Skip to content
Go to file

Latest commit

Igor Drozdov
Release v13.5.0

See merge request gitlab-org/gitlab-shell!404

Git stats


Failed to load latest commit information.

GitLab Shell

GitLab Shell handles git SSH sessions for GitLab

GitLab Shell handles git SSH sessions for GitLab and modifies the list of authorized keys. GitLab Shell is not a Unix shell nor a replacement for Bash or Zsh.

When you access the GitLab server over SSH then GitLab Shell will:

  1. Limits you to predefined git commands (git push, git pull).
  2. Call the GitLab Rails API to check if you are authorized, and what Gitaly server your repository is on
  3. Copy data back and forth between the SSH client and the Gitaly server

If you access a GitLab server over HTTP(S) you end up in gitlab-workhorse.

An overview of the four cases described above:

  1. git pull over SSH -> gitlab-shell -> API call to gitlab-rails (Authorization) -> accept or decline -> establish Gitaly session
  2. git push over SSH -> gitlab-shell (git command is not executed yet) -> establish Gitaly session -> (in Gitaly) gitlab-shell pre-receive hook -> API call to gitlab-rails (authorization) -> accept or decline push

Git hooks

The gitlab-shell repository used to also contain the Git hooks that allow GitLab to validate Git pushes (e.g. "is this user allowed to push to this protected branch"). These hooks also trigger events in GitLab (e.g. to start a CI pipeline after a push).

We are in the process of moving these hooks to Gitaly, because Git hooks require direct disk access to Git repositories, and that is only possible on Gitaly servers. It makes no sense to have to install gitlab-shell on Gitaly servers.

As of GitLab 11.10 the actual Git hooks are in the Gitaly repository, but gitlab-shell must still be installed on Gitaly servers because the hooks rely on configuration data (e.g. the GitLab internal API URL) that is not yet available in Gitaly itself. Also see the transition plan.

Code status

pipeline status coverage report Code Climate


GitLab Shell is written in Go, and needs a Go compiler to build. It still requires Ruby to build and test, but not to run.

Download and install the current version of Go from


make setup


Checks if GitLab API access and redis via internal API can be reached:

make check


Run tests:

bundle install
make test

Run gofmt and rubocop:

bundle install
make verify

Run both test and verify (the default Makefile target):

bundle install
make validate

Git LFS remark

Starting with GitLab 8.12, GitLab supports Git LFS authentication through SSH.

Releasing a new version

GitLab Shell is versioned by git tags, and the version used by the Rails application is stored in GITLAB_SHELL_VERSION.

For each version, there is a raw version and a tag version:

  • The raw version is the version number. For instance, 15.2.8.
  • The tag version is the raw version prefixed with v. For instance, v15.2.8.

To release a new version of GitLab Shell and have that version available to the Rails application:

  1. Create a merge request to update the CHANGELOG with the tag version and the VERSION file with the raw version.
  2. Ask a maintainer to review and merge the merge request. If you're already a maintainer, second maintainer review is not required.
  3. Add a new git tag with the tag version.
  4. Update GITLAB_SHELL_VERSION in the Rails application to the raw version. (Note: this can be done as a separate MR to that, or in and MR that will make use of the latest GitLab Shell changes.)





You can’t perform that action at this time.