gitea: Gitea rootless setup error: mkdir: can't create directory '/var/lib/gitea/git': Permission denied

Description

I’m following the instructions here: https://docs.gitea.io/en-us/install-with-docker-rootless/

After running docker compose up, I’m getting the error:

gitea     | mkdir: can't create directory '/var/lib/gitea/git': Permission denied
gitea     | /var/lib/gitea/git is not writable
gitea     | docker setup failed
gitea exited with code 1

docker-compose.yml

version: "2"
services:
  server:
    container_name: gitea
    image: gitea/gitea:1.18.0-rootless
    environment:
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=gitea
    restart: always
    volumes:
      - ./data:/var/lib/gitea
      - ./config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "2222:2222"
    depends_on:
      - db
  db:
    container_name: gitea-db
    image: postgres:14
    restart: always
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=gitea
      - POSTGRES_DB=gitea
    volumes:
      - ./postgres:/var/lib/postgresql/data

gitea directory:

debian@dev:~/gitea$ ls -al
total 24
drwxr-xr-x  5 debian debian 4096 Jan  3 16:51 .
drwxr-xr-x 12 debian debian 4096 Jan  3 16:31 ..
drwxr-xr-x  2 debian debian 4096 Jan  3 16:34 config
drwxr-xr-x  2 debian debian 4096 Jan  3 16:34 data
-rw-r--r--  1 debian debian  792 Jan  3 16:35 docker-compose.yml
drwx------ 19 100998 debian 4096 Jan  3 16:42 postgres

Docker version 20.10.21, build baeda1f

  • Installed via https://docs.docker.com/engine/security/rootless/
  • dbus-user-session is already the newest version (1.12.24-0+deb11u1)
  • fuse-overlayfs is already the newest version (1.4.0-1)
  • slirp4netns is already the newest version (1.0.1-2)
  • curl -fsSL https://get.docker.com/rootless | sh

Docker Compose version v2.14.1

  • Installed via apt install docker-compose-plugin

Debian GNU/Linux 11 (bullseye)

Gitea Version

1.18.0-rootless

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://pastebin.com/NmyrhLYE

Screenshots

No response

Git Version

No response

Operating System

Debian 11 (docker host)

How are you running Gitea?

From docker: here: https://docs.gitea.io/en-us/install-with-docker-rootless/ (details in the description above)

Database

PostgreSQL

About this issue

  • Original URL
  • State: open
  • Created a year ago
  • Comments: 17 (5 by maintainers)

Most upvoted comments

I am also facing this issue. It seems to me that this design is fundamentally broken. Running Gitea as root in a rootless container shouldn’t matter because the primary limiting factor in the security of the setup would be the security of the containerization technologies used. In my case, it is Podman. Sure, running Gitea as root can allow a malicious actor to do untold damage… to the container. If it somehow manages to exploit the container to the extent that it can infect the host system, well, the container is not running as root anyway - which is what matters. Ideally, the user that is running the container wouldn’t have sudo or any other administrative privileges either - aside from systemd-journal for looking at logs, for example.

Conversely, running Gitea rootless in a rootful container has marginally better security than running rootful in a rootless container because an exploit in the containerization technologies doesn’t necessarily need root privileges inside of that container. If Gitea provides true support for running rootless containers, it should be considered to let Gitea inside the container run as root by default. Perhaps there is a better way by means of configuring the container’s run parameters, but so far I haven’t found the way that works for Gitea (for example, in my Joplin server I pass --userns keep-id:uid=$(id -u),gid=$(id -g) to the podman run command in order to allow it to run as the correct user), and it would need to be documented in the setup.

It’s also not reasonable to expect that all users will want to run their rootless container as the first user created on their system. My Gitea user is the 14th user that I’ve created on my system. Perhaps the setup script could use the id commands as above in place of hard-coded values? Furthermore, in this instance, using the $HOME environment variable in configuration settings also seems not ideal. The $HOME environment variable is a default environment variable, so setting it to something different will most certainly break things.

We have a similar issue in the helm chart: https://gitea.com/gitea/helm-chart/pulls/447

Writing into system directories is not possible when running rootless. Maybe there could be a change for the rootless image WRT $HOME as proposed in the linked PR?

You can prevent Gitea from trying to create the directory by making it yourself. Inside ./data:

mkdir git

I looked into the source for a bit and I think that the problem is that Gitea runs as 1000:1000 inside the container, while the permissions for the volume folders remain 0:0 inside. The line throwing the exception is here. You might get away with removing the USER line in the Dockerfile and setting I_AM_BEING_UNSAFE_RUNNING_AS_ROOT in the ini file (see here for further info), but I don’t know enough to say how good an idea this is.
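As an added illustration (not part of the issue thread) of the uid mapping behind the last comment and the directory listing above: under rootless Docker the host user is container root, and container uid N is host subuid start + N - 1, so a directory owned by debian is 0:0 inside while Gitea's uid 1000 maps to a subuid. The script below assumes a single subuid range starting at 100000 (the 100998 owner of the postgres directory is consistent with that, since the postgres image runs as uid 999); that range is an assumption, not something the issue states.

```shell
#!/bin/sh
# Added example, not from the issue thread. Models how rootless Docker/Podman
# maps uids between a bind-mounted host directory and the container.
# Assumption: the host user has one /etc/subuid range, e.g. "debian:100000:65536".

# Host uid that a container uid appears as. Container uid 0 is the rootless
# user itself; container uid N (N >= 1) is sub_start + N - 1.
map_container_uid() {
  c_uid=$1; host_uid=$2; sub_start=$3; sub_count=$4
  if [ "$c_uid" -eq 0 ]; then
    echo "$host_uid"
  elif [ "$c_uid" -le "$sub_count" ]; then
    echo $((sub_start + c_uid - 1))
  else
    echo 65534   # not representable in the mapping; treated as overflow uid (nobody)
  fi
}

# Inverse: container uid that a host-owned file appears as inside the container.
map_host_uid() {
  h_uid=$1; host_uid=$2; sub_start=$3; sub_count=$4
  if [ "$h_uid" -eq "$host_uid" ]; then
    echo 0
  elif [ "$h_uid" -ge "$sub_start" ] && [ "$h_uid" -lt $((sub_start + sub_count)) ]; then
    echo $((h_uid - sub_start + 1))
  else
    echo 65534   # unmapped host uid shows up as the kernel overflow uid (nobody)
  fi
}

# Does a volume directory owned by $1 on the host belong to the uid $2 that the
# service runs as inside? Prints "ok" or "mismatch:<uid seen inside>".
# Remaining args: host_uid sub_start sub_count.
check_volume_owner() {
  inside=$(map_host_uid "$1" "$3" "$4" "$5")
  if [ "$inside" -eq "$2" ]; then echo "ok"; else echo "mismatch:$inside"; fi
}

# The issue's situation: ./data is owned by debian (host uid 1000), Gitea runs as 1000 inside.
echo "./data owned by host uid 1000 is seen inside as uid $(map_host_uid 1000 1000 100000 65536)"
echo "Gitea's container uid 1000 corresponds to host owner uid $(map_container_uid 1000 1000 100000 65536)"
echo "ownership check for ./data: $(check_volume_owner 1000 1000 1000 100000 65536)"
```

The same functions explain why the postgres directory in the listing is owned by 100998: container uid 999 maps to 100000 + 999 - 1 under the assumed range.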