A new self-managed GitLab installation comes with a “root user”, which is really just a GitLab user record that can be used to sign in with administrator privileges the first time.

Personally, I prefer to use the phrase “bootstrap user” for this rather than “root”.

How to Identify the Root User

We expect the “root user” to be either the user with ID 1 or with the email address “admin@example.com”.

The instructions for changing the root user password say:

user = User.where(id: 1).first

or

user = User.find_by(email: 'admin@example.com')

But it appears that the user could have a different email address, set by an environment variable (in which case the second query above would return nothing). In db/fixtures/production/002_admin.rb:

  email:    ENV['GITLAB_ROOT_EMAIL'].presence || 'admin@example.com',
  name:     'Administrator',
  username: 'root',

And in the instructions for installation from source:

You can set the Administrator/root password and e-mail by supplying them in environmental variables, GITLAB_ROOT_PASSWORD and GITLAB_ROOT_EMAIL respectively, as seen below. If you don’t set the password (and it is set to the default one), wait to expose GitLab to the public internet until the installation is done and you’ve logged into the server the first time. During the first login, you’ll be forced to change the default password.

So it appears that there is a bootstrap “root” user where:

  • The default username is “root” and email is “admin@example.com”
  • They can be overridden in the source installation using environment variables

The fixtures job also outputs the root user password.

Disposing of the Root User

It’s tempting to set up the “root user” with a simple, easy-to-remember password and the default username. That’s fine for bootstrapping the instance, but remember to clean up! Delete the “root user” once you’ve set up real user records for administrators and given them privileges. Then all the auditing functionality will work as expected. Alternatively, assign the “root user” a real person’s email, change the password, and add 2FA so it becomes a real person.
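The two points above (the lookup should not assume the default email, because GITLAB_ROOT_EMAIL can override it, and the bootstrap account should be cleaned up once real administrators exist) can be turned into a small check. The Ruby below is an added example, not GitLab’s code: it works on constructed in-memory hashes that stand in for User rows, so it runs outside a Rails console; on a real instance the equivalent queries are the User.where / User.find_by calls quoted earlier in gitlab-rails console. The field names (:username, :admin, :two_factor_enabled) and the helper names are assumptions made for the example.

```ruby
# Added example (not GitLab's code): locate the bootstrap "root" user by the
# signals described in the notes, then report why it still looks like a
# shared bootstrap account rather than a real administrator.

DEFAULT_ROOT_EMAIL = 'admin@example.com'

# Mirrors db/fixtures/production/002_admin.rb: the email comes from
# GITLAB_ROOT_EMAIL when that is set and non-blank, else the default.
def expected_root_email(env = ENV)
  value = env['GITLAB_ROOT_EMAIL']
  (value.nil? || value.strip.empty?) ? DEFAULT_ROOT_EMAIL : value
end

# Prefer id 1, then username 'root', then the (possibly overridden) email.
# Returns nil when no record matches any signal.
def find_bootstrap_user(users, env = ENV)
  email = expected_root_email(env)
  users.find { |u| u[:id] == 1 } ||
    users.find { |u| u[:username] == 'root' } ||
    users.find { |u| u[:email] == email }
end

# Reasons the bootstrap user has not yet been disposed of or turned into a
# real person: default identity left in place, no 2FA, or still an admin
# even though other administrator records now exist.
def bootstrap_hygiene_issues(user, users)
  return [] if user.nil?
  issues = []
  issues << 'default email still set' if user[:email] == DEFAULT_ROOT_EMAIL
  issues << "username is still 'root'" if user[:username] == 'root'
  issues << '2FA not enabled' unless user[:two_factor_enabled]
  other_admins = users.count { |u| u[:admin] && u[:id] != user[:id] }
  issues << 'still an admin although other admins exist' if user[:admin] && other_admins > 0
  issues
end

# Constructed sample rows (hypothetical users, not from any real instance).
SAMPLE_USERS = [
  { id: 1, username: 'root',  email: 'admin@example.com', admin: true, two_factor_enabled: false },
  { id: 2, username: 'alice', email: 'alice@corp.example', admin: true, two_factor_enabled: true },
].freeze

if __FILE__ == $PROGRAM_NAME
  root = find_bootstrap_user(SAMPLE_USERS, {})
  puts "bootstrap user: id=#{root[:id]} username=#{root[:username]} email=#{root[:email]}"
  bootstrap_hygiene_issues(root, SAMPLE_USERS).each { |issue| puts "  - #{issue}" }
end
```

Passing an explicit hash instead of ENV makes the override behaviour easy to exercise: with GITLAB_ROOT_EMAIL set and no user at id 1 or named root, only the email signal finds the account, which is exactly the case the email-only query from the password-change instructions would miss.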

Questions

  • Is there a way to override the values in the Omnibus installation?
  • Does signing in with “root” as the username work in a fresh Omnibus installation?
  • Is it best practice to delete this user?
  • Does this user have any special privileges besides being an Administrator?