME</em>.uuid
```
{% if currentVersion ver_gt "enterprise-server@2.21" %}
Allows you to exempt a list of users from API rate limits. For more information, see "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)."
``` shell
$ ghe-config app.github.rate-limiting-exempt-users "<em>hubot</em> <em>github-actions</em>"
# Exempts the users hubot and github-actions from rate limits
```
{% endif %}
#### ghe-config-apply
This utility applies {% data variables.enterprise.management_console %} settings, reloads system services, prepares a storage device, reloads application services, and runs any pending database migrations. It is equivalent to clicking **Save settings** in the {% data variables.enterprise.management_console %}'s web UI or to sending a POST request to [the `/setup/api/configure` endpoint](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#management-console).
You will probably never need to run this manually, but it's available if you want to automate the process of saving your settings via SSH.
```shell
ghe-config-apply
```
#### ghe-console
This utility opens the GitHub Rails console on your {% data variables.product.prodname_enterprise %} appliance. {% data reusables.command_line.use_with_support_only %}
```shell
ghe-console
```
#### ghe-dbconsole
This utility opens a MySQL database session on your {% data variables.product.prodname_enterprise %} appliance. {% data reusables.command_line.use_with_support_only %}
```shell
ghe-dbconsole
```
#### ghe-es-index-status
This utility returns a summary of Elasticsearch indexes in CSV format.
Print an index summary with a header row to `STDOUT`:
```shell
$ ghe-es-index-status -do
> warning: parser/current is loading parser/ruby23, which recognizes
> warning: 2.3.3-compliant syntax, but you are running 2.3.4.
> warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
> Name,Primary,Searchable,Writable,UpToDate,RepairProgress,Version
> code-search-1,true,true,true,true,100.0,72e27df7c631b45e026b42bfef059328fa040e17
> commits-5,true,true,true,true,100.0,7ed28813100c47813ef654c0ee2bb9abf21ab744
> gists-4,true,true,true,true,100.0,cf8e7d04fcf2564c902e2873c424a279cc41079d
> issues-4,false,false,false,true,100.0,d0bb08f71eebf6e7b070572aa399b185dbdc8a76
> issues-5,true,true,true,true,100.0,d0bb08f71eebf6e7b070572aa399b185dbdc8a76
> projects-2,true,true,true,true,100.0,c5cac1c4b3c66d42e609d088d174dbc3dd44469a
> pull-requests-6,true,true,true,true,100.0,6a466ad6b896a3499509990979bf9a18d7d41de3
> repos-6,true,true,true,true,100.0,6c8b5fbba0fc1e409558db411d05e092c1387082
> users-5,true,true,true,true,100.0,38984875552bb826c9ec42999f409cb2e95556eb
> wikis-4,true,true,true,true,100.0,2613dec44bd14e14577803ac1f9e4b7e07a7c234
```
Print an index summary and pipe results to `column` for readability:
```shell
$ ghe-es-index-status -do | column -ts,
> warning: parser/current is loading parser/ruby23, which recognizes
> warning: 2.3.3-compliant syntax, but you are running 2.3.4.
> warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
> Name Primary Searchable Writable UpToDate RepairProgress Version
> code-search-1 true true true true 100.0 72e27df7c631b45e026b42bfef059328fa040e17
> commits-5 true true true true 100.0 7ed28813100c47813ef654c0ee2bb9abf21ab744
> gists-4 true true true true 100.0 cf8e7d04fcf2564c902e2873c424a279cc41079d
> issues-4 false false false true 100.0 d0bb08f71eebf6e7b070572aa399b185dbdc8a76
> issues-5 true true true true 100.0 d0bb08f71eebf6e7b070572aa399b185dbdc8a76
> projects-2 true true true true 100.0 c5cac1c4b3c66d42e609d088d174dbc3dd44469a
> pull-requests-6 true true true true 100.0 6a466ad6b896a3499509990979bf9a18d7d41de3
> repos-6 true true true true 100.0 6c8b5fbba0fc1e409558db411d05e092c1387082
> users-5 true true true true 100.0 38984875552bb826c9ec42999f409cb2e95556eb
> wikis-4 true true true true 100.0 2613dec44bd14e14577803ac1f9e4b7e07a7c234
```
#### ghe-legacy-github-services-report
This utility lists repositories on your appliance that use {% data variables.product.prodname_dotcom %} Services, an integration method that will be discontinued on October 1, 2018. Users on your appliance may have set up {% data variables.product.prodname_dotcom %} Services to create notifications for pushes to certain repositories. For more information, see "[Announcing the deprecation of {% data variables.product.prodname_dotcom %} Services](https://developer.github.com/changes/2018-04-25-github-services-deprecation/)" on {% data variables.product.prodname_blog %} or "[Replacing {% data variables.product.prodname_dotcom %} Services](/developers/overview/replacing-github-services)." For more information about this command or for additional options, use the `-h` flag.
```shell
ghe-legacy-github-services-report
```
#### ghe-logs-tail
This utility lets you tail log all relevant log files from your installation. You can pass options in to limit the logs to specific sets. Use the -h flag for additional options.
```shell
ghe-logs-tail
```
#### ghe-maintenance
This utility allows you to control the state of the installation's maintenance mode. It's designed to be used primarily by the {% data variables.enterprise.management_console %} behind-the-scenes, but it can be used directly.
```shell
ghe-maintenance -h
```
#### ghe-motd
This utility re-displays the message of the day (MOTD) that administrators see when accessing the instance via the administrative shell. The output contains an overview of the instance's state.
```shell
ghe-motd
```
#### ghe-nwo
This utility returns a repository's name and owner based on the repository ID.
```shell
ghe-nwo <em>REPOSITORY_ID</em>
```
#### ghe-org-admin-promote
Use this command to give organization owner privileges to users with site admin privileges on the appliance, or to give organization owner privileges to any single user in a single organization. You must specify a user and/or an organization. The `ghe-org-admin-promote` command will always ask for confirmation before running unless you use the `-y` flag to bypass the confirmation.
You can use these options with the utility:
- The `-u` flag specifies a username. Use this flag to give organization owner privileges to a specific user. Omit the `-u` flag to promote all site admins to the specified organization.
- The `-o` flag specifies an organization. Use this flag to give owner privileges in a specific organization. Omit the `-o` flag to give owner permissions in all organizations to the specified site admin.
- The `-a` flag gives owner privileges in all organizations to all site admins.
- The `-y` flag bypasses the manual confirmation.
This utility cannot promote a non-site admin to be an owner of all organizations. You can promote an ordinary user account to a site admin with [ghe-user-promote](#ghe-user-promote).
Give organization owner privileges in a specific organization to a specific site admin
```shell
ghe-org-admin-promote -u <em>USERNAME</em> -o <em>ORGANIZATION</em>
```
Give organization owner privileges in all organizations to a specific site admin
```shell
ghe-org-admin-promote -u <em>USERNAME</em>
```
Give organization owner privileges in a specific organization to all site admins
```shell
ghe-org-admin-promote -o <em>ORGANIZATION</em>
```
Give organization owner privileges in all organizations to all site admins
```shell
ghe-org-admin-promote -a
```
#### ghe-reactivate-admin-login
Use this command to immediately unlock the {% data variables.enterprise.management_console %} after 10 failed login attempts in the span of 10 minutes.
```shell
$ ghe-reactivate-admin-login
```
#### ghe-resque-info
This utility displays information on background jobs, both active and in the queue. It provides the same job count numbers as the admin stats bar at the top of every page.
This utility can help identify whether the Resque server is having problems processing background jobs. Any of the following scenarios might be indicative of a problem with Resque:
* The number of background jobs is increasing, while the active jobs remain the same.
* The event feeds are not updating.
* Webhooks are not being triggered.
* The web interface is not updating after a Git push.
If you suspect Resque is failing, contact {% data variables.contact.contact_ent_support %} for help.
With this command, you can also pause or resume jobs in the queue.
```shell
$ ghe-resque-info
# lists queues and the number of currently queued jobs
$ ghe-resque-info -p <em>QUEUE</em>
# pauses the specified queue
$ ghe-resque-info -r <em>QUEUE</em>
# resumes the specified queue
```
#### ghe-saml-mapping-csv
This utility can help map SAML records.
To create a CSV file containing all the SAML mapping for your {% data variables.product.product_name %} users:
```shell
$ ghe-saml-mapping-csv -d
```
To perform a dry run of updating SAML mappings with new values:
```shell
$ ghe-saml-mapping-csv -u -n -f /path/to/file
```
To update SAML mappings with new values:
```shell
$ ghe-saml-mapping-csv -u -f /path/to/file
```
#### ghe-service-list
This utility lists all of the services that have been started or stopped (are running or waiting) on your appliance.
```shell
$ ghe-service-list
start/running
- github-resqued, process 12711
- github-unicorn, process 12726
- github-gitauth, process 12743
- git-daemon, process 12755
- babeld, process 12771
- github-svn-proxy, process 12802
- gist-unicorn, process 12832
- gist-resqued, process 12881
- render-unicorn, process 12939
- hookshot-unicorn, process 13076
- nodeload2, process 13192
- slumlord-unicorn, process 13304
- ghe-storage, process 2012
- enterprise-manage-unicorn, process 2024
- enterprise-manage-resque, process 2053
stop/waiting
- ghe-replica-mode
```
{% tip %}
The service names returned from this command can be used with [`systemctl`](https://www.freedesktop.org/software/systemd/man/systemctl.html) commands to stop, start, or restart these services manually, if needed. For example:
```shell
$ sudo systemctl restart github-resqued
```
Stopping services will cause downtime on your installation, so we recommend you contact {% data variables.contact.contact_ent_support %} before stopping or restarting any service.
{% endtip %}
#### ghe-set-password
With `ghe-set-password`, you can set a new password to authenticate into the [{% data variables.enterprise.management_console %}](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console).
```shell
ghe-set-password <new_password>
```
#### ghe-ssh-check-host-keys
This utility checks the existing SSH host keys against the list of known leaked SSH host keys.
```shell
$ ghe-ssh-check-host-keys
```
If a leaked host key is found the utility exits with status `1` and a message:
```shell
> One or more of your SSH host keys were found in the blacklist.
> Please reset your host keys using ghe-ssh-roll-host-keys.
```
If a leaked host key was not found, the utility exits with status `0` and a message:
```shell
> The SSH host keys were not found in the SSH host key blacklist.
> No additional steps are needed/recommended at this time.
```
#### ghe-ssh-roll-host-keys
This utility rolls the SSH host keys and replaces them with newly generated keys.
```shell
$ sudo ghe-ssh-roll-host-keys
Proceed with rolling SSH host keys? This will delete the
existing keys in /etc/ssh/ssh_host_* and generate new ones. [y/N]
# Press 'Y' to confirm deleting, or use the -y switch to bypass this prompt
> SSH host keys have successfully been rolled.
```
#### ghe-ssh-weak-fingerprints
This utility returns a report of known weak SSH keys stored on the {% data variables.product.prodname_enterprise %} appliance. You can optionally revoke user keys as a bulk action. The utility will report weak system keys, which you must manually revoke in the [{% data variables.enterprise.management_console %}](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-management-console).
```shell
# Print a report of weak user and system SSH keys
$ ghe-ssh-weak-fingerprints
# Revoke all weak user keys
$ ghe-ssh-weak-fingerprints --revoke
```
#### ghe-ssl-acme
This utility allows you to install a Let's Encrypt certificate on your {% data variables.product.prodname_enterprise %} appliance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls)."
You can use the `-x` flag to remove the ACME configuration.
```shell
ghe-ssl-acme -e
```
#### ghe-ssl-ca-certificate-install
This utility allows you to install a custom root CA certificate on your {% data variables.product.prodname_enterprise %} server. The certificate must be in PEM format. Furthermore, if your certificate provider includes multiple CA certificates in a single file, you must separate them into individual files that you then pass to `ghe-ssl-ca-certificate-install` one at a time.
Run this utility to add a certificate chain for S/MIME commit signature verification. For more information, see "[About commit signature verification](/enterprise/{{ currentVersion }}/user/articles/about-commit-signature-verification/)."
Run this utility when {% data variables.product.product_location %} is unable to connect to another server because the latter is using a self-signed SSL certificate or an SSL certificate for which it doesn't provide the necessary CA bundle. One way to confirm this is to run `openssl s_client -connect host:port -verify 0 -CApath /etc/ssl/certs` from {% data variables.product.product_location %}. If the remote server's SSL certificate can be verified, your `SSL-Session` should have a return code of 0, as shown below.
```
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: C794EBCC3CBC10F747C9AFC029C03C1048FC99CFC34D13D7444E0F267C58DF4C
Session-ID-ctx:
Master-Key: 02A7C47CFD6EEC87D3C710E9DD87390E04EF82DDD7514AE03127D5DC1945FC0CAEFB5395791AEA598667EFA61B9EA8C5
Key-Arg : None
Start Time: 1394581597
Timeout : 300 (sec)
Verify return code: 0 (ok)
```
If, on the other hand, the remote server's SSL certificate can *not* be verified, your `SSL-Session` should have a nonzero return code:
```
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 82CB288051A6DB66094C50A69CF1292AEE7E54C6B01B659B98AB336F8C33863E
Session-ID-ctx:
Master-Key: 01B025B2F764043A27919A8D1355AAECD8844FF0831B1D664042334790574A6F4025BAB085D4ED71D71AAB3091B849E5
Key-Arg : None
Start Time: 1394581782
Timeout : 300 (sec)
Verify return code: 27 (certificate not trusted)
```
You can use these additional options with the utility:
- The `-r` flag allows you to uninstall a CA certificate.
- The `-h` flag displays more usage information.
```shell
ghe-ssl-ca-certificate-install -c <em>/path/to/certificate</em>
```
#### ghe-ssl-generate-csr
This utility allows you to generate a private key and certificate signing request (CSR), which you can share with a commercial or private certificate authority to get a valid certificate to use with your instance. For more information, see "[Configuring TLS](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-tls)."
For more information about this command or for additional options, use the `-h` flag.
```shell
ghe-ssl-generate-csr
```
#### ghe-storage-extend
Some platforms require this script to expand the user volume. For more information, see "[Increasing Storage Capacity](/enterprise/admin/guides/installation/increasing-storage-capacity/)".
```shell
$ ghe-storage-extend
```
#### ghe-version
This utility prints the version, platform, and build of {% data variables.product.product_location %}.
```shell
$ ghe-version
```
#### ghe-webhook-logs
This utility returns webhook delivery logs for administrators to review and identify any issues.
```shell
ghe-webhook-logs
```
To show all failed hook deliveries in the past day:
{% if currentVersion ver_gt "enterprise-server@2.22" %}
```shell
ghe-webhook-logs -f -a <em>YYYY-MM-DD</em>
```
The date format should be `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, or `YYYY-MM-DD HH:MM:SS (+/-) HH:M`.
{% else %}
```shell
ghe-webhook-logs -f -a <em>YYYYMMDD</em>
```
{% endif %}
To show the full hook payload, result, and any exceptions for the delivery:
{% if currentVersion ver_gt "enterprise-server@2.22" %}
```shell
ghe-webhook-logs -g <em>delivery-guid</em>
```
{% else %}
```shell
ghe-webhook-logs -g <em>delivery-guid</em> -v
```
{% endif %}
### Clustering
#### ghe-cluster-status
Check the health of your nodes and services in a cluster deployment of {% data variables.product.prodname_ghe_server %}.
```shell
$ ghe-cluster-status
```
#### ghe-cluster-support-bundle
This utility creates a support bundle tarball containing important logs from each of the nodes in either a Geo-replication or Clustering configuration.
By default, the command creates the tarball in */tmp*, but you can also have it `cat` the tarball to `STDOUT` for easy streaming over SSH. This is helpful in the case where the web UI is unresponsive or downloading a support bundle from */setup/support* doesn't work. You must use this command if you want to generate an *extended* bundle, containing older logs. You can also use this command to upload the cluster support bundle directly to {% data variables.product.prodname_enterprise %} support.
To create a standard bundle:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -o' > cluster-support-bundle.tgz
```
To create an extended bundle:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -x -o' > cluster-support-bundle.tgz
```
To send a bundle to {% data variables.contact.github_support %}:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -u'
```
To send a bundle to {% data variables.contact.github_support %} and associate the bundle with a ticket:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-cluster-support-bundle -t <em>ticket-id</em>'
```
{% if currentVersion ver_gt "enterprise-server@2.21" %}
#### ghe-cluster-failover
Fail over from active cluster nodes to passive cluster nodes. For more information, see "[Initiating a failover to your replica cluster](/enterprise/admin/enterprise-management/initiating-a-failover-to-your-replica-cluster)."
```shell
ghe-cluster-failover
```
{% endif %}
#### ghe-dpages
This utility allows you to manage the distributed {% data variables.product.prodname_pages %} server.
```shell
ghe-dpages
```
To show a summary of repository location and health:
```shell
ghe-dpages status
```
To evacuate a {% data variables.product.prodname_pages %} storage service before evacuating a cluster node:
```shell
ghe-dpages evacuate pages-server-<em>UUID</em>
```
#### ghe-spokes
This utility allows you to manage the three copies of each repository on the distributed git servers.
```shell
ghe-spokes
```
To show a summary of repository location and health:
```shell
ghe-spokes status
```
To show the servers in which the repository is stored:
```shell
ghe-spokes route
```
To evacuate storage services on a cluster node:
```shell
ghe-spokes server evacuate git-server-<em>UUID</em>
```
#### ghe-storage
This utility allows you to evacuate all storage services before evacuating a cluster node.
```shell
ghe-storage evacuate storage-server-<em>UUID</em>
```
### Git
#### ghe-btop
A `top`-like interface for current Git operations.
```shell
ghe-btop [ <port number> | --help | --usage ]
```
#### ghe-repo
This utility allows you to change to a repository's directory and open an interactive shell as the `git` user. You can perform manual inspection or maintenance of a repository via commands like `git-*` or `git-nw-*`.
```shell
ghe-repo <em>username</em>/<em>reponame</em>
```
#### ghe-repo-gc
This utility manually repackages a repository network to optimize pack storage. If you have a large repository, running this command may help reduce its overall size. {% data variables.product.prodname_enterprise %} automatically runs this command throughout your interaction with a repository network.
You can add the optional `--prune` argument to remove unreachable Git objects that aren't referenced from a branch, tag, or any other ref. This is particularly useful for immediately removing [previously expunged sensitive information](/enterprise/user/articles/remove-sensitive-data/).
```shell
ghe-repo-gc <em>username</em>/<em>reponame</em>
```
### Import and export
#### ghe-migrator
`ghe-migrator` is a hi-fidelity tool to help you migrate from one GitHub instance to another. You can consolidate your instances or move your organization, users, teams, and repositories from GitHub.com to {% data variables.product.prodname_enterprise %}.
For more information, please see our guide on [migrating user, organization, and repository data](/enterprise/admin/guides/migrations/).
#### git-import-detect
Given a URL, detect which type of source control management system is at the other end. During a manual import this is likely already known, but this can be very useful in automated scripts.
```shell
git-import-detect
```
#### git-import-hg-raw
This utility imports a Mercurial repository to this Git repository. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
```shell
git-import-hg-raw
```
#### git-import-svn-raw
This utility imports Subversion history and file data into a Git branch. This is a straight copy of the tree, ignoring any trunk or branch distinction. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
```shell
git-import-svn-raw
```
#### git-import-tfs-raw
This utility imports from Team Foundation Version Control (TFVC). For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
```shell
git-import-tfs-raw
```
#### git-import-rewrite
This utility rewrites the imported repository. This gives you a chance to rename authors and, for Subversion and TFVC, produces Git branches based on folders. For more information, see "[Importing data from third party version control systems](/enterprise/admin/guides/migrations/importing-data-from-third-party-version-control-systems/)."
```shell
git-import-rewrite
```
### Support
#### ghe-diagnostics
This utility performs a variety of checks and gathers information about your installation that you can send to support to help diagnose problems you're having.
Currently, this utility's output is similar to downloading the diagnostics info in the {% data variables.enterprise.management_console %}, but may have additional improvements added to it over time that aren't available in the web UI. For more information, see "[Creating and sharing diagnostic files](/enterprise/admin/guides/enterprise-support/providing-data-to-github-support#creating-and-sharing-diagnostic-files)."
```shell
ghe-diagnostics
```
#### ghe-support-bundle
{% data reusables.enterprise_enterprise_support.use_ghe_cluster_support_bundle %}
This utility creates a support bundle tarball containing important logs from your instance.
By default, the command creates the tarball in */tmp*, but you can also have it `cat` the tarball to `STDOUT` for easy streaming over SSH. This is helpful in the case where the web UI is unresponsive or downloading a support bundle from */setup/support* doesn't work. You must use this command if you want to generate an *extended* bundle, containing older logs. You can also use this command to upload the support bundle directly to {% data variables.product.prodname_enterprise %} support.
To create a standard bundle:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -o' > support-bundle.tgz
```
To create an extended bundle:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -x -o' > support-bundle.tgz
```
To send a bundle to {% data variables.contact.github_support %}:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -u'
```
To send a bundle to {% data variables.contact.github_support %} and associate the bundle with a ticket:
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-support-bundle -t <em>ticket-id</em>'
```
#### ghe-support-upload
This utility sends information from your appliance to {% data variables.product.prodname_enterprise %} support. You can either specify a local file, or provide a stream of up to 100MB of data via `STDIN`. The uploaded data can optionally be associated with a support ticket.
To send a file to {% data variables.contact.github_support %} and associate the file with a ticket:
```shell
ghe-support-upload -f <em>path/to/your/file</em> -t <em>ticket-id</em>
```
To upload data via `STDIN` and associating the data with a ticket:
```shell
<em>ghe-repl-status -vv</em> | ghe-support-upload -t <em>ticket-id</em> -d "<em>Verbose Replication Status</em>"
```
In this example, `ghe-repl-status -vv` sends verbose status information from a replica appliance. You should replace `ghe-repl-status -vv` with the specific data you'd like to stream to `STDIN`, and `Verbose Replication Status` with a brief description of the data. {% data reusables.enterprise_enterprise_support.support_will_ask_you_to_run_command %}
### Upgrading {% data variables.product.prodname_ghe_server %}
#### ghe-upgrade
This utility installs or verifies an upgrade package. You can also use this utility to roll back a patch release if an upgrade fails or is interrupted. For more information, see "[Upgrading {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/guides/installation/upgrading-github-enterprise-server/)."
To verify an upgrade package:
```shell
ghe-upgrade --verify <em>UPGRADE-PACKAGE-FILENAME</em>
```
To install an upgrade package:
```shell
ghe-upgrade <em>UPGRADE-PACKAGE-FILENAME</em>
```
{% data reusables.enterprise_installation.command-line-utilities-ghe-upgrade-rollback %}
#### ghe-upgrade-scheduler
This utility manages scheduled installation of upgrade packages. You can show, create new, or remove scheduled installations. You must create schedules using cron expressions. For more information, see the [Cron Wikipedia entry](https://en.wikipedia.org/wiki/Cron#Overview).
To schedule a new installation for a package:
```shell
$ ghe-upgrade-scheduler -c "0 2 15 12 *" <em>UPGRADE-PACKAGE-FILENAME</em>
```
To show scheduled installations for a package:
```shell
$ ghe-upgrade-scheduler -s <em>UPGRADE PACKAGE FILENAME</em>
> 0 2 15 12 * /usr/local/bin/ghe-upgrade -y -s <em>UPGRADE-PACKAGE-FILENAME</em> > /data/user/common/<em>UPGRADE-PACKAGE-FILENAME</em>.log 2>&1
```
To remove scheduled installations for a package:
```shell
$ ghe-upgrade-scheduler -r <em>UPGRADE PACKAGE FILENAME</em>
```
#### ghe-update-check
This utility will check to see if a new patch release of {% data variables.product.prodname_enterprise %} is available. If it is, and if space is available on your instance, it will download the package. By default, it's saved to */var/lib/ghe-updates*. An administrator can then [perform the upgrade](/enterprise/admin/guides/installation/updating-the-virtual-machine-and-physical-resources/).
A file containing the status of the download is available at */var/lib/ghe-updates/ghe-update-check.status*.
To check for the latest {% data variables.product.prodname_enterprise %} release, use the `-i` switch.
```shell
$ ssh -p 122 admin@<em>hostname</em> -- 'ghe-update-check'
```
### User management
#### ghe-license-usage
This utility exports a list of the installation's users in JSON format. If your instance is connected to {% data variables.product.prodname_ghe_cloud %}, {% data variables.product.prodname_ghe_server %} uses this information for reporting licensing information to {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %} ](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
By default, the list of users in the resulting JSON file is encrypted. Use the `-h` flag for more options.
```shell
ghe-license-usage
```
#### ghe-org-membership-update
This utility will enforce the default organization membership visibility setting on all members in your instance. For more information, see "[Configuring visibility for organization membership](/enterprise/{{ currentVersion }}/admin/guides/user-management/configuring-visibility-for-organization-membership)." Setting options are `public` or `private`.
```shell
ghe-org-membership-update --visibility=<em>SETTING</em>
```
#### ghe-user-csv
This utility exports a list of all the users in the installation into CSV format. The CSV file includes the email address, which type of user they are (e.g., admin, user), how many repositories they have, how many SSH keys, how many organization memberships, last logged IP address, etc. Use the `-h` flag for more options.
```shell
ghe-user-csv -o > users.csv
```
#### ghe-user-demote
This utility demotes the specified user from admin status to that of a regular user. We recommend using the web UI to perform this action, but provide this utility in case the `ghe-user-promote` utility is run in error and you need to demote a user again from the CLI.
```shell
ghe-user-demote <em>some-user-name</em>
```
#### ghe-user-promote
This utility promotes the specified user account to a site administrator.
```shell
ghe-user-promote <em>some-user-name</em>
```
#### ghe-user-suspend
This utility suspends the specified user, preventing them from logging in, pushing, or pulling from your repositories.
```shell
ghe-user-suspend <em>some-user-name</em>
```
#### ghe-user-unsuspend
This utility unsuspends the specified user, granting them access to login, push, and pull from your repositories.
```shell
ghe-user-unsuspend <em>some-user-name</em>
```
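
Review bot: In the `ghe-update-check` section, the text says to use the `-i` switch to check for the latest release, but the example that follows runs `ghe-update-check` with no switch, so either the example should pass `-i` or the sentence should say what the bare command does. In the `ghe-upgrade-scheduler` section, the show and remove examples spell the placeholder `UPGRADE PACKAGE FILENAME` with spaces while the create example and the sample output use `UPGRADE-PACKAGE-FILENAME`; a spaced placeholder reads as three arguments, so use the hyphenated form throughout. Under `ghe-support-upload`, "To upload data via `STDIN` and associating the data with a ticket" should read "and associate". The `$ ` prompt is also used on some examples and not on others within the same section (for example `ghe-cluster-status` has it and `ghe-cluster-failover` does not); pick one convention.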

View File

@@ -0,0 +1,25 @@
---
title: Configuring applications
intro: 'You can configure internal application settings for {% data variables.product.product_location %}.'
redirect_from:
- /enterprise/admin/installation/configuring-applications
- /enterprise/admin/configuration/configuring-applications
- /admin/configuration/configuring-applications
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
---
### Adjusting image caching
You can choose the amount of time that {% data variables.product.product_location %} caches avatars. When you increase the cache time, you increase the amount of time a user's avatar will take to load. Configuring the cache time with too low a value can overload {% data variables.product.product_location %} work processes.
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
3. In the left sidebar, click **Applications**.
![Applications tab in the settings sidebar](/assets/images/enterprise/management-console/sidebar-applications.png)
4. Under "Avatar image cache time (seconds)", type the number of seconds that you would like {% data variables.product.product_location %} to cache avatar images.
![Avatar image caching form field](/assets/images/enterprise/management-console/add-image-caching-value-field.png)
{% data reusables.enterprise_management_console.save-settings %}
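
Review bot: In the "Adjusting image caching" paragraph, "When you increase the cache time, you increase the amount of time a user's avatar will take to load" reads as if a longer cache makes pages slower, which is the opposite of what a cache does; if the intent is that a changed avatar takes longer to appear, say that instead. The same paragraph warns that too low a value can overload "work processes" but gives no default or minimum for the "Avatar image cache time (seconds)" field, so an admin has nothing to compare their value against; state the default, and confirm whether "work processes" should be "worker processes".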

View File

@@ -0,0 +1,125 @@
---
title: Configuring backups on your appliance
shortTitle: Configuring backups
redirect_from:
- /enterprise/admin/categories/backups-and-restores/
- /enterprise/admin/articles/backup-and-recovery/
- /enterprise/admin/articles/backing-up-github-enterprise/
- /enterprise/admin/articles/restoring-github-enterprise/
- /enterprise/admin/articles/backing-up-repository-data/
- /enterprise/admin/articles/restoring-enterprise-data/
- /enterprise/admin/articles/restoring-repository-data/
- /enterprise/admin/articles/backing-up-enterprise-data/
- /enterprise/admin/guides/installation/backups-and-disaster-recovery/
- /enterprise/admin/installation/configuring-backups-on-your-appliance
- /enterprise/admin/configuration/configuring-backups-on-your-appliance
- /admin/configuration/configuring-backups-on-your-appliance
intro: 'As part of a disaster recovery plan, you can protect production data on {% data variables.product.product_location %} by configuring automated backups.'
versions:
enterprise-server: '*'
type: how_to
topics:
- Backups
- Enterprise
- Fundamentals
- Infrastructure
---
### About {% data variables.product.prodname_enterprise_backup_utilities %}
{% data variables.product.prodname_enterprise_backup_utilities %} is a backup system you install on a separate host, which takes backup snapshots of {% data variables.product.product_location %} at regular intervals over a secure SSH network connection. You can use a snapshot to restore an existing {% data variables.product.prodname_ghe_server %} instance to a previous state from the backup host.
Only data added since the last snapshot will transfer over the network and occupy additional physical storage space. To minimize performance impact, backups are performed online under the lowest CPU/IO priority. You do not need to schedule a maintenance window to perform a backup.
For more detailed information on features, requirements, and advanced usage, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#readme).
### Prerequisites
To use {% data variables.product.prodname_enterprise_backup_utilities %}, you must have a Linux or Unix host system separate from {% data variables.product.product_location %}.
You can also integrate {% data variables.product.prodname_enterprise_backup_utilities %} into an existing environment for long-term permanent storage of critical data.
We recommend that the backup host and {% data variables.product.product_location %} be geographically distant from each other. This ensures that backups are available for recovery in the event of a major disaster or network outage at the primary site.
Physical storage requirements will vary based on Git repository disk usage and expected growth patterns:
| Hardware | Recommendation |
| -------- | --------- |
| **vCPUs** | 2 |
| **Memory** | 2 GB |
| **Storage** | Five times the primary instance's allocated storage |
More resources may be required depending on your usage, such as user activity and selected integrations.
### Installing {% data variables.product.prodname_enterprise_backup_utilities %}
{% note %}
**Note:** To ensure a recovered appliance is immediately available, perform backups targeting the primary instance even in a Geo-replication configuration.
{% endnote %}
1. Download the latest [{% data variables.product.prodname_enterprise_backup_utilities %} release](https://github.com/github/backup-utils/releases) and extract the file with the `tar` command.
```shell
$ tar -xzvf /path/to/github-backup-utils-v<em>MAJOR.MINOR.PATCH</em>.tar.gz
```
2. Copy the included `backup.config-example` file to `backup.config` and open in an editor.
3. Set the `GHE_HOSTNAME` value to your primary {% data variables.product.prodname_ghe_server %} instance's hostname or IP address.
4. Set the `GHE_DATA_DIR` value to the filesystem location where you want to store backup snapshots.
5. Open your primary instance's settings page at `https://HOSTNAME/setup/settings` and add the backup host's SSH key to the list of authorized SSH keys. For more information, see [Accessing the administrative shell (SSH)](/enterprise/{{ currentVersion }}/admin/guides/installation/accessing-the-administrative-shell-ssh/).
5. Verify SSH connectivity with {% data variables.product.product_location %} with the `ghe-host-check` command.
```shell
$ bin/ghe-host-check
```
6. To create an initial full backup, run the `ghe-backup` command.
```shell
$ bin/ghe-backup
```
For more information on advanced usage, see the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#readme).
### Scheduling a backup
You can schedule regular backups on the backup host using the `cron(8)` command or a similar command scheduling service. The configured backup frequency will dictate the worst case recovery point objective (RPO) in your recovery plan. For example, if you have scheduled the backup to run every day at midnight, you could lose up to 24 hours of data in a disaster scenario. We recommend starting with an hourly backup schedule, guaranteeing a worst case maximum of one hour of data loss if the primary site data is destroyed.
If backup attempts overlap, the `ghe-backup` command will abort with an error message, indicating the existence of a simultaneous backup. If this occurs, we recommended decreasing the frequency of your scheduled backups. For more information, see the "Scheduling backups" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#scheduling-backups).
### Restoring a backup
In the event of prolonged outage or catastrophic event at the primary site, you can restore {% data variables.product.product_location %} by provisioning another {% data variables.product.prodname_enterprise %} appliance and performing a restore from the backup host. You must add the backup host's SSH key to the target {% data variables.product.prodname_enterprise %} appliance as an authorized SSH key before restoring an appliance.
{%if currentVersion ver_gt "enterprise-server@2.22"%}
{% note %}
**Note:** If {% data variables.product.product_location %} has {% data variables.product.prodname_actions %} enabled, you must first configure the {% data variables.product.prodname_actions %} external storage provider on the replacement appliance before running the `ghe-restore` command. For more information, see "[Backing up and restoring {% data variables.product.prodname_ghe_server %} with {% data variables.product.prodname_actions %} enabled](/admin/github-actions/backing-up-and-restoring-github-enterprise-server-with-github-actions-enabled)."
{% endnote %}
{% endif %}
To restore {% data variables.product.product_location %} from the last successful snapshot, use the `ghe-restore` command. You should see output similar to this:
```shell
$ ghe-restore -c 169.154.1.1
> Checking for leaked keys in the backup snapshot that is being restored ...
> * No leaked keys found
> Connect 169.154.1.1:122 OK (v2.9.0)
> WARNING: All data on GitHub Enterprise appliance 169.154.1.1 (v2.9.0)
> will be overwritten with data from snapshot 20170329T150710.
> Please verify that this is the correct restore host before continuing.
> Type 'yes' to continue: <em>yes</em>
> Starting restore of 169.154.1.1:122 from snapshot 20170329T150710
# ...output truncated
> Completed restore of 169.154.1.1:122 from snapshot 20170329T150710
> Visit https://169.154.1.1/setup/settings to review appliance configuration.
```
{% note %}
**Note:** The network settings are excluded from the backup snapshot. You must manually configure the network on the target {% data variables.product.prodname_ghe_server %} appliance as required for your environment.
{% endnote %}
You can use these additional options with `ghe-restore` command:
- The `-c` flag overwrites the settings, certificate, and license data on the target host even if it is already configured. Omit this flag if you are setting up a staging instance for testing purposes and you wish to retain the existing configuration on the target. For more information, see the "Using using backup and restore commands" section of the [{% data variables.product.prodname_enterprise_backup_utilities %} README](https://github.com/github/backup-utils#using-the-backup-and-restore-commands).
- The `-s` flag allows you to select a different backup snapshot.
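
Review bot: Under "Installing", the step that adds the backup host's SSH key to the primary instance's authorized keys gives that host administrative shell access, and the `GHE_DATA_DIR` it writes holds full snapshots of production data, yet neither "Prerequisites" nor the install steps say anything about restricting access to the backup host, the key, or the snapshot directory; add a sentence covering that. The numbered list also has two steps numbered 5 (the authorized-keys step and the `ghe-host-check` step), so the source numbering ends at 6 for seven steps. Smaller wording fixes: "we recommended decreasing the frequency" should be "we recommend", "with `ghe-restore` command" is missing "the", and the link text "Using using backup and restore commands" repeats a word and does not match its own anchor `#using-the-backup-and-restore-commands`.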

View File

@@ -0,0 +1,25 @@
---
title: Configuring data encryption for your enterprise
shortTitle: Configuring data encryption
intro: 'For encryption at rest, you can provide your own encryption key to encrypt your data under your encryption policies.'
versions:
github-ae: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
- Security
redirect_from:
- /admin/configuration/configuring-data-encryption-for-your-enterprise
---
{% note %}
**Note:** Configuring encryption at rest with a customer-managed key is currently in beta and subject to change.
{% endnote %}
### About data encryption
To provide a high level of security, {% data variables.product.product_name %} encrypts your data while at rest in the data centers and while your data is in transit between users' machines and the data centers.
For encryption in transit, {% data variables.product.product_name %} uses Transport Layer Security (TLS). For encryption at rest, {% data variables.product.product_name %} provides a default RSA key.
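
Review bot: The front matter declares `type: how_to` and the intro says "you can provide your own encryption key", but the body shown in this hunk stops after "About data encryption" and contains no procedure for supplying, rotating or revoking a key; either the steps are missing or the type and intro should be adjusted to match an overview. In the last paragraph, "provides a default RSA key" does not say what the key protects (the data directly, or a data-encryption key) or who holds it, which is the detail a reader deciding whether to bring their own key needs. The beta note would also be more useful if it said what happens to already encrypted data when the feature changes.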

View File

@@ -0,0 +1,188 @@
---
title: Configuring email for notifications
intro: 'To make it easy for users to respond quickly to activity on {% data variables.product.product_name %}, you can configure {% data variables.product.product_location %} to send email notifications for issue, pull request, and commit comments.'
redirect_from:
- /enterprise/admin/guides/installation/email-configuration/
- /enterprise/admin/articles/configuring-email/
- /enterprise/admin/articles/troubleshooting-email/
- /enterprise/admin/articles/email-configuration-and-troubleshooting/
- /enterprise/admin/user-management/configuring-email-for-notifications
- /admin/configuration/configuring-email-for-notifications
versions:
enterprise-server: '*'
github-ae: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
- Infrastructure
- Notifications
---
{% if currentVersion == "github-ae@latest" %}
Enterprise owners can configure email for notifications.
{% endif %}
### Configuring SMTP for your enterprise
{% if enterpriseServerVersions contains currentVersion %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
2. At the top of the page, click **Settings**.
![Settings tab](/assets/images/enterprise/management-console/settings-tab.png)
3. In the left sidebar, click **Email**.
![Email tab](/assets/images/enterprise/management-console/email-sidebar.png)
4. Select **Enable email**. This will enable both outbound and inbound email, however for inbound email to work you will also need to configure your DNS settings as described below in "[Configuring DNS and firewall
settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
![Enable outbound email](/assets/images/enterprise/management-console/enable-outbound-email.png)
5. Type the settings for your SMTP server.
- In the **Server address** field, type the address of your SMTP server.
- In the **Port** field, type the port that your SMTP server uses to send email.
- In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
- Select the **Authentication** dropdown, and choose the type of encryption used by your SMTP server.
- In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.
6. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
![Checkbox to discard emails addressed to the no-reply email address](/assets/images/enterprise/management-console/discard-noreply-emails.png)
7. Under **Support**, choose a type of link to offer additional support to your users.
- **Email:** An internal email address.
- **URL:** A link to an internal support site. You must include either `http://` or `https://`.
![Support email or URL](/assets/images/enterprise/management-console/support-email-url.png)
8. [Test email delivery](#testing-email-delivery).
{% elsif currentVersion == "github-ae@latest" %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.email-tab %}
2. Select **Enable email**.
!["Enable" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-enable-email-configure.png)
3. Type the settings for your email server.
- In the **Server address** field, type the address of your SMTP server.
- In the **Port** field, type the port that your SMTP server uses to send email.
- In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
- Select the **Authentication** dropdown, and choose the type of encryption used by your SMTP server.
- In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.
4. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
!["Discard" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-discard-email.png)
5. Click **Test email settings**.
!["Test email settings" button for email settings configuration](/assets/images/enterprise/configuration/ae-test-email.png)
6. Under "Send test email to," type the email address where you want to send a test email, then click **Send test email**.
!["Send test email" button for email settings configuration](/assets/images/enterprise/configuration/ae-send-test-email.png)
7. Click **Save**.
!["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)
{% endif %}
{% if enterpriseServerVersions contains currentVersion %}
### Testing email delivery
1. At the top of the **Email** section, click **Test email settings**.
![Test email settings](/assets/images/enterprise/management-console/test-email.png)
2. In the **Send test email to** field, type an address to send the test email to.
![Test email address](/assets/images/enterprise/management-console/test-email-address.png)
3. Click **Send test email**.
![Send test email](/assets/images/enterprise/management-console/test-email-address-send.png)
{% tip %}
**Tip:** If SMTP errors occur while sending a test email—such as an immediate delivery failure or an outgoing mail configuration error—you will see them in the Test email settings dialog box.
{% endtip %}
4. If the test email fails, [troubleshoot your email settings](#troubleshooting-email-delivery).
5. When the test email succeeds, at the bottom of the page, click **Save settings**.
![Save settings button](/assets/images/enterprise/management-console/save-settings.png)
6. Wait for the configuration run to complete.
![Configuring your instance](/assets/images/enterprise/management-console/configuration-run.png)
### Configuring DNS and firewall settings to allow incoming emails
If you want to allow email replies to notifications, you must configure your DNS settings.
1. Ensure that port 25 on the instance is accessible to your SMTP server.
2. Create an A record that points to `reply.[hostname]`. Depending on your DNS provider and instance host configuration, you may be able to instead create a single A record that points to `*.[hostname]`.
3. Create an MX record that points to `reply.[hostname]` so that emails to that domain are routed to the instance.
4. Create an MX record that points `noreply.[hostname]` to `[hostname]` so that replies to the `cc` address in notification emails are routed to the instance. For more information, see {% if currentVersion ver_gt "enterprise-server@2.20" %}"[Configuring notifications](/github/managing-subscriptions-and-notifications-on-github/configuring-notifications){% else %}"[About email notifications](/github/receiving-notifications-about-activity-on-github/about-email-notifications){% endif %}."
### Troubleshooting email delivery
#### Create a Support Bundle
If you cannot determine what is wrong from the displayed error message, you can download a [support bundle](/enterprise/{{ currentVersion }}/admin/guides/enterprise-support/providing-data-to-github-support) containing the entire SMTP conversation between your mail server and {% data variables.product.prodname_ghe_server %}. Once you've downloaded and extracted the bundle, check the entries in *enterprise-manage-logs/unicorn.log* for the entire SMTP conversation log and any related errors.
The unicorn log should show a transaction similar to the following:
```shell
This is a test email generated from https://10.0.0.68/setup/settings
Connection opened: smtp.yourdomain.com:587
-> "220 smtp.yourdomain.com ESMTP nt3sm2942435pbc.14\r\n"
<- "EHLO yourdomain.com\r\n"
-> "250-smtp.yourdomain.com at your service, [1.2.3.4]\r\n"
-> "250-SIZE 35882577\r\n"
-> "250-8BITMIME\r\n"
-> "250-STARTTLS\r\n"
-> "250-ENHANCEDSTATUSCODES\r\n"
-> "250 PIPELINING\r\n"
<- "STARTTLS\r\n"
-> "220 2.0.0 Ready to start TLS\r\n"
TLS connection started
<- "EHLO yourdomain.com\r\n"
-> "250-smtp.yourdomain.com at your service, [1.2.3.4]\r\n"
-> "250-SIZE 35882577\r\n"
-> "250-8BITMIME\r\n"
-> "250-AUTH LOGIN PLAIN XOAUTH\r\n"
-> "250-ENHANCEDSTATUSCODES\r\n"
-> "250 PIPELINING\r\n"
<- "AUTH LOGIN\r\n"
-> "334 VXNlcm5hbWU6\r\n"
<- "dGhpc2lzbXlAYWRkcmVzcy5jb20=\r\n"
-> "334 UGFzc3dvcmQ6\r\n"
<- "aXRyZWFsbHl3YXM=\r\n"
-> "535-5.7.1 Username and Password not accepted. Learn more at\r\n"
-> "535 5.7.1 http://support.yourdomain.com/smtp/auth-not-accepted nt3sm2942435pbc.14\r\n"
```
This log shows that the appliance:
* Opened a connection with the SMTP server (`Connection opened: smtp.yourdomain.com:587`).
* Successfully made a connection and chose to use TLS (`TLS connection started`).
* The `login` authentication type was performed (`<- "AUTH LOGIN\r\n"`).
* The SMTP Server rejected the authentication as invalid (`-> "535-5.7.1 Username and Password not accepted.`).
#### Check {% data variables.product.product_location %} logs
If you need to verify that your inbound email is functioning, there are two log files that you can examine on your instance: To verify that */var/log/mail.log* and */var/log/mail-replies/metroplex.log*.
*/var/log/mail.log* verifies that messages are reaching your server. Here's an example of a successful email reply:
```
Oct 30 00:47:18 54-171-144-1 postfix/smtpd[13210]: connect from st11p06mm-asmtp002.mac.com[17.172.124.250]
Oct 30 00:47:19 54-171-144-1 postfix/smtpd[13210]: 51DC9163323: client=st11p06mm-asmtp002.mac.com[17.172.124.250]
Oct 30 00:47:19 54-171-144-1 postfix/cleanup[13216]: 51DC9163323: message-id=<b2b9c260-4aaa-4a93-acbb-0b2ddda68579@me.com>
Oct 30 00:47:19 54-171-144-1 postfix/qmgr[17250]: 51DC9163323: from=<tcook@icloud.com>, size=5048, nrcpt=1 (queue active)
Oct 30 00:47:19 54-171-144-1 postfix/virtual[13217]: 51DC9163323: to=<reply+i-1-1801beb4df676a79250d1e61e54ab763822c207d-5@reply.ghe.tjl2.co.ie>, relay=virtual, delay=0.12, delays=0.11/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Oct 30 00:47:19 54-171-144-1 postfix/qmgr[17250]: 51DC9163323: removed
Oct 30 00:47:19 54-171-144-1 postfix/smtpd[13210]: disconnect from st11p06mm-asmtp002.mac.com[17.172.124.250]
```
Note that the client first connects; then, the queue becomes active. Then, the message is delivered, the client is removed from the queue, and the session disconnects.
*/var/log/mail-replies/metroplex.log* shows whether inbound emails are being processed to add to issues and pull requests as replies. Here's an example of a successful message:
```
[2014-10-30T00:47:23.306 INFO (5284) #] metroplex: processing <b2b9c260-4aaa-4a93-acbb-0b2ddda68579@me.com>
[2014-10-30T00:47:23.333 DEBUG (5284) #] Matched /data/user/mail/reply/new/1414630039.Vfc00I12000eM445784.ghe-tjl2-co-ie
[2014-10-30T00:47:23.334 DEBUG (5284) #] Moving /data/user/mail/reply/new/1414630039.Vfc00I12000eM445784.ghe-tjl2-co-ie => /data/user/incoming-mail/success
```
You'll notice that `metroplex` catches the inbound message, processes it, then moves the file over to `/data/user/incoming-mail/success`.{% endif %}
#### Verify your DNS settings
In order to properly process inbound emails, you must configure a valid A Record (or CNAME), as well as an MX Record. For more information, see "[Configuring DNS and firewall settings to allow incoming emails](#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
#### Check firewall or AWS Security Group settings
If {% data variables.product.product_location %} is behind a firewall or is being served through an AWS Security Group, make sure port 25 is open to all mail servers that send emails to `reply@reply.[hostname]`.
#### Contact support
{% if enterpriseServerVersions contains currentVersion %}
If you're still unable to resolve the problem, contact {% data variables.contact.contact_ent_support %}. Please attach the output file from `http(s)://[hostname]/setup/diagnostics` to your email to help us troubleshoot your problem.
{% elsif currentVersion == "github-ae@latest" %}
You can contact {% data variables.contact.github_support %} for help configuring email for notifications to be sent through your SMTP server. For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)."
{% endif %}
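Review bot: The sample unicorn.log transcript includes the full `AUTH LOGIN` exchange, and the two client lines sent after the `334` prompts are the Base64-encoded SMTP username and password, so the paragraph telling admins to download and extract a support bundle should state that the bundle contains recoverable mail credentials and must be handled as sensitive. Separately, in the "Check ... logs" section, the sentence "there are two log files that you can examine on your instance: To verify that */var/log/mail.log* and */var/log/mail-replies/metroplex.log*." has a stray "To verify that" and does not parse; drop those three words.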


@@ -0,0 +1,72 @@
---
title: Configuring GitHub Pages for your enterprise
intro: 'You can enable or disable {% data variables.product.prodname_pages %} for your enterprise and choose whether to make sites publicly accessible.'
redirect_from:
- /enterprise/admin/guides/installation/disabling-github-enterprise-pages/
- /enterprise/admin/guides/installation/configuring-github-enterprise-pages/
- /enterprise/admin/installation/configuring-github-pages-on-your-appliance
- /enterprise/admin/configuration/configuring-github-pages-on-your-appliance
- /admin/configuration/configuring-github-pages-on-your-appliance
- /enterprise/admin/guides/installation/configuring-github-pages-for-your-enterprise/
- /admin/configuration/configuring-github-pages-for-your-enterprise
versions:
enterprise-server: '*'
github-ae: '*'
type: how_to
topics:
- Enterprise
- Pages
---
### Enabling public sites for {% data variables.product.prodname_pages %}
{% if enterpriseServerVersions contains currentVersion %}If private mode is enabled on your enterprise, the {% else %}The {% endif %}public cannot access {% data variables.product.prodname_pages %} sites hosted by your enterprise unless you enable public sites.
{% warning %}
**Warning:** If you enable public sites for {% data variables.product.prodname_pages %}, every site in every repository on your enterprise will be accessible to the public.
{% endwarning %}
{% if enterpriseServerVersions contains currentVersion %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.pages-tab %}
4. Select **Public Pages**.
![Checkbox to enable Public Pages](/assets/images/enterprise/management-console/public-pages-checkbox.png)
{% data reusables.enterprise_management_console.save-settings %}
{% elsif currentVersion == "github-ae@latest" %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.pages-tab %}
5. Under "Pages policies", select **Public {% data variables.product.prodname_pages %}**.
![Checkbox to enable public {% data variables.product.prodname_pages %}](/assets/images/enterprise/business-accounts/public-github-pages-checkbox.png)
{% data reusables.enterprise-accounts.pages-policies-save %}
{% endif %}
### Disabling {% data variables.product.prodname_pages %} for your enterprise
{% if enterpriseServerVersions contains currentVersion %}
If subdomain isolation is disabled for your enterprise, you should also disable {% data variables.product.prodname_pages %} to protect yourself from potential security vulnerabilities. For more information, see "[Enabling subdomain isolation](/admin/configuration/enabling-subdomain-isolation)."
{% endif %}
{% if enterpriseServerVersions contains currentVersion %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.pages-tab %}
4. Unselect **Enable Pages**.
![Checkbox to disable {% data variables.product.prodname_pages %}](/assets/images/enterprise/management-console/pages-select-button.png)
{% data reusables.enterprise_management_console.save-settings %}
{% elsif currentVersion == "github-ae@latest" %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.pages-tab %}
5. Under "Pages policies", deselect **Enable {% data variables.product.prodname_pages %}**.
![Checkbox to disable {% data variables.product.prodname_pages %}](/assets/images/enterprise/business-accounts/enable-github-pages-checkbox.png)
{% data reusables.enterprise-accounts.pages-policies-save %}
{% endif %}
{% if enterpriseServerVersions contains currentVersion %}
### Further reading
- "[Enabling private mode](/admin/configuration/enabling-private-mode)"
{% endif %}
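Review bot: Under "Disabling ... for your enterprise", the sentence "you should also disable ... to protect yourself from potential security vulnerabilities" does not tell the admin what the exposure is when subdomain isolation is off; name the risk in a clause here instead of leaving it entirely to the linked article. The two back-to-back `{% if enterpriseServerVersions contains currentVersion %}` blocks in that section can be merged into one, and the steps should use one verb: the Enterprise Server branch says "Unselect **Enable Pages**" while the GitHub AE branch says "deselect **Enable ...**".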


@@ -0,0 +1,58 @@
---
title: Configuring rate limits
intro: 'You can set rate limits for {% data variables.product.prodname_ghe_server %} using the {% data variables.enterprise.management_console %}.'
redirect_from:
- /enterprise/admin/installation/configuring-rate-limits
- /enterprise/admin/configuration/configuring-rate-limits
- /admin/configuration/configuring-rate-limits
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Infrastructure
- Performance
---
### Enabling rate limits for {% data variables.product.prodname_enterprise_api %}
Enabling rate limits on {% data variables.product.prodname_enterprise_api %} can prevent overuse of resources by individual or unauthenticated users. For more information, see "[Resources in the REST API](/rest/overview/resources-in-the-rest-api#rate-limiting)."
{% if currentVersion ver_gt "enterprise-server@2.21" %}
You can exempt a list of users from API rate limits using the `ghe-config` utility in the administrative shell. For more information, see "[Command-line utilities](/enterprise/admin/configuration/command-line-utilities#ghe-config)."
{% endif %}
{% note %}
**Note:** The {% data variables.enterprise.management_console %} lists the time period (per minute or per hour) for each rate limit.
{% endnote %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
2. Under "Rate Limiting", select **Enable API Rate Limiting**.
![Checkbox for enabling API rate limiting](/assets/images/enterprise/management-console/api-rate-limits-checkbox.png)
3. Type limits for authenticated and unauthenticated requests for each API, or accept the pre-filled default limits.
{% data reusables.enterprise_management_console.save-settings %}
### Enabling abuse rate limits
Setting abuse rate limits protects the overall level of service on {% data variables.product.product_location %}.
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
2. Under "Rate Limiting", select **Enable Abuse Rate Limiting**.
![Checkbox for enabling abuse rate limiting](/assets/images/enterprise/management-console/abuse-rate-limits-checkbox.png)
3. Type limits for Total Requests, CPU Limit, and CPU Limit for Searching, or accept the pre-filled default limits.
{% data reusables.enterprise_management_console.save-settings %}
### Enabling Git rate limits
You can apply Git rate limits per repository network or per user ID. Git rate limits are expressed in concurrent operations per minute, and are adaptive based on the current CPU load.
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
2. Under "Rate Limiting", select **Enable Git Rate Limiting**.
![Checkbox for enabling Git rate limiting](/assets/images/enterprise/management-console/git-rate-limits-checkbox.png)
3. Type limits for each repository network or user ID.
![Fields for repository network and user ID limits](/assets/images/enterprise/management-console/example-git-rate-limits.png)
{% data reusables.enterprise_management_console.save-settings %}
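Review bot: In "Enabling Git rate limits", "expressed in concurrent operations per minute" mixes a concurrency count with a rate, so it is unclear what number step 3 expects; say which of the two the field takes. "Enabling abuse rate limits" has a similar gap: step 3 names Total Requests, CPU Limit, and CPU Limit for Searching without units or a time window, and the note that the Management Console lists the time period appears only in the API section. The `ghe-config` link also uses the older `/enterprise/admin/configuration/...` path, while other pages added in this commit link to `/admin/configuration/...`.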


@@ -0,0 +1,49 @@
---
title: Configuring time synchronization
intro: '{% data variables.product.prodname_ghe_server %} automatically synchronizes its clock by connecting to NTP servers. You can set the NTP servers that are used to synchronize the clock, or you can use the default NTP servers.'
redirect_from:
- /enterprise/admin/articles/adjusting-the-clock/
- /enterprise/admin/articles/configuring-time-zone-and-ntp-settings/
- /enterprise/admin/articles/setting-ntp-servers/
- /enterprise/admin/categories/time/
- /enterprise/admin/installation/configuring-time-synchronization
- /enterprise/admin/configuration/configuring-time-synchronization
- /admin/configuration/configuring-time-synchronization
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
- Infrastructure
- Networking
---
### Changing the default NTP servers
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
2. In the left sidebar, click **Time**.
![The Time button in the {% data variables.enterprise.management_console %} sidebar](/assets/images/enterprise/management-console/sidebar-time.png)
3. Under "Primary NTP server," type the hostname of the primary NTP server. Under "Secondary NTP server," type the hostname of the secondary NTP server.
![The fields for primary and secondary NTP servers in the {% data variables.enterprise.management_console %}](/assets/images/enterprise/management-console/ntp-servers.png)
4. At the bottom of the page, click **Save settings**.
![The Save settings button in the {% data variables.enterprise.management_console %}](/assets/images/enterprise/management-console/save-settings.png)
5. Wait for the configuration run to complete.
### Correcting a large time drift
The NTP protocol continuously corrects small time synchronization discrepancies. You can use the administrative shell to synchronize time immediately.
{% note %}
**Notes:**
- You can't modify the Coordinated Universal Time (UTC) zone.
- You should prevent your hypervisor from trying to set the virtual machine's clock. For more information, see the documentation provided by the virtualization provider.
{% endnote %}
- Use the `chronyc` command to synchronize the server with the configured NTP server. For example:
```shell
$ sudo chronyc -a makestep
```
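Review bot: Steps 4 and 5 of "Changing the default NTP servers" write out the **Save settings** click, its screenshot, and the wait for the configuration run by hand, while the other pages in this commit close the same flow with `{% data reusables.enterprise_management_console.save-settings %}`; if that reusable covers the same click and wait, use it here so the wording cannot drift. In "Correcting a large time drift", the only step is a one-item bullet placed after the notes, and the text never says how large a drift calls for `chronyc -a makestep`, nor links to the administrative shell (SSH) page the admin needs first.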


@@ -0,0 +1,72 @@
---
title: Enabling and scheduling maintenance mode
intro: 'Some standard maintenance procedures, such as upgrading {% data variables.product.product_location %} or restoring backups, require the instance to be taken offline for normal use.'
redirect_from:
- /enterprise/admin/maintenance-mode/
- /enterprise/admin/categories/maintenance-mode/
- /enterprise/admin/articles/maintenance-mode/
- /enterprise/admin/articles/enabling-maintenance-mode/
- /enterprise/admin/articles/disabling-maintenance-mode/
- /enterprise/admin/guides/installation/maintenance-mode/
- /enterprise/admin/installation/enabling-and-scheduling-maintenance-mode
- /enterprise/admin/configuration/enabling-and-scheduling-maintenance-mode
- /admin/configuration/enabling-and-scheduling-maintenance-mode
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Fundamentals
- Maintenance
- Upgrades
---
### About maintenance mode
Some types of operations require that you take {% data variables.product.product_location %} offline and put it into maintenance mode:
- Upgrading to a new version of {% data variables.product.prodname_ghe_server %}
- Increasing CPU, memory, or storage resources allocated to the virtual machine
- Migrating data from one virtual machine to another
- Restoring data from a {% data variables.product.prodname_enterprise_backup_utilities %} snapshot
- Troubleshooting certain types of critical application issues
We recommend that you schedule a maintenance window for at least 30 minutes in the future to give users time to prepare. When a maintenance window is scheduled, all users will see a banner when accessing the site.
![End user banner about scheduled maintenance](/assets/images/enterprise/maintenance/maintenance-scheduled.png)
When the instance is in maintenance mode, all normal HTTP and Git access is refused. Git fetch, clone, and push operations are also rejected with an error message indicating that the site is temporarily unavailable. Visiting the site in a browser results in a maintenance page.
![The maintenance mode splash screen](/assets/images/enterprise/maintenance/maintenance-mode-maintenance-page.png)
### Enabling maintenance mode immediately or scheduling a maintenance window for a later time
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
2. At the top of the {% data variables.enterprise.management_console %}, click **Maintenance**.
![Maintenance tab](/assets/images/enterprise/management-console/maintenance-tab.png)
3. Under "Enable and schedule", decide whether to enable maintenance mode immediately or to schedule a maintenance window for a future time.
- To enable maintenance mode immediately, use the drop-down menu and click **now**.
![Drop-down menu with the option to enable maintenance mode now selected](/assets/images/enterprise/maintenance/enable-maintenance-mode-now.png)
- To schedule a maintenance window for a future time, use the drop-down menu and click a start time.
![Drop-down menu with the option to schedule a maintenance window in two hours selected](/assets/images/enterprise/maintenance/schedule-maintenance-mode-two-hours.png)
4. Select **Enable maintenance mode**.
![Checkbox for enabling or scheduling maintenance mode](/assets/images/enterprise/maintenance/enable-maintenance-mode-checkbox.png)
{% data reusables.enterprise_management_console.save-settings %}
### Scheduling maintenance mode with {% data variables.product.prodname_enterprise_api %}
You can schedule maintenance for different times or dates with {% data variables.product.prodname_enterprise_api %}. For more information, see "[Management Console](/enterprise/{{ currentVersion }}/user/rest/reference/enterprise-admin#enable-or-disable-maintenance-mode)."
### Enabling or disabling maintenance mode for all nodes in a cluster
With the `ghe-cluster-maintenance` utility, you can set or unset maintenance mode for every node in a cluster.
```shell
$ ghe-cluster-maintenance -h
# Shows options
$ ghe-cluster-maintenance -q
# Queries the current mode
$ ghe-cluster-maintenance -s
# Sets maintenance mode
$ ghe-cluster-maintenance -u
# Unsets maintenance mode
```
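Review bot: The page has no steps for turning maintenance mode off on a single instance, even though `redirect_from` sends `/enterprise/admin/articles/disabling-maintenance-mode/` here; the only exit shown is `ghe-cluster-maintenance -u` for clusters. Add a short section on disabling it from the Management Console. In "About maintenance mode", "Git fetch, clone, and push operations are also rejected" repeats the preceding sentence, which already says all Git access is refused. The API link uses the `/enterprise/{{ currentVersion }}/user/rest/reference/...` form, where other pages in this commit use version-free paths such as `/admin/configuration/...`.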


@@ -0,0 +1,35 @@
---
title: Enabling private mode
intro: 'In private mode, {% data variables.product.prodname_ghe_server %} requires every user to sign in to access the installation.'
redirect_from:
- /enterprise/admin/articles/private-mode/
- /enterprise/admin/guides/installation/security/
- /enterprise/admin/guides/installation/securing-your-instance/
- /enterprise/admin/installation/enabling-private-mode
- /enterprise/admin/configuration/enabling-private-mode
- /admin/configuration/enabling-private-mode
versions:
enterprise-server: '*'
type: how_to
topics:
- Access management
- Authentication
- Enterprise
- Fundamentals
- Infrastructure
- Networking
- Privacy
- Security
---
You must enable private mode if {% data variables.product.product_location %} is publicly accessible over the Internet. In private mode, users cannot anonymously clone repositories over `git://`. If built-in authentication is also enabled, an administrator must invite new users to create an account on the instance. For more information, see "[Using built-in authentication](/enterprise/{{ currentVersion }}/admin/guides/user-management/using-built-in-authentication)."
{% data reusables.enterprise_installation.image-urls-viewable-warning %}
With private mode enabled, you can allow unauthenticated Git operations (and anyone with network access to {% data variables.product.product_location %}) to read a public repository's code on your instance with anonymous Git read access enabled. For more information, see "[Allowing admins to enable anonymous Git read access to public repositories](/enterprise/{{ currentVersion }}/admin/guides/user-management/allowing-admins-to-enable-anonymous-git-read-access-to-public-repositories)."
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.privacy %}
4. Select **Private mode**.
![Checkbox for enabling private mode](/assets/images/enterprise/management-console/private-mode-checkbox.png)
{% data reusables.enterprise_management_console.save-settings %}
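Review bot: The paragraph beginning "With private mode enabled, you can allow unauthenticated Git operations (and anyone with network access to ...)" is hard to parse and buries a security trade-off: it describes an option that lets unauthenticated clients read public repository code on an instance that is otherwise in private mode. Reword it so the subject is clear, for example "Even with private mode enabled, you can turn on anonymous Git read access so that anyone with network access to the instance can read a public repository's code", and state the default for that option so admins know whether they are exposed without acting.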


@@ -0,0 +1,37 @@
---
title: Configuring your enterprise
intro: 'After {% data variables.product.product_name %} is up and running, you can configure your enterprise to suit your organization''s needs.'
redirect_from:
- /enterprise/admin/guides/installation/basic-configuration/
- /enterprise/admin/guides/installation/administrative-tools/
- /enterprise/admin/articles/restricting-ssh-access-to-specific-hosts/
- /enterprise/admin/guides/installation/configuring-the-github-enterprise-appliance/
- /enterprise/admin/installation/configuring-the-github-enterprise-server-appliance
- /enterprise/admin/configuration/configuring-your-enterprise
versions:
enterprise-server: '*'
github-ae: '*'
topics:
- Enterprise
children:
- /about-enterprise-configuration
- /initializing-github-ae
- /accessing-the-management-console
- /accessing-the-administrative-shell-ssh
- /configuring-data-encryption-for-your-enterprise
- /enabling-and-scheduling-maintenance-mode
- /configuring-backups-on-your-appliance
- /site-admin-dashboard
- /enabling-private-mode
- /managing-github-for-mobile-for-your-enterprise
- /configuring-email-for-notifications
- /verifying-or-approving-a-domain-for-your-enterprise
- /configuring-rate-limits
- /configuring-applications
- /troubleshooting-ssl-errors
- /configuring-time-synchronization
- /command-line-utilities
- /restricting-network-traffic-to-your-enterprise
- /configuring-github-pages-for-your-enterprise
---


@@ -0,0 +1,123 @@
---
title: Initializing GitHub AE
intro: 'To get your enterprise ready to use, you can complete the initial configuration of {% data variables.product.product_name %}.'
versions:
github-ae: '*'
type: how_to
topics:
- Enterprise
redirect_from:
- /admin/configuration/initializing-github-ae
---
### About initialization
Before you can initialize your enterprise, you must purchase {% data variables.product.product_name %}. For more information, contact {% data variables.contact.contact_enterprise_sales %}.
After you purchase {% data variables.product.product_name %}, we'll ask you to provide an email address and username for the person you want to initialize the enterprise. Your dedicated technical account manager in {% data variables.contact.enterprise_support %} will create an account for the enterprise owner and send the enterprise owner an email to log into {% data variables.product.product_name %} and complete the initialization. Make sure the information you provide matches the intended enterprise owner's information in the IdP. For more information about enterprise owners, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/roles-in-an-enterprise#enterprise-owner)."
During initialization, the enterprise owner will name your enterprise, configure SAML SSO, create policies for all organizations in your enterprise, and configure a support contact for your users.
### Prerequisites
{% note %}
**Note**: Before you begin initialization, store the initial username and password for {% data variables.product.prodname_ghe_managed %} securely in a password manager. {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}
{% endnote %}
1. To initialize {% data variables.product.product_location %}, you must have a SAML identity provider (IdP). {% data reusables.saml.ae-uses-saml-sso %} To connect your IdP to your enterprise during initialization, you should have your IdP's Entity ID (SSO) URL, Issuer ID URL, and public signing certificate (Base64-encoded). For more information, see "[About identity and access management for your enterprise](/admin/authentication/about-identity-and-access-management-for-your-enterprise)."
{% note %}
**Note**: {% data reusables.saml.create-a-machine-user %}
{% endnote %}
2. {% data reusables.saml.assert-the-administrator-attribute %}
### Signing in and naming your enterprise
1. Follow the instructions in your welcome email to reach your enterprise.
2. Type your credentials under "Change password", then click **Change password**.
3. Under "What would you like your enterprise account to be named?", type the enterprise's name, then click **Save and continue**.
!["Save and continue" button for naming an enterprise](/assets/images/enterprise/configuration/ae-enterprise-configuration.png)
### Connecting your IdP to your enterprise
To configure authentication for {% data variables.product.product_name %}, you must provide {% data variables.product.product_name %} with the details for your SAML IdP. {% data variables.product.company_short %} recommends using Azure AD as your IdP. For more information, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
1. To the right of "Set up your identity provider", click **Configure**.
!["Configure" button for IdP configuration](/assets/images/enterprise/configuration/ae-idp-configure.png)
1. Under "Sign on URL", copy and paste the URL for your SAML IdP.
![Text field for SAML IdP's sign-on URL](/assets/images/enterprise/configuration/ae-idp-sign-on-url.png)
1. Under "Issuer", copy and paste the issuer URL for your SAML IdP.
![Text field for SAML IdP's issuer URL](/assets/images/enterprise/configuration/ae-idp-issuer-url.png)
1. Under "Public certificate", copy and paste the public certificate for your SAML IdP.
![Text field for SAML IdP's public certificate](/assets/images/enterprise/configuration/ae-idp-public-certificate.png)
1. Click **Test SAML configuration** to ensure that the information you've entered is correct.
!["Test SAML configuration" button](/assets/images/enterprise/configuration/ae-test-saml-configuration.png)
1. Click **Save**.
!["Save" button for IdP configuration](/assets/images/enterprise/configuration/ae-save.png)
### Setting your enterprise policies
Configuring policies will set limitations for repository and organization management for your enterprise. These can be reconfigured after the initialization process.
1. To the right of "Set your enterprise policies", click **Configure**.
!["Configure" button for policies configuration](/assets/images/enterprise/configuration/ae-policies-configure.png)
2. Under "Default Repository Permissions", use the drop-down menu and click a default permissions level for repositories in your enterprise. If a person has multiple avenues of access to an organization, either individually, through a team, or as an organization member, the highest permission level overrides any lower permission levels. Optionally, to allow organizations within your enterprise to set their default repository permissions, click **No policy**
![Drop-down menu for default repository permissions options](/assets/images/enterprise/configuration/ae-repository-permissions-menu.png)
3. Under "Repository creation", choose whether you want to allow members to create repositories. Optionally, to allow organizations within your enterprise to set permissions, click **No policy**.
!["Members can create repositories" button for enterprise policies configuration](/assets/images/enterprise/configuration/ae-repository-creation-permissions.png)
4. Under "Repository forking", choose whether to allow forking of private and internal repositories. Optionally, to allow organizations within your enterprise to set permissions, click **No policy**
![Drop-down menu for repository forking permissions options](/assets/images/enterprise/configuration/ae-repository-forking-menu.png)
5. Under "Repository invitations", choose whether members or organization owners can invite collaborators to repositories. Optionally, to allow organizations within your enterprise to set permissions, click **No policy**
![Drop-down menu for repository invitation permissions options](/assets/images/enterprise/configuration/ae-repository-invitations-menu.png)
6. Under "Default repository visibility", use the drop-down menu and click the default visibility setting for new repositories.
![Drop-down menu for default repository visibility options](/assets/images/enterprise/configuration/ae-repository-visibility-menu.png)
7. Under "Users can create organizations", use the drop-down menu to enable or disable organization creation access for members of the enterprise.
![Drop-down menu for organization creation permissions options](/assets/images/enterprise/configuration/ae-organization-creation-permissions-menu.png)
8. Under "Force pushes", use the drop-down menu and choose whether to allow or block force pushes.
![Drop-down menu for force pushes configuration options](/assets/images/enterprise/configuration/ae-force-pushes-configuration-menu.png)
9. Under "Git SSH access", use the drop-down menu and choose whether to enable Git SSH access for all repositories in the enterprise.
![Drop-down menu for Git SSH access options](/assets/images/enterprise/configuration/ae-git-ssh-access-menu.png)
10. Click **Save**
!["Save" button for enterprise policies configuration](/assets/images/enterprise/configuration/ae-save.png)
11. Optionally, to reset all selections, click "Reset to default policies".
![Link to reset all default policies](/assets/images/enterprise/configuration/ae-reset-default-options.png)
### Setting your internal support contact
You can configure the method your users will use to contact your internal support team. This can be reconfigured after the initialization process.
1. To the right of "Internal support contact", click **Configure**.
!["Configure" button for internal support contact configuration](/assets/images/enterprise/configuration/ae-support-configure.png)
2. Under "Internal support contact", select the method for users of your enterprise to contact support, through a URL or an e-mail address. Then, type the support contact information.
![Text field for internal support contact URL](/assets/images/enterprise/configuration/ae-support-link-url.png)
3. Click **Save**.
!["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)
### Setting your email settings
Once this is initialized, you can reconfigure any settings after the initialization process. For more information, see "[Configuring email for notifications](/admin/configuration/configuring-email-for-notifications)."
1. To the right of "Configure email settings", click **Configure**.
!["Configure" button for email settings configuration](/assets/images/enterprise/configuration/ae-email-configure.png)
2. Select **Enable email**. This will enable both outbound and inbound email, however, for inbound email to work you will also need to configure your DNS settings. For more information, see "[Configuring DNS and firewall
settings to allow incoming emails](/admin/configuration/configuring-email-for-notifications#configuring-dns-and-firewall-settings-to-allow-incoming-emails)."
!["Enable" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-enable-email-configure.png)
3. Complete your email server settings:
- In the **Server address** field, type the address of your SMTP server.
- In the **Port** field, type the port that your SMTP server uses to send email.
- In the **Domain** field, type the domain name that your SMTP server will send with a HELO response, if any.
- In the **Authentication** dropdown, choose the type of encryption used by your SMTP server.
- In the **No-reply email address** field, type the email address to use in the From and To fields for all notification emails.
4. If you want to discard all incoming emails that are addressed to the no-reply email address, select **Discard email addressed to the no-reply email address**.
!["Discard" checkbox for email settings configuration](/assets/images/enterprise/configuration/ae-discard-email.png)
5. Click **Test email settings**.
!["Test email settings" button for email settings configuration](/assets/images/enterprise/configuration/ae-test-email.png)
6. Under "Send test email to," type the email address where you want to send a test email, then click **Send test email**.
!["Send test email" button for email settings configuration](/assets/images/enterprise/configuration/ae-send-test-email.png)
7. Click **Save**.
!["Save" button for enterprise support contact configuration](/assets/images/enterprise/configuration/ae-save.png)
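Review bot: In step 3 of "Setting your email settings", "In the **Authentication** dropdown, choose the type of encryption used by your SMTP server" conflates authentication with transport encryption; say what the dropdown actually selects, and if the form has no separate encryption setting, say so explicitly. In step 2 the link text "[Configuring DNS and firewall settings to allow incoming emails]" is split across two lines, unlike every other link in the file. The final screenshot's alt text still reads "enterprise support contact configuration", copied from the previous section. The opening sentence "Once this is initialized, you can reconfigure any settings after the initialization process" says the same thing twice.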


@@ -0,0 +1,33 @@
---
title: Managing GitHub for mobile for your enterprise
intro: 'You can decide whether authenticated users can connect to {% data variables.product.product_location %} with {% data variables.product.prodname_mobile %}.'
permissions: 'Enterprise owners can manage {% data variables.product.prodname_mobile %} for an enterprise on {% data variables.product.product_name %}.'
versions:
enterprise-server: '>=3.0'
type: how_to
topics:
- Enterprise
- Mobile
redirect_from:
- /admin/configuration/managing-github-for-mobile-for-your-enterprise
---
{% if enterpriseServerVersions contains currentVersion %}
{% data reusables.mobile.ghes-release-phase %}
{% endif %}
### About {% data variables.product.prodname_mobile %}
{% data reusables.mobile.about-mobile %} For more information, see "[GitHub for mobile](/github/getting-started-with-github/github-for-mobile)."
Members of your enterprise can use {% data variables.product.prodname_mobile %} to triage, collaborate, and manage work on {% data variables.product.product_location %} from a mobile device. By default, {% data variables.product.prodname_mobile %} is enabled for {% data variables.product.product_location %}. You can allow or disallow enterprise members from using {% data variables.product.prodname_mobile %} to authenticate to {% data variables.product.product_location %} and access your enterprise's data.
### Enabling or disabling {% data variables.product.prodname_mobile %}
{% data reusables.enterprise_site_admin_settings.access-settings %}
{% data reusables.enterprise_site_admin_settings.management-console %}
{% data reusables.enterprise_management_console.type-management-console-password %}
1. In the left sidebar, click **Mobile**.
!["Mobile" in the left sidebar for the {% data variables.product.prodname_ghe_server %} management console](/assets/images/enterprise/management-console/click-mobile.png)
1. Under "GitHub for mobile", select or deselect **Enable GitHub Mobile Apps**.
![Checkbox for "Enable GitHub Mobile Apps" in the {% data variables.product.prodname_ghe_server %} management console](/assets/images/enterprise/management-console/select-enable-github-mobile-apps.png)
{% data reusables.enterprise_management_console.save-settings %}
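
Review bot: The "Enabling or disabling" steps do not say what deselecting **Enable GitHub Mobile Apps** does to devices that are already signed in, even though the "About" paragraph states the app is enabled by default and can access the enterprise's data. Add a sentence saying whether existing mobile sessions are cut off or only new sign-ins are blocked, so an admin disabling it in response to a lost device knows what to expect. Minor: `versions` lists only `enterprise-server`, so the `{% if enterpriseServerVersions contains currentVersion %}` wrapper around the release-phase reusable looks redundant.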

View File

@@ -0,0 +1,68 @@
---
title: Restricting network traffic to your enterprise
shortTitle: Restricting network traffic
intro: You can use an IP allow list to restrict access to your enterprise to connections from specified IP addresses.
versions:
github-ae: '*'
type: how_to
topics:
- Access management
- Enterprise
- Fundamentals
- Networking
- Security
redirect_from:
- /admin/configuration/restricting-network-traffic-to-your-enterprise
---
### About IP allow lists
By default, authorized users can access your enterprise from any IP address. Enterprise owners can restrict access to assets owned by organizations in an enterprise account by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %}
{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %}
{% data reusables.identity-and-permissions.ip-allow-lists-enable %}
You can also configure allowed IP addresses for an individual organization. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)."
By default, Azure network security group (NSG) rules leave all inbound traffic open on ports 22, 80, 443, and 25. Enterprise owners can contact {% data variables.contact.github_support %} to configure access restrictions for your instance.
For instance-level restrictions using Azure NSGs, contact {% data variables.contact.github_support %} with the IP addresses that should be allowed to access your enterprise instance. Specify address ranges using the standard CIDR (Classless Inter-Domain Routing) format. {% data variables.contact.github_support %} will configure the appropriate firewall rules for your enterprise to restrict network access over HTTP, SSH, HTTPS, and SMTP. For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)."
### Adding an allowed IP address
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.identity-and-permissions.ip-allow-lists-add-ip %}
{% data reusables.identity-and-permissions.ip-allow-lists-add-description %}
{% data reusables.identity-and-permissions.ip-allow-lists-add-entry %}
### Enabling allowed IP addresses
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "IP allow list", select **Enable IP allow list**.
![Checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allowlist-enterprise-checkbox.png)
4. Click **Save**.
### Editing an allowed IP address
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.identity-and-permissions.ip-allow-lists-edit-entry %}
{% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %}
{% data reusables.identity-and-permissions.ip-allow-lists-edit-description %}
8. Click **Update**.
### Deleting an allowed IP address
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.identity-and-permissions.ip-allow-lists-delete-entry %}
{% data reusables.identity-and-permissions.ip-allow-lists-confirm-deletion %}
### Using {% data variables.product.prodname_actions %} with an IP allow list
{% data reusables.github-actions.ip-allow-list-hosted-runners %}
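
Review bot: The hard-coded step numbers `4. Click **Save**` (directly after a literal `1.`) and `8. Click **Update**` depend on how many steps the preceding reusables render, so these lists will misnumber when a reusable changes; use `1.` for every literal step. In "About IP allow lists", the two Azure NSG paragraphs both tell the reader to contact support and can be merged into one. Nothing visible in this file tells the reader to add their own address under "Adding an allowed IP address" before following "Enabling allowed IP addresses"; if the `ip-allow-lists-enable` reusable does not already say so, it is worth stating here.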

View File

@@ -0,0 +1,209 @@
---
title: Site admin dashboard
intro: '{% data reusables.enterprise_site_admin_settings.about-the-site-admin-dashboard %}'
redirect_from:
- /enterprise/admin/articles/site-admin-dashboard/
- /enterprise/admin/installation/site-admin-dashboard
- /enterprise/admin/configuration/site-admin-dashboard
- /admin/configuration/site-admin-dashboard
versions:
enterprise-server: '*'
type: reference
topics:
- Enterprise
- Fundamentals
---
To access the dashboard, in the upper-right corner of any page, click {% octicon "rocket" aria-label="The rocket ship" %}.
![Rocket ship icon for accessing site admin settings](/assets/images/enterprise/site-admin-settings/access-new-settings.png)
{% if currentVersion ver_gt "enterprise-server@2.21" %}
### Search
Refer to this section of the site admin dashboard to search for users and repositories, and to query the [audit log](#audit-log).
{% else %}
### License info & search
Refer to this section of the site admin dashboard to check your current {% data variables.product.prodname_enterprise %} license; to search for users and repositories; and to query the [audit log](#audit-log).
{% endif %}
### {% data variables.enterprise.management_console %}
Here you can launch the {% data variables.enterprise.management_console %} to manage virtual appliance settings such as the domain, authentication, and SSL.
### Explore
Data for GitHub's [trending page][] is calculated into daily, weekly, and monthly time spans for both repositories and developers. You can see when this data was last cached and queue up new trending calculation jobs from the **Explore** section.
[trending page]: https://github.com/blog/1585-explore-what-is-trending-on-github
### Audit log
{% data variables.product.prodname_enterprise %} keeps a running log of audited actions that you can query.
By default, the audit log shows you a list of all audited actions in reverse chronological order. You can filter this list by entering key-value pairs in the **Query** text box and then clicking **Search**, as explained in "[Searching the audit log](/enterprise/{{ currentVersion }}/admin/guides/installation/searching-the-audit-log)."
For more information on audit logging in general, see "[Audit logging](/enterprise/{{ currentVersion }}/admin/guides/installation/audit-logging)." For a full list of audited actions, see "[Audited actions](/enterprise/{{ currentVersion }}/admin/guides/installation/audited-actions)."
### Reports
If you need to get information on the users, organizations, and repositories in {% data variables.product.product_location %}, you would ordinarily fetch JSON data through the [GitHub API](/rest). Unfortunately, the API may not provide all of the data that you want and it requires a bit of technical expertise to use. The site admin dashboard offers a **Reports** section as an alternative, making it easy for you to download CSV reports with most of the information that you are likely to need for users, organizations, and repositories.
Specifically, you can download CSV reports that list
- all users
- all users who have been active within the last month
- all users who have been inactive for one month or more
- all users who have been suspended
- all organizations
- all repositories
You can also access these reports programmatically via standard HTTP authentication with a site admin account. You must use a personal access token with the `site_admin` scope. For more information, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)."
For example, here is how you would download the "all users" report using cURL:
```shell
curl -L -u <em>username</em>:<em>token</em> http(s)://<em>hostname</em>/stafftools/reports/all_users.csv
```
To access the other reports programmatically, replace `all_users` with `active_users`, `dormant_users`, `suspended_users`, `all_organizations`, or `all_repositories`.
{% note %}
**Note:** The initial `curl` request will return a 202 HTTP response if there are no cached reports available; a report will be generated in the background. You can send a second request to download the report. You can use a password or an OAuth token with the `site_admin` scope in place of a password.
{% endnote %}
#### User reports
Key | Description
-----------------:| ------------------------------------------------------------
`created_at` | When the user account was created (as an ISO 8601 timestamp)
`id` | Account ID for the user or organization
`login` | Account's login name
`email` | Account's primary email address
`role` | Whether the account is an admin or an ordinary user
`suspended?` | Whether the account has been suspended
`last_logged_ip` | Most recent IP address to log into the account
`repos` | Number of repositories owned by the account
`ssh_keys` | Number of SSH keys registered to the account
`org_memberships` | Number of organizations to which the account belongs
`dormant?` | Whether the account is dormant
`last_active` | When the account was last active (as an ISO 8601 timestamp)
`raw_login` | Raw login information (in JSON format)
`2fa_enabled?` | Whether the user has enabled two-factor authentication
#### Organization reports
Key | Description
--------------:| ------------------------------------
`id` | Organization ID
`created_at` | When the organization was created
`login` | Organization's login name
`email` | Organization's primary email address
`owners` | Number of organization owners
`members` | Number of organization members
`teams` | Number of organization teams
`repos` | Number of organization repositories
`2fa_required?`| Whether the organization requires two-factor authentication
#### Repository reports
Key | Description
---------------:| ------------------------------------------------------------
`created_at` | When the repository was created
`owner_id` | ID of the repository's owner
`owner_type` | Whether the repository is owned by a user or an organization
`owner_name` | Name of the repository's owner
`id` | Repository ID
`name` | Repository name
`visibility` | Whether the repository is public or private
`readable_size` | Repository's size in a human-readable format
`raw_size` | Repository's size as a number
`collaborators` | Number of repository collaborators
`fork?` | Whether the repository is a fork
`deleted?` | Whether the repository has been deleted
### Indexing
GitHub's [code search][] features are powered by [ElasticSearch][]. This section of the site admin dashboard shows you the current status of your ElasticSearch cluster and provides you with several tools to control the behavior of searching and indexing. These tools are split into the following three categories.
[Code Search]: https://github.com/blog/1381-a-whole-new-code-search
[ElasticSearch]: http://www.elasticsearch.org/
#### Code search
This allows you to enable or disable both search and index operations on source code.
#### Code search index repair
This controls how the code search index is repaired. You can
- enable or disable index repair jobs
- start a new index repair job
- reset all index repair state
{% data variables.product.prodname_enterprise %} uses repair jobs to reconcile the state of the search index with data stored in a database (issues, pull requests, repositories, and users) and data stored in Git repositories (source code). This happens when
- a new search index is created;
- missing data needs to be backfilled; or
- old search data needs to be updated.
In other words, repair jobs are started as needed and run in the background—they are not scheduled by site admins in any way.
Furthermore, repair jobs use a "repair offset" for parallelization. This is an offset into the database table for the record being reconciled. Multiple background jobs can synchronize work based on this offset.
A progress bar shows the current status of a repair job across all of its background workers. It is the percentage difference of the repair offset with the highest record ID in the database. Don't worry about the value shown in the progress bar after a repair job has completed: because it shows the difference between the repair offset and the highest record ID in the database, it will decrease as more repositories are added to {% data variables.product.product_location %} even though those repositories are actually indexed.
You can start a new code-search index repair job at any time. It will use a single CPU as it reconciles the search index with database and Git repository data. To minimize the effects this will have on I/O performance and reduce the chances of operations timing out, try to run a repair job during off-peak hours first. Monitor your system's load averages and CPU usage with a utility like `top`; if you don't notice any significant changes, it should be safe to run an index repair job during peak hours, as well.
#### Issues index repair
This controls how the [Issues][] index is repaired. You can
[Issues]: https://github.com/blog/831-issues-2-0-the-next-generation
- enable or disable index repair jobs
- start a new index repair job
- reset all index repair state
{% if currentVersion ver_gt "enterprise-server@2.21" %}
### Enterprise overview
Refer to this section of the site admin dashboard to manage organizations, people, policies, and settings.
{% endif %}
### Repositories
This is a list of the repositories on {% data variables.product.product_location %}. You can click on a repository name and access functions for administering the repository.
- [Blocking force pushes to a repository](/enterprise/{{ currentVersion }}/admin/guides/developer-workflow/blocking-force-pushes-to-a-repository/)
- [Configuring {% data variables.large_files.product_name_long %}](/enterprise/{{ currentVersion }}/admin/guides/installation/configuring-git-large-file-storage/#configuring-git-large-file-storage-for-an-individual-repository)
- [Archiving and unarchiving repositories](/enterprise/{{ currentVersion }}/admin/guides/user-management/archiving-and-unarchiving-repositories/)
### All users
Here you can see all of the users on {% data variables.product.product_location %}—, and [initiate an SSH key audit](/enterprise/{{ currentVersion }}/admin/guides/user-management/auditing-ssh-keys).
### Site admins
Here you can see all of the administrators on {% data variables.product.product_location %}, and [initiate an SSH key audit](/enterprise/{{ currentVersion }}/admin/guides/user-management/auditing-ssh-keys).
### Dormant users
Here you can see and [suspend](/enterprise/{{ currentVersion }}/admin/guides/user-management/suspending-and-unsuspending-users) all of the inactive users on {% data variables.product.product_location %}. A user account is considered to be inactive ("dormant") when it:
- Has existed for longer than the dormancy threshold that's set for {% data variables.product.product_location %}.
- Has not generated any activity within that time period.
- Is not a site administrator.
{% data reusables.enterprise_site_admin_settings.dormancy-threshold %} For more information, see "[Managing dormant users](/enterprise/{{ currentVersion }}/admin/guides/user-management/managing-dormant-users/#configuring-the-dormancy-threshold)."
### Suspended users
Here you can see all of the users who have been suspended on {% data variables.product.product_location %}, and [initiate an SSH key audit](/enterprise/{{ currentVersion }}/admin/guides/user-management/auditing-ssh-keys).
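
Review bot: In "Reports", the paragraph before the cURL example says "You must use a personal access token with the `site_admin` scope", while the note after it says "You can use a password or an OAuth token with the `site_admin` scope in place of a password". The two statements conflict and the note's sentence is circular, so pick one credential requirement and state it once. In the same example, the `<em>` tags sit inside a fenced `shell` block; confirm they render as emphasis rather than literally, or switch to plain placeholders such as `USERNAME:TOKEN`. Under "All users", the "—, and" is leftover punctuation from a removed clause.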

View File

@@ -0,0 +1,80 @@
---
title: Troubleshooting SSL errors
intro: 'If you run into SSL issues with your appliance, you can take actions to resolve them.'
redirect_from:
- /enterprise/admin/articles/troubleshooting-ssl-errors/
- /enterprise/admin/categories/dns-ssl-and-subdomain-configuration/
- /enterprise/admin/installation/troubleshooting-ssl-errors
- /enterprise/admin/configuration/troubleshooting-ssl-errors
- /admin/configuration/troubleshooting-ssl-errors
versions:
enterprise-server: '*'
type: how_to
topics:
- Enterprise
- Errors
- Infrastructure
- Networking
- Security
- Troubleshooting
---
### Removing the passphrase from your key file
If you have a Linux machine with OpenSSL installed, you can remove your passphrase.
1. Rename your original key file.
```shell
$ mv yourdomain.key yourdomain.key.orig
```
2. Generate a new key without a passphrase.
```shell
$ openssl rsa -in yourdomain.key.orig -out yourdomain.key
```
You'll be prompted for the key's passphrase when you run this command.
For more information about OpenSSL, see [OpenSSL's documentation](https://www.openssl.org/docs/).
### Converting your SSL certificate or key into PEM format
If you have OpenSSL installed, you can convert your key into PEM format by using the `openssl` command. For example, you can convert a key from DER format into PEM format.
```shell
$ openssl rsa -in yourdomain.der -inform DER -out yourdomain.key -outform PEM
```
Otherwise, you can use the SSL Converter tool to convert your certificate into the PEM format. For more information, see the [SSL Converter tool's documentation](https://www.sslshopper.com/ssl-converter.html).
### Unresponsive installation after uploading a key
If {% data variables.product.product_location %} is unresponsive after uploading an SSL key, please [contact {% data variables.product.prodname_enterprise %} Support](https://enterprise.github.com/support) with specific details, including a copy of your SSL certificate.
### Certificate validity errors
Clients such as web browsers and command-line Git will display an error message if they cannot verify the validity of an SSL certificate. This often occurs with self-signed certificates as well as "chained root" certificates issued from an intermediate root certificate that is not recognized by the client.
If you are using a certificate signed by a certificate authority (CA), the certificate file that you upload to {% data variables.product.prodname_ghe_server %} must include a certificate chain with that CA's root certificate. To create such a file, concatenate your entire certificate chain (or "certificate bundle") onto the end of your certificate, ensuring that the principal certificate with your hostname comes first. On most systems you can do this with a command similar to:
```shell
$ cat yourdomain.com.crt bundle-certificates.crt > yourdomain.combined.crt
```
You should be able to download a certificate bundle (for example, `bundle-certificates.crt`) from your certificate authority or SSL vendor.
### Installing self-signed or untrusted certificate authority (CA) root certificates
If your {% data variables.product.prodname_ghe_server %} appliance interacts with other machines on your network that use a self-signed or untrusted certificate, you will need to import the signing CA's root certificate into the system-wide certificate store in order to access those systems over HTTPS.
1. Obtain the CA's root certificate from your local certificate authority and ensure it is in PEM format.
2. Copy the file to your {% data variables.product.prodname_ghe_server %} appliance over SSH as the "admin" user on port 122.
```shell
$ scp -P 122 rootCA.crt admin@HOSTNAME:/home/admin
```
3. Connect to the {% data variables.product.prodname_ghe_server %} administrative shell over SSH as the "admin" user on port 122.
```shell
$ ssh -p 122 admin@HOSTNAME
```
4. Import the certificate into the system-wide certificate store.
```shell
$ ghe-ssl-ca-certificate-install -c rootCA.crt
```

View File

@@ -0,0 +1,35 @@
---
title: Verifying or approving a domain for your enterprise
intro: 'You can verify your ownership of domains with {% data variables.product.company_short %} to confirm the identity of organizations owned by your enterprise account. You can also approve domains where organization members can receive email notifications.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
versions:
enterprise-server: '>=3.2'
permissions: Enterprise owners can verify or approve a domain for an enterprise account.
type: how_to
topics:
- Enterprise
- Notifications
- Organizations
- Policy
redirect_from:
- /admin/configuration/verifying-or-approving-a-domain-for-your-enterprise
---
### About verification of domains
{% data reusables.enterprise-accounts.domains-about-verification %}
### About approval of domains
{% data reusables.enterprise-accounts.domains-about-approval %}
### Verifying a domain for your enterprise account
{% data reusables.enterprise-accounts.domains-verifying %}
### Approving a domain for your enterprise account
{% data reusables.enterprise-accounts.domains-approving %}
### Removing an approved or verified domain
{% data reusables.enterprise-accounts.domains-removing %}