[gitlab-shell] permissions on log file are set to root:root, so git operations fail

[baronfel]

Hi,

First off, thanks for this repo and all the work that you've done to set this up. It's been a huge help to us and you've been super responsive to version updates, as well as making the new features configurable.

The issue I have seen came up when migrating from 8.16.x to 10.1.0. Once I updated image versions and let the migrations run, I started validating the configuration/repos/pipelines/etc. I found that git operations from a client (e.g. git pushes) would result in failures from the container. The error message was the following:

/usr/lib/ruby/2.3.0/logger.rb:703:in `initialize': Permission denied @ rb_sysopen - /var/log/gitlab/gitlab-shell/gitlab-shell.log (Errno::EACCES)
    from /usr/lib/ruby/2.3.0/logger.rb:703:in `open'
    from /usr/lib/ruby/2.3.0/logger.rb:703:in `open_logfile'
    from /usr/lib/ruby/2.3.0/logger.rb:695:in `set_dev'
    from /usr/lib/ruby/2.3.0/logger.rb:635:in `initialize'
    from /usr/lib/ruby/2.3.0/logger.rb:353:in `new'
    from /usr/lib/ruby/2.3.0/logger.rb:353:in `initialize'
    from /home/git/gitlab-shell/lib/gitlab_logger.rb:15:in `new'
    from /home/git/gitlab-shell/lib/gitlab_logger.rb:15:in `<top (required)>'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:6:in `require_relative'
    from /home/git/gitlab-shell/lib/gitlab_net.rb:6:in `<top (required)>'
    from /home/git/gitlab-shell/lib/gitlab_shell.rb:4:in `require_relative'
    from /home/git/gitlab-shell/lib/gitlab_shell.rb:4:in `<top (required)>'
    from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
    from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
    from /home/git/gitlab-shell/bin/gitlab-shell:18:in `<main>'
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

As you can see, it's a simple file system access and was easily resolved by chown git:git /var/log/gitlab/gitlab-shell.log so that the shell could actually read the file.

Is this something that's more widespread than my situation? If so, would it be worth ensuring permissions on the log files?

[solidnerd]

Hey @baronfel , first of all I would not recommend to upgrade directly from 2 old major versions and you skip one entirely. I think this case is not so widespread but you could provide a test case for that someone Iis able to reproduce your error and we could bring up fix than for that.

I did a look at some of my instances and all of them have not this permission problem.

[stale[bot]]

This issue has been automatically marked as stale because it has not had any activity for the last 60 days. It will be closed if no further activity occurs during the next 7 days. Thank you for your contributions.