go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.39k stars 5.43k forks

Can Gitea support Azure file storage? #28810

Closed YanFenGuo closed 1 month ago

YanFenGuo commented 8 months ago

Feature Description

I saw https://github.com/go-gitea/gitea/issues/22527 about Azure Blob Storage; this issue is about Azure File Storage support. I'm trying to deploy Gitea on ARO with Azure file storage. According to https://help.thorntech.com/docs/next/sftp-gateway-azure/azure-file-storage-mount/#caveats-and-limitations, with Azure file storage it is impossible to do chmod.

This is my app.ini, and I have a PVC mounted to /data:

APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
RUN_USER = git

[repository]
ROOT = /data/git/repositories
ENABLE_PUSH_CREATE_USER = true
ENABLE_PUSH_CREATE_ORG  = true
DEFAULT_PRIVATE         = public
FORCE_PRIVATE           = false

[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

[repository.upload]
TEMP_PATH = /data/gitea/uploads

[server]
APP_DATA_PATH    = /data/gitea
DOMAIN           = {{DOMAIN_NAME}}
SSH_DOMAIN       = localhost
HTTP_PORT        = 3000
ROOT_URL         = %(PROTOCOL)s://%(DOMAIN)s
DISABLE_SSH      = false
SSH_PORT         = 22
SSH_LISTEN_PORT  = 22
LFS_START_SERVER = false
PROTOCOL         = https
CERT_FILE        = /data/gitea/conf/tls.crt
KEY_FILE         = /data/gitea/conf/tls.key

[lfs]
PATH = /data/git/lfs

[database]
PATH    = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST    = localhost:3306
NAME    = gitea
USER    = root
PASSWD  =

[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve

[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER        = file

[picture]
AVATAR_UPLOAD_PATH            = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
DISABLE_GRAVATAR              = false
ENABLE_FEDERATED_AVATAR       = true

[attachment]
PATH = /data/gitea/attachments

[log]
ROOT_PATH = /data/gitea/log
MODE      = file, console

[security]
INSTALL_LOCK   = true
SECRET_KEY     =

[service]
DISABLE_REGISTRATION              = false
REQUIRE_SIGNIN_VIEW               = false
REGISTER_EMAIL_CONFIRM            = false
ENABLE_NOTIFY_MAIL                = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
ENABLE_CAPTCHA                    = false
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING       = true
NO_REPLY_ADDRESS                  = noreply.localhost

[mailer]
ENABLED = false

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

The first issue I met is that the Gitea pod can't be started, with this error:

Server listening on :: port 22.
Server listening on 0.0.0.0 port 22.
2024/01/16 02:42:26 cmd/web.go:105:runWeb() [I] Starting Gitea on PID: 15
2024/01/16 02:42:26 cmd/web.go:159:runWeb() [I] Global init
2024/01/16 02:42:27 routers/init.go:70:mustInitCtx() [F] code.gitea.io/gitea/modules/git.InitFull(ctx) failed: failed to set git global config user.email, err: exit status 4 - error: chmod on /data/gitea/home/.gitconfig.lock failed: Operation not permitted
     - error: chmod on /data/gitea/home/.gitconfig.lock failed: Operation not permitted

Received signal 15; terminating.

After some investigation I was able to fix it by adding the below to app.ini, because I mount /data/git as an emptyDir, so changing permissions is fine in this folder:

[git]
HOME_PATH=/data/git

But then I met another permission issue when trying to log in to Gitea from the UI:

2024/01/16 03:45:18 ...ers/web/auth/auth.go:312:handleSignInFull() [E] [65a5fbce] RegenerateSession: regenerate session: chtimes /data/gitea/sessions/7/8/78238946019cfcae: operation not permitted
2024/01/16 03:45:18 [65a5fbce] router: completed POST /user/login for 10.129.2.4:55512, 500 Internal Server Error in 260.8ms @ auth/auth.go:170(auth.SignInPost)

And this error when trying to create an organization:

2024/01/16 03:48:03 ...rs/api/v1/org/org.go:272:Create() [E] [65a5fc73] CreateOrganization: generate random avatar: Failed to create dir 43aa32a241c84f3e6df8e5651ed81e76: chmod /data/gitea/avatars/43aa32a241c84f3e6df8e5651ed81e76: operation not permitted
2024/01/16 03:48:03 [65a5fc73] router: completed POST /api/v1/orgs?token=b45f8e88e9e77742a7ce89523fe094cabf274290 for 10.128.5.146:47868, 500 Internal Server Error in 245.4ms @ org/org.go:223(org.Create)

So unless we remove the PVC mount, is it impossible to use Azure file storage? Does Gitea support Azure file storage?

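The three failures above (chmod on .gitconfig.lock, chtimes on the session file, chmod on the new avatar directory) are all metadata operations that the underlying mount rejects, and the pod only finds out once Gitea is already running. The following is an added example, not code from this issue or from the Gitea project: a POSIX sh pre-flight probe that exercises exactly those operations on a directory, plus a helper that reads the absolute paths out of an app.ini like the one posted and probes the nearest existing directory of each, so an init container or an operator can report before startup which configured paths sit on a volume that cannot take chmod/utime and should be moved to an emptyDir or another writable volume. The function names (probe_gitea_volume, nearest_dir, probe_app_ini_paths) and the probe file names are assumptions of this example, not anything Gitea ships.

```shell
#!/bin/sh
# Pre-flight probe for volumes Gitea writes to (added example; not Gitea's own code).
# Gitea's startup, session store and avatar code need chmod and utime (chtimes)
# on the mounted path; an SMB-backed Azure Files mount commonly rejects both
# with "operation not permitted", which is what the issue's logs show.

# probe_gitea_volume DIR -> 0 if DIR accepts every operation, 1 if any is
# rejected, 2 if nothing can be created there at all.
probe_gitea_volume() {
    dir="$1"
    failed=""
    [ -d "$dir" ] || { echo "probe: $dir is not a directory"; return 2; }

    probe="$dir/.gitea-probe.$$"          # hypothetical scratch directory name
    mkdir "$probe" 2>/dev/null || { echo "probe: cannot create a directory in $dir"; return 2; }

    # mkdir followed by chmod: the sequence that failed under /data/gitea/avatars
    chmod 0700 "$probe" 2>/dev/null || failed="$failed chmod-dir"

    # create a file, then chmod it: what git does with .gitconfig.lock
    : > "$probe/lockfile" 2>/dev/null || failed="$failed create-file"
    chmod 0600 "$probe/lockfile" 2>/dev/null || failed="$failed chmod-file"

    # utime: the chtimes call that failed under /data/gitea/sessions
    touch -t 200001010000 "$probe/lockfile" 2>/dev/null || failed="$failed chtimes"

    # rename: used by lock files and atomic writes
    mv "$probe/lockfile" "$probe/renamed" 2>/dev/null || failed="$failed rename"

    rm -rf "$probe"

    if [ -n "$failed" ]; then
        echo "probe: $dir rejects:$failed"
        return 1
    fi
    echo "probe: $dir supports chmod, chtimes and rename"
    return 0
}

# nearest_dir PATH -> the closest existing ancestor directory of PATH
# (configured paths such as gitea.db may not exist before first start).
nearest_dir() {
    p="$1"
    while [ ! -d "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# probe_app_ini_paths FILE -> probes every "KEY = /absolute/path" value in an
# app.ini-style file; returns 1 if any probed directory rejects an operation.
probe_app_ini_paths() {
    ini="$1"
    rc=0
    # Extract absolute-path values; "MODE = file, console" and "%(PROTOCOL)s://"
    # values do not start with "/" and are skipped.
    dirs=$(sed -n 's/^[A-Za-z_]*[[:space:]]*=[[:space:]]*\(\/[^[:space:],]*\).*/\1/p' "$ini" |
           while read -r cfgpath; do nearest_dir "$cfgpath"; done | sort -u)
    for d in $dirs; do
        probe_gitea_volume "$d" || rc=1
    done
    return $rc
}

# Stand-alone usage: sh probe.sh /data/gitea/conf/app.ini
if [ $# -gt 0 ]; then
    probe_app_ini_paths "$1"
fi
```

Run it from an init container that mounts the same PVCs as the Gitea container; a non-zero exit with the "rejects:" line names the paths that must not live on the Azure Files volume, which is the configuration decision this thread is about.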

lunny commented 8 months ago

Looks like your file system is read-only.

YanFenGuo commented 8 months ago

@lunny Yes, it is a read-only file system according to our security requirement; below is the deployment yaml file:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: icp4adeploy-gitea-deploy
  labels:
    app: icp4adeploy-gitea-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: icp4adeploy-gitea-deploy
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: icp4adeploy-gitea-deploy
    spec:
      restartPolicy: Always
      initContainers:
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: icp4adeploy-gitea-prereqs
          command:
            - sh
            - '-cx'
            - |
              set -o errexit
              set -o pipefail

              mkdir -p /data/gitea/conf
              mkdir -p /data/gitea/log
              rm -rf /data/git/.gitconfig.lock

              cp /opt/ansible/share/gitea_* /data/gitea/conf/
              cp /rootca/tls.crt /data/gitea/conf/root_ca_crt.crt
              cp /tlssecret/* /data/gitea/conf/
              chown -R git:git /data/gitea 
              mv /data/gitea/conf/gitea_app.ini /data/gitea/conf/app.ini
          env:
            - name: USER_UID
              value: '1000'
            - name: USER_GID
              value: '1000'
          securityContext:
            readOnlyRootFilesystem: true
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: gitea-data
              mountPath: /data
            - name: operator-shared-folder
              mountPath: /opt/ansible/share
            - name: tlssecret
              mountPath: /tlssecret
            - name: rootcasecret
              mountPath: /rootca
          terminationMessagePolicy: File
          image: >-
            cp.icr.io/cp/cp4a/demo/gitea@sha256:30540b7b97dd483f69a1a51d0bf0d5b8c0262a0d976658fe21469563aa2c007b
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: folder-prepare-container
          command:
            - /bin/bash
            - '-ecx'
            - >
              rm -rf /s6-folder/* && cp -rp /etc/s6/* /s6-folder && rm -rf
              /etc-ssh-folder/* && cp -rp /etc/ssh/* /etc-ssh-folder && rm -rf
              /app-gitea-folder/* && cp -rp /app/gitea/* /app-gitea-folder && rm
              -rf /run-folder/* && cp -rp /run/* /run-folder
          securityContext:
            readOnlyRootFilesystem: true
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: s6-folder-pvc
              mountPath: /s6-folder
            - name: etc-ssh-folder-pvc
              mountPath: /etc-ssh-folder
            - name: app-gitea-folder-pvc
              mountPath: /app-gitea-folder
            - name: run-folder-pvc
              mountPath: /run-folder
          terminationMessagePolicy: File
          image: >-
            cp.icr.io/cp/cp4a/demo/gitea@sha256:30540b7b97dd483f69a1a51d0bf0d5b8c0262a0d976658fe21469563aa2c007b
      serviceAccountName: ibm-cp4ba-anyuid
      schedulerName: default-scheduler
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - s390x
                      - ppc64le
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 3
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - s390x
                      - ppc64le
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 256Mi
          readinessProbe:
            httpGet:
              path: /
              port: 3000
              scheme: HTTPS
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          terminationMessagePath: /dev/termination-log
          name: icp4adeploy-gitea-deploy
          livenessProbe:
            httpGet:
              path: /
              port: 3000
              scheme: HTTPS
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          env:
            - name: USER_UID
              value: '1000'
            - name: USER_GID
              value: '1000'
            - name: DOMAIN
              value: gitea-demo.apps.kragon.eastus.aroapp.io
            - name: INSTALL_LOCK
              value: 'true'
          securityContext:
            readOnlyRootFilesystem: true
          ports:
            - name: https
              containerPort: 3000
              protocol: TCP
            - name: ssh
              containerPort: 22
              protocol: TCP
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: gitea-data
              mountPath: /data
            - name: root-folder-pvc
              mountPath: /root
            - name: gitea-folder-pvc
              mountPath: /gitea
            - name: git-folder-pvc
              mountPath: /data/git
            - name: ssh-folder-pvc
              mountPath: /data/ssh
            - name: s6-folder-pvc
              mountPath: /etc/s6
            - name: etc-ssh-folder-pvc
              mountPath: /etc/ssh
            - name: app-gitea-folder-pvc
              mountPath: /app/gitea
            - name: run-folder-pvc
              mountPath: /run
          terminationMessagePolicy: File
          image: >-
            cp.icr.io/cp/cp4a/demo/gitea@sha256:30540b7b97dd483f69a1a51d0bf0d5b8c0262a0d976658fe21469563aa2c007b
      serviceAccount: ibm-cp4ba-anyuid
      volumes:
        - name: operator-shared-folder
          persistentVolumeClaim:
            claimName: operator-shared-pvc
        - name: gitea-data
          persistentVolumeClaim:
            claimName: gitea-filestore-pvc
        - name: rootcasecret
          secret:
            secretName: icp4adeploy-root-ca
            defaultMode: 420
        - name: tlssecret
          secret:
            secretName: icp4adeploy-prereq-ext-tls-secret
            defaultMode: 420
        - name: root-folder-pvc
          emptyDir: {}
        - name: gitea-folder-pvc
          emptyDir: {}
        - name: git-folder-pvc
          emptyDir: {}
        - name: ssh-folder-pvc
          emptyDir: {}
        - name: s6-folder-pvc
          emptyDir: {}
        - name: etc-ssh-folder-pvc
          emptyDir: {}
        - name: app-gitea-folder-pvc
          emptyDir: {}
        - name: run-folder-pvc
          emptyDir: {}

Could you please let me know whether this is a configuration issue or whether Gitea has a limitation on supporting Azure file storage? I feel that unless I remove the PVC, I can't make it work....

lunny commented 1 month ago

Gitea will not know the real file system after you mount. So I don't think this is a problem that can be resolved from the Gitea side. It should be a configuration problem.