I'm trying to run the gitlab-ce docker image and am having issues with permission being denied for secrets_helper.rb. The following is pulled from the startup logs:
================================================================================
Recipe Compile Error in /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb
================================================================================
Errno::EPERM
------------
Operation not permitted @ rb_file_chmod - /etc/gitlab/gitlab-secrets.json
Cookbook Trace:
---------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:121:in `chmod'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:121:in `block in write_to_gitlab_secrets'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:119:in `open'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:119:in `write_to_gitlab_secrets'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/settings_helper.rb:163:in `generate_secrets'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/settings_helper.rb:167:in `generate_config'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/config.rb:26:in `from_file'
/opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb:26:in `from_file'
Relevant File Content:
----------------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:
There was an error running gitlab-ctl reconfigure:
Operation not permitted @ rb_file_chmod - /etc/gitlab/gitlab-secrets.json
114:
115: def self.write_to_gitlab_secrets
116: secret_tokens = gather_gitlab_secrets
117:
118: if File.directory?('/etc/gitlab')
119: File.open('/etc/gitlab/gitlab-secrets.json', 'w', 0600) do |f|
120: f.puts(Chef::JSONCompat.to_json_pretty(secret_tokens))
121>> f.chmod(0600)
122: end
123: end
124:
125: nil
126: end
127: end
128:
I've created the container with the following:
docker run --detach \
    --hostname domain.name.com \
    --publish 4443:443 \
    --publish 4080:80 \
    --publish 4022:22 \
    --name gitlab \
    --restart always \
    --volume /mnt/nfs-1/gitlab/config:/etc/gitlab \
    --volume /mnt/nfs-1/gitlab/logs:/var/log/gitlab \
    --volume /mnt/nfs-1/gitlab/data:/var/opt/gitlab \
    gitlab/gitlab-ce:latest
Permissions look like the following:
/mnt/nfs-1
drwxrwx--- 5 1020 1020 5 Jun 2 23:13 gitlab
/mnt/nfs-1/gitlab
drwxrwx--- 2 1020 1020 10 Jun 2 23:15 config
drwxrwx--- 2 1020 1020 2 Jun 2 23:13 data
drwxrwx--- 4 1020 1020 4 Jun 2 23:15 logs
The /mnt/nfs-1 is an NFS share that's set up with Rancher's config.
# /var/lib/rancher/conf/cloud-config.d/nfs.yml
rancher:
  services:
    nfs:
      image: walkerk1980/rancher-nfs-client
      labels:
        io.rancher.os.after: console, preload-user-images
        io.rancher.os.scope: system
      net: host
      privileged: true
      restart: always
      volumes:
        - /usr/bin/iptables:/sbin/iptables:ro
        - /mnt/nfs-1:/mnt/nfs-1:shared
      environment:
        SERVER: nas.stark.local
        SHARE: /mnt/pool/data_set
        MOUNT_OPTIONS: rw,noatime,nolock,soft,_netdev,auto
The NFS file share (in FreeNAS) looks like this:
However, the solution there didn't work for me and I'm not quite sure where the git user exists. I'd assume that it exists in the running image.
I also tried downgrading, upgrading, different versions, and the EE edition, all with the same problem, so I'm under the assumption it has something to do with the volumes?