chroot bind mount breaks containerised Omnibus deployment
I run Omnibus on K8s/GKE through the old legacy Helm charts. In testing 10.7 (with an upgrade to Pages 0.8.1), I found Pages no longer starts:
INFO[0000] GitLab Pages Daemon revision=5405831 version=dev
INFO[0000] URL: https://gitlab.com/gitlab-org/gitlab-pages
INFO[0000] running the daemon as unprivileged user gid=998 uid=998
INFO[0000] chroot failed error="Failed to bind mount /gitlab-data/shared/pages on /tmp/gitlab-pages-1524311552549745939/pages. operation not permitted"
FATA[0000] error="Failed to bind mount /gitlab-data/shared/pages on /tmp/gitlab-pages-1524311552549745939/pages. operation not permitted"
I assume this is due to the resolv.conf changes, which also included bind-mounting rather than copying page content into a chroot. Perhaps the bind-mounting needs more flags added, e.g. nosuid, to be able to run inside a Docker container as it is on K8s deployments?
This should be reproducible by taking the charts/charts.gitlab.io repo, bumping it to 10.7.0+rc7.ce.0 CE image, and deploying the Omnibus to GKE.
Edited by Daniel Stone
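Added example, not the reporter's code and not gitlab-pages' own: a Go sketch of the chroot-preparation step the report describes, which attempts the read-only/nosuid/nodev bind mount and falls back to copying the content when mount(2) returns EPERM, the result in an unprivileged Docker container (no CAP_SYS_ADMIN, and Docker's default seccomp profile denies the mount syscall). The names mountFn, bindOrCopy and copyTree are assumptions, and dst is assumed to exist already, as Pages' temporary jail directory does.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// mountFn matches syscall.Mount so a test can inject a fake that fails the way
// mount(2) does in a default Docker container: EPERM (no CAP_SYS_ADMIN, seccomp).
type mountFn func(source, target, fstype string, flags uintptr, data string) error

// bindOrCopy tries a read-only, nosuid, nodev bind mount of src onto the existing
// directory dst (the Pages 0.8.1 chroot strategy); on EPERM it falls back to copying
// the tree, as earlier Pages did. It reports which strategy was used.
func bindOrCopy(mount mountFn, src, dst string) (string, error) {
	err := mount(src, dst, "", uintptr(syscall.MS_BIND|syscall.MS_RDONLY|syscall.MS_NOSUID|syscall.MS_NODEV), "")
	if err == nil {
		return "bind", nil
	}
	if err != syscall.EPERM {
		return "", fmt.Errorf("bind mount %s on %s: %w", src, dst, err)
	}
	if err := copyTree(src, dst); err != nil {
		return "", fmt.Errorf("copy fallback %s to %s: %w", src, dst, err)
	}
	return "copy", nil
}

// copyTree copies directories and regular files only; symlinks and special files
// are skipped because, followed from inside the chroot, they could reach outside it.
func copyTree(src, dst string) error {
	return filepath.Walk(src, func(p string, info os.FileInfo, err error) error {
		rel, _ := filepath.Rel(src, p)
		target := filepath.Join(dst, rel)
		switch {
		case err != nil:
			return err
		case info.IsDir():
			return os.MkdirAll(target, info.Mode().Perm())
		case !info.Mode().IsRegular():
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		return os.WriteFile(target, data, info.Mode().Perm())
	})
}
```

Call it as bindOrCopy(syscall.Mount, "/gitlab-data/shared/pages", jailDir); a test can pass a stub that returns syscall.EPERM to exercise the fallback without any privileges.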