gitea: [Summary] USER_UID/uid related problems (snap/docker)
Background
- Discord: “v1.19.0 installed via snap on Ubuntu server doesn’t launch. all is OK with 1.18.5 , but with the last one i got” :
setting.go:322:loadRunModeFrom() [F] Expect user 'gitea' but current user is: root.- “no i didn’t change anything, automatic snap update last night to 1.19, break my gitea. i just rollback to 1.18 and all is ok again without touch my config”, the chat link
- Personally I guess it is likely a misconfiguration problem, but I can’t see the details nor get more clues from the reporter at the moment.
- Docker config: USER_UID=1000 & USER_GID=1000
- It’s unclear what they are used for, or what they affect.
- #19920
- Although it was closed, actually it didn’t get a fix, it’s closed because no time spending on it.
- The pterodactyl / parkervcp:
- I used pterodactyl which uses docker with this docker image: ghcr.io/parkervcp/yolks:debian
- And installs from the config generated from this file: https://github.com/parkervcp/eggs/blob/master/software/gitea/egg-gitea.json
- Then:
AddPublicKey, calcFingerprintSSHKeygen: 'ssh-keygen -lf /tmp/....' failed with error 'exec(64c52017-2:AddPublicKey) failed: exit status 255(<nil>) stdout: stderr: No user exists for uid 999 ': No user exists for uid 999
TODO
I haven’t spent time on these problems. Some brief thoughts:
- If Gitea runs with root, it should be able to setuid/seteuid to switch to the “gitea” user.
- However, “setuid” correctly in a complex Go program like Gitea is very difficult.
- Gitea checks the current running user by its name, it’s not ideal, because in some rare cases, the UID could be used without an existing user name.
- Update: eg: Builtin SSH Server & Docker-rootless only needs a virtual SSH_USER.
- The USER_UID/USER_GID config for docker-root/docker-rootless are unclear, and it might cause problems if something mismatches or changes.
I guess Gitea needs to spend some time on these problems, work them out, clarify the behaviors and improve documents.
About this issue
- Original URL
- State: open
- Created a year ago
- Reactions: 3
- Comments: 32 (18 by maintainers)
Commits related to this issue
- Fix incorrect CurrentUser check for docker rootless (#24435) Many users report that 1.19 has a regression bug: the rootless image can't start if the UID is not 1000. https://github.com/go-gitea/g... — committed to go-gitea/gitea by wxiaoguang a year ago
- docker: configurable git user / group IDs Per #23632, there are several issues with the hardcoded values (1000:1000) in the existing Docker installation flow. This is the first step in a series of c... — committed to tomholford/gitea by tomholford 9 months ago
TL;DR
The problem is here - the UID and GID are hardcoded in the
Dockerfile.Dockerfile(ENV),docker-compose.yml(environment:) or via docker cli (docker run -e).Most of this issue (and MANY others) are based on this one problem. Please consider it as a major issue - because of this, we cannot use passthrough.
@lonix1 great work, I also spent lots of time with the documentation, thinking I’m plain stupid. We are currently using Alternative 3 from your recommendation, but would love a simpler solution
I did not test carefully last time I upgraded, but when I rolled back to
gitea/gitea:1.18-rootless, the problem goes away. I have a user/groupgiteaon host system, with uid/gid 1016/1017, and my docker-compose looks like this:Maybe it is enough to just have user: set in docker-compose and upgrade to 1.19? In
config/app.ini, I have:Not sure if RUN_USER has anything to do with it.
That’s not true for Builtin SSH Server, eg: docker-rootless. Only SSH_USER is necessary, the RUN_USER shouldn’t be mixed there.
I updated the description, added this context: “Builtin SSH Server & Docker-rootless only needs a virtual SSH_USER.”