FS#66774 - [gitlab] Can't push due to invalid `.gitlab_shell_secret` path

Attached to Project: Community Packages
Opened by simonzack (simonzack) - Monday, 25 May 2020, 09:02 GMT
Last edited by Anatol Pomozov (anatolik) - Wednesday, 27 May 2020, 22:36 GMT
Task Type Support Request
Category Packages
Status Closed
Assigned To Anatol Pomozov (anatolik)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
I just updated today to Gitlab 13.0.0-1. When I push, I get the following errors:

```
remote: Resolving deltas: 100% (150/150), completed with 38 local objects.
remote: /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/http_helper.rb:118:in `read': No such file or directory @ rb_sysopen - /home/git/gitlab-shell/.gitlab_shell_secret (Errno::ENOENT)
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/http_helper.rb:118:in `secret_token'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/http_helper.rb:51:in `http_request_for'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/http_helper.rb:68:in `request'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/http_helper.rb:99:in `post'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/gitlab_net.rb:31:in `check_access'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/gitlab_access.rb:24:in `block in exec'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/gitlab_metrics.rb:50:in `measure'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/gitlab_access.rb:23:in `exec'
remote: from /usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/hooks/pre-receive:26:in `<main>'
```

Additional info:
* package version(s) gitlab 13.0.0-1, gitlab-shell 2:13.2.0-1

I tried to change `/etc/webapps/gitlab-shell/config.yml` and `/etc/webapps/gitlab/gitlab.yml` to no avail.

My `gitlab.yml` contains:

```
## GitLab Shell settings
gitlab_shell:
  path: /usr/share/webapps/gitlab-shell/
  authorized_keys_file: /var/lib/gitlab/.ssh/authorized_keys
```

And `config.yml` contains the following commented out:

```
# secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
```

Closed by  Anatol Pomozov (anatolik)
Wednesday, 27 May 2020, 22:36 GMT
Reason for closing:  Implemented
Additional comments about closing:  13.0.0-2
Comment by simonzack (simonzack) - Monday, 25 May 2020, 09:06 GMT
Edit, my `gitlab.yml` contains:

```
## GitLab Shell settings
gitlab_shell:
  path: /usr/share/webapps/gitlab-shell/
  authorized_keys_file: /var/lib/gitlab/.ssh/authorized_keys

  # File that contains the secret key for verifying access for gitlab-shell.
  # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
  # secret_file: /var/lib/gitlab/gitlab-shell/.gitlab_shell_secret
```
Comment by simonzack (simonzack) - Monday, 25 May 2020, 10:43 GMT
OK, I dug through this a bit. Apparently `/etc/webapps/gitlab-shell/config.yml` is now considered `fetch_from_legacy_config` in the source (see `/usr/share/webapps/gitlab-gitaly/ruby/gitlab-shell/lib/gitlab_config.rb`).

The non-legacy config settings set the environment variables in gitlab-shell instead, and are in `/etc/gitlab-gitaly/config.toml`.

We edit it so it says:

```
secret_file = "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
# custom_hooks_dir = "/home/git/custom_hooks"
```

This solves one issue, and now when we push we have:

```
remote: GitLab: Failed to authorize your Git request: internal API unreachable
```
Comment by simonzack (simonzack) - Monday, 25 May 2020, 12:45 GMT
I finally figured this out, took a lot of effort.

The main thing is that we need to change the GitLab URL in the config file to point to the unix socket of `/etc/webapps/gitlab/puma.rb`.

First change `/etc/gitlab-gitaly/config.toml` to include the following:

```
# dir = "/home/git/gitlab/log"

secret_file = "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
# custom_hooks_dir = "/home/git/custom_hooks"
gitlab_url = "http+unix://%2Frun%2Fgitlab%2Fgitlab.socket"
```

Then change `/etc/webapps/gitlab-shell/config.yml` to also have:

```
gitlab_url: "http+unix://%2Frun%2Fgitlab%2Fgitlab.socket"
```

Took some effort. I think it's useful to include something in the update message so other users can solve this problem too.
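
A check for the two settings this thread ends up changing, as an added example that is not part of the original comments or of the packaged code: it reads the active (uncommented) `secret_file` and `gitlab_url` lines, decodes the `http+unix://` socket path, and lists what would stop the hook from authenticating. The helper names, the minimal line reader and the file-mode test are assumptions of this example.

```ruby
# Constructed sample mirroring the config.toml lines quoted in the thread.
SAMPLE_TOML = <<~TOML
  # dir = "/home/git/gitlab/log"
  secret_file = "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
  # custom_hooks_dir = "/home/git/custom_hooks"
  gitlab_url = "http+unix://%2Frun%2Fgitlab%2Fgitlab.socket"
TOML

# Minimal reader for flat `key = "value"` lines (not a full TOML parser).
# Lines starting with '#' never match, so commented-out keys are ignored.
def active_settings(text)
  text.each_line.with_object({}) do |line, out|
    m = line.match(/\A\s*([A-Za-z_]+)\s*=\s*"([^"]*)"\s*\z/)
    out[m[1]] = m[2] if m
  end
end

# Percent-decode the socket path of an http+unix:// URL; nil for other schemes.
def unix_socket_path(url)
  prefix = 'http+unix://'
  return nil unless url.start_with?(prefix)
  url.delete_prefix(prefix)[/\A[^\/]*/].gsub(/%(\h\h)/) { $1.hex.chr }
end

# Hypothetical helper: list what would stop the pre-receive hook from
# authenticating. The "other" permission test is an added hardening
# assumption, not something the thread or the package prescribes.
def check_config(text)
  cfg = active_settings(text)
  problems = []
  secret = cfg['secret_file']
  if secret.nil?
    problems << 'secret_file not set (commented out?)'
  elsif !File.file?(secret)
    problems << "secret_file missing: #{secret}"
  elsif (File.stat(secret).mode & 0o007) != 0
    problems << "secret_file accessible by others: #{secret}"
  end
  sock = unix_socket_path(cfg['gitlab_url'].to_s)
  if sock.nil?
    problems << 'gitlab_url does not use http+unix://'
  elsif !File.socket?(sock)
    problems << "no unix socket at #{sock}"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] && File.file?(ARGV[0]) ? File.read(ARGV[0]) : SAMPLE_TOML
  check_config(text).each { |p| puts "WARN: #{p}" }
end
```

Run it as the user the hooks execute as, passing the path to `config.toml`; with no argument it checks the constructed sample.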
Comment by Justin Kromlinger (hashworks) - Monday, 25 May 2020, 17:00 GMT
I've created upstream MRs for the gitlab_url change:
https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/388
https://gitlab.com/gitlab-org/gitaly/-/merge_requests/2213

Until then, we can always replace the localhost url with the socket path.
Comment by Anatol Pomozov (anatolik) - Tuesday, 26 May 2020, 09:50 GMT
I just pushed new versions of gitlab packages. It contains updates for default configs + an install message to emphasize the recent Puma changes.

Please try the packages from [community-testing] and let me know if it works for you.
Comment by Anatol Pomozov (anatolik) - Wednesday, 27 May 2020, 15:36 GMT
Hi folks, could you please confirm that the version at [community-testing] resolves your issue?
Comment by Justin Kromlinger (hashworks) - Wednesday, 27 May 2020, 15:46 GMT
Thanks for the reminder. Looks good to me!
