Folders HOME and GITEA_WORK_DIR should corelate in rootless installation #396

New Issue

Closed

opened 2023-01-18 09:52:20 +00:00 by horvaro · 5 comments

horvaro commented 2023-01-18 09:52:20 +00:00 (Migrated from gitea.com)

Copy Link

Copy Source

I am using the helm chart version 6.0.4 and had trouble running it on OpenShift 4.11.
The helm chart can be run with the rootless option which solved some, but not all issues.

One of them was, that the Gitea Pod itself did not use the defined working directory, which would be on the mounted persistent volume in /data. Instead, it tried to create/chmod the folder /var/lib/gitea/git, which results in "permission denied" on OpenShift. The init-containers did run in /data and /data/gitea and created their files there.
They used the environment variable GITEA_WORK_DIR which is set to /data.

I discovered that the Gitea rootless image uses the environment variable HOME to reference to the git folder. HOME points to /var/lib/gitea/git which in a constrained platform like OpenShift, where you would choose the rootless image, is not writable. (There is the /data mount for everything we need)
The docker-setup script in the rootless image tries to create/chmod a folder based on that HOME variable:
https://github.com/go-gitea/gitea/blob/main/docker/rootless/usr/local/bin/docker-setup.sh#L4

Setting the environment variable HOME in the values.yaml solved the issue:

gitea:
  statefulset:
    env:
      - name: HOME
        value: /data/gitea/git

(For everyone else having this issue: Overwrite also the GITEA_TEMP variable to point to the /data mount)

My suggestion would be to add the HOME variable in the statefulset definition, preferably together with the rootless switch:
https://gitea.com/gitea/helm-chart/src/branch/main/templates/gitea/statefulset.yaml#L240

Or add this fact to the documentation. Maybe suggesting creating a volume mount also for /var/lib/gitea or setting HOME correctly.

I am using the helm chart version 6.0.4 and had trouble running it on OpenShift 4.11. The helm chart can be run with the rootless option which solved some, but not all issues. One of them was, that the Gitea Pod itself did not use the defined working directory, which would be on the mounted persistent volume in `/data`. Instead, it tried to create/chmod the folder `/var/lib/gitea/git`, which results in "permission denied" on OpenShift. The init-containers did run in `/data` and `/data/gitea` and created their files there. They used the environment variable `GITEA_WORK_DIR` which is set to `/data`. I discovered that the Gitea rootless image uses the environment variable `HOME` to reference to the git folder. `HOME` points to `/var/lib/gitea/git` which in a constrained platform like OpenShift, where you would choose the rootless image, is not writable. (There is the `/data` mount for everything we need) The docker-setup script in the rootless image tries to create/chmod a folder based on that `HOME` variable: https://github.com/go-gitea/gitea/blob/main/docker/rootless/usr/local/bin/docker-setup.sh#L4 Setting the environment variable `HOME` in the values.yaml solved the issue: ```yaml gitea: statefulset: env: - name: HOME value: /data/gitea/git ``` (For everyone else having this issue: Overwrite also the `GITEA_TEMP` variable to point to the `/data` mount) My suggestion would be to add the `HOME` variable in the statefulset definition, preferably together with the rootless switch: https://gitea.com/gitea/helm-chart/src/branch/main/templates/gitea/statefulset.yaml#L240 Or add this fact to the documentation. Maybe suggesting creating a volume mount also for `/var/lib/gitea` or setting `HOME` correctly.

pat-s commented 2023-01-18 11:14:10 +00:00 (Migrated from gitea.com)

Copy Link

Copy Source

Thanks, this is a very concise description!

Openshift is usually stricter in many points and most don't have a testing cluster available.

I am also running with the rootless image myself on EKS and I can see that /var/lib/gitea/git exists but it's empty ?
Is it empty in your install as well?

Anyhow, changing the default HOME definition conditionally on the rootless image use makes sense.

Overwrite also the GITEA_TEMP variable to point to the /data mount)

Is /tmp also restricted in openshift?

Thanks, this is a very concise description! Openshift is usually stricter in many points and most don't have a testing cluster available. I am also running with the rootless image myself on EKS and I can see that `/var/lib/gitea/git` exists but it's empty ? Is it empty in your install as well? Anyhow, changing the default `HOME` definition conditionally on the rootless image use makes sense. > Overwrite also the GITEA_TEMP variable to point to the /data mount) Is `/tmp` also restricted in openshift?

horvaro commented 2023-01-18 16:51:38 +00:00 (Migrated from gitea.com)

Copy Link

Copy Source

I cannot check if /var/lib/gitea/git is empty or not, because with that default setting, the pod won't even start.
Same goes for the folder /tmp.

The issue lies in the fact that the chmod operation will fail on those folders.
OpenShift does not allow chmod-ing files/folders in non-mounted places, at least with the current security context constraints (scc) active in my OpenShift install.

Thanks for considering the HOME env-var definition!

I cannot check if `/var/lib/gitea/git` is empty or not, because with that default setting, the pod won't even start. Same goes for the folder `/tmp`. The issue lies in the fact that the `chmod` operation will fail on those folders. OpenShift does not allow chmod-ing files/folders in non-mounted places, at least with the current security context constraints (scc) active in my OpenShift install. Thanks for considering the `HOME` env-var definition!

justusbunsi commented 2023-01-18 17:54:51 +00:00 (Migrated from gitea.com)

Copy Link

Copy Source

That's odd. The Helm Chart explicitly overrides and aligns all the differences between both image variants. It sounds like Openshift would look for the image spec and restricts the environment based on that.

Feel free to propose an Openshift related section to the docs.

That's odd. The Helm Chart explicitly overrides and aligns all the differences between both image variants. It sounds like Openshift would look for the image spec and restricts the environment based on that. Feel free to propose an Openshift related section to the docs.

horvaro commented 2023-01-19 06:34:25 +00:00 (Migrated from gitea.com)

Copy Link

Copy Source

Yes, that's what OpenShift does.

It sounds like Openshift would look for the image spec and restricts the environment based on that.

Yes, that's what OpenShift does. > It sounds like Openshift would look for the image spec and restricts the environment based on that.

horvaro commented 2023-01-19 13:54:20 +00:00 (Migrated from gitea.com)

Copy Link

Copy Source

Nevermind: The GITEA_TEMP override is not necessary.
The helm chart already maps /tmp to an "emptyDir", which is also for OpenShift useable.

https://gitea.com/gitea/helm-chart/src/branch/main/templates/gitea/statefulset.yaml#L340-L341

Nevermind: The GITEA_TEMP override is not necessary. The helm chart already maps `/tmp` to an "emptyDir", which is also for OpenShift useable. https://gitea.com/gitea/helm-chart/src/branch/main/templates/gitea/statefulset.yaml#L340-L341

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

renovate/postgresql-ha-15.x

renovate/postgresql-16.x

renovate/redis-20.x

renovate/redis-cluster-11.x

fix-674

app-ini-recreation

fix-env-to-ini

clean-app-ini

gitea-ha

v10.6.0

v10.5.0

v10.4.1

v10.4.0

v10.3.0

v10.2.0

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels

has/backport

in progress

invalid

kind/breaking

kind/bug

kind/build

kind/dependency

kind/deployment

kind/docs

kind/enhancement

kind/feature

kind/lint

kind/proposal

kind/question

kind/refactor

kind/security

kind/testing

kind/translation

kind/ui

need/backport

priority/critical

priority/low

priority/maybe

priority/medium

reviewed/duplicate

reviewed/invalid

reviewed/wontfix

skip-changelog

status/blocked

status/needs-feedback

status/needs-reviews

status/wip

upstream/gitea

upstream/other

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

lunny (Lunny Xiao)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lunny/helm-chart#396