- Enable Maintenance Mode
- Disable Maintenance Mode
- Behavior of GitLab features in Maintenance Mode
- An example use case: a planned failover
Introduced in GitLab Premium 13.9.
Maintenance Mode allows administrators to reduce write operations to a minimum while maintenance tasks are performed. The main goal is to block all external actions that change the internal state, including the PostgreSQL database, but especially files, Git repositories, Container repositories, etc.
Once Maintenance Mode is enabled, in-progress actions will finish relatively quickly since no new actions are coming in, and internal state changes will be minimal. In that state, various maintenance tasks are easier, and services can be stopped completely or be further degraded for a much shorter period of time than might otherwise be needed, for example stopping cron jobs and draining queues should be fairly quick.
Maintenance Mode allows most external actions that do not change internal state. On a high-level, HTTP POST, PUT, PATCH, and DELETE requests are blocked and a detailed overview of how special cases are handled is available.
There are three ways to enable Maintenance Mode as an administrator:
Go to Admin Area > Settings > General, expand Maintenance Mode, and toggle Enable Maintenance Mode. You can optionally add a message for the banner as well.
Click Save for the changes to take effect.
curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab-url>/api/v4/application/settings?maintenance_mode=true"
::Gitlab::CurrentSettings.update_attributes!(maintenance_mode: true) ::Gitlab::CurrentSettings.update_attributes!(maintenance_mode_message: "New message")
There are three ways to disable Maintenance Mode:
Go to Admin Area > Settings > General, expand Maintenance Mode, and toggle Enable Maintenance Mode.
Click Save for the changes to take effect.
curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab-url>/api/v4/application/settings?maintenance_mode=false"
When Maintenance Mode is enabled, a banner is displayed at the top of the page. The banner can be customized with a specific message.
An error is displayed when a user tries to perform a write operation that isn’t allowed.
Systems administrators can edit the application settings. This will allow them to disable Maintenance Mode after it’s been enabled.
All users can log in and out of the GitLab instance but no new users can be created.
All read-only Git operations will continue to work, for example
git clone and
git pull. All write operations will fail, both through the CLI and Web IDE with the error message:
Git push is not allowed because this GitLab instance is currently in (read-only) maintenance mode.
If Geo is enabled, Git pushes to both primary and secondaries will fail.
All write actions except those mentioned above will fail. For example, a user cannot update merge requests or issues.
Creating new issue replies, issues (including new Service Desk issues), merge requests by email will fail.
Notification emails will continue to arrive, but emails that require database writes, like resetting the password, will not arrive.
For most JSON requests, POST, PUT, PATCH, and DELETE are blocked, and the API returns a 403 response with the error message:
You cannot perform write operations on a read-only instance. Only the following requests are allowed:
|HTTP request||Allowed routes||Notes|
|POST||To allow updating application settings in the admin UI|
|PUT||To allow updating application settings with the API|
|POST||To allow users to log in.|
|POST||To allow users to log out.|
|POST||To allow users to log in to a Geo secondary for the first time.|
||To allow Admin mode for GitLab administrators|
|POST||Paths ending with ||Git revision routes.|
|POST||To allow Git pull/clone.|
|POST||internal API routes|
|POST||To allow management of background jobs in the admin UI|
|POST||To allow updating Geo Nodes in the admin UI|
|POST||To allow certain Geo-specific admin UI actions on secondary sites|
POST /api/graphql requests are allowed but mutations are blocked with the error message
You cannot perform write operations on a read-only instance.
- No new jobs or pipelines start, scheduled or otherwise.
- Jobs that were already running continue to have a
runningstatus in the GitLab UI, even if they finish running on the GitLab Runner.
- Jobs in the
runningstate for longer than the project’s time limit do not time out.
- Pipelines cannot be started, retried or canceled. No new jobs can be created either.
After Maintenance Mode is disabled, new jobs are picked up again. Jobs that were
running state before enabling Maintenance Mode resume and their logs start
runningpipelines after Maintenance Mode is turned off.
Deployments won’t go through because pipelines will be unfinished.
It is recommended to disable auto deploys during Maintenance Mode, and enable them once it is disabled.
Terraform integration depends on running CI pipelines, hence it will be blocked.
docker push will fail with this error:
denied: requested access to the resource is denied, but
docker pull will work.
Package Registry will allow you to install but not publish packages.
Background jobs (cron jobs, Sidekiq) will continue running as is, because background jobs are not automatically disabled.
During a planned Geo failover, it is recommended that you disable all cron jobs except for those related to Geo.
You can monitor queues and disable jobs in Admin Area > Monitoring > Background Jobs.
- Development feature flags cannot be turned on or off through the API, but can be toggled through the Rails console.
- The feature flag service will respond to feature flag checks but feature flags cannot be toggled
When primary is in Maintenance Mode, secondary will also automatically go into Maintenance Mode.
It is important that you do not disable replication before enabling Maintenance Mode.
Replication and verification will continue to work but proxied Git pushes to primary will not work.
Features that depend on creating issues or creating or approving Merge Requests, will not work.
Exporting a vulnerability list from a Vulnerability Report page will not work.
Changing the status on a finding or vulnerability object will not work, even though no error is shown in the UI.
SAST and Secret Detection cannot be initiated because they depend on passing CI jobs to create artifacts.
In the use case of a planned failover, a few writes in the primary database are acceptable, since they will be replicated quickly and are not significant in number.
For the same reason we don’t automatically block background jobs when Maintenance Mode is enabled.
The resulting database writes are acceptable. Here, the trade-off is between more service degradation and the completion of replication.
However, during a planned failover, we ask users to turn off cron jobs that are not related to Geo, manually. In the absence of new database writes and non-Geo cron jobs, new background jobs would either not be created at all or be minimal.