[Solved] A question about permission

jasonnix
Posts: 29
Joined: 2023-12-04 11:30
Has thanked: 2 times

[Solved] A question about permission

#1 Post by jasonnix »

Hello,
I installed GitLab Runner and after installation I did the following steps:

Code:

$ sudo usermod -aG docker gitlab-runner
$ sudo nano /etc/sudoers
gitlab-runner ALL=(ALL) NOPASSWD: ALL

Containers and source repositories are located in another partition and the directory permission is as follows:

Code:

# ls -l
total 20
drwxrwxr-x 5 root root  4096 Apr 22 09:22 partition
drwxrwx--- 2 root root 16384 Apr  9 16:50 lost+found

With this permission the runner cannot work and I have to use the following command:

Code:

# chown -R gitlab-runner /mnt/partition

The problem will be solved, but I heard that this will cause problems in the future.
I did the following step:

Code:

# chown -R root /mnt/partition
# groupadd runner
# /sbin/usermod -a -G runner gitlab-runner
# /sbin/usermod -a -G runner root
# chgrp -R runner /mnt/partition/
# chmod -R g+rwx /mnt/partition/

After this, the runner can't copy files in the directory again.
The content of the .gitlab-ci.yml file is as follows:

Code:

stages:
  - build
  - deploy
build-test:
  stage: build
  script:
    - rm -rf node_modules
    - mkdir -p node_modules/
    - rm -rf /mnt/partition/containers/test
    - cd /mnt/partition/containers/
    - git clone http://jason:PASS@192.168.1.2/project/test.git
deploy-test:
  stage: deploy
  script:
    - cd /mnt/partition/containers/YAML
    - docker compose up -d test

What is wrong?

Thank you.
Last edited by jasonnix on 2024-04-28 09:34, edited 1 time in total.

jmgibson1981
Posts: 308
Joined: 2015-06-07 14:38
Has thanked: 11 times
Been thanked: 36 times

Re: [Software] A question about permission

#2 Post by jmgibson1981 »

The only thing you should need to do is give the /mnt/partition folder the proper permissions for the gitrunner user? and it will work. The rest of that stuff is nonsense to me. The global sudo for that program is a very bad idea. Global ALL:ALL nopasswd is never the right answer.

There is no reason that chowning a non system owned data partition will cause problems. What you read is wrong on that one.

Never give something more than the absolute minimum it needs unless you have a very good reason to do so. If Gitlab runner needs docker access then put it in the docker group. No need for that sudo modification. Chown the /mnt/partition data directory to Gitlab runner user with 755 permissions. 700 if you are trying to block it from any and all others than the gitlab runner.
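
A way to check the two points made in this reply, as an added example that is not part of the original thread: `find_nopasswd_all` flags sudoers rules like the one in the first post, and `dir_owned_exclusively` verifies the 755 or 700 layout. The function names, the sample sudoers content and the `backup` rule are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: checks for the two settings discussed above.

# Print "file:line: rule" for every sudoers rule that allows ALL commands
# without a password. Rules continued with a trailing "\" are not joined.
find_nopasswd_all() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/ {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Succeed only if DIR belongs to OWNER and neither group nor others can write
# to it (the 755 or 700 layout). Parses `ls -ld`, so it needs no GNU stat.
dir_owned_exclusively() {
    dir=$1 owner=$2
    info=$(ls -ld "$dir" | awk '{ print substr($1, 1, 10), $3 }') || return 1
    [ "${info#* }" = "$owner" ] || return 1
    case ${info%% *} in
        ?????w????|????????w?) return 1 ;;          # group or other write bit
    esac
    return 0
}

# Demo on constructed input: the rule from the first post beside a narrow,
# made-up rule that the check leaves alone.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sudoers" <<'EOF'
root ALL=(ALL:ALL) ALL
gitlab-runner ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
    find_nopasswd_all "$tmp/sudoers"
    chmod 775 "$tmp"                                # same mode as the original listing
    dir_owned_exclusively "$tmp" "$(id -un)" || echo "$tmp: not exclusively owned"
    rm -rf "$tmp"
}
demo
```

On a real host, run `find_nopasswd_all /etc/sudoers /etc/sudoers.d/*` as root and `dir_owned_exclusively /mnt/partition gitlab-runner`.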

jasonnix
Posts: 29
Joined: 2023-12-04 11:30
Has thanked: 2 times

Re: [Software] A question about permission

#3 Post by jasonnix »

jmgibson1981 wrote: 2024-04-26 16:54 The only thing you should need to do is give the /mnt/partition folder the proper permissions for the gitrunner user? and it will work. The rest of that stuff is nonsense to me. The global sudo for that program is a very bad idea. Global ALL:ALL nopasswd is never the right answer.

There is no reason that chowning a non system owned data partition will cause problems. What you read is wrong on that one.

Never give something more than the absolute minimum it needs unless you have a very good reason to do so. If Gitlab runner needs docker access then put it in the docker group. No need for that sudo modification. Chown the /mnt/partition data directory to Gitlab runner user with 755 permissions. 700 if you are trying to block it from any and all others than the gitlab runner.
Hello,
Do you mean something like the commands below?

Code:

# chown -R gitlab-runner:gitlab-runner /mnt/partition
# chmod -R 755 /mnt/partition

OR:

Code:

# chown -R gitlab-runner:runner /mnt/partition
# chmod -R 755 /mnt/partition

Which one is better?

jmgibson1981
Posts: 308
Joined: 2015-06-07 14:38
Has thanked: 11 times
Been thanked: 36 times

Re: [Software] A question about permission

#4 Post by jmgibson1981 »

Either. You want to keep it simple. If there is no reason for the runner group then eliminate it. You can do just fine with 755 for the gitlab-runner user. The only way you need the group separate is if someone else needs to be in it, but in that case you can add them to the gitlab-runner group anyway.

jasonnix
Posts: 29
Joined: 2023-12-04 11:30
Has thanked: 2 times

Re: [Software] A question about permission

#5 Post by jasonnix »

jmgibson1981 wrote: 2024-04-26 19:06 Either. You want to keep it simple. If there is no reason for the runner group then eliminate it. You can do just fine with 755 for the gitlab-runner user. The only way you need the group separate is if someone else needs to be in it, but in that case you can add them to the gitlab-runner group anyway.
Hi,
Thank you so much.
The permissions are as follows:

Code:

$ ls -ls
total 4
4 drwxr-xr-x 4 gitlab-runner runner 4096 Apr 26 23:36 partition

The Git command does not give any error without using the runner:

Code:

# git clone http://jason:PASS@192.168.1.2/project/test.git
Cloning into 'test'...
remote: Enumerating objects: 124, done.
remote: Counting objects: 100% (91/91), done.
remote: Compressing objects: 100% (91/91), done.
remote: Total 124 (delta 54), reused 0 (delta 0), pack-reused 33
Receiving objects: 100% (124/124), 178.22 KiB | 7.13 MiB/s, done.
Resolving deltas: 100% (54/54), done.

But when the above command is executed by the runner, the following error message is displayed:

Code:

Running with gitlab-runner 16.11.0 (91a27b2a)
  on test t_Wy2xFrX, system ID: s_a88f5fe318c9
Preparing the "shell" executor
Using Shell (bash) executor...
Preparing environment
Running on project...
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.
remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403
ERROR: Job failed: exit status 1

The error message says that I do not have the required permission, but that is not the case.

jmgibson1981
Posts: 308
Joined: 2015-06-07 14:38
Has thanked: 11 times
Been thanked: 36 times

Re: [Software] A question about permission

#6 Post by jmgibson1981 »

Code:

Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.

Is it running from the proper directory? It's saying you aren't downloading anything rather creating one.

Code:

remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403

I'd check your webserver or give yourself permissions to the git. I've also seen this message when I mistype my own gitlab repositories and I'm assuming it's trying to clone a nonexistent one, or a locked one. Either way.

*EDIT* On second look the problem isn't your folders on the server. In the working one you have jason@PASS. You are missing that on this attempt it looks like.

jasonnix
Posts: 29
Joined: 2023-12-04 11:30
Has thanked: 2 times

Re: [Software] A question about permission

#7 Post by jasonnix »

jmgibson1981 wrote: 2024-04-26 20:33

Code:

Initialized empty Git repository in /home/gitlab-runner/builds/t_Wy2xFrX/0/project/test/.git/
Created fresh repository.

Is it running from the proper directory? It's saying you aren't downloading anything rather creating one.

Code:

remote: You are not allowed to download code from this project.
fatal: unable to access 'http://192.168.1.2/project/test.git/': The requested URL returned error: 403

I'd check your webserver or give yourself permissions to the git. I've also seen this message when I mistype my own gitlab repositories and I'm assuming it's trying to clone a nonexistent one, or a locked one. Either way.

*EDIT* On second look the problem isn't your folders on the server. In the working one you have jason@PASS. You are missing that on this attempt it looks like.
Hello,
Thanks again.
This error was because I was not a member of the project.
