gitea: Permission denied error when starting Gitea after updating to 1.17.0

Description

I have updated to Gitea 1.17.0, but when starting it I receive an error in the console, and then it exits. The message is available in the first file of my log gist.

In the docker compose file I have 2 volumes defined for use directly by Gitea:

/mnt/gitea/data/ - /var/lib/gitea
/mnt/gitea/custom - /etc/gitea

Gitea should run under user 1000, as set up in the docker compose file:

environment:
    - USER_UID=1000
    - USER_GID=1000

According to the console log, Gitea tries to create the /var/lib/gitea/custom/home directory, which is mapped to /mnt/gitea/data/custom/home on the host system. After inspecting this latter path, I see that no one is granted write permissions on the custom directory in it:

/mnt/gitea/data $ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
dr-x------ 13 1000 1000 4.0K nov   10  2021 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

However, if I grant write permission to the owner with sudo chmod u+w custom, Gitea will still produce the same error on startup, then exit, and when exited, the write permission on the directory have disappeared.

I suspect that Gitea is unable to create the new home directory because it removes the write permission from it’s parent directory, but I also suspect that I might be doing something wrong, as no one else has reported this bug yet.

If I try to fix this problem by hand, by manually creating the directory and setting ownership, as seen here:

sudo mkdir custom/home
sudo chown 1000:1000 custom/home

then starting up Gitea can continue a little, but will exit again because it wants yet another directory besides the new home one. The output from this run is in the second file in my log gist.

Gitea Version

v1.17.0

Can you reproduce the bug on the Gitea demo site?

Log Gist

https://gist.github.com/mpeter50/c7ba7eb7fc5e74fd708736736800a4e6

Screenshots

No response

Git Version

2.36.2

Operating System

Raspbian

How are you running Gitea?

I’m running Gitea in Docker, for which I have built the container image myself, using the Docker.rootless DOckerfile in the repo.

Database

MySQL

About this issue

Original URL
State: closed
Created 2 years ago
Comments: 40 (32 by maintainers)

Commits related to this issue

Disable doctor logging on panic If permissions are incorrect for writing to the doctor log simply disable the log file instead of panicing. Related #20570 Signed-off-by: Andrew Thornton <art27@cant... — committed to zeripath/gitea by zeripath 2 years ago
Disable doctor logging on panic (#20847) * Disable doctor logging on panic If permissions are incorrect for writing to the doctor log simply disable the log file instead of panicing. Related #... — committed to go-gitea/gitea by zeripath 2 years ago
Disable doctor logging on panic (#20847) Backport #20847 If permissions are incorrect for writing to the doctor log simply disable the log file instead of panicing. Related #20570 Signed-off-by: A... — committed to zeripath/gitea by zeripath 2 years ago
Disable doctor logging on panic (#20847) (#20898) Backport #20847 If permissions are incorrect for writing to the doctor log simply disable the log file instead of panicing. Related #20570 ... — committed to go-gitea/gitea by zeripath 2 years ago
Disable doctor logging on panic (#20847) * Disable doctor logging on panic If permissions are incorrect for writing to the doctor log simply disable the log file instead of panicing. Related #... — committed to IntegraSDL/gitea by zeripath 2 years ago

Most upvoted comments

Thank you for your time, I think I know the problem now.

I found this:

https://github.com/go-gitea/gitea/blob/main/docker/rootless/usr/local/bin/docker-setup.sh#L8

mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}

😂

wxiaoguang on Aug 19, 2022

The tests are done, here are the results.

Docker bug test

First I checked if just mounting to a docker container changes the permissions. I gave write permissions to the owner on the custom directory:

$ sudo chmod u+w custom/
$ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
drwx------ 13 1000 1000 4.0K júl   31 18:34 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

I started the container with this command:

sudo docker run -it --volume 'gitea_gitea_data:/mnt/gitea_data' debian bash

(gitea_gitea_data is a named volume stored at the location where I executed the previous commands)

Checked the permissions inside too, and stopped the container:

# cd /mnt/gitea_data/
# ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K Oct 29  2021 .
drwxr-xr-x  1 root root 4.0K Aug 19 07:27 ..
drwx------ 13 1000 1000 4.0K Jul 31 16:34 custom
drwx------  5 1000 1000 4.0K Mar 25 23:21 git
drwx------  2 root root 4.0K Jun 13  2021 ssh
# exit

Checked the permissions outside again:

$ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
drwx------ 13 1000 1000 4.0K júl   31 18:34 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

Gitea bug test

Out of curiosity first I tried with the current container (1.16.5).

I checked if the permissions are still ok, before starting the container:

$ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
drwx------ 13 1000 1000 4.0K júl   31 18:34 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

I started the container with docker-compose (if you’re interested in the compose file, please let me know):

sudo docker-compose up

After the database and Gitea has finished starting up (~1 minute), I checked the permissions again:

$ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
dr-x------ 13 1000 1000 4.0K júl   31 18:34 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

The permissions have changed.

I also checked inside the container:

$ sudo docker exec -it gitea bash
bash-5.1$ ls -hal /var/lib/gitea/
total 20K
drwxr-xr-x    5 git      git         4.0K Oct 29  2021 .
drwxr-xr-x    1 root     root        4.0K Mar 24 11:49 ..
dr-x------   13 git      git         4.0K Jul 31 18:34 custom
drwx------    5 git      git         4.0K Mar 26 00:21 git
drwx------    2 root     root        4.0K Jun 13  2021 ssh

I also checked this again with 1.17.0. I set the write permission again:

$ sudo chmod u+w custom/
$ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
drwx------ 13 1000 1000 4.0K júl   31 18:34 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

I changed the container image to start, and started the container:

sudo docker-compose up

When Gitea has started to start up and printed its first error messages, the permissions were changed again:

$ ls -hal
total 20K
drwxr-xr-x  5 1000 1000 4.0K okt   29  2021 .
drwxr-xr-x  5 root root 4.0K jún   14  2021 ..
dr-x------ 13 1000 1000 4.0K júl   31 18:34 custom
drwx------  5 1000 1000 4.0K márc  26 00:21 git
drwx------  2 root root 4.0K jún   13  2021 ssh

Conclusion

The strange behavior is connected to the Gitea container, but it looks it hasn’t been introduced with 1.17.0, as the 1.16.5 container does this too.

mpeter50 on Aug 19, 2022