FS#54649 - [gitlab] Permission error when upgrading

Attached to Project: Community Packages
Opened by Tiago Peixoto (count0) - Friday, 30 June 2017, 16:40 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Tuesday, 04 July 2017, 15:00 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Sven-Hendrik Haase (Svenstaro)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Whenever the package is upgraded, the following error is seen when attempting to update the database:

~# su - gitlab -s /bin/sh -c "cd '/usr/share/webapps/gitlab'; bundle-2.3 exec rake db:migrate RAILS_ENV=production"
rake aborted!
Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/webapps/gitlab/.gitlab_workhorse_secret
/usr/share/webapps/gitlab/lib/gitlab/workhorse.rb:152:in `initialize'
/usr/share/webapps/gitlab/lib/gitlab/workhorse.rb:152:in `open'
/usr/share/webapps/gitlab/lib/gitlab/workhorse.rb:152:in `write_secret'
/usr/share/webapps/gitlab/config/initializers/gitlab_workhorse_secret.rb:4:in `rescue in <top (required)>'
/usr/share/webapps/gitlab/config/initializers/gitlab_workhorse_secret.rb:1:in `<top (required)>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `load'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `block in load'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:240:in `load_dependency'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `load'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:652:in `block in load_config_initializer'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/notifications.rb:166:in `instrument'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:651:in `load_config_initializer'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:616:in `block (2 levels) in <class:Engine>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:615:in `each'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:615:in `block in <class:Engine>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:30:in `instance_exec'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:30:in `run'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:55:in `block in run_initializers'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:44:in `each'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:44:in `tsort_each_child'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:54:in `run_initializers'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/application.rb:352:in `initialize!'
/usr/share/webapps/gitlab/config/environment.rb:5:in `<top (required)>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:274:in `require'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:274:in `block in require'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:240:in `load_dependency'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:274:in `require'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/application.rb:328:in `require_environment!'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/application.rb:457:in `block in run_tasks_blocks'
Errno::EACCES: Permission denied @ rb_sysopen - /usr/share/webapps/gitlab/.gitlab_workhorse_secret
/usr/share/webapps/gitlab/lib/gitlab/workhorse.rb:144:in `read'
/usr/share/webapps/gitlab/lib/gitlab/workhorse.rb:144:in `secret'
/usr/share/webapps/gitlab/config/initializers/gitlab_workhorse_secret.rb:2:in `<top (required)>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `load'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `block in load'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:240:in `load_dependency'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `load'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:652:in `block in load_config_initializer'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/notifications.rb:166:in `instrument'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:651:in `load_config_initializer'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:616:in `block (2 levels) in <class:Engine>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:615:in `each'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:615:in `block in <class:Engine>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:30:in `instance_exec'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:30:in `run'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:55:in `block in run_initializers'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:44:in `each'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:44:in `tsort_each_child'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/initializable.rb:54:in `run_initializers'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/application.rb:352:in `initialize!'
/usr/share/webapps/gitlab/config/environment.rb:5:in `<top (required)>'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:274:in `require'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:274:in `block in require'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:240:in `load_dependency'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:274:in `require'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/application.rb:328:in `require_environment!'
/usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/application.rb:457:in `block in run_tasks_blocks'
Tasks: TOP => db:migrate => environment
(See full trace by running task with --trace)

This is fixed by running

~# chown gitlab:gitlab /etc/webapps/gitlab/gitlab_workhorse_secret
~# chown gitlab:gitlab /usr/share/webapps/gitlab/db/schema.rb


Package version: gitlab-9.3.2-3

Closed by  Sven-Hendrik Haase (Svenstaro)
Tuesday, 04 July 2017, 15:00 GMT
Reason for closing:  Not a bug
Comment by Sven-Hendrik Haase (Svenstaro) - Tuesday, 04 July 2017, 06:59 GMT
No, the PKGBUILD clearly chowns those files. I'm pretty sure that for some reason those files belong to the wrong users on your side. Maybe you have a legacy installation where this stuff was wrongly set. Was this a new installation?
Comment by Tiago Peixoto (count0) - Tuesday, 04 July 2017, 10:33 GMT
Indeed, this is not a new installation, but I can't see how these files can be wrong on my side. This is what I have:

~# ls -l /etc/webapps/gitlab/gitlab_workhorse_secret
-rw-rw---- 1 gitlab gitlab 44 Jun 30 18:29 /etc/webapps/gitlab/gitlab_workhorse_secret
~# ls -l /usr/share/webapps/gitlab/db/schema.rb
-rw-r--r-- 1 gitlab gitlab 79156 Jul 1 19:22 /usr/share/webapps/gitlab/db/schema.rb

Despite this, I have to re-set their permissions on _every_ upgrade. This has happened for many versions for some time.

Comment by Tiago Peixoto (count0) - Tuesday, 04 July 2017, 10:43 GMT
In PKGBUILD I see:

chown root:105 "${pkgdir}${_etcdir}/gitlab_workhorse_secret"
chown 105:105 "${pkgdir}${_datadir}/db/schema.rb"

It's pretty obvious what the problem is: the gitlab user is not number 105 in my system.

Is there a reason for the UID to be hardcoded in the PKGBUILD like this?
Comment by Sven-Hendrik Haase (Svenstaro) - Tuesday, 04 July 2017, 11:13 GMT
Yes, it's the only way we can guarantee that the same files always securely belong to the correct users. See here: https://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database

Probably your gitlab user is very old. You should just change its UID and GID and then it should just work. At any rate, I don't consider this a packaging issue at this point.
Comment by Tiago Peixoto (count0) - Tuesday, 04 July 2017, 14:27 GMT
Ok, I didn't know. I'll fix things locally. Thanks for the info.
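
The mismatch this thread arrives at (files chowned to the fixed numeric ID 105 while the local gitlab account has a different UID) can be checked before an upgrade. The following is an added example, not part of the original report or of the Arch package; the ID 105 and the two paths come from the thread, while the passwd lines and the local UID 999 are constructed sample data.

```shell
#!/bin/sh
# Constructed sample data: a passwd database where the gitlab account predates
# the fixed ID (999 is made up), and numeric ownership as the package sets it.
SAMPLE_PASSWD='root:x:0:0::/root:/bin/sh
gitlab:x:999:999::/var/lib/gitlab:/bin/sh'
SAMPLE_STAT='0:105 /etc/webapps/gitlab/gitlab_workhorse_secret
105:105 /usr/share/webapps/gitlab/db/schema.rb'

# Print field FIELD (3 = UID, 4 = GID) of account NAME from passwd text.
passwd_field() {  # passwd_field PASSWD_TEXT NAME FIELD
    printf '%s\n' "$1" | awk -F: -v n="$2" -v f="$3" '$1 == n { print $f; exit }'
}

# Print: ok | missing | drift:<local uid>:<account holding EXPECTED or "unassigned">
check_drift() {  # check_drift PASSWD_TEXT NAME EXPECTED_UID
    have=$(passwd_field "$1" "$2" 3)
    if [ -z "$have" ]; then echo missing; return 0; fi
    if [ "$have" = "$3" ]; then echo ok; return 0; fi
    holder=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$3 == u { print $1; exit }')
    echo "drift:${have}:${holder:-unassigned}"
}

# Read "UID:GID PATH" lines on stdin (format of: stat -c '%u:%g %n' FILE...) and
# print paths whose numeric owner and group both differ from NAME's local IDs.
# Simplification: mode bits and supplementary groups are not considered.
mismatched_paths() {  # mismatched_paths PASSWD_TEXT NAME
    uid=$(passwd_field "$1" "$2" 3)
    gid=$(passwd_field "$1" "$2" 4)
    awk -v u="$uid" -v g="$gid" '{ split($1, id, ":")
        if (id[1] != u && id[2] != g) print $2 }'
}

# Demo on the constructed data above.
check_drift "$SAMPLE_PASSWD" gitlab 105
printf '%s\n' "$SAMPLE_STAT" | mismatched_paths "$SAMPLE_PASSWD" gitlab
```

On a live system the same functions take `"$(getent passwd)"` as the passwd text and the output of `stat -c '%u:%g %n'` on the packaged files as input.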
