[Solved] A question about permission
Posted: 2024-04-26 16:26
by jasonnix
Hello,
I installed Gitlab Runner and after installation I did the following steps:
Code: Select all
$ sudo usermod -aG docker gitlab-runner
$ sudo nano /etc/sudoers
gitlab-runner ALL=(ALL) NOPASSWD: ALL
Containers and source repositories are located in another partition and the directory permission is as follows:
Code: Select all
# ls -l
total 20
drwxrwxr-x 5 root root 4096 Apr 22 09:22 partition
drwxrwx--- 2 root root 16384 Apr 9 16:50 lost+found
With this permission the runner cannot work and I have to use the following command:
Code: Select all
# chown -R gitlab-runner /mnt/partition
The problem will be solved, but I heard that this will cause problems in the future.
I did the following step:
Code: Select all
# chown -R root /mnt/partition
# groupadd runner
# /sbin/usermod -a -G runner gitlab-runner
# /sbin/usermod -a -G runner root
# chgrp -R runner /mnt/partition/
# chmod -R g+rwx /mnt/partition/
After this, the runner can't copy files in the directory again.
The content of the .gitlab-ci.yml file is as follows:
Code: Select all
stages:
  - build
  - deploy
build-test:
  stage: build
  script:
    - rm -rf node_modules
    - mkdir -p node_modules/
    - rm -rf /mnt/partition/containers/test
    - cd /mnt/partition/containers/
    - git clone http://jason:PASS@192.168.1.2/project/test.git
deploy-test:
  stage: deploy
  script:
    - cd /mnt/partition/containers/YAML
    - docker compose up -d test
What is wrong?
Thank you.
Re: [Software] A question about permission
Posted: 2024-04-26 16:54
by jmgibson1981
The only thing you should need to do is give the /mnt/partition folder the proper permissions for the gitrunner user? and it will work. The rest of that stuff is nonsense to me. The global sudo for that program is a very bad idea. Global ALL:ALL nopasswd is never the right answer.
There is no reason that chowning a non system owned data partition will cause problems. What you read is wrong on that one.
Never give something more than the absolute minimum it needs unless you have a very good reason to do so. If Gitlab runner needs docker access then put it in the docker group. No need for that sudo modification. Chown the /mnt/partition data directory to Gitlab runner user with 755 permissions. 700 if you are trying to block it from any and all others than the gitlab runner.
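As an added example (not part of the original posts and not GitLab Runner's own tooling), the shell functions below check the two points made in this reply: that the service account has no blanket `NOPASSWD: ALL` sudoers entry, and that the data directory is owned by that account with mode 755 or 700. The function names, the temporary sudoers file and the temporary directory are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a CI service account against the advice in this thread.

# Succeeds if sudoers-style FILE gives ACCOUNT passwordless sudo for ALL commands.
has_blanket_nopasswd() {
    account=$1 file=$2
    # Strip comments, then match: ACCOUNT <hosts>=(<runas>) NOPASSWD: ALL
    sed 's/#.*//' "$file" | grep -Eq \
        "^[[:space:]]*${account}[[:space:]]+[^=]+=[[:space:]]*(\([^)]*\)[[:space:]]*)?NOPASSWD:[[:space:]]*ALL[[:space:]]*$"
}

# Prints "ok" if DIR is owned by OWNER with mode 755 or 700 (the two modes
# suggested in the thread); otherwise prints what differs.
check_data_dir() {
    dir=$1 owner=$2
    set -- $(stat -c '%U %a' "$dir")    # GNU stat: owner name, octal mode
    if [ "$1" != "$owner" ]; then
        echo "owner is $1, expected $owner"
    elif [ "$2" != 755 ] && [ "$2" != 700 ]; then
        echo "mode is $2, expected 755 or 700"
    else
        echo ok
    fi
}

# Runs both checks; returns non-zero if either finds a problem.
audit_runner() {
    acct=$1 sudoers=$2 data=$3 rc=0
    if has_blanket_nopasswd "$acct" "$sudoers"; then
        echo "FAIL: $acct has NOPASSWD: ALL in $sudoers"; rc=1
    fi
    result=$(check_data_dir "$data" "$acct")
    if [ "$result" != ok ]; then
        echo "FAIL: $data: $result"; rc=1
    fi
    return $rc
}

# Constructed sample input: the sudoers line and 775 mode from the first post.
tmp=$(mktemp -d)
printf '%s\n' 'root ALL=(ALL:ALL) ALL' 'gitlab-runner ALL=(ALL) NOPASSWD: ALL' > "$tmp/sudoers"
mkdir "$tmp/partition" && chmod 775 "$tmp/partition"
audit_runner gitlab-runner "$tmp/sudoers" "$tmp/partition" || echo "audit found problems"
rm -rf "$tmp"
```

On a real host the call would be `audit_runner gitlab-runner /etc/sudoers /mnt/partition`, run as root. Membership in the docker group is itself root-equivalent on the host, so the account stays privileged even after the sudoers line is removed.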
Re: [Software] A question about permission
Posted: 2024-04-26 18:10
by jasonnix
jmgibson1981 wrote: 2024-04-26 16:54
The only thing you should need to do is give the /mnt/partition folder the proper permissions for the gitrunner user? and it will work. The rest of that stuff is nonsense to me. The global sudo for that program is a very bad idea. Global ALL:ALL nopasswd is never the right answer.
There is no reason that chowning a non system owned data partition will cause problems. What you read is wrong on that one.
Never give something more than the absolute minimum it needs unless you have a very good reason to do so. If Gitlab runner needs docker access then put it in the docker group. No need for that sudo modification. Chown the /mnt/partition data directory to Gitlab runner user with 755 permissions. 700 if you are trying to block it from any and all others than the gitlab runner.
Hello,
Do you mean something like the commands below?
Code: Select all
# chown -R gitlab-runner:gitlab-runner /mnt/partition
# chmod -R 755 /mnt/partition
OR:
Code: Select all
# chown -R gitlab-runner:runner /mnt/partition
# chmod -R 755 /mnt/partition
Which one is better?
Re: [Software] A question about permission
Posted: 2024-04-26 19:06
by jmgibson1981
Either. You want to keep it simple. If there is no reason for the runner group then eliminate it. You can do just fine with 755 for the gitlab-runner user. The only way you need the group separate is if someone else needs to be in it, but in that case you can add them to the gitlab-runner group anyway.
Re: [Software] A question about permission
Posted: 2024-04-26 20:14
by jasonnix
jmgibson1981 wrote: 2024-04-26 19:06
Either. You want to keep it simple. If there is no reason for the runner group then eliminate it. You can do just fine with 755 for the gitlab-runner user. The only way you need the group separate is if someone else needs to be in it, but in that case you can add them to the gitlab-runner group anyway.
Hi,
Thank you so much.
The permissions are as follows:
Code: Select all
$ ls -ls
total 4
4 drwxr-xr-x 4 gitlab-runner runner 4096 Apr 26 23:36 partition
The Git command does not give any error without using the runner:
Code: Select all
# git clone http://jason:PASS@192.168.1.2/project/test.git
Cloning into 'test'...
remote: Enumerating objects: 124, done.
remote: Counting objects: 100% (91/91), done.
remote: Compressing objects: 100% (91/91), done.
remote: Total 124 (delta 54), reused 0 (delta 0), pack-reused 33
Receiving objects: 100% (124/124), 178.22 KiB | 7.13 MiB/s, done.
Resolving deltas: 100% (54/54), done.
But when the above command is executed by the runner, the following error message is displayed:
Code: Select all
Running with gitlab-runner 16.11.0 (91a27b2a)
on test t_Wy2xFrX, system ID: s_a88f5fe318c9
Preparing the "shell" executor
Using Shell (bash) executor...
Preparing environment
Running on project...
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.
remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403
ERROR: Job failed: exit status 1
The error message says that I do not have the required permission, but that is not the case.
Re: [Software] A question about permission
Posted: 2024-04-26 20:33
by jmgibson1981
Code: Select all
Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.
Is it running from the proper directory? It's saying you aren't downloading anything rather creating one.
Code: Select all
remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403
I'd check your webserver or give yourself permissions to the git. I've also seen this message when I mistype my own gitlab repositories and I'm assuming it's trying to clone a nonexistent one, or a locked one. Either way.
*EDIT* On second look the problem isn't your folders on the server. In the working one you have jason@PASS. You are missing that on this attempt it looks like.
Re: [Software] A question about permission
Posted: 2024-04-28 09:33
by jasonnix
jmgibson1981 wrote: 2024-04-26 20:33
Code: Select all
Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.
Is it running from the proper directory? It's saying you aren't downloading anything rather creating one.
Code: Select all
remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403
I'd check your webserver or give yourself permissions to the git. I've also seen this message when I mistype my own gitlab repositories and I'm assuming it's trying to clone a nonexistent one, or a locked one. Either way.
*EDIT* On second look the problem isn't your folders on the server. In the working one you have jason@PASS. You are missing that on this attempt it looks like.
Hello,
Thanks again.
This error was because I was not a member of the project.