Cannot change repositories location

#1

On a non-omnibus install (Arch Linux), I fail to change the location of repositories to something outside of /var/lib/gitlab. For instance, adding

home:
  path: /var/lib/gitlab/foo/
  gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket

to the storages section works. However, setting the path to /home/gitlab/repositories/ fails: GitLab refuses to start and I get the following error in unicorn.stderr.log:

/usr/share/webapps/gitlab/config/initializers/6_validations.rb:8:in `realpath': Permission denied @ realpath_rec - /home/gitlab (Errno::EACCES)
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:8:in `realpath'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:8:in `block in find_parent_path'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:7:in `each'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:7:in `detect'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:7:in `find_parent_path'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:37:in `block in validate_storages_paths'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:36:in `each'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:36:in `validate_storages_paths'
from /usr/share/webapps/gitlab/config/initializers/6_validations.rb:45:in `<top (required)>'
from /usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `load'
from /usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `block in load'
from /usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:240:in `load_dependency'
from /usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/dependencies.rb:268:in `load'
from /usr/share/webapps/gitlab/vendor/bundle/ruby/2.3.0/gems/railties-4.2.8/lib/rails/engine.rb:652:in `block in load_config_initializer'

The permissions for /home/gitlab/repositories are exactly the same as for /var/lib/gitlab/foo. Is there something like the Ruby equivalent of PHP’s open_basedir?

#2

I am facing the same problem. Did you find a fix?

#3

Timing :wink: … I haven’t had time to verify this, but I think I may in fact have found the cause of the issue just today. I believe this is caused by systemd’s ProtectHome directive (see the man page for details) and its cousins. I assume that a reasonable fix would be to add something like ReadWritePaths=/home/gitlab to the relevant gitlab unit files.

This also explains why I was able to run gitlab backups manually but not through the backup timer service.

#4

I tried using an override (with systemctl edit) with only ReadWritePaths=/home/gitlab but it does not work.

I had to set ProtectHome=false for gitlab-unicorn (without ReadWritePaths) to be able to access the directory (we are then relying on the filesystem permissions, which should be sufficient).
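
The diagnosis reached in this thread can be checked before restarting anything. The following is an added example, not part of the original posts and not GitLab's or systemd's own tooling: a shell check that reads unit-file text in load order and reports how a storage path is affected by ProtectHome=. The function names, the temporary file names and the unit contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: static check of unit-file text for ProtectHome=.

# Print the effective ProtectHome= value from unit files given in load order
# (main unit first, then drop-ins); the last assignment wins.
effective_protect_home() {
  value=$(cat "$@" \
    | sed -n -e 's/[[:space:]]*$//' \
             -e 's/^[[:space:]]*ProtectHome[[:space:]]*=[[:space:]]*//p' \
    | tail -n 1 | tr '[:upper:]' '[:lower:]')
  case "$value" in
    1|yes|y|true|t|on) echo yes ;;
    read-only|tmpfs)   echo "$value" ;;
    *)                 echo no ;;      # unset or a boolean "off" spelling
  esac
}

# Succeed if the path lies under a directory that ProtectHome= covers.
under_protected_home() {
  case "$1" in
    /home|/home/*|/root|/root/*|/run/user|/run/user/*) return 0 ;;
    *) return 1 ;;
  esac
}

# usage: storage_access PATH UNITFILE [DROPIN...]
storage_access() {
  path=$1; shift
  under_protected_home "$path" || { echo filesystem-permissions; return; }
  case "$(effective_protect_home "$@")" in
    yes)       echo inaccessible ;;
    read-only) echo read-only ;;
    tmpfs)     echo hidden-by-tmpfs ;;
    *)         echo filesystem-permissions ;;
  esac
}

# Constructed sample input: a unit with ProtectHome=true and the override from post #4.
tmp=$(mktemp -d)
printf '[Service]\nProtectHome=true\n'  > "$tmp/gitlab-unicorn.service"
printf '[Service]\nProtectHome=false\n' > "$tmp/override.conf"

storage_access /home/gitlab/repositories/ "$tmp/gitlab-unicorn.service"                      # inaccessible
storage_access /var/lib/gitlab/foo/       "$tmp/gitlab-unicorn.service"                      # filesystem-permissions
storage_access /home/gitlab/repositories/ "$tmp/gitlab-unicorn.service" "$tmp/override.conf" # filesystem-permissions
```

On a live system the same functions can be pointed at the real unit file and its drop-ins. systemd.exec(5) also documents ProtectHome=read-only as an intermediate setting under which ReadWritePaths= can re-open a subdirectory.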