Gitlab Docker Instance Startup Permission Denied secrets_helper.rb

I'm trying to run the gitlab-ce docker image and am having issues with permission being denied for secrets_helper.rb. The following is pulled from the startup logs:

================================================================================
Recipe Compile Error in /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb
================================================================================

Errno::EPERM
------------
Operation not permitted @ rb_file_chmod - /etc/gitlab/gitlab-secrets.json

Cookbook Trace:
---------------
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:121:in `chmod'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:121:in `block in write_to_gitlab_secrets'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:119:in `open'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:119:in `write_to_gitlab_secrets'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/settings_helper.rb:163:in `generate_secrets'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/settings_helper.rb:167:in `generate_config'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/config.rb:26:in `from_file'
  /opt/gitlab/embedded/cookbooks/cache/cookbooks/gitlab/recipes/default.rb:26:in `from_file'

Relevant File Content:
----------------------
/opt/gitlab/embedded/cookbooks/cache/cookbooks/package/libraries/helpers/secrets_helper.rb:

There was an error running gitlab-ctl reconfigure:

Operation not permitted @ rb_file_chmod - /etc/gitlab/gitlab-secrets.json

114:  
115:    def self.write_to_gitlab_secrets
116:      secret_tokens = gather_gitlab_secrets
117:  
118:      if File.directory?('/etc/gitlab')
119:        File.open('/etc/gitlab/gitlab-secrets.json', 'w', 0600) do |f|
120:          f.puts(Chef::JSONCompat.to_json_pretty(secret_tokens))
121>>         f.chmod(0600)
122:        end
123:      end
124:  
125:      nil
126:    end
127:  end
128:  

I've created the container with the following:

docker run --detach \
  --hostname domain.name.com \
  --publish 4443:443 \
  --publish 4080:80 \
  --publish 4022:22 \
  --name gitlab \
  --restart always \
  --volume /mnt/nfs-1/gitlab/config:/etc/gitlab \
  --volume /mnt/nfs-1/gitlab/logs:/var/log/gitlab \
  --volume /mnt/nfs-1/gitlab/data:/var/opt/gitlab \
  gitlab/gitlab-ce:latest

Permissions look like the following:

/mnt

[Image: Rancher /mnt]

/mnt/nfs-1

drwxrwx---    5 1020     1020             5 Jun  2 23:13 gitlab

/mnt/nfs-1/gitlab

drwxrwx---    2 1020     1020            10 Jun  2 23:15 config
drwxrwx---    2 1020     1020             2 Jun  2 23:13 data
drwxrwx---    4 1020     1020             4 Jun  2 23:15 logs

The /mnt/nfs-1 is an NFS share that's set up with Rancher's config.

# /var/lib/rancher/conf/cloud-config.d/nfs.yml

rancher:
  services:
    nfs:
      image: walkerk1980/rancher-nfs-client
      labels:
        io.rancher.os.after: console, preload-user-images
        io.rancher.os.scope: system
      net: host
      privileged: true
      restart: always
      volumes:
      - /usr/bin/iptables:/sbin/iptables:ro
      - /mnt/nfs-1:/mnt/nfs-1:shared
      environment:
        SERVER: nas.stark.local
        SHARE: /mnt/pool/data_set
        MOUNT_OPTIONS: rw,noatime,nolock,soft,_netdev,auto

The NFS file share (in FreeNAS) looks like this:

[Image: FreeNAS Permissions NFS]

However, the solution there didn't work for me and I'm not quite sure where the git user exists. I'd assume that it exists in the running image.

I also tried to downgrade/upgrade/different versions/ee edition with the same problem so I'm under the assumption it has something to do with the volumes?
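
An added diagnostic, not part of the original question and not GitLab's own code: it replays the open, write and chmod sequence of `write_to_gitlab_secrets` from the trace above on a scratch file, so the refused step can be isolated on the mounted config directory without running `gitlab-ctl reconfigure`. It also confirms the file really ends up at mode 0600, which matters for a secrets file. `probe_secrets_dir` and the probe file name are hypothetical, and the `chmod:` parameter exists only so the EPERM path can be exercised without an NFS mount.

```ruby
require 'tmpdir'

# Replays the file operations from write_to_gitlab_secrets (open with 0600,
# write, chmod 0600) on a scratch file in +dir+ and reports the first step the
# filesystem refuses. probe_secrets_dir and the probe file name are
# hypothetical names for this example; +chmod+ is a seam for testing.
def probe_secrets_dir(dir, chmod: ->(f) { f.chmod(0600) })
  return { ok: false, failed_step: :directory, error: 'not a directory' } unless File.directory?(dir)

  path = File.join(dir, ".secrets-probe-#{Process.pid}")
  step = :open
  begin
    File.open(path, 'w', 0600) do |f|
      step = :write
      f.puts('{}')
      f.flush
      step = :chmod
      chmod.call(f)
    end
    st = File.stat(path)
    mode = st.mode & 0o777
    # A chmod that "succeeds" but leaves a wider mode is also a failure.
    { ok: mode == 0o600, failed_step: (mode == 0o600 ? nil : :mode_not_applied),
      mode: format('%04o', mode), owner_uid: st.uid, process_euid: Process.euid }
  rescue SystemCallError => e
    # Record who the filesystem says owns the file versus who we run as.
    owner = File.exist?(path) ? File.stat(path).uid : nil
    { ok: false, failed_step: step, error: e.class.name,
      owner_uid: owner, process_euid: Process.euid }
  ensure
    File.delete(path) if File.exist?(path)
  end
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    # Pass the directory that is mounted at /etc/gitlab in the container.
    puts probe_secrets_dir(ARGV[0]).inspect
  else
    # No argument: run against a scratch directory as a self-check.
    Dir.mktmpdir { |d| puts probe_secrets_dir(d).inspect }
  end
end
```

Run it as the same user the container process runs as, against the directory behind `/etc/gitlab` (here `/mnt/nfs-1/gitlab/config`). A result with `failed_step: :chmod` reproduces the error in the log, and comparing `owner_uid` with `process_euid` shows whether the share reports a different owner for the new file than the process that created it.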
